xcengine.dll----->proxy.dll、
为xcengine.dll做代理是很难实现的,没有开放接口的开发库,最多模仿个类指针来调用一下
关键又是由类似COM接口的对象注册方式,整个解压流程都是以对象方法来调用的
注释的那两个就是XcFileZip和XcBitmap对象 - 10020316 |. 8B7C24 18 mov edi,dword ptr ss:[esp+18]
- 1002031A |> 8B4E 10 mov ecx,dword ptr ds:[esi+10]
- 1002031D |. 8B01 mov eax,dword ptr ds:[ecx]
- 1002031F |. 8B40 34 mov eax,dword ptr ds:[eax+34]
- 10020322 |. 6A 04 push 4
- 10020324 |. 8D5424 1C lea edx,dword ptr ss:[esp+1C]
- 10020328 |. 52 push edx ; //前面比较过是否XCPK头
- 10020329 |. FFD0 call eax ; // ::Read
- 1002032B |. 85C0 test eax,eax ; //根据长度与名字Yellowjacket 18读取完整的xpck文件
- 1002032D |.^ 0F85 55FFFFFF jnz xcEngine.10020288 ; //本次是读取39B3,到88 A9 4E 03,在往下正好是下个XCPK头
上面方法本身类结构 - 003EDF50 BC 8E 0A 10 00 00 00 00 03 00 03 00 01 00 00 00 紟..........
- 003EDF60 00 00 00 00 04 00 00 00 90 B0 12 00 01 00 00 00 .......惏....
- 003EDF70 88 A9 4E 03 00 00 01 00 B3 39 00 00 D0 54 4E 03 埄N...?..蠺N
88 A9 4E 03(小端序,即 0x034EA988)指向从Sl2fnt.dat读进来并XOR之后的内容,B3 39 00 00(0x39B3)是本次读取长度,D0 54 4E 03(0x034E54D0)指向返回类
返回类指针指向结构 - 034E54D0 9D A9 4E 03 9E 39 00 00 15 00 00 00 4C B0 12 00 潻N?.....L?.
- 034E54E0 00 00 00 00 08 00 00 00 00 00 00 00 D8 82 4E 03 ...........貍N
- 034E54F0 00 6E 07 10 20 6E 07 10 00 00 00 00 05 00 00 00 .n n.......
9D A9 4E 03 表示目前未读的缓冲区指针,9E 39 00 00为剩下长度,15 00 00 00 表示已经解压长度,4C B0 12 00 解压缓冲区尾指针(按小端序换算,这些值与上面的结构吻合:0x034EA988 + 0x15 = 0x034EA99D,0x39B3 - 0x15 = 0x399E)
这里可以看到读取地址根据之前的GMGB文件来获取(下面索引项里的 CF 7A 40 00 即 0x00407ACF,与 SetFilePointer 的 OffsetLo 一致) -
- 02220C98 B7 39 00 00 CF 7A 40 00 2F 45 58 54 44 41 54 41 ?..蟴@./EXTDATA
- 02220CA8 53 46 4F 4E 54 2F 59 45 4C 4C 4F 57 4A 41 43 4B SFONT/YELLOWJACK
- 02220CB8 45 54 20 31 38 2E 46 52 00 00 00 00 00 00 00 00 ET 18.FR........
- 0012ADF8 00501684 /CALL 到 SetFilePointer 来自 SL2.0050167E
- 0012ADFC 00000690 |hFile = 00000690 (window)
- 0012AE00 00407ACF |OffsetLo = 407ACF (4225743.)
- 0012AE04 0012AE18 |pOffsetHi = 0012AE18
- 0012AE08 00000000 \\Origin = FILE_BEGIN
接下来看看XCPK文件解压前的结构 - 10020431 |> /8B4E 10 /mov ecx,dword ptr ds:[esi+10]
- 10020434 |. |8B11 |mov edx,dword ptr ds:[ecx]
- 10020436 |. |8B52 34 |mov edx,dword ptr ds:[edx+34]
- 10020439 |. |6A 08 |push 8
- 1002043B |. |8D4424 2C |lea eax,dword ptr ss:[esp+2C]
- 1002043F |. |50 |push eax
- 10020440 |. |FFD2 |call edx ; XCTGX
- 10020442 |. |85C0 |test eax,eax
- 10020444 |.^|0F85 3EFEFFFF |jnz xcEngine.10020288
- 1002044A |. |817C24 28 5843544>|cmp dword ptr ss:[esp+28],47544358
- 10020452 |. |0F85 81010000 |jnz xcEngine.100205D9
- 10020458 |. |8B46 10 |mov eax,dword ptr ds:[esi+10]
- 1002045B |. |8B4C24 2C |mov ecx,dword ptr ss:[esp+2C]
- 1002045F |. |8B40 14 |mov eax,dword ptr ds:[eax+14]
- 10020462 |. |03C1 |add eax,ecx
- 10020464 |. |894424 24 |mov dword ptr ss:[esp+24],eax
- 10020468 |. |894C24 1C |mov dword ptr ss:[esp+1C],ecx
- 1002046C |> |8B4E 10 |/mov ecx,dword ptr ds:[esi+10]
- 1002046F |. |8B11 ||mov edx,dword ptr ds:[ecx]
- 10020471 |. |8B52 34 ||mov edx,dword ptr ds:[edx+34]
- 10020474 |. |6A 08 ||push 8
- 10020476 |. |8D4424 34 ||lea eax,dword ptr ss:[esp+34]
- 1002047A |. |50 ||push eax
- 1002047B |. |FFD2 ||call edx ; //Read 依次读取标记字符(bits,name,flag,wdth,hgth,fmt ...)
