RCE, or Reverse Code Engineering, is a field of computer science in which the researcher attempts to determine what a compiled binary does without access to the original source code.
This article covers a few different tools that are available to assist you in your reverse engineering efforts. I won’t be covering tools like OllyDbg or IDA Pro just yet; this is more for the novice to dip their toes into the water, so to speak.
Information is key
Before jumping into a disassembler and flinging breakpoints around, it is always wise to see what information is readily available to you. Particularly when reverse engineering games it’s very helpful to know what engine the game uses. This is especially useful for FPS games like Call of Duty or Battlefield, as companies tend to reuse the same engine from game to game with incremental upgrades over time.
For example, the Wikipedia page for Call of Duty – Black Ops III lists the game engine as IW Engine and even has an engine-specific page here. From the article we can see that the IW Engine is based on the id Tech 3 engine. Why is that important? Well, for starters, the source code to the Quake 3 Arena engine is readily available. By digging through that we can get a basic idea of how some of the internal engine components fit together, which will make disassembling the compiled code much easier.
But what if the game engine isn’t listed or the page doesn’t contain much info? Well, by visiting the application’s game folder we can learn more about how the individual pieces fit together. I’ll use Red Alert 2 as an example: on its Wikipedia page we see no engine listed. So we’re off to visit the application folder and see what’s up.
At a quick glance we see a number of different DLLs and executables, and also many mysterious MIX files. Based on their size and names it is reasonable to assume these files are some type of archive for game assets like sound, maps and configuration files.
By visiting this site we see the following:
The MIX file type is primarily associated with ‘Command & Conquer’ by Westwood Studios. The epic struggle between the Global Defense Initiative (GDI) and The Brotherhood of NOD. Series of .PCX images and .WAV sounds.
Nice! Now that we know what the file contains, it would be relatively straightforward to write a program to parse the file and pull out the assets. Or we could do a quick Google search and see if someone has done this for us already.
Googling for tools shows that there is a somewhat active modding community for this game, so it would be wise to head over to one of the fan sites or forums and search around for any other information we can find.
Searching around, you would stumble across an interesting post relating to a mysterious rules.ini file. According to the information acquired, this file contains all the rules and variables for the game. You can use XCC Mixer to extract the file from RA2.mix, then open the file up in a text editor (it’s a simple enough file to understand). And there you have it: from nothing to complete control over the game, and you didn’t even need to open a debugger or Cheat Engine.
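To show what "write a program to parse the file and pull out the assets" looks like in practice, here is an added Python example that is not from the post and not an XCC Mixer routine. The post does not describe the real Westwood MIX layout, so the archive format below (a count, a table of offset/size pairs, then raw asset bytes) is an assumed, constructed layout chosen to demonstrate the pattern; the sample WAV, PCX and INI assets are constructed too. The part worth copying is the bounds checking: a table entry that points outside the file is rejected instead of being sliced blindly, which is what you want when the archive came from an untrusted mod download.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

# ASSUMED layout for this example only. The post does not describe the real
# Westwood MIX structure; check the modding community's format notes before
# pointing this at a genuine .mix file.
#   uint16 count
#   count x { uint32 offset, uint32 size }   offsets are from the file start
#   raw asset bytes, back to back
HEADER = struct.Struct("<H")
ENTRY = struct.Struct("<II")


@dataclass
class Entry:
    index: int
    offset: int
    size: int
    kind: str


def sniff(data: bytes) -> str:
    """Guess the asset type from its leading bytes (WAV and PCX, the two
    types the MIX description mentions)."""
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        return "wav"
    # PCX: manufacturer byte 0x0A, byte 2 is the RLE encoding flag (1)
    if len(data) >= 3 and data[0] == 0x0A and data[2] == 0x01:
        return "pcx"
    return "unknown"


def parse_archive(blob: bytes) -> list[Entry]:
    """Read the table of contents, rejecting any entry that points outside
    the file so a corrupt or hand-edited archive fails cleanly."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated header")
    (count,) = HEADER.unpack_from(blob, 0)
    table_end = HEADER.size + count * ENTRY.size
    if table_end > len(blob):
        raise ValueError(f"table claims {count} entries but file is {len(blob)} bytes")
    entries = []
    for i in range(count):
        offset, size = ENTRY.unpack_from(blob, HEADER.size + i * ENTRY.size)
        if offset < table_end or offset + size > len(blob):
            raise ValueError(f"entry {i}: offset {offset} size {size} lies outside the file")
        entries.append(Entry(i, offset, size, sniff(blob[offset:offset + size])))
    return entries


def extract(blob: bytes, entry: Entry) -> bytes:
    """Slice one asset out of the archive (bounds were validated by parse_archive)."""
    return blob[entry.offset:entry.offset + entry.size]


def build_archive(assets: list[bytes]) -> bytes:
    """Pack assets in the assumed layout; used only to construct sample input."""
    table = bytearray(HEADER.pack(len(assets)))
    cursor = HEADER.size + len(assets) * ENTRY.size
    for asset in assets:
        table += ENTRY.pack(cursor, len(asset))
        cursor += len(asset)
    return bytes(table) + b"".join(assets)


# Constructed sample assets: a bare RIFF/WAVE header, a PCX header stub and
# a small INI-style text file (placeholder values, not taken from the game).
SAMPLE_WAV = b"RIFF" + struct.pack("<I", 4) + b"WAVE"
SAMPLE_PCX = bytes([0x0A, 0x05, 0x01, 0x08]) + b"\x00" * 124
SAMPLE_INI = b"[General]\nMaxCredits=50000\n"
SAMPLE_ARCHIVE = build_archive([SAMPLE_WAV, SAMPLE_PCX, SAMPLE_INI])


def list_assets(blob: bytes = SAMPLE_ARCHIVE) -> list[tuple[int, str, int]]:
    """Return (index, guessed type, size) for every entry in the archive."""
    return [(e.index, e.kind, e.size) for e in parse_archive(blob)]


if __name__ == "__main__":
    for index, kind, size in list_assets():
        print(f"entry {index}: {kind:8s} {size:5d} bytes")
    # A damaged or hostile table is rejected instead of slicing garbage:
    broken = bytearray(SAMPLE_ARCHIVE)
    struct.pack_into("<I", broken, HEADER.size + 4, 0xFFFFFFFF)  # entry 0 size
    try:
        parse_archive(bytes(broken))
    except ValueError as err:
        print("rejected:", err)
```

Once you have confirmed the real table layout from the community's documentation, only HEADER, ENTRY and the offset arithmetic in parse_archive need to change; sniff and extract stay the same.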
When Google fails…
This is all good and well for a game that’s well over 18 years old (fuck I’m ancient), I hear you say. But what if it’s a new release and there are no existing tools available? Well, you’re going to have to start digging into the files and figure out how everything works by yourself.
First, go back to the application’s directory and poke around. Compare these files to other games you have on your system. You may find some similar parts or an identical directory structure to something you already have installed, which may reveal what engine the game uses or is based on.
Next we’re going to do some quick recon and dig through the main executable. Head over to Sysinternals and grab their program called Strings. Now dump the Strings executables into an easily findable directory. There are two files, one for 32-bit executables and one for 64-bit executables; we know that RA2MD.exe is a 32-bit exe.
Open a command prompt and change the directory to where you extracted strings:
Now run strings on the target file:
E:\Tools\strings -a -o E:\Games\RA2\RA2MD.exe
The command will dump a lot of information. We can address this by instructing the command prompt to redirect the output into a file for us to view:
E:\Tools\strings -a -o E:\Games\RA2\RA2MD.exe > dump.txt
This will create a file in the current directory called dump.txt containing the program’s output. Looking around the file we find a few interesting things:
These strings are commonly used when querying the registry; in this case it looks as though RA2 stores the game’s serial key there (I’ll leave it up to the reader to locate this using the registry editor, regedit.exe).
Looking around further we see something VERY interesting:
These are Windows API functions, which allow a Windows program to request certain services from the operating system. In this specific case it appears that RA2MD.exe uses the Windows Graphics Device Interface (GDI) for drawing.
This information will be very useful in the future when we attempt to disassemble or hook RA2MD.exe.
That’s all for now!