In this lab you learn how code and data are represented in memory and how to make low-level changes to a program in an assembly language. You will create modifications (mods) to a game.
Note that due to the network boot setup, your home folder is wiped when the computer is restarted or crashes. Therefore, store all your files during this lab in the `~/local-data` folder, which is located on the local disk.
- Text editor: Geany
- Hex editor: wxHexEditor or ghex
- Disassembler: `objdump -d --demangle /path/to/executable > disassembly.txt`
- Assembler: `as /path/to/assembly.s -o /tmp/asm.o && ld -e 0 --oformat binary -o /path/to/machine_code /tmp/asm.o`
- IA-32 cheat sheet (GNU format): <http://www.cs.utsa.edu/~clark/cs3843/IA32cheatSheet.pdf>
- Intel IA-32 instruction set reference: <http://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-instruction-set-reference-manual-325383.pdf>
- 0\) Download and unpack the archive with the material for this lab from <https://polybox.ethz.ch/index.php/s/pIpnV3oDaRpV4Ms> or <http://www.disco.ethz.ch/lectures/ti2fp/exercises/disassembly.zip>. It contains the binaries and files for the exercises. Make sure to unpack it to the `local-data` folder!

- 1\) When you run the `TuxRAR` program, a pop-up will appear that asks you to pay for a license. Modify the binary such that this pop-up does not appear any more when starting the program. Alternatively, you can postpone the pop-up for a long time.

- 2\) Execute the program `bomb`. It tells you to find a correct input to defuse the “bomb”. Find the correct input by disassembling the program and/or looking at the hex representation.\
  Hint 1: Check out the “ELF” structure of a binary. The `objdump` tool has an option to display a specific section of a binary.\
  Hint 2: Once you find potential inputs to the program, you can analyze the disassembly and match the inputs to program flow branches.\
  Hint 3: Try to supply those inputs which lead to the correct program exit.

- 3\) Now you are ready to hack into SuperTuxKart! Show us your abilities by modifying the game in cool ways. For instance, make your kart faster, get better items, etc. Before you start modifying the binary, we recommend saving a backup copy of it, so that when you break the game you always have a clean copy. Start the game with the `run` script.\
  Hint 0: Due to non-optimized compiling (for easier understanding of the disassembly), the game performance is low. You can try reducing the graphics settings or work with the version of SuperTuxKart which is installed on your machines.\
  Hint 1: The binary contains many library functions. Try guessing function names which might appear in this game and search for these keywords. You can also list all function names if you run `grep -A1 ^$` on the disassembly (each function label in the `objdump` output follows a blank line).\
  Hint 2: Some items and events slow karts down, that is, their maximum speed is reduced. Disable the function which sets this slowdown.\
  Hint 3: Karts’ maximum speed can be increased by some events. Prevent the maximum speed from being reset to its original value.\
  Hint 4: Infinite nitro: When nitro is burned, the nitro reserves shrink…\
  Hint 5: Karts are normally slowed down when being off the track…\
  Can you find other mods which give an advantage to the player over the AI?
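A check worth having once you keep the recommended backup copy: compare the clean binary with the modified one and list every changed byte together with the virtual address that `objdump` prints for it, so each edit can be located again in the disassembly. This is an added example, not part of the lab material; it reads only the ELF program headers (PT_LOAD segments) to translate file offsets into addresses, and the tiny ELF it builds at the bottom is a constructed sample, not one of the lab binaries.

```python
import struct

def load_segments(data: bytes):
    """Return (file_offset, vaddr, filesz) for every PT_LOAD program header."""
    if data[:4] != b"\x7fELF" or data[5] != 1:
        raise ValueError("expected a little-endian ELF file")
    if data[4] == 1:                       # ELFCLASS32 (the IA-32 lab binaries)
        phoff, = struct.unpack_from("<I", data, 0x1C)
        phentsize, phnum = struct.unpack_from("<HH", data, 0x2A)
        fmt, idx = "<IIIIIIII", (1, 2, 4)  # positions of p_offset, p_vaddr, p_filesz
    elif data[4] == 2:                     # ELFCLASS64
        phoff, = struct.unpack_from("<Q", data, 0x20)
        phentsize, phnum = struct.unpack_from("<HH", data, 0x36)
        fmt, idx = "<IIQQQQQQ", (2, 3, 5)
    else:
        raise ValueError("unknown ELF class")
    segs = []
    for i in range(phnum):
        ph = struct.unpack_from(fmt, data, phoff + i * phentsize)
        if ph[0] == 1:                     # PT_LOAD: this part of the file is mapped
            segs.append((ph[idx[0]], ph[idx[1]], ph[idx[2]]))
    return segs

def offset_to_vaddr(segments, offset: int):
    """Map a file offset to the address objdump shows; None if the byte is not mapped."""
    for p_offset, p_vaddr, p_filesz in segments:
        if p_offset <= offset < p_offset + p_filesz:
            return p_vaddr + (offset - p_offset)
    return None

def diff_binaries(original: bytes, modified: bytes):
    """List (file_offset, vaddr, old_byte, new_byte) for every byte a mod changed."""
    if len(original) != len(modified):
        raise ValueError("file sizes differ; an in-place patch must not grow or shrink the file")
    segs = load_segments(original)
    return [(off, offset_to_vaddr(segs, off), original[off], modified[off])
            for off in range(len(original)) if original[off] != modified[off]]

def _tiny_elf32(code: bytes, base: int = 0x08048000) -> bytes:
    """Constructed sample: a minimal ELF32 with one PT_LOAD segment holding `code`."""
    size = 52 + 32 + len(code)             # ELF header + one program header + code
    ehdr = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + struct.pack(
        "<HHIIIIIHHHHHH", 2, 3, 1, base + 84, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", 1, 0, base, base, size, size, 5, 0x1000)
    return ehdr + phdr + code

# Constructed sample: mov $5,%eax; sub $1,%eax; ret  (the "mod" turns the sub into add $1,%eax)
ORIGINAL = _tiny_elf32(bytes.fromhex("b805000000" "83e801" "c3"))
MODIFIED = _tiny_elf32(bytes.fromhex("b805000000" "83c001" "c3"))
```

For the lab binaries, pass the contents of the backup and the modified file (`open(path, "rb").read()`) to `diff_binaries` and look up each reported address in `disassembly.txt`.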