Monthly Archives: July 2012

Creating Custom JAR Loaders With ClassLoaders

[Note] This article is part one of a two-part series on making a bot for a Java game [/Note]

[Intro]

As part of being on the trial team we were given a game called Objection!, which is a really old, DOS-looking kind of game with horrible graphics that allows you to hone your objection skills.  It gets really tough after a while, so I thought it would be fun to inject a dll, dump the questions and make a simple bot.  If anything, it would be a good exercise in reverse engineering.

Since it comes bundled in an exe, and it looks old as hell, I assumed the game was written in C using the WinAPI.  But after opening the exe in IDA, I quickly realized that it was nothing more than a JNI class loader, and the game itself came bundled in a jar file called tmgames.jar.  This changes everything: instead of injecting a dll to detour functions in the process, I can build a custom loader to load the jar and instrument the client’s code at runtime.

The first step in this whole process is taking control of the loading process of the game.  After that we can instrument it.  And so this tutorial is born.


The process breaks down into six steps:

  1. Build a classloader from the game jar.
  2. Load the class that has the game’s main method.
  3. Get the constructor that you want to call of that class.
  4. Instantiate the class with the constructor and parameter(s) you need.
  5. Find the game’s main method.
  6. Invoke the main method.
package runtime;

import java.io.File;
import java.io.FileNotFoundException;
import java.lang.reflect.Constructor;
import java.lang.reflect.Method;
import java.net.URL;
import java.net.URLClassLoader;

public class Main
{
	public static void main(String[] args)
	{
		URL[] url = new URL[1];
		try
		{
			url[0] = new URL("file:////C://Users//emist//workspace//tmloader//bin//runtime//tmgames.jar");
			verifyValidPath(url[0]);
		}
		catch (Exception ex)
		{
			System.out.println("URL error: " + ex.getMessage());
			return;   // without a valid jar URL the loader below would fail with a NullPointerException
		}
		Loader l = new Loader();
		l.loadobjection(url);
	}

	public static void verifyValidPath(URL url) throws FileNotFoundException
	{
		File filePath = new File(url.getFile());
		if (!filePath.exists())
		{
			throw new FileNotFoundException(filePath.getPath());
		}
	}
}

class Loader
{
	public void loadobjection(URL[] myJar)
	{
		try
		{
			//Create a classloader.  myJar holds the full path to the game's jar file.
			URLClassLoader child = new URLClassLoader(myJar, this.getClass().getClassLoader());

			//tmcore.game is the class that holds the main method in the jar.
			//Class.forName throws ClassNotFoundException (it never returns null) if the class is missing.
			Class<?> classToLoad = Class.forName("tmcore.game", true, child);

			//game doesn't have a default constructor, so we need the reference to public game(String[] args).
			//getDeclaredConstructor throws NoSuchMethodException if no constructor matches these parameter types.
			Constructor<?> ctor = classToLoad.getDeclaredConstructor(String[].class);

			//Instantiate the class by calling the constructor.  The String[] is wrapped in an Object[]
			//so it is passed as one argument instead of being spread across the varargs.
			String[] args = {"tmgames.jar"};
			Object instance = ctor.newInstance(new Object[]{args});

			//get reference to main(String[] args); the parameter types must match the declaration
			Method method = classToLoad.getDeclaredMethod("main", String[].class);
			//call the main method, passing args as a single argument.  The cast keeps the array from
			//being spread as varargs (which would throw IllegalArgumentException); for a static main
			//the instance is ignored.
			method.invoke(instance, (Object) args);
		}
		catch (Exception ex)
		{
			System.out.println(ex.getMessage());
			ex.printStackTrace();
		}
	}
}

Something to note about this code is that there are many hidden pitfalls.  For example, if you call getDeclaredMethod("main") you will get a NoSuchMethodException.  The reason is that you have to match the method declaration exactly: getDeclaredMethod("main", String[].class) matches main(String[] args), while getDeclaredMethod("main") looks for main(), which doesn’t exist.

Another thing that can trip you up is that classToLoad.getDeclaredConstructor(String[].class) is required if the class doesn’t have a default constructor.  If you forget this and try to instantiate the class directly, you will get an exception to the effect that the class cannot be instantiated.
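To show what taking control of the loading process buys you, here is an added example (not the post's own code) in which a child-first ClassLoader gets the raw class bytes in hand before the JVM defines them, and then exercises the same reflection calls as the two pitfalls above. FakeGame, InterceptingLoader and LoaderDemo are constructed stand-ins: FakeGame plays the role of tmcore.game and its own class file on the classpath stands in for an entry of tmgames.jar. Save it as LoaderDemo.java and run it with javac and java (Java 9 or later, for readAllBytes).

```java
import java.io.InputStream;
import java.lang.reflect.Method;

// Constructed stand-in for the game's entry class tmcore.game.
class FakeGame {
    public static void main(String[] args) {
        System.out.println("FakeGame.main: " + args.length + " arg(s), loader " + FakeGame.class.getClassLoader());
    }
}

// Child-first loader: the target class is defined from bytes we hold; everything else goes to the parent.
class InterceptingLoader extends ClassLoader {
    private final String target;
    private final byte[] bytes;
    InterceptingLoader(String target, byte[] bytes, ClassLoader parent) {
        super(parent);
        this.target = target;
        this.bytes = bytes;
    }
    @Override
    protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
        synchronized (getClassLoadingLock(name)) {
            if (!name.equals(target)) return super.loadClass(name, resolve); // JDK classes etc.
            Class<?> c = findLoadedClass(name); // defining the same name twice throws LinkageError
            if (c == null) c = findClass(name);
            if (resolve) resolveClass(c);
            return c;
        }
    }
    @Override
    protected Class<?> findClass(String name) throws ClassNotFoundException {
        if (!name.equals(target)) throw new ClassNotFoundException(name);
        // Instrumentation hook: the raw class file is in hand before the JVM ever sees it.
        System.out.printf("defining %s from %d bytes, magic %02X%02X%02X%02X%n", name, bytes.length, bytes[0], bytes[1], bytes[2], bytes[3]);
        return defineClass(name, bytes, 0, bytes.length);
    }
}

public class LoaderDemo {
    public static void main(String[] argv) throws Exception {
        byte[] raw; // FakeGame's class file on the classpath stands in for an entry of tmgames.jar
        try (InputStream in = FakeGame.class.getResourceAsStream("FakeGame.class")) {
            raw = in.readAllBytes();
        }
        InterceptingLoader loader = new InterceptingLoader("FakeGame", raw, LoaderDemo.class.getClassLoader());
        Class<?> game = Class.forName("FakeGame", true, loader); // true: run static initializers now
        System.out.println("same name, different Class object: " + (game != FakeGame.class));
        // The parameter types must match main(String[]); the cast stops the array being spread as varargs.
        Method main = game.getDeclaredMethod("main", String[].class);
        main.invoke(null, (Object) new String[]{"tmgames.jar"});
    }
}
```

The class loaded through InterceptingLoader is a distinct Class object from the one the application loader knows, which is why the same name can coexist and why the loader, not the jar, decides what code the game actually runs.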

[Epilogue]

If you’re wondering how you find out which methods you need to call and what parameters they take, there are many ways of going about it.  Personally, since it’s Java, I extracted the jar and ran the classes through jad.  Once decompiled, it’s a simple process to figure out what code you need to be calling.

[End]

So now you have a class loader to load your jar.  This is the first step in making a working bot.  In the next article I will show you how this fits into a working bot.

VMware and Diablo 3 - Don’t be stupid like me!

So I got Diablo 3 a couple of days ago to start helping develop a bot called D3Adventures.

For all my work I run Linux; there’s just something about Windows I can’t stand. But I heard of people getting banned for running D3 under Wine, and since I would like to limit all the variables I can when it comes to getting banned, I decided to run D3 under VMware.

As soon as the installer came up I would receive a “Below Minimum Specifications” message and the installer would get stuck at 0%. My current setup has two quad-core Xeons clocked at 2.33 GHz, 16 GB of RAM and a decent video card, so I knew something must have been wrong. Diablo 3 can definitely run on this.

After days of searching and trying different fixes for different problems with the installer that also manifest themselves as “stuck at 0%,” I was just about ready to call it in. I don’t even want to play this game to begin with, I just want to code for it!

And then I realized it... I had my VM set up with only 1 core for the processor. So D3 was seeing my computer as a single-core Pentium clocked at 2.33 GHz. After changing that to 4 cores the installer proceeded to move past the frustrating 0% and everyone lived happily ever after.

Moral of the story: sometimes the issue is simple. Start at the bottom before you start to complicate your life.

Defcon Talk – Game Hacking Overview

I ran into this video on YouTube a few hours ago. This is definitely a decent talk if you’re interested in game hacking. It gives a good notion of the big picture as it relates to multiplayer games.

Recommended watch.

Planescape Torment Trainer - Insta-Kill and Godmode Hacks

Planescape Torment Trainer

[Intro]

When coding an instakill or a godmode Planescape Torment trainer, there are several interesting problems we must address.  If you have a hard time following this, go back and read up on my other articles.


[Tools]

You will need:

  1. Cheat Engine (or your preferred debugger)
  2. Planescape Torment
  3. Visual Studio (or your preferred IDE)

[Epilogue]

Planescape Torment, like most other games these days, utilizes DMA.  DMA, or dynamic memory allocation, is just a fancy way of saying that your values and objects are going to be in the heap, allocated at runtime.  I’m bringing this up because you might have read tutorials somewhere that talk about finding “static” values.  Those tutorials date back to the good old days when games had very few values to keep track of and stuff would be allocated in global variables whose address never changed.  Those days are mostly over.

Direct Runtime Memory Modification (Planescape Torment Trainer)

[Intro]

A trainer is a program that allows a player to gain an advantage over a game.  There are many ways to code trainers; here I will show you how to code a very simple trainer using direct memory modification.