数据库逆向工程(三)：代码复用与图像解压技术详解<\/h1>

1. 数据库逆向工程回顾<\/h2>
在第二部分中，我们研究了Microcat Ford USA数据库的内部机制，重点分析了代表车辆和车辆部件的通用数据结构。本部分将聚焦于零件图的逆向分析，这是该数据库研究的最后一个关键组件。<\/p>

1.1 数据结构依赖关系<\/h3>

MCData.idx<\/strong>：代表零件树的索引文件<\/li>
MCData.dat<\/strong>：包含车辆零件数据<\/li>

MCImage[2].dat<\/strong>：包含车辆零件图，通过image_offset<\/code>和image_size<\/code>字段与索引关联<\/li> <\/ul> 2. 图像存储格式分析<\/h2> 2.1 图像文件初步检查<\/h3> 图像开头部分显示非标准格式特征<\/li> 没有明显的幻数(magic numbers)<\/li> 存在大量零值和重复字节，表明可能是压缩格式<\/li> 每个图像都有独特的标题结构<\/li> <\/ul> 2.2 图像格式特性<\/h3> 标题结构<\/strong>：每个图像都有独特的标题部分<\/li> 压缩特征<\/strong>：中间部分显示明显的压缩特征<\/li> 无标准标识<\/strong>：缺乏常见的图像格式标识符<\/li> <\/ol> 3. 逆向工程方法<\/h2> 3.1 调试工具选择<\/h3> 由于目标程序是16位NE格式，调试工具选择至关重要：<\/p> 调试工具<\/th> 适用性评估<\/th> <\/tr> <\/thead> WinDbg<\/td> 最佳选择，支持NE模块调试<\/td> <\/tr> OllyDbg 1\/2<\/td> 通过NTVDM间接调试，16位代码断点会异常<\/td> <\/tr> x64dbg<\/td> 不支持NE格式<\/td> <\/tr> Open Watcom\/Insight Debugger<\/td> 因自加载功能无法启动目标程序<\/td> <\/tr> <\/tbody> <\/table> 3.2 调试策略<\/h3> WinAPI断点设置<\/strong>：重点关注以下BMP相关函数：<\/p> CreateBitmap<\/code><\/li> CreateBitmapIndirect<\/code><\/li> CreateCompatibleBitmap<\/code><\/li> CreateDIBitmap<\/code><\/li> CreateDIBSection<\/code><\/li> LoadBitmap<\/code><\/li> <\/ul> <\/li> 内存布局分析<\/strong>：<\/p> 16位模块加载在0x10000到0xA0000地址范围<\/li> 类似于实模式内存布局<\/li> <\/ul> <\/li> 函数定位技术<\/strong>：<\/p> 通过函数前导字节序列搜索目标函数<\/li> 示例搜索模式：8b F8 83 3e 08 1f 00 74 2c 83 7e fa 00 74 15 ff<\/code><\/li> <\/ul> <\/li> <\/ol> 3.3 关键发现<\/h3> 图像处理主要发生在两个库中： VBRUN300.dll<\/strong>：Visual Basic运行时库<\/li> FNAUTIL2.dll<\/strong>：包含核心图像处理函数<\/li> <\/ol> <\/li> <\/ul> 4. 图像解压算法分析<\/h2> 4.1 解压流程<\/h3> 读取压缩数据<\/strong>：从MCImage.dat中读取指定偏移和大小的数据<\/li> 调用解压函数<\/strong>：READ_AND_UNPACK_IMAGE<\/code>（内部实现仍为黑盒）<\/li> 尺寸调整<\/strong>：根据screen_height<\/code>和screen_width<\/code>调整解压后图像<\/li> 调色板处理<\/strong>：通过get_palette_handle<\/code>创建调色板<\/li> 位图创建<\/strong>：使用CreateDIBitmap<\/code>创建最终位图<\/li> 资源释放<\/strong>：释放解压使用的临时内存<\/li> <\/ol> 4.2 函数接口<\/h3> HBITMAP decrypt_image(char<\/span>*<\/span> mcimage_path, <\/span><\/span> unsigned<\/span> long<\/span> enc_image_offset, <\/span><\/span> unsigned<\/span> long<\/span> enc_image_size) <\/span><\/span><\/code><\/pre>5. 