TECHNICAL

Reverse Analysis on Windows - A First Look

Dig deep into advanced debugging with Visual Studio and x64dbg: breaking and modifying game rules on Windows, and mastering single-step analysis and instruction edits for optimized code execution.

fairycn

Aug 30, 2023 • 4 min read

Jose Elgueta, a graphic designer, is deeply devoted to the arts of painting, illustration, and muralism. Continuously striving to hone his graphic and artistic expressions, he possesses a profound fascination with Latin-American shamanic themes. Through his journey, he has crafted a unique visual language, unveiling a world of forms and colors yet to be discovered by others.

Environment Information

System information: Windows
Tools involved: Visual studio , x64dbg
Note: This is a translation of the article previously written into English version, if you can not see the message I improve the translation
Test code.
C:

#include <stdio.h>
int main()
{
    int a;
    printf("Please input a number:\n");
    int x = scanf_s("%d", &a);               
    printf("%d\n", x);
     if (a % 5 == 0 && a % 7 == 0 && a >1 && a <200)                        
            printf("yes\n");                                
    else
            printf("no\n");                                    
    return 0;
}

Game rules

Enter a value so that its terminal returns the following information.

1
yes

Note: Normal input of 140 will satisfy the requirement

Break the rules

Enter something that does not match the condition to satisfy the requirement

Example idea:
After the program runs, a string will be entered

After that, the user starts to input, and then returns some content after judging.
The normal flow of the output string code will be before the judgment code, and most likely in a region, you can test to locate the judgment code region according to this string.

Verification:
The following settings will break at the Entry Breakpoint

Click the Run button to let the program continue to run

At this point, return to the x64dbg interface and search for the string information loaded by the program

Result:

Double-click the left mouse button to enter. At this time, see some judgment process.

Mouse wheel slide up to see the entry point of this function area (sub)
There are multiple int3 on sub, determine this is the address of the call

Next breakpoint

Reload the program

Run to the place where the breakpoint is placed

Breakpoints under Call and Judgment instructions are used for analysis

lea instruction: take offset address 7FF7D3DA2260 and send to register RCX

Run it in a single step and see that the terminal outputs the following string after this call

After this call, the terminal can enter the value

After confirming

Call register information

Return 1 after Call

Rerun, enter the value that does not meet the condition and compare

Call register information

Return 0 after Call

Difference
RAX is different
Rerun and enter the value that does not meet the condition and change the rax information to 1
Select RAX or the corresponding value and right click

Modify

Call runs and sees that 1 has been returned and a rule has been broken

Continue to run and see the following judgments

Judgment: according to the displayed instruction execution flow judgment, if the two jne instructions do not jump and jbe jump can return yes
Right click to edit the instruction so that it does not work

Modify the instructions

After modifying

Run to verify

This article, this is the end, have the fate to meet again.

Test code modified at: https://blog.csdn.net/qq_42200183/article/details/81431747