Hex editing - what's the worst that could happen?

Post by cloudrac3r » Sat Dec 17, 2016 8:44 am

IMPORTANT: This post was written while considering RTW only! Please say in a reply if you are talking about WA!

I read the 2006 walking on walls topic, and everyone in there speaks of hex editing as if it is some kind of sacred god which, if tampered with, will awaken in a rage and destroy us all!
Okay, that's obviously a big exaggeration. What's the worst thing that could happen to your computer while:
(a) Playing a hex edited level which was uploaded by another user
(b) Creating a hex edited level, following instructions or using tiles that you know are safe
(c) Messing about with random hex codes to see what happens

Here's what I guess would happen for each of the above scenarios:
(a) Nothing. If something bad happened, they wouldn't have uploaded the level. Hopefully.
(b) Either it will work as expected, or something strange will happen and the game will crash (but all files will be left unharmed)
(c) The game will crash (but all files will be left unharmed)

If any of you have some past experience with hex edited levels, I'd like to know all about it, as well as any predictions or opinions on the subject.

EDIT 1 (18/12/16 22:27) Fixed spelling, changed bullets to letters for clarity, added important first sentence.
Last edited by cloudrac3r on Sun Dec 18, 2016 9:30 am, edited 1 time in total.

Severity of Hex Editing

Post by Oats » Sat Dec 17, 2016 2:17 pm

I agree with you. As someone who's been a modder and programmer for quite a while, I can assure you that any hex editing would only affect the Wonderland EXE whilst in runtime (and even then you could change it back if it causes a crash) and the file that has been tampered with. If you edit the files too much, again, easy fix. Just make a copy of your save file and your levels and then re-install Wonderland. Put the copied files back in and it's as good as new.

Post by cloudrac3r » Sun Dec 18, 2016 9:36 am

Are you saying that file damage/corruption could occur, but that it would only damage/corrupt files within RTW's installation directory? (i.e. "C:\Program Files\Midnight Synergy\Return to Wonderland")
Or are you saying that the Wonderland EXE would act differently while it remains running, but next time it is opened it will load the clean, unmodified executable again? Which one? Or something else?

Post by Oats » Sun Dec 18, 2016 2:58 pm

I'm saying that heavy hex editing could corrupt the edited file, but you could just reinstall Wonderland to fix it. However, I've only used hex a few times before as most IDEs don't require knowledge of hex nowadays to program things, so maybe it isn't as severe as I imagine. Anyway, no permanent damage, and absolutely no chance of PC harm.

Post by tyteen4a03 » Mon Dec 19, 2016 2:29 am

You're not considering the worst case scenario: Malicious users using a 0-day in Wonderland/Blitz to infect your computer.

But hopefully we won't come to that. :wink:

Post by Oats » Mon Dec 19, 2016 3:48 am

I hadn't any idea that was possible, sorry. Like I said, this is theoretical based on my coding knowledge, I've rarely used hex myself. Like you said, let's hope it never happens.

Post by Amnon » Tue Dec 20, 2016 9:53 am

I suppose this would be possible if someone was able to exploit a bug in Wonderland.exe that would cause the program to modify unintended areas of memory, including its own code or more likely, its memory stack, by accessing array-elements outside the array's boundaries.

The question is, whether such a bug exists - such bugs are not unheard of and though they are pretty hard to find just from the binaries, if I had access to the Wonderland source-code then I could probably detect such bugs.

Post by cloudrac3r » Wed Dec 21, 2016 10:14 am

Amnon wrote: "...by accessing array-elements outside the array's boundaries."
Have you never seen billy bob's screenshots of crashing Wonderland Adventures? Usually, the error message is "Array index out of bounds". :lol:
So any such exploit would not work - Wonderland would crash.

Post by Amnon » Wed Dec 21, 2016 10:41 am

Programmers do not normally check for this condition of array-index out of bounds because it makes the programming and the code too tedious. Some compilers have the option to do so automatically and it may be used while debugging - but it is expensive and slows down the programs, so I don't think that it would be used in a production-version of RTW.

There may be an explicit check of the array-indexes in 2 or 3 places where it is reasonably suspected due to a faulty level-file - but did the programmer find ALL the places where it could happen?

If writing on memory is possible, then an experienced hacker could either:
1. Change the program-code itself, so it runs code to take control over the computer.
Or
2. Hex-edit part of the board so that instead of valid Wonderland elements there is a malicious program there, then modify the stack so that when the careless subroutine/function ends, rather than return to its caller, it instead jumps to that board-area.

In both cases, crashing the program afterwards could help to cover the tracks. The player would think that the Hex-level is faulty, but in fact playing it once was enough and the damage is done.

If a hacker is allowed to access and modify the Wonderland code, then likely they wouldn't introduce code that does anything right away, but instead await a level with certain properties first. As players play 1000's of levels and nothing happens, which they can check for themselves, once the hacker publishes the triggering hex-level, the players would suspect the level rather than the program.
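An added example, not part of the thread and not Wonderland's code: the explicit check on level-file data that the last post describes, written as a C loader that rejects any size or tile ID falling outside the arrays it will index. The level layout, the limits and the names (`load_level`, `solid_at`, `MAX_W`, `MAX_H`, `NUM_TILE_TYPES`) are hypothetical; the real RTW format is not described in this thread.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical level layout, constructed for this example (not the real RTW
   format): byte 0 = width, byte 1 = height, then width*height tile IDs. */
#define MAX_W 14
#define MAX_H 14
#define NUM_TILE_TYPES 32

enum load_result { LOAD_OK, ERR_TRUNCATED, ERR_DIMENSIONS, ERR_TILE_ID };
struct board {
    uint8_t width, height;
    uint8_t tiles[MAX_H][MAX_W];
};

/* Per-tile lookup table: the kind of array an unchecked tile ID would overrun. */
static const uint8_t tile_is_solid[NUM_TILE_TYPES] = { [1] = 1, [2] = 1 };

/* Validate every length and index taken from the file before it is used. */
enum load_result load_level(const uint8_t *buf, size_t len, struct board *out) {
    struct board tmp = {0};
    if (len < 2) return ERR_TRUNCATED;
    tmp.width = buf[0]; tmp.height = buf[1];
    if (tmp.width == 0 || tmp.height == 0 || tmp.width > MAX_W || tmp.height > MAX_H)
        return ERR_DIMENSIONS;
    if (len - 2 < (size_t)tmp.width * tmp.height) return ERR_TRUNCATED;
    for (size_t y = 0; y < tmp.height; y++)
        for (size_t x = 0; x < tmp.width; x++) {
            uint8_t id = buf[2 + y * tmp.width + x];
            if (id >= NUM_TILE_TYPES) return ERR_TILE_ID; /* reject, never index */
            tmp.tiles[y][x] = id;
        }
    *out = tmp; /* caller's board changes only if the whole file was valid */
    return LOAD_OK;
}

/* Coordinates computed at run time get the same check; off-board counts as wall. */
int solid_at(const struct board *b, int x, int y) {
    if (x < 0 || y < 0 || x >= b->width || y >= b->height) return 1;
    return tile_is_solid[b->tiles[y][x]];
}

int main(void) {
    const uint8_t level[] = { 2, 2, 0, 1, 2, 0 }; /* constructed 2x2 sample */
    struct board b;
    return load_level(level, sizeof level, &b) == LOAD_OK ? 0 : 1;
}
```

A hex-edited file with an oversized dimension, missing tile bytes or an unknown tile ID is refused with a distinct error code, and the caller's board is left untouched.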