Hash table concept
1. I believe that you often encounter the following code segment in UE4 or UE5 game reverse engineering
$ ==> > 41:8B42 0C > mov eax,dword ptr ds:[r10+C] >
$+4 > 3B05 AE589B04 > cmp eax,dword ptr ds:[7FF7B68B74F4] >
$+A > 7D 28 > jge projectlh.7FF7B1F01C70 >
$+C > 99 > cdq >
$+D > 0FB7D2 > movzx edx,dx >
$+10 > 03C2 > add eax,edx >
$+12 > 8BC8 > mov ecx,eax >
$+14 > 0FB7C0 > movzx eax,ax >
$+17 > 2BC2 > sub eax,edx >
$+19 > 48:98 > cdqe >
$+1B > C1F9 10 > sar ecx,10 >
$+1E > 48:63C9 > movsxd rcx,ecx >
$+21 > 48:8D1440 > lea rdx,qword ptr ds:[rax+rax*2] >
$+25 > 48:8B05 78589B04 > mov rax,qword ptr ds:[7FF7B68B74E0] >
$+2C > 48:8B0CC8 > mov rcx,qword ptr ds:[rax+rcx*8] >
$+30 > 48:8D1CD1 > lea rbx,qword ptr ds:[rcx+rdx*8] >
$+34 > 8B43 08 > mov eax,dword ptr ds:[rbx+8] >
2. In fact, this is to decrypt the hash ID. Some people don't understand how this ID gets our hash object through this hash table
3. Er~ teacher, what is a hash table?
4. Let's first look at how Baidu explained
5. As mentioned above, we can return the address in a table after bringing any given keyword value key into the function, then we call this table a hash table
6. Does it feel the same as the situation we encountered, we pass a hash ID (Key) in UE4, and get the object through the above code block
7. Ok~ I understand the general concept here, now we start to dynamically analyze this assembly code, and figure out how to decrypt the ID to get the object
Hash ID source
1. First breakpoint under the head, and break
2. Observe the register r10 at this time
3. Go to memory and find that r10 is an object
4. Press F8 to execute a sentence and continue to observe eax
5. It is found that eax stores the hash ID of the obtained 4-byte r10 object + C
6. From here, we observe that all r10 objects + C offsets are a hash ID!
7. Conclusion Everyone must remember! Later, if you see that the address of this object + C offset has a 4-byte ID, then this object is a hash object
8. Then get the hash ID and return the object through the following code segment. Now let's see how the assembly operates the hash ID
Dynamic analysis decryption ID
1. We continue to execute F8 to the next sentence of movzx edx, dx
2. After executing movzx edx, dx, observe that the register edx is 0, so let’s continue
3. After executing add eax, edx, it is observed that the original eax (hash ID) is added to edx (0), and then assigned to eax (hash ID). Note that 4 bytes are being operated here, because The hash ID is a 4-byte
4. At this point, our registers edx(0), eax (hash ID) are still equal to the hash ID due to the addition of 0
5. Continue to execute, after this code mov ecx, eax, we observe that eax (hash ID) is assigned to ecx (hash ID)
6. Continue F8 to execute movzx eax, ax, here is the key point, we observe the register changes
7. The original eax() has changed to 1D73. Did it take the lower 4 bits of the original 31D73? That is, the lower 2 bytes. Note that we are talking about 4 bytes here
8. In fact, it is not difficult to analyze. It turns out that ax means 2 bytes lower. For the convenience of understanding, a picture is drawn here
9. To put it bluntly, rax is 8 bytes, eax is 4 bytes, and ax is 2 bytes
10. So we see that the original 31D73 actually takes the lower 2 bytes and assigns 1D73 to eax
11. Continue to F8 to execute sub eax, edx
12.eax(1D73) plus edx(0) has no change
13. Continue to press F8 to execute sar ecx, 0x10, when this sentence comes to another key point
14. We found that after execution, ecx becomes 3, where is the source of this 3?
15. The analysis shows that this 3 is actually the upper 2 bytes of the above hash ID
16. Well, how did he get it? In fact, we will know the reason after carefully seeing the function of the sar assembly instruction sar ecx, 0x10
17. Some students don’t quite understand the function of sar, let’s take a look on Baidu
18. It is a bit operation!, and we see that sar ecx, 0x10 in 0x10 is converted into decimal, that is, 16 is just moved to the right by 16 bits (binary bits), is it equivalent to removing the original lower 16 bits? The original 16-bit has become the current
The lower 16 bits are 3!
19. A picture is drawn here for easy analysis
20. After analysis, it turns out that the code sar ecx, 0x10 takes the upper 4 bytes of the hash ID, while movzx eax, ax takes the lower 4 bytes
offset expression
1. Above we decrypted the ID and divided it into two parts, rcx (the upper 4 bytes of the hash ID) and eax (the lower 4 bytes of the hash ID)
2. Let's continue to execute, it is relatively simple here is the combination of offset expressions
3. Can get an offset expression
[[0x00007FF7B68B74E0]+ecx8]+eax3*8]==hash object
4. It turns out that our ecx and eax are two indexes, which are decomposed from the hash ID respectively
5. Then we finally come to the conclusion as shown in the figure
6. Well, this is the end of today's hash ID decryption, isn't it very simple?
7. Thanks for the support of the students, thanks for the support of Di University College 285530835