代码复用实现<\/h2> 5.1 开发环境<\/h3> 编译器<\/strong>：Open Watcom C（16位兼容）<\/li> 目标平台<\/strong>：16位Windows环境<\/li> <\/ul> 5.2 核心数据结构<\/h3> typedef<\/span> struct<\/span> { <\/span><\/span> long<\/span> unk_1; <\/span><\/span> long<\/span> unk_2; <\/span><\/span> int<\/span> unk_3; <\/span><\/span> int<\/span> mcimage; <\/span><\/span>} ImageFileData; <\/span><\/span><\/code><\/pre>5.3 位图保存实现<\/h3> int<\/span> save_bitmap<\/span>(HBITMAP bitmap, char<\/span>*<\/span> dec_image_path) <\/span><\/span>{ <\/span><\/span> \/\/ 1. 获取设备上下文 <\/span><\/span><\/span><\/span> HDC dc =<\/span> GetDC(NULL); <\/span><\/span> <\/span><\/span> \/\/ 2. 分配BITMAPINFO结构内存 <\/span><\/span><\/span><\/span> unsigned<\/span> lpbi_size =<\/span> 256<\/span>*<\/span>4<\/span> +<\/span> sizeof<\/span>(BITMAPINFOHEADER); <\/span><\/span> BITMAPINFO*<\/span> lpbi =<\/span> (BITMAPINFO*<\/span>)calloc(1<\/span>, lpbi_size); <\/span><\/span> <\/span><\/span> \/\/ 3. 初始化BITMAPINFOHEADER <\/span><\/span><\/span><\/span> lpbi-><\/span>bmiHeader.biSize =<\/span> sizeof<\/span>(BITMAPINFOHEADER); <\/span><\/span> lpbi-><\/span>bmiHeader.biPlanes =<\/span> 1<\/span>; <\/span><\/span> <\/span><\/span> \/\/ 4. 获取位图信息 <\/span><\/span><\/span><\/span> ret_val =<\/span> GetDIBits(dc, bitmap, 0<\/span>, 0<\/span>, NULL, lpbi, DIB_RGB_COLORS); <\/span><\/span> <\/span><\/span> \/\/ 5. 分配位图数据内存 <\/span><\/span><\/span><\/span> void<\/span> __huge*<\/span> bits =<\/span> halloc(lpbi-><\/span>bmiHeader.biSizeImage, 1<\/span>); <\/span><\/span> <\/span><\/span> \/\/ 6. 获取位图数据 <\/span><\/span><\/span><\/span> ret_val =<\/span> GetDIBits(dc, bitmap, 0<\/span>, (WORD)lpbi-><\/span>bmiHeader.biHeight, <\/span><\/span> bits, lpbi, DIB_RGB_COLORS); <\/span><\/span> <\/span><\/span> \/\/ 7. 创建输出文件 <\/span><\/span><\/span><\/span> int<\/span> dec_image; <\/span><\/span> _dos_creat(dec_image_path, _A_NORMAL, &<\/span>dec_image); <\/span><\/span> <\/span><\/span> \/\/ 8. 