
Cube World Reversing - Unpack the game

Game Hacking Reverse Engineering
Cube World Reversing - This article is part of a series.
Part 1: This Article
I don’t give any information about game cracking; I own a legitimate copy of Cube World (v1.0) on Steam, and that is why I need to remove the Steam DRM to analyse the game.

Why Cube World ? #

Cube World is an action role-playing game developed and published by Picroma. The alpha version was released in 2013, and the official release is now available on Steam. I chose this game because there is not much information about it in the game hacking community: you can find a few Cheat Engine tables, but not much more. That forces me to do everything myself, which in my opinion is a great way to train.

The aim of this series is to reverse the game and implement some cheat functions such as god mode, fly hack and speed hack. Cube World uses its own game engine, also called Cube World, which makes it a good reverse engineering challenge.

How to get started ? #

Before we start to reverse the game, we need some tools: IDA (or Ghidra), PE Bear, Detect It Easy, Steamless and Cheat Engine (or x64dbg).

Some of these tools are only used in this part of the series: PE Bear and Detect It Easy are used to analyse the PE file of the game.

The first thing we want to do is load the game into IDA (or Ghidra) to look at the instructions and see whether we can start analysing it.

[steam_path]\steamapps\common\Cube World\cubeworld.exe

If you try to load the game into IDA you get errors like those in the following screenshots (I think it is the same in Ghidra); this is not a good sign.

Also, the .text section is full of strange instructions, and many functions are identified as nullsub functions.

Figure (Loading Error): Error message when trying to load the game into IDA.
Figure (.text Section): IDA, with functions referenced as nullsub functions, and the .text section.
Figure (Section Zoom): Instructions in the .text section look strange and some of the functions cannot be analysed.

Taking a quick look at the sections of the PE file, we can see that there are two sections containing code: the .text section, which is normal, and a .bind section, which also contains code. This is a strong sign that the game is packed.

Figure (Sections): Sections of the PE file of the game, viewed in IDA.
Figure (Entrypoint zoom): Entry point of the PE file of the game, in the .bind section.

So we have two code sections and the entry point is in the .bind section. Both are strong signs that the game is packed (a second executable section or an entry point outside .text is typical of a stub that decrypts the real code at runtime), but to be sure, and to identify the packer if possible, we need to analyse the PE file of the game.
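The two checks described above (more than one executable section, entry point outside .text) can be scripted instead of read off IDA's segment list. The following is an added example, not code from the original article or from the Cube-World-Reversing repository: a minimal PE32+ header parser using only the standard library, plus a builder that constructs a header-only sample image with a .text and a .bind section so the script runs offline. The section layouts, sizes and entry RVAs are made up for the demo and are not the real layout of cubeworld.exe; the `.bind` name is the one the article observed for the Steam DRM stub section.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
PE32PLUS_MAGIC = 0x20B
IMAGE_BASE = 0x140000000  # default preferred base of a 64-bit PE, as seen in IDA


def parse_sections(data: bytes) -> dict:
    """Parse the parts of a PE32+ header needed for the packing heuristic.

    Returns the preferred image base, the entry point RVA and the section table.
    Only the headers are read, so a header-only image is enough for the demo.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != PE32PLUS_MAGIC:
        raise ValueError("only PE32+ (x64) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    sections = []
    table = opt + opt_size
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, raw = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({
            "name": name, "vaddr": vaddr, "vsize": vsize, "rsize": rsize, "raw": raw,
            "code": bool(chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)),
        })
    return {"image_base": image_base, "entry_rva": entry_rva, "sections": sections}


def section_for_rva(sections: list, rva: int):
    """Name of the section whose virtual range contains rva, or None."""
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rsize"]):
            return s["name"]
    return None


def assess_packing(info: dict) -> dict:
    """Apply the article's heuristic: several code sections, entry point not in .text, .bind present."""
    code = [s["name"] for s in info["sections"] if s["code"]]
    ep_section = section_for_rva(info["sections"], info["entry_rva"])
    signs = []
    if len(code) > 1:
        signs.append("%d executable sections: %s" % (len(code), ", ".join(code)))
    if ep_section != ".text":
        signs.append("entry point 0x%X is in %s, not .text" % (info["image_base"] + info["entry_rva"], ep_section))
    if any(s["name"] == ".bind" for s in info["sections"]):
        signs.append(".bind section present (Steam DRM stub)")
    return {"entry_section": ep_section, "code_sections": code, "likely_packed": bool(signs), "signs": signs}


def build_sample_pe(layout: list, entry_rva: int, image_base: int = IMAGE_BASE) -> bytes:
    """Construct a header-only PE32+ image (constructed demo data, not bytes from cubeworld.exe).

    layout entries: (name, vaddr, vsize, rsize, raw_offset, characteristics)
    """
    opt = struct.pack("<HBBIIIIIQ", PE32PLUS_MAGIC, 0, 0, 0, 0, 0, entry_rva, 0x1000, image_base)
    opt = opt.ljust(240, b"\0")  # full PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, len(layout), 0, 0, 0, len(opt), 0x22)
    headers = b""
    for name, vaddr, vsize, rsize, raw, chars in layout:
        headers += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, vaddr, rsize, raw, 0, 0, 0, 0, chars)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at 0x3C
    return dos + b"PE\0\0" + coff + opt + headers


CODE_RX = 0x60000020    # CNT_CODE | MEM_EXECUTE | MEM_READ
DATA_R = 0x40000040     # CNT_INITIALIZED_DATA | MEM_READ

# Made-up layouts: a DRM-wrapped image with the stub in .bind, and a clean one.
PACKED_LAYOUT = [
    (b".text", 0x1000, 0x200000, 0x200000, 0x400, CODE_RX),
    (b".rdata", 0x201000, 0x10000, 0x10000, 0x200400, DATA_R),
    (b".bind", 0x300000, 0x20000, 0x20000, 0x210400, CODE_RX),
]
UNPACKED_LAYOUT = PACKED_LAYOUT[:2]

if __name__ == "__main__":
    for label, layout, ep in (("packed", PACKED_LAYOUT, 0x300100), ("unpacked", UNPACKED_LAYOUT, 0x1234)):
        print(label, assess_packing(parse_sections(build_sample_pe(layout, ep))))
```

To use it on a real file, replace the constructed sample with `parse_sections(open(path, "rb").read())`. The heuristic is deliberately conservative: it only reports observations, and a tool such as Detect It Easy is still the right way to confirm which packer produced them.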

Analysis of PE files #

So the first thing to do is to use PE Bear and Detect It Easy: PE Bear shows the structure of the PE file and confirms that the entry point is in the .bind section, and Detect It Easy is a signature-based tool that identifies packers and compilers.

Figure (PE Bear): PE Bear view of the game’s PE file; it confirms that the entry point is in the .bind section.
Figure (Steam Stub): Detect It Easy identifies the packer as Steam stub.

With Detect It Easy we can now confirm that the game is packed with the Steam DRM. So, to reverse the game and make our cheat, we need to unpack it first.

Unpack the game #

Use Steamless #

Now that we know the game ships with Steam DRM (you can find some information about the DRM here), the next step is to unpack it. There is no point doing this manually, as Steamless works great: it is an automatic tool that removes the Steam DRM and decrypts the .text section of the game.

If you want to try unpacking the game manually, or want to know how the Steam DRM works, look at the Steamless source code: every unpacking step is described there.

Figure (Steamless): Steamless home page.
Figure (Steamless Unpack): Unpacking the game using Steamless.

Analysis of the unpacked file #

As you can see, unpacking the game with Steamless is very easy. If you try to run the unpacked game it will crash, because the current version of Cube World depends heavily on the Steam API and will not work without patching those functions. This does not matter in our case: we do the static analysis on the unpacked PE file in IDA, and the debugging on the running game, which the DRM unpacks in memory at runtime.

Figure (New Sections): Sections of the unpacked PE file, viewed in IDA.
Figure (New .text Section): Decrypted .text section.
Figure (New Section Zoom): Clean instructions in the decrypted .text section.

Now all the sections required by the DRM have been removed, the .text section has been decrypted, IDA’s analysis no longer produces nullsub functions, and the analysis is much faster. The next step is to check whether we can match instructions seen in the debugger (Cheat Engine or x64dbg) to their location in IDA.

Setting up the debugger #

Using the VEH debugger #

The last step is to set up our environment. If you try to use Cheat Engine with the Windows debugger, Cube World crashes in some cases, so I recommend using the VEH debugger with Cheat Engine (I never had a problem with VEH, but this only applies to Cube World). The following screenshots show how to configure Cheat Engine.

Figure (VEH): Cheat Engine debugger settings.

Retrieve instructions from Cheat Engine into IDA #

Finally, we can match instructions from the debugger (Cheat Engine) to IDA. Cheat Engine shows addresses relative to the module, for example cubeworld.exe+96579, because with ASLR the module can be loaded at a different base on every run. IDA, on the other hand, loads the unpacked file at the preferred image base from the PE header, which for this x64 binary is 0x140000000. So we add the offset from Cheat Engine to that base and look for the instruction at 0x140096579 in IDA (alternatively, IDA can rebase the database to the runtime module base via Edit > Segments > Rebase program, so that the debugger’s absolute addresses match directly).

Figure (Cheat Engine): Instructions in the Cheat Engine debugger.
Figure (IDA Pro): The same instructions located in IDA.

Our game hacking environment is now set up; we are ready to reverse the game and write a cheat!

Repository: adamhlt/Cube-World-Reversing (C++). Cube World Reversing & Cheat (x64), including the IDA file and the unpacked game.
