liveoverflow / liveoverflow_youtube
Material for the YouTube series
When I follow the YouTube video (https://www.youtube.com/watch?v=3NTXFUxcKPc&t=8s), my gdb segfaults when I try to run the program after I set the breakpoint.
Hi,
I'd like to suggest that you please try to use short names for the folders. Sometimes, because of the resolution of my laptop (10.1") and the single-monitor configuration on my desktop, it looks difficult to me. It's just a wish for me and maybe others; you could use standard rules for the folders, e.g. youtubechapter_subfolder.
Take the folder 0x05_simple_crackme_intro_assembler as an example; after standardizing it, it would look like this:
heticor915RE@devilmachine ~/LiveOverflow/0x05$
heticor915RE@devilmachine ~/LiveOverflow/0x06_1$
heticor915RE@devilmachine ~/LiveOverflow/0x07$
heticor915RE@devilmachine ~/LiveOverflow/0x07_09$
Regards,
Hector.
Keep up the good work.
Basically I type "gdb license_1" in the Terminal and it opens the program; pretty much everything is fine up to this point. Then I follow the instructions until I have to type "run". So I type it and run it, and then I get some weird error that says "cannot execute: Permission Denied, During startup program exited with code 126". So please, can you help me?
The first include in the file is missing the characters "#i", which might be confusing for beginners.
How? I modified it to hang for a second at the end, so I have time to quickly ^Z it away, and:
sudo gdb
attach <process>
That got gdb attached (with debug symbols & everything)
Then, I used vmmap
to get its mappings and found that the layout is something like this:
<asdf+0> (one page)
nothing (one page)
<asdf+0> (one page)
<asdf+0x1000> (one page)
So I used nasm to get an object that looks reasonably similar:
incbin "asdf"
resb 1024
incbin "asdf"
incbin "asdf"
And ran: nasm embed.s -felf64 -o asdf-fake.o
To my surprise, asdf-fake.o was good enough for radare and I was able to open it.
But there were no symbols (they were left alone in the cold with gdb). After analyzing it I did s <TAB> <TAB>
and found some functions radare2 found:
[0x08000180]> s
rax rbx rcx rdx rsi rdi r8
r9 r10 r11 r12 r13 r14 r15
rflags rbp rsp section. segment.ehdr section..text sym..text
rip fcn.08000718 fcn.08000740 fcn.08000750 fcn.08000760 fcn.08000770 fcn.08000780
fcn.080007c0 fcn.08000861 fcn.08000890 fcn.0800089a fcn.08002c08 fcn.08002c30 fcn.08002c40
fcn.08002c50 fcn.08002c60 fcn.08002c70 fcn.08002cb0 fcn.08002d51 fcn.08002d80 fcn.08002d8a
fcn.08004cf8 fcn.08004d20 fcn.08004d30 fcn.08004d40 fcn.08004d50 fcn.08004d60 fcn.08004da0
fcn.08004e41 fcn.08004e70 fcn.08004e7a section..shstrtab section..symtab section..strtab
So I had a look at the first function, fcn.08000718. It was a small leaf function which looked very much like a PLT handler. It had a code XREF from fcn.0800089a
What is that? main.
So that wasn't too hard...
Hi LiveOverflow, I saw your latest Pwn Adventure 3 video and saw that you didn't quite get the Fly cheat you wanted working, even with the help of another YouTuber.
So I decided to give it a go as well and today I reached the solution!
I also then converted it to a cheat engine auto assembler script using pure code injection (instead of dll injection) just for fun.
See my repo here: https://github.com/RetroGamesEngineer/LOPWN
The .cpp and .h file for the cpp version... or the .cea for the cheat engine asm version
Or a directly copy-and-paste-able version below.
Yeah, perhaps it can be vectorized to make it a bit faster by adding or multiplying multiple values at once, and/or using a faster sin & cos than the one built into the x86 fsincos instruction, but it's really not necessary as it's fast enough for these purposes.
:D
Copy-and-paste-able directly into CE's CheatTable list:
<?xml version="1.0" encoding="utf-8"?>
<CheatTable>
<CheatEntries>
<CheatEntry>
<ID>11</ID>
<Description>"Pwn Fly"</Description>
<LastState/>
<VariableType>Auto Assembler Script</VariableType>
<AssemblerScript>[enable]
//RetroGamesEngineer on github (C) 2019
alloc(FlyThread,$1000)
registersymbol(FlyThread)
createthread(FlyThreadStart)
define(VK_F1,70) //Toggle on/off
define(VK_MBUTTON,4) //Trigger Flying
struct rot
pitch: dd ?
yaw: dd ?
pitchcos: dd ?
pitchsin: dd ?
yawcos: dd ?
yawsin: dd ?
endstruct
struct vec3
x: dd ?
y: dd ?
z: dd ?
endstruct
FlyThread:
label(NewPlayerPosition) //Forcing good alignment for NewPlayerPosition (so movaps works fine)
NewPlayerPosition:
dd 0 0 0 0
label(FlyEnabled)
FlyEnabled:
dd 1
label(FlyActive)
FlyActive:
dd 0
label(FlySpeed)
FlySpeed:
dd (float)33.33
label(FlyThreadStart)
FlyThreadStart:
push 1
call Sleep
//Get Pointers on initially starting thread before proceeding to main loop
//"PitchYaw","[[[[[['GameLogic.dll']+97d80]+58]+1cc]+294]+2a0]"
mov eax,[GameLogic.Game] //Same as
//mov eax,["GameLogic.dll"+97d80] // <--
test eax,eax
je @b
mov eax,[eax+58]
test eax,eax
je @b
mov eax,[eax+1cc]
test eax,eax
je @b
mov eax,[eax+294]
test eax,eax
je @b
lea eax,[eax+2a0]
mov [PitchYawPointer],eax
//"PlayerPosition","[[[[[['GameLogic.dll']+97d7c]+1c]+4]+114]+90]"
mov eax,[GameLogic.GameWorld] //Same as
//mov eax,["GameLogic.dll"+97d7c] <--
test eax,eax
je @b
mov eax,[eax+1c]
test eax,eax
je @b
mov eax,[eax+4]
test eax,eax
je @b
mov eax,[eax+114]
test eax,eax
je @b
lea eax,[eax+90]
mov [PlayerPositionPointer],eax
label(FlyThreadLoop)
FlyThreadLoop:
push 1
call Sleep
cmp [FlyEnabled],0 //Exit thread upon disabling
je FlyThreadExit
push VK_F1
call GetAsyncKeyState
and ax,8000
je @f
xor [FlyActive],1 //Toggle Fly on/off
push #337
call Sleep
@@:
cmp [FlyActive],1 //Only Fly if activated
jne FlyThreadLoop
push VK_MBUTTON //And Middle Mouse Button is pressed
call GetAsyncKeyState
and ax,8000
je FlyThreadLoop
mov eax,[PitchYawPointer]
mov edx,PitchYaw
//Get pitch sin & cos
fld dword [eax+pitch]
fmul dword [PI_divided_by_180] //Degrees to radians
fsincos
fstp dword [edx+pitchcos]
fstp dword [edx+pitchsin]
//Get yaw sin & cos
fld dword [eax+yaw]
fsub dword [Ninety] //rot.yaw - 90.0f
fmul dword [PI_divided_by_180] //Degrees to radians
fsincos
fstp dword [edx+yawcos]
fstp dword [edx+yawsin]
mov ebx,[PlayerPositionPointer]
mov ecx,NewPlayerPosition
//Calculate new x coordinate
xorps xmm0,xmm0
subss xmm0,[edx+yawsin] // -(sinf(DegreesToRadians(rot.yaw-90.0f)))
mulss xmm0,[edx+pitchcos] // * cosf(DegreesToRadians(rot.pitch)
mulss xmm0,[FlySpeed] // * FlySpeed
addss xmm0,[ebx+x] // + PlayerPosition.x ==
movss [ecx+x],xmm0 //Store in NewPlayerPosition.x
//Calculate new y coordinate
movss xmm0,[edx+yawcos] // cosf(DegreesToRadians(rot.yaw-90.0f)
mulss xmm0,[edx+pitchcos] // * cosf(DegreesToRadians(rot.pitch)
mulss xmm0,[FlySpeed] // * FlySpeed
addss xmm0,[ebx+y] // + PlayerPosition.y ==
movss [ecx+y],xmm0 //Store in NewPlayerPosition.y
//Calculate new z coordinate
movss xmm0,[edx+pitchsin] // sinf(DegreesToRadians(rot.pitch))
mulss xmm0,[FlySpeed] // * FlySpeed
addss xmm0,[ebx+z] // + PlayerPosition.z ==
movss [ecx+z],xmm0 //Store in NewPlayerPosition.z
//Write new player position to current player position! :)
movaps xmm0,[ecx]
movaps [ebx],xmm0
jmp FlyThreadLoop
label(FlyThreadExit)
FlyThreadExit:
ret
label(PI_divided_by_180)
PI_divided_by_180:
dd (float)0.0174532
label(Ninety)
Ninety:
dd (float)90.0
label(PitchYaw)
PitchYaw:
dd 0 0 0 0 0 0
label(PitchYawPointer)
PitchYawPointer:
dd 0
label(PlayerPositionPointer)
PlayerPositionPointer:
dd 0
[disable]
FlyThread+10: //Causes FlyThread to exit
dd 0
unregistersymbol(FlyThread)
</AssemblerScript>
<CheatEntries>
<CheatEntry>
<ID>13</ID>
<Description>"NewPlayerPosition.x"</Description>
<VariableType>Float</VariableType>
<Address>FlyThread</Address>
</CheatEntry>
<CheatEntry>
<ID>14</ID>
<Description>"NewPlayerPosition.y"</Description>
<VariableType>Float</VariableType>
<Address>FlyThread+4</Address>
</CheatEntry>
<CheatEntry>
<ID>15</ID>
<Description>"NewPlayerPosition.z"</Description>
<VariableType>Float</VariableType>
<Address>FlyThread+8</Address>
</CheatEntry>
<CheatEntry>
<ID>16</ID>
<Description>"FlyEnabled"</Description>
<VariableType>4 Bytes</VariableType>
<Address>FlyThread+10</Address>
</CheatEntry>
<CheatEntry>
<ID>17</ID>
<Description>"FlyActive"</Description>
<VariableType>4 Bytes</VariableType>
<Address>FlyThread+14</Address>
</CheatEntry>
<CheatEntry>
<ID>18</ID>
<Description>"FlySpeed"</Description>
<VariableType>Float</VariableType>
<Address>FlyThread+18</Address>
</CheatEntry>
</CheatEntries>
</CheatEntry>
</CheatEntries>
</CheatTable>
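Reference implementation of the per-tick position update that the script above computes in SSE, as an added example that is not the poster's code nor from the linked repo. Names (Vec3, Rot, fly_direction, fly_step) are my own; it assumes the script's conventions: angles in degrees, yaw offset by -90 before conversion, z up, and the same PI/180 constant.

```cpp
#include <cmath>
#include <cstdio>

// Constructed reference for the script's fly step; names here are assumptions.
struct Vec3 { float x, y, z; };
struct Rot  { float pitch, yaw; };   // degrees, same field order as the script's rot struct

static const float PI_DIV_180 = 0.0174532f;   // same constant the script stores in PI_divided_by_180

// Forward vector derived from pitch/yaw exactly as the script does it:
//   x = -sin(yaw-90) * cos(pitch),  y = cos(yaw-90) * cos(pitch),  z = sin(pitch)
Vec3 fly_direction(Rot rot) {
    float p = rot.pitch * PI_DIV_180;            // fmul [PI_divided_by_180]
    float w = (rot.yaw - 90.0f) * PI_DIV_180;    // fsub [Ninety]; fmul [PI_divided_by_180]
    return { -std::sin(w) * std::cos(p), std::cos(w) * std::cos(p), std::sin(p) };
}

// One iteration of FlyThreadLoop: NewPlayerPosition = PlayerPosition + FlySpeed * direction
Vec3 fly_step(Vec3 pos, Rot rot, float speed) {
    Vec3 d = fly_direction(rot);
    return { pos.x + speed * d.x, pos.y + speed * d.y, pos.z + speed * d.z };
}

// Sanity check: the direction is a unit vector, so FlySpeed is the distance moved per tick.
float vec3_len(Vec3 v) { return std::sqrt(v.x * v.x + v.y * v.y + v.z * v.z); }

int main() {
    Rot  rot = { 30.0f, 45.0f };                 // constructed sample: looking up and to the side
    Vec3 pos = { 100.0f, 200.0f, 50.0f };
    Vec3 next = fly_step(pos, rot, 33.33f);      // FlySpeed from the script
    std::printf("dir len %.4f  next (%.2f, %.2f, %.2f)\n",
                vec3_len(fly_direction(rot)), next.x, next.y, next.z);
    return 0;
}
```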
Sorry for asking this kind of question. Can you please tell me how you compiled this program? I tried to compile the same program, but in the disassembly it shows some extra lines; they don't do anything extra, but they are extra lines.