自学内容网 自学内容网

Siglus引擎 Unpack | 未完待续

前言

未完待续。
代码在这里:https://github.com/N0zoM1z0/SiglusEngine-Extract
以后随时会更新。()
因为我是选择直接逆向游戏引擎,在无源码,不hook的情况下硬逆Siglus……
路漫漫。。。

read.sav

可以直接逆SiglusCounter.exe
read.sav Unpack后可以得到游戏进度信息
在这里插入图片描述

# define _CRT_SECURE_NO_WARNINGS
#include<Windows.h>
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
using namespace std;
char data[0x20000];
void sub_401000(BYTE* a1, BYTE* a2, int a3) {
    BYTE* v3; // eax
    unsigned int v4; // edx
    BYTE* v5; // edi
    BYTE* v6; // esi
    int i; // ecx
    unsigned int v10; // [esp+14h] [ebp+Ch]

    v3 = a2;
    v4 = *a1 + 256;
    v5 = a1 + 1;
    v10 = (unsigned int)&a2[a3];                  // 末尾
    if ((unsigned int)a2 < v10)
    {
        do
        {
            if (v4 == 1)
                v4 = (unsigned __int8)*v5++ + 256;
            if ((v4 & 1) != 0)
            {
                *v3++ = *v5++;
            }
            else
            {
                v6 = &v3[-(*(unsigned __int16*)v5 >> 4)];
                for (i = (*(WORD*)v5 & 0xF) + 2; i > 0; --i)
                    *v3++ = *v6++;
                v5 += 2;
            }
            v4 >>= 1;
        } while ((unsigned int)v3 < v10);
    }
}
int main() {
BYTE key[256] = { 0x8B, 0xE5, 0x5D, 0xC3, 0xA1, 0xE0, 0x30, 0x44, 0x00, 0x85, 0xC0, 0x74, 0x09, 0x5F, 0x5E, 0x33, 0xC0, 0x5B, 0x8B, 0xE5, 0x5D, 0xC3, 0x8B, 0x45, 0x0C, 0x85, 0xC0, 0x75, 0x14, 0x8B, 0x55, 0xEC, 0x83, 0xC2, 0x20, 0x52, 0x6A, 0x00, 0xE8, 0xF5, 0x28, 0x01, 0x00, 0x83, 0xC4, 0x08, 0x89, 0x45, 0x0C, 0x8B, 0x45, 0xE4, 0x6A, 0x00, 0x6A, 0x00, 0x50, 0x53, 0xFF, 0x15, 0x34, 0xB1, 0x43, 0x00, 0x8B, 0x45, 0x10, 0x85, 0xC0, 0x74, 0x05, 0x8B, 0x4D, 0xEC, 0x89, 0x08, 0x8A, 0x45, 0xF0, 0x84, 0xC0, 0x75, 0x78, 0xA1, 0xE0, 0x30, 0x44, 0x00, 0x8B, 0x7D, 0xE8, 0x8B, 0x75, 0x0C, 0x85, 0xC0, 0x75, 0x44, 0x8B, 0x1D, 0xD0, 0xB0, 0x43, 0x00, 0x85, 0xFF, 0x76, 0x37, 0x81, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x6A, 0x00, 0x76, 0x43, 0x8B, 0x45, 0xF8, 0x8D, 0x55, 0xFC, 0x52, 0x68, 0x00, 0x00, 0x04, 0x00, 0x56, 0x50, 0xFF, 0x15, 0x2C, 0xB1, 0x43, 0x00, 0x6A, 0x05, 0xFF, 0xD3, 0xA1, 0xE0, 0x30, 0x44, 0x00, 0x81, 0xEF, 0x00, 0x00, 0x04, 0x00, 0x81, 0xC6, 0x00, 0x00, 0x04, 0x00, 0x85, 0xC0, 0x74, 0xC5, 0x8B, 0x5D, 0xF8, 0x53, 0xE8, 0xF4, 0xFB, 0xFF, 0xFF, 0x8B, 0x45, 0x0C, 0x83, 0xC4, 0x04, 0x5F, 0x5E, 0x5B, 0x8B, 0xE5, 0x5D, 0xC3, 0x8B, 0x55, 0xF8, 0x8D, 0x4D, 0xFC, 0x51, 0x57, 0x56, 0x52, 0xFF, 0x15, 0x2C, 0xB1, 0x43, 0x00, 0xEB, 0xD8, 0x8B, 0x45, 0xE8, 0x83, 0xC0, 0x20, 0x50, 0x6A, 0x00, 0xE8, 0x47, 0x28, 0x01, 0x00, 0x8B, 0x7D, 0xE8, 0x89, 0x45, 0xF4, 0x8B, 0xF0, 0xA1, 0xE0, 0x30, 0x44, 0x00, 0x83, 0xC4, 0x08, 0x85, 0xC0, 0x75, 0x56, 0x8B, 0x1D, 0xD0, 0xB0, 0x43, 0x00, 0x85, 0xFF, 0x76, 0x49, 0x81, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x6A, 0x00, 0x76 };
FILE* in;
in = fopen("D:\\N0zoM1z0\\Sec-Learning\\Reverse\\游戏逆向\\read.sav", "rb");
fread(data, sizeof(char), sizeof(data), in);
DWORD* dw_data = (DWORD*)data;
DWORD v12 = dw_data[2];
DWORD v26 = dw_data[3];
for (int i = 0x10; i < 0x10 + v12; i++) {
data[i] ^= key[(i - 0x10) & 0xFF];
}
    DWORD v25 = dw_data[5];
    void* Block = malloc(v25);
    sub_401000((BYTE*)data + 24, (BYTE*)Block, v25);
    printf("+++++++++++++++++++++++++++++++++++++++++++++++");
    
