Reverse Engineering and Weaponizing XP Solitaire (Mini-Course)


For a beginner, reverse engineering can be a daunting and frustrating endeavor, but it's a lot more fun if you can learn by hacking and modding games to create your own cheats and maybe even inject a few (harmless) pranks into the code!

Whether you watch it all the way through or just in bits and pieces, join me in this master (of none) class as we try to recapture the fun and amazement of being a first-time reverser exploring and testing the limits of software and of our own creativity, while also taking our minds off the curse of the headless twins that has plagued our times!

In this video, we will:

- Use Ghidra to look at the internals of the XP Solitaire binary
- Hack the gameplay to our own benefit using Ghidra and x64dbg
- Create our own card images to use in the game using Resource Hacker + Python and Pillow
- Write C++ code to perform DLL Hijacking/Proxying to run our own "weaponized" code when Solitaire runs

Please leave feedback and questions here as comments, or DM me on Mastodon (social links listed on the channel).

Check the pinned comment for any updates to the content.

Remember: Use your knowledge and skills for good and fun, not evil (not even evil fun).

Finally, let me know what you would like to see in future videos!

Project Homepage:

https://github.com/jeFF0Falltrades/Tu...

Resources and References:

- XP Solitaire Download: https://archive.org/details/ms_solita...
- Ghidra: https://github.com/NationalSecurityAg...
- x64dbg: https://x64dbg.com/
- Resource Hacker: http://www.angusj.com/resourcehacker/
- Format of Icons: https://devblogs.microsoft.com/oldnew...
- Two's Complement: https://www.rit.edu/academicsuccessce...
- Cutting Room Floor - Solitaire: https://tcrf.net/Solitaire_(Windows,_...
- x86 Opcodes: https://nets.ec/Shellcode/Appendix/Al...
- Structure Padding: https://www.javatpoint.com/structure-...
- Pixlr Photo Editor: https://pixlr.com/e/
- DLL Hijacking: https://www.upguard.com/blog/dll-hija...
- MSYS2: https://www.msys2.org/
- cards.dll Function Descriptions: http://www.catch22.net/tuts/win32/usi...
- Writing DLLs: https://www.tutorialspoint.com/dll/dl...
- PE Resource Section Blog: https://blog.kowalczyk.info/articles/...

00:00:00 - Intro
00:03:46 - Important Notes
00:05:23 - Downloading XP Solitaire
00:07:00 - Starting a Ghidra Project
00:09:00 - Ghidra Familiarization
00:17:58 - Start Reversing: Examining Strings
00:21:41 - Patching Metadata Strings
00:25:33 - Loading/Patching Resource Strings
00:34:57 - Learning/Modding the ShellAbout Window
00:37:01 - Detour: Loading Icons from GroupIcon Resources
00:43:20 - Back to Modifying the ShellAbout Window
00:47:31 - Start Gameplay Hacking: Examining Scoring
00:59:56 - Finding the Score Value
01:03:03 - Scoring Options Parsed from the Registry
01:07:43 - Using x64dbg/x32dbg to Debug Scoring
01:22:45 - Detour: Two's Complement
01:26:06 - Back to Reversing the Scoring Function
01:30:37 - Found Score; Manually Modifying It
01:32:59 - Permanently Hacking the Scoring System and Timer
01:37:46 - Disabling the Game Timer Permanently
01:40:07 - Finding Score Value Tables
01:43:16 - Patching the Score Tables Permanently
01:49:55 - Testing Our Patched Program
01:52:16 - Creating Our Own Cheat Code
01:54:45 - Keyboard Accelerators Overview
02:00:16 - Detour: Structure Padding
02:01:41 - Back to Writing Our Own Cheat Code
02:04:03 - Testing Our Cheat Code
02:04:31 - End Gameplay Hacking; Start Modding Card Graphics
02:05:41 - Introducing Resource Hacker
02:06:46 - Examining Card Graphics in cards.dll
02:07:40 - Swapping in a Custom/Handsome Card Graphic
02:09:07 - Accidental Hilarity
02:09:50 - Formatting and Importing Our Graphic
02:11:05 - Overview: Using Python for Generating Custom Graphics
02:12:46 - Python Script Output
02:13:36 - Compiling .rc files to .res files
02:14:17 - Importing the .res file into Resource Hacker
02:14:58 - Playing with Our Custom Cards
02:15:19 - End Graphics Modding; Start Weaponization
02:16:23 - DLL Hijacking/Proxying Overview
02:18:55 - Downloading MSYS2/gcc
02:20:49 - Choosing a Function to Hijack
02:24:09 - Writing a DEF File
02:26:53 - Writing Our Weaponized DLL in C++
02:36:13 - Compiling the Weaponized DLL
02:41:09 - Wrap-Up
02:42:42 - Bonus Chapter: Manually Reversing PE Resource Trees


Music from Uppbeat:
https://uppbeat.io/t/dominique-charpe...
License code: QCOL8HO4IBFDSKTZ
https://uppbeat.io/t/ak/time-flies
License code: KA8ZAYC34IVTKIPS

Photos from Pexels:
https://www.pexels.com/

Get out of here, False Brian...