- 1002047D |. |85C0 ||test eax,eax
- 1002047F |.^|0F85 03FEFFFF ||jnz xcEngine.10020288
- 10020485 |. |8B46 10 ||mov eax,dword ptr ds:[esi+10]
- 10020488 |. |8B0B ||mov ecx,dword ptr ds:[ebx]
- 1002048A |. |8B5424 18 ||mov edx,dword ptr ss:[esp+18]
- 1002048E |. |8B78 14 ||mov edi,dword ptr ds:[eax+14]
- 10020491 |. |8B0C0A ||mov ecx,dword ptr ds:[edx+ecx]
- 10020494 |. |8B01 ||mov eax,dword ptr ds:[ecx]
- 10020496 |. |8B40 08 ||mov eax,dword ptr ds:[eax+8]
- 10020499 |. |037C24 34 ||add edi,dword ptr ss:[esp+34]
- 1002049D |. |56 ||push esi
- 1002049E |. |8D5424 34 ||lea edx,dword ptr ss:[esp+34]
- 100204A2 |. |52 ||push edx
- 100204A3 |. |FFD0 ||call eax ; // LoadChunk 根据标记字符读取一个块并解压
- 100204A5 |. |8B4E 10 ||mov ecx,dword ptr ds:[esi+10]
- 100204A8 |. |8B11 ||mov edx,dword ptr ds:[ecx]
- 100204AA |. |8B42 3C ||mov eax,dword ptr ds:[edx+3C]
- 100204AD |. |6A 00 ||push 0
- 100204AF |. |57 ||push edi
- 100204B0 |. |FFD0 ||call eax
- 100204B2 |. |8B46 34 ||mov eax,dword ptr ds:[esi+34]
- 100204B5 |. |B9 F8FFFFFF ||mov ecx,-8
- 100204BA |. |2B4C24 34 ||sub ecx,dword ptr ss:[esp+34]
- 100204BE |. |014C24 2C ||add dword ptr ss:[esp+2C],ecx
- 100204C2 |. |85C0 ||test eax,eax
- 100204C4 |. |74 49 ||je short xcEngine.1002050F
- 100204C6 |. |DB4424 14 ||fild dword ptr ss:[esp+14]
- 100204CA |. |8B4C24 2C ||mov ecx,dword ptr ss:[esp+2C]
- 100204CE |. |85C9 ||test ecx,ecx
- 100204D0 |. |8B56 38 ||mov edx,dword ptr ds:[esi+38]
- 100204D3 |. |DC05 A0570B10 ||fadd qword ptr ds:[100B57A0]
- 100204D9 |. |52 ||push edx
- 100204DA |. |DB4424 30 ||fild dword ptr ss:[esp+30]
- 100204DE |. |7D 06 ||jge short xcEngine.100204E6
- 100204E0 |. |D805 38580B10 ||fadd dword ptr ds:[100B5838]
- 100204E6 |> |DA7424 20 ||fidiv dword ptr ss:[esp+20]
- 100204EA |. |51 ||push ecx
- 100204EB |. |DEE9 ||fsubp st(1),st
- 100204ED |. |DC0D 20590B10 ||fmul qword ptr ds:[100B5920]
- 100204F3 |. |DA7424 18 ||fidiv dword ptr ss:[esp+18]
- 100204F7 |. |D95C24 28 ||fstp dword ptr ss:[esp+28]
- 100204FB |. |D94424 28 ||fld dword ptr ss:[esp+28]
- 100204FF |. |D91C24 ||fstp dword ptr ss:[esp]
- 10020502 |. |FFD0 ||call eax
- 10020504 |. |83C4 08 ||add esp,8
- 10020507 |. |85C0 ||test eax,eax
- 10020509 |.^|0F85 92FDFFFF ||jnz xcEngine.100202A1
- 1002050F |> |837C24 2C 00 ||cmp dword ptr ss:[esp+2C],0
- 10020514 |.^|0F87 52FFFFFF |\\ja xcEngine.1002046C
"XCPK" "bits" len <bits内容,也就是之前dump下来的字库块> "name" len <文件名Yellowjacket 18.en > "flag" <字库的像素度,长宽等信息>........."XCPK"(下一个XCPK文件头)
先Read到字符串"bits",然后把"bits"作为参数调用LoadChunk读取实际内容,然后一直循环到结尾。从上面的循环看,剩余长度每次减去(8 + 块长度),并用无符号的 ja 判断是否继续;自己实现解包或打包工具时,应先校验每个块的 len 不超过剩余长度,否则该计数会回绕而不是归零。