Monday, January 21, 2008

Obsidian's Developers Are Idiots

I had originally intended to publish an article on writing injectable DLLs today, however there is a rant that must be written down. It cannot wait. What is this important rant that must be published, you ask? Well, let me answer that question with another question: If you were filling in property fields, where would you want the data to go? Most of you are probably thinking to yourself "WTF - go? Why would I want it to go anywhere? The entire point of typing it in the property field was so that it would define that particular property!" You would be right, too.

Well, the clever [read: moronic] folks at Obsidian Entertainment decided that the conventional wisdom we've all come to expect simply is unacceptable. Today I tried out the Neverwinter Nights 2 toolset for the first time. I've owned the game for quite some time, but due to bad development (what a surprise) it had to be patched extensively before it would function, and I didn't get around to it until today. At any rate, our friends over at Obsidian got the bright idea that their toolset would be infinitely easier to use if the data from the field you defined gets moved (not just copied, MOVED) to the same property field of another object once you click on it. This wouldn't be so bad, except that the only way to save changes to the property fields is, you guessed it, to click on another object. This means that if you are filling in the description of an in-game item that is several paragraphs long, you have to select another property before switching focus to another object to save the changes. Worse yet, there is no mention of this in the help files. Personally I think they did a great job with the game itself, but this is ridiculous. If they were writing a GUI using a WYSIWYG drag and drop editor, they would expect any labels they filled in to keep the appropriate strings, not that a label's data suddenly gets put in a combobox when they decide to start defining another form control.

In short, Obsidian's developers desperately need a lesson in interface design. Maybe they should focus the vast majority of their open positions on designers for their development software, instead of the single senior position they're advertising...

Saturday, January 19, 2008

Taking Care of Your Notebook - 4 Rules

Today's feature will concern proper laptop care, and 4 rules to help keep it maintained and as pristine as the day it arrived. Recently (within the last 6 months) I purchased a new Dell Inspiron 1520 notebook to replace my 8 year old deprecated Gateway notebook. My Gateway was so old that it only had 128 MB of RAM and a 1.2 GHz Pentium 3 processor. It only had on-board video (you can start giggling now). Compare that with my recent order and it's like night and day. Now we live in a world where everyone effectively has at least 2 GHz of processor power (either through OCing or as a default setting) and RAM is measured in GB. Needless to say I wish to take good care of my investment. The first thing I noticed is that the new HD glossy widescreens attract dust much more quickly than my old notebook did. The way in which I used to clean my screen was with Windex and a paper towel. I was heartbroken when I discovered that on my new screen, this left streaks. Unacceptable! The quest for a new methodology had begun; I immediately went to my nearest Wally World (Wal-Mart): if anyone in my area had the supplies I would need at the lowest possible prices, it would be them. After hours of what seemed like endless searching, I believed I had found my Holy Grail: lens cleaner. Yes, Wal-Mart's optical "department" (it's really more of a hole carved in the wall, a hovel if you will) had a special on combo packs of lens cleaner. It came with several pre-moistened towelettes, a bottle of lens cleaner (with free refills for life) and a lint-free dry cloth. It was perfect. Naturally, my screen has never looked sexier. That brings us to rule #1: Lens cleaner is great for cleaning your notebook's screen.

My Inspiron also came with a massive 9-cell lithium-ion battery. I can get up to 6 hours of steady power (enough to play Gears of War without hiccups) from this baby with my WiFi turned off. Back when I bought my Gateway, lithium-ion technology was still in its infancy. It didn't really shine until it was used in iPods. Naturally, I didn't get as much out of my old battery because I didn't know that lithium-ion batteries retain a longer overall life if they are used frequently, and only charged when they need to be. I would not be making the same mistake here. This leads us to rule #2: Use it or lose it. Only plug your AC power source in when needed, or when doing tasks that consume lots of power (gaming, movie watching, etc).

As with all PCs, keeping your drivers/BIOS up to date is important. With my Inspiron, I initially had difficulty updating my display drivers. I have an nVidia GeForce Go 8600M GT, and so naturally began my search at nVidia's website. I would later learn that their do-it-yourself search system was flawed for notebooks. It is relatively easy to get the necessary desktop drivers, but the only notebook model they had a search mechanism for was the 8700M GTX. I then installed their ActiveX application so that nVidia could automatically detect my hardware configuration and send me to where my driver update was located. It was then that I was informed that Dell had given nVidia specific instructions not to distribute drivers to those with my model of notebook and GPU. Dell is one of those vendors that likes to add customizations to driver updates, and therefore I would need to update my drivers directly from them. This leads us to rule #3: Get your driver updates from your notebook vendor whenever possible.

While I was waiting on my drivers to finish downloading, I surfed around Dell's online support center. "As long as I'm here, I may as well find everything else that I need," I said to myself. I looked up the latest BIOS version, and sure enough, there was an update. I downloaded it, and after installing my video drivers, I sat down to update my BIOS. I hadn't updated a notebook BIOS in a long time (I'm used to desktops, which are always plugged in to a power source), but luckily when I tried to flash my BIOS with the AC cord unplugged, Dell's software warned me of the dangers. Some vendors may not have such foresight, so that brings us to rule #4: Always plug yourself in before flashing your BIOS.

Friday, January 18, 2008

Hacking Neverwinter Nights 2 - Pt. 1 of 2

Today's post will be the first of a two-part segment on exposing the relevant pieces of NWN2's game code in order to find, or in this particular case make, an exploit. The principles can be applied to any software, but for the purposes of this article we will be using a video game, where the exploit we make won't endanger or cause harm to anyone. Additionally, games make excellent subjects for this type of lesson because the game world is a very easily controlled environment. Virtually everything we may want to change can be provoked by simple gameplay, and before the game's tutorial mode ends we should have a working money hack.

The first thing that must be addressed is whether or not we have the right tools to perform the task. Generally, the only tool you will need is L. Spiro's Memory Hacking Software (a link to his downloads page is available on the sidebar of this blog). It combines a memory scanner, a debugger and disassembler, as well as several very helpful miscellaneous utilities. Some of you more experienced people may remember SoftICE, and may even at one point have been infatuated with the "auto-assembler" feature, in which you could input any assembler code and it would give you the resulting hex bytes. MHS has resurrected this functionality, and rightfully so. If you intend to write a stand-alone hack to distribute to friends, alas, I will not be covering injectable DLLs or trainers in this article. We will strictly be dealing with interpreting and rewriting game code. It should also be noted that I won't be explaining the basics of assembler, hex, or how to use a debugger. If these concepts are foreign to you, it may be in your best interests to Google them before continuing.

Start NWN2 and create a new game with a new character (it doesn't have to be a specific type of character, just so long as you start out with the default inventory). Go through the game as usual until you've finished speaking with Georg in the village square. You should now have 10 gold pieces and Daeghun's furs. Open up MHS (be sure to set nwn2main.exe as the opened process) and do a DWORD search for "10". You should get an astronomical number of results. Go talk to Galen the Merchant and sell him Daeghun's furs (resulting in 170 gold pieces). Return to MHS and do a subsearch for "170". This narrows my list to 3 (which is within acceptable parameters). If your list still has too many results, buy the bow and sieve for the resulting value. If you still have too many, you probably did something wrong and should start over. When you are ready to proceed, place a different value in each slot (e.g. 167, 168, and 169). This helps us identify which address actually holds the data we want (the other two are pointers, and get reset by the game). Once the results have been narrowed down to 1, right-click on the address and select "Find out what writes this address". Go back to Galen and buy the bow (if you already bought the bow, sell your armor and then buy it back). The debugger should have landed on the following code:
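The search-then-subsearch-then-poke procedure above, written out as an added example that is not part of the original post or of MHS: it runs against a constructed 256-byte stand-in for the process (the offsets GOLD_OFF, MIRROR_OFFS and the helper names are my assumptions, not the game's real layout), and shows why the poked values single out the real counter while the game resets its derived copies.

```python
import struct

DWORD = struct.Struct("<I")  # MHS's DWORD search reads little-endian 32-bit values

# Constructed stand-in for nwn2main.exe's memory (not the real layout): the gold
# counter lives at GOLD_OFF, and MIRROR_OFFS are two slots the game refreshes
# from it on every update (the post's "pointers ... reset by the game").
GOLD_OFF = 0x80
MIRROR_OFFS = (0x2C, 0xC4)
NOISE_OFFS = (0x10, 0x40, 0x9C)  # unrelated DWORDs that also happen to hold 10

def make_process(gold: int) -> bytearray:
    mem = bytearray(256)
    for off in (GOLD_OFF,) + MIRROR_OFFS:
        DWORD.pack_into(mem, off, gold)
    for off in NOISE_OFFS:
        DWORD.pack_into(mem, off, 10)
    return mem

def game_tick(mem: bytearray) -> None:
    """The game rewriting its derived copies from the real counter."""
    gold = DWORD.unpack_from(mem, GOLD_OFF)[0]
    for off in MIRROR_OFFS:
        DWORD.pack_into(mem, off, gold)

def game_set_gold(mem: bytearray, value: int) -> None:
    """A buy/sell event: the game's own code updates the counter."""
    DWORD.pack_into(mem, GOLD_OFF, value)
    game_tick(mem)

def scan(mem: bytes, value: int, candidates=None) -> list:
    """Initial search over every aligned DWORD, or a sub-search over `candidates`."""
    offs = range(0, len(mem) - 3, 4) if candidates is None else candidates
    return [o for o in offs if DWORD.unpack_from(mem, o)[0] == value]

def find_gold_address(mem: bytearray):
    """Return (sub-search hits, offsets whose poked value survived a game update)."""
    hits = scan(mem, 10)            # after Georg: 10 gp, an "astronomical" hit count
    game_set_gold(mem, 170)         # sell Daeghun's furs to Galen
    hits = scan(mem, 170, hits)     # sub-search: only the counter and its copies remain
    # Poke a different value into each survivor (167, 168, ...), let the game run,
    # and keep the slot that still holds what we wrote; the copies get reset.
    probes = {off: 167 + i for i, off in enumerate(hits)}
    for off, value in probes.items():
        DWORD.pack_into(mem, off, value)
    game_tick(mem)
    real = [off for off, value in probes.items()
            if DWORD.unpack_from(mem, off)[0] == value]
    return hits, real
```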

MOV EAX, DWORD PTR [ESP+0x1C]   ; load the function's parameter (the new gold total)
MOV DWORD PTR [EDI+0x800], EAX  ; store it in the player's gold field

This shows the game moving a function's parameter into EAX, and then EAX into the buffer the game has allocated dynamically at runtime for the player's gold. NWN2 is different from most games in that it has separate functions for handling buy and sell events. The above code is for buy events. We want to change the two instructions above into the following:

MOV DWORD PTR [EDI+0x800], 100000  ; store a fixed value straight into the gold field
NOP                                ; padding so the overwrite covers the original bytes
NOP
NOP

This will cause NWN2 to set your gold level to an absurdly high amount every time you BUY something! Try it out by selling and then repurchasing your armor. One of the perks to the way in which we wrote this hack is that the game still believes you paid for the armor, and even displays the message that you lost 50 gold pieces! Furthermore, since we are setting the value instead of adding to it, we don't have to worry about the counter overflowing after too many buy events. One thing to remember is that you need to be aware of what code you overwrite and how it affects the game. Luckily for us, the code we wrote is exactly the same size in bytes as the original two instructions in the game's code. In the event that this is not the case, it's important to remember to use code caves (MHS does this for you, but it is preferable to learn to do it yourself), though that is a lesson for another day.
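To make the "same size in bytes" check explicit, here is an added example (not the post's or MHS's code; the helper names are mine) with a minimal hand-written encoder for just the three instruction forms above, which pads the replacement with NOPs to the exact length it overwrites and refuses anything longer (the code-cave case). It also shows why the count must be read from the debugger rather than assumed: with a 1-byte displacement for [ESP+0x1C] the original pair is 10 bytes and needs no padding, while with the 4-byte form it is 13 bytes and needs exactly the three NOPs listed above.

```python
REG = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3, "esp": 4, "ebp": 5, "esi": 6, "edi": 7}

def modrm_mem(reg_field: int, base: str, disp: int, force_disp32: bool = False) -> bytes:
    """ModRM (+ SIB when the base is ESP) and displacement for [base+disp], 32-bit mode."""
    rm = REG[base]
    if -128 <= disp <= 127 and not force_disp32:
        mod, disp_bytes = 0b01, disp.to_bytes(1, "little", signed=True)
    else:
        mod, disp_bytes = 0b10, disp.to_bytes(4, "little", signed=True)
    out = bytes([(mod << 6) | (reg_field << 3) | rm])
    if rm == REG["esp"]:   # rm=100 means "SIB follows"; 0x24 = scale 1, no index, base ESP
        out += b"\x24"
    return out + disp_bytes

def mov_reg_mem(dst, base, disp, force_disp32=False):  # MOV r32, [base+disp]            8B /r
    return b"\x8b" + modrm_mem(REG[dst], base, disp, force_disp32)

def mov_mem_reg(base, disp, src):                      # MOV [base+disp], r32            89 /r
    return b"\x89" + modrm_mem(REG[src], base, disp)

def mov_mem_imm32(base, disp, imm):                    # MOV DWORD PTR [base+disp], imm32  C7 /0 id
    return b"\xc7" + modrm_mem(0, base, disp) + imm.to_bytes(4, "little")

def build_patch(original: bytes, replacement: bytes) -> bytes:
    """Pad the replacement with NOPs so it overwrites exactly the original bytes."""
    if len(replacement) > len(original):
        raise ValueError("replacement longer than the bytes it overwrites: use a code cave")
    return replacement + b"\x90" * (len(original) - len(replacement))

def original_bytes(esp_disp32: bool = False) -> bytes:
    """The two instructions the debugger lands on; the ESP operand may be encoded
    with an 8-bit or a 32-bit displacement depending on the compiler."""
    return mov_reg_mem("eax", "esp", 0x1C, esp_disp32) + mov_mem_reg("edi", 0x800, "eax")

def gold_patch(original: bytes) -> bytes:
    """The post's replacement, sized to the bytes actually being overwritten."""
    return build_patch(original, mov_mem_imm32("edi", 0x800, 100000))
```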

Thursday, January 17, 2008

New Beginnings

Well, this is my first post on my brand-spankin' new blog. This will be my new and improved base of operations for all things technological. Feel free to use your Google/Gmail account to comment on posts and share your thoughts on articles.

Among the topics that will be discussed are programming, reverse engineering, video games, computer hardware and peripherals, and web development. Most code samples (depending on the type of post) will be in either x86 Assembler (MASM syntax), C#, C++, C++/CLI, or ASP.NET. Any personal works that are released should be considered freeware unless explicitly stated otherwise.

And, while I'm on the subject, I take no responsibility for the actions of those that use any information that is shared via this blog. I should hope that we are all mature enough adults to know the difference between right and wrong - and if not, those that can't should not be allowed to access this gift we take for granted known as the Internet. There was a time (20+ years ago) when only the government and government-affiliated universities had this luxury, so keep that in mind.

I think that just about covers everything. I will moderate this blog with an iron fist, and spam or otherwise useless material will be removed without warning.