Hacking a 25 Year Old Game To Make It Work

Video Statistics and Information

Captions
As I was mindlessly scrolling for a game to play, I was struck with a thought: could a beloved game from my childhood run on my modern Windows 11 PC? Worms 2 was released in 1997, also the last year the UK won Eurovision, but due to Windows' relentless obsession with backwards compatibility I was wondering if it would just work. Heading over to Good Old Games, I saw that not only did they have it, it was also only a quid. Not being able to pass up a bargain, I parted with £1 sterling, downloaded and launched it. However, all was not as it seemed. After that incredible intro movie, nothing happened. Uh, computer? Hello, computer? Hello? After trying a few times to no avail, I headed to the comment section. It seems I'm not alone in my struggle to play Worms 2; there are multiple reports of it failing to play on Windows 10, and it seems that despite all the improvements of Windows 11, fixing Worms 2 is not one of them.

The comment section has led me to this forum where apparently there is a fix. However, it involves downloading a zip file and then copying over some random DLLs. Now I have two issues with this: one, not to doubt the integrity of it, but I'm skeptical of downloading and running code from a random 2012 forum post; and two, where's the fun in that? Maybe we can figure out what's wrong and fix it ourselves. How hard can it be?

Okay, let's figure out why it's not running. My guess is that it's crashing somewhere in some sort of startup or initialization code, so let's run it under a debugger. I'm using x64dbg to see where it crashes. So the debugger never stops, which means it's never reaching main. What's happening to my process? I can see in Task Manager it's still running, so let's run Procmon, which is a Windows tool that shows all the real-time file system activity, and I can see here it's stuck in an endless loop trying to find and load winmm.dll, which according to the internet is a library for Windows legacy audio components, although presumably it wasn't legacy back in 1997. So looking at the stack trace provided by Procmon, we can see that the code originates in ntdll.dll, and this is why our code never reaches main: it's getting stuck in an infinite loop trying to do its initial library loading.

So I've done a quick search for the string winmm.dll in the game files to see what might be loading it, and it's used by this mysteriously named win32.dll. So let's peek inside the guts of this mysterious DLL, and to do that I'm using Ghidra, an open source decompiler and disassembler. So the first thing I'm going to do is get a list of all the strings in this DLL, and I'm just looking through them, and surprisingly there's a GitHub link. So I've gone to this GitHub link, and after a bit of reading I've come to the following realization: this game assumes it will always be loaded from a CD, which was probably a fair assumption back in 1997, so that's where it's trying to load all the audio files from. What this library does is effectively patch winmm.dll so that any functions which try to load audio from a CD instead get it loaded from a file, and all the other functions just get passed through as normal. I guess GOG just ships this with old CD games. Anyway, there's a GitHub issue which says that it doesn't work on Windows 10. I've skimmed through the code and it looks fairly innocuous, so I'm going to clone it, build it, cross my fingers and import it into the game. Still broken, still endlessly searching for winmm.dll.

So the GitHub issue says that it's due to the relative paths in the .def file. So a .def file is a Microsoft construct that allows you to map function calls when building a library. Basically it says that when a user calls X it should actually forward that call to Y, and that's how this library forwards all the non-CD audio functions to the original DLL. You can see here that all these functions just get patched through to the winmm.dll version, and any of the ones that have been overridden get passed to the, uh, library's implementation. I can see from Procmon that it's searching in the right location for these DLLs, so I'm just going to remove these relative paths, and... this glorious menu I have not seen in over two decades.

So I played a few rounds to remind myself how bad I was at the game, but something was still bothering me: the menu. Specifically, this option feels off. Not only is it lost in the negative space, there seems to be something strange with the background. So let's grab a screenshot and open it up in Photoshop. There's clearly a hard edge around this menu option. I found a video recording of the original Worms 2 game, and there's another menu option: this is for network play. And referring back to GOG, we can see that the only multiplayer available is local multiplayer. But this got me thinking: if GOG is just patching libraries and removing menu items, then the code for the networking and the menu is probably still in there somewhere, so let's see if we can find it.

So back to looking at all the strings in the binary, and I can see that there's a network menu string. So this lends credence to my assumption that the code is in there somewhere. However, there's no code that actually loads this string, or indeed any of the menu strings. So I've set a hardware breakpoint on the menu string, which means the debugger will stop when the string is loaded. So we just continue through till the program runs, then hover over the menu item. Okay, so we've broken. So if I take this address and load it up into Ghidra, we can see that the string is loaded with a LoadStringA function, and according to the docs this loads a string from a resource. So a resource is a way to embed data directly into a Windows executable; this means the data is always available without having to distribute additional files. Using a tool called CFF Explorer we can see all the resources in the Worms executable, so if we look into the Bitmaps folder we can see all the menu icons are actually bitmap resources in the executable itself, and these are loaded with the LoadImageA function. So if we go back to our debugger we can set a breakpoint on this LoadImageA function, and in fact we can make it a conditional breakpoint so that it only stops when we load bitmap 211, i.e. the start campaign image from the resources directory. So if we look at the call stack we can take the address of this function and then load that up into Ghidra. So looking at this, this is the function that loads the menu items; in fact, looking at this, it actually loads two images, the normal one and then the on-click image as well. And in fact, if we keep walking up the stack we eventually end up in this function which looks like it calls that double image load function multiple times, so this is probably the function that's being used to build the menu: it's loading one icon, and then another icon, then another icon. To prove to myself that this code is doing what I think it's doing, I'm going to patch the resource ID for the on-click image. Look at that.

Now we need to figure out how clicking on an icon leads to the next menu, and this was the start of my misery. So reading up about how Win32 forms work, I found CallWindowProcA, which is used to pass events down to sub-elements. So I set a breakpoint on this, conditionally on the on-button event type, as there are loads of messages flying around, and sure enough I can break when I click the button. So looking at the stack we can see we start in a fairly standard Win32 message loop and eventually end up in this switch statement. So what I think is happening is that each button press fires an event with an ID; this then triggers this function, which then uses the ID to decide which menu to render. And we can verify this by hacking around with the process memory. I can see that ID 2 is on the stack; this is the ID of the campaign menu that we're trying to load when we click on the button. So let's change that, let's just try making it one larger, and now we continue, and... oh, we're at the network menu! Okay, so it turns out that the network menu is just one beyond the campaign menu, so that's no surprise. But the final piece of the puzzle is how can I patch the binary to do that? I don't want to have to attach a debugger and hot-patch my memory every time I want to access this hidden menu, and it was here I lost a considerable amount of time falling down rabbit holes and clawing myself out just to fall into the next one. I was tempted just to call it a day here; after all, I'd done about 90% of the work I set out to do, but there was this gnawing feeling in the back of my mind: I had to fix this last issue.

When I get stuck like this it's useful just to take a step back and ask myself, what do I actually know? And that is: pressing a button fires an event with an ID, and the ID determines which menu is rendered. So where does that ID come from? That seems to be the key to this puzzle. It's not easy to track down, because when that message is fired it disappears off into the Windows kernel, then pops out in our message handler; there's no clear path between the code that sends the message and the code that handles it. However, I've painstakingly traced the stack variable all the way up the call stack back to the original message handler, and it's this argument. In Windows you can register a custom message handler function, which has to have this signature, and the last argument is for custom data. So someone somewhere is sending us a message and passing us two. There are two ways to send messages in Windows, SendMessage and PostMessage, with the former being blocking and the latter being fire-and-forget. So I set breakpoints on these messages, conditionally on the last argument being two, and sure enough it breaks when I click the menu option. Walking up the stack we end up at this function which calls PostMessageA and uses two as the last value. It also does a similar thing with some other messages with different last values, so presumably this is some sort of, um, button handler code. Anyway, I'm going to patch this two to a three and see what happens. And it works! However, my dreams of showcasing my lack of skills to strangers on the internet were dashed, as it turns out the servers were switched off in 2020, which is presumably why GOG has removed the menu option. So whilst my hack might be a few years too late to be actually useful, the real prize is the breakpoints that we set along the way. Don't worry though, because the low-level fun doesn't end here: if you want to see how I reverse engineered RollerCoaster Tycoon, then check out this next video.
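The .def forwarding mechanism described in the captions, as an added illustration that is not the video's or the wrapper library's own file: a wrapper built as winmm.dll exports the CD-audio entry points itself and forwards everything else to the real module. The function names are genuine winmm exports; which ones a given wrapper overrides, and the target module name `winmm_real`, are assumptions made here.

```def
; Hypothetical module-definition (.def) file for a winmm.dll wrapper (added example).
; Forwarder syntax: exportname = othermodule.exportname
; The loader resolves "othermodule" through the normal DLL search order, so a wrapper
; that forwards to the very module name it carries can be resolved back to itself and
; loop forever (the symptom seen in Procmon in the video); "winmm_real" is a placeholder.
LIBRARY winmm
EXPORTS
    ; CD-audio entry points implemented by the wrapper itself (assumed set)
    mciSendCommandA
    mciSendStringA
    auxGetVolume
    auxSetVolume
    ; Non-CD functions are passed through unchanged to the original DLL
    timeGetTime        = winmm_real.timeGetTime
    timeBeginPeriod    = winmm_real.timeBeginPeriod
    timeEndPeriod      = winmm_real.timeEndPeriod
    waveOutOpen        = winmm_real.waveOutOpen
    waveOutClose       = winmm_real.waveOutClose
    waveOutWrite       = winmm_real.waveOutWrite
    PlaySoundA         = winmm_real.PlaySoundA
```

Before shipping such a wrapper, confirm with Procmon that each forwarded call resolves to the system module and not back into the wrapper; the captions use exactly that check to localise the endless-loop fault.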
Info
Channel: Nathan Baggs
Views: 279,043
Keywords: games, gaming, hacking, hacks, worms, worms 2, ghidra, x64dbg
Id: eQOOx4mmY6I
Length: 11min 26sec (686 seconds)
Published: Tue Oct 17 2023