Well, this isn't really a question for anything but the sake of learning. But I know that you can inject DLLs into applications to modify the data during runtime. I've used this before on applications and it works well. Going along with that, you can inject data into a browser. I'm pretty sure that this can be done in a way to modify something on the browser. For example, a flash game. The problem here would be to modify data in a flash game to remove a client-side check to a server. Since this seems to be quite possible, it'd be cool if someone could explain how you'd do it or if it by some chance isn't possible, why it isn't? FTR, I'm fluent in C++ but don't know all that much about how Flash operates so if this isn't possible, that should explain why I don't know.
It's possible, but difficult: you have to reverse-engineer compiled software enough to figure out how you need to patch it, which is a different skillset than just knowing a language like C++.
Fuck, I just forgot how to do that :suicide:
Would having access to the actionscript stuff and what not behind it be of assistance or do you need to reverse engineer flash's compiler too?
If you can figure out how to modify the actionscript code in memory before Flash parses it, you shouldn't need to do anything to the actionscript engine itself.
Hmm... interesting. Do you know anything about how flash stores actionscript code pre-parsing or a place where I could read up on it?
Nope, sorry. Adobe doesn't exactly document the internal workings of their proprietary plugin. That's where the reverse-engineering comes in.
True, but I meant more like a third party that's already done this, since it was really just an idea I was pondering, not actually interested in messing with it if I've gotta go around reverse-engineering stuff.
[QUOTE=Wyzard;20906091]Nope, sorry. Adobe doesn't exactly document the internal workings of their proprietary plugin. That's where the reverse-engineering comes in.[/QUOTE]
Just use a runtime memory editor like a software called "Cheat Engine".
It's pretty useful for debugging applications (You can see the memory).
You can also access the memory of a process. So do that, and have it look at the memory of the flash process and do a mem search for some actionscript, and hopefully you'll find it.
Problem is, it already ran the AS by the time you find it and edit it.
Well the problem is it'd need to be automated, though I see how you could figure some stuff out through Cheat Engine. It'd also need to be able to do it before the AS has been run since by then it'd be too late.
I'm pretty sure you can intercept function calls.
Hmm, perhaps I'll look into it. Thanks guys.
You want to disable a server-side check?
Not possible, unless you somehow gain access to said server such that you can modify it.
Sorry rather, it's a sync check with a server.
There are applications around dedicated to reverse engineering and debugging that could attach to a process and be better suited for the job than a simple cheating app. One such application would be [URL="http://www.ollydbg.de/"]OllyDbg[/URL]. Such applications assume you can read assembly fluently though.
You could theoretically use the debugger to find the function you want to disable, then make it return whatever value the caller expects on a successful check. Don't know if this is how it would work in Flash though. As nullsquared said however, if the check relies on the server, there's not much you can do about it.
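The point above about checks that rely on the server, as an added example that is not part of the original thread: a minimal server that keeps the authoritative state and decides from its own records, so a client whose local check has been patched out gains nothing. `GameServer`, `plant`, `harvest`, the request fields and the constants are all hypothetical and constructed for illustration; they do not describe any real game's protocol.

```python
# Constructed example: GameServer, plant, harvest and the constants are hypothetical.
from dataclasses import dataclass, field

GROW_SECONDS = 3600   # assumed rule: a crop is ready one hour after planting
CROP_REWARD = 50      # assumed payout per harvest

@dataclass
class Player:
    coins: int = 0
    plots: dict = field(default_factory=dict)  # plot id -> server time of planting

class GameServer:
    """Holds the authoritative state; clients only send requests."""

    def __init__(self):
        self.players = {}

    def plant(self, player_id, plot_id, now):
        player = self.players.setdefault(player_id, Player())
        if plot_id in player.plots:
            return {"ok": False, "reason": "plot occupied"}
        player.plots[plot_id] = now  # server clock, never a client-supplied time
        return {"ok": True}

    def harvest(self, player_id, request, now):
        player = self.players.get(player_id)
        plot_id = request.get("plot")
        if player is None or plot_id not in player.plots:
            return {"ok": False, "reason": "nothing planted"}
        # Client claims such as request["ready"] or request["reward"] are never read.
        if now - player.plots[plot_id] < GROW_SECONDS:
            return {"ok": False, "reason": "not ready"}
        del player.plots[plot_id]
        player.coins += CROP_REWARD
        return {"ok": True, "coins": player.coins}

def demo():
    server = GameServer()
    server.plant("p1", "A1", now=0)
    # A client whose local check was patched out claims success and a big reward.
    tampered = server.harvest("p1", {"plot": "A1", "ready": True, "reward": 10**6}, now=10)
    honest = server.harvest("p1", {"plot": "A1"}, now=GROW_SECONDS)
    replayed = server.harvest("p1", {"plot": "A1"}, now=GROW_SECONDS + 1)
    return tampered, honest, replayed, server.players["p1"].coins

if __name__ == "__main__":
    print(demo())
```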
Have you tried decompiling the Flash file? Maybe its author was stupid enough not to obfuscate it.
[QUOTE=DrTaxi;20912938]Have you tried decompiling the Flash file? Maybe its author was stupid enough not to obfuscate it.[/QUOTE]
Oh yeah that would be impossible to counter then.. If only there was a way to deobfuscate things..
Oh wait..
Asking the FP user high might be a good starting point.
Or voided, I think he's a reverse engineer too.
(although i think he just makes steamid spoofers :v:)
[QUOTE=layla;20919956](although i think he just makes steamid spoofers :v:)[/QUOTE]
Lies..
[QUOTE=<ToD> Aaron;20905554]Well, this isn't really a question for anything but the sake of learning. But I know that you can inject DLLs into applications to modify the data during runtime. I've used this before on applications and it works well. Going along with that, you can inject data into a browser. I'm pretty sure that this can be done in a way to modify something on the browser. For example, a flash game. The problem here would be to modify data in a flash game to remove a server-side check. Since this seems to be quite possible, it'd be cool if someone could explain how you'd do it or if it by some chance isn't possible, why it isn't? FTR, I'm fluent in C++ but don't know all that much about how Flash operates so if this isn't possible, that should explain why I don't know.[/QUOTE]
As DrTaxi said, I'd start with seeing if you can decompile the flash file first.
Although I see this bit,
[QUOTE=<ToD> Aaron;20905554]The problem here would be to modify data in a flash game to remove a server-side check.[/QUOTE]
And I hope you're the one running the authoritative server, otherwise there isn't much you can do.
Past that, you could potentially inject your own code into the browser, but having it then modify flash itself would be an interesting challenge.
Perhaps [url=http://www.facepunch.com/member.php?u=60704]high[/url] knows more about this.
I said before, but I'll say it again and change the op : I meant a client-side check to a server.
I'll look to see if I can decompile the Flash, I assumed that would be necessary anyway.
I decompiled the swf and got the gateway, but I don't know what I'm looking for in the .as files for a connection to the server.
[CODE]
package
{
    import BaseGame.*;
    import Engine.Classes.*;
    import Engine.Managers.*;
    import flash.display.*;
    import flash.events.*;
    import flash.ui.*;

    public class BaseGame extends Sprite
    {
        protected var m_viewportClass:Class;
        public var parameters:Object;

        public function BaseGame(param1:Object = null)
        {
            m_viewportClass = Viewport;
            if (LoaderInfo(this.root.loaderInfo).parameters)
            {
                this.addEventListener(Event.ADDED_TO_STAGE, onAddedToStage);
            }
            var _loc_2:* = new ContextMenu();
            _loc_2.hideBuiltInItems();
            contextMenu = _loc_2;
            return;
        }// end function

        protected function onFullScreenChanged(event:FullScreenEvent) : void
        {
            if (GlobalEngine.viewport)
            {
                GlobalEngine.viewport.centerViewport();
            }
            return;
        }// end function

        protected function onAddedToStage(event:Event) : void
        {
            this.removeEventListener(Event.ADDED_TO_STAGE, onAddedToStage);
            this.stage.scaleMode = StageScaleMode.NO_SCALE;
            this.stage.align = StageAlign.TOP_LEFT;
            if (parameters == null)
            {
                parameters = LoaderInfo(this.root.loaderInfo).parameters;
            }
            initEngine();
            init();
            return;
        }// end function

        protected function onError(event:ErrorEvent) : void
        {
            return;
        }// end function

        private function initEngine() : void
        {
            GlobalEngine.stage = this.stage;
            GlobalEngine.viewport = new m_viewportClass() as Viewport;
            GlobalEngine.parseFlashVars(this.parameters);
            GlobalEngine.stage.addEventListener(FullScreenEvent.FULL_SCREEN, onFullScreenChanged);
            ErrorManager.getInstance().addEventListener(ErrorEvent.ERROR, onError);
            TransactionManager.initialize();
            GlobalEngine.log("Init", "Base URL: " + Config.SERVICES_GATEWAY_PATH);
            GlobalEngine.log("Init", "Asset URL: " + Config.ASSET_BASE_PATH);
            return;
        }// end function

        public function enableAllInput() : void
        {
            GlobalEngine.stage.mouseChildren = true;
            InputManager.enableInput();
            return;
        }// end function

        public function disableAllInput() : void
        {
            GlobalEngine.stage.mouseChildren = false;
            InputManager.disableInput();
            return;
        }// end function

        protected function init() : void
        {
            return;
        }// end function
    }
}
[/CODE]
That's BaseGame.as from Farmville. Am I looking for a URL?
[b]THREAD JACKED[/b]
lol not really, but Farmville is a game with a check in it.
[QUOTE=layla;20919956]Or voided, I think he's a reverse engineer too.
(although i think he just makes steamid spoofers :v:)[/QUOTE]
his creations are based primarily on the reverse engineering work of other people. he's not the right person to ask.
you know voided commented, right?
Helps if you share the file in question.
[QUOTE=high;20922473]Helps if you share the file in question.[/QUOTE]
a few comments ago, Wobbier gave part of the code from a flash game that this can be applied to.
[QUOTE=majorlazer;20922399]his creations are based primarily on the reverse engineering work of other people. he's not the right person to ask.[/QUOTE]
Right.. Because I didn't have a major hand in OSW at all.
[QUOTE=<ToD> Aaron;20922538]a few comments ago, Wobbier gave part of the code from a flash game that this can be applied to.[/QUOTE]
He didn't provide enough though :\.
But to get back on track, that decompiled file is missing the relevant code. My flash expertise is practically zero, so I'll leave the work to the people who know their way around it.
Ahh, automerge.