Reverse Engineering and Weaponizing XP Solitaire (Mini-Course)

As a beginner, reverse engineering can be a daunting and frustrating endeavor - but it's a lot more fun if you can learn via hacking and modding games to create your own cheats and maybe even inject a few (harmless) pranks into the code! Whether you watch it all the way through, or just in bits and pieces, join me in this master (of none) class as we try to recapture the fun and amazement of being a first-time reverser exploring and testing the limits of software and our own creativity, while also taking our minds off of the curse of the headless twins which has plagued our times!

In this video, we will:
- Use Ghidra to look at the internals of the XP Solitaire binary
- Hack the gameplay to our own benefit using Ghidra and x64dbg
- Create our own card images to use in the game using Resource Hacker + Python and Pillow
- Write C++ code to perform DLL Hijacking/Proxying to run our own "weaponized" code when Solitaire runs

Please leave feedback and questions here as comments, or DM me on Mastodon (social links listed on the channel). Check the pinned comment for any updates to the content. Remember: Use your knowledge and skills for good and fun, not evil (not even evil fun). Finally, let me know what you would like to see in future videos!
Project Homepage: https://github.com/jeFF0Falltrades/Tutorials/tree/master/hacking_weaponizing_solitaire

Resources and References:
- XP Solitaire Download: https://archive.org/details/ms_solitaire_windows_xp
- Ghidra: https://github.com/NationalSecurityAgency/ghidra
- x64dbg: https://x64dbg.com/
- Resource Hacker: http://www.angusj.com/resourcehacker/
- Format of Icons: https://devblogs.microsoft.com/oldnewthing/20120720-00/?p=7083
- Two's Complement: https://www.rit.edu/academicsuccesscenter/sites/rit.edu.academicsuccesscenter/files/documents/math-handouts/DM3_TwosComplement_BP_9_22_14.pdf
- Cutting Room Floor - Solitaire: https://tcrf.net/Solitaire_(Windows,_1990
- x86 Opcodes: https://nets.ec/Shellcode/Appendix/Alphanumeric_opcode
- Structure Padding: https://www.javatpoint.com/structure-padding-in-c
- Pixlr Photo Editor: https://pixlr.com/e/
- DLL Hijacking: https://www.upguard.com/blog/dll-hijacking
- MSYS2: https://www.msys2.org/
- cards.dll Function Descriptions: http://www.catch22.net/tuts/win32/using-cards-dll-api#
- Writing DLLs: https://www.tutorialspoint.com/dll/dll_writing.htm
- PE Resource Section Blog: https://blog.kowalczyk.info/articles/pefileformat.html

00:00:00 - Intro
00:03:46 - Important Notes
00:05:23 - Downloading XP Solitaire
00:07:00 - Starting a Ghidra Project
00:09:00 - Ghidra Familiarization
00:17:58 - Start Reversing: Examining Strings
00:21:41 - Patching Metadata Strings
00:25:33 - Loading/Patching Resource Strings
00:34:57 - Learning/Modding the ShellAbout Window
00:37:01 - Detour: Loading Icons from GroupIcon Resources
00:43:20 - Back to Modifying the ShellAbout Window
00:47:31 - Start Gameplay Hacking: Examining Scoring
00:59:56 - Finding the Score Value
01:03:03 - Scoring Options Parsed from the Registry
01:07:43 - Using x64dbg/x32dbg to Debug Scoring
01:22:45 - Detour: Two's Complement
01:26:06 - Back to Reversing the Scoring Function
01:30:37 - Found Score; Manually Modifying It
01:32:59 - Permanently Hacking the Scoring System and Timer
01:37:46 - Disabling the Game Timer Permanently
01:40:07 - Finding Score Value Tables
01:43:16 - Patching the Score Tables Permanently
01:49:55 - Testing Our Patched Program
01:52:16 - Creating Our Own Cheat Code
01:54:45 - Keyboard Accelerators Overview
02:00:16 - Detour: Structure Padding
02:01:41 - Back to Writing Our Own Cheat Code
02:04:03 - Testing Our Cheat Code
02:04:31 - End Gameplay Hacking; Start Modding Card Graphics
02:05:41 - Introducing Resource Hacker
02:06:46 - Examining Card Graphics in cards.dll
02:07:40 - Swapping in a Custom/Handsome Card Graphic
02:09:07 - Accidental Hilarity
02:09:50 - Formatting and Importing Our Graphic
02:11:05 - Overview: Using Python for Generating Custom Graphics
02:12:46 - Python Script Output
02:13:36 - Compiling .rc files to .res files
02:14:17 - Importing the .res file into Resource Hacker
02:14:58 - Playing with Our Custom Cards
02:15:19 - End Graphics Modding; Start Weaponization
02:16:23 - DLL Hijacking/Proxying Overview
02:18:55 - Downloading MSYS2/gcc
02:20:49 - Choosing a Function to Hijack
02:24:09 - Writing a DEF File
02:26:53 - Writing Our Weaponized DLL in C++
02:36:13 - Compiling the Weaponized DLL
02:41:09 - Wrap-Up
02:42:42 - Bonus Chapter: Manually Reversing PE Resource Trees

Music from Uppbeat:
- https://uppbeat.io/t/dominique-charpentier/petit-soldat (License code: QCOL8HO4IBFDSKTZ)
- https://uppbeat.io/t/ak/time-flies (License code: KA8ZAYC34IVTKIPS)

Photos from Pexels: https://www.pexels.com/

Get out of here, False Brian...