H/Q Another Droid BBS - andr01d.zapto.org:9999

Savefile reverse engineering

I created a new mod and wanted to be able to export a phonebook file in the format of Netrunner. Unfortunately, Netrunner is closed-source software, so it's not possible to get the code or the record type for the structure of the phonebook file. One option is to ask the developer, and perhaps he would be willing to share the structure... but in that case I wouldn't have had the idea to write this tutorial on reverse engineering a save file :) of any type.

So for this example I will use Netrunner, a tool to check differences between binary files called vbindiff (install it with apt-get), a calculator, paper and pen :)

First thing in reverse engineering... it's not 100% accurate! Keep that in mind. When you don't have the code for something, you only make guesses, or at some point you will have to make a guess... and guesses are not accurate :) When you reverse engineer a file, code or a machine, you may figure out 98-99.999% of it, but something will always be missing, because sometimes things are not obvious or can be done in various ways... Anyway... let's start.

Remove your old phonebook file and start Netrunner. NR will tell you that the phonebook doesn't exist and create a new one, which will be about 70kb. First clue! NR creates the complete file, as if it had a filled phonebook. Otherwise the file would be very small and every time you saved a new record it would increase in size.

Open the file netrunner.phn with vbinhexx. Navigate inside the file and take a look. We only see some text at the top of the file like "NetRunner Phone Book" and a few characters...
We also see that in some places the name of the capture file is mentioned, by default netrunner.cap. Not much info to proceed with. So open NR and create a phonebook record. In each field put a number and fill the whole field. For example, in Sys.Name type 11111111111111111111, in Address 222222222222222222222222222, in Sysop 33333333333333333333 etc. Fill all the text fields but don't touch anything else. Save the file.

Reopen the netrunner.phn file with vbinhexx and look at the file again. Now we have more info to proceed with. It's obvious that we can get the position of the fields we filled out very easily. You will notice that at the beginning of each field there is one more character. This is the length of the field, because the record structure and Netrunner are written in Pascal. But how do I know that it is written in Pascal? I know it because I know that the author uses Pascal for his programs... but even if I didn't know that, I checked the executable file of Netrunner with a hex editor and found some code and strings that are used under FreePascal (e.g. TIniFile).

So before each field we have its length, written in hex. Use your calculator to convert that to decimal and write it down on your paper. Note each field and its corresponding length. With just this move we almost have the record structure, but now the hard part begins.

Text fields are easy to find, but in the phonebook editor of NR we also saw some other fields like StatusBar, Emulation, Backspace and more. Those fields are not text, but bytes, perhaps even bits. How do we find those values? If you remember, I told you not to touch any other fields except the text ones. Go to the NR directory and make a copy of the new phonebook file we created (netrunner.cop). Now change the value of the StatusBar field and save it. Here we will need the program we downloaded earlier, vbindiff. We are going to compare the two files, netrunner.cop and netrunner.phn, with vbindiff.
Give this command:

vbindiff netrunner.cop netrunner.phn

The program will start. Press the Enter key once and you will see that one value in the displayed files is in magenta. Now we know that this is the value for the StatusBar option. When it says "ON" inside Netrunner the value is 01 and when it says "OFF" it's 00... simple? It's simple because this option/field has only two states; it's a boolean variable. But if you check the Emulation field, you will notice that it has three states: VT102, NONE, ANSI-BBS. How do we find those? The same way. You change the value once and compare it with the old one in the original file. But we only change one option/field each time!!! You don't want to change, e.g., the StatusBar and Emulation options together, because then we will not be able to tell which one is which in the phonebook file. We have to do that for each field and each value of that particular field, so we know the exact location in the file and also what values it takes. Do that and afterwards come back to continue the tutorial..................

Finished? Are you sure? Because I am getting the feeling that you are lying... :p

So by now we know the values and positions (almost) of each field. There is one more thing to do. As we saw, at the beginning of the file there is a small header... the "Netrunner Phone Book" text. But a header could contain more info and not only that text. We need to know the format of the header and also its length. Headers in general are tricky. In your working phonebook file, create one more record. Fill only the Sysname (or any other text field, but only ONE field). Open the phonebook with a hex editor (vbindiff also does the job) and check the text of the field (Sysname) in the first record and the second record. If you count the bytes between the start of Sysname in the first record and the start of Sysname in the second record, this number/difference is the size of the phonebook record/entry.
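Here is an added example (not part of the original tutorial, and not Netrunner's code) that does the two manual steps above in Python on a constructed buffer: it locates the length-prefixed Pascal string fields and reports the bytes that differ between two copies of a record where only one option was changed, which is what vbindiff shows in magenta. The record layout and field sizes in it are made up for the example; they are not Netrunner's real phonebook structure.

```python
"""Two steps of the tutorial done in code on a constructed record:

 1. Locate Pascal ShortString fields: a length byte N followed by N bytes of
    text (the "one more character" before each text field).
 2. Diff two copies of the same record that differ in exactly one option, the
    way vbindiff highlights the changed byte.

The layout below (field order and sizes) is CONSTRUCTED for this example and
is not Netrunner's actual format.
"""
import string

# Printable ASCII without control whitespace; used to recognise text runs.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def pascal_short(text: str, field_size: int) -> bytes:
    """Build a Pascal ShortString: length byte, text, zero-padded to field_size."""
    raw = text.encode("ascii")
    if len(raw) >= field_size or len(raw) > 255:
        raise ValueError("text does not fit the field")
    return bytes([len(raw)]) + raw.ljust(field_size - 1, b"\x00")


def build_record(sysname: str, address: str, sysop: str,
                 statusbar: int, emulation: int) -> bytes:
    """Constructed 72-byte record: three text fields, then two option bytes."""
    return (pascal_short(sysname, 21)      # offset 0x00
            + pascal_short(address, 28)    # offset 0x15
            + pascal_short(sysop, 21)      # offset 0x31
            + bytes([statusbar, emulation]))  # offsets 0x46, 0x47


def find_shortstrings(data: bytes, min_len: int = 4):
    """Return (offset, length, text) for every length-prefixed printable run.

    A hit is a byte N (>= min_len) followed by exactly N printable bytes and
    then a non-printable byte or the end of data.  The trailing check stops
    the inner digits of a long run of '1's from being reported as their own
    strings.
    """
    hits = []
    for off in range(len(data) - 1):
        n = data[off]
        if n < min_len or off + 1 + n > len(data):
            continue
        body = data[off + 1: off + 1 + n]
        if all(b in PRINTABLE for b in body):
            nxt = data[off + 1 + n: off + 2 + n]
            if not nxt or nxt[0] not in PRINTABLE:
                hits.append((off, n, body.decode("ascii")))
    return hits


def diff_bytes(old: bytes, new: bytes):
    """Offsets where two same-size buffers differ, as (offset, old, new)."""
    if len(old) != len(new):
        raise ValueError("buffers differ in size; compare like with like")
    return [(i, a, b) for i, (a, b) in enumerate(zip(old, new)) if a != b]


def demo():
    """Fill the text fields with digits, then flip only StatusBar OFF -> ON."""
    before = build_record("1" * 20, "2" * 27, "3" * 20, statusbar=0, emulation=0)
    after = build_record("1" * 20, "2" * 27, "3" * 20, statusbar=1, emulation=0)
    return find_shortstrings(before), diff_bytes(before, after)


if __name__ == "__main__":
    fields, changed = demo()
    for off, n, text in fields:
        print(f"text field at 0x{off:02X}, length {n} (0x{n:02X}): {text}")
    for off, a, b in changed:
        print(f"changed byte at 0x{off:02X}: {a:02X} -> {b:02X}")
```

Because only one option was changed between the two copies, the diff reports a single offset; changing two options at once would give two offsets with no way to tell which is which, which is the point the text makes.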
If you add up the bytes of the structure (you should already have found it :p) and compare the sum with this number, they should match.

Compare the two files again with vbindiff. vbindiff will show us some differences, because we added one more record. You will immediately see that at position 2F we have a difference. This is the number of records we have in our phonebook file. We are lucky, because this value is next to the byte that holds the text for the Sys.Name value. So now we know that the header of the phonebook file ends at 2F!

A header can contain any sort of info/data, so it's not always possible to figure it all out. In some cases it may contain checksums, dates, file size etc. So in order to figure them out, we need to do a lot of testing in various ways. For example, create two new phonebook files, one after another. No need to create any records. Compare those two files and you will see that the bytes from 21-24hex have changed. With no other bytes changed, we can assume that those four bytes contain a date value in some format. In our case it is a Pascal DateTime value.

Now we have reached a point where we can't figure out the other bytes of the header... we have a text string, a date, a number for the count of records and also a version number (the 1 00 string). When we reach a point like this, we can try to copy a header from an existing file into our own file, the one we create with code, and check whether it works or something goes wrong. So we could copy the header from a valid phonebook file and see if, for example, the program crashes, records do not appear etc. Info like that can give us ideas about what to search for next and how. But we can stop right here, as for our purposes we don't need the header. We can make a conversion utility from Netrunner to Syncterm just by knowing the record structure, so we are happy with that.... :)
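The following is an added example, not code from the tutorial or from Netrunner. It builds a constructed phonebook-style file that follows the shape the text deduces (the header text at the start, a changing 4-byte value at 0x21-0x24, the record count at 0x2F, fixed-size records from 0x30 on), then recovers the record size exactly the way the text does: it measures the distance between the Sys.Name field of record 1 and record 2 and checks it against the sum of the field sizes, and finally reads the records back using only that structure, which is all a conversion utility needs. The field table, the capacity of the file and the positions of the version bytes are assumptions made for the example; the 4 "date" bytes are left opaque rather than decoded.

```python
"""Constructed phonebook-style file: header up to 0x2F, then fixed-size records.

Everything about the record layout (FIELDS), the pre-allocated CAPACITY and the
placement of the version bytes is CONSTRUCTED for this example; only the header
text, the 0x21-0x24 span and the 0x2F record counter follow the tutorial.
"""

HEADER_TEXT = b"NetRunner Phone Book"
HEADER_SIZE = 0x30      # tutorial: header ends at 0x2F, records start right after
COUNT_OFFSET = 0x2F     # tutorial: byte holding the number of records
DATE_OFFSET = 0x21      # tutorial: four bytes that change between fresh files
VERSION_OFFSET = 0x25   # assumed position for the "1 00" bytes (not from the tutorial)
CAPACITY = 16           # assumed pre-allocated record slots (the real file is ~70kb)

# Constructed field table: (name, size in bytes, kind).
FIELDS = [
    ("sysname", 21, "shortstring"),
    ("address", 28, "shortstring"),
    ("sysop", 21, "shortstring"),
    ("statusbar", 1, "byte"),
    ("emulation", 1, "byte"),
]
RECORD_SIZE = sum(size for _, size, _ in FIELDS)  # 72 bytes


def encode_record(values: dict) -> bytes:
    """Serialise one record; missing text fields become empty ShortStrings."""
    out = bytearray()
    for name, size, kind in FIELDS:
        if kind == "shortstring":
            raw = values.get(name, "").encode("ascii")[: size - 1]
            out += bytes([len(raw)]) + raw.ljust(size - 1, b"\x00")
        else:
            out.append(values.get(name, 0) & 0xFF)
    return bytes(out)


def build_file(records: list) -> bytes:
    """Header plus CAPACITY pre-allocated slots, like the fixed-size file NR writes."""
    hdr = bytearray(HEADER_SIZE)
    hdr[: len(HEADER_TEXT)] = HEADER_TEXT
    hdr[DATE_OFFSET:DATE_OFFSET + 4] = b"\xDE\xAD\xBE\xEF"   # constructed stand-in for the date bytes
    hdr[VERSION_OFFSET:VERSION_OFFSET + 2] = b"\x01\x00"    # constructed "1 00" version bytes
    hdr[COUNT_OFFSET] = len(records)
    body = b"".join(encode_record(r) for r in records)
    return bytes(hdr) + body.ljust(RECORD_SIZE * CAPACITY, b"\x00")


def infer_record_size(data: bytes, marker1: bytes, marker2: bytes) -> int:
    """The tutorial's trick: distance between the same field in two consecutive records."""
    a, b = data.find(marker1), data.find(marker2)
    if a < 0 or b < 0:
        raise ValueError("field marker not found in file")
    return b - a


def parse_records(data: bytes, record_size: int = RECORD_SIZE) -> list:
    """Read `count` records from 0x30 using the field table and the stride."""
    if not data.startswith(HEADER_TEXT):
        raise ValueError("not a phonebook-style file (header text missing)")
    count = data[COUNT_OFFSET]
    records = []
    for i in range(count):
        off = HEADER_SIZE + i * record_size
        rec = {}
        for name, size, kind in FIELDS:
            if kind == "shortstring":
                n = data[off]
                rec[name] = data[off + 1: off + 1 + n].decode("ascii")
            else:
                rec[name] = data[off]
            off += size
        records.append(rec)
    return records


def demo():
    """Record 1 with every text field filled with digits, record 2 with only Sys.Name."""
    records = [
        {"sysname": "1" * 20, "address": "2" * 27, "sysop": "3" * 20,
         "statusbar": 1, "emulation": 2},
        {"sysname": "second"},
    ]
    data = build_file(records)
    stride = infer_record_size(data, b"\x14" + b"1" * 20, b"\x06second")
    if stride != RECORD_SIZE:
        raise AssertionError("field sizes do not add up to the measured record size")
    return stride, parse_records(data, stride)


if __name__ == "__main__":
    stride, recs = demo()
    print(f"record size: {stride} bytes (0x{stride:02X})")
    for rec in recs:
        print(rec)
```

The check in demo() is the one the text asks for: the measured distance between the two Sys.Name fields must equal the sum of the field sizes written down on paper; if it does not, a field was missed or mis-sized. Nothing in the header beyond the counter is interpreted, which mirrors the text's decision to stop there.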
With the same process we can reverse engineer save game files from games and create cheats/patches that will give us more credits, lives, gold etc. in the game. It's just trial and error... ;)

Another Droid BBS - DoNt Be aNoTHeR DrOiD fOR tHe SySteM
/: HaM RaDiO  /: ANSi ARt!  /: MySTiC MoDS  /: DooRS
/: NeWS  /: WeATheR  /: FiLEs  /: SPooKNet
/: GaMeS  /: TeXtFiLeS  /: PrEPardNeSS  /: FsxNet
/: TuTors  /: bOOkS/PdFs  /: SuRVaViLiSM  /: ArakNet
TeLNeT : andr01d.zapto.org:9999 [UTC 11:00 - 20:00]
SySoP : xqtr   eMAiL: xqtr@gmx.com
DoNaTe : https://paypal.me/xqtr