前言
未完待续。
代码在这里:https://github.com/N0zoM1z0/SiglusEngine-Extract
以后随时会更新。()
因为我是选择直接逆向游戏引擎,在无源码,不hook的情况下硬逆Siglus……
路漫漫。。。
read.sav
可以直接逆SiglusCounter.exe
read.sav Unpack后可以得到游戏进度信息
# define _CRT_SECURE_NO_WARNINGS
#include<Windows.h>
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
using namespace std;
char data[0x20000];
void sub_401000(BYTE* a1, BYTE* a2, int a3) {BYTE* v3; // eaxunsigned int v4; // edxBYTE* v5; // ediBYTE* v6; // esiint i; // ecxunsigned int v10; // [esp+14h] [ebp+Ch]v3 = a2;v4 = *a1 + 256;v5 = a1 + 1;v10 = (unsigned int)&a2[a3]; // 末尾if ((unsigned int)a2 < v10){do{if (v4 == 1)v4 = (unsigned __int8)*v5++ + 256;if ((v4 & 1) != 0){*v3++ = *v5++;}else{v6 = &v3[-(*(unsigned __int16*)v5 >> 4)];for (i = (*(WORD*)v5 & 0xF) + 2; i > 0; --i)*v3++ = *v6++;v5 += 2;}v4 >>= 1;} while ((unsigned int)v3 < v10);}
}
int main() {BYTE key[256] = { 0x8B, 0xE5, 0x5D, 0xC3, 0xA1, 0xE0, 0x30, 0x44, 0x00, 0x85, 0xC0, 0x74, 0x09, 0x5F, 0x5E, 0x33, 0xC0, 0x5B, 0x8B, 0xE5, 0x5D, 0xC3, 0x8B, 0x45, 0x0C, 0x85, 0xC0, 0x75, 0x14, 0x8B, 0x55, 0xEC, 0x83, 0xC2, 0x20, 0x52, 0x6A, 0x00, 0xE8, 0xF5, 0x28, 0x01, 0x00, 0x83, 0xC4, 0x08, 0x89, 0x45, 0x0C, 0x8B, 0x45, 0xE4, 0x6A, 0x00, 0x6A, 0x00, 0x50, 0x53, 0xFF, 0x15, 0x34, 0xB1, 0x43, 0x00, 0x8B, 0x45, 0x10, 0x85, 0xC0, 0x74, 0x05, 0x8B, 0x4D, 0xEC, 0x89, 0x08, 0x8A, 0x45, 0xF0, 0x84, 0xC0, 0x75, 0x78, 0xA1, 0xE0, 0x30, 0x44, 0x00, 0x8B, 0x7D, 0xE8, 0x8B, 0x75, 0x0C, 0x85, 0xC0, 0x75, 0x44, 0x8B, 0x1D, 0xD0, 0xB0, 0x43, 0x00, 0x85, 0xFF, 0x76, 0x37, 0x81, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x6A, 0x00, 0x76, 0x43, 0x8B, 0x45, 0xF8, 0x8D, 0x55, 0xFC, 0x52, 0x68, 0x00, 0x00, 0x04, 0x00, 0x56, 0x50, 0xFF, 0x15, 0x2C, 0xB1, 0x43, 0x00, 0x6A, 0x05, 0xFF, 0xD3, 0xA1, 0xE0, 0x30, 0x44, 0x00, 0x81, 0xEF, 0x00, 0x00, 0x04, 0x00, 0x81, 0xC6, 0x00, 0x00, 0x04, 0x00, 0x85, 0xC0, 0x74, 0xC5, 0x8B, 0x5D, 0xF8, 0x53, 0xE8, 0xF4, 0xFB, 0xFF, 0xFF, 0x8B, 0x45, 0x0C, 0x83, 0xC4, 0x04, 0x5F, 0x5E, 0x5B, 0x8B, 0xE5, 0x5D, 0xC3, 0x8B, 0x55, 0xF8, 0x8D, 0x4D, 0xFC, 0x51, 0x57, 0x56, 0x52, 0xFF, 0x15, 0x2C, 0xB1, 0x43, 0x00, 0xEB, 0xD8, 0x8B, 0x45, 0xE8, 0x83, 0xC0, 0x20, 0x50, 0x6A, 0x00, 0xE8, 0x47, 0x28, 0x01, 0x00, 0x8B, 0x7D, 0xE8, 0x89, 0x45, 0xF4, 0x8B, 0xF0, 0xA1, 0xE0, 0x30, 0x44, 0x00, 0x83, 0xC4, 0x08, 0x85, 0xC0, 0x75, 0x56, 0x8B, 0x1D, 0xD0, 0xB0, 0x43, 0x00, 0x85, 0xFF, 0x76, 0x49, 0x81, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x6A, 0x00, 0x76 };FILE* in;in = fopen("D:\\N0zoM1z0\\Sec-Learning\\Reverse\\游戏逆向\\read.sav", "rb");fread(data, sizeof(char), sizeof(data), in);DWORD* dw_data = (DWORD*)data;DWORD v12 = dw_data[2];DWORD v26 = dw_data[3];for (int i = 0x10; i < 0x10 + v12; i++) {data[i] ^= key[(i - 0x10) & 0xFF];}DWORD v25 = dw_data[5];void* Block = malloc(v25);sub_401000((BYTE*)data + 24, (BYTE*)Block, v25);printf("+++++++++++++++++++++++++++++++++++++++++++++++");for (int i = 0; i < v25; i++) {BYTE c = *((BYTE*)Block + i);} // checked ✔️FILE* Stream = fopen("D:\\N0zoM1z0\\Sec-Learning\\Reverse\\游戏逆向\\SiglusCounter.txt", "wb");FILE* v4; // eaxFILE* v5; // edichar* v6; // eaxconst char* v7; // edichar* v8; // eaxFILE* v9; // eaxFILE* v10; // edivoid* v11; // esiint* v13; // esiconst WCHAR* v14; // esiint* v15; // esiint v16; // ecxsize_t v17; // eaxint v19; // [esp-14h] [ebp-3A0h]char Buffer[304]; // [esp+Ch] [ebp-380h] BYREFCHAR MultiByteStr[260]; // [esp+13Ch] [ebp-250h] BYREFCHAR pszPath[304]; // [esp+240h] [ebp-14Ch] BYREFint v24; // [esp+374h] [ebp-18h]size_t v27; // [esp+380h] [ebp-Ch]size_t Size; // [esp+384h] [ebp-8h]if (Stream){v13 = (int*)Block;v24 = 0;Size = 0;if (v26 > 0){v25 = v26;do{v19 = *v13;v14 = (const WCHAR*)(v13 + 1);v26 = v19;MultiByteStr[WideCharToMultiByte(0x3A4u, 0, v14, v19, MultiByteStr, 256, 0, 0)] = 0;v15 = (int*)&v14[v26];v16 = *v15;v13 = v15 + 1;v26 = v16;if (v16){v17 = 0;v27 = 0;if (v16 > 0){v27 = v16;do{v17 += *(unsigned __int8*)v13;v13 = (int*)((char*)v13 + 1);--v27;} while (v27);v27 = v17;}Size += v17;v24 += v16;fprintf(Stream,"%6d/%6d %3d.%d%% %s\r\n",v27,v26,(int)(1000 * v17) / v16 / 10,(int)(1000 * v17) / v16 % 10,MultiByteStr);}--v25;} while (v25);}free(Block);fprintf(Stream,"----------------------------------------\r\n%6d/%6d %3d.%d%% (ALL)\r\n",Size,v24,(int)(1000 * Size) / v24 / 10,(int)(1000 * Size) / v24 % 10);fclose(Stream);}ShellExecuteA(0, "open", "D:\\N0zoM1z0\\Sec-Learning\\Reverse\\游戏逆向\\SiglusCounter.txt", NULL,NULL, 1);
}
mode.cgm
这个解出来是一个TABLE,感觉像是来索引各个g00图片文件的。
解出来大概长这样:
nwa
网上有现成脚本,就不自己造轮子了。
https://github.com/mirrorange/NwaConverter
强烈建议解Rewrite的BGM017,散花!(sakuya😭)
g00
逆了好久。。。还只弄了一个分支。。。
占个坑,后面补完整。
终于可以解出Rewrite的CG了😭😭😭
# define _CRT_SECURE_NO_WARNINGS
#include<Windows.h>
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#include<stdint.h>
using namespace std;void Unpack_1(UINT8 a1,BYTE* a2,BYTE* a3,DWORD fileLen) {}
int Unpack_2(UINT8 a1, BYTE* a2, BYTE* a3,DWORD fileLen) {/**/int result; // eaxchar v4; // cfchar v5; // clint v6; // esiBYTE* v7; // esiBYTE* v8; // ediBYTE* v9; // [esp-4h] [ebp-4h]DWORD cnt = 0;DWORD id1 = 0, id2 = 0; // id1: edi id2:esifileLen -= 0xD;DWORD flag = 0;while (TRUE) {if (!flag) {a1 = a3[id2];++id2;flag = 7;}else {flag--;}if (id2 >= fileLen)break;if(id1 == 0x10038)printf("[+] a1: %x id1: %x\n", a1,id1);v4 = a1 & 1;a1 >>= 1;if (v4) {//for (int i = 0; i < 3; i++) {a2[id1 + i] = a3[id2 + i];}a2[id1 + 3] = 0;id1 += 4;id2 += 3;} // checkedelse {int WORD_a3 = *(WORD*)((BYTE*)a3 + id2);v5 = (WORD_a3 & 0xF) + 1;v6 = (id1 - (4 * (WORD_a3 >> 4))); // !!! 这里不能用WORD!!! ... 要int 。。。//cnt += 1;//printf("v6: %x id1: %x\n", v6,id1);//if (cnt > 3)return;//return;do {for (int i = 0; i < 4; i++) {a2[id1 + i] = a2[v6 + i];}id1 += 4;v6 += 4;v5--;} while (v5);id2 += 2;}}return id1; // .... 开始手贱写成id2了...
