Welcome!

Join our community of MMO enthusiasts and game developers! By registering, you'll gain access to discussions on the latest developments in MMO server files and collaborate with like-minded individuals. Join us today and unlock the potential of MMO server development!

Join Today!

[Tutorial] Reverse Engineering C++ Programs: NyxLauncher.exe (Work-In-Progress)

Newbie Spellweaver
Joined
Aug 6, 2009
Messages
74
Reaction score
88
If you can't read x86 assembly, you should turn back now.

This is an introduction to reverse engineering using Gunbound as an example. The file I'm analyzing in this tutorial is NyxLauncher.exe (1,126,400 bytes, 1100 KiB, SHA1: 242c4c9e7f004088e6252ae12060b8738f39d9f5) from GunBound_GIS_S2_120731_Ver1068.exe (497,546,464 bytes, 474 MiB, SHA1: 66cd0efd8ed30ffa0f39dd901fe270ea3aa11d3b), this was the latest version I could get my hands on as I can't access MEGA.nz.

This tutorial is a work-in-progress.

Recommended knowledge before reading this tutorial:​

  • C and C++ programming basics
  • Win32 programming basics

Tools required to follow along:

  • for easier disassembly, latest version is v8.3.
  • Virtualization (VM) software to host old software. (I use )
  • Windows XP/2000 iso to install guest OS in a VM. (I use Windows 2000)
  • Visual Studio .NET 2003 to compile old software, I'll explain why this particular version later.
This particular version of Gunbound (v1068) was probably developed on Windows XP as can be seen in Gunbound.log, but I use Win 2000 for now as it requires less space and still works. You can find downloads for both OS and VS .iso files from archive.org (which I can't access either), but I got mine elsewhere. No matter where you download your .iso file, please make sure to verify/search the .iso file's hash (usually SHA1 for old OS) online.

Optional tools:
- , just a great tool in general, I use it for checking file hashes, and uncompressing .zip files for my guest OS as Windows 2000 doesn't support .zip files natively.
- Newer Visual Studio version, mainly to get dumpbin.exe, but .NET 2003 also comes with it. (I'm using the 2022 version on my host OS Windows 10)

Side note: You don't really need to install things within a VM, but I do it to prevent my host OS from messing up, it's also easier to make snapshots/backups to revert back to if things go wrong, and you can also isolate the guest OS from the internet.

I won't go over the installation of all the tools required.

Step 1. Determine the compiler and language used to create the executable.​

Open NyxLauncher.exe in IDA with the default options, after the autoanalysis completes, you should see something like this:
1 - [Tutorial] Reverse Engineering C++ Programs: NyxLauncher.exe (Work-In-Progress) - RaGEZONE Forums
Follow the jmp instruction to see this:
2 - [Tutorial] Reverse Engineering C++ Programs: NyxLauncher.exe (Work-In-Progress) - RaGEZONE Forums

If you lookup the three functions (AfxGetThread, AfxGetModuleState, AfxWinInit) I've underlined in red, you'll find that these are functions, so we know that this file was written with the MFC Library that comes with Visual C++.

In the HEADERS segment in IDA, you should find the following that tells us the linker version used, which is 7.10:
Code:
HEADER:00400140 ; IMAGE_OPTIONAL_HEADER
HEADER:00400140                 dw 10Bh                 ; Magic number
HEADER:00400142                 db 7                    ; Major linker version
HEADER:00400143                 db 0Ah                  ; Minor linker version
To get the compiler version, lookup or the partial table I've pasted below. The linker version is in parenthesis on the left, _MSC_VER is the compiler version. But we only need to know that linker version 7.10 corresponds to VS .NET 2003.
Visual Studio version_MSC_VER
Visual Studio 6.01200
Visual Studio .NET 2002 (7.0)1300
Visual Studio .NET 2003 (7.1)1310
Visual Studio 2005 (8.0)1400
To check if this is true, I run link.exe from cmd within the VM. The first line of output gives the linker version:
Code:
D:\Program Files\Microsoft Visual Studio .NET 2003\Vc7>link.exe
Microsoft (R) Incremental Linker Version 7.10.6030

Visual Studio comes with the source codes for MFC, C Runtime (CRT) and C++ standard library, they are located in "Vc7\atlmfc" and "Vc7\crt".
These are useful for identifying functions that IDA doesn't recognize, and that's why I listed VS .NET 2003 as a required tool.
We can also compile our own source code while analyzing the file to check that we are on the right path, as some C++ classes can be very tricky to navigate by just looking at disassembly.

About DUMPBIN.exe​

comes with Visual Studio, here's how to run it:
  • Visual Studio 2022 comes with "x64 Native Tools Command Prompt for VS 2022", this setups the required environment for easy command-line access to tools, so you don't have to mess with your environment variables.
    • If you just want to use cmd, you have to navigate to somewhere like "Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.XX.XXXXX\bin\Hostx64\x64" to find dumpbin.exe, or add the directory to your PATH variable.
  • Visual Studio .NET 2003 has something similar, execute "Vc7\bin\vcvars32.bat" from cmd to get a working environment.
The main I use are:
  • : Displays the file PE/COFF headers, not as fancy as seen in IDA.
    • Usage example: dumpbin /headers NyxLauncher.exe
  • : I use it to find the in statically-linked libraries.
    • Usage example: dumpbin /symbols Vc7\atlmfc\lib\nafxcw.lib > symbols.txt
  • : Similar to "/symbols" but for dynamically linked libraries.
    • Usage example: dumpbin /exports Vc7\atlmfc\lib\mfc71.lib > exports.txt
What are ?
Functions, data, and objects in C and C++ programs are represented internally by their decorated names. A decorated name is an encoded string created by the compiler during compilation of an object, data, or function definition. It records calling conventions, types, function parameters and other information together with the name. This name decoration, also known as name mangling, helps the linker find the correct functions and objects when linking an executable.
For us, this is just a way to set function names and types in IDA, especially when C++ classes and templates are involved. There are pages to determine which .lib file to use for finding and names. The static library files "Vc7\lib\libcpmt.lib" (C++ STL) and "Vc7\atlmfc\lib\nafxcw.lib" (MFC) are enough for now.

Step 2. Find out which libraries are used.​

Knowing the compiler and language used is just the first step.
For programs written in languages like C#/Java, there are decompilers that can reconstruct source code very effectively.

For C/C++ programs, knowing the third-party libraries used can speed things up, as you can spend more time functions that the authors wrote, instead of wasting time on identifying standard and third-party functions (e.g. C/C++ standard library, ATL/MFC, Boost, directx, zlib).

In our case, we know that NyxLauncher.exe uses the MFC Library from Visual Studio .NET 2003. There are strings we can find in IDA that indicate other libraries as well:
  • : "inflate 1.2.1 Copyright 1995-2003 Mark Adler", "deflate 1.2.1 Copyright 1995-2003 Jean-loup Gailly"
  • Boost: "boost::bad_weak_ptr", version unknown but no later than (released on Feb 24th 2012), as the file time stamp is "Wed Mar 21 09:05:24 2012". Maybe much earlier depending on how often the devs updated their libraries, will need to compare Boost source codes to find out.
I have only just begun so there may be more to uncover.

To be continued...analysis is still being done, tutorials will be updated whenever I have time to do so.
 

Attachments

You must be registered for see attachments list
Last edited:
Newbie Spellweaver
Joined
Aug 21, 2019
Messages
10
Reaction score
4
That's an amazing work! I wonder how's that going now
 
Back
Top