I have already replied to you.

hFile changes on each call to CreateFile so you won't find it. Looks like this isn't very clear part of my guide since there was another comment on this question earlier – check out my answer.

You've read the entire thing and still have no idea?

The point in what is described here is to load game executable that interprets game scenarios and determine the exact algorithm it uses to extract scripts from game archives (if there are any), to determine how it converts scenario bytecode into operations and how it treats strings. Then you write your own tool to convert scenario into text files that after editing (translating) can be converted back into the format recognized by the game.

Hey, ¶

Can you give me some details on what exactly confuses you? Or at least starting from which paragraph (in Part 3). ¶

Hey Sledge, are my mails still landing in your spambox? ¶

Hey Pyrex! ¶

Nice to see you around. Don't worry, I'm extremely (that's true) excited to expain something to someone from «scratch» :) ¶

Please ask questions without second thought even if they look too noobish – it helps me understand what you and others need to learn. ¶

(Oh, and it's pretty good to be a Japanese translator… my respect.) ¶

Let's start with the hexeditor and how program usually handles strings. What you see before yourself when you open runme.dat you see exactly what my ScenarioRunner sees too. It means that it starts from the first byte ever – that is, 06. Then it sees 00, then 0E 00 and so on. ¶

In other words, it reads this file byte-by-byte. Actually, runme.dat is just like a story script or performance scenario. Why? Because if you remove some stuff from this file, change it or do something else the program will, depending on the changes (and thus depending on the file contents), also alter its own execution. Just like a stage performance – give the guys wrong sheet and they'll screw it up… Or, as in our case, replace some stuff here and there and «guys» will do it alright – but sing a different song. Talk in another language. Sounds familiar, eh? That's what we want ScenarioRunner or any other game to do – speak in English instead of Japanese. That's just one case of course. ¶

So yeah, the program reads some scenario file from its first byte (actually it can read it from an arbitrary position but it's safe to assume this simplest case), interprets those bytes and does something, then repeats. By interpreting here I mean that, say, byte with hex value FF doesn't mean anything by itself – this value won't make MS Paint output a message but when our program reads it it thinks: «Aha, my scenario instructs me to do command No. 255 – let's look up what it means…». Naturally, every program that runs scenarios has an opcode (operation code) table that maps codes to specific routines that actually output messages, read user input, etc. ¶

Now a bit deeper dive. Say, a program sees byte FF which means «output a message» – a message like you see in any Visual Novel. But wait – the program does not contain those messages, does it? It runs scenario file(s). So the message must be there. ¶

Naturally, as any scenario file is an octet stream («octet» is a clever name for «8 bits» which in our context means «byte»), or a data stream, or a stream of bytes. So when it reads that FF byte it must then read the string to output. Technically, nothing prevents the program from reading it from the end of scenario file, from another file or from some network location (but I haven't seen such crazy programs yet). Usually since programmers are in general sane people they will read the message to be output after the instruction's opcode. In other words, first goes opcode, then goes some string. ¶

Does it make sense so far? ¶

So we're speaking about this structure: ¶

<INSTRUCTION> <STRING>

For example: ¶

<FF> <06 H e l l o !>

Or, in bytecode: ¶

<FF> <06 48 65 6C 6C 6F 21>

First we see message opcode – FF – that makes the program output some message; then we see some stuff. Since the program reads file byte-by-byte from left to right (even Arabic programs don't read files from right to left) it sees FF first, then it reads string… but to which length? So 06 above is actually string's length – program reads this value, thinks: «Look, the string is going to be 6 characters long. Let's grab them all». So after reading 06 it reads all those 48 65 6C 6C 6F 21 bytes that actually correspond to ANSI codes of characters «Hello!». ¶

Edit the first string – I made it «Do not cry…» – in this case we have an extra «!» left from the old string – delete it. The file will become 1 byte shorter.  ¶

Now about this part. What I meant here was about this piece of runme.dat: ¶

  06 00 0E 00 4D 61 6B 65 20 6D 65 20 6C    ....Make me l
  61 75 67 68 21                            augh!

Suppose we want to make program output «Do not cry…» instead of the above text. What is the most obvious way? Simply overwrite the above bytes (from «M» 4D to «!» 21) with the new string. In 010 editor, put the cursor on letter «M» on the right frame (narrow column with letters and symbols), make sure OVR, not INS is written in bottom-right corner of the program's statusbar and start typing. OVR means overwrite mode while INS means insert mode – you can toggle between them with the Insert key on the keyboard (near Delete and Home). ¶

You will type last period (of «cry…») and the cursor will stop on the exclamation mark that has left from the original string. What to do with it? Well, this is the point the tutorial can pick you up on: ¶

1. …we have an extra «!» left from the old string – delete it. The file will become 1 byte shorter.

