Frida solver script for Flare-On 2017 challenge 5 (pewpewboat.exe)
//
// solver script for flare-on #5 pewpewboat.exe
// run with frida -l pew.js -f pewpewboat.exe --no-pause -o pew.log
//
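// Addresses of the routines we hook, as found by the author in a disassembler.
// They are absolute addresses assuming the image's preferred base of 0x400000.
// If the binary is relocated at load time (ASLR / a different preferred base),
// patching those absolute addresses would hit the wrong bytes, so resolve the
// actual load base at runtime and only fall back to the preferred base when the
// module cannot be found (e.g. the binary was renamed).
var PREFERRED_BASE = 0x400000;
var moduleBase = Module.findBaseAddress('pewpewboat.exe') || ptr(PREFERRED_BASE);
// Translate an address given relative to PREFERRED_BASE into the live image.
function rebase(absoluteAddr) {
  return moduleBase.add(absoluteAddr - PREFERRED_BASE);
}
var mainProgLoop = rebase(0x403c05);
var getInput = rebase(0x40377D);
var clearScreen = rebase(0x4031E1);
var notMd5Prompt = rebase(0x403530);
// Neutralise the screen-clearing and prompt routines so the log stays readable.
// Each replacement is a no-op that returns 0 explicitly rather than leaving the
// callback's return value undefined.
// NOTE(review): NativeCallback uses the default ABI; if these routines are not
// plain cdecl/stdcall-compatible on this binary, the replacement would corrupt
// the stack -- confirm against the disassembly.
Interceptor.replace(clearScreen, new NativeCallback(function() { return 0; }, 'int', []));
Interceptor.replace(notMd5Prompt, new NativeCallback(function() { return 0; }, 'int', []));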
// Render the 8x8 board packed into a 64-bit value (a Frida UInt64 exposing
// and/compare/shr). Bit index = row*8 + col, with bit 0 at the top-left.
// A set bit is drawn as '@', a clear bit as '.'; every cell is followed by a
// space and every row by a newline.
function drawMap(state) {
  var rows = [];
  var bits = state;
  for (var row = 0; row < 8; row++) {
    var cells = [];
    for (var col = 0; col < 8; col++) {
      // compare() yields 0 on equality, so 0 here means the low bit is set.
      var isSet = bits.and(1).compare(1) === 0;
      cells.push(isSet ? '@' : '.');
      bits = bits.shr(1);
    }
    rows.push(cells.join(' ') + ' ');
  }
  return rows.join('\n') + '\n';
}
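// Cursor over the 64 board cells (bit index = row*8 + col). It is reset to 0
// whenever the main-loop hook fires and advanced by each fabricated guess.
var coord = 0;
// Number of main-loop entries seen so far; also names the state dumps.
var level = 0;
var debug = false; // more verbose
// Highest valid cell index on the 8x8 board.
var LAST_COORD = 63;
// patch getInput
// The game's input routine is replaced wholesale. Instead of reading the
// console, the callback scans the u64 at state+0 from the current cursor to
// the next set bit, ORs that cell's bit into the u64 at state+8 (presumably the
// "already guessed" mask), and stores the two-character guess -- row letter
// A-H from the high three bits, column digit 1-8 from the low three -- at
// state+28 / state+29, presumably where the real routine keeps the typed
// coordinates.
// NOTE(review): the struct offsets (0, 8, 28, 29) and the single-pointer
// argument under the default ABI come from the author's reversing of the
// binary and cannot be verified here.
Interceptor.replace(getInput, new NativeCallback(function(state) {
  if (debug) console.log('reading input... ' + coord);
  // iterate through all set positions, then "input" them
  var positions = Memory.readU64(state);
  positions = positions.shr(coord);
  // Advance `coord` to the next set bit at or after the cursor. If none remain,
  // the loop leaves `coord` one past the highest set bit and the guess below
  // targets an empty cell; the level is presumably finished by then.
  while (positions.compare(0) !== 0) {
    if (positions.and(1).compare(1) === 0) {
      break;
    }
    positions = positions.shr(1);
    coord++;
  }
  // Mark the cell in the second bitmask.
  var bitmask = Memory.readU64(state.add(8));
  var newbit = uint64(1).shl(coord);
  bitmask = bitmask.or(newbit);
  Memory.writeU64(state.add(8), bitmask);
  // coordinates: row letter from coord>>3, column digit from coord&7.
  var c = 'A'.charCodeAt(0) + (coord >> 3);
  var n = '1'.charCodeAt(0) + (coord & 7);
  Memory.writeU8(state.add(28), c);
  Memory.writeU8(state.add(29), n);
  if (debug) console.log('guess: ' + String.fromCharCode(c) + String.fromCharCode(n));
  // Step past the cell just fired at and wrap at the end of the board.
  // (The original compared against the legacy octal literal 077, which is a
  // syntax error in strict-mode / ES-module code; 63 is the same value.)
  coord++;
  if (coord > LAST_COORD) {
    coord = 0;
  }
  return 0;
}, 'int', ['pointer']));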
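// Fires every time the routine the author labelled mainProgLoop is entered,
// which the script treats as the start of a new level: reset the guess cursor,
// print the board bitmask read from the first u64 of the state struct, and dump
// the raw struct to pew-dump-<level>.bin for offline analysis.
// NOTE(review): the 576-byte struct size comes from the author's reversing and
// is not verifiable here. The dump path is relative, so the files land in
// whatever directory frida was launched from.
Interceptor.attach(mainProgLoop, {
  onEnter: function(args) {
    coord = 0;
    var state = args[0];
    var gameState = Memory.readU64(state);
    console.log('level ' + level + ' state: ' + gameState.toString(16));
    console.log(drawMap(gameState));
    var name = 'pew-dump-' + level + '.bin';
    // Read the memory before opening the file so a failed read leaves no
    // dangling handle behind.
    var data = Memory.readByteArray(state, 576);
    var f = new File(name, 'wb');
    try {
      f.write(data);
    } finally {
      // Always release the handle, even if the write throws.
      f.close();
    }
    level++;
    if (debug) console.log('dumping to ', name);
  },
});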