VA新纸老虎寻求测试(2022)

xmbwg

逻辑很清晰 甚至太清晰了 作为打包挺好的 但是加密强度比较弱
很久没逆向了 久违的参与一下
本来只是提取资源并不需要完全理清解码流程  因为可以在内存里取 但还是认真看完了 写了解码脚本
要不是RM已经卸载很久了 而且也比较忙 甚至想反打包一个data.fux2 用exe的解码函数去提取

近段时间科研日常深度学习 都不会写ruby和c了 用python应付一下啦

PYTHON 代码复制

from pathlib import Path
with open("Graphics.fux2", "rb") as f:
    data = f.read()
pointer = 8
while any((b != 0 for b in data[pointer+0x10:pointer+0x14])):
    key = data[pointer:pointer+2]
    length = int.from_bytes(data[pointer+4:pointer+8], "little") * 2
    start = int.from_bytes(data[pointer+8:pointer+0xC], "little")
    filename = list(data[start:start+length])
    for i in range(length):
        filename[i] ^= key[i%2]
    filename = str(bytes(filename), "utf-16").replace('\\', '/')
    filename = Path(filename)
    key = 0
    fn = filename.stem
    fn = list(fn.encode("utf-16"))
    # 0xFF 0xFE
    for i in range(2, len(fn), 2):
        key = key * 0x83 + fn[i] + fn[i+1]*0x100
        key &= 0xFFFFFFFF
    length = int.from_bytes(data[pointer+0xC:pointer+0x10], "little")
    start = int.from_bytes(data[pointer+0x10:pointer+0x14], "little")
    img = list((int.from_bytes(data[start+k*4:start+k*4+4], "little") for k in range(length//4)))
    imglist = []
    for i, j in enumerate(img):
        imglist.extend(list(int.to_bytes(j^key, 4, "little")))
        key = key * 7 + 13
        key &= 0xFFFFFFFF
    img = bytes(imglist) + data[start+length//4*4:start+length]
    filename.parent.mkdir(parents=True, exist_ok=True)
    with open(filename, "wb") as f:
        f.write(img)
    pointer += 0x14

from pathlib import Path


with open("Graphics.fux2", "rb") as f:


    data = f.read()


pointer = 8


while any((b != 0 for b in data[pointer+0x10:pointer+0x14])):


    key = data[pointer:pointer+2]


    length = int.from_bytes(data[pointer+4:pointer+8], "little") * 2


    start = int.from_bytes(data[pointer+8:pointer+0xC], "little")


    filename = list(data[start:start+length])


    for i in range(length):


        filename[i] ^= key[i%2]


    filename = str(bytes(filename), "utf-16").replace('\\', '/')


    filename = Path(filename)


    key = 0


    fn = filename.stem


    fn = list(fn.encode("utf-16"))


    # 0xFF 0xFE


    for i in range(2, len(fn), 2):


        key = key * 0x83 + fn[i] + fn[i+1]*0x100


        key &= 0xFFFFFFFF


    length = int.from_bytes(data[pointer+0xC:pointer+0x10], "little")


    start = int.from_bytes(data[pointer+0x10:pointer+0x14], "little")


    img = list((int.from_bytes(data[start+k*4:start+k*4+4], "little") for k in range(length//4)))


    imglist = []


    for i, j in enumerate(img):


        imglist.extend(list(int.to_bytes(j^key, 4, "little")))


        key = key * 7 + 13


        key &= 0xFFFFFFFF


    img = bytes(imglist) + data[start+length//4*4:start+length]


    filename.parent.mkdir(parents=True, exist_ok=True)


    with open(filename, "wb") as f:


        f.write(img)


    pointer += 0x14

xmbwg

fux2 发表于 2022-4-24 11:18
层主效率太高啦
这份exe本身没有做过特别的处理，目前看来确实有些简单过头了
不过在何强度目前心里已有 ...

恩 因为包头解码后 文件的名字 索引 长度 密钥 都是明文了
也就不需要再去看那部分流程
一个小想法
可以用两个不同的hash函数 输入是文件名
一个生成标识符 存储在包头用于索引
一个生成密钥
也就是 包头没有文件名这部分信息
读取时先由hash1定位文件 再由hash2解码文件
这样就不存在通用解包器了
或者说和游戏的耦合度大大增加了