forked from ReScrap/ScrapHacks
Daniel Seiller
8d92f25b8c
- Started implementing new parser for chunked data
- Started documenting data formats
- Started dissector for network protocol
- Added AI-Graph renderer (converts .pth files to python data you can import into Blender)
- Added Script to convert savefile to JSON
- Added (old) parser for chunked data format
- Added basic parser for LFVF data section (Vertex Data)
- Added script to analyze and filter read trace generated with frida script
- Added various Frida scripts
2.8 KiB
Scrapland Reverse Engineering notes and tools
Note!
All memory addresses are only valid for an unprotected Scrap.exe v1.0 with a SHA1 checksum of d2dde960e8eca69d60c2e39a439088b75f0c89fa. Other versions will crash if the memory offsets don't match and you try to inject ScrapHacks.
Computer Bild Spiele Issue 2006/08 contains a full version of the game, which was used as the basis for this project.
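A pre-flight check for the note above, as an added example that is not part of the ScrapHacks repository: it hashes the target binary and reports whether it is the Scrap.exe v1.0 build the memory addresses apply to. The script name check_scrap.py and the function names are assumptions; the checksum is the one given in the note.

```python
"""Pre-flight check (added example): refuse to inject unless Scrap.exe matches
the build the documented memory addresses were taken from."""
import hashlib
import hmac
import sys

# SHA1 of the unprotected Scrap.exe v1.0, as stated in the note above.
EXPECTED_SHA1 = "d2dde960e8eca69d60c2e39a439088b75f0c89fa"


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA1 so large binaries are not loaded at once."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_target(path, expected=EXPECTED_SHA1):
    """Return (ok, actual_sha1); ok is True only for the expected build."""
    try:
        actual = sha1_of_file(path)
    except OSError:
        return False, None  # missing or unreadable target: treat as unsafe
    ok = hmac.compare_digest(actual, expected.strip().lower())
    return ok, actual


def main(argv):
    # Hypothetical CLI wrapper: exit code 0 means "safe to inject".
    if len(argv) != 2:
        print("usage: check_scrap.py <path to Scrap.exe>")
        return 2
    ok, actual = check_target(argv[1])
    if ok:
        print("OK: Scrap.exe matches the supported v1.0 build")
        return 0
    print("MISMATCH: got %s, expected %s; do not inject ScrapHacks"
          % (actual, EXPECTED_SHA1))
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```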
Scripts
- tools/rbingrep.py: Search for pattern in all files and generate radare2 script to find all references (currently configured to search for chunked file section headers)
- frida/: Scripts for use with Frida
- parse_chunked.py: WIP Parser for the game's chunked data format (Models, Animations, Maps)
- save_to_json.py: Convert game save to JSON
- scrapper.py: Extractor and Repacker for *.packed files, needs the construct and tqdm python modules and python 3.x
  - Run scrapper.py -h for help
- r2_analyze.py: uses radare2 to parse and label a lot of interesting stuff in the Scrap.exe binary
- lib/dbg.py: general Script for poking around inside the game's scripting system
  - Run import dbg;dbg.init() inside the Game's Console, this will load all builtin modules, ScrapHacks and enable godmode
  - The dbg module also enables writing to the ingame console using print <var> and defines two global functions s_write() and e_write() for writing to the Ingame Console's Stdout and Stderr Stream
  - dbg.menu() Displays the Game's built in Debug Menu (doesn't work properly)
  - dbg.enable_all_conv() allows you to "overwrite" any character, even if they are protected/invulnerable
  - dbg.become(name) allows you to transform into any character
  - dbg.helplib() generates a file helplib.txt in the Game's folder containing all available Documentation for all available classes and functions
  - dbg.settrace() Logs all Python function calls together with their arguments into a dbg.txt file inside the Game's folder
ScrapHacks
WIP Memory hacking library
Notes
Tools used:
- Binary parsing:
  - HxD for initial file analysis
  - Python 3 + Construct for binary parsing
  - Kaitai Struct for binary parsing
- Static analysis:
- Dynamic analysis:
  - x64dbg for dynamic analysis
  - Reclass.NET to analyze structures and classes in memory
  - Frida for tracing and instrumenting functions