Post by henrik51 on Nov 27, 2005 0:09:19 GMT -5
Well, this post will not be as elaborate as my last. But I have, after 4 years, made SOME progress on the bloody state machine at $F666. It is 4K of self-modifying code!
Anyway, the state machine text for the logon area is loaded in by 0010. It has two hunks. One loads at $4000, and is the actual state machine code. The other loads at $F46C and is the list of pointers to segments in the state machine.
Miniwho...
To process the D4 command, we look it up out of tables at C800. The code is 00/A2. I do not yet know what the 00 is for, though I have suspicions. A2 is the main input to the state machine, and that is the code we will act on.
I sent this command to the client at the point the screen is displaying "Verifying your account information" or somesuch. Anyway, right after the DD is sent.
First we retrieve pointers $0A and $0C from the $F46C table. This tells us to copy every 3 (from $0A) bytes starting at $4111 (from $0C). This seems to be the 'current state' array. It is copied up to F494 - F4A7.
Then we look at pointer $36 (again from F46C), and add in the value at F495. That seems to be 'current state'. It points us at $4159, which tells us that we should use table 4.
Then we look at pointer $12, and we look up the pointers to the start of tables 4 and 5. These pointers are at $41A5 - $41A8, and they tell us that table 4 starts at item 7, and table 5 starts at item 15. So, to read all of table 4, we need to read items 7-14.
We retrieve pointer $14, which tells us the items are stored starting at $41CB. We look up item 7 at $41D2 and start scanning for our $A2 that we are trying to match. We find it quickly enough at $41D3, at item 8.
Now we retrieve pointer $16, which tells us that the operations list starts at $4221. We look up item 8 in this list. Entries are two bytes long, so the beginning and end of the operations are stored at $4231-$4234. This tells us we want to perform operations 23 and 24.
Pointer $18 points to the commands for operations. Pointer $1A points to the parameters.
Command $23 is stored at $42F0, and its parameter is stored at $440B. This tells us we want to execute $0D/$04. Command $0D says to print a message by number, so this will print message $04 (your disk is being registered). The messages are also part of the state machine table.
Command $24 is now executed. It is stored at $42F1, and its parameter at $440C. This gives us $0B/$0E. $0B says to call a ML function, and $0E references a pointer within a table pointed to by pointer $02, at $4094. This is where the ML block is executed to set the primary user ID of the disk to the parameter of the D4 command.
Obviously, there are miles to go before we can fully extract and rewrite state machine code. But, I have made that key breakthrough. There are many other commands possible, and this just scratches the surface.
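The table walk described in the post above, as an added example that is not part of the original post: a Python model of the $F46C pointer table and the $4000 hunk, with constructed memory contents chosen so that every lookup lands on the addresses quoted above (state 4 -> table 4 -> items 7..14 -> item 8 -> ops $23..$24). The real hunks are not included. Several details are this example's assumptions, not statements from the post: the table-start, op-range and ML-pointer entries are read as little-endian 16-bit values, the current state is taken as the second byte of the copied state block ($F495 - $F494 = 1), the current state is set to 4, and the message text and ML target addresses are made up.

```python
"""Model of the table walk the post describes: state -> table -> item
-> op range -> (command, parameter) pairs.  Memory contents are constructed
so the lookups hit the addresses quoted in the post; the real hunks are
not included.  Assumed (not stated in the post): 16-bit little-endian
table-start / op-range / ML-pointer entries, state = second byte of the
copied state block, message text, ML target addresses."""

HUNK_BASE = 0x4000   # the state-machine hunk loads here

# Offsets into the $F46C pointer table named in the post, with constructed
# pointer values chosen so the walk reaches the addresses the post quotes.
PTRS = {
    0x02: 0x4094,  # ML function pointer table (assumed 2 bytes per entry)
    0x0C: 0x4111,  # current-state block; copied to $F494..$F4A7
    0x12: 0x419D,  # table-start index, 2 bytes per table ($41A5 = table 4)
    0x14: 0x41CB,  # item codes, 1 byte per item ($41D2 = item 7)
    0x16: 0x4221,  # op-range index, 2 bytes per item ($4231 = item 8)
    0x18: 0x42CD,  # command byte per op ($42F0 = op $23)
    0x1A: 0x43E8,  # parameter byte per op ($440B = op $23)
    0x36: 0x4155,  # state -> table number ($4159 = state 4)
}
CMD_PRINT_MESSAGE = 0x0D   # print message number <param>
CMD_CALL_ML = 0x0B         # call ML routine via pointer-table entry <param>
MESSAGES = {0x04: "Your disk is being registered"}   # constructed text

def rd(mem, addr):
    return mem[addr - HUNK_BASE]

def rd16(mem, addr):
    return rd(mem, addr) | (rd(mem, addr + 1) << 8)

def wr(mem, addr, val):
    mem[addr - HUNK_BASE] = val & 0xFF

def wr16(mem, addr, val):
    wr(mem, addr, val)
    wr(mem, addr + 1, val >> 8)

def build_hunk():
    """Constructed $4000 hunk: only the bytes the D7/D4 walk touches are set."""
    mem = bytearray(0x1000)
    wr(mem, 0x4112, 0x04)                 # state block byte 1 -> $F495: state 4
    wr(mem, 0x4159, 0x04)                 # state 4 uses table 4
    wr16(mem, 0x41A5, 0x0007)             # table 4 starts at item 7
    wr16(mem, 0x41A7, 0x000F)             # table 5 starts at item 15
    for i, code in enumerate([0xA5, 0xA2, 0xA6, 0xA1, 0x73, 0x87, 0x6E, 0x6F]):
        wr(mem, 0x41D2 + i, code)         # items 7..14 (D7, D4, D8, D3, DO, D1, SM, SE)
    wr16(mem, 0x422F, 0x0021)             # item 7: ops $21..$22
    wr16(mem, 0x4231, 0x0023)             # item 8: ops $23..$24
    wr16(mem, 0x4233, 0x0025)             # item 9 starts at op $25
    for op, cmd, param in [(0x21, CMD_PRINT_MESSAGE, 0x04), (0x22, CMD_CALL_ML, 0x0D),
                           (0x23, CMD_PRINT_MESSAGE, 0x04), (0x24, CMD_CALL_ML, 0x0E)]:
        wr(mem, PTRS[0x18] + op, cmd)
        wr(mem, PTRS[0x1A] + op, param)
    wr16(mem, PTRS[0x02] + 2 * 0x0D, 0x61BA)   # ML entry $0D (constructed target)
    wr16(mem, PTRS[0x02] + 2 * 0x0E, 0x61C0)   # ML entry $0E: sets the primary user ID
    return mem

def current_state(mem, ptrs):
    work = bytes(mem[ptrs[0x0C] - HUNK_BASE: ptrs[0x0C] - HUNK_BASE + 20])  # -> $F494..$F4A7
    return work[1]                                                          # $F495

def dispatch(mem, ptrs, code, trace=None):
    """Run one input code through the table walk and return the decoded ops.
    `trace`, if given, collects (what, address, value) for every lookup."""
    def look(what, addr, wide=False):
        val = rd16(mem, addr) if wide else rd(mem, addr)
        if trace is not None:
            trace.append((what, addr, val))
        return val
    state = current_state(mem, ptrs)
    table = look("table for state", ptrs[0x36] + state)
    first = look("first item", ptrs[0x12] + 2 * table, wide=True)
    end = look("first item of next table", ptrs[0x12] + 2 * (table + 1), wide=True)
    for item in range(first, end):
        if look("item code", ptrs[0x14] + item) == code:
            break
    else:
        return []                        # nothing in this state handles the code
    op_lo = look("first op", ptrs[0x16] + 2 * item, wide=True)
    op_hi = look("end of ops", ptrs[0x16] + 2 * (item + 1), wide=True)
    ops = []
    for op in range(op_lo, op_hi):
        cmd = look("command", ptrs[0x18] + op)
        param = look("parameter", ptrs[0x1A] + op)
        if cmd == CMD_PRINT_MESSAGE:
            ops.append(("print_message", param, MESSAGES.get(param, "<unknown>")))
        elif cmd == CMD_CALL_ML:
            ops.append(("call_ml", param, look("ML target", ptrs[0x02] + 2 * param, wide=True)))
        else:
            ops.append(("unknown", cmd, param))
    return ops

if __name__ == "__main__":
    t = []
    for step in dispatch(build_hunk(), PTRS, 0xA2, t):   # 0xA2 = D4
        print(step)
    for what, addr, val in t:
        print(f"  ${addr:04X} -> ${val:02X}  ({what})")
```

Running it with the D4 input (0xA2) prints the two decoded ops and then the address trace, which should reproduce the sequence $4159, $41A5, $41A7, $41D2, $41D3, $4231, $4233, $42F0, $440B, $42F1, $440C from the post. A code with no handler in the current table returns an empty list rather than falling through to some other table, which is the behaviour to check when testing what the client will and will not act on in a given state.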
Post by henrik51 on Mar 12, 2006 0:29:11 GMT -5
Well, some further investigation gets me the first start on a disassembler for the state machine. If you have some experience with the protocol, you'll catch on pretty quick. I have attached the dump for the login section only. No people connection or anything here. You will see some of the codes the state machine selects are not listed in the tokens section. These are the codes that the client uses internally. I believe 0x2B is sent to the state machine when you hit <F5>. Things like that.
The biggest thing I do not know at this point is....what is the 'exception' value? I am calling it that, since it seems to somehow force the state to change BEFORE the state machine is run. But I do not know exactly what that value is or how it is used.
32 inbound tokens located.

Token=SS  State machine input=0x71  Exception=0x00  Preparse function=0xC57E
Token=DO  State machine input=0x73  Exception=0x00  Preparse function=0xC57E
Token=DK  State machine input=0x6A  Exception=0x00  Preparse function=0xC57E
Token=DA  State machine input=0x6D  Exception=0x00  Preparse function=0xC57E
Token=SM  State machine input=0x6E  Exception=0x00  Preparse function=0xE263
Token=SE  State machine input=0x6F  Exception=0x00  Preparse function=0xE263
Token=LO  State machine input=0x72  Exception=0x00  Preparse function=0xE263
Token=MC  State machine input=0x74  Exception=0x00  Preparse function=0xC57E
Token=GP  State machine input=0x54  Exception=0x00  Preparse function=0xC57E
Token=XX  State machine input=0x7F  Exception=0x01  Preparse function=0xC57E
Token=QM  State machine input=0x7E  Exception=0x01  Preparse function=0xC57E
Token=PG  State machine input=0x82  Exception=0x01  Preparse function=0xC57E
Token=D!  State machine input=0x7D  Exception=0x00  Preparse function=0xC57E
Token=DQ  State machine input=0x7A  Exception=0x00  Preparse function=0xC57E
Token=DX  State machine input=0x7B  Exception=0x00  Preparse function=0xC57E
Token=DZ  State machine input=0x7C  Exception=0x00  Preparse function=0xC57E
Token=ON  State machine input=0x53  Exception=0x01  Preparse function=0xC57E
Token=XZ  State machine input=0x79  Exception=0x01  Preparse function=0xC57E
Token=D1  State machine input=0x87  Exception=0x00  Preparse function=0xC57E
Token=ZE  State machine input=0x90  Exception=0x82  Preparse function=0xE263
Token=ZQ  State machine input=0x91  Exception=0x82  Preparse function=0xC92C
Token=ZH  State machine input=0x92  Exception=0x82  Preparse function=0xE263
Token=ZI  State machine input=0x93  Exception=0x82  Preparse function=0xE263
Token=ZM  State machine input=0x94  Exception=0xC2  Preparse function=0xC57E
Token=ZT  State machine input=0x95  Exception=0x82  Preparse function=0xE263
Token=ZZ  State machine input=0x96  Exception=0x82  Preparse function=0xE263
Token=XS  State machine input=0x97  Exception=0x01  Preparse function=0xE263
Token=D3  State machine input=0xA1  Exception=0x00  Preparse function=0xE263
Token=D4  State machine input=0xA2  Exception=0x00  Preparse function=0xE263
Token=SZ  State machine input=0x98  Exception=0x01  Preparse function=0xC57E
Token=D7  State machine input=0xA5  Exception=0x00  Preparse function=0xC57E
Token=D8  State machine input=0xA6  Exception=0x00  Preparse function=0xE263

State 0x00 matches:
  Code 0x75  Call 0x6246  Action 0x04 -- Param 0x00  Call 0x9A00  Change to state 0x01
State 0x01 matches:
  Code 0x2B  Call 0x9A00  Action 0x0D -- Param 0x01
  Code 0x98 -- SZ  Action 0x2C -- Param 0x00  Action 0x04 -- Param 0x13  Change to state 0x15
  Code 0x77  Call 0x6146  Action 0x12 -- Param 0x26  Action 0x20 -- Param 0x01  Action 0x09 -- Param 0x05  Call 0x617F  Action 0x04 -- Param 0x02  Action 0x32 -- Param 0x02  Change to state 0x04  Action 0x0A -- Param 0x03  Call 0x60CE  Action 0x26 -- Param 0x41  Change to state 0x02
State 0x02 matches:
  Code 0x6C  Action 0x12 -- Param 0x40  Action 0x18 -- Param 0x01  Action 0x13 -- Param 0x26  Call 0x617F  Action 0x04 -- Param 0x02  Action 0x32 -- Param 0x02  Action 0x27 -- Param 0x41  Change to state 0x04
  Code 0x6B  Action 0x04 -- Param 0x07  Action 0x02 -- Param 0x03
State 0x03 matches:
  Code 0x2B  Action 0x05 -- Param 0x00  Action 0x03 -- Param 0x00
State 0x04 matches:
  Code 0xA5 -- D7  Action 0x0D -- Param 0x04  Call 0x61BA
  Code 0xA2 -- D4  Action 0x0D -- Param 0x04  Call 0x61C0
  Code 0xA6 -- D8  Call 0x61F9
  Code 0xA1 -- D3  Action 0x0D -- Param 0x05  Call 0x6234  Action 0x32 -- Param 0x09  Change to state 0x05
  Code 0x73 -- DO  Action 0x08 -- Param 0x00  Call 0x614D  Action 0x33 -- Param 0x01  Change to state 0x08
  Code 0x87 -- D1  Action 0x08 -- Param 0x00  Call 0xC57E  Action 0x32 -- Param 0x14
  Code 0x6E -- SM  Call 0xEE30  Call 0xEE5D  Change to state 0x06
  Code 0x6F -- SE  Call 0xEE30  Call 0xEE5D  Change to state 0x07
  Code 0x6A -- DK  Action 0x08 -- Param 0x00  Action 0x04 -- Param 0x08  Change to state 0x15
  Code 0x6D -- DA  Action 0x08 -- Param 0x00  Action 0x04 -- Param 0x09  Change to state 0x15
  Code 0x7A -- DQ  Action 0x08 -- Param 0x00  Action 0x04 -- Param 0x0A  Change to state 0x15
  Code 0x7B -- DX  Action 0x08 -- Param 0x00  Action 0x04 -- Param 0x0B  Change to state 0x15
  Code 0x7C -- DZ  Action 0x08 -- Param 0x00  Action 0x04 -- Param 0x0C  Change to state 0x15
  Code 0x7D -- D!  Action 0x04 -- Param 0x0D  Change to state 0x15
State 0x05 matches:
  Code 0x71 -- SS  Call 0x6240
  Code 0x74 -- MC  Action 0x32 -- Param 0x09
  Code 0xA3  Action 0x32 -- Param 0x01  Action 0x32 -- Param 0x17  Change to state 0x04
  Code 0xA4  Action 0x0D -- Param 0x06  Action 0x32 -- Param 0x01  Action 0x32 -- Param 0x16  Change to state 0x04
State 0x06 matches:
  Code 0x6E -- SM  Call 0xEE5D
  Code 0x6F -- SE  Call 0xEE5D  Change to state 0x07
State 0x07 matches:
  Code 0x2B  Action 0x08 -- Param 0x00  Call 0x614D  Action 0x33 -- Param 0x01  Change to state 0x08
State 0x08 matches:
  Code 0x16  Call 0x615D
  Code 0x64  Call 0x6152
  Code 0x85
  Code 0x7F -- XX
  Code 0x80
  Code 0x81
  Code 0x83
  Code 0x84  Action 0x32 -- Param 0x09  Change to state 0x09
State 0x09 matches:
  Code 0x71 -- SS  Call 0xEE15
  Code 0x74 -- MC  Action 0x32 -- Param 0x09
State 0x0A matches:
  Code 0x79 -- XZ  Action 0x2C -- Param 0x00  Action 0x32 -- Param 0x0A  Action 0x04 -- Param 0x0E  Call 0xC57E  Change to state 0x15
  Code 0x98 -- SZ  Action 0x2C -- Param 0x00  Action 0x04 -- Param 0x12  Change to state 0x15
  Code 0x97 -- XS  Action 0x2C -- Param 0x00  Action 0x32 -- Param 0x0A  Call 0xEE30  Call 0xEE5D  Change to state 0x15
  Code 0x53 -- ON  Action 0x32 -- Param 0x0B  Action 0x03 -- Param 0x00
  Code 0x54 -- GP  Action 0x32 -- Param 0x0C  Action 0x03 -- Param 0x00
  Code 0x7E -- QM  Action 0x32 -- Param 0x0D  Action 0x03 -- Param 0x00
  Code 0x82 -- PG  Action 0x32 -- Param 0x0E  Action 0x03 -- Param 0x00
State 0x0B matches:
  Code 0x94 -- ZM  Action 0x2C -- Param 0x00  Call 0xEE95  Action 0x32 -- Param 0x13  Call 0xEE30  Change to state 0x0C
State 0x0C matches:
  Code 0x95 -- ZT  Call 0xEE5D
  Code 0x96 -- ZZ  Call 0xEE5D  Change to state 0x0F
  Code 0x90 -- ZE  Call 0xEE5D  Action 0x33 -- Param 0x06  Change to state 0x10
  Code 0x91 -- ZQ  Change to state 0x0E  Action 0x0E -- Param 0x91
State 0x0D matches:
  Code 0x95 -- ZT  Action 0x05 -- Param 0x00  Call 0xEE30  Call 0xEE5D  Change to state 0x0E
  Code 0x92 -- ZH  Call 0xEE30  Call 0xEE5D  Change to state 0x0E
  Code 0x96 -- ZZ  Action 0x05 -- Param 0x00  Call 0xEE30  Call 0xEE5D  Change to state 0x0F
  Code 0x90 -- ZE  Action 0x05 -- Param 0x00  Call 0xEE30  Call 0xEE5D  Action 0x33 -- Param 0x06  Change to state 0x10
  Code 0x91 -- ZQ  Action 0x05 -- Param 0x00  Call 0xEE30  Change to state 0x0E  Action 0x0E -- Param 0x91
  Code 0x93 -- ZI  Call 0xEE30  Call 0xEE5D  Change to state 0x11  Action 0x02 -- Param 0x12
State 0x0E matches:
  Code 0x92 -- ZH
  Code 0x95 -- ZT  Call 0xEE5D
  Code 0x96 -- ZZ  Call 0xEE5D  Change to state 0x0F
  Code 0x90 -- ZE  Call 0xEE5D  Action 0x33 -- Param 0x06  Change to state 0x10
  Code 0x91 -- ZQ  Call 0xEE5D  Action 0x12 -- Param 0x26  Action 0x20 -- Param 0x41  Action 0x09 -- Param 0x03  Call 0xEE92  Action 0x16 -- Param 0x60  Action 0x0A -- Param 0x1F  Action 0x20 -- Param 0x42  Action 0x09 -- Param 0x03  Call 0xEE92  Action 0x16 -- Param 0xC0  Action 0x0A -- Param 0x1A  Action 0x20 -- Param 0x44  Action 0x09 -- Param 0x02  Action 0x11 -- Param 0x04  Action 0x0A -- Param 0x16  Action 0x20 -- Param 0x45  Action 0x09 -- Param 0x02  Action 0x11 -- Param 0x05  Action 0x0A -- Param 0x12  Action 0x20 -- Param 0x46  Action 0x09 -- Param 0x02  Action 0x11 -- Param 0x02  Action 0x0A -- Param 0x0E  Action 0x20 -- Param 0x47  Action 0x09 -- Param 0x02  Action 0x11 -- Param 0x03  Action 0x0A -- Param 0x0A  Action 0x20 -- Param 0x48  Action 0x09 -- Param 0x03  Call 0xEE92  Action 0x16 -- Param 0xA0  Action 0x0A -- Param 0x05  Action 0x20 -- Param 0x49  Action 0x09 -- Param 0x02  Action 0x11 -- Param 0x06  Action 0x0A -- Param 0x01  Action 0x11 -- Param 0x07  Action 0x13 -- Param 0x03  Action 0x13 -- Param 0x04  Change to state 0x11
  Code 0x93 -- ZI  Call 0xEE5D  Change to state 0x11  Action 0x02 -- Param 0x12
State 0x0F matches:
  Code 0x01  Action 0x04 -- Param 0x11  Action 0x02 -- Param 0x14
  Code 0x2B  Action 0x32 -- Param 0x15  Action 0x33 -- Param 0x00  Action 0x08 -- Param 0x00  Action 0x2D -- Param 0x00  Action 0x31 -- Param 0x00  Change to state 0x0B
State 0x10 matches:
  Code 0x2E
  Code 0x01  Action 0x04 -- Param 0x0F  Action 0x33 -- Param 0x00  Action 0x02 -- Param 0x13
  Code 0x2C  Call 0xEE95  Action 0x32 -- Param 0x0F  Action 0x33 -- Param 0x00  Change to state 0x0D
  Code 0x2D  Call 0xEE95  Action 0x32 -- Param 0x10  Action 0x33 -- Param 0x00  Action 0x08 -- Param 0x00  Action 0x2D -- Param 0x00  Action 0x31 -- Param 0x00  Change to state 0x0B
  Code 0x2B  Call 0xEE95  Action 0x32 -- Param 0x12  Action 0x33 -- Param 0x00  Action 0x08 -- Param 0x00  Action 0x2D -- Param 0x00  Action 0x31 -- Param 0x00  Change to state 0x0B
State 0x11 matches:
  Code 0x2E
  Code 0x01  Action 0x04 -- Param 0x10  Action 0x33 -- Param 0x00  Action 0x02 -- Param 0x12
  Code 0x3B
  Code 0x59  Action 0x2A -- Param 0x2E  Action 0x2B -- Param 0x30  Action 0x0E -- Param 0x52
  Code 0x34
  Code 0x33  Action 0x2A -- Param 0x31  Action 0x2B -- Param 0x30  Action 0x0E -- Param 0x52
  Code 0x2C  Action 0x11 -- Param 0x03  Action 0x13 -- Param 0x3A  Action 0x2E -- Param 0x00  Action 0x11 -- Param 0x13  Action 0x15 -- Param 0x01  Action 0x93 -- Param 0x30  Action 0x15 -- Param 0x01  Action 0x11 -- Param 0x05  Action 0x93 -- Param 0x30  Action 0x15 -- Param 0x01  Action 0x11 -- Param 0x19  Action 0x93 -- Param 0x30  Action 0x0E -- Param 0x52
  Code 0x2D
  Code 0x16  Action 0x04 -- Param 0x13  Change to state 0x15  Call 0x6146
  Code 0x52  Action 0x12 -- Param 0x26  Action 0x20 -- Param 0x01  Action 0x09 -- Param 0x05
State 0x12 matches:
  Code 0x01  Call 0x617F  Action 0x04 -- Param 0x02
  Code 0x2B  Action 0x32 -- Param 0x02  Change to state 0x04  Action 0x0A -- Param 0x03  Call 0x60CE
State 0x13 matches:
  Code 0x01  Action 0x26 -- Param 0x41  Change to state 0x02
  Code 0x2B  Action 0x12 -- Param 0x40  Action 0x18 -- Param 0x01  Action 0x13 -- Param 0x26
State 0x14 matches:
  Code 0x2B  Call 0x617F  Action 0x04 -- Param 0x02
State 0x15 matches:
  Code 0x2B  Action 0x32 -- Param 0x02
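An added example, not part of the post or of the disassembler it describes: a Python parser for the listing format above that turns the token table and the per-state "Code / Action / Call / Change to state" runs into a transition table, then answers the questions a reverse engineer asks of it: which inbound tokens each state actually acts on, which states are reachable from state 0, where a given token (D4) is handled, which tokens carry a non-zero 'exception' value, and which matched codes do not appear in the token table at all (the client-internal codes such as 0x2B mentioned above). The embedded LISTING is an excerpt of the dump in this post (the token table trimmed to the entries referenced by the sampled states, and states 0x00, 0x01, 0x04, 0x05 and 0x15, with state 0x04 cut after DO); every line in it is copied from the post. The analysis functions and the reading of each "Code" as starting a new item are this example's own.

```python
"""Parse the state-machine disassembler listing into a transition table.
LISTING is an excerpt copied from the post (trimmed token table, states
0x00, 0x01, 0x04 up to DO, 0x05 and 0x15); the analysis is this example's own."""
import re

LISTING = """
Token=SS State machine input=0x71 Exception=0x00 Preparse function=0xC57E
Token=DO State machine input=0x73 Exception=0x00 Preparse function=0xC57E
Token=MC State machine input=0x74 Exception=0x00 Preparse function=0xC57E
Token=XX State machine input=0x7F Exception=0x01 Preparse function=0xC57E
Token=ZM State machine input=0x94 Exception=0xC2 Preparse function=0xC57E
Token=D3 State machine input=0xA1 Exception=0x00 Preparse function=0xE263
Token=D4 State machine input=0xA2 Exception=0x00 Preparse function=0xE263
Token=SZ State machine input=0x98 Exception=0x01 Preparse function=0xC57E
Token=D7 State machine input=0xA5 Exception=0x00 Preparse function=0xC57E
Token=D8 State machine input=0xA6 Exception=0x00 Preparse function=0xE263
State 0x 0 matches: Code 0x75 Call 0x6246 Action 0x04 -- Param 0x00 Call 0x9A00 Change to state 0x01
State 0x 1 matches: Code 0x2B Call 0x9A00 Action 0x0D -- Param 0x01 Code 0x98 -- SZ Action 0x2C -- Param 0x00 Action 0x04 -- Param 0x13 Change to state 0x15 Code 0x77 Call 0x6146 Action 0x12 -- Param 0x26 Action 0x20 -- Param 0x01 Action 0x09 -- Param 0x05 Call 0x617F Action 0x04 -- Param 0x02 Action 0x32 -- Param 0x02 Change to state 0x04 Action 0x0A -- Param 0x03 Call 0x60CE Action 0x26 -- Param 0x41 Change to state 0x02
State 0x 4 matches: Code 0xA5 -- D7 Action 0x0D -- Param 0x04 Call 0x61BA Code 0xA2 -- D4 Action 0x0D -- Param 0x04 Call 0x61C0 Code 0xA6 -- D8 Call 0x61F9 Code 0xA1 -- D3 Action 0x0D -- Param 0x05 Call 0x6234 Action 0x32 -- Param 0x09 Change to state 0x05 Code 0x73 -- DO Action 0x08 -- Param 0x00 Call 0x614D Action 0x33 -- Param 0x01 Change to state 0x08
State 0x 5 matches: Code 0x71 -- SS Call 0x6240 Code 0x74 -- MC Action 0x32 -- Param 0x09 Code 0xA3 Action 0x32 -- Param 0x01 Action 0x32 -- Param 0x17 Change to state 0x04
State 0x15 matches: Code 0x2B Action 0x32 -- Param 0x02
"""

TOKEN_RE = re.compile(r"Token=(\S+) State machine input=0x([0-9A-Fa-f]+) "
                      r"Exception=0x([0-9A-Fa-f]+) Preparse function=0x([0-9A-Fa-f]+)")
ITEM_RE = re.compile(r"State 0x\s*([0-9A-Fa-f]+) matches:"
                     r"|Code 0x([0-9A-Fa-f]{2})(?: -- (\S+))?"
                     r"|Action 0x([0-9A-Fa-f]{2}) -- Param 0x([0-9A-Fa-f]{2})"
                     r"|Call 0x([0-9A-Fa-f]{4})"
                     r"|Change to state 0x([0-9A-Fa-f]{2})")

def parse_listing(text):
    """Returns (tokens, states): tokens[code] = (name, exception, preparse);
    states[n] = list of {"code", "token", "ops"} in listing order, where ops are
    ("action", a, p), ("call", addr) or ("goto", state)."""
    tokens, states = {}, {}
    for m in TOKEN_RE.finditer(text):
        name, code, exc, pre = m.groups()
        tokens[int(code, 16)] = (name, int(exc, 16), int(pre, 16))
    state = entry = None
    for m in ITEM_RE.finditer(text):
        st, code, tok, act, par, call, goto = m.groups()
        if st is not None:                       # "State 0x 4 matches:"
            state = int(st, 16)
            states[state] = []
        elif code is not None:                   # each "Code ..." starts a new item
            entry = {"code": int(code, 16), "token": tok, "ops": []}
            states[state].append(entry)
        elif act is not None:
            entry["ops"].append(("action", int(act, 16), int(par, 16)))
        elif call is not None:
            entry["ops"].append(("call", int(call, 16)))
        else:
            entry["ops"].append(("goto", int(goto, 16)))
    return tokens, states

def server_inputs(states, tokens):
    """Per state, the inbound tokens (from the token table) that have a handler."""
    return {s: sorted(tokens[e["code"]][0] for e in entries if e["code"] in tokens)
            for s, entries in states.items()}

def reachable(states, start=0):
    """States reachable from `start` via 'Change to state' ops (all of them, even
    when an item carries more than one)."""
    seen, todo = set(), [start]
    while todo:
        s = todo.pop()
        if s in seen:
            continue
        seen.add(s)
        for e in states.get(s, []):
            todo.extend(op[1] for op in e["ops"] if op[0] == "goto")
    return seen

def handlers(states, tokens, name):
    """Every state that reacts to the named token, with the ops it runs."""
    return {s: e["ops"] for s, entries in states.items() for e in entries
            if tokens.get(e["code"], ("",))[0] == name}

def exception_tokens(tokens):
    """Tokens whose 'exception' byte is non-zero, in input-code order."""
    return [tokens[c][0] for c in sorted(tokens) if tokens[c][1] != 0]

def unlisted_codes(states, tokens):
    """Matched codes that are not in the inbound token table (client-internal)."""
    return sorted({e["code"] for entries in states.values() for e in entries
                   if e["code"] not in tokens})

TOKENS, STATES = parse_listing(LISTING)

if __name__ == "__main__":
    for s, names in sorted(server_inputs(STATES, TOKENS).items()):
        print(f"state 0x{s:02X}: {' '.join(names) or '-'}")
    print("reachable from 0:", sorted(reachable(STATES)))
    print("D4 handled in:", handlers(STATES, TOKENS, "D4"))
    print("non-zero exception:", exception_tokens(TOKENS))
    print("codes not in token table:", [hex(c) for c in unlisted_codes(STATES, TOKENS)])
```

The same regexes work on the full dump, since the field names and spacing are those of the listing; only the state numbers and the number of items change. Reading each "Code" as opening a new item means a run of codes with no ops between them (state 0x08 in the full dump) parses as several items with empty op lists, which is a guess about the disassembler's output and should be checked against the op-range table before trusting it.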