    for (int i = 0; i < v25; i++) {
        BYTE c = *((BYTE*)Block + i);
    } // checked ✔️
    FILE* Stream = fopen("D:\\N0zoM1z0\\Sec-Learning\\Reverse\\游戏逆向\\SiglusCounter.txt", "wb");
    FILE* v4; // eax
    FILE* v5; // edi
    char* v6; // eax
    const char* v7; // edi
    char* v8; // eax
    FILE* v9; // eax
    FILE* v10; // edi
    void* v11; // esi
    int* v13; // esi
    const WCHAR* v14; // esi
    int* v15; // esi
    int v16; // ecx
    size_t v17; // eax
    int v19; // [esp-14h] [ebp-3A0h]
    char Buffer[304]; // [esp+Ch] [ebp-380h] BYREF
    CHAR MultiByteStr[260]; // [esp+13Ch] [ebp-250h] BYREF
    CHAR pszPath[304]; // [esp+240h] [ebp-14Ch] BYREF
    int v24; // [esp+374h] [ebp-18h]

    size_t v27; // [esp+380h] [ebp-Ch]
    size_t Size; // [esp+384h] [ebp-8h]

    if (Stream)
    {
        v13 = (int*)Block;
        v24 = 0;
        Size = 0;
        if (v26 > 0)
        {
            v25 = v26;
            do
            {
                v19 = *v13;
                v14 = (const WCHAR*)(v13 + 1);
                v26 = v19;
                MultiByteStr[WideCharToMultiByte(0x3A4u, 0, v14, v19, MultiByteStr, 256, 0, 0)] = 0;
                v15 = (int*)&v14[v26];
                v16 = *v15;
                v13 = v15 + 1;
                v26 = v16;
                if (v16)
                {
                    v17 = 0;
                    v27 = 0;
                    if (v16 > 0)
                    {
                        v27 = v16;
                        do
                        {
                            v17 += *(unsigned __int8*)v13;
                            v13 = (int*)((char*)v13 + 1);
                            --v27;
                        } while (v27);
                        v27 = v17;
                    }
                    Size += v17;
                    v24 += v16;
                    fprintf(
                        Stream,
                        "%6d/%6d   %3d.%d%%   %s\r\n",
                        v27,
                        v26,
                        (int)(1000 * v17) / v16 / 10,
                        (int)(1000 * v17) / v16 % 10,
                        MultiByteStr);
                }
                --v25;
            } while (v25);
        }
        free(Block);
        fprintf(
            Stream,
            "----------------------------------------\r\n%6d/%6d   %3d.%d%%   (ALL)\r\n",
            Size,
            v24,
            (int)(1000 * Size) / v24 / 10,
            (int)(1000 * Size) / v24 % 10);
        fclose(Stream);
    }
    ShellExecuteA(0, "open", "D:\\N0zoM1z0\\Sec-Learning\\Reverse\\游戏逆向\\SiglusCounter.txt", NULL,NULL, 1);
}

