Category Archives: “Un-ethical” Gaming

VERSPER.5 – Trainer

Today I ran into a game called Versper.5. The idea behind it seems to be that you spend about one hundred days playing it to reach the end. Every day you get the chance to take one step down a long corridor/maze, looking at pictures along the way. I'm not really sure what would cause someone to create this type of game, let alone play it, but for whatever reason I felt like playing it to the end.

Ripping Models From Directx9 Games Part 3 – Making Use Of Exported Data

[Intro]

If you read part 2 of this series, you now have a bunch of indices and vertices for a piece of 3D geometry in a game. The question is, how are you going to do anything with them? That's where this final part of the tutorial comes in. Here we turn the vertex and index data into a usable format: Wavefront OBJ, a plain-text format that most 3D modeling software reads directly.

Slenderman Re-Textured Model

Ripping Models From Directx9 Games Part 2 – Implementing

[Introduction]

In this part we'll talk about what needs to be done under the hood to implement a DirectX 9 model ripper. To capture the 3D geometry I used hooking. I won't get into the details of how to hook DirectX calls here since that subject has been more than covered online; you should be familiar with it before continuing this tutorial.

Ripping Models From Directx9 Games Part 1 – The Basics

Ripping Models

If you’re like me you’ve seen games with really cool looking models and wondered how they were put together.  You might have searched online and seen a couple of tools that allowed you to get the models you were interested in.  And once you did that you couldn’t help but wonder how the process of ripping models from a game goes down.

In this tutorial I'll show you what it takes to code a program for ripping models, something like this, and send you on your way to experimenting with the world of DirectX 9.

I'll be splitting this tutorial into parts since otherwise it would get pretty long. This first part covers the concepts involved, so that you have the understanding required to implement a 3D model ripper for DirectX 9.

D3DModelRipper – Ripping Models From Directx9 Games

[Intro]

While there are tools out there that do this sort of thing, I couldn't find the source code for any of them. So I put together this library as a way of learning how it goes down. I gotta say 3D graphics is not my thing in the least, so putting this together was both challenging and fun.

[Usage]

To use the library, run your desired game, open a command prompt, change to the directory containing the injector executable and type: Injector.exe “EXE Name” d3d9.dll PrimCount NumVerts

Example:

Injector.exe “Slender – The Eight Pages.exe” d3d9.dll 2136 1469

The above command pulls the geometry for one of the trees in the Slender forest and dumps it into a file called model.obj in the Slender executable's folder.

If you do not know how to get the PrimCount and NumVerts values for the geometry you want, check out this other tool.

The resulting file is in obj format.  This is probably the simplest format out there for representing 3d geometry, and most 3d modeling software is able to recognize it.
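The OBJ conversion that part 3 describes and that the Injector command above ends with, written out as an added example (this is not the blog's D3DModelRipper code). It assumes the hook on DrawIndexedPrimitive has already saved the locked vertex buffer bytes, the index buffer bytes and the call's parameters (Type, BaseVertexIndex, MinVertexIndex, NumVertices, StartIndex, PrimitiveCount); the quad it runs on is constructed sample data. It goes slightly beyond the text by handling triangle strips and fans as well as triangle lists, since games mix all three.

```python
"""Convert raw Direct3D 9 vertex/index buffer contents into Wavefront OBJ text.

Added example, not the D3DModelRipper source. Assumes the ripper has already
captured the locked buffers and the DrawIndexedPrimitive parameters; the
sample geometry below is constructed.
"""
import struct

# D3DPRIMITIVETYPE values from d3d9types.h
D3DPT_TRIANGLELIST = 4
D3DPT_TRIANGLESTRIP = 5
D3DPT_TRIANGLEFAN = 6


def index_count(prim_type, prim_count):
    """Indices consumed by DrawIndexedPrimitive for prim_count primitives."""
    if prim_type == D3DPT_TRIANGLELIST:
        return 3 * prim_count
    if prim_type in (D3DPT_TRIANGLESTRIP, D3DPT_TRIANGLEFAN):
        return prim_count + 2
    raise ValueError("unsupported primitive type %d" % prim_type)


def triangles(prim_type, indices):
    """Expand an index stream into explicit (a, b, c) triangles."""
    if prim_type == D3DPT_TRIANGLELIST:
        return [tuple(indices[i:i + 3]) for i in range(0, len(indices) - 2, 3)]
    if prim_type == D3DPT_TRIANGLEFAN:
        return [(indices[0], indices[i], indices[i + 1])
                for i in range(1, len(indices) - 1)]
    if prim_type == D3DPT_TRIANGLESTRIP:
        tris = []
        for i in range(len(indices) - 2):
            a, b, c = indices[i], indices[i + 1], indices[i + 2]
            if a == b or b == c or a == c:
                continue  # degenerate triangle used to stitch strips together
            # D3D swaps the first two vertices of every odd triangle so the
            # winding stays consistent along the strip; mirror that here.
            tris.append((a, b, c) if i % 2 == 0 else (b, a, c))
        return tris
    raise ValueError("unsupported primitive type %d" % prim_type)


def read_indices(ib, start_index, count, index_size=2):
    """Read `count` indices (D3DFMT_INDEX16 or INDEX32) starting at start_index."""
    fmt = "<%d%s" % (count, "H" if index_size == 2 else "I")
    return list(struct.unpack_from(fmt, ib, start_index * index_size))


def read_positions(vb, stride, pos_offset, first, count):
    """Read `count` float3 positions from a vertex buffer with the given stride."""
    return [struct.unpack_from("<3f", vb, v * stride + pos_offset)
            for v in range(first, first + count)]


def to_obj(vb, stride, pos_offset, ib, prim_type, base_vertex, min_index,
           num_vertices, start_index, prim_count, index_size=2):
    """Build OBJ text for one DrawIndexedPrimitive call.

    Index values are relative to BaseVertexIndex and lie in
    [MinVertexIndex, MinVertexIndex + NumVertices), so only that vertex
    range is dumped and faces are renumbered to OBJ's 1-based scheme.
    """
    idx = read_indices(ib, start_index, index_count(prim_type, prim_count), index_size)
    verts = read_positions(vb, stride, pos_offset, base_vertex + min_index, num_vertices)
    lines = ["# %d vertices, %d primitives" % (num_vertices, prim_count)]
    lines += ["v %.6f %.6f %.6f" % p for p in verts]
    for tri in triangles(prim_type, idx):
        face = [i - min_index + 1 for i in tri]
        if any(not 1 <= f <= num_vertices for f in face):
            raise ValueError("index %r outside declared vertex range" % (tri,))
        lines.append("f %d %d %d" % tuple(face))
    return "\n".join(lines) + "\n"


def sample_quad():
    """Constructed sample: 4 vertices (float3 position + DWORD colour, stride 16)
    drawn as a 2-triangle strip with 16-bit indices."""
    vb = b"".join(struct.pack("<3fI", x, y, 0.0, 0xFFFFFFFF)
                  for x, y in ((0, 0), (1, 0), (0, 1), (1, 1)))
    ib = struct.pack("<4H", 0, 1, 2, 3)
    return dict(vb=vb, stride=16, pos_offset=0, ib=ib,
                prim_type=D3DPT_TRIANGLESTRIP, base_vertex=0, min_index=0,
                num_vertices=4, start_index=0, prim_count=2)


if __name__ == "__main__":
    print(to_obj(**sample_quad()), end="")
```

Two details matter in practice: the position offset and stride come from the vertex declaration (or FVF) of the stream, not from the OBJ side, and Direct3D is left-handed while most modeling packages are right-handed, so expect to mirror an axis in the modeling tool if the ripped mesh looks inside-out.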

D3DTextureRipper – Ripping Textures From D3D9 Games

[Intro]

This tool allows you to rip textures from D3D9 games. It grabs the textures by hooking the device's SetTexture method and dumps each one to a file inside your game's path, in a folder called “Textures.” The textures are written in BMP format with nondescript names (the texture's address in memory at the time SetTexture is called).
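The BMP dump described above, as an added example rather than the blog's D3DTextureRipper code. It assumes the SetTexture hook has locked the texture's top mip level (IDirect3DTexture9::LockRect) and copied out the D3DLOCKED_RECT's pBits and Pitch for a D3DFMT_A8R8G8B8 surface; the pixel data here is constructed. The detail worth seeing is the pitch: drivers may pad rows beyond width*4 bytes, and a dumper that copies pitch*height straight into the file produces sheared images.

```python
"""Write a locked A8R8G8B8 surface to a 32-bit BMP.

Added example, not the D3DTextureRipper source. Assumes the caller already
holds the locked rect's bytes and row pitch; sample data is constructed.
"""
import struct

BI_RGB = 0


def surface_to_bmp(width, height, pitch, pixels):
    """Pack rows of B,G,R,A bytes (A8R8G8B8 is stored BGRA in memory) into a
    32-bpp BMP. `pitch` is the locked-rect row stride; any padding beyond
    width*4 is skipped. BMP stores rows bottom-up, so the row order is reversed.
    The alpha byte is kept in the file; viewers treat it as padding for BI_RGB."""
    row_bytes = width * 4
    if pitch < row_bytes or len(pixels) < pitch * (height - 1) + row_bytes:
        raise ValueError("pixel buffer smaller than width/height/pitch imply")
    image = b"".join(pixels[y * pitch:y * pitch + row_bytes]
                     for y in reversed(range(height)))
    header_size = 14 + 40  # BITMAPFILEHEADER + BITMAPINFOHEADER
    file_header = struct.pack("<2sIHHI", b"BM", header_size + len(image), 0, 0, header_size)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 32, BI_RGB,
                              len(image), 2835, 2835, 0, 0)
    return file_header + info_header + image


def bmp_dimensions(data):
    """Read width, height and bits-per-pixel back from a BMP (sanity check)."""
    if data[:2] != b"BM":
        raise ValueError("not a BMP")
    width, height, _planes, bpp = struct.unpack_from("<iiHH", data, 18)
    return width, height, bpp


def sample_surface():
    """Constructed 2x2 texture whose locked pitch is 12 bytes (8 of pixels, 4 pad)."""
    w, h, pitch = 2, 2, 12
    rows = [
        [(0x00, 0x00, 0xFF, 0xFF), (0x00, 0xFF, 0x00, 0xFF)],  # red, green (BGRA)
        [(0xFF, 0x00, 0x00, 0xFF), (0xFF, 0xFF, 0xFF, 0x80)],  # blue, half-alpha white
    ]
    buf = bytearray()
    for row in rows:
        for px in row:
            buf += bytes(px)
        buf += b"\0" * (pitch - w * 4)
    return w, h, pitch, bytes(buf)


if __name__ == "__main__":
    w, h, pitch, px = sample_surface()
    with open("sample_texture.bmp", "wb") as f:
        f.write(surface_to_bmp(w, h, pitch, px))
```

For compressed formats (D3DFMT_DXT1 through DXT5) the locked bytes are 4x4 blocks rather than pixels, so a dumper either decodes them first or writes a DDS container instead of BMP.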

Slenderman – The Eight Pages – Chams

Here are some chams for Slender – The Eight Pages that I pulled in about 5 minutes while testing my d3dlogger. A side effect of the logger in Slender is that you can see Slenderman while he is hiding in the forest, because his model is highlighted red. I found it surprising just how few models the developer uses: if you scroll through all the models present in a scene using the tool you'll see there are maybe 15 models on screen at any given time.

The captions under each picture, as well as the file names, give the primcount and vertcount: 300×200.bmp means a primcount of 300 and a vertcount of 200.

Enjoy.

MemoryUtility – A Binary Modification Library

[Intro]

I've found myself reverse engineering a few applications lately. Usually I like to go about it with a debugger like OllyDbg attached, modifying the code at runtime and observing the results as I go. This is fine, except when you find yourself twenty instructions deep and having to re-type the instructions every time you hit “Restart” in Olly or every time the process crashes on you.

So I've put together a simple library that writes the patch bytes into the target process, so that I don't have to redo previous work every time that happens.

D3DTextureLoggerClient – A simple Primitive Finding Utility for Game Hacks and Chams

[Intro]

D3DTextureLoggerClient is a program that makes it easier to find primitives in Direct3D games. The current source can be found here. A binary build as of 07_06_2013 can be found here.

Values of the selected primitive are displayed in the form. The controls do the following:

  1. “Save Primitive” saves a screenshot of the selected geometry to an Output folder in the executable directory.
  2. “Forward” and “Backward” traverse the geometry list currently in memory.
  3. “Reset Prims” clears the geometry list. This is useful when you have just left a scene where a lot of geometry was rendered and are now looking for something in a scene with much less being drawn. It is also a good idea to clear the list if you have been searching for a while, since it may contain stale geometry that is just wasting your time.
  4. “Add to Chams” clears the z-buffer on that geometry and applies a pixel shader to it so it stands out.
  5. “Toggle Display” stops the geometry from being rendered by skipping its draw call.
  6. “Rip Model” dumps the geometry's vertex and index data to a file in bin\Output\ExeName\modelX.obj.

If you get errors about assemblies not being strong named, add “..\StrongName.snk” in the linker options for the VtableLookup project. If the problem persists, follow this link.

IDA Hacking Android Apps – Hero Defense

Here I will show you how to disassemble an Android game and modify its files to obtain an advantage like god mode using IDA Pro. For simplicity I will refer to editing code with IDA in this article as ida hacking.

The ida hack in action can be seen here:

Tools

  1. APK Downloader
  2. dex2jar
  3. jd-gui
  4. IDA Pro or similar disassembler (our main tool, and thus the phrase ida hacking)
  5. Binary patcher
  6. ZipSigner

IDA Hacking Tutorial

The steps for this project are as follows:

  1. Download the Hero Defense APK.
  2. Extract its contents.
  3. Turn its dex file into a .jar file.
  4. Disassemble it.
  5. Disassemble the shared library containing its API.
  6. Patch the library.
  7. Repackage the APK.
  8. Sign the APK.

The first thing you need to do before you start ida hacking is download the APK. This can be done using your Android device, or from your PC using the APK Downloader from evozi. Once you have the APK, rename it to a .zip file and use any zip utility to extract its contents. You will see a classes.dex file at the root of the extracted directory; turn this file into a jar with the dex2jar utility. After that you have a dex2jar.jar file containing all of the game's class files, which you can load in jd-gui and begin reading the code.
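Both the MemoryUtility post and step 6 above ("Patch the library") come down to the same operation: write a known set of bytes at known offsets, and do it again without retyping anything. The following is an added example of that patch-set logic, not the blog's MemoryUtility library or the binary patcher used in the Hero Defense walkthrough. The image is a bytearray standing in for the target; in a live-process tool the same read/verify/write sequence would go through ReadProcessMemory/WriteProcessMemory, and for an APK's native .so it runs over the extracted file before repackaging and re-signing. The bytes it patches are constructed and taken from no real game. The check a practitioner wants is the verification of the original bytes before anything is written, so a patch set built against one version is refused on a different one instead of silently corrupting it.

```python
"""Apply and revert a reusable set of in-place byte patches, verifying the
original bytes first.

Added example, not the MemoryUtility source. The image is a bytearray stand-in
for process memory or an extracted .so; the sample bytes are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Patch:
    offset: int
    expected: bytes  # bytes that must be present; guards against the wrong binary/version
    new: bytes
    note: str = ""


@dataclass
class PatchSet:
    patches: list
    undo: list = field(default_factory=list)

    def apply(self, image: bytearray) -> int:
        """Verify every patch's expected bytes, then write all of them.

        Returns the number of patches applied. On any mismatch the image is
        left untouched, so a half-applied set can never be produced."""
        for p in self.patches:
            if len(p.expected) != len(p.new):
                raise ValueError("patch %r changes length; not an in-place patch" % p.note)
            end = p.offset + len(p.expected)
            if end > len(image):
                raise ValueError("patch %r lies past the end of the image" % p.note)
            actual = bytes(image[p.offset:end])
            if actual != p.expected:
                raise ValueError("patch %r: expected %s, found %s"
                                 % (p.note, p.expected.hex(), actual.hex()))
        self.undo = []
        for p in self.patches:
            end = p.offset + len(p.new)
            self.undo.append((p.offset, bytes(image[p.offset:end])))
            image[p.offset:end] = p.new
        return len(self.patches)

    def revert(self, image: bytearray) -> int:
        """Restore the saved original bytes in reverse order; returns count restored."""
        for off, old in reversed(self.undo):
            image[off:off + len(old)] = old
        count = len(self.undo)
        self.undo = []
        return count


def sample_image() -> bytearray:
    """Constructed 16-byte stand-in for x86 code: xor eax,eax / test eax,eax /
    jz +5 / mov eax,1 / ret / nops. Not taken from any real binary."""
    return bytearray(bytes.fromhex("31c085c07405b801000000c390909090"))


def god_mode_patchset() -> PatchSet:
    """Hypothetical patch: turn the conditional jz (74) into an unconditional
    jmp (eb) so the branch is always taken. Offsets are for sample_image()."""
    return PatchSet([Patch(4, b"\x74\x05", b"\xeb\x05", "jz -> jmp")])


if __name__ == "__main__":
    img = sample_image()
    ps = god_mode_patchset()
    print("applied", ps.apply(img), "patch(es):", img.hex())
    print("reverted", ps.revert(img), "patch(es):", img.hex())
```

Keeping `expected` alongside `new` also makes the patch set self-documenting: a year later the hex pair tells you exactly which instruction was changed, which a bare offset and replacement byte do not.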