}
DWORD dword_404337, dword_404333, dword_40433F, dword_404343;
void Trans2BMP_1() {}
int Trans2BMP_2(LPCVOID dword_40434B,LPCVOID lpBuffer) {int v2; // ebxint v3; // edi__int16 v4; // cx__int16 v5; // cx__int16 v6; // ax__int16 v7; // dxint result; // eaxint v9; // [esp-6h] [ebp-6h]__int16 v10; // [esp-2h] [ebp-2h]BYTE* v0 = (BYTE*)dword_40434B;BYTE* v1 = (BYTE*)lpBuffer;*(WORD*)lpBuffer = 0x4D42;*(DWORD*)(v1 + 2) = dword_404343 + 54;*(DWORD*)(v1 + 6) = 0;*(DWORD*)(v1 + 10) = 54;*(DWORD*)(v1 + 14) = 40;v2 = dword_404337;*(DWORD*)(v1 + 18) = dword_404333;*(DWORD*)(v1 + 22) = v2;*((WORD*)v1 + 13) = 1;*((WORD*)v1 + 14) = 24;*(DWORD*)(v1 + 30) = 0;*(DWORD*)(v1 + 34) = 0;*(DWORD*)(v1 + 38) = 0;*(DWORD*)(v1 + 42) = 0;*(DWORD*)(v1 + 46) = 0;*(DWORD*)(v1 + 50) = 0;v3 = (v2 - 1) * dword_40433F + 54;v4 = dword_404337;int idx_0 = 0;do {v10 = v4;v9 = v3;v5 = dword_404333;do {/*printf("v3: %x\n", v3);return 1;*/v1[v3] = v0[idx_0];v1[v3 + 1] = v0[idx_0 + 1];v1[v3 + 2] = v0[idx_0 + 2];idx_0 += 4;v3 += 3;--v5;} while (v5);v3 = v9 - dword_40433F;//if (v3 == 0x36)break;v4 = v10 - 1;} while (v10 != 1);result = dword_404337 * dword_40433F + 54;return result;
}
void Unpack_G00(const CHAR* FileName) {HANDLE hFile = CreateFileA(FileName, GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL,NULL);if (hFile == INVALID_HANDLE_VALUE) {printf("[-] Error in CreateFileA!\n");return;}DWORD dwFileSize = GetFileSize(hFile, NULL);BYTE* buffer = (BYTE*)malloc(dwFileSize*2);ZeroMemory(buffer, dwFileSize);DWORD dwBytesToRead = dwFileSize;ReadFile(hFile, buffer, dwBytesToRead, &dwBytesToRead, NULL);printf("[+] BytesRead: %x\n", dwBytesToRead);LPCVOID lpBuffer = buffer;if (!(*(BYTE*)lpBuffer)) {DWORD fileLen;fileLen = *(DWORD*)((BYTE*)lpBuffer + 5) + 5;printf("[+] fileLen: %x\n", fileLen);BYTE* newBuf = (BYTE*)malloc(fileLen*2);DWORD dwUnpackSize = Unpack_2(*((BYTE*)lpBuffer + 0xD), newBuf, (BYTE*)((BYTE*)(lpBuffer) + 0xD), fileLen);FILE* out = fopen("D:\\N0zoM1z0\\Sec-Learning\\Reverse\\游戏逆向\\EXP\\g00cnv1\\etract", "wb");fwrite(newBuf, sizeof(BYTE), dwUnpackSize, out);printf("[+] Unpack Done!\n");// 9310000dword_404337 = *(unsigned __int16*)((char*)lpBuffer + 3);dword_404333 = *(unsigned __int16*)((char*)lpBuffer + 1);dword_40433F = (3 * dword_404333 + 3) & 0xFFFFFFFC;dword_404343 = dword_404337 * dword_40433F;LPCVOID pBMPBuffer = (BYTE*)malloc((16 * dword_404337 * dword_40433F + 54) + 1);DWORD dw_bmpSize = Trans2BMP_2(newBuf, pBMPBuffer);out = fopen("D:\\N0zoM1z0\\Sec-Learning\\Reverse\\游戏逆向\\EXP\\g00cnv1\\extract.bmp", "wb");fwrite(pBMPBuffer, sizeof(BYTE), dw_bmpSize, out);printf("[+] Transfer to BMP file done!\n");}else {}}
int main() {Unpack_G00("D:\\N0zoM1z0\\Sec-Learning\\Reverse\\游戏逆向\\Rewrite\\g00\\FGSZ08.g00");}
强烈吐槽IDA!!!
这个v6,IDA识别的是WORD类型,也就是无符号,但是,调试了好久,才发现要用有符号。。。这就是最开始extract半天没对的地方!。。