mode.cgm

这个解出来是一个TABLE,感觉像是来索引各个g00图片文件的。
解出来大概长这样:在这里插入图片描述

nwa

网上有现成脚本,就不自己造轮子了。

https://github.com/mirrorange/NwaConverter

强烈建议解Rewrite的BGM017,散花!(sakuya😭)

g00

逆了好久。。。还只弄了一个分支。。。
占个坑,后面补完整。

终于可以解出Rewrite的CG了😭😭😭
在这里插入图片描述

# define _CRT_SECURE_NO_WARNINGS
#include<Windows.h>
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#include<stdint.h>
using namespace std;

void Unpack_1(UINT8 a1,BYTE* a2,BYTE* a3,DWORD fileLen) {

}
int Unpack_2(UINT8 a1, BYTE* a2, BYTE* a3,DWORD fileLen) {
    /*
    */
    int result; // eax
    char v4; // cf
    char v5; // cl
    int v6; // esi
    BYTE* v7; // esi
    BYTE* v8; // edi
    BYTE* v9; // [esp-4h] [ebp-4h]
    DWORD cnt = 0;
    DWORD id1 = 0, id2 = 0; // id1: edi  id2:esi
    fileLen -= 0xD;
    DWORD flag = 0;
    while (TRUE) {
        if (!flag) {
            a1 = a3[id2];
            ++id2;
            flag = 7;
        }
        else {
            flag--;
        }
        if (id2 >= fileLen)break;
        if(id1 == 0x10038)
            printf("[+] a1: %x   id1: %x\n", a1,id1);
        v4 = a1 & 1;
        a1 >>= 1;
        if (v4) {
            //
         
            for (int i = 0; i < 3; i++) {
                a2[id1 + i] = a3[id2 + i];
            }
            a2[id1 + 3] = 0;
            id1 += 4;
            id2 += 3;
        } // checked
        else {
            int WORD_a3 = *(WORD*)((BYTE*)a3 + id2);
            v5 = (WORD_a3 & 0xF) + 1;
            v6 = (id1 - (4 * (WORD_a3 >> 4))); // !!! 这里不能用WORD!!! ... 要int 。。。
            //cnt += 1;
            //printf("v6: %x  id1: %x\n", v6,id1);
            //if (cnt > 3)return;
            //return;
            do {
                for (int i = 0; i < 4; i++) {
                    a2[id1 + i] = a2[v6 + i];
                }
                id1 += 4;
                v6 += 4;
                v5--;

            } while (v5);
            id2 += 2;

        }
    }
    return id1; // .... 开始手贱写成id2了...
}
DWORD dword_404337, dword_404333, dword_40433F, dword_404343;
void Trans2BMP_1() {

}
int Trans2BMP_2(LPCVOID dword_40434B,LPCVOID lpBuffer) {
    int v2; // ebx
    int v3; // edi
    __int16 v4; // cx
    __int16 v5; // cx
    __int16 v6; // ax
    __int16 v7; // dx
    int result; // eax
    int v9; // [esp-6h] [ebp-6h]
    __int16 v10; // [esp-2h] [ebp-2h]


    BYTE* v0 = (BYTE*)dword_40434B;
    BYTE* v1 = (BYTE*)lpBuffer;
    *(WORD*)lpBuffer = 0x4D42;
    *(DWORD*)(v1 + 2) = dword_404343 + 54;
    *(DWORD*)(v1 + 6) = 0;
    *(DWORD*)(v1 + 10) = 54;
    *(DWORD*)(v1 + 14) = 40;
    v2 = dword_404337;
    *(DWORD*)(v1 + 18) = dword_404333;
    *(DWORD*)(v1 + 22) = v2;
    *((WORD*)v1 + 13) = 1;
    *((WORD*)v1 + 14) = 24;
    *(DWORD*)(v1 + 30) = 0;
    *(DWORD*)(v1 + 34) = 0;
    *(DWORD*)(v1 + 38) = 0;
    *(DWORD*)(v1 + 42) = 0;
    *(DWORD*)(v1 + 46) = 0;
    *(DWORD*)(v1 + 50) = 0;
    v3 = (v2 - 1) * dword_40433F + 54;
    v4 = dword_404337;
    int idx_0 = 0;

