I need twelvesky 2 reborn IMG structure
// Validates record a2 of the item table. Returns 1 when the slot is unused or
// every field lies inside its allowed range, 0 otherwise.
//
// This is decompiler output, so field names and operand widths are lost:
//  - this[1] is used as the base address of the table and 436 as the record
//    stride (Init copies 436 * tDataNum bytes into mDATA; presumably this[1]
//    is mDATA - confirm against the class layout).
//  - a2 is a zero-based record index. It is NOT range-checked in this
//    function; the caller visible on this page (Init) passes 0 .. mDataNum-1.
//  - The checks cover offsets 0 .. 435 (372 + 8 * 8 == 436), i.e. the whole record.
BOOL CITEM::CheckValidElement(int a2)
{
int i; // [esp+4h] [ebp-8h]
int j; // [esp+4h] [ebp-8h]
int l; // [esp+4h] [ebp-8h]
int k; // [esp+8h] [ebp-4h]
// Offset 0: a zero value accepts the slot without looking at any other field.
if ( !*(436 * a2 + this[1]) )
return 1;
// A non-zero value at offset 0 must be within 1..99999 ...
if ( *(436 * a2 + this[1]) < 1 || *(436 * a2 + this[1]) > 99999 )
return 0;
// ... and must equal the record's own position + 1.
if ( *(436 * a2 + this[1]) != a2 + 1 )
return 0;
// Offset 4, 25 elements: scan for a zero; reject when none is found.
// NOTE(review): looks like a NUL-terminated string in a fixed 25-byte field;
// the element width is not shown by the decompiler - confirm.
for ( i = 0; i < 25 && *(436 * a2 + this[1] + i + 4); ++i )
{
;
}
if ( i == 25 )
return 0;
// Offset 29: three consecutive 51-element fields, each of which must contain a zero.
for ( j = 0; j < 3; ++j )
{
for ( k = 0; k < 51 && *(51 * j + k + 436 * a2 + this[1] + 29); ++k )
{
;
}
if ( k == 51 )
return 0;
}
// Offsets 184 .. 368 in steps of 4: one inclusive range check per field.
// The meaning of each field cannot be recovered from this listing.
if ( *(this[1] + 436 * a2 + 184) < 1 || *(this[1] + 436 * a2 + 184) > 6 )
return 0;
if ( *(this[1] + 436 * a2 + 188) < 1 || *(this[1] + 436 * a2 + 188) > 32 )
return 0;
if ( *(this[1] + 436 * a2 + 192) < 1 || *(this[1] + 436 * a2 + 192) > 10000 )
return 0;
if ( *(this[1] + 436 * a2 + 196) < 0 || *(this[1] + 436 * a2 + 196) > 10000 )
return 0;
if ( *(this[1] + 436 * a2 + 200) < 0 || *(this[1] + 436 * a2 + 200) > 10000 )
return 0;
if ( *(this[1] + 436 * a2 + 204) < 1 || *(this[1] + 436 * a2 + 204) > 145 )
return 0;
if ( *(this[1] + 436 * a2 + 208) < 0 || *(this[1] + 436 * a2 + 208) > 12 )
return 0;
if ( *(this[1] + 436 * a2 + 212) < 1 || *(this[1] + 436 * a2 + 212) > 4 )
return 0;
if ( *(this[1] + 436 * a2 + 216) < 1 || *(this[1] + 436 * a2 + 216) > 14 )
return 0;
if ( *(this[1] + 436 * a2 + 220) < 1 || *(this[1] + 436 * a2 + 220) > 2000000000 )
return 0;
if ( *(this[1] + 436 * a2 + 224) < 0 || *(this[1] + 436 * a2 + 224) > 2000000000 )
return 0;
if ( *(this[1] + 436 * a2 + 228) < 0 || *(this[1] + 436 * a2 + 228) > 2000000000 )
return 0;
if ( *(this[1] + 436 * a2 + 232) < 1 || *(this[1] + 436 * a2 + 232) > 145 )
return 0;
if ( *(this[1] + 436 * a2 + 236) < 0 || *(this[1] + 436 * a2 + 236) > 12 )
return 0;
// Offsets 240 .. 280: eleven fields that only accept 1 or 2.
if ( *(this[1] + 436 * a2 + 240) < 1 || *(this[1] + 436 * a2 + 240) > 2 )
return 0;
if ( *(this[1] + 436 * a2 + 244) < 1 || *(this[1] + 436 * a2 + 244) > 2 )
return 0;
if ( *(this[1] + 436 * a2 + 248) < 1 || *(this[1] + 436 * a2 + 248) > 2 )
return 0;
if ( *(this[1] + 436 * a2 + 252) < 1 || *(this[1] + 436 * a2 + 252) > 2 )
return 0;
if ( *(this[1] + 436 * a2 + 256) < 1 || *(this[1] + 436 * a2 + 256) > 2 )
return 0;
if ( *(this[1] + 436 * a2 + 260) < 1 || *(this[1] + 436 * a2 + 260) > 2 )
return 0;
if ( *(this[1] + 436 * a2 + 264) < 1 || *(this[1] + 436 * a2 + 264) > 2 )
return 0;
if ( *(this[1] + 436 * a2 + 268) < 1 || *(this[1] + 436 * a2 + 268) > 2 )
return 0;
if ( *(this[1] + 436 * a2 + 272) < 1 || *(this[1] + 436 * a2 + 272) > 2 )
return 0;
if ( *(this[1] + 436 * a2 + 276) < 1 || *(this[1] + 436 * a2 + 276) > 2 )
return 0;
if ( *(this[1] + 436 * a2 + 280) < 1 || *(this[1] + 436 * a2 + 280) > 2 )
return 0;
if ( *(this[1] + 436 * a2 + 284) < 1 || *(this[1] + 436 * a2 + 284) > 3 )
return 0;
if ( *(this[1] + 436 * a2 + 288) < 0 || *(this[1] + 436 * a2 + 288) > 365 )
return 0;
if ( *(this[1] + 436 * a2 + 292) < 0 || *(this[1] + 436 * a2 + 292) > 10000 )
return 0;
if ( *(this[1] + 436 * a2 + 296) < 0 || *(this[1] + 436 * a2 + 296) > 10000 )
return 0;
if ( *(this[1] + 436 * a2 + 300) < 0 || *(this[1] + 436 * a2 + 300) > 10000 )
return 0;
if ( *(this[1] + 436 * a2 + 304) < 0 || *(this[1] + 436 * a2 + 304) > 10000 )
return 0;
if ( *(this[1] + 436 * a2 + 308) < 0 || *(this[1] + 436 * a2 + 308) > 10000 )
return 0;
if ( *(this[1] + 436 * a2 + 312) < 0 || *(this[1] + 436 * a2 + 312) > 20000 )
return 0;
if ( *(this[1] + 436 * a2 + 316) < 0 || *(this[1] + 436 * a2 + 316) > 10000 )
return 0;
if ( *(this[1] + 436 * a2 + 320) < 0 || *(this[1] + 436 * a2 + 320) > 20000 )
return 0;
if ( *(this[1] + 436 * a2 + 324) < 0 || *(this[1] + 436 * a2 + 324) > 10000 )
return 0;
if ( *(this[1] + 436 * a2 + 328) < 0 || *(this[1] + 436 * a2 + 328) > 10000 )
return 0;
if ( *(this[1] + 436 * a2 + 332) < 0 || *(this[1] + 436 * a2 + 332) > 10000 )
return 0;
if ( *(this[1] + 436 * a2 + 336) < 0 || *(this[1] + 436 * a2 + 336) > 100 )
return 0;
if ( *(this[1] + 436 * a2 + 340) < 0 || *(this[1] + 436 * a2 + 340) > 16 )
return 0;
if ( *(this[1] + 436 * a2 + 344) < 0 || *(this[1] + 436 * a2 + 344) > 10000 )
return 0;
// Cross-field rule: when the field at +340 is 9, the field at +344 is narrowed to 1..3.
if ( *(this[1] + 436 * a2 + 340) == 9 && (*(this[1] + 436 * a2 + 344) < 1 || *(this[1] + 436 * a2 + 344) > 3) )
return 0;
if ( *(this[1] + 436 * a2 + 348) < 0 || *(this[1] + 436 * a2 + 348) > 300 )
return 0;
if ( *(this[1] + 436 * a2 + 352) < 0 || *(this[1] + 436 * a2 + 352) > 100 )
return 0;
if ( *(this[1] + 436 * a2 + 356) < 0 || *(this[1] + 436 * a2 + 356) > 1000 )
return 0;
if ( *(this[1] + 436 * a2 + 360) < 0 || *(this[1] + 436 * a2 + 360) > 100 )
return 0;
if ( *(this[1] + 436 * a2 + 364) < 0 || *(this[1] + 436 * a2 + 364) > 100 )
return 0;
if ( *(this[1] + 436 * a2 + 368) < 0 || *(this[1] + 436 * a2 + 368) > 100 )
return 0;
// Offset 372: eight pairs, 8 bytes per pair; first member 0..300, second member 0..100.
for ( l = 0; l < 8; ++l )
{
if ( *(this[1] + 436 * a2 + 8 * l + 372) < 0 || *(this[1] + 436 * a2 + 8 * l + 372) > 300 )
return 0;
if ( *(this[1] + 436 * a2 + 8 * l + 376) < 0 || *(this[1] + 436 * a2 + 8 * l + 376) > 100 )
return 0;
}
return 1;
}
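// Loads the item table from 005_00002.IMG into mDATA / mDataNum.
//
// File layout as read below: DWORD decompressed size, DWORD compressed size,
// then the compressed payload. The decompressed buffer starts with a 4-byte
// record count XORed with 0x1CB3; the 436-byte records start at offset 67.
//
// Returns 1 when the file was read, decompressed and every record passed
// CheckValidElement; returns 0 on any failure.
//
// Both size fields come straight from the file and are therefore untrusted.
// The decompressed size is checked before anything is read out of tOriginal,
// and the temporary buffers are released on every exit path.
BOOL CITEM::Init()
{
    BOOL result = 0;
    BOOL tFileOpen = 0;
    DWORD nReadBytes = 0;
    ITEM_INFO *tDATA = nullptr;
    HANDLE hFile;
    int index01;
    int tNumWithXOR = 0;
    int tDataNum = 0;
    const int tOffset = 67;          // records start 67 bytes into the decompressed buffer
    BYTE *tCompress = nullptr;
    BYTE *tOriginal = nullptr;
    DWORD tCompressSize = 0;
    DWORD tOriginalSize = 0;

    // 0x80000000 = GENERIC_READ, 1 = FILE_SHARE_READ, 3 = OPEN_EXISTING,
    // 0x80 = FILE_ATTRIBUTE_NORMAL.
    if ( mLanguage == 1 )
        hFile = CreateFileA("G03_GDATA\\D01_GIMAGE2D\\005\\TR\\005_00002.IMG", 0x80000000, 1u, 0, 3u, 0x80u, 0);
    else
        hFile = CreateFileA("G03_GDATA\\D01_GIMAGE2D\\005\\005_00002.IMG", 0x80000000, 1u, 0, 3u, 0x80u, 0);
    if ( hFile == INVALID_HANDLE_VALUE )
        return 0;
    tFileOpen = 1;

    // Single-pass block: every failure breaks out to the shared cleanup below.
    do
    {
        if ( !ReadFile(hFile, &tOriginalSize, 4, &nReadBytes, 0) || nReadBytes != 4 )
            break;
        tOriginal = static_cast<BYTE *>(GlobalAlloc(0, tOriginalSize));
        if ( !tOriginal )
            break;

        if ( !ReadFile(hFile, &tCompressSize, 4, &nReadBytes, 0) || nReadBytes != 4 )
            break;
        tCompress = static_cast<BYTE *>(GlobalAlloc(0, tCompressSize));
        if ( !tCompress )
            break;
        if ( !ReadFile(hFile, tCompress, tCompressSize, &nReadBytes, 0) || nReadBytes != tCompressSize )
            break;

        // The file is no longer needed once the payload is in memory.
        tFileOpen = 0;
        if ( !CloseHandle(hFile) )
            break;

        // NOTE(review): Decompress is assumed to write at most tOriginalSize
        // bytes into tOriginal - confirm against CUTIL::Decompress.
        if ( !CUTIL::Decompress(tCompressSize, tCompress, tOriginalSize, tOriginal) )
            break;

        // The count occupies the first 4 bytes; refuse buffers too small to hold it.
        if ( tOriginalSize < 4 )
            break;
        CopyMemory(&tNumWithXOR, tOriginal, 4);
        tDataNum = tNumWithXOR ^ 0x1CB3;
        if ( tDataNum != 99999 )
            break;

        // The copy below reads 436 * tDataNum bytes starting at tOffset; make
        // sure the decompressed buffer really is that large before touching it.
        const DWORD tNeeded = static_cast<DWORD>(tOffset) + static_cast<DWORD>(436 * tDataNum);
        if ( tOriginalSize < tNeeded )
            break;

        tDATA = static_cast<ITEM_INFO *>(GlobalAlloc(0, 43599564));   // 43599564 == 436 * 99999
        if ( !tDATA )
            break;
        CopyMemory(tDATA, &tOriginal[tOffset], 436 * tDataNum);

        // As in the original, the table is published before validation and
        // stays assigned to mDATA even when a record is rejected.
        mDataNum = tDataNum;
        mDATA = tDATA;
        result = 1;
        for ( index01 = 0; index01 < mDataNum; index01++ )
        {
            if ( !CITEM::CheckValidElement(index01) )
            {
                result = 0;
                break;
            }
        }
    }
    while ( 0 );

    if ( tFileOpen )
        CloseHandle(hFile);
    if ( tCompress )
        GlobalFree(tCompress);
    if ( tOriginal )
        GlobalFree(tOriginal);
    return result;
}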
How can I dump the exe? Can you help me?
Quote:
Use IDA to find the correct structure
Example:
If the exe is packed, you will need to dump the process before loading it into IDA.
IDA menu > Search > Sequence of bytes > "005_00002.IMG" > OK > double click result >
right click result name ex: "aG03GdataD01Gim_0" > List cross references to > OK (go to function)
Code:BOOL CITEM::CheckValidElement(int a2) { int i; // [esp+4h] [ebp-8h] int j; // [esp+4h] [ebp-8h] int l; // [esp+4h] [ebp-8h] int k; // [esp+8h] [ebp-4h] if ( !*(436 * a2 + this[1]) ) return 1; if ( *(436 * a2 + this[1]) < 1 || *(436 * a2 + this[1]) > 99999 ) return 0; if ( *(436 * a2 + this[1]) != a2 + 1 ) return 0; for ( i = 0; i < 25 && *(436 * a2 + this[1] + i + 4); ++i ) { ; } if ( i == 25 ) return 0; for ( j = 0; j < 3; ++j ) { for ( k = 0; k < 51 && *(51 * j + k + 436 * a2 + this[1] + 29); ++k ) { ; } if ( k == 51 ) return 0; } if ( *(this[1] + 436 * a2 + 184) < 1 || *(this[1] + 436 * a2 + 184) > 6 ) return 0; if ( *(this[1] + 436 * a2 + 188) < 1 || *(this[1] + 436 * a2 + 188) > 32 ) return 0; if ( *(this[1] + 436 * a2 + 192) < 1 || *(this[1] + 436 * a2 + 192) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 196) < 0 || *(this[1] + 436 * a2 + 196) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 200) < 0 || *(this[1] + 436 * a2 + 200) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 204) < 1 || *(this[1] + 436 * a2 + 204) > 145 ) return 0; if ( *(this[1] + 436 * a2 + 208) < 0 || *(this[1] + 436 * a2 + 208) > 12 ) return 0; if ( *(this[1] + 436 * a2 + 212) < 1 || *(this[1] + 436 * a2 + 212) > 4 ) return 0; if ( *(this[1] + 436 * a2 + 216) < 1 || *(this[1] + 436 * a2 + 216) > 14 ) return 0; if ( *(this[1] + 436 * a2 + 220) < 1 || *(this[1] + 436 * a2 + 220) > 2000000000 ) return 0; if ( *(this[1] + 436 * a2 + 224) < 0 || *(this[1] + 436 * a2 + 224) > 2000000000 ) return 0; if ( *(this[1] + 436 * a2 + 228) < 0 || *(this[1] + 436 * a2 + 228) > 2000000000 ) return 0; if ( *(this[1] + 436 * a2 + 232) < 1 || *(this[1] + 436 * a2 + 232) > 145 ) return 0; if ( *(this[1] + 436 * a2 + 236) < 0 || *(this[1] + 436 * a2 + 236) > 12 ) return 0; if ( *(this[1] + 436 * a2 + 240) < 1 || *(this[1] + 436 * a2 + 240) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 244) < 1 || *(this[1] + 436 * a2 + 244) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 248) < 1 || *(this[1] + 436 * a2 + 
248) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 252) < 1 || *(this[1] + 436 * a2 + 252) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 256) < 1 || *(this[1] + 436 * a2 + 256) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 260) < 1 || *(this[1] + 436 * a2 + 260) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 264) < 1 || *(this[1] + 436 * a2 + 264) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 268) < 1 || *(this[1] + 436 * a2 + 268) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 272) < 1 || *(this[1] + 436 * a2 + 272) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 276) < 1 || *(this[1] + 436 * a2 + 276) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 280) < 1 || *(this[1] + 436 * a2 + 280) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 284) < 1 || *(this[1] + 436 * a2 + 284) > 3 ) return 0; if ( *(this[1] + 436 * a2 + 288) < 0 || *(this[1] + 436 * a2 + 288) > 365 ) return 0; if ( *(this[1] + 436 * a2 + 292) < 0 || *(this[1] + 436 * a2 + 292) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 296) < 0 || *(this[1] + 436 * a2 + 296) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 300) < 0 || *(this[1] + 436 * a2 + 300) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 304) < 0 || *(this[1] + 436 * a2 + 304) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 308) < 0 || *(this[1] + 436 * a2 + 308) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 312) < 0 || *(this[1] + 436 * a2 + 312) > 20000 ) return 0; if ( *(this[1] + 436 * a2 + 316) < 0 || *(this[1] + 436 * a2 + 316) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 320) < 0 || *(this[1] + 436 * a2 + 320) > 20000 ) return 0; if ( *(this[1] + 436 * a2 + 324) < 0 || *(this[1] + 436 * a2 + 324) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 328) < 0 || *(this[1] + 436 * a2 + 328) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 332) < 0 || *(this[1] + 436 * a2 + 332) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 336) < 0 || *(this[1] + 436 * a2 + 336) > 100 ) return 0; if ( *(this[1] + 436 * a2 + 340) < 0 || *(this[1] + 436 * a2 + 340) > 16 ) return 
0; if ( *(this[1] + 436 * a2 + 344) < 0 || *(this[1] + 436 * a2 + 344) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 340) == 9 && (*(this[1] + 436 * a2 + 344) < 1 || *(this[1] + 436 * a2 + 344) > 3) ) return 0; if ( *(this[1] + 436 * a2 + 348) < 0 || *(this[1] + 436 * a2 + 348) > 300 ) return 0; if ( *(this[1] + 436 * a2 + 352) < 0 || *(this[1] + 436 * a2 + 352) > 100 ) return 0; if ( *(this[1] + 436 * a2 + 356) < 0 || *(this[1] + 436 * a2 + 356) > 1000 ) return 0; if ( *(this[1] + 436 * a2 + 360) < 0 || *(this[1] + 436 * a2 + 360) > 100 ) return 0; if ( *(this[1] + 436 * a2 + 364) < 0 || *(this[1] + 436 * a2 + 364) > 100 ) return 0; if ( *(this[1] + 436 * a2 + 368) < 0 || *(this[1] + 436 * a2 + 368) > 100 ) return 0; for ( l = 0; l < 8; ++l ) { if ( *(this[1] + 436 * a2 + 8 * l + 372) < 0 || *(this[1] + 436 * a2 + 8 * l + 372) > 300 ) return 0; if ( *(this[1] + 436 * a2 + 8 * l + 376) < 0 || *(this[1] + 436 * a2 + 8 * l + 376) > 100 ) return 0; } return 1; } BOOL CITEM::Init() { BOOL result; DWORD nReadBytes; ITEM_INFO *tDATA; HANDLE hFile; int index01; int tNumWithXOR; int tDataNum; int tOffset; BYTE *tCompress; BYTE *tOriginal; DWORD tCompressSize; DWORD tOriginalSize; if ( mLanguage == 1 ) hFile = CreateFileA("G03_GDATA\\D01_GIMAGE2D\\005\\TR\\005_00002.IMG", 0x80000000, 1u, 0, 3u, 0x80u, 0); else hFile = CreateFileA("G03_GDATA\\D01_GIMAGE2D\\005\\005_00002.IMG", 0x80000000, 1u, 0, 3u, 0x80u, 0); if ( hFile == INVALID_HANDLE_VALUE) return 0; if ( ReadFile(hFile, &tOriginalSize, 4, &nReadBytes, 0) && nReadBytes == 4 ) { tOriginal = GlobalAlloc(0, tOriginalSize); if ( tOriginal && ReadFile(hFile, &tCompressSize, 4, &nReadBytes, 0) && nReadBytes == 4 ) { tCompress = GlobalAlloc(0, tCompressSize); if ( tCompress && ReadFile(hFile, tCompress, tCompressSize, &nReadBytes, 0) && nReadBytes == tCompressSize ) { if ( CloseHandle(hFile) ) { if ( CUTIL::Decompress(tCompressSize, tCompress, tOriginalSize, tOriginal) ) { tNumWithXOR = 0; tOffset = 0; 
CopyMemory(&tNumWithXOR, tOriginal, 4); tDataNum = tNumWithXOR ^ 0x1CB3; tOffset = 67; if ( (tNumWithXOR ^ 0x1CB3) == 99999 ) { tDATA = GlobalAlloc(0, 43599564); if ( tDATA ) { CopyMemory(tDATA, &tOriginal[tOffset], 436 * tDataNum); GlobalFree(tCompress); GlobalFree(tOriginal); mDataNum = tDataNum; mDATA = tDATA; for ( index01 = 0; index01 < mDataNum; index01++ ) { if ( !CITEM::CheckValidElement(index01) ) return 0; } result = 1; } else { result = 0; } } else { result = 0; } } else { result = 0; } } else { result = 0; } } else { CloseHandle(hFile); result = 0; } } else { CloseHandle(hFile); result = 0; } } else { CloseHandle(hFile); result = 0; } return result; }
Thanks for all,if you have ida pro download link, would you please share to me.Quote:
Quote:
Use IDA to find the correct structure
Example:
an exe is packed, you will need to dump process before load into IDA
IDA menu > Search > Sequence of bytes > "005_00002.IMG" > OK > double click result >
right click result name ex: "aG03GdataD01Gim_0" > List cross references to > OK (go to function)
Code:BOOL CITEM::CheckValidElement(int a2) { int i; // [esp+4h] [ebp-8h] int j; // [esp+4h] [ebp-8h] int l; // [esp+4h] [ebp-8h] int k; // [esp+8h] [ebp-4h] if ( !*(436 * a2 + this[1]) ) return 1; if ( *(436 * a2 + this[1]) < 1 || *(436 * a2 + this[1]) > 99999 ) return 0; if ( *(436 * a2 + this[1]) != a2 + 1 ) return 0; for ( i = 0; i < 25 && *(436 * a2 + this[1] + i + 4); ++i ) { ; } if ( i == 25 ) return 0; for ( j = 0; j < 3; ++j ) { for ( k = 0; k < 51 && *(51 * j + k + 436 * a2 + this[1] + 29); ++k ) { ; } if ( k == 51 ) return 0; } if ( *(this[1] + 436 * a2 + 184) < 1 || *(this[1] + 436 * a2 + 184) > 6 ) return 0; if ( *(this[1] + 436 * a2 + 188) < 1 || *(this[1] + 436 * a2 + 188) > 32 ) return 0; if ( *(this[1] + 436 * a2 + 192) < 1 || *(this[1] + 436 * a2 + 192) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 196) < 0 || *(this[1] + 436 * a2 + 196) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 200) < 0 || *(this[1] + 436 * a2 + 200) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 204) < 1 || *(this[1] + 436 * a2 + 204) > 145 ) return 0; if ( *(this[1] + 436 * a2 + 208) < 0 || *(this[1] + 436 * a2 + 208) > 12 ) return 0; if ( *(this[1] + 436 * a2 + 212) < 1 || *(this[1] + 436 * a2 + 212) > 4 ) return 0; if ( *(this[1] + 436 * a2 + 216) < 1 || *(this[1] + 436 * a2 + 216) > 14 ) return 0; if ( *(this[1] + 436 * a2 + 220) < 1 || *(this[1] + 436 * a2 + 220) > 2000000000 ) return 0; if ( *(this[1] + 436 * a2 + 224) < 0 || *(this[1] + 436 * a2 + 224) > 2000000000 ) return 0; if ( *(this[1] + 436 * a2 + 228) < 0 || *(this[1] + 436 * a2 + 228) > 2000000000 ) return 0; if ( *(this[1] + 436 * a2 + 232) < 1 || *(this[1] + 436 * a2 + 232) > 145 ) return 0; if ( *(this[1] + 436 * a2 + 236) < 0 || *(this[1] + 436 * a2 + 236) > 12 ) return 0; if ( *(this[1] + 436 * a2 + 240) < 1 || *(this[1] + 436 * a2 + 240) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 244) < 1 || *(this[1] + 436 * a2 + 244) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 248) < 1 || *(this[1] + 436 * a2 + 
248) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 252) < 1 || *(this[1] + 436 * a2 + 252) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 256) < 1 || *(this[1] + 436 * a2 + 256) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 260) < 1 || *(this[1] + 436 * a2 + 260) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 264) < 1 || *(this[1] + 436 * a2 + 264) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 268) < 1 || *(this[1] + 436 * a2 + 268) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 272) < 1 || *(this[1] + 436 * a2 + 272) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 276) < 1 || *(this[1] + 436 * a2 + 276) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 280) < 1 || *(this[1] + 436 * a2 + 280) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 284) < 1 || *(this[1] + 436 * a2 + 284) > 3 ) return 0; if ( *(this[1] + 436 * a2 + 288) < 0 || *(this[1] + 436 * a2 + 288) > 365 ) return 0; if ( *(this[1] + 436 * a2 + 292) < 0 || *(this[1] + 436 * a2 + 292) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 296) < 0 || *(this[1] + 436 * a2 + 296) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 300) < 0 || *(this[1] + 436 * a2 + 300) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 304) < 0 || *(this[1] + 436 * a2 + 304) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 308) < 0 || *(this[1] + 436 * a2 + 308) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 312) < 0 || *(this[1] + 436 * a2 + 312) > 20000 ) return 0; if ( *(this[1] + 436 * a2 + 316) < 0 || *(this[1] + 436 * a2 + 316) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 320) < 0 || *(this[1] + 436 * a2 + 320) > 20000 ) return 0; if ( *(this[1] + 436 * a2 + 324) < 0 || *(this[1] + 436 * a2 + 324) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 328) < 0 || *(this[1] + 436 * a2 + 328) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 332) < 0 || *(this[1] + 436 * a2 + 332) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 336) < 0 || *(this[1] + 436 * a2 + 336) > 100 ) return 0; if ( *(this[1] + 436 * a2 + 340) < 0 || *(this[1] + 436 * a2 + 340) > 16 ) return 
0; if ( *(this[1] + 436 * a2 + 344) < 0 || *(this[1] + 436 * a2 + 344) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 340) == 9 && (*(this[1] + 436 * a2 + 344) < 1 || *(this[1] + 436 * a2 + 344) > 3) ) return 0; if ( *(this[1] + 436 * a2 + 348) < 0 || *(this[1] + 436 * a2 + 348) > 300 ) return 0; if ( *(this[1] + 436 * a2 + 352) < 0 || *(this[1] + 436 * a2 + 352) > 100 ) return 0; if ( *(this[1] + 436 * a2 + 356) < 0 || *(this[1] + 436 * a2 + 356) > 1000 ) return 0; if ( *(this[1] + 436 * a2 + 360) < 0 || *(this[1] + 436 * a2 + 360) > 100 ) return 0; if ( *(this[1] + 436 * a2 + 364) < 0 || *(this[1] + 436 * a2 + 364) > 100 ) return 0; if ( *(this[1] + 436 * a2 + 368) < 0 || *(this[1] + 436 * a2 + 368) > 100 ) return 0; for ( l = 0; l < 8; ++l ) { if ( *(this[1] + 436 * a2 + 8 * l + 372) < 0 || *(this[1] + 436 * a2 + 8 * l + 372) > 300 ) return 0; if ( *(this[1] + 436 * a2 + 8 * l + 376) < 0 || *(this[1] + 436 * a2 + 8 * l + 376) > 100 ) return 0; } return 1; } BOOL CITEM::Init() { BOOL result; DWORD nReadBytes; ITEM_INFO *tDATA; HANDLE hFile; int index01; int tNumWithXOR; int tDataNum; int tOffset; BYTE *tCompress; BYTE *tOriginal; DWORD tCompressSize; DWORD tOriginalSize; if ( mLanguage == 1 ) hFile = CreateFileA("G03_GDATA\\D01_GIMAGE2D\\005\\TR\\005_00002.IMG", 0x80000000, 1u, 0, 3u, 0x80u, 0); else hFile = CreateFileA("G03_GDATA\\D01_GIMAGE2D\\005\\005_00002.IMG", 0x80000000, 1u, 0, 3u, 0x80u, 0); if ( hFile == INVALID_HANDLE_VALUE) return 0; if ( ReadFile(hFile, &tOriginalSize, 4, &nReadBytes, 0) && nReadBytes == 4 ) { tOriginal = GlobalAlloc(0, tOriginalSize); if ( tOriginal && ReadFile(hFile, &tCompressSize, 4, &nReadBytes, 0) && nReadBytes == 4 ) { tCompress = GlobalAlloc(0, tCompressSize); if ( tCompress && ReadFile(hFile, tCompress, tCompressSize, &nReadBytes, 0) && nReadBytes == tCompressSize ) { if ( CloseHandle(hFile) ) { if ( CUTIL::Decompress(tCompressSize, tCompress, tOriginalSize, tOriginal) ) { tNumWithXOR = 0; tOffset = 0; 
CopyMemory(&tNumWithXOR, tOriginal, 4); tDataNum = tNumWithXOR ^ 0x1CB3; tOffset = 67; if ( (tNumWithXOR ^ 0x1CB3) == 99999 ) { tDATA = GlobalAlloc(0, 43599564); if ( tDATA ) { CopyMemory(tDATA, &tOriginal[tOffset], 436 * tDataNum); GlobalFree(tCompress); GlobalFree(tOriginal); mDataNum = tDataNum; mDATA = tDATA; for ( index01 = 0; index01 < mDataNum; index01++ ) { if ( !CITEM::CheckValidElement(index01) ) return 0; } result = 1; } else { result = 0; } } else { result = 0; } } else { result = 0; } } else { result = 0; } } else { CloseHandle(hFile); result = 0; } } else { CloseHandle(hFile); result = 0; } } else { CloseHandle(hFile); result = 0; } return result; }
Quote:
Use IDA to find the correct structure
Example:
an exe is packed, you will need to dump process before load into IDA
IDA menu > Search > Sequence of bytes > "005_00002.IMG" > OK > double click result >
right click result name ex: "aG03GdataD01Gim_0" > List cross references to > OK (go to function)
Code:BOOL CITEM::CheckValidElement(int a2) { int i; // [esp+4h] [ebp-8h] int j; // [esp+4h] [ebp-8h] int l; // [esp+4h] [ebp-8h] int k; // [esp+8h] [ebp-4h] if ( !*(436 * a2 + this[1]) ) return 1; if ( *(436 * a2 + this[1]) < 1 || *(436 * a2 + this[1]) > 99999 ) return 0; if ( *(436 * a2 + this[1]) != a2 + 1 ) return 0; for ( i = 0; i < 25 && *(436 * a2 + this[1] + i + 4); ++i ) { ; } if ( i == 25 ) return 0; for ( j = 0; j < 3; ++j ) { for ( k = 0; k < 51 && *(51 * j + k + 436 * a2 + this[1] + 29); ++k ) { ; } if ( k == 51 ) return 0; } if ( *(this[1] + 436 * a2 + 184) < 1 || *(this[1] + 436 * a2 + 184) > 6 ) return 0; if ( *(this[1] + 436 * a2 + 188) < 1 || *(this[1] + 436 * a2 + 188) > 32 ) return 0; if ( *(this[1] + 436 * a2 + 192) < 1 || *(this[1] + 436 * a2 + 192) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 196) < 0 || *(this[1] + 436 * a2 + 196) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 200) < 0 || *(this[1] + 436 * a2 + 200) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 204) < 1 || *(this[1] + 436 * a2 + 204) > 145 ) return 0; if ( *(this[1] + 436 * a2 + 208) < 0 || *(this[1] + 436 * a2 + 208) > 12 ) return 0; if ( *(this[1] + 436 * a2 + 212) < 1 || *(this[1] + 436 * a2 + 212) > 4 ) return 0; if ( *(this[1] + 436 * a2 + 216) < 1 || *(this[1] + 436 * a2 + 216) > 14 ) return 0; if ( *(this[1] + 436 * a2 + 220) < 1 || *(this[1] + 436 * a2 + 220) > 2000000000 ) return 0; if ( *(this[1] + 436 * a2 + 224) < 0 || *(this[1] + 436 * a2 + 224) > 2000000000 ) return 0; if ( *(this[1] + 436 * a2 + 228) < 0 || *(this[1] + 436 * a2 + 228) > 2000000000 ) return 0; if ( *(this[1] + 436 * a2 + 232) < 1 || *(this[1] + 436 * a2 + 232) > 145 ) return 0; if ( *(this[1] + 436 * a2 + 236) < 0 || *(this[1] + 436 * a2 + 236) > 12 ) return 0; if ( *(this[1] + 436 * a2 + 240) < 1 || *(this[1] + 436 * a2 + 240) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 244) < 1 || *(this[1] + 436 * a2 + 244) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 248) < 1 || *(this[1] + 436 * a2 + 
248) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 252) < 1 || *(this[1] + 436 * a2 + 252) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 256) < 1 || *(this[1] + 436 * a2 + 256) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 260) < 1 || *(this[1] + 436 * a2 + 260) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 264) < 1 || *(this[1] + 436 * a2 + 264) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 268) < 1 || *(this[1] + 436 * a2 + 268) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 272) < 1 || *(this[1] + 436 * a2 + 272) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 276) < 1 || *(this[1] + 436 * a2 + 276) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 280) < 1 || *(this[1] + 436 * a2 + 280) > 2 ) return 0; if ( *(this[1] + 436 * a2 + 284) < 1 || *(this[1] + 436 * a2 + 284) > 3 ) return 0; if ( *(this[1] + 436 * a2 + 288) < 0 || *(this[1] + 436 * a2 + 288) > 365 ) return 0; if ( *(this[1] + 436 * a2 + 292) < 0 || *(this[1] + 436 * a2 + 292) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 296) < 0 || *(this[1] + 436 * a2 + 296) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 300) < 0 || *(this[1] + 436 * a2 + 300) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 304) < 0 || *(this[1] + 436 * a2 + 304) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 308) < 0 || *(this[1] + 436 * a2 + 308) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 312) < 0 || *(this[1] + 436 * a2 + 312) > 20000 ) return 0; if ( *(this[1] + 436 * a2 + 316) < 0 || *(this[1] + 436 * a2 + 316) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 320) < 0 || *(this[1] + 436 * a2 + 320) > 20000 ) return 0; if ( *(this[1] + 436 * a2 + 324) < 0 || *(this[1] + 436 * a2 + 324) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 328) < 0 || *(this[1] + 436 * a2 + 328) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 332) < 0 || *(this[1] + 436 * a2 + 332) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 336) < 0 || *(this[1] + 436 * a2 + 336) > 100 ) return 0; if ( *(this[1] + 436 * a2 + 340) < 0 || *(this[1] + 436 * a2 + 340) > 16 ) return 
0; if ( *(this[1] + 436 * a2 + 344) < 0 || *(this[1] + 436 * a2 + 344) > 10000 ) return 0; if ( *(this[1] + 436 * a2 + 340) == 9 && (*(this[1] + 436 * a2 + 344) < 1 || *(this[1] + 436 * a2 + 344) > 3) ) return 0; if ( *(this[1] + 436 * a2 + 348) < 0 || *(this[1] + 436 * a2 + 348) > 300 ) return 0; if ( *(this[1] + 436 * a2 + 352) < 0 || *(this[1] + 436 * a2 + 352) > 100 ) return 0; if ( *(this[1] + 436 * a2 + 356) < 0 || *(this[1] + 436 * a2 + 356) > 1000 ) return 0; if ( *(this[1] + 436 * a2 + 360) < 0 || *(this[1] + 436 * a2 + 360) > 100 ) return 0; if ( *(this[1] + 436 * a2 + 364) < 0 || *(this[1] + 436 * a2 + 364) > 100 ) return 0; if ( *(this[1] + 436 * a2 + 368) < 0 || *(this[1] + 436 * a2 + 368) > 100 ) return 0; for ( l = 0; l < 8; ++l ) { if ( *(this[1] + 436 * a2 + 8 * l + 372) < 0 || *(this[1] + 436 * a2 + 8 * l + 372) > 300 ) return 0; if ( *(this[1] + 436 * a2 + 8 * l + 376) < 0 || *(this[1] + 436 * a2 + 8 * l + 376) > 100 ) return 0; } return 1; } BOOL CITEM::Init() { BOOL result; DWORD nReadBytes; ITEM_INFO *tDATA; HANDLE hFile; int index01; int tNumWithXOR; int tDataNum; int tOffset; BYTE *tCompress; BYTE *tOriginal; DWORD tCompressSize; DWORD tOriginalSize; if ( mLanguage == 1 ) hFile = CreateFileA("G03_GDATA\\D01_GIMAGE2D\\005\\TR\\005_00002.IMG", 0x80000000, 1u, 0, 3u, 0x80u, 0); else hFile = CreateFileA("G03_GDATA\\D01_GIMAGE2D\\005\\005_00002.IMG", 0x80000000, 1u, 0, 3u, 0x80u, 0); if ( hFile == INVALID_HANDLE_VALUE) return 0; if ( ReadFile(hFile, &tOriginalSize, 4, &nReadBytes, 0) && nReadBytes == 4 ) { tOriginal = GlobalAlloc(0, tOriginalSize); if ( tOriginal && ReadFile(hFile, &tCompressSize, 4, &nReadBytes, 0) && nReadBytes == 4 ) { tCompress = GlobalAlloc(0, tCompressSize); if ( tCompress && ReadFile(hFile, tCompress, tCompressSize, &nReadBytes, 0) && nReadBytes == tCompressSize ) { if ( CloseHandle(hFile) ) { if ( CUTIL::Decompress(tCompressSize, tCompress, tOriginalSize, tOriginal) ) { tNumWithXOR = 0; tOffset = 0; 
CopyMemory(&tNumWithXOR, tOriginal, 4); tDataNum = tNumWithXOR ^ 0x1CB3; tOffset = 67; if ( (tNumWithXOR ^ 0x1CB3) == 99999 ) { tDATA = GlobalAlloc(0, 43599564); if ( tDATA ) { CopyMemory(tDATA, &tOriginal[tOffset], 436 * tDataNum); GlobalFree(tCompress); GlobalFree(tOriginal); mDataNum = tDataNum; mDATA = tDATA; for ( index01 = 0; index01 < mDataNum; index01++ ) { if ( !CITEM::CheckValidElement(index01) ) return 0; } result = 1; } else { result = 0; } } else { result = 0; } } else { result = 0; } } else { result = 0; } } else { CloseHandle(hFile); result = 0; } } else { CloseHandle(hFile); result = 0; } } else { CloseHandle(hFile); result = 0; } return result; }