ZenHAX

Free Game Research Forum | Official QuickBMS support | twitter @zenhax | SSL HTTPS://zenhax.com
It is currently Thu Jun 21, 2018 6:47 am

All times are UTC




Post new topic  Reply to topic  [ 39 posts ]  Go to page 1 2 Next
Author Message
PostPosted: Tue Jul 26, 2016 8:27 pm 

Joined: Sun Aug 30, 2015 12:51 pm
Posts: 48
http://www20.zippyshare.com/v/1MIJVhOF/file.html

Files look like xor-ed ZIPs. Also in memory exe dump there are signs that game actually uses ZIP files as resources.

If someone could help to find the key and needs an exe - pm me.

TYVM.


Top
   
PostPosted: Wed Jul 27, 2016 1:21 am 

Joined: Sat Aug 09, 2014 2:34 pm
Posts: 759
Fast look - info

Code:
struct BinHeader
{
   uint32_t   dwID;
   uint16_t   wVersion; // 1 - is encrypted
   uint16_t   wComprType; // 11 - is Zlib
   uint32_t   dwFiles;
   uint32_t   dwIndexZSize; //Index table (compressed size)
   uint32_t   dwNamesSize; //Names table (real size)
   uint32_t   dwNamesZSize; //Names table (compressed size)
   uint32_t   dwUnknown3; // ???
};


Read index table (offset 0x1C)
:geek:

Read names table (offset after index table)
:geek:

Decrypting

Code:
void iDecrypt(unsigned char* pBuffer, unsigned int dwSize)
{
   int i = 0;
   int m_Key = (((signed __int16)(dwSize + 85) | ((signed __int16)(dwSize + 85) << 16)) ^ 0x3B9A1D9) & 0xFFFFFFF;
   do
   {
      ++i;
      m_Key = (0x3FD * m_Key + 1) & 0xFFFFFFF;
      *((DWORD *)pBuffer + i - 1) ^= m_Key;
   }
   while (i < dwSize >> 2);
}


Tables also compressed by zlib.


Top
   
PostPosted: Wed Jul 27, 2016 7:01 am 
Site Admin
User avatar

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 8298
Well done:
http://aluigi.org/bms/marvel_ultimate_alliance.bms

I used the algorithm to build a xor key so that the script is valid for reimporting too :)


Top
   
PostPosted: Wed Jul 27, 2016 8:26 am 

Joined: Sun Aug 30, 2015 12:51 pm
Posts: 48
Thanks for the script!

Though it seems it can't extract some bins. Like textures.bin, in example.

0000000000078e72 264940 ui/hud_x1.igz
000000000007df45 264940 ui/hud_xenon.igz
000000000008301d 133868 ui/menu_gestures.igz

Error: the compressed zlib/deflate input is wrong or incomplete (-3)
Info: algorithm 1
offset 000000000008301d
input size 0x000000000000c52a 50474
output size 0x0000000000020aec 133868
result 0xffffffffffffffff -1

Error: the uncompressed data (-1) is bigger than the allocated buffer (527084)

Last script line before the error or that produced the error:
39 clog NAME OFFSET ZSIZE SIZE

Should I upload the file?


Top
   
PostPosted: Wed Jul 27, 2016 9:27 am 
Site Admin
User avatar

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 8298
Yeah, upload the archive.


Top
   
PostPosted: Wed Jul 27, 2016 9:53 am 

Joined: Sun Aug 30, 2015 12:51 pm
Posts: 48
http://www110.zippyshare.com/v/5ldWtob2/file.html

Is there a way simply de-xor/re-xor the whole res-file, just in case?


Top
   
PostPosted: Wed Jul 27, 2016 10:03 am 
Site Admin
User avatar

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 8298
Uhmmm there is nothing wrong in the script or in the fields (same of other files), the beginning of the decrypted data is ok (0x78 0x9c ...) but it can't be decompressed even with offzip.

The only solution was to just avoid to terminate if the decompression fails, script 0.1a.


Top
   
PostPosted: Wed Jul 27, 2016 10:54 am 

Joined: Sun Aug 30, 2015 12:51 pm
Posts: 48
aluigi wrote:
Uhmmm there is nothing wrong in the script or in the fields (same of other files), the beginning of the decrypted data is ok (0x78 0x9c ...) but it can't be decompressed even with offzip.

The only solution was to just avoid to terminate if the decompression fails, script 0.1a.

Thank you, now it extracts other files too.

Is there a way simply de-xor/re-xor the whole res-file, just in case? I mean, dump the file without encryption with possibility to re-encrypt it back. That way maybe we'll find a way to build those unencrypted files from the scratch and then just encrypt them for game to accept?

Bu the way, did you try other deflate solutions like reflate to get this broken file?


Top
   
PostPosted: Wed Jul 27, 2016 11:05 am 

Joined: Sat Aug 09, 2014 2:34 pm
Posts: 759
Script also works on Marvel Ultimate Alliance 2


Top
   
PostPosted: Wed Jul 27, 2016 11:57 am 
Site Admin
User avatar

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 8298
@Panzerdroid
It's not a one-run decryption, you have to decrypt every single TOC, names and file.
The script is valid for reimporting in case you are need it.
Regarding "reflate", it's not an algorithm :) The algorithm here is zlib (container for deflate data) so it works or doesn't work, no alternatives.
Maybe it's a failed decryption of that specific file? Don't know.

@Ekey
Great.
I have a script for MUA2, but the format is totally different ("AGI"/"IGA")


Top
   
PostPosted: Wed Jul 27, 2016 1:00 pm 

Joined: Sat Aug 09, 2014 2:34 pm
Posts: 759
Current script only for games from developer Zoë Mode. This two games released yesterday.

http://store.steampowered.com/app/433300
http://store.steampowered.com/app/433320


Top
   
PostPosted: Wed Jul 27, 2016 2:30 pm 

Joined: Sun Aug 30, 2015 12:51 pm
Posts: 48
191 files in textures.bin are extracted in uncompressed form. Can't find any common things in them, like strange size. What a weird file format that Zoe Mode have made!


Top
   
PostPosted: Wed Jul 27, 2016 3:04 pm 
User avatar

Joined: Fri Aug 08, 2014 1:06 am
Posts: 501
if the archives of this PC port are anything like the ones for X360 then there is a mix of compressed and uncompressed files in them and a flag is used to determine which is which, the "unsupported" files might just be uncompressed according to daemon1 here
http://forum.xentax.com/viewtopic.php?p=118195#p118195


Top
   
PostPosted: Wed Jul 27, 2016 3:24 pm 

Joined: Sun Aug 30, 2015 