写入文件头 <\/span><\/span><\/span><\/span> BITMAPFILEHEADER file_header =<\/span> {0<\/span>}; <\/span><\/span> file_header.bfType =<\/span> 0x4D42<\/span>; \/\/ "BM" <\/span><\/span><\/span><\/span> file_header.bfSize =<\/span> sizeof<\/span>(BITMAPFILEHEADER) +<\/span> lpbi_size +<\/span> <\/span><\/span> lpbi-><\/span>bmiHeader.biSizeImage; <\/span><\/span> file_header.bfOffBits =<\/span> sizeof<\/span>(BITMAPFILEHEADER) +<\/span> lpbi_size; <\/span><\/span> _dos_write(dec_image, &<\/span>file_header, sizeof<\/span>(BITMAPFILEHEADER), &<\/span>bytes_written); <\/span><\/span> <\/span><\/span> \/\/ 9. 分块写入位图数据（处理>64KB情况） <\/span><\/span><\/span><\/span> DWORD i =<\/span> 0<\/span>; <\/span><\/span> while<\/span>(i <<\/span> lpbi-><\/span>bmiHeader.biSizeImage) { <\/span><\/span> WORD block_size =<\/span> 0x8000<\/span>; <\/span><\/span> if<\/span>(lpbi-><\/span>bmiHeader.biSizeImage -<\/span> i <<\/span> 0x8000<\/span>) { <\/span><\/span> block_size =<\/span> (WORD)(lpbi-><\/span>bmiHeader.biSizeImage -<\/span> i); <\/span><\/span> } <\/span><\/span> _dos_write(dec_image, (BYTE __huge*<\/span>)bits +<\/span> i, block_size, &<\/span>bytes_written); <\/span><\/span> i +=<\/span> block_size; <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 10. 释放资源 <\/span><\/span><\/span><\/span> _dos_close(dec_image); <\/span><\/span> hfree(bits); <\/span><\/span> free(lpbi); <\/span><\/span> return<\/span> 1<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>6. 未来研究方向<\/h2> 自动化逆向分析工具<\/strong>：<\/p> 实现启发式算法重构表、记录和字段<\/li> 交互式界面允许用户修正和补充数据结构<\/li> 正反馈系统，基于已知结构推断其他结构<\/li> <\/ul> <\/li> 交叉引用研究自动化<\/strong>：<\/p> 开发启发式算法识别偏移量指针<\/li> 自动扩展数据库文件格式知识库<\/li> <\/ul> <\/li> 方法论扩展<\/strong>：<\/p> 探索更多数据库逆向工程方法<\/li> 建立标准化逆向工程流程<\/li> <\/ul> <\/li> 公共资源建设<\/strong>：<\/p> 贡献逆向工程文件格式描述<\/li> 参与维护格式库（如Kaitai Struct格式库）<\/li> <\/ul> <\/li> <\/ol> 7. 关键知识点总结<\/h2> 16位调试技术<\/strong>：<\/p> NE格式模块的特殊性<\/li> 自加载功能的影响<\/li> 实模式内存布局<\/li> <\/ul> <\/li> 图像处理逆向<\/strong>：<\/p> 通过API调用追踪定位关键函数<\/li> 压缩图像格式的特征识别<\/li> 调色板处理机制<\/li> <\/ul> <\/li> 代码复用策略<\/strong>：<\/p> 16位兼容代码编写<\/li> 大内存处理技术（halloc\/huge指针）<\/li> DOS文件操作限制的规避<\/li> <\/ul> <\/li> 逆向工程方法论<\/strong>：<\/p> 从黑盒到白盒的渐进分析<\/li> 通过行为分析推断内部实现<\/li> 最小化假设验证技术<\/li> <\/ul> <\/li> <\/ol> 8. 参考资料<\/h2> Bitmap Functions - MSDN<\/a><\/li> Reversing a 16-bit NE File Part 1<\/a><\/li> Kaitai Struct格式库<\/li> <\/ol>

