LtO (Advanced Cheater)
Posted: Fri Mar 30, 2018 7:53 am, Post subject: Finding native bytecode after JIT
I'm still looking to find the native bytecode in a Flash application. I have learned a few things about it, but it's hard to find conclusive info or tutorials on how to do this... It would be awesome if I could just convert the code into how it would look after the JIT compilation. But I guess it's probably not that easy.
When I check for it in memory with ffdec, I also notice javaw and javactivex are running, and I thought maybe that is a way I could find it? But as I said, I'm not finding specific info about this and would love some assistance with it...

FreeER (Grandmaster Cheater Supreme)
Posted: Fri Mar 30, 2018 9:52 am
Perhaps try to find the Flash bytecode pre-JIT and set a breakpoint to see what reads it; whatever does is probably the code that JITs it, so then you just need to look at that code to figure out where it writes the native code to during/after JITting.

LtO (Advanced Cheater)
Posted: Fri Mar 30, 2018 12:42 pm
FreeER wrote: "Perhaps try to find the Flash bytecode pre-JIT and set a breakpoint to see what reads it; whatever does is probably the code that JITs it, so then you just need to look at that code to figure out where it writes the native code to during/after JITting."
Ok, I certainly have access to all bytecodes pre-JIT, that ain't a problem; I just decompile the app and find all the bytecode in memory.
With breakpoints, do you mean using the function 'find out what accesses/writes to this address'?

FreeER (Grandmaster Cheater Supreme)
Posted: Fri Mar 30, 2018 1:28 pm
Do an AOB scan for the Flash p-code and find what accesses that, e.g.
"whatever does is probably the code that JITs it, so then you just need to look at that code to figure out where it writes the native code to during/after JITting."
(disclaimer: I haven't done this myself, it's just something that seems logical to me)

FreeER (Grandmaster Cheater Supreme)
Posted: Fri Mar 30, 2018 6:49 pm
You'd look for any bytecode that you know exists, preferably one you're interested in finding the JITted code for... After that it's a matter of reverse-engineering the code you find to see where it writes the JITted Intel assembly code...

LtO (Advanced Cheater)
Posted: Sat Mar 31, 2018 12:27 am
FreeER wrote: "You'd look for any bytecode that you know exists, preferably one you're interested in finding the JITted code for... After that it's a matter of reverse-engineering the code you find to see where it writes the JITted Intel assembly code..."
I'm not finding any of those bytecodes, unfortunately. I'm afraid that code was already JIT-compiled too when the game logged on... Or is that not possible? I can look at all the bytecodes of the source and it's not there.

FreeER (Grandmaster Cheater Supreme)
Posted: Sat Mar 31, 2018 11:18 am
I suppose it's possible. Use the Windows debugger and open the process from the file (which will break on the entry point, before the JIT code could run), then do your scan and breakpoint setup.
If for some reason you can't do that with the Flash Player plugin, then go get the standalone Flash Player (https://www.adobe.com/support/flashplayer/debug_downloads.html) and use that for finding the JIT code and what the asm is; hopefully the JITted bytes will be the same.

LtO (Advanced Cheater)
Posted: Sun Apr 01, 2018 11:59 am
FreeER wrote: "I suppose it's possible. Use the Windows debugger and open the process from the file (which will break on the entry point, before the JIT code could run), then do your scan and breakpoint setup. If for some reason you can't do that with the Flash Player plugin, then go get the standalone Flash Player (https://www.adobe.com/support/flashplayer/debug_downloads.html) and use that for finding the JIT code and what the asm is; hopefully the JITted bytes will be the same."
Thanks, that's a great tip actually. I tested it, and the only problem I came across is that the process of the Flash Player plugin (in Firefox) is only created when the game has started running... So I tried to start the Flash process with another game and then attach to it with WinDbg; when I then try to run my game it does pause quickly as we want, but the game is not loaded into memory yet at that point, so I cannot change any values there... The new Flash process then starts when I detach the debugger, but I guess it's already too late then... It would be great if the game could be paused before the first JIT compilation; then I wouldn't need to find any JITted code... Or would there be another process that already contains the memory of the game before the Flash Player plugin is started? I tried some processes but no luck.
I have now downloaded the Flash Player projector like you said. I'm not sure if I could run the game from there, but I'll give it a try.
I'm glad someone is finally steering me in the right direction with this.
I'm stuck again, could someone please help me with this?