吾爱破解 - 52pojie.cn

[Help] Help with decrypting a game's text files

烟99 posted on 2024-11-25 07:50


血战上海滩: after unpacking the game's PCK files I did not find any file holding the kill-score configuration, so I suspect it is in the few encrypted INI files in the game's root directory.


First, my reasoning:

I dragged the game's main EXE into IDA and found many ".ini" strings; below each one there is a call to sub_402A50, followed by an error message about not being able to open the file, so it is fairly safe to conclude that this function is related to loading and decrypting the INI files.


Jump to sub_402A50


Press space to switch to graph view



[Asm]
; int __stdcall sub_402A50(char ArgList)
sub_402A50 proc near
 
ArgList= byte ptr 4
 
push ebx
push ebp
push esi
push edi
mov edi, dword ptr [esp+10h+ArgList]
mov ebp, ecx
test edi, edi
jnz short loc_402A81

As shown above, it first pushes four registers, then loads data from memory into edi. The address is computed as the stack pointer esp plus hex 10h (16 bytes) plus the offset represented by ArgList (4 bytes); a dword (32-bit, indicated by dword ptr) is read from that address into edi. Then the value of ecx is moved into ebp, and a test is done: if the result of the test instruction is non-zero execution continues, otherwise an invalid-parameter error is reported.


Next, the following is executed
[Asm]
mov     eax, [ebp+14h]
lea     esi, [ebp+14h]
push    4
push    edi
mov     ecx, esi
call    dword ptr [eax+14h]
test    al, al
jnz     short loc_402AC7

Here there is another call, which should be the INI decryption: it calls to eax plus hex 14h, and the dword (32-bit) value read from that address is used as the function's entry address.
Later I realised this was very inefficient. The exe itself is unpacked and has lots of plaintext error messages; I figured the errors would be written to a log file, so I deliberately corrupted one INI file to see what kind of error was output.


Searching directly for "Bad key name format" led to the function sub_4031F0


The code here is as follows

[Asm]
.text:004031F0                              ; =============== S U B R O U T I N E =======================================
.text:004031F0
.text:004031F0
.text:004031F0                              ; unsigned __int8 *__thiscall sub_4031F0(_DWORD *this, unsigned __int8 *, int)
.text:004031F0                               sub_4031F0 proc near                   ; CODE XREF: sub_403040+49↑p
.text:004031F0
.text:004031F0                               var_8= dword ptr -8
.text:004031F0                               Count= dword ptr -4
.text:004031F0                               arg_0= dword ptr  4
.text:004031F0                               arg_4= dword ptr  8
.text:004031F0
.text:004031F0 83 EC 08                      sub     esp, 8
.text:004031F3 89 4C 24 00                   mov     [esp+8+var_8], ecx
.text:004031F7 53                            push    ebx
.text:004031F8 8B 4C 24 14                   mov     ecx, [esp+0Ch+arg_4]
.text:004031FC 55                            push    ebp
.text:004031FD 56                            push    esi
.text:004031FE 57                            push    edi
.text:004031FF 85 C9                         test    ecx, ecx
.text:00403201 7F 2A                         jg      short loc_40322D
.text:00403201
.text:00403203 68 EC 75 5B 00                push    offset aBadLengthParam         ; "Bad length parameter."
.text:00403208 68 96 01 00 00                push    196h
.text:0040320D 68 90 74 5B 00                push    offset aEDevAbaseAwndi         ; "E:\\dev\\ABASE\\AWndIniFile.cpp"
.text:00403212 68 84 74 5B 00                push    offset aSDS                    ; "%s(%d) : %s"
.text:00403217 6A 00                         push    0                              ; int
.text:00403219 E8 62 0E 00 00                call    sub_404080
.text:00403219
.text:0040321E 83 C4 14                      add     esp, 14h
.text:00403221 33 C0                         xor     eax, eax
.text:00403223 5F                            pop     edi
.text:00403224 5E                            pop     esi
.text:00403225 5D                            pop     ebp
.text:00403226 5B                            pop     ebx
.text:00403227 83 C4 08                      add     esp, 8
.text:0040322A C2 08 00                      retn    8
.text:0040322A
.text:0040322D                              ; ---------------------------------------------------------------------------
.text:0040322D
.text:0040322D                               loc_40322D:                            ; CODE XREF: sub_4031F0+11↑j
.text:0040322D 8B 74 24 1C                   mov     esi, [esp+18h+arg_0]
.text:00403231 33 ED                         xor     ebp, ebp
.text:00403233 85 C9                         test    ecx, ecx
.text:00403235 7E 1C                         jle     short loc_403253
.text:00403235
.text:00403237
.text:00403237                               loc_403237:                            ; CODE XREF: sub_4031F0+61↓j
.text:00403237 8A 04 2E                      mov     al, [esi+ebp]
.text:0040323A 3C 3D                         cmp     al, 3Dh ; '='
.text:0040323C 74 15                         jz      short loc_403253
.text:0040323C
.text:0040323E 3C 0A                         cmp     al, 0Ah
.text:00403240 0F 84 8B 00 00 00             jz      loc_4032D1
.text:00403240
.text:00403246 3C 0D                         cmp     al, 0Dh
.text:00403248 0F 84 83 00 00 00             jz      loc_4032D1
.text:00403248
.text:0040324E 45                            inc     ebp
.text:0040324F 3B E9                         cmp     ebp, ecx
.text:00403251 7C E4                         jl      short loc_403237
.text:00403251
.text:00403253
.text:00403253                               loc_403253:                            ; CODE XREF: sub_4031F0+45↑j
.text:00403253                                                                      ; sub_4031F0+4C↑j
.text:00403253 33 C0                         xor     eax, eax
.text:00403255 33 DB                         xor     ebx, ebx
.text:00403257 8A 06                         mov     al, [esi]
.text:00403259 89 5C 24 1C                   mov     [esp+18h+arg_0], ebx
.text:0040325D 50                            push    eax                            ; C
.text:0040325E 8D 7D FF                      lea     edi, [ebp-1]
.text:00403261 FF 15 0C B3 58 00             call    ds:__imp_isspace
.text:00403261
.text:00403267 83 C4 04                      add     esp, 4
.text:0040326A 85 C0                         test    eax, eax
.text:0040326C 74 1E                         jz      short loc_40328C
.text:0040326C
.text:0040326E
.text:0040326E                               loc_40326E:                            ; CODE XREF: sub_4031F0+96↓j
.text:0040326E 3B 5C 24 20                   cmp     ebx, [esp+18h+arg_4]
.text:00403272 7D 14                         jge     short loc_403288
.text:00403272
.text:00403274 43                            inc     ebx
.text:00403275 33 C9                         xor     ecx, ecx
.text:00403277 8A 0C 33                      mov     cl, [ebx+esi]
.text:0040327A 51                            push    ecx                            ; C
.text:0040327B FF 15 0C B3 58 00             call    ds:__imp_isspace
.text:0040327B
.text:00403281 83 C4 04                      add     esp, 4
.text:00403284 85 C0                         test    eax, eax
.text:00403286 75 E6                         jnz     short loc_40326E
.text:00403286
.text:00403288
.text:00403288                               loc_403288:                            ; CODE XREF: sub_4031F0+82↑j
.text:00403288 89 5C 24 1C                   mov     [esp+18h+arg_0], ebx
.text:00403288
.text:0040328C
.text:0040328C                               loc_40328C:                            ; CODE XREF: sub_4031F0+7C↑j
.text:0040328C 33 D2                         xor     edx, edx
.text:0040328E 8A 14 37                      mov     dl, [edi+esi]
.text:00403291 52                            push    edx                            ; C
.text:00403292 FF 15 0C B3 58 00             call    ds:__imp_isspace
.text:00403292
.text:00403298 83 C4 04                      add     esp, 4
.text:0040329B 85 C0                         test    eax, eax
.text:0040329D 74 18                         jz      short loc_4032B7
.text:0040329D
.text:0040329F
.text:0040329F                               loc_40329F:                            ; CODE XREF: sub_4031F0+C5↓j
.text:0040329F 3B FB                         cmp     edi, ebx
.text:004032A1 7C 14                         jl      short loc_4032B7
.text:004032A1
.text:004032A3 4F                            dec     edi
.text:004032A4 33 C0                         xor     eax, eax
.text:004032A6 8A 04 37                      mov     al, [edi+esi]
.text:004032A9 50                            push    eax                            ; C
.text:004032AA FF 15 0C B3 58 00             call    ds:__imp_isspace
.text:004032AA
.text:004032B0 83 C4 04                      add     esp, 4
.text:004032B3 85 C0                         test    eax, eax
.text:004032B5 75 E8                         jnz     short loc_40329F
.text:004032B5
.text:004032B7
.text:004032B7                               loc_4032B7:                            ; CODE XREF: sub_4031F0+AD↑j
.text:004032B7                                                                      ; sub_4031F0+B1↑j
.text:004032B7 2B FB                         sub     edi, ebx
.text:004032B9 47                            inc     edi
.text:004032BA 85 FF                         test    edi, edi
.text:004032BC 89 7C 24 14                   mov     [esp+18h+Count], edi
.text:004032C0 7F 1E                         jg      short loc_4032E0
.text:004032C0
.text:004032C2 68 D4 75 5B 00                push    offset aBadKeyValueFor         ; "Bad key value format."
.text:004032C7 68 B8 01 00 00                push    1B8h
.text:004032CC E9 EB 00 00 00                jmp     loc_4033BC
.text:004032CC
.text:004032D1                              ; ---------------------------------------------------------------------------
.text:004032D1
.text:004032D1                               loc_4032D1:                            ; CODE XREF: sub_4031F0+50↑j
.text:004032D1                                                                      ; sub_4031F0+58↑j
.text:004032D1 68 C0 75 5B 00                push    offset aBadKeyNameForm         ; "Bad key name format"
.text:004032D6 68 AC 01 00 00                push    1ACh
.text:004032DB E9 DC 00 00 00                jmp     loc_4033BC
.text:004032DB
.text:004032E0                              ; ---------------------------------------------------------------------------
.text:004032E0
.text:004032E0                               loc_4032E0:                            ; CODE XREF: sub_4031F0+D0↑j
.text:004032E0 8B 4C 24 20                   mov     ecx, [esp+18h+arg_4]
.text:004032E4 45                            inc     ebp
.text:004032E5 3B E9                         cmp     ebp, ecx
.text:004032E7 7C 0F                         jl      short loc_4032F8
.text:004032E7
.text:004032E9 68 D4 75 5B 00                push    offset aBadKeyValueFor         ; "Bad key value format."
.text:004032EE 68 BF 01 00 00                push    1BFh
.text:004032F3 E9 C4 00 00 00                jmp     loc_4033BC
.text:004032F3
.text:004032F8                              ; ---------------------------------------------------------------------------
.text:004032F8
.text:004032F8                               loc_4032F8:                            ; CODE XREF: sub_4031F0+F7↑j
.text:004032F8 8B FD                         mov     edi, ebp
.text:004032F8
.text:004032FA
.text:004032FA                               loc_4032FA:                            ; CODE XREF: sub_4031F0+11C↓j
.text:004032FA 8A 04 2E                      mov     al, [esi+ebp]
.text:004032FD 3C 0A                         cmp     al, 0Ah
.text:004032FF 74 0F                         jz      short loc_403310
.text:004032FF
.text:00403301 3C 0D                         cmp     al, 0Dh
.text:00403303 74 0B                         jz      short loc_403310
.text:00403303
.text:00403305 84 C0                         test    al, al
.text:00403307 74 07                         jz      short loc_403310
.text:00403307
.text:00403309 45                            inc     ebp
.text:0040330A 3B E9                         cmp     ebp, ecx
.text:0040330C 7C EC                         jl      short loc_4032FA
.text:0040330C
.text:0040330E EB 07                         jmp     short loc_403317
.text:0040330E
.text:00403310                              ; ---------------------------------------------------------------------------
.text:00403310
.text:00403310                               loc_403310:                            ; CODE XREF: sub_4031F0+10F↑j
.text:00403310                                                                      ; sub_4031F0+113↑j
.text:00403310                                                                      ; sub_4031F0+117↑j
.text:00403310 3B E9                         cmp     ebp, ecx
.text:00403312 8D 5D FF                      lea     ebx, [ebp-1]
.text:00403315 7C 02                         jl      short loc_403319
.text:00403315
.text:00403317
.text:00403317                               loc_403317:                            ; CODE XREF: sub_4031F0+11E↑j
.text:00403317 8B DD                         mov     ebx, ebp
.text:00403317
.text:00403319
.text:00403319                               loc_403319:                            ; CODE XREF: sub_4031F0+125↑j
.text:00403319 33 C9                         xor     ecx, ecx
.text:0040331B 8A 0C 37                      mov     cl, [edi+esi]
.text:0040331E 51                            push    ecx                            ; C
.text:0040331F FF 15 0C B3 58 00             call    ds:__imp_isspace
.text:0040331F
.text:00403325 83 C4 04                      add     esp, 4
.text:00403328 85 C0                         test    eax, eax
.text:0040332A 74 1A                         jz      short loc_403346
.text:0040332A
.text:0040332C
.text:0040332C                               loc_40332C:                            ; CODE XREF: sub_4031F0+154↓j
.text:0040332C 3B 7C 24 20                   cmp     edi, [esp+18h+arg_4]
.text:00403330 7D 14                         jge     short loc_403346
.text:00403330
.text:00403332 47                            inc     edi
.text:00403333 33 D2                         xor     edx, edx
.text:00403335 8A 14 37                      mov     dl, [edi+esi]
.text:00403338 52                            push    edx                            ; C
.text:00403339 FF 15 0C B3 58 00             call    ds:__imp_isspace
.text:00403339
.text:0040333F 83 C4 04                      add     esp, 4
.text:00403342 85 C0                         test    eax, eax
.text:00403344 75 E6                         jnz     short loc_40332C
.text:00403344
.text:00403346
.text:00403346                               loc_403346:                            ; CODE XREF: sub_4031F0+13A↑j
.text:00403346                                                                      ; sub_4031F0+140↑j
.text:00403346 33 C0                         xor     eax, eax
.text:00403348 8A 04 33                      mov     al, [ebx+esi]
.text:0040334B 50                            push    eax                            ; C
.text:0040334C FF 15 0C B3 58 00             call    ds:__imp_isspace
.text:0040334C
.text:00403352 83 C4 04                      add     esp, 4
.text:00403355 85 C0                         test    eax, eax
.text:00403357 74 18                         jz      short loc_403371
.text:00403357
.text:00403359
.text:00403359                               loc_403359:                            ; CODE XREF: sub_4031F0+17F↓j
.text:00403359 3B DF                         cmp     ebx, edi
.text:0040335B 7C 14                         jl      short loc_403371
.text:0040335B
.text:0040335D 4B                            dec     ebx
.text:0040335E 33 C9                         xor     ecx, ecx
.text:00403360 8A 0C 33                      mov     cl, [ebx+esi]
.text:00403363 51                            push    ecx                            ; C
.text:00403364 FF 15 0C B3 58 00             call    ds:__imp_isspace
.text:00403364
.text:0040336A 83 C4 04                      add     esp, 4
.text:0040336D 85 C0                         test    eax, eax
.text:0040336F 75 E8                         jnz     short loc_403359
.text:0040336F
.text:00403371
.text:00403371                               loc_403371:                            ; CODE XREF: sub_4031F0+167↑j
.text:00403371                                                                      ; sub_4031F0+16B↑j
.text:00403371 2B DF                         sub     ebx, edi
.text:00403373 43                            inc     ebx
.text:00403374 85 DB                         test    ebx, ebx
.text:00403376 7F 0C                         jg      short loc_403384
.text:00403376
.text:00403378 68 D4 75 5B 00                push    offset aBadKeyValueFor         ; "Bad key value format."
.text:0040337D 68 DC 01 00 00                push    1DCh
.text:00403382 EB 38                         jmp     short loc_4033BC
.text:00403382
.text:00403384                              ; ---------------------------------------------------------------------------
.text:00403384
.text:00403384                               loc_403384:                            ; CODE XREF: sub_4031F0+186↑j
.text:00403384 8B 4C 24 10                   mov     ecx, [esp+18h+var_8]
.text:00403388 8B 41 1C                      mov     eax, [ecx+1Ch]
.text:0040338B 85 C0                         test    eax, eax
.text:0040338D 7C 23                         jl      short loc_4033B2
.text:0040338D
.text:0040338F 8B 54 24 14                   mov     edx, [esp+18h+Count]
.text:00403393 03 FE                         add     edi, esi
.text:00403395 53                            push    ebx                            ; size_t
.text:00403396 57                            push    edi                            ; char *
.text:00403397 52                            push    edx                            ; Count
.text:00403398 8B 54 24 28                   mov     edx, [esp+24h+arg_0]
.text:0040339C 03 D6                         add     edx, esi
.text:0040339E 52                            push    edx                            ; Source
.text:0040339F 50                            push    eax                            ; int
.text:004033A0 E8 9B 02 00 00                call    sub_403640
.text:004033A0
.text:004033A5 8D 04 2E                      lea     eax, [esi+ebp]
.text:004033A8 5F                            pop     edi
.text:004033A9 5E                            pop     esi
.text:004033AA 5D                            pop     ebp
.text:004033AB 5B                            pop     ebx
.text:004033AC 83 C4 08                      add     esp, 8
.text:004033AF C2 08 00                      retn    8
.text:004033AF
.text:004033B2                              ; ---------------------------------------------------------------------------
.text:004033B2
.text:004033B2                               loc_4033B2:                            ; CODE XREF: sub_4031F0+19D↑j
.text:004033B2 68 A4 75 5B 00                push    offset aTheKeyMustInAS         ; "The key must in a section"
.text:004033B7 68 E6 01 00 00                push    1E6h
.text:004033B7
.text:004033BC
.text:004033BC                               loc_4033BC:                            ; CODE XREF: sub_4031F0+DC↑j
.text:004033BC                                                                      ; sub_4031F0+EB↑j
.text:004033BC                                                                      ; sub_4031F0+103↑j
.text:004033BC                                                                      ; sub_4031F0+192↑j
.text:004033BC 68 90 74 5B 00                push    offset aEDevAbaseAwndi         ; "E:\\dev\\ABASE\\AWndIniFile.cpp"
.text:004033C1 68 84 74 5B 00                push    offset aSDS                    ; "%s(%d) : %s"
.text:004033C6 6A 00                         push    0                              ; int
.text:004033C8 E8 B3 0C 00 00                call    sub_404080
.text:004033C8
.text:004033CD 83 C4 14                      add     esp, 14h
.text:004033D0 8D 04 2E                      lea     eax, [esi+ebp]
.text:004033D3 5F                            pop     edi
.text:004033D4 5E                            pop     esi
.text:004033D5 5D                            pop     ebp
.text:004033D6 5B                            pop     ebx
.text:004033D7 83 C4 08                      add     esp, 8
.text:004033DA C2 08 00                      retn    8
.text:004033DA
.text:004033DA                               sub_4031F0 endp


Barring surprises, this should be the INI decryption. The function takes three parameters, one of which may be a key, so I think it needs a key supplied from outside in order to decrypt. The first part is some data validation; from 00403201 onwards I cannot follow it any more. Could someone walk me through it? Give me an idea of how it should be analysed.
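Reading the listing above: sub_4031F0 scans one line for '=', trims key and value with isspace(), requires an open [section] ([this+1Ch] >= 0) and passes the pair to sub_403640; the strings it pushes are parse errors, not anything cipher-related. The Python below is an added rendering of that control flow, not code from the thread; `section` stands in for the [this+1Ch] field, sub_403640 is not reproduced, and the sample line is constructed.

```python
# Added example (not from the thread): sub_4031F0 rendered in Python, following
# the IDA listing above. 'section' stands in for [this+1Ch]; sub_403640, which
# stores the parsed pair, is not reproduced.

class IniFormatError(ValueError):
    """Raised with the message sub_4031F0 would log through sub_404080."""


def _isspace(b: int) -> bool:
    # C isspace() in the "C" locale: space, \t, \n, \v, \f, \r
    return b in (0x20, 0x09, 0x0A, 0x0B, 0x0C, 0x0D)


def _trim(buf: bytes, start: int, end: int):
    """Strip isspace() bytes from both ends of buf[start..end] (inclusive);
    mirrors the forward and backward isspace loops in the listing."""
    n = len(buf)
    while start < n and _isspace(buf[start]):
        start += 1
    while start <= end < n and _isspace(buf[end]):
        end -= 1
    return start, end


def parse_key_line(buf: bytes, section: int):
    """Parse one 'key = value' line the way sub_4031F0 does.

    Returns (key, value, pos); pos is the offset of the line terminator,
    i.e. the esi+ebp pointer the function returns. A negative section
    models "no [section] open" ([this+1Ch] < 0).
    """
    n = len(buf)
    if n <= 0:
        raise IniFormatError("Bad length parameter.")        # 196h
    p = 0                                                    # ebp
    while p < n:                                             # loc_403237
        if buf[p] == 0x3D:                                   # '='
            break
        if buf[p] in (0x0A, 0x0D):                           # line break before '='
            raise IniFormatError("Bad key name format")      # 1ACh
        p += 1
    k_start, k_end = _trim(buf, 0, p - 1)                    # loc_403253..4032B7
    if k_end - k_start + 1 <= 0:
        raise IniFormatError("Bad key value format.")        # 1B8h: empty key
    p += 1                                                   # loc_4032E0: skip '='
    if p >= n:
        raise IniFormatError("Bad key value format.")        # 1BFh: nothing after '='
    v_start = p                                              # loc_4032F8: edi = ebp
    while p < n and buf[p] not in (0x0A, 0x0D, 0x00):        # loc_4032FA
        p += 1
    # loc_403310/403317: value ends just before the terminator; if the buffer
    # runs out the listing uses ebp itself, clamped to the last byte here
    v_end = p - 1 if p < n else n - 1
    v_start, v_end = _trim(buf, v_start, v_end)              # loc_403319..403371
    if v_end - v_start + 1 <= 0:
        raise IniFormatError("Bad key value format.")        # 1DCh: empty value
    if section < 0:                                          # loc_403384
        raise IniFormatError("The key must in a section")    # 1E6h
    # at this point the binary calls sub_403640(section, key, keylen, value, vallen)
    return bytes(buf[k_start:k_end + 1]), bytes(buf[v_start:v_end + 1]), p


if __name__ == "__main__":
    # constructed sample line of the kind the decoded INI would contain
    print(parse_key_line(b"Score = 100\r\nNext=1", 0))      # (b'Score', b'100', 11)
```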


OP | 烟99 posted on 2024-11-25 11:13
scp201 posted on 2024-11-25 09:15:
Why not just try a memory editor and search for and change it in memory?

I know there are trainers; if it were only about modifying the game, this thread would be pointless.
苏紫方璇 posted on 2024-11-25 12:30
Decryption code
[Asm]
004027E0    8B5424 04       mov edx,dword ptr ss:[esp+0x4]          ; data address
004027E4    8B4C24 08       mov ecx,dword ptr ss:[esp+0x8]          ; length
004027E8    33C0            xor eax,eax
004027EA    8A42 01         mov al,byte ptr ds:[edx+0x1]
004027ED    C0C0 03         rol al,0x3
004027F0    8802            mov byte ptr ds:[edx],al
004027F2    42              inc edx
004027F3    49              dec ecx
004027F4  ^ 7F F4           jg short shanghai.004027EA
004027F6    C3              retn
苏紫方璇 posted on 2024-11-25 12:52
I put together a Python script
[Python]
def decode(data):
    """Undo the INI obfuscation: each output byte is the following input
    byte rotated left by 3 bits (the rol al,3 loop at 004027E0)."""
    decoded = bytearray()
    for byte in data[1:]:
        # rotate left by 3 bits
        decoded_byte = ((byte << 3) | (byte >> 5)) & 0xFF  # keep only the low 8 bits
        decoded.append(decoded_byte)
    return decoded
 
def decode_file(input_file):
    with open(input_file, 'rb') as f:
        encrypted_data = f.read()
    print("读取到的加密数据:", encrypted_data)
    decrypted_data = decode(encrypted_data)
    # the INI text is GB2312-encoded; normalise CRLF line endings
    decoded_text = decrypted_data.decode('gb2312', errors='ignore').replace('\r\n', '\n')
 
    print("解码结果:")
    print(decoded_text)
 
if __name__ == "__main__":
    input_path = input("文件名:")
    decode_file(input_path)


苏紫方璇 posted on 2024-11-25 15:08
Something like
[Asm]
mov     ecx, esi
call    dword ptr [eax+14h]

is probably a class member function, a thiscall with ecx as the this pointer. Just follow it downward with dynamic debugging.
I did not look closely, but the flow seems to be SetFileAttributes, CreateFile, GetFileSize, allocate memory, ReadFile, then decrypt.

OP | 烟99 posted on 2024-11-25 15:16
苏紫方璇 posted on 2024-11-25 15:08:
Something like

This kind should ...

Right, I understood this part at the start too: it first checks the attributes and the size. I set breakpoints before and after the operation, but I just could not trace the return result of the decryption.