    do {
        v10 = v4;
        v9 = v3;
        v5 = dword_404333;

        do {
            /*printf("v3: %x\n", v3);
            return 1;*/

            v1[v3] = v0[idx_0];
            v1[v3 + 1] = v0[idx_0 + 1];
            v1[v3 + 2] = v0[idx_0 + 2];
            idx_0 += 4;
            v3 += 3;
            --v5;
        } while (v5);
        v3 = v9 - dword_40433F;
        //if (v3 == 0x36)break;
        v4 = v10 - 1;
    } while (v10 != 1);

    result = dword_404337 * dword_40433F + 54;
    return result;
}
void Unpack_G00(const CHAR* FileName) {
    HANDLE hFile = CreateFileA(FileName, GENERIC_READ,
        FILE_SHARE_READ,
        NULL,
        OPEN_EXISTING,       
        FILE_ATTRIBUTE_NORMAL,
        NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        printf("[-] Error in CreateFileA!\n");
        return;
    }
    DWORD dwFileSize = GetFileSize(hFile, NULL);
    BYTE* buffer = (BYTE*)malloc(dwFileSize*2);
    ZeroMemory(buffer, dwFileSize);
    DWORD dwBytesToRead = dwFileSize;
    ReadFile(hFile, buffer, dwBytesToRead, &dwBytesToRead, NULL);
    printf("[+] BytesRead: %x\n", dwBytesToRead);
    LPCVOID lpBuffer = buffer;
    if (!(*(BYTE*)lpBuffer)) {
        DWORD fileLen;
        fileLen = *(DWORD*)((BYTE*)lpBuffer + 5) + 5;
        printf("[+] fileLen: %x\n", fileLen);
        BYTE* newBuf = (BYTE*)malloc(fileLen*2);
        DWORD dwUnpackSize = Unpack_2(*((BYTE*)lpBuffer + 0xD), newBuf, (BYTE*)((BYTE*)(lpBuffer) + 0xD), fileLen);
        FILE* out = fopen("D:\\N0zoM1z0\\Sec-Learning\\Reverse\\游戏逆向\\EXP\\g00cnv1\\etract", "wb");
        fwrite(newBuf, sizeof(BYTE), dwUnpackSize, out);
        printf("[+] Unpack Done!\n");
        // 9310000
        dword_404337 = *(unsigned __int16*)((char*)lpBuffer + 3);
        dword_404333 = *(unsigned __int16*)((char*)lpBuffer + 1);
        dword_40433F = (3 * dword_404333 + 3) & 0xFFFFFFFC;
        dword_404343 = dword_404337 * dword_40433F;
        LPCVOID pBMPBuffer = (BYTE*)malloc((16 * dword_404337 * dword_40433F + 54) + 1);

        DWORD dw_bmpSize = Trans2BMP_2(newBuf, pBMPBuffer);
        out = fopen("D:\\N0zoM1z0\\Sec-Learning\\Reverse\\游戏逆向\\EXP\\g00cnv1\\extract.bmp", "wb");
        fwrite(pBMPBuffer, sizeof(BYTE), dw_bmpSize, out);
        printf("[+] Transfer to BMP file done!\n");

    }
    else {

    }

}
int main() {
    Unpack_G00("D:\\N0zoM1z0\\Sec-Learning\\Reverse\\游戏逆向\\Rewrite\\g00\\FGSZ08.g00");

}

强烈吐槽IDA!!!
在这里插入图片描述
这个v6,IDA识别的是WORD类型,也就是无符号,但是,调试了好久,才发现要用有符号。。。这就是最开始extract半天没对的地方!。。


原文地址:https://blog.csdn.net/ULGANOY/article/details/143863710

免责声明:本站文章内容转载自网络资源,如本站内容侵犯了原著者的合法权益,可联系本站删除。更多内容请关注自学内容网(zxcms.com)!