Good start! Now push harder and break the language barrier :) ¶

You're getting hang of this whole thing, Sledge :) Your code seems fine to me although generally you should try to give variables more «human» names (even if you don't fully understand their purpose). For example, I would name al as byteKey, thisKey or even salt and v1/v2 as key1/key2. ¶

Since you're posting a lot lately let me give you a brief markup legend: ¶

**bold** //italic// __under__
^^super^^ --strike--
((http://google.com The Oogle))
> Inline quotation

Code is created by placing %% around the text and can be block (each %% is placed on separate lines) and inline. You seem to already know that :) But you can highlight the code too by putting braces with the syntax scheme after the opening %%: ¶

%%(php)echo 'code';%%
%%(delphi)WriteLn('Hi!');%%
%%(asm)IMUL EAX, 03h%%

Block code (works with any syntax scheme, e.g. those above): ¶

%%(asm)
MOV EAX, [EBX]   ; comment
%%

asmMOV EAX, [EBX]   ; comment

Currently there's no C highlighter, though. ¶

1. I'm not sure signed char is the best data type for the low piece of a Extended Register

You've made it right in the code but not in the comment :) ¶

AL/AH

8-bit value, char

AX

16-bit value, unsigned short int

EAX

32-bit value, unsigned int

RAX

I believe that's how EAX is named in 64-bit systems

I'm not sure why you're using unsigned char, though – there's no difference as long as you're using bitwise ops but it still look redundant. ¶

1. but all it took me was changing ONE line in my code.

This is usually how games work – most of them use symmetric or almost symmetric de/coding which is both easier to program and reverse-engineer. ¶

1. by the way I should change this function name too since it now does both things.

You can name it «transform», for instance. ¶

Hey, Sledge! ¶

You know what, you're actually making progress. Now that you've found the decoded script you've made half of the road. And I can see plain texts there so the game doesn't seem to encode them individually in any way (for example, some games use a modification of ShiftJIS that encode kana as 1 byte instead of 2 to squeeze texts). ¶

The reason why you're seeing those «_» functions is that they are 16-bit versions of CreateFile and friends: _lcreat function. This means they're really really old, even older than Win9x in some way. I even doubt that the game will run on Vista and above since 16-bit support has been removed from the core. ¶

Have you found an extremely old game or is it using those functions as a surprise for the hackers? ¶

Usually yes although a game might use standard Windows CryptoAPI or some other external function but I haven't seen one doing this yet ¶

However, this is usually more complicated. To give you an idea: ¶

1. «Wind» XOR encryption – essentially what you have in mind. Check the Wikipedia on XOR – it's an operation which allows you to create very basic but effective encryption. See: CD xor 11 = DC (encryption), DC xor 11 = CD (decryption) – here CD is the original unencoded byte and 11 is a cryption key. So when using"wind" encryption you'll find a (usually small) loop iterating once for each input byte.
2. We can still use XOR but make it more complex by getting crypting key from some table instead of using a constant number that doesn't change per encoded file, per encoding byte offset, per time/date/version/weather/etc. This is what most games do since there's not much room for customizing XOR. Some of them are really mad here.

For example, Sono Hanabira uses XOR encryption like this: ¶

1. Compute MD5 hash of form «SonoHanabira…» + chunk number; since MD5 hashes are always 32 chars long each chunk is also 32 bytes long.
2. Decode each byte from current offset like: byte[0] xor hash[0], byte[1] xor hash[1], etc. until 32 bytes are decoded.
3. Repeat from the first step until the EOF, incrementing chunk counter.

Another game, PatchuCon, uses a multitude of XOR tables and runs the same data over different kind of XOR loops several times. You can get the idea of the amount of xorring by checking my tool's code. ¶

Planetarian is definitely a killer becomes it uses some mad calculations to decode its data. I haven't worked out the full mechanics but even Haeleth (who's created RLDev) is using a hook in his localization. ¶

And completely crazy engines like WARC (.war files) even contain EXE files in some of its archives that they call (after it has been decrypted) to decrypt the rest of the archive. So they contain no decryption themselves. ¶

But don't worry – there are more simple encryptions than there are complex :) ¶

Usually, if the game uses XOR (and most of them are since it's simple) you'll first stumble upon a loop which, as you trace it step-by-step, produces decoded bytes that you're able to see elsewhere (for example, when the game is already running and you're dumping its memory to look for loaded data). Then you find out how the loop works and then reverse-engineer it to the top loop(s) that produce XOR table(s) or somehow else control the decryption. ¶

Btw, you can do memory dumps with LordPE. ¶

You're saying CreateFile args are not changed? Have you tried looking around the code, perhaps check the caller, what it does and why it loops? ¶

It's normal for a game to call CreateFile multiple times (say, 5) even with the same file name here and there but it definitely should not be stuck. ¶

You can pick any engine from my VN tools page (vn.i-forge.net). You can pretty much determine which engine a game uses by looking at its archives' file extension or using some extract tool (like AnimED, ExtractData or CRASS) – usually it'll tell you the name of the format. ¶

Sometimes you can also see the engine name used in the game exe's File Info dialogue (under Version, Comment or other field). ¶

Some commonly used engines I've primarily dealt with: ¶

• XP3 – KiriKiri/KAG engine (plenty of games)
• NOA/CSX – Entis scripting engine (Yosuga no Sora and many others)
• ARC – Majiro (Katahane, Aoi Shiro and others)
• MSD – FJSys (Sono Hanabira ni Kuchizuke wo)
• ISF – IkuraGDL (Crescendo)

That's what I can come up with ATM. If you have any questions don't hesitate to ask, now or later :) ¶

1. your documents provide some practice examples

Yeah, there's a lot of debugging practice with IDA and ScenarioRunner is a program I wrote myself that mimics the structure and behaviour of a typical visual novel/other scripting game. ¶

Please don't hesitate to ask any questions anytime should they arise. ¶

Frankly I haven't read any hacking tutorials myself :) Like I'm saying in the tutorial one day I just woke up and understood how things worked, then I tried to hack a few games to polish my skills. ¶

Did my tutorial help you in any way? If there's something unclear I might be able to explain. Also note that there are games with strong protection so you might have been out of luck picking one of them. ¶