m_miro Newbie cheater
Reputation: 0
Joined: 31 Jul 2019 Posts: 19
Posted: Wed Jul 31, 2019 1:22 am Post subject: How do I find the parameter used in a function call?
Howdy,
I'm trying to reverse engineer Jet Set Radio. Right now I'm trying to make sense of the AFS file format and the files inside of AFS files. There's a function call to fopen that I think opens an AFS file.
I'm trying to read the filename while the game is running, but the address of the function call in Ghidra isn't the same as it is in Cheat Engine. So I'm attempting to find the address in Cheat Engine by searching for one of the parameters in the fopen call.
The function call in Ghidra is _fopen(_Filename,"rb")
Is there a way to search function parameters or for the string "rb"?
I tried searching for "rb" but all it gave was an unrelated string.
Corroder Grandmaster Cheater Supreme
Reputation: 75
Joined: 10 Apr 2015 Posts: 1668
Posted: Wed Jul 31, 2019 4:55 am
I think fopen and _wfopen are standard C library functions.
They are used to open a file by checking the file and returning a validity parameter.
Same as in Lua: fopen = io.open. Some modes to open a file using fopen (in C) or io.open (in Lua) are:
"r" read mode (the default);
"w" write mode;
"a" append mode;
"r+" update mode, all previous data is preserved;
"w+" update mode, all previous data is erased;
"a+" append update mode, previous data is preserved, writing is only allowed at the end of the file.
So, if you try to search "rb", then, of course, the search result returns all strings that contain "rb".
Maybe, to find the parameter list (in C) called by a function:
1. Identify the address of the start of the parameter list. A pointer to the parameter list is passed to the called function in register 1.
2. Locate the value of the base register in the Saved Registers section of the function you are interested in.
3. Find the offset of the static variable in the partial storage offset compiler listing.
4. Add the value of the base register to the offset.
5. Locate the parameter.
More info: https://www.ibm.com/support/knowledgecenter/SSLTBW_2.3.0/com.ibm.zos.v2r3.ceea100/fvar.htm
_________________
Stealing Code From Stolen Code...
And Admit It.. Hmmm....Typically LOL
m_miro Newbie cheater
Reputation: 0
Joined: 31 Jul 2019 Posts: 19
Posted: Wed Jul 31, 2019 3:36 pm
Sorry but I'm really confused. I don't know how to do the things you stated in that list. Could you explain it to me?
FreeER Grandmaster Cheater Supreme
Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Wed Jul 31, 2019 4:06 pm
just set a breakpoint on the function _fopen?
CE does support (lua) conditional breakpoints, I think it's even in the creation GUI now (previously you had to set the breakpoint then open the breakpoint window and right click it to set a condition).
Once you find the call you care about you can see where it returns to.
_________________
m_miro Newbie cheater
Reputation: 0
Joined: 31 Jul 2019 Posts: 19
Posted: Wed Jul 31, 2019 4:24 pm
Are you saying to set a breakpoint on the function call _fopen or on the function? I don't know where the _fopen function call is to place the breakpoint, I can't find the address for the function call in Cheat Engine.
FreeER Grandmaster Cheater Supreme
Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Wed Jul 31, 2019 9:33 pm
just type the name fopen or _fopen, it's a C library function. Example when attached to CE itself:
_________________
m_miro Newbie cheater
Reputation: 0
Joined: 31 Jul 2019 Posts: 19
Posted: Thu Aug 01, 2019 2:37 am
I didn't know that was a thing. That's very useful, thanks for showing me. I can just place a breakpoint on fopen now and wait for something to use the function, right?
FreeER Grandmaster Cheater Supreme
Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Thu Aug 01, 2019 9:05 am
pretty much, you may have to follow the jmp and place the breakpoint there, it's been a while since I tried to track anything through the library functions.
_________________
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Thu Aug 01, 2019 12:57 pm
Just a side note for other programs you may approach with this, it will not always work depending on how the program is compiled. fopen is a C runtime function, but if the program is statically linked to the runtime and has its debug information stripped out, you won't always have the ability to jump to functions by name like that.
_________________
- Retired.
m_miro Newbie cheater
Reputation: 0
Joined: 31 Jul 2019 Posts: 19
Posted: Fri Aug 02, 2019 1:47 pm
How do I determine if a program is statically linked?
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
m_miro Newbie cheater
Reputation: 0
Joined: 31 Jul 2019 Posts: 19
Posted: Sat Aug 03, 2019 12:00 am
What program is that? I don't know how to look at an import table. I took a look at the game's module list in Process Monitor. Would statically linked DLLs show up in the module list?
Corroder Grandmaster Cheater Supreme
Reputation: 75
Joined: 10 Apr 2015 Posts: 1668
Posted: Sat Aug 03, 2019 12:10 am
How about "tasklist /m" command?
_________________
Stealing Code From Stolen Code...
And Admit It.. Hmmm....Typically LOL
m_miro Newbie cheater
Reputation: 0
Joined: 31 Jul 2019 Posts: 19
Posted: Sat Aug 03, 2019 12:41 am
I found out what program that is: it's CFF Explorer, for anyone who may be reading this. I took a look at the game in CFF Explorer and it does contain the MSVCRT.dll.
It was also compiled in Visual Studio C++ 8.
I placed breakpoints on MSVCRT.fopen and MSVCRT.fopen+D, but the process never breaks. Does this mean MSVCRT.fopen is never called? Am I doing something wrong?
EDIT
I tried using "tasklist /m" and it only shows the following DLLs:
ntdll.dll, wow64.dll, wow64win.dll, wow64cpu.dll
CFF Explorer showed way more DLLs in the import table than tasklist did. I'm not sure what this means.
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Sat Aug 03, 2019 11:52 pm
There are different versions of each function and depending on the age of the CRT used, it can be used via a different name.
For example, Microsoft introduced 'safe' versions of the CRT functions such as 'fopen'. In that case, it would be 'fopen_s'. There are also Unicode versions of the same functions; for fopen those would be:
_wfopen and _wfopen_s
There are older versions as well such as:
_open / _wopen
_sopen_s / _wsopen_s
File access is not guaranteed to be done through these functions either. It may use normal API such as:
CreateFileA / CreateFileW
ReadFile
And so on. And yea, the tool in my screenshot is CFF Explorer.
_________________
- Retired.
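Both of atom0s's points above (a statically linked CRT leaves no fopen to break on by name, and file access may go through fopen_s, _wfopen, CreateFileA and the rest) come down to reading the import table, which is what m_miro did in CFF Explorer. The following is an added example, not code from this thread or from Cheat Engine, that walks a PE file's import directory with only the Python standard library and reports which CRT DLLs and file-opening routines are imported; `parse_imports`, `crt_link_report` and `FILE_OPEN_APIS` are names chosen here, and treating "no msvcr*/ucrtbase import at all" as the sign of a statically linked CRT is an assumption, not something the thread states.

```python
import struct

# Routines the thread names as ways a program may open files (list assembled from the posts above).
FILE_OPEN_APIS = {"fopen", "fopen_s", "_wfopen", "_wfopen_s", "_open", "_wopen",
                  "_sopen_s", "_wsopen_s", "CreateFileA", "CreateFileW", "ReadFile"}

def _rva_to_offset(rva, sections):
    for vsize, va, raw_size, raw_ptr in sections:          # map an RVA to a file offset via the section table
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_imports(data):
    """Return {dll name (lower-case): [imported symbol names]} for a PE file image read from disk."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew: offset of the "PE\0\0" signature
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)   # COFF file header
    opt = pe + 24                                           # optional header follows the 20-byte COFF header
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B  # magic 0x20B = PE32+, 0x10B = PE32
    dirs, thunk_fmt = (opt + 112, "<Q") if is64 else (opt + 96, "<I")
    import_rva = struct.unpack_from("<I", data, dirs + 8)[0]   # data directory entry 1 = import table
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)[1:] for i in range(nsec)]
    imports, thunk_size = {}, struct.calcsize(thunk_fmt)
    desc = _rva_to_offset(import_rva, sections) if import_rva else None
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)   # IMAGE_IMPORT_DESCRIPTOR
        if name_rva == 0 and ft == 0:                       # all-zero descriptor terminates the array
            break
        names, thunk = [], _rva_to_offset(oft or ft, sections)   # prefer the original (unbound) thunk list
        while (entry := struct.unpack_from(thunk_fmt, data, thunk)[0]) != 0:
            if entry >> (thunk_size * 8 - 1):               # IMAGE_ORDINAL_FLAG set: imported by ordinal, no name
                names.append(f"ordinal#{entry & 0xFFFF}")
            else:                                           # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the name
                names.append(_cstr(data, _rva_to_offset(entry, sections) + 2))
            thunk += thunk_size
        imports[_cstr(data, _rva_to_offset(name_rva, sections)).lower()] = names
        desc += 20
    return imports

def crt_link_report(data):
    imports = parse_imports(data)
    crt_dlls = sorted(d for d in imports if d.startswith(("msvcr", "ucrtbase", "api-ms-win-crt")))
    file_apis = sorted((d, f) for d, fns in imports.items() for f in fns if f in FILE_OPEN_APIS)
    # Assumption: no CRT DLL in the import table means the runtime was linked in statically.
    return {"crt_dlls": crt_dlls, "file_apis": file_apis, "static_crt_likely": not crt_dlls}
```

Feed it the bytes of the executable on disk (the same file CFF Explorer was opened on); an empty `crt_dlls` list is the static-CRT case atom0s describes, where fopen cannot be reached by name and the file-opening routine has to be found some other way.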