I have recently been poking around KAMIPANI-related things; that engine is used by Front Wing/Etude/Clochette. PEiD identifies it as compiled with Borland Delphi 6.0 - 7.0. I traced its font-creation code and found some peculiar things.
Fonts are created with CreateFontIndirect, and there are recorded calls to EnumFontFamiliesEx.
Look at this.
kamipani_trial.exe:
0042CBEC mov edx,kamipani.0042CCC0 ; ASCII "Default"
0042CBF1 call kamipani.0040AE84
0042CBF6 test eax,eax
0042CBF8 jnz short kamipani.0042CC14
0042CBFA lea eax,dword ptr ss:[ebp-48]
0042CBFD mov edx,kamipani.00527EA3 ; ASCII 0D,"MS Sans Serif"
0042CC02 call kamipani.00404D88
0042CC07 mov edx,dword ptr ss:[ebp-48]
0042CC0A lea eax,dword ptr ss:[ebp-24]
0042CC0D call kamipani.0040B8AC
0042CC12 jmp short kamipani.0042CC2D
0042CC14 lea eax,dword ptr ss:[ebp-4C]
0042CC17 mov edx,dword ptr ss:[ebp-4]
0042CC1A add edx,1B
0042CC1D call kamipani.00404D88
0042CC22 mov edx,dword ptr ss:[ebp-4C]
0042CC25 lea eax,dword ptr ss:[ebp-24]
0042CC28 call kamipani.0040B8AC
0042CC2D mov byte ptr ss:[ebp-26],0
0042CC31 mov byte ptr ss:[ebp-28],0
0042CC35 mov byte ptr ss:[ebp-27],0
0042CC39 mov eax,ebx
0042CC3B call kamipani.0042CE04
0042CC40 dec al ; Switch (cases 1..2)
0042CC42 je short kamipani.0042CC4A
0042CC44 dec al
0042CC46 je short kamipani.0042CC50
0042CC48 jmp short kamipani.0042CC56
0042CC4A mov byte ptr ss:[ebp-25],2 ; Case 1 of switch 0042CC40
0042CC4E jmp short kamipani.0042CC5A
0042CC50 mov byte ptr ss:[ebp-25],1 ; Case 2 of switch 0042CC40
0042CC54 jmp short kamipani.0042CC5A
0042CC56 mov byte ptr ss:[ebp-25],0 ; Default case of switch 0042CC40
0042CC5A lea eax,dword ptr ss:[ebp-40]
0042CC5D push eax ; /pLogfont
0042CC5E call <jmp.&gdi32.CreateFontIndirectA> ; \CreateFontIndirectA
A call like this is not really strange in itself; it is what it is. But just now, for unrelated reasons, I opened the original Kirikiri 2 and found that it has the very same code. The similarity is that high...
krkr.eXe:
004A3614 mov edx,krkr.004A36E8 ; ASCII "Default"
004A3619 call krkr.004F52E0
004A361E test eax,eax
004A3620 jnz short krkr.004A363C
004A3622 lea eax,dword ptr ss:[ebp-48]
004A3625 mov edx,krkr.006A4CAF ; ASCII 0D,"MS Sans Serif"
004A362A call krkr.004FD750
004A362F mov edx,dword ptr ss:[ebp-48]
004A3632 lea eax,dword ptr ss:[ebp-24]
004A3635 call krkr.004F5BA8
004A363A jmp short krkr.004A3655
004A363C lea eax,dword ptr ss:[ebp-4C]
004A363F mov edx,dword ptr ss:[ebp-4]
004A3642 add edx,1B
004A3645 call krkr.004FD750
004A364A mov edx,dword ptr ss:[ebp-4C]
004A364D lea eax,dword ptr ss:[ebp-24]
004A3650 call krkr.004F5BA8
004A3655 mov byte ptr ss:[ebp-26],0
004A3659 mov byte ptr ss:[ebp-28],0
004A365D mov byte ptr ss:[ebp-27],0
004A3661 mov eax,ebx
004A3663 call krkr.004A382C
004A3668 dec al ; Switch (cases 1..2)
004A366A je short krkr.004A3672
004A366C dec al
004A366E je short krkr.004A3678
004A3670 jmp short krkr.004A367E
004A3672 mov byte ptr ss:[ebp-25],2 ; Case 1 of switch 004A3668
004A3676 jmp short krkr.004A3682
004A3678 mov byte ptr ss:[ebp-25],1 ; Case 2 of switch 004A3668
004A367C jmp short krkr.004A3682
004A367E mov byte ptr ss:[ebp-25],0 ; Default case of switch 004A3668
004A3682 lea eax,dword ptr ss:[ebp-40]
004A3685 push eax ; /pLogfont
004A3686 call <jmp.&GDI32.CreateFontIndirectA> ; \CreateFontIndirectA
And krkr.eXe was compiled with Borland C++ Builder 5.5. The code above therefore looks like it comes from some library inside Borland's toolchain.
Is it the VCL? If any expert knows, please teach me... I really don't have the confidence to go digging into Borland's stuff by myself.
=============================================================
There is one fairly useful spot in krkr.eXe:
mov byte ptr ds:[ebx+17],80
This instruction initializes a LOGFONT's lfCharSet to 0x80 = SHIFTJIS_CHARSET.
While I'm at it, let me write down the LOGFONT structure once more:
typedef struct tagLOGFONT {
LONG lfHeight;
LONG lfWidth;
LONG lfEscapement;
LONG lfOrientation;
LONG lfWeight;
BYTE lfItalic;
BYTE lfUnderline;
BYTE lfStrikeOut;
BYTE lfCharSet;
BYTE lfOutPrecision;
BYTE lfClipPrecision;
BYTE lfQuality;
BYTE lfPitchAndFamily;
TCHAR lfFaceName[LF_FACESIZE];
} LOGFONT, *PLOGFONT;
+17 is exactly lfCharSet. Changing it to 0x86 = GB2312_CHARSET is enough to display Chinese properly.
kamipani_trial.exe, however, has no such assignment. Most places in its LOGFONT use 0x01 = DEFAULT_CHARSET, and those can be left alone. Only one spot has a 0x80, which is the first time execution reaches this call:
0042CC5E call <gdi32.CreateFontIndirectA> ; \CreateFontIndirectA
The place where it is assigned directly is:
0042CBD2 mov eax,dword ptr ss:[ebp-4]
0042CBD5 mov al,byte ptr ds:[eax+1A]
0042CBD8 mov byte ptr ss:[ebp-29],al
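As an added example (not code from this post or from the engine), here is the LOGFONT layout above expressed with ctypes so the offsets can be computed instead of counted by hand. LONG is modelled as c_int32 so the layout matches Win32 on any host, and the ANSI variant is used because the listings call CreateFontIndirectA. stack_slot_to_field assumes, as in the listings, that the structure sits at [ebp-0x40] (the `lea eax,[ebp-40]` that is pushed as pLogfont), which is what makes [ebp-29] land on lfCharSet. patch_charset shows the 0x80 -> 0x86 change on a raw structure image while leaving DEFAULT_CHARSET slots alone.

```python
import ctypes

LF_FACESIZE = 32


# ANSI LOGFONT from wingdi.h (the struct listed above); c_int32 stands in for
# the Win32 LONG so the layout is identical on a non-Windows host.
class LOGFONTA(ctypes.Structure):
    _fields_ = [
        ("lfHeight", ctypes.c_int32),
        ("lfWidth", ctypes.c_int32),
        ("lfEscapement", ctypes.c_int32),
        ("lfOrientation", ctypes.c_int32),
        ("lfWeight", ctypes.c_int32),
        ("lfItalic", ctypes.c_uint8),
        ("lfUnderline", ctypes.c_uint8),
        ("lfStrikeOut", ctypes.c_uint8),
        ("lfCharSet", ctypes.c_uint8),
        ("lfOutPrecision", ctypes.c_uint8),
        ("lfClipPrecision", ctypes.c_uint8),
        ("lfQuality", ctypes.c_uint8),
        ("lfPitchAndFamily", ctypes.c_uint8),
        ("lfFaceName", ctypes.c_char * LF_FACESIZE),
    ]


# lfCharSet values from wingdi.h
DEFAULT_CHARSET = 0x01
SHIFTJIS_CHARSET = 0x80
GB2312_CHARSET = 0x86

# Frame layout taken from the listings: `lea eax,[ebp-40]` is pushed as pLogfont.
LOGFONT_EBP_DISP = 0x40


def logfont_size():
    return ctypes.sizeof(LOGFONTA)


def field_offset(name):
    """Byte offset of a LOGFONTA member, e.g. field_offset('lfCharSet') == 0x17."""
    return getattr(LOGFONTA, name).offset


def field_at(offset):
    """Name of the member that starts at `offset`, or None if none does."""
    for name, _ in LOGFONTA._fields_:
        if field_offset(name) == offset:
            return name
    return None


def stack_slot_to_field(ebp_disp, logfont_disp=LOGFONT_EBP_DISP):
    """Translate an [ebp-ebp_disp] store from the listings into the LOGFONT
    member it writes, assuming the structure sits at [ebp-logfont_disp]."""
    return field_at(logfont_disp - ebp_disp)


def patch_charset(image, new_charset=GB2312_CHARSET, only_if=SHIFTJIS_CHARSET):
    """Rewrite lfCharSet in a raw LOGFONTA image.  With only_if set, slots that
    already hold another value (e.g. DEFAULT_CHARSET) are left untouched."""
    lf = LOGFONTA.from_buffer_copy(image)
    if only_if is None or lf.lfCharSet == only_if:
        lf.lfCharSet = new_charset
    return bytes(lf)


if __name__ == "__main__":
    # The byte stores in the CreateFontIndirectA listings, decoded slot by slot.
    for disp in (0x29, 0x28, 0x27, 0x26, 0x25, 0x24):
        print("[ebp-%02X] -> +0x%02X %s" % (disp, LOGFONT_EBP_DISP - disp,
                                            stack_slot_to_field(disp)))
    lf = LOGFONTA(lfCharSet=SHIFTJIS_CHARSET, lfFaceName=b"MS Sans Serif")
    patched = patch_charset(bytes(lf))
    print("lfCharSet after patch: 0x%02X" % patched[field_offset("lfCharSet")])
```

Running it prints the slot mapping: [ebp-29] is +0x17 lfCharSet, [ebp-28]/[ebp-27]/[ebp-26] are lfOutPrecision/lfClipPrecision/lfQuality, [ebp-25] is lfPitchAndFamily (the switch writing 2/1/0), and [ebp-24] is lfFaceName, which is where "MS Sans Serif" is copied in both listings.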
=============================================================
Speaking of Borland, the Delphi compiler really does a Good Job, generating marvellous code like this:
0044D2AC push ebx
0044D2AD mov ebx,eax
0044D2AF mov eax,ebx
0044D2B1 call kamipani.0045F2FC
I Googled these keywords: borland 编译 缺乏优化 (roughly: "borland compiler lacks optimization")
and saw this hit:
Quote:
Delphi code optimization: Programmer's Knowledge Base. Borland has the best compiler in the world (though perhaps an even better one lives in your head); it is not only fast, its compile-time optimization is also first-class. So in most cases natural code already achieves fairly high efficiency, and you ...
www.freshinfo.cn/article.php?id=224 - 60k - Cached - Similar pages
Wonderful, so the "best" compiler can produce code this GJ. There is still hope, there's still a chance for us to go down this road =_=
=============================================================
Incidentally, I noticed that the main form of kamipani_trial.exe has the ID TForm1. How lazy.
Then I saw a place where this shows up:
EAX 00F8FB00 ASCII 0C,"Font.Charset"
Here:
00425390 mov edx,ebx
00425392 mov eax,dword ptr ss:[ebp-4]
00425395 call kamipani.00425878
0042539A mov eax,dword ptr ss:[ebp-4]
0042539D call kamipani.0042495C
004253A2 test al,al
004253A4 je short kamipani.00425390
It comes from here:
00F8FA60 54 50 46 30 06 54 46 6F 72 6D 31 05 46 6F 72 6D TPF0TForm1Form
00F8FA70 31 04 4C 65 66 74 03 7D 01 03 54 6F 70 03 EB 00 1Left}Top?
00F8FA80 0B 42 6F 72 64 65 72 49 63 6F 6E 73 0B 0C 62 69 BorderIcons.bi
00F8FA90 53 79 73 74 65 6D 4D 65 6E 75 0A 62 69 4D 69 6E SystemMenu.biMin
00F8FAA0 69 6D 69 7A 65 00 0B 42 6F 72 64 65 72 53 74 79 imize.BorderSty
00F8FAB0 6C 65 07 08 62 73 53 69 6E 67 6C 65 07 43 61 70 lebsSingleCap
00F8FAC0 74 69 6F 6E 06 0A 4D 61 69 6E 57 69 6E 64 6F 77 tion.MainWindow
00F8FAD0 0C 43 6C 69 65 6E 74 48 65 69 67 68 74 03 F0 00 .ClientHeight?
00F8FAE0 0B 43 6C 69 65 6E 74 57 69 64 74 68 03 40 01 05 ClientWidth@
00F8FAF0 43 6F 6C 6F 72 07 09 63 6C 42 74 6E 46 61 63 65 Color.clBtnFace
00F8FB00 0C 46 6F 6E 74 2E 43 68 61 72 73 65 74 07 10 53 .Font.CharsetS
00F8FB10 48 49 46 54 4A 49 53 5F 43 48 41 52 53 45 54 0A HIFTJIS_CHARSET.
00F8FB20 46 6F 6E 74 2E 43 6F 6C 6F 72 07 0C 63 6C 57 69 Font.Color.clWi
00F8FB30 6E 64 6F 77 54 65 78 74 0B 46 6F 6E 74 2E 48 65 ndowTextFont.He
00F8FB40 69 67 68 74 02 F4 09 46 6F 6E 74 2E 4E 61 6D 65 ight?Font.Name
00F8FB50 06 07 4D 53 20 3F 3F 3F 3F 0A 46 6F 6E 74 2E 53 MS ????.Font.S
00F8FB60 74 79 6C 65 0B 00 0E 4F 6C 64 43 72 65 61 74 65 tyle.OldCreate
00F8FB70 4F 72 64 65 72 08 08 50 6F 73 69 74 69 6F 6E 07 OrderPosition
00F8FB80 0E 70 6F 53 63 72 65 65 6E 43 65 6E 74 65 72 07 poScreenCenter
00F8FB90 4F 6E 43 6C 6F 73 65 07 09 46 6F 72 6D 43 6C 6F OnClose.FormClo
00F8FBA0 73 65 08 4F 6E 43 72 65 61 74 65 07 0A 46 6F 72 seOnCreate.For
00F8FBB0 6D 43 72 65 61 74 65 09 4F 6E 44 65 73 74 72 6F mCreate.OnDestro
00F8FBC0 79 07 0B 46 6F 72 6D 44 65 73 74 72 6F 79 09 4F yFormDestroy.O
00F8FBD0 6E 4B 65 79 44 6F 77 6E 07 0B 46 6F 72 6D 4B 65 nKeyDownFormKe
00F8FBE0 79 44 6F 77 6E 07 4F 6E 4B 65 79 55 70 07 09 46 yDownOnKeyUp.F
00F8FBF0 6F 72 6D 4B 65 79 55 70 07 4F 6E 50 61 69 6E 74 ormKeyUpOnPaint
00F8FC00 07 09 46 6F 72 6D 50 61 69 6E 74 0D 50 69 78 65 .FormPaint.Pixe
00F8FC10 6C 73 50 65 72 49 6E 63 68 02 60 0A 54 65 78 74 lsPerInch`.Text
00F8FC20 48 65 69 67 68 74 02 0C 00 06 54 44 44 44 44 37 Height..TDDDD7
00F8FC30 06 44 44 44 44 37 31 0B 44 65 62 75 67 4F 70 74 DDDD71DebugOpt
00F8FC40 69 6F 6E 0B 0E 64 64 6F 48 61 6C 74 4F 6E 45 72 ionddoHaltOnEr
00F8FC50 72 6F 72 00 09 42 61 63 6B 43 6F 6C 6F 72 02 00 ror..BackColor.
00F8FC60 19 41 75 74 6F 44 69 73 70 6C 61 79 4D 6F 64 65 AutoDisplayMode
00F8FC70 49 6E 69 74 69 61 6C 69 7A 65 08 12 44 69 73 61 InitializeDisa
00F8FC80 62 6C 65 53 63 72 65 65 6E 53 61 76 65 72 09 05 bleScreenSaver.
00F8FC90 55 73 65 33 44 08 0F 56 73 79 6E 63 41 74 57 69 Use3DVsyncAtWi
00F8FCA0 6E 64 6F 77 65 64 08 0A 44 33 44 4F 70 74 69 6F ndowed.D3DOptio
00F8FCB0 6E 73 0B 00 04 4C 65 66 74 02 20 00 00 06 54 44 ns.Left ..TD
00F8FCC0 44 53 44 37 06 44 44 53 44 37 31 0B 44 65 62 75 DSD7DDSD71Debu
00F8FCD0 67 4F 70 74 69 6F 6E 0B 0E 64 73 6F 48 61 6C 74 gOptiondsoHalt
00F8FCE0 4F 6E 45 72 72 6F 72 00 0C 43 68 61 6E 6E 65 6C OnError..Channel
00F8FCF0 43 6F 75 6E 74 02 10 00 00 0A 54 50 6F 70 75 70 Count...TPopup
00F8FD00 4D 65 6E 75 0A 50 6F 70 75 70 4D 65 6E 75 31 03 Menu.PopupMenu1
00F8FD10 54 6F 70 02 20 00 09 54 4D 65 6E 75 49 74 65 6D Top ..TMenuItem
00F8FD20 05 53 68 6F 77 31 07 43 61 70 74 69 6F 6E 06 02 Show1Caption
00F8FD30 3F 3F 07 4F 6E 43 6C 69 63 6B 07 0A 53 68 6F 77 ??OnClick.Show
00F8FD40 31 43 6C 69 63 6B 00 00 00 00 00 00 00 00 00 00 1Click..........
In kamipani_trial.exe the data above is located at 0x00146AC0.
Naturally, this data comes from TForm1's property data:
object Form1: TForm1
Left = 381
Top = 235
BorderIcons = [biSystemMenu, biMinimize]
BorderStyle = bsSingle
Caption = 'MainWindow'
ClientHeight = 240
ClientWidth = 320
Color = clBtnFace
Font.Charset = SHIFTJIS_CHARSET
Font.Color = clWindowText
Font.Height = -12
Font.Name = 'MS ????'
Font.Style = []
OldCreateOrder = False
Position = poScreenCenter
OnClose = FormClose
OnCreate = FormCreate
OnDestroy = FormDestroy
OnKeyDown = FormKeyDown
OnKeyUp = FormKeyUp
OnPaint = FormPaint
PixelsPerInch = 96
TextHeight = 12
object DDDD71: TDDDD7
DebugOption = [ddoHaltOnError]
BackColor = 0
AutoDisplayModeInitialize = False
DisableScreenSaver = True
Use3D = False
VsyncAtWindowed = False
D3DOptions = []
Left = 32
end
object DDSD71: TDDSD7
DebugOption = [dsoHaltOnError]
ChannelCount = 16
end
object PopupMenu1: TPopupMenu
Top = 32
object Show1: TMenuItem
Caption = '??'
OnClick = Show1Click
end
end
end
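Added example, not code from this post or from the engine: a small reader for the binary form stream (TPF0) that the dump above contains, which turns it back into the text form just listed. The bytes are transcribed from the dump, with the 3F bytes kept where the dump shows '?'. It understands the TValueType tags that occur in this stream (Int8/Int16/Int32, String, Ident, Set, True/False); other tags raise, and the 0xF0 object-prefix used by inherited forms is not handled because this data has none.

```python
import struct

# TValueType tags (Classes.pas numbering) that occur in this stream.
VA_INT8, VA_INT16, VA_INT32, VA_STRING, VA_IDENT, VA_FALSE, VA_TRUE, VA_SET = 2, 3, 4, 6, 7, 8, 9, 11
INT_FORMATS = {VA_INT8: "<b", VA_INT16: "<h", VA_INT32: "<i"}   # little-endian, signed

# Transcribed from the dump above (two dump rows per line, starting at 0x00F8FA60);
# the 3F bytes are the '?' placeholders the dump shows, kept as-is.
DFM_BYTES = bytes.fromhex("""
54 50 46 30 06 54 46 6F 72 6D 31 05 46 6F 72 6D 31 04 4C 65 66 74 03 7D 01 03 54 6F 70 03 EB 00
0B 42 6F 72 64 65 72 49 63 6F 6E 73 0B 0C 62 69 53 79 73 74 65 6D 4D 65 6E 75 0A 62 69 4D 69 6E
69 6D 69 7A 65 00 0B 42 6F 72 64 65 72 53 74 79 6C 65 07 08 62 73 53 69 6E 67 6C 65 07 43 61 70
74 69 6F 6E 06 0A 4D 61 69 6E 57 69 6E 64 6F 77 0C 43 6C 69 65 6E 74 48 65 69 67 68 74 03 F0 00
0B 43 6C 69 65 6E 74 57 69 64 74 68 03 40 01 05 43 6F 6C 6F 72 07 09 63 6C 42 74 6E 46 61 63 65
0C 46 6F 6E 74 2E 43 68 61 72 73 65 74 07 10 53 48 49 46 54 4A 49 53 5F 43 48 41 52 53 45 54 0A
46 6F 6E 74 2E 43 6F 6C 6F 72 07 0C 63 6C 57 69 6E 64 6F 77 54 65 78 74 0B 46 6F 6E 74 2E 48 65
69 67 68 74 02 F4 09 46 6F 6E 74 2E 4E 61 6D 65 06 07 4D 53 20 3F 3F 3F 3F 0A 46 6F 6E 74 2E 53
74 79 6C 65 0B 00 0E 4F 6C 64 43 72 65 61 74 65 4F 72 64 65 72 08 08 50 6F 73 69 74 69 6F 6E 07
0E 70 6F 53 63 72 65 65 6E 43 65 6E 74 65 72 07 4F 6E 43 6C 6F 73 65 07 09 46 6F 72 6D 43 6C 6F
73 65 08 4F 6E 43 72 65 61 74 65 07 0A 46 6F 72 6D 43 72 65 61 74 65 09 4F 6E 44 65 73 74 72 6F
79 07 0B 46 6F 72 6D 44 65 73 74 72 6F 79 09 4F 6E 4B 65 79 44 6F 77 6E 07 0B 46 6F 72 6D 4B 65
79 44 6F 77 6E 07 4F 6E 4B 65 79 55 70 07 09 46 6F 72 6D 4B 65 79 55 70 07 4F 6E 50 61 69 6E 74
07 09 46 6F 72 6D 50 61 69 6E 74 0D 50 69 78 65 6C 73 50 65 72 49 6E 63 68 02 60 0A 54 65 78 74
48 65 69 67 68 74 02 0C 00 06 54 44 44 44 44 37 06 44 44 44 44 37 31 0B 44 65 62 75 67 4F 70 74
69 6F 6E 0B 0E 64 64 6F 48 61 6C 74 4F 6E 45 72 72 6F 72 00 09 42 61 63 6B 43 6F 6C 6F 72 02 00
19 41 75 74 6F 44 69 73 70 6C 61 79 4D 6F 64 65 49 6E 69 74 69 61 6C 69 7A 65 08 12 44 69 73 61
62 6C 65 53 63 72 65 65 6E 53 61 76 65 72 09 05 55 73 65 33 44 08 0F 56 73 79 6E 63 41 74 57 69
6E 64 6F 77 65 64 08 0A 44 33 44 4F 70 74 69 6F 6E 73 0B 00 04 4C 65 66 74 02 20 00 00 06 54 44
44 53 44 37 06 44 44 53 44 37 31 0B 44 65 62 75 67 4F 70 74 69 6F 6E 0B 0E 64 73 6F 48 61 6C 74
4F 6E 45 72 72 6F 72 00 0C 43 68 61 6E 6E 65 6C 43 6F 75 6E 74 02 10 00 00 0A 54 50 6F 70 75 70
4D 65 6E 75 0A 50 6F 70 75 70 4D 65 6E 75 31 03 54 6F 70 02 20 00 09 54 4D 65 6E 75 49 74 65 6D
05 53 68 6F 77 31 07 43 61 70 74 69 6F 6E 06 02 3F 3F 07 4F 6E 43 6C 69 63 6B 07 0A 53 68 6F 77
31 43 6C 69 63 6B 00 00 00 00
""")


class Ident(str):
    pass   # a vaIdent value: rendered bare, unlike a vaString, which is quoted


def _shortstr(buf, pos):
    n = buf[pos]                                   # Pascal ShortString: length byte + chars
    return buf[pos + 1:pos + 1 + n].decode("latin-1"), pos + 1 + n


def read_value(buf, pos):
    """Decode one typed value at its tag byte; returns (value, next position)."""
    tag, pos = buf[pos], pos + 1
    if tag in INT_FORMATS:
        fmt = INT_FORMATS[tag]
        return struct.unpack_from(fmt, buf, pos)[0], pos + struct.calcsize(fmt)
    if tag == VA_STRING:
        return _shortstr(buf, pos)
    if tag == VA_IDENT:
        s, pos = _shortstr(buf, pos)
        return Ident(s), pos
    if tag in (VA_FALSE, VA_TRUE):
        return tag == VA_TRUE, pos
    if tag == VA_SET:                              # identifiers until an empty string
        items = []
        while True:
            s, pos = _shortstr(buf, pos)
            if not s:
                return items, pos
            items.append(s)
    raise ValueError("unsupported TValueType 0x%02X at 0x%X" % (tag, pos - 1))


def read_object(buf, pos):
    """Read one object record: class name, instance name, properties, children."""
    cls, pos = _shortstr(buf, pos)
    name, pos = _shortstr(buf, pos)
    props = {}
    while buf[pos] != 0:                           # empty name ends the property list
        pname, pos = _shortstr(buf, pos)
        props[pname], pos = read_value(buf, pos)
    pos += 1
    children = []
    while buf[pos] != 0:                           # empty class name ends the child list
        child, pos = read_object(buf, pos)
        children.append(child)
    return {"class": cls, "name": name, "props": props, "children": children}, pos + 1


def parse_dfm(buf):
    if buf[:4] != b"TPF0":
        raise ValueError("missing TPF0 signature: not a binary form stream")
    return read_object(buf, 4)[0]


def _fmt(v):
    if isinstance(v, bool):
        return "True" if v else "False"
    if isinstance(v, list):
        return "[%s]" % ", ".join(v)
    if isinstance(v, str) and not isinstance(v, Ident):
        return "'%s'" % v
    return str(v)


def dfm_to_text(obj, indent=0):
    """Render the parsed tree in the text-DFM form listed above."""
    pad = "  " * indent
    lines = ["%sobject %s: %s" % (pad, obj["name"], obj["class"])]
    lines += ["%s  %s = %s" % (pad, k, _fmt(v)) for k, v in obj["props"].items()]
    for child in obj["children"]:
        lines += dfm_to_text(child, indent + 1)
    lines.append(pad + "end")
    return lines


if __name__ == "__main__":
    print("\n".join(dfm_to_text(parse_dfm(DFM_BYTES))))
```

The output reproduces the form listed above, including Font.Charset = SHIFTJIS_CHARSET, which is stored as a vaIdent string rather than the 0x80 byte, so it is the form loader, not the code in the listing, that turns it into the charset value at run time.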
=============================================================
Sigh, knowing it was a Delphi program I should have opened DeDe earlier. Using OllyDbg before that was far too inefficient; finding a few font parameters took that long, OTL. The default RVA-to-file-offset conversion for Delphi programs is also different from what I'm used to, which is annoying.
CC's results:
Quote:
## Offset Value Method
----- -------- -------- --------
1 0009DDF4 EDB88320 CRC32 Polynomial
2 0012A834 6A09E667 SHA-256 (Init)
3 0012A838 BB67AE85 SHA-256 (Init)
4 0012A83C 3C6EF372 SHA-256 (Init)
5 0012A840 A54FF53A SHA-256 (Init)
6 000029BD 08088405 PKZip/Borland Pseudo-Random Generator
But the FilePackVer3.0 archive format does not actually use SHA-256, does it? I set a breakpoint at the location of the first SHA-256 constant reported by CC, but never saw it triggered.
004A4DDB mov edx,kamipani.0052B634
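Added example, not CC's code: what a constant scan like the one quoted above does, run over a constructed image with the six constants embedded, plus the LCG step that the 0x08088405 hit refers to (the RandSeed update of Delphi's System.Random, which is also the multiplier in PKZip's traditional-encryption key update). The contiguity check is the quick sanity test for a SHA-256 hit: the four initial hash words H0..H3 should sit in consecutive 4-byte slots, as they do at 0012A834..0012A840 in the scan above, and a lone word is weak evidence. The sample image and its offsets are constructed for this example.

```python
import struct

# Constants that identify the routines listed in the scan above.
SIGNATURES = {
    0xEDB88320: "CRC32 polynomial (reflected)",
    0x6A09E667: "SHA-256 H0",
    0xBB67AE85: "SHA-256 H1",
    0x3C6EF372: "SHA-256 H2",
    0xA54FF53A: "SHA-256 H3",
    0x08088405: "PKZip/Borland LCG multiplier",
}
SHA256_H0_TO_H3 = (0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A)

# Constructed sample image: NOP padding with the constants dropped in as
# little-endian dwords, laid out the way a real hit looks (SHA-256 words contiguous).
SAMPLE_IMAGE = (b"\x90" * 0x20 + struct.pack("<I", 0xEDB88320) + b"\x00" * 12
                + struct.pack("<4I", *SHA256_H0_TO_H3) + b"\x00" * 8
                + struct.pack("<I", 0x08088405) + b"\x00" * 8)


def scan_constants(image, signatures=SIGNATURES):
    """Return sorted [(offset, value, label)] for each little-endian occurrence."""
    hits = []
    for value, label in signatures.items():
        needle = struct.pack("<I", value)
        pos = image.find(needle)
        while pos != -1:
            hits.append((pos, value, label))
            pos = image.find(needle, pos + 1)
    return sorted(hits)


def sha256_init_contiguous(hits):
    """True if H0..H3 were all found in consecutive dword slots."""
    offsets = {value: off for off, value, _ in hits if value in SHA256_H0_TO_H3}
    if len(offsets) < 4:
        return False
    base = offsets[SHA256_H0_TO_H3[0]]
    return all(offsets[v] == base + 4 * i for i, v in enumerate(SHA256_H0_TO_H3))


BORLAND_MULT = 0x08088405   # 134775813


def borland_random_step(seed):
    """One RandSeed update of Delphi's System.Random; PKZip's key1 update
    multiplies by the same constant."""
    return (seed * BORLAND_MULT + 1) & 0xFFFFFFFF


def borland_random(seed, limit):
    """Delphi Random(limit): advance the seed, then take the high dword of the
    unsigned 32x32 product limit * seed, i.e. a value in [0, limit)."""
    seed = borland_random_step(seed)
    return seed, (limit * seed) >> 32


if __name__ == "__main__":
    hits = scan_constants(SAMPLE_IMAGE)
    for off, value, label in hits:
        print("%08X %08X %s" % (off, value, label))
    print("SHA-256 init block contiguous:", sha256_init_contiguous(hits))
    seed, draw = borland_random(0, 100)
    print("RandSeed 0 -> %08X, Random(100) = %d" % (seed, draw))
```

A scanner only says that a constant is present in the image; whether the routine around it is ever called is a separate question, which is exactly what the breakpoint on the SHA-256 hit above was checking.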