_                _   _                 ____            _     _ 	
   / \   _ __   ___ | |_| |__   ___ _ __  |  _ \ _ __ ___ (_) __| |	
  / _ \ | '_ \ / _ \| __| '_ \ / _ \ '__| | | | | '__/ _ \| |/ _\` |	
 / ___ \| | | | (_) | |_| | | |  __/ |    | |_| | | | (_) | | (_| |	
/_/   \_\_| |_|\___/ \__|_| |_|\___|_|    |____/|_|  \___/|_|\__,_|	
                                                                bbs
  XQTRs lair...
        __  _                        __ _                           _  __
  ______\ \_\\_______________________\///__________________________//_/ /______
  \___\                                                                   /___/
   | .__                                 __                                  |
   | |                   ___  __________/  |________                         |
   |                     \  \/  / ____/\   __\_  __ \                        |
   ;                      >    < <_|  | |  |  |  | \/                        ;
   :                     /__/\_ \__   | |__|  |__|                           :
   .                           \/  |__|                                      .
   .                                                                         .
   :           H/Q Another Droid BBS - andr01d.zapto.org:9999                :
   ;                                                                         ;
   + --- --  -   .     -        ---    ---    ---        -     .    - -- --- +
   :                                                                         :
   |                        Savefile reverse engineering                     |
   :                                                                         :
   ` --- --  -   .     -        ---    ---    ---        -     .    - -- --- '

    I created a new mod and wanted to be able to export a phonebook file in 
    the format of Netrunner. Unfortunately, Netrunner is closed-source 
    software, so it's not possible to get the code or the record type for the 
    structure of the phonebook file. One option is to ask the developer, who 
    might be willing to share the structure... but in that case I wouldn't 
    have had the idea to write this tutor on reverse engineering a save file 
    :) of any type.

    So for this example I will use Netrunner, a tool that shows the 
    differences between binary files called vbindiff (install it with 
    apt-get), a calculator, paper and pen :)

    First thing about reverse engineering... it's not 100% accurate! Keep 
    that in mind. When you don't have the code for something, you can only 
    make guesses, or at some point you will have to make a guess... and 
    guesses are not accurate :) When you rev.eng a file, code or a machine, 
    you may figure out 98-99.999% of it, but something will always be 
    missing, because some things are not obvious or can be done in various 
    ways... anyway... let's start.

    Remove your old phonebook file and start Netrunner. NR will tell you that 
    the phonebook doesn't exist and create a new one, which will be about 
    70kb. First clue! NR creates the complete file at its full size, as if it 
    already held a full phonebook. Otherwise the file would be very small and 
    would grow every time you saved a new record. A file that is preallocated 
    like this almost always means fixed-size records written straight to 
    disk, which is good news for us: every record has the same length and 
    every field sits at the same offset inside it.

    Open the file netrunner.phn with vbindiff (given a single file it works 
    as a hex viewer; any hex editor will do). Navigate inside the file and 
    take a look. We only see some text at the top of the file like "NetRunner 
    Phone Book" and a few characters... and at some points the name of the 
    capture file, by default netrunner.cap. Not much to proceed with. So open 
    NR and create a phonebook record. In each field type one digit, repeated 
    until the field is full. For example in Sys.Name type 
    11111111111111111111, in Address 222222222222222222222222222, in Sysop 
    33333333333333333333 etc. A different digit per field makes every field 
    easy to recognise in the hex dump, and filling each field completely 
    makes its stored length equal to its maximum length. Fill all the text 
    fields but don't touch anything else. Save the file.

    Reopen netrunner.phn in the hex viewer and look at the file again. Now we 
    have more to work with. The positions of the fields we filled are 
    obvious. You will notice that at the beginning of each field there is one 
    more byte. This is the length of the string, because Netrunner and its 
    record structure are written in Pascal, and a Pascal ShortString 
    (string[N]) is stored as one length byte followed by N bytes of 
    characters. But how do I know it is written in Pascal? I know it because 
    I know the author uses Pascal for his programs... but even if I didn't 
    know that, I checked the Netrunner executable with a hex editor and found 
    code and strings that belong to FreePascal (e.g. TIniFile).

    So before each field we have its length, as a single byte shown in hex. 
    Use your calculator to convert it to decimal and write it down on your 
    paper, noting each field and its length. Because we filled every field 
    completely, the length byte equals the field's capacity, and the field 
    takes that many bytes plus the length byte itself in the record (a 
    string[20] occupies 21 bytes). Keep the caveat in mind: in a record you 
    did not fill on purpose, the length byte only tells you how many 
    characters are currently stored, and the bytes after them up to the 
    capacity are padding whose content is undefined (often zero, but don't 
    count on it). With just this move we almost have the record structure, 
    but now the hard part begins. Text fields are easy to find, but in the 
    phonebook editor of NR we also saw other fields like StatusBar, 
    Emulation, Backspace and more. Those fields are not stored as text but 
    as bytes, perhaps even bits. How do we find those values?

    If you remember, I told you not to touch any other fields except the text 
    ones. Go to the NR directory and make a copy of the new phonebook file we 
    created (netrunner.cop). Now change the value of the StatusBar field and 
    save it. Here we need the program we downloaded earlier, vbindiff, to 
    compare the two files netrunner.cop and netrunner.phn. Give this command:
                     
                     vbindiff netrunner.cop netrunner.phn
                     
    The program will start. Press the Enter key once (it jumps to the next 
    difference) and you will see one byte in the two files highlighted in 
    magenta. Now we know that this byte is the StatusBar option. When it says 
    "ON" inside Netrunner the value is 01 and when it says "OFF" it's 00... 
    simple? It's simple because this option/field has only two states: it's 
    a Boolean variable, which FreePascal stores as a single byte. But if you 
    check the Emulation field, you will notice that it has three states: 
    VT102, NONE, ANSI-BBS. How do we find those? The same way. Change the 
    value once, save, and compare it with the untouched copy; repeat for each 
    of the three settings and note which byte value goes with which label. 
    An option like that is stored as a small integer, and vbindiff also 
    tells you how wide it is: if exactly one byte changes for every setting, 
    it's a one-byte field. But we only change ONE option/field each time!!! 
    You don't want to change e.g. StatusBar and Emulation together, because 
    then we will not be able to tell which changed byte belongs to which 
    option in the phonebook file.

    We have to do that for each field and for each value of that particular 
    field, so we know the exact location in the file and also what values it 
    takes. Do that and afterwards come back to continue the tutor..........
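    The same comparison as an added script (my example, not Netrunner's code 
    and not part of the original tutor): it reports the bytes that differ 
    between two saves and refuses to map an option when more than one byte 
    changed, which is the "one option at a time" rule enforced by code. The 
    file layout in it is constructed for the demo (a 0x30-byte header, a 
    64-byte record with the StatusBar byte at record offset 40 and the 
    Emulation byte at 41, VT102 assumed to be value 0); the real offsets are 
    whatever vbindiff shows you.

```python
# Added example, not Netrunner's code: the vbindiff "change one option,
# compare, note the byte" procedure as a script. The file layout below is
# constructed for the demo; the real phonebook's offsets must be measured.

HEADER = b"NetRunner Phone Book".ljust(0x30, b"\x00")  # constructed 0x30-byte header
REC_SIZE = 64                                           # assumed toy record size
STATUSBAR_OFF = 40                                      # assumed offset inside a record
EMULATION_OFF = 41                                      # assumed offset inside a record


def make_record(statusbar: int, emulation: int) -> bytes:
    """Build one constructed record: a filled string[20] Sys.Name (length
    byte 0x14 then twenty '1's, as in the tutor) plus two option bytes."""
    rec = bytearray(REC_SIZE)
    rec[0:21] = b"\x14" + b"1" * 20
    rec[STATUSBAR_OFF] = statusbar
    rec[EMULATION_OFF] = emulation
    return bytes(rec)


def diff_offsets(a: bytes, b: bytes) -> list:
    """Every (offset, old, new) where the two snapshots differ. Like vbindiff
    this is a positional compare, so it only makes sense when nothing was
    inserted or removed between the two saves."""
    if len(a) != len(b):
        raise ValueError(f"sizes differ ({len(a)} vs {len(b)}): records were added or removed")
    return [(i, a[i], b[i]) for i in range(len(a)) if a[i] != b[i]]


def is_single_change(base: bytes, snap: bytes) -> bool:
    """True when exactly one byte differs: the only case we can attribute to one option."""
    return len(diff_offsets(base, snap)) == 1


def map_option(base: bytes, base_label: str, variants: dict) -> tuple:
    """Locate one option from a baseline save plus one save per other UI setting.

    Returns (offset, {label: byte value}). Raises if a variant changed more
    than one byte, or a different byte than the other variants: both mean
    more than one option was changed between saves and the result would be
    ambiguous, which is exactly the mistake the tutor warns about.
    """
    offset = None
    values = {}
    for label, snap in variants.items():
        diffs = diff_offsets(base, snap)
        if len(diffs) != 1:
            raise ValueError(f"{label!r}: {len(diffs)} bytes changed, expected exactly 1")
        off, _old, new = diffs[0]
        if offset is None:
            offset = off
        elif off != offset:
            raise ValueError(f"{label!r}: changed {off:#x}, other settings changed {offset:#x}")
        values[label] = new
    values[base_label] = base[offset]          # the baseline's own setting
    return offset, values


def demo():
    """Constructed snapshots: one save with defaults, then one save per changed setting."""
    base = HEADER + make_record(0, 0)          # StatusBar OFF, Emulation VT102 (assumed = 0)
    sb_off, sb = map_option(base, "OFF", {"ON": HEADER + make_record(1, 0)})
    em_off, em = map_option(base, "VT102", {"NONE": HEADER + make_record(0, 1),
                                            "ANSI-BBS": HEADER + make_record(0, 2)})
    return sb_off, sb, em_off, em


if __name__ == "__main__":
    sb_off, sb, em_off, em = demo()
    print(f"StatusBar at {sb_off:#x}: {sb}")
    print(f"Emulation at {em_off:#x}: {em}")
```

    Save a baseline, then one file per setting of one option, and hand them 
    to map_option; a ValueError is the script telling you that you changed 
    two things between saves.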



































    Finished?


































    Are you sure? Because I am getting the feeling that you are lying... :p


































    So by now we know the values and positions (almost) of each field. There 
    is one more thing to do. As we saw in the beginning, at the start of the 
    file there is a small header... the "NetRunner Phone Book" text. But a 
    header can contain more info and not only that text. We need to know the 
    format of the header and also its length. Headers in general are tricky.

    In your working phonebook file, create one more record. Fill only the 
    Sys.Name (or any other text field, but only ONE field). Open the phonebook 
    with a hex editor (vbindiff also does the job) and find the text of that 
    field (Sys.Name) in the first record and in the second record. Count the 
    bytes between the start of Sys.Name in the first record and the start of 
    Sys.Name in the second record: this difference is the size of one 
    phonebook record/entry. Add up the bytes of the structure you have found 
    (length byte plus capacity for every string, one byte per option you 
    have mapped; you should already have them :p ) and compare with this 
    number: they should match. If your sum is smaller, the record holds bytes 
    you haven't found yet (padding, or options you never toggled), and the 
    difference tells you exactly how many.
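    Once the field list is on paper, the record parser is a few lines. This 
    is an added example (mine, not Netrunner's code) for both the string-field 
    paragraph earlier and the record-size check above: it packs and decodes 
    Pascal string[N] fields, builds a constructed phonebook with a 
    preallocated tail of empty slots, and measures the record size the way 
    the tutor describes, as the distance between Sys.Name in record 1 and 
    record 2. The capacities, the 0x30 header and the count byte at 0x2F are 
    an assumed toy layout built from the observations above, not Netrunner's 
    real structure.

```python
# Added example, not Netrunner's code. The layout below is an assumed toy
# record; substitute the names and capacities from your own notes.
STRING_FIELDS = [("sysname", 20), ("address", 27), ("sysop", 20)]  # string[N]: 1 length byte + N
OPTION_FIELDS = ["statusbar", "emulation"]                         # one byte each (from vbindiff)
REC_SIZE = sum(cap + 1 for _, cap in STRING_FIELDS) + len(OPTION_FIELDS)   # 21 + 28 + 21 + 2 = 72
HEADER_SIZE = 0x30      # header ends at 0x2F (observation from the tutor)
COUNT_OFF = 0x2F        # record-count byte (observation from the tutor)
MAX_RECORDS = 10        # toy stand-in for the preallocated ~70 KB file


def read_shortstring(buf: bytes, off: int, capacity: int) -> str:
    """Decode a string[capacity] at buf[off]. Byte 0 is the stored length;
    the bytes after the stored characters, up to the capacity, are padding
    whose content is undefined, so never read past the length byte's count."""
    length = buf[off]
    if length > capacity:
        raise ValueError(f"length {length} > capacity {capacity} at {off:#x}: wrong layout or corrupt file")
    return bytes(buf[off + 1:off + 1 + length]).decode("latin-1")


def pack_shortstring(text: str, capacity: int) -> bytes:
    """Encode text as string[capacity]; unused bytes are zeroed here (a real
    writer may leave garbage there, which is why readers must trust the length byte)."""
    data = text.encode("latin-1")
    if len(data) > capacity:
        raise ValueError(f"{text!r} does not fit in string[{capacity}]")
    return bytes([len(data)]) + data + b"\x00" * (capacity - len(data))


def parse_record(buf: bytes, base: int) -> dict:
    """Walk one record: fixed-capacity strings first, then the option bytes."""
    fields, off = {}, base
    for name, cap in STRING_FIELDS:
        fields[name] = read_shortstring(buf, off, cap)
        off += cap + 1
    for name in OPTION_FIELDS:
        fields[name] = buf[off]
        off += 1
    return fields


def parse_phonebook(buf: bytes) -> list:
    """Only the first `count` slots are live; the rest of the preallocated file is empty slots."""
    count = buf[COUNT_OFF]
    return [parse_record(buf, HEADER_SIZE + i * REC_SIZE) for i in range(count)]


def build_phonebook(records: list) -> bytes:
    """records: list of (string-field dict, option dict); missing fields are empty/zero."""
    header = bytearray(b"NetRunner Phone Book".ljust(HEADER_SIZE, b"\x00"))
    header[COUNT_OFF] = len(records)
    body = bytearray()
    for strings, options in records:
        for name, cap in STRING_FIELDS:
            body += pack_shortstring(strings.get(name, ""), cap)
        for name in OPTION_FIELDS:
            body.append(options.get(name, 0))
    body += b"\x00" * (REC_SIZE * (MAX_RECORDS - len(records)))   # preallocated empty slots
    return bytes(header + body)


def record_stride(buf: bytes, first_text: str, second_text: str) -> int:
    """Record size measured the tutor's way: the distance between the same
    field's text in record 1 and record 2 (the length bytes cancel out)."""
    a = buf.find(first_text.encode("latin-1"))
    b = buf.find(second_text.encode("latin-1"))
    if a < 0 or b < 0:
        raise ValueError("field text not found")
    return b - a


def demo():
    """Constructed file: record 1 fully filled with digits, record 2 with ONE field."""
    rec1 = ({"sysname": "1" * 20, "address": "2" * 27, "sysop": "3" * 20},
            {"statusbar": 1, "emulation": 2})
    rec2 = ({"sysname": "Another Droid BBS"}, {})
    buf = build_phonebook([rec1, rec2])
    stride = record_stride(buf, rec1[0]["sysname"], rec2[0]["sysname"])
    return buf, stride


if __name__ == "__main__":
    buf, stride = demo()
    print(f"file size {len(buf)} bytes, measured record size {stride}, computed {REC_SIZE}")
    for rec in parse_phonebook(buf):
        print(rec)
```

    Note the two length bytes in the constructed file: the filled Sys.Name 
    of record 1 has length byte 20 (its capacity), while record 2's 
    "Another Droid BBS" has length byte 17, so only a deliberately filled 
    field tells you the capacity.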

    Compare those two files again with vbindiff. vbindiff will show us some 
    differences, because we added one more record. Immediately you will see 
    that at position 2F we have a difference. This is the number of records 
    we have in our phone book file. We are lucky, because this byte sits 
    right before the length byte of the first record's Sys.Name. So now we 
    know that the header for the phone book file ends at 2F! (Is the count a 
    single byte? A wider little-endian integer stores its low byte first, so 
    a multi-byte counter whose changing byte is at 2F would have to start at 
    2F and run into the first record at 30; a one-byte count, 255 records 
    at most, is the reading that fits.)

    A header can contain any sort of info/data, so it's not always possible 
    to figure it out. In some cases it may contain checksums, dates, file 
    size etc. So in order to figure them out, we need to do a lot of testing 
    in various ways.

    For example, create two new phonebook files, one after another. No need 
    to create any records. Compare those two files and you will see that 
    bytes 21-24 hex have changed. With no other bytes changed, we can assume 
    that those four bytes contain a date value in some type of format. In 
    our case it is a Pascal DateTime value. One caveat about the "four 
    bytes": a TDateTime is an 8-byte double (days since 1899-12-30, with the 
    time of day as the fraction), so if that is what we are looking at, the 
    bytes that changed are only its low-order bytes and the value actually 
    spans 21-28. Two files created minutes apart on the same day differ only 
    in the low bytes that encode the time of day; the upper bytes hold the 
    day number and stay identical. Create a third file on another day (or 
    after moving the system clock) and more of those bytes should change. A 
    four-byte value could just as well be a 32-bit Unix timestamp, so test 
    both readings before writing anything down as fact.
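    A way to test the "date" hypothesis, as an added example (mine, not from 
    the tutor and not Netrunner's code). It encodes and decodes 
    Delphi/FreePascal TDateTime values, scans a header for 8-byte windows 
    that decode to a plausible TDateTime and 4-byte windows that decode to a 
    plausible Unix time, and shows which bytes of a TDateTime change between 
    two saves a minute apart. The header it works on is constructed: I 
    assume the TDateTime sits at 0x21, which the page does not confirm; it 
    only shows that 21-24 changed.

```python
# Added example, not Netrunner's code. Two hypotheses for "the bytes that
# changed between two fresh files": an 8-byte TDateTime double or a 4-byte
# Unix time. The sample header is constructed; 0x21 is an ASSUMED position.
import math
import struct
from datetime import datetime, timedelta

TDATETIME_EPOCH = datetime(1899, 12, 30)   # day 0 of a Delphi/FreePascal TDateTime
UNIX_EPOCH = datetime(1970, 1, 1)
DATE_OFF = 0x21                            # assumption for the constructed header only


def to_tdatetime(dt: datetime) -> float:
    """TDateTime: whole days since the epoch, time of day as the fraction."""
    return (dt - TDATETIME_EPOCH) / timedelta(days=1)


def from_tdatetime(value: float) -> datetime:
    return TDATETIME_EPOCH + timedelta(days=value)


def changed_bytes(a: bytes, b: bytes) -> list:
    """Offsets where two same-sized snapshots differ (what vbindiff highlights)."""
    return [i for i in range(min(len(a), len(b))) if a[i] != b[i]]


def find_timestamps(buf: bytes, lo_year: int = 1990, hi_year: int = 2100, must_cover=None) -> list:
    """Offsets where the bytes read as a plausible timestamp under either
    hypothesis: little-endian TDateTime double (8 bytes) or little-endian
    Unix time (4 bytes). If must_cover (offsets that changed between two
    saves) is given, keep only windows that contain at least one of them.
    Returns [(offset, kind, decoded datetime)]."""
    lo, hi = datetime(lo_year, 1, 1), datetime(hi_year, 1, 1)
    lo_td, hi_td = to_tdatetime(lo), to_tdatetime(hi)
    lo_ux, hi_ux = (lo - UNIX_EPOCH).total_seconds(), (hi - UNIX_EPOCH).total_seconds()
    hits = []
    for off in range(len(buf) - 7):
        (v,) = struct.unpack_from("<d", buf, off)
        if math.isfinite(v) and lo_td <= v < hi_td:
            hits.append((off, 8, "TDateTime", from_tdatetime(v)))
    for off in range(len(buf) - 3):
        (u,) = struct.unpack_from("<I", buf, off)
        if lo_ux <= u < hi_ux:
            hits.append((off, 4, "unix", UNIX_EPOCH + timedelta(seconds=u)))
    if must_cover is not None:
        hits = [h for h in hits if any(h[0] <= c < h[0] + h[1] for c in must_cover)]
    return [(off, kind, when) for off, _width, kind, when in hits]


def make_header(created: datetime) -> bytes:
    """Constructed stand-in for the 0x30-byte header: text at 0, TDateTime at DATE_OFF."""
    hdr = bytearray(b"NetRunner Phone Book".ljust(0x30, b"\x00"))
    struct.pack_into("<d", hdr, DATE_OFF, to_tdatetime(created))
    return bytes(hdr)


def demo() -> dict:
    """Two 'files' created a minute apart on the same day, as in the tutor."""
    created = datetime(2019, 5, 4, 11, 0, 0)
    first = make_header(created)
    second = make_header(created + timedelta(minutes=1))
    changed = changed_bytes(first, second)
    return {"created": created,
            "changed": changed,
            "all": find_timestamps(first),
            "filtered": find_timestamps(first, must_cover=changed)}


if __name__ == "__main__":
    r = demo()
    print("changed bytes:", [hex(c) for c in r["changed"]])
    print("every candidate:", r["all"])
    print("candidates overlapping the changed bytes:", r["filtered"])
```

    Two things fall out of running it. Between two saves a minute apart on 
    the same day only the low four bytes of the double change (the day 
    number lives in the upper bytes), which is consistent with the 21-24 
    observation. And the unfiltered scan also flags offset 0, because the 
    ASCII "NetR" happens to decode as a Unix time in 2013: a scanner on its 
    own produces false positives, and it is the diff between two saves that 
    makes the guess trustworthy.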

    Now we have reached a point where we can't figure out the other bytes of 
    the header... we have a text string, a date, a number for the count of 
    records and also a version number (the 1 00 string). When we reach a 
    point like this, we can copy the header from an existing file into the 
    file we create with our own code and check whether it works or something 
    goes wrong. So we could copy the header from a valid phonebook file and 
    see if, for example, the program crashes, records don't appear etc. Info 
    like that can give us ideas of what to search for next and how.

    But we can stop right here, as for our purposes we don't need the header. 
    We can make a conversion utility from Netrunner to Syncterm by just 
    knowing the record structure, so we are happy with that.... :)

    With the same process we can reverse engineer save game files from games 
    and create cheats/patches that will give us more credits, lives, gold etc 
    in the game. It's just trial and error... ;)


    + --- --  -   .     -        ---    ---    ---        -     .    - -- --- '
         _____         _   _              ____          _   _ 
        |  _  |___ ___| |_| |_ ___ ___   |    \ ___ ___|_|_| |        8888
        |     |   | . |  _|   | -_|  _|  |  |  |  _| . | | . |     8 888888 8
        |__|__|_|_|___|_| |_|_|___|_|    |____/|_| |___|_|___|     8888888888
                                                                   8888888888
                DoNt Be aNoTHeR DrOiD fOR tHe SySteM               88 8888 88
                                                                   8888888888
 /: HaM RaDiO   /: ANSi ARt!     /: MySTiC MoDS   /: DooRS         '88||||88'
 /: NeWS        /: WeATheR       /: FiLEs         /: SPooKNet       ''8888"'
 /: GaMeS       /: TeXtFiLeS     /: PrEPardNeSS   /: FsxNet            88
 /: TuTors      /: bOOkS/PdFs    /: SuRVaViLiSM   /: ArakNet    8 8 88888888888
                                                              888 8888][][][888
   TeLNeT : andr01d.zapto.org:9999 [UTC 11:00 - 20:00]          8 888888##88888
   SySoP  : xqtr                   eMAiL: xqtr@gmx.com          8 8888.####.888
   DoNaTe : https://paypal.me/xqtr                              8 8888##88##888