Hello folks.
Thought I'd drop by with some information about the game's Engine and other specifics which may make your lives easier (of those interested in reverse-engineering the game).
I initially thought the game would be using Foundation Engine, as the majority of the titles Nixxes has been involved with worked with that. But alas, it's a slightly different Engine, even though their signature launcher is still there:
Remember this?
Tell me they're not similar
First things first: a copy/back-up of the Steam executable, normalized to 0x140000000 ImageBase, so we all speak the same "language" and you can use it for later research. Especially since the game will most likely update several times in the future.
Spider-Man v1.812.1.0 | Steam executable: [Link]
(password: sunbeam)
Past that, I started looking into the executable itself, threw it in IDA, let it "simmer" for ~3 hours and ran Class Informer over it. Then dumped the Names window to a text file, filtering by the word vftable:
Then removed the header and changed tabs into ~ so I can process them easier in Lua and got this file: [Link].
!!-- NOTE THAT THE ADDRESSES IN THE LINK ABOVE WILL WORK FOR ONLY THE v1.812.1.0 EXECUTABLE FROM STEAM --!!
Then wrote this Lua script (you will have to adjust the folder names to yours):
Code:
frm = getLuaEngine()
log = frm.mOutput
log.Color = '0x000000'
log.Font.Name = "Terminal"
log.Font.Size = 6
log.Font.Color = '1030655'
-- see if the file exists
function file_exists( file )
  local f = io.open( file, "rb" )
  if f then f:close() end
  return f ~= nil
end
-- get all lines from a file, returns an empty
-- list/table if the file does not exist
function lines_from( file )
  if not file_exists( file ) then return {} end
  local lines = {}
  for line in io.lines( file ) do
    lines[ #lines + 1 ] = line
  end
  return lines
end
-- ImageBase the dumped executable was normalized to, and the base of the running game
-- (CE must be attached to the game; 'process' holds the module name of the attached process)
imageBaseFromIDA = 0x140000000
imageBase = getAddressSafe( process )
local file_in = 'D:\\Games Analysis\\Spider-Man Remastered\\IDA_vftable_names.txt'
local lines = lines_from( file_in )
local file_out = io.open( 'D:\\Games Analysis\\Spider-Man Remastered\\lblRTTIFunctions.txt', 'w' )
-- each input line is "name~address"; the greedy pattern splits on the LAST ~, so names containing ~ stay intact
for k, v in pairs( lines ) do
  local a, b = string.match( v, "(.*)~(.*)" )
  -- skip lines that don't carry a hex address (e.g. a leftover header line)
  if b and tonumber( b, 16 ) then
    -- rebase the IDA address to the live process; keep it a number so %X below can format it
    local faddr = tonumber( b, 16 ) - imageBaseFromIDA + imageBase
    local fname = a
    processMessages()
    local t = string.format( "lbl %X,\"%s\"\n", faddr, fname )
    file_out:write( t )
  end
end
file_out:write( "ret" )
file_out:close()
What is the above? It's a script you can now run in x64dbg which will apply labels to static addresses.
So now, in x64dbg, attached to the game process, I paused the game in x64dbg, then loaded the script above (the last link) and ran it. There will be some pop-ups that some lines can't be executed (if a line exceeds 240 characters, the x64dbg script window will split that line in 2), but at the end of the process, this is the result:
Spider-Man v1.812.1.0 | x64dbg database file: [Link]
(password: sunbeam)
How is all of this useful, you may ask? Well... let's take a look at some string references:
And the function:
Although you don't have the function names available (there's no PDB file available), you do have a lot of names for the RTTI virtual functions/tables, so you can easily roam around the code while at it.
For example, if we were to look at @NomuNomu's script found here: viewtopic.php?p=262791#p262791 and set a breakpoint at his scanned-for location, we see this:
Happy messing around from here on
BR,
Sun
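The same dump-to-labels conversion as a stand-alone Python script, added here as an example (not Sun's script and not part of the post). It assumes the post's "name~address" line format from the IDA Names dump, rebases from the 0x140000000 ImageBase to the live module base you read off x64dbg, and truncates any label that would push a line past the 240-character limit the post mentions, so the x64dbg script window does not split it.

```python
"""Turn an IDA Names-window dump (name~address) into an x64dbg 'lbl' script."""
from typing import Iterable, List, Tuple

IDA_IMAGE_BASE = 0x140000000   # ImageBase the dumped executable was normalized to
X64DBG_MAX_LINE = 240          # x64dbg script window splits lines longer than this


def parse_names_dump(lines: Iterable[str], sep: str = "~") -> List[Tuple[str, int]]:
    """Return (name, address) pairs; skips blank rows, the header and bad addresses.

    Splits on the LAST separator (same as the Lua pattern in the post), so a
    name that itself contains the separator is kept intact.
    """
    pairs = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line or sep not in line:
            continue
        name, _, addr = line.rpartition(sep)
        try:
            pairs.append((name.strip(), int(addr.strip(), 16)))
        except ValueError:           # e.g. the 'Name~Address' header row
            continue
    return pairs


def make_label_script(pairs: List[Tuple[str, int]], live_base: int,
                      ida_base: int = IDA_IMAGE_BASE,
                      max_len: int = X64DBG_MAX_LINE) -> List[str]:
    """Emit 'lbl <addr>,"<name>"' lines rebased to the running image, plus 'ret'."""
    delta = live_base - ida_base
    cmds = []
    for name, addr in pairs:
        safe = name.replace('"', "'")           # a double quote would end the lbl argument early
        prefix = f'lbl {addr + delta:X},"'
        room = max_len - len(prefix) - 1         # leave 1 char for the closing quote
        if len(safe) > room:
            safe = safe[:room]                   # truncate instead of letting x64dbg split the line
        cmds.append(f'{prefix}{safe}"')
    cmds.append("ret")
    return cmds


if __name__ == "__main__":
    # constructed sample dump; the live base (0x7FF700000000) is a made-up placeholder
    sample = ["Name~Address", "", "??_7Foo@@6B@~140A1B2C0", "class Bar::`vftable'~140001000"]
    for cmd in make_label_script(parse_names_dump(sample), 0x7FF700000000):
        print(cmd)
```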