April 15, 2020

Opening Virtools Files

April 15, 2020 Posted by phaicm
Recently, I was assisting on resurrecting an old game via emulation. The first thing I usually do is determining what type of engine/software system the game uses. The files from the game usually give it away. However, the game was from 2008 and the engines were not yet (apparently) standardized at the time. The game was distributed by Nick.com. They and Sarbakan Studios seem to use the same engine for that time period. The folder structure had some key file extensions such as ".NMO" and ".CMO". After a bit of research, these games used Virtools SDK, some type of 3D modeling application with scripting and logic capabilities for games and web applications.

From what I gathered, these files are more or less zlib modifications with the signature "NEMO Fi". There is a tool made by Luigi Auriemma that can extract these files, but doesn't parse the "objects" or "components" files. These two files contains (what I assume) scripts and schematics of models. I thought that is not problem because Virtools saves these files as projects so we can use Virtools itself open them but problem occurred:


After double checking my version of Virtools, it seems that I would have to poke a bit at the player vs. SDK to see what the difference is. I luckily came into contact with a user "Zhenya1690" from FPS Creator World. He showed me that when saving a .VMO / .NMO, you have options to make it player viewable only.


So, I asked to make two identical VMO files, TEST1.VMO will be viewable by Virtools and TEST2.VMO will be viewable by custom players only. Utilizing unvirt tool earlier, I check the differences.


Ignoring the compressed size (csz) and uncompressed size (sz) differences, we can see the "flags" (offset+0x18) are different. Open-able files have a flags value of 0x8 while player-only files have a flags of 0xC. I thought, surely it cannot be that easy. I used a hex editor to change the byte. Thankfully it was and the file loaded into Virtools just fine. Success!

There is just one last hurdle: the scripts are hidden.


Unfortunately, this seems to be much more complicated than just a simple flag change. The entire components and objects files are different. Virtools strips these files to bytecode only and the script is no longer accessible. There is a project on github called VirtoolsScriptDeobfuscation which does exactly what we need. It is a DLL for Virtools that makes bytecode readable similar to how Lua Bytecode (.LUB) is decompiled back to Lua Script files (.LUA). Though, this plugin is for Virtools 2.1 thru 3.5 meaning it requires some modification for 4.0 thru 5.0.

Hopefully this post is helpful to anyone working with Virtools because it is increasingly hard to find information about this. Special thanks to Luigi and Zhenya1690. :)

February 16, 2018

DirectX7 and Windows 10 UAC

February 16, 2018 Posted by phaicm , , ,

This is an obscure post that I'm sure no one will ever have this problem except for me playing Ragnarok Online which uses DirectX7. There is a certain problem with programs that uses DirectX7 on a Windows 10 machine. Obviously, Window 10 was made way after, but there is bug with the User Account Control prompts.

Apparently, if any UAC prompt occurs (regardless which program produces the prompt), all directX7 function will cease until the program that uses it become active again. This means if you alt-tab from your game and produce any kind of UAC prompt, the game will stop rendering. The strange part is that the CPU usage stays the same as the program continues to run. I have confirmed that the directX7 functions stopped by hooking/proxy the functions to a basic logger. I have no idea why this occurs and I'm too lazy to figure it out. Just wanted anyone who comes across this problem see that its not them, its Windows 10 UAC.

Why did I come across such a situation? Because I rely on proxying directx7 to enhance ragnarok online and some features are critical to be run actively. If directx7 fails to run, my proxy functions fails thus needing a new way of running custom code.

If anyone digs deep into this and finds the cause, shoot me an email.

September 27, 2016

Pogoplug LED Control via Number of SSH Connections

September 27, 2016 Posted by phaicm , , ,

I have a pogoplug just sitting on my desk doing nothing. It is essentially a obsolete-ish cloud solution product for $10 on eBay. However, what makes the thing so neat is that you can install Debian on it using this tutorial. Now you can SSH into it and use it as a headless linux machine that you can customize however you like. However, my current network setup is prone to random SSH login attempts. While you should be using something like fail2ban and a secure network system, you can also implement a visual approach!
The pogoplug has LEDs on the front: a green one and a red one which normally blinks on certain triggers. You can easily modify them and control them with simple commands such as
echo 1 > /sys/devices/platform/leds-gpio/leds/status:red:fault/brightness
echo 0 > /sys/devices/platform/leds-gpio/leds/status:green:health/brightness
That will change the LED to red. Change the switch the 1 and 0 around and you get green. If both if on, you get a yellow/orange color. You can read all about the pogoplug's LED control and its triggers over at Wills House Tech Blog. I thought it will be a cool idea to setup daemontools to create a service that checks the number of SSH connections. If there is a SSH connection, the LED in the front will change to red like so:


full video

First thing you need to do is install daemontools. If you have no idea how to use daemontools or linux services in general, I was in the same boat until I came across this blog post which gives a good understanding on the topic. The run script I used is a very simple while loop that checks for SSH processes using ps and grep commands.
#!/bin/bash
while true; do
 if [ "$(ps auxwww | grep -c sshd:)" -eq 1 ]; then
  echo 0 > /sys/devices/platform/leds-gpio/leds/status:red:fault/brightness
  echo 1 > /sys/devices/platform/leds-gpio/leds/status:green:health/brightness
 else
  echo 1 > /sys/devices/platform/leds-gpio/leds/status:red:fault/brightness
  echo 0 > /sys/devices/platform/leds-gpio/leds/status:green:health/brightness
 fi
 sleep 5
done
The logic is to check the number of SSH processes/connections and change the LED color if its greater than 1 or rather, when you are SSH-ing into the pogoplug. Keep in mind that when you execute "ps auxwww | grep -c sshd:", it will always show at least 1 process even when you are not connected to the machine because it the command itself (ps) will show in the "grep" execution as well like so:

The sleep command is so that this run script doesn't eat up the pogoplug's very limited CPU resource. So far this is nice. However, it got me thinking about the possibility of another person logging in while I'm already connected. Which in this case, would always stay red and I wouldn't be able to tell. Or the possibility of a bruteforce attempt occuring, can I show this as well? Yes! (but really, use fail2ban as well). To do this, you can just take advantage of the yellow light to show you are connected. All you would need to do is add an else if check:
#!/bin/bash
while true; do
 if [ "$(ps auxwww | grep -c sshd:)" -eq 1 ]; then
  echo 0 > /sys/devices/platform/leds-gpio/leds/status:red:fault/brightness
  echo 1 > /sys/devices/platform/leds-gpio/leds/status:green:health/brightness
 elif [ "$(ps auxwww | grep -c sshd:)" -eq 2 ]; then
  echo 1 > /sys/devices/platform/leds-gpio/leds/status:red:fault/brightness
  echo 1 > /sys/devices/platform/leds-gpio/leds/status:green:health/brightness
 else
  echo 1 > /sys/devices/platform/leds-gpio/leds/status:red:fault/brightness
  echo 0 > /sys/devices/platform/leds-gpio/leds/status:green:health/brightness
 fi
 sleep 5
done
This way, when you are attempting to log into the machine, it will appear red. When 1 person successfully logs in, it will show yellow. Any further login attempts or logged in accounts will change it back to red.

Very fun and useful to see at the corner of my eye! Now if I can decide what I want to do with it...