调试工具<\/th>	适用性评估<\/th> <\/tr> <\/thead>
WinDbg<\/td>	最佳选择，支持NE模块调试<\/td> <\/tr>
OllyDbg 1\/2<\/td>	通过NTVDM间接调试，16位代码断点会异常<\/td> <\/tr>
x64dbg<\/td>	不支持NE格式<\/td> <\/tr>
Open Watcom\/Insight Debugger<\/td>	因自加载功能无法启动目标程序<\/td> <\/tr> <\/tbody> <\/table> 3.2 调试策略<\/h3> WinAPI断点设置<\/strong>：重点关注以下BMP相关函数：<\/p> `CreateBitmap<\/code><\/li>` `CreateBitmapIndirect<\/code><\/li>` `CreateCompatibleBitmap<\/code><\/li>` `CreateDIBitmap<\/code><\/li>` `CreateDIBSection<\/code><\/li>` `LoadBitmap<\/code><\/li> <\/ul> <\/li>` 内存布局分析<\/strong>：<\/p> 16位模块加载在0x10000到0xA0000地址范围<\/li> 类似于实模式内存布局<\/li> <\/ul> <\/li> 函数定位技术<\/strong>：<\/p> 通过函数前导字节序列搜索目标函数<\/li> 示例搜索模式：8b F8 83 3e 08 1f 00 74 2c 83 7e fa 00 74 15 ff<\/code><\/li> <\/ul> <\/li> <\/ol> 3.3 关键发现<\/h3> 图像处理主要发生在两个库中： VBRUN300.dll<\/strong>：Visual Basic运行时库<\/li> FNAUTIL2.dll<\/strong>：包含核心图像处理函数<\/li> <\/ol> <\/li> <\/ul> 4. 图像解压算法分析<\/h2> 4.1 解压流程<\/h3> 读取压缩数据<\/strong>：从MCImage.dat中读取指定偏移和大小的数据<\/li> 调用解压函数<\/strong>：READ_AND_UNPACK_IMAGE<\/code>（内部实现仍为黑盒）<\/li> 尺寸调整<\/strong>：根据screen_height<\/code>和screen_width<\/code>调整解压后图像<\/li> 调色板处理<\/strong>：通过get_palette_handle<\/code>创建调色板<\/li> 位图创建<\/strong>：使用CreateDIBitmap<\/code>创建最终位图<\/li> 资源释放<\/strong>：释放解压使用的临时内存<\/li> <\/ol> 4.2 函数接口<\/h3> HBITMAP decrypt_image(char<\/span><\/span> mcimage_path, <\/span><\/span> unsigned<\/span> long<\/span> enc_image_offset, <\/span><\/span> unsigned<\/span> long<\/span> enc_image_size) <\/span><\/span><\/code><\/pre>5. 代码复用实现<\/h2> 5.1 开发环境<\/h3> 编译器<\/strong>：Open Watcom C（16位兼容）<\/li> 目标平台<\/strong>：16位Windows环境<\/li> <\/ul> 5.2 核心数据结构<\/h3> typedef<\/span> struct<\/span> { <\/span><\/span> long<\/span> unk_1; <\/span><\/span> long<\/span> unk_2; <\/span><\/span> int<\/span> unk_3; <\/span><\/span> int<\/span> mcimage; <\/span><\/span>} ImageFileData; <\/span><\/span><\/code><\/pre>5.3 位图保存实现<\/h3> int<\/span> save_bitmap<\/span>(HBITMAP bitmap, char<\/span><\/span> dec_image_path) <\/span><\/span>{ <\/span><\/span> \/\/ 1. 获取设备上下文 <\/span><\/span><\/span><\/span> HDC dc =<\/span> GetDC(NULL); <\/span><\/span> <\/span><\/span> \/\/ 2. 分配BITMAPINFO结构内存 <\/span><\/span><\/span><\/span> unsigned<\/span> lpbi_size =<\/span> 256<\/span><\/span>4<\/span> +<\/span> sizeof<\/span>(BITMAPINFOHEADER); <\/span><\/span> BITMAPINFO<\/span> lpbi =<\/span> (BITMAPINFO<\/span>)calloc(1<\/span>, lpbi_size); <\/span><\/span> <\/span><\/span> \/\/ 3. 初始化BITMAPINFOHEADER <\/span><\/span><\/span><\/span> lpbi-><\/span>bmiHeader.biSize =<\/span> sizeof<\/span>(BITMAPINFOHEADER); <\/span><\/span> lpbi-><\/span>bmiHeader.biPlanes =<\/span> 1<\/span>; <\/span><\/span> <\/span><\/span> \/\/ 4. 获取位图信息 <\/span><\/span><\/span><\/span> ret_val =<\/span> GetDIBits(dc, bitmap, 0<\/span>, 0<\/span>, NULL, lpbi, DIB_RGB_COLORS); <\/span><\/span> <\/span><\/span> \/\/ 5. 分配位图数据内存 <\/span><\/span><\/span><\/span> void<\/span> __huge<\/span> bits =<\/span> halloc(lpbi-><\/span>bmiHeader.biSizeImage, 1<\/span>); <\/span><\/span> <\/span><\/span> \/\/ 6. 获取位图数据 <\/span><\/span><\/span><\/span> ret_val =<\/span> GetDIBits(dc, bitmap, 0<\/span>, (WORD)lpbi-><\/span>bmiHeader.biHeight, <\/span><\/span> bits, lpbi, DIB_RGB_COLORS); <\/span><\/span> <\/span><\/span> \/\/ 7. 创建输出文件 <\/span><\/span><\/span><\/span> int<\/span> dec_image; <\/span><\/span> _dos_creat(dec_image_path, _A_NORMAL, &<\/span>dec_image); <\/span><\/span> <\/span><\/span> \/\/ 8. 写入文件头 <\/span><\/span><\/span><\/span> BITMAPFILEHEADER file_header =<\/span> {0<\/span>}; <\/span><\/span> file_header.bfType =<\/span> 0x4D42<\/span>; \/\/ "BM" <\/span><\/span><\/span><\/span> file_header.bfSize =<\/span> sizeof<\/span>(BITMAPFILEHEADER) +<\/span> lpbi_size +<\/span> <\/span><\/span> lpbi-><\/span>bmiHeader.biSizeImage; <\/span><\/span> file_header.bfOffBits =<\/span> sizeof<\/span>(BITMAPFILEHEADER) +<\/span> lpbi_size; <\/span><\/span> _dos_write(dec_image, &<\/span>file_header, sizeof<\/span>(BITMAPFILEHEADER), &<\/span>bytes_written); <\/span><\/span> <\/span><\/span> \/\/ 9. 分块写入位图数据（处理>64KB情况） <\/span><\/span><\/span><\/span> DWORD i =<\/span> 0<\/span>; <\/span><\/span> while<\/span>(i <<\/span> lpbi-><\/span>bmiHeader.biSizeImage) { <\/span><\/span> WORD block_size =<\/span> 0x8000<\/span>; <\/span><\/span> if<\/span>(lpbi-><\/span>bmiHeader.biSizeImage -<\/span> i <<\/span> 0x8000<\/span>) { <\/span><\/span> block_size =<\/span> (WORD)(lpbi-><\/span>bmiHeader.biSizeImage -<\/span> i); <\/span><\/span> } <\/span><\/span> _dos_write(dec_image, (BYTE __huge*<\/span>)bits +<\/span> i, block_size, &<\/span>bytes_written); <\/span><\/span> i +=<\/span> block_size; <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 10. 释放资源 <\/span><\/span><\/span><\/span> _dos_close(dec_image); <\/span><\/span> hfree(bits); <\/span><\/span> free(lpbi); <\/span><\/span> return<\/span> 1<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>6. 未来研究方向<\/h2> 自动化逆向分析工具<\/strong>：<\/p> 实现启发式算法重构表、记录和字段<\/li> 交互式界面允许用户修正和补充数据结构<\/li> 正反馈系统，基于已知结构推断其他结构<\/li> <\/ul> <\/li> 交叉引用研究自动化<\/strong>：<\/p> 开发启发式算法识别偏移量指针<\/li> 自动扩展数据库文件格式知识库<\/li> <\/ul> <\/li> 方法论扩展<\/strong>：<\/p> 探索更多数据库逆向工程方法<\/li> 建立标准化逆向工程流程<\/li> <\/ul> <\/li> 公共资源建设<\/strong>：<\/p> 贡献逆向工程文件格式描述<\/li> 参与维护格式库（如Kaitai Struct格式库）<\/li> <\/ul> <\/li> <\/ol> 7. 关键知识点总结<\/h2> 16位调试技术<\/strong>：<\/p> NE格式模块的特殊性<\/li> 自加载功能的影响<\/li> 实模式内存布局<\/li> <\/ul> <\/li> 图像处理逆向<\/strong>：<\/p> 通过API调用追踪定位关键函数<\/li> 压缩图像格式的特征识别<\/li> 调色板处理机制<\/li> <\/ul> <\/li> 代码复用策略<\/strong>：<\/p> 16位兼容代码编写<\/li> 大内存处理技术（halloc\/huge指针）<\/li> DOS文件操作限制的规避<\/li> <\/ul> <\/li> 逆向工程方法论<\/strong>：<\/p> 从黑盒到白盒的渐进分析<\/li> 通过行为分析推断内部实现<\/li> 最小化假设验证技术<\/li> <\/ul> <\/li> <\/ol> 8. 参考资料<\/h2> Bitmap Functions - MSDN<\/a><\/li> Reversing a 16-bit NE File Part 1<\/a><\/li> Kaitai Struct格式库<\/li> <\/ol>

数据库逆向工程(三)：代码复用与图像解压技术详解<\/h1>

1. 数据库逆向工程回顾<\/h2> 在第二部分中，我们研究了Microcat Ford USA数据库的内部机制，重点分析了代表车辆和车辆部件的通用数据结构。本部分将聚焦于零件图的逆向分析，这是该数据库研究的最后一个关键组件。<\/p>

2. 图像存储格式分析<\/h2>

3. 逆向工程方法<\/h2>

4. 图像解压算法分析<\/h2>

5. 代码复用实现<\/h2>

8. 参考资料<\/h2> Bitmap Functions - MSDN<\/a><\/li> Reversing a 16-bit NE File Part 1<\/a><\/li> Kaitai Struct格式库<\/li> <\/ol>

1. 数据库逆向工程回顾<\/h2>
在第二部分中，我们研究了Microcat Ford USA数据库的内部机制，重点分析了代表车辆和车辆部件的通用数据结构。本部分将聚焦于零件图的逆向分析，这是该数据库研究的最后一个关键组件。<\/p>

8. 参考资料<\/h2>

Bitmap Functions - MSDN<\/a><\/li>
Reversing a 16-bit NE File Part 1<\/a><\/li>
Kaitai Struct格式库<\/li> <\/ol>