Parsia's Den

Because no one wants to be the other guy from Wham!

Nov 29, 2017 - 4 minute read - Comments - Game Hacking

"Hacking" Car Mechanic Simulator 2015

Not real hacking!

Tl;dr:

  1. Open this file with a hex editor:
    • \AppData\LocalLow\Red Dot Games\Car Mechanic Simulator 2015\profile#\global
  2. Search for money and xp.
  3. Locate the int32 value of each property; the values are stored little-endian.
  4. Convert your current XP and money to hex to make the search easier.
  5. Overwrite them with 6F FF FF FF.
  6. ???
  7. You have “hacked” the game.

It does not get easier than this.
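The search-and-patch steps above, as an added Python example (not code from the post): it encodes the current value as little-endian int32 bytes, finds every offset where those bytes occur, and writes the new value to a copy of the file so the original stays as your backup. It runs on a constructed sample blob, not the real "global" file. Two things are assumptions rather than facts about the save format: that a property's value sits near its name (used only to pick between duplicate hits), and that the game reads the field as a signed int32, in which case the largest positive value is 0x7FFFFFFF (FF FF FF 7F on disk) and any last byte with its top bit set decodes as a negative number. decode_int32() lets you check what a hex string means before you write it.

```python
import struct
import sys

# Constructed sample save blob (not the real file): two int32 properties that
# happen to hold the same value, so a raw search for the bytes is ambiguous.
MONEY = b"money"
XP = b"xp"
SAMPLE = (
    b"\x00\x01profile\x00"
    + MONEY + b"\x00" + struct.pack("<i", 1500) + b"\x00" * 6
    + XP + b"\x00" + struct.pack("<i", 1500) + b"\x00" * 4
)

INT32_MAX = 0x7FFFFFFF  # largest value a *signed* int32 can hold (FF FF FF 7F on disk)


def int32_le(value):
    """Encode a value as little-endian int32: 1500 -> b'\\xdc\\x05\\x00\\x00'."""
    return struct.pack("<i", value)


def decode_int32(raw):
    """Return the (signed, unsigned) readings of four little-endian bytes."""
    return struct.unpack("<i", raw)[0], struct.unpack("<I", raw)[0]


def find_all(data, needle):
    """Every offset of needle in data, overlapping matches included."""
    hits, start = [], 0
    while True:
        idx = data.find(needle, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def nearest_hit(data, hits, label):
    """Pick the hit closest to an occurrence of label.

    Assumption: a property's value is stored near its name.  This is only a
    heuristic for disambiguation, not a documented layout of the save file.
    """
    labels = find_all(data, label)
    if not labels:
        raise ValueError("label %r not found" % label)

    def distance(hit):
        return min(abs(hit - (pos + len(label))) for pos in labels)

    return min(hits, key=distance)


def patch_int32(data, current, new, label=None):
    """Replace the int32 `current` with `new`; returns (patched_bytes, offset)."""
    if not -0x80000000 <= new <= INT32_MAX:
        raise ValueError("%d does not fit a signed int32" % new)
    hits = find_all(data, int32_le(current))
    if not hits:
        raise ValueError("current value %d not found" % current)
    if len(hits) > 1 and label is None:
        raise ValueError("value found at offsets %s; pass label= to choose" % hits)
    offset = hits[0] if len(hits) == 1 else nearest_hit(data, hits, label)
    patched = data[:offset] + int32_le(new) + data[offset + 4:]
    return patched, offset


def main(argv):
    if len(argv) not in (4, 5):
        print("usage: %s <save-file> <current-value> <new-value> [label]" % argv[0])
        return 1
    label = argv[4].encode() if len(argv) == 5 else None
    with open(argv[1], "rb") as f:
        data = f.read()
    patched, offset = patch_int32(data, int(argv[2]), int(argv[3]), label)
    # Write a copy; the untouched original is your backup if the game rejects the edit.
    with open(argv[1] + ".patched", "wb") as f:
        f.write(patched)
    print("patched offset 0x%x, wrote %s.patched" % (offset, argv[1]))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python patch.py global 1500 2147483647 money` (values in decimal), then rename the `.patched` copy over the original. If a property's value appears elsewhere in the file, the script refuses to guess unless you pass the label; if the game keeps a checksum over the file, an edited copy may be rejected, which is why the original is left untouched.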

Nov 27, 2017 - 1 minute read - Comments - Windows

cmd Startup Commands

This post shows how to run a command automatically every time you open a new command prompt on Windows.

  1. Open the Registry Editor (regedit).
  2. Navigate to the following key:
    • HKCU\Software\Microsoft\Command Processor
  3. Double-click the Autorun value and type in your command. For example:
    • cd /d C:\Users\IEUser\Desktop\Whatever\
  4. If the Autorun value is missing, create it as a string value (REG_SZ).
  5. Now every new cmd window automatically cds to the Whatever directory.
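The same change done from Python, as an added example that is not code from the post. It sets the value for the current user and then lists both locations cmd.exe consults, because an AutoRun string runs in every cmd.exe that is not started with `/d`, including the ones spawned by installers and build scripts, which makes these two values a persistence location worth checking during incident response. Assumes Windows; the `winreg` import is guarded so `build_autorun_command()` also runs elsewhere.

```python
import ntpath
import sys

try:
    import winreg
except ImportError:  # not on Windows: only the pure helper is usable
    winreg = None

SUBKEY = r"Software\Microsoft\Command Processor"
VALUE_NAME = "AutoRun"


def build_autorun_command(directory):
    """The command the post puts in AutoRun.  /d switches the drive as well
    as the directory; the path is quoted only when it contains a space."""
    directory = ntpath.normpath(directory)
    if " " in directory:
        directory = '"%s"' % directory
    return "cd /d " + directory


def hives():
    # cmd.exe runs the HKLM value first, then the HKCU value (see cmd /?).
    return [("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)]


def read_autorun(root):
    """Current AutoRun string under `root`, or None if key or value is absent."""
    try:
        with winreg.OpenKey(root, SUBKEY) as key:
            value, _kind = winreg.QueryValueEx(key, VALUE_NAME)
            return value
    except FileNotFoundError:
        return None


def set_autorun(command):
    """Create the key if needed and store `command` as REG_SZ for the current user."""
    with winreg.CreateKey(winreg.HKEY_CURRENT_USER, SUBKEY) as key:
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_SZ, command)


def audit_autorun():
    """[(hive, command)] for every AutoRun value that is set."""
    found = []
    for name, root in hives():
        command = read_autorun(root)
        if command:
            found.append((name, command))
    return found


if __name__ == "__main__":
    if len(sys.argv) == 2:
        set_autorun(build_autorun_command(sys.argv[1]))
    for hive, command in audit_autorun():
        print("%s\\%s\\%s = %s" % (hive, SUBKEY, VALUE_NAME, command))
```

`python autorun.py C:\Users\IEUser\Desktop\Whatever` sets the value and prints whatever is configured in both hives; run it with no argument to audit only. If a tool you run from a script depends on the starting directory, the cd will break it, so `cmd /d` is the way to get a prompt without the AutoRun command.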

I am going to keep blogging consistently (hopefully). This means breaking my habit of having to write extensive blog posts.

Nov 15, 2017 - 9 minute read - Comments - winappdbg reverse engineering CTF

WinAppDbg - Part 4 - Bruteforcing FlareOn 2017 - Challenge 3

Previous parts:

We have learned some good stuff. In this part I am going to talk about the original problem that led me to learning WinAppDbg. This is my writeup for challenge 3, “Greek to me”, of FlareOn 2017. It is a bruteforce challenge and rather easy, but instead of bruteforcing it the conventional (and straightforward) way, I will show how I traversed arbitrary assembly blobs using WinAppDbg.

I will (hopefully) mostly talk about solving the challenge and not a lot of recon or other places I was stuck at.

Code is in my clone:

Nov 15, 2017 - 17 minute read - Comments - winappdbg reverse engineering

WinAppDbg - Part 3 - Manipulating Function Calls

Previously on WinAppDbg-TV:

As usual, code is in my clone on Github. Download that directory to your VM and follow along:

In part two we learned how to hook functions by hooking IE and Firefox to see pre-TLS traffic. Just looking at function calls is fun but often not enough. We need to be able to modify function parameters and return values.

In this part we will learn how to do that (and a few other things). We will start with something simple and then move on to more complex examples.
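What "modifying function parameters and return values" looks like in WinAppDbg, as an added example (not code from the series): it hooks `user32!MessageBoxW` in a target started from the command line, rewrites one argument before the callee reads it, and overwrites the return register after the call. The choice of function and target is illustrative. It assumes WinAppDbg on Windows; the `param_location()` helper, which encodes where an argument lives at function entry on x86 (all on the stack above the return address) and x64 (RCX, RDX, R8, R9, then the stack past the 32-byte shadow space), is pure Python. `MB_OK` and `IDOK` are the winuser.h constants.

```python
import sys

try:
    from winappdbg import Debug, EventHandler
except ImportError:  # not on Windows or WinAppDbg missing: keep helpers importable
    Debug = EventHandler = object

MB_OK = 0x0   # uType: a single OK button (winuser.h)
IDOK = 1      # MessageBox return value for the OK button (winuser.h)
X64_ARG_REGS = ("Rcx", "Rdx", "R8", "R9")


def param_location(index, bits=32):
    """Where integer argument `index` (0-based) lives at function entry.

    x86 stdcall/cdecl: [esp] is the return address, so argument n is at
    esp + 4*(n+1).  x64: the first four ride in RCX, RDX, R8, R9; the rest
    sit above the return address and the 32-byte shadow space, which works
    out to rsp + 8*(n+1).
    """
    if bits == 32:
        return ("stack", 4 * (index + 1))
    if index < len(X64_ARG_REGS):
        return ("reg", X64_ARG_REGS[index])
    return ("stack", 8 * (index + 1))


def write_argument(process, thread, index, value):
    """Overwrite argument `index` from inside a pre-hook, wherever it lives."""
    bits = process.get_bits()
    kind, where = param_location(index, bits)
    if kind == "reg":
        thread.set_register(where, value)
    elif bits == 64:
        process.write_qword(thread.get_sp() + where, value)
    else:
        process.write_dword(thread.get_sp() + where, value)


class MessageBoxHooks(EventHandler):
    # DLL -> [(function name, number of integer-sized parameters)]
    apiHooks = {"user32.dll": [("MessageBoxW", 4)]}

    def pre_MessageBoxW(self, event, ra, hWnd, lpText, lpCaption, uType):
        process = event.get_process()
        print("MessageBoxW(%r, %r, uType=0x%x) called from 0x%x" % (
            process.peek_string(lpText, fUnicode=True),
            process.peek_string(lpCaption, fUnicode=True), uType, ra))
        # Argument 3 (uType): force a plain OK box whatever the caller asked for.
        write_argument(process, event.get_thread(), 3, MB_OK)

    def post_MessageBoxW(self, event, retval):
        # Whichever button was pressed, the caller sees IDOK.
        reg = "Rax" if event.get_process().get_bits() == 64 else "Eax"
        event.get_thread().set_register(reg, IDOK)
        print("MessageBoxW returned %d, caller will see %d" % (retval, IDOK))


def main(argv):
    if len(argv) < 2:
        print("usage: %s <target.exe> [args...]" % argv[0])
        return 1
    with Debug(MessageBoxHooks(), bKillOnExit=True) as debug:
        debug.execv(argv[1:])
        debug.loop()
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The pre-hook fires at the function's first instruction, so the stack slot or register it rewrites is exactly what the callee is about to read; the post-hook fires at the return address, after the callee has loaded Eax/Rax and before the caller consumes it. Rewriting a pointer argument (lpText, say) needs a buffer inside the target, which `process.malloc()` plus `process.write()` provides; the example sticks to an integer argument to keep the mechanism visible.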

Nov 11, 2017 - 23 minute read - Comments - winappdbg reverse engineering

WinAppDbg - Part 2 - Function Hooking and Others

In part one we talked about the basics of WinAppDbg. In this part we are going to learn a few new things:

  • I wrote a simple python module to simplify my use of WinAppDbg. It will most likely be modified later, but I have included a version that works with the tutorials at:
  • DLL enumeration: We’re going to implement one of procmon’s features.
  • Process/Thread tracing: Another procmon feature.
  • Function Hooking: It’s very easy in WinAppDbg and we will learn how to do it a couple of different ways.
    • We will hook pre-TLS encryption data for Internet Explorer and Firefox to hack the Gibson.

Copy this directory https://github.com/parsiya/Parsia-Clone/tree/master/code/winappdbg to your VM and let’s go.
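The DLL enumeration and process/thread tracing listed above, as an added example that is not the series' own code (it does not use the helper module mentioned in the bullet list). It prints procmon-style lines for process start/exit, thread start/exit and DLL load/unload, and goes one step further than the excerpt: each loaded module is classified by where it came from, so a DLL picked up from outside the system directories and the application's own directory is flagged as a possible search-order hijack. Assumes WinAppDbg on Windows and a target given as an executable path or a PID; the `SYSTEM_DIRS` list is a hard-coded assumption, so a legitimate module from elsewhere will also be flagged. `classify_module()` is pure Python.

```python
import ntpath
import sys

try:
    from winappdbg import Debug, EventHandler
except ImportError:  # not on Windows or WinAppDbg missing: keep helpers importable
    Debug = EventHandler = object

# Assumed "trusted" locations; anything else is surfaced for a closer look.
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")


def classify_module(path, app_dir, system_dirs=SYSTEM_DIRS):
    """'system', 'app' or 'other' depending on the directory a module came from."""
    folder = ntpath.normpath(ntpath.dirname(path)).lower()

    def under(root):
        root = ntpath.normpath(root).lower()
        return folder == root or folder.startswith(root + "\\")

    if any(under(d) for d in system_dirs):
        return "system"
    if app_dir and under(app_dir):
        return "app"
    return "other"


class Tracer(EventHandler):
    def __init__(self):
        EventHandler.__init__(self)
        self.app_dir = {}  # pid -> directory of the main executable

    def create_process(self, event):
        process = event.get_process()
        exe = process.get_filename()
        self.app_dir[event.get_pid()] = ntpath.dirname(exe)
        print("process %d started: %s" % (event.get_pid(), exe))

    def exit_process(self, event):
        print("process %d exited, code %d" % (event.get_pid(), event.get_exit_code()))

    def create_thread(self, event):
        print("thread %d started in pid %d" % (event.get_tid(), event.get_pid()))

    def exit_thread(self, event):
        print("thread %d exited in pid %d" % (event.get_tid(), event.get_pid()))

    def load_dll(self, event):
        path = event.get_module().get_filename()
        where = classify_module(path, self.app_dir.get(event.get_pid(), ""))
        flag = "   <-- outside system/app dirs" if where == "other" else ""
        print("pid %d loaded %s%s" % (event.get_pid(), path, flag))

    def unload_dll(self, event):
        print("pid %d unloaded %s" % (event.get_pid(), event.get_module().get_filename()))


def main(argv):
    if len(argv) < 2:
        print("usage: %s <pid | target.exe [args...]>" % argv[0])
        return 1
    with Debug(Tracer(), bKillOnExit=True) as debug:
        if argv[1].isdigit():
            debug.attach(int(argv[1]))
        else:
            debug.execv(argv[1:])
        debug.loop()
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

When you attach to a running process, WinAppDbg replays `create_process`, `create_thread` and `load_dll` for everything already present, so the classification covers modules loaded before you arrived as well as later ones. Comparison is case-insensitive because Windows paths are, and `WinSxS` is included because side-by-side assemblies resolve there rather than in System32.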