TesterTesterov / AI6WINScriptTool

Tool for disassembling and assembling .mes scripts from the AI6WIN visual novel engine.
GNU General Public License v2.0
13 stars 4 forks

Hints for reversing AI6WIN Engine #5

Closed etai2019 closed 1 year ago

etai2019 commented 1 year ago

Hello, hope you are doing well. Thanks for making this amazing tool! It truly demystified the packing logic and the underlying VM.

Do you happen to have any blogs or tutorials about how to reverse the AI6WIN engine? I am genuinely interested in understanding how you unraveled such a complex engine and its VM. Or would you please give some hints on how to approach this? I'd like to give it a try and see if I can figure out its packing and VM logic on my own.

TesterTesterov commented 1 year ago

@etai2019, there was a very good and very obscure starter tutorial in Russian, but it is long dead (10+ years) by now. Not even in Web Archive could I find it anymore.

About how I hacked the logic of the engine. Well, frankly speaking, it was not necessary to reverse it. I just analyzed the structures and packing methods with a HEX editor and some programming magic. It has quite easy structures to figure out, really. There are much more difficult scripting systems, like those damn scripts of the Valkyria Engine (ironically, the tool is not released, as I figured out all things except one small but critical moment, which was too painful to figure out). Well, it is possible to figure out all the logic of the commands (personally, I recommend IDA Pro + Hex-Rays), but it was not necessary for me; I labeled only the most needed commands after briefly testing them. Still, the additional details were given to me in an issue.

etai2019 commented 1 year ago

@TesterTesterov Thanks for your guidance! I am a newbie in this area and cannot understand the logic from just a glance at hex : )

So I chose the IDA Pro + Hex-Rays approach you suggested and started to learn reversing techniques these past weeks. Now I have a new question; would you please give me some guidance?

For the structure of .arc, I can find the file structure by hooking ReadFile and analyzing the logic that handles the read bytes: the first 4 bytes store the script count, followed by the script descriptors, each of them 272 bytes in total; the script name is stored in the first 260 bytes with a simple encryption algorithm, and the rest is the script length and offset.

Then I tried to analyze the script itself. I hooked the access to the script content in memory, and from the call stack I can locate the big switch-case block that handles the opcodes (I see 68 cases). How can I tell the meaning of each opcode? I see in your .py script that you listed the actual operation of each opcode; it is amazing!

Thank you in advance!
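The .arc index layout described in the comment above (4-byte script count, then 272-byte descriptors with a 260-byte name field followed by length and offset), written up as a bounds-checked parser. This is an added example, not code from the AI6WINScriptTool repository or from either commenter. It assumes little-endian 32-bit fields and that the 12 bytes after the name hold length, offset and one further unknown field; the name cipher is not described in the thread, so name decoding is a pluggable function that defaults to a pass-through, and the sample archive is constructed inline.

```python
import struct

HEADER_SIZE = 4        # script count, as described in the thread
DESCRIPTOR_SIZE = 272  # per-script descriptor, as described in the thread
NAME_SIZE = 260        # encrypted name field, as described in the thread


def identity_decode(raw_name):
    # Placeholder: the thread does not describe the name cipher, so the
    # raw bytes are returned unchanged. Swap in the real decoder here.
    return raw_name


def parse_arc_index(data, decode_name=identity_decode):
    """Parse the descriptor table of an .arc blob into a list of entries.

    Every length/offset coming from the file is treated as untrusted: a
    corrupt or hostile archive must raise ValueError instead of producing
    out-of-range slices or an enormous entry count.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("file too small for the script-count header")
    count = struct.unpack_from("<I", data, 0)[0]
    table_end = HEADER_SIZE + count * DESCRIPTOR_SIZE
    if table_end > len(data):
        raise ValueError(f"descriptor table ({count} entries) runs past end of file")

    entries = []
    for i in range(count):
        base = HEADER_SIZE + i * DESCRIPTOR_SIZE
        raw_name = data[base:base + NAME_SIZE]
        # NUL-terminated name; undecodable bytes are replaced rather than raising.
        name = decode_name(raw_name).split(b"\0", 1)[0].decode("ascii", "replace")
        # 12 bytes remain after the name. The thread names only "length and
        # offset"; treating them as three uint32 (length, offset, unknown) is an assumption.
        length, offset, extra = struct.unpack_from("<III", data, base + NAME_SIZE)
        if offset + length > len(data):
            raise ValueError(f"entry {i} ({name!r}): range {offset}+{length} lies outside the file")
        entries.append({"name": name, "length": length, "offset": offset, "extra": extra})
    return entries


def extract_script(data, entry):
    """Return the raw script bytes referenced by one parsed descriptor."""
    return data[entry["offset"]:entry["offset"] + entry["length"]]


def build_sample_arc(scripts, encode_name=identity_decode):
    """Construct an archive in the described layout from a {name: bytes} mapping.

    Used only to produce test input here; real archives come from the game.
    """
    items = list(scripts.items())
    table_end = HEADER_SIZE + len(items) * DESCRIPTOR_SIZE
    descriptors = b""
    body = b""
    for name, content in items:
        offset = table_end + len(body)
        raw_name = name.encode("ascii").ljust(NAME_SIZE, b"\0")
        descriptors += encode_name(raw_name) + struct.pack("<III", len(content), offset, 0)
        body += content
    return struct.pack("<I", len(items)) + descriptors + body


# Constructed sample archive with two scripts (not real game data).
SAMPLE_ARC = build_sample_arc({"start.mes": b"hello", "ch01.mes": b"CHAPTER ONE"})


if __name__ == "__main__":
    for entry in parse_arc_index(SAMPLE_ARC):
        print(f"{entry['name']:<12} len={entry['length']:<4} off={entry['offset']}")
        print("   ", extract_script(SAMPLE_ARC, entry))
```

The two checks in `parse_arc_index` are the ones worth keeping when you move from a hooked ReadFile trace to a standalone unpacker: an attacker-controlled count must not be multiplied into a huge allocation or read, and every (offset, length) pair must be validated against the real file size before it is used as a slice.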

TesterTesterov commented 1 year ago

@etai2019, well, at first, one needs to list the most obvious commands. It is quite useful to actually test them in the game. You'll also get hints about what other commands could do. And after that it would not be as hard to understand the opcodes' meaning. Well, depends on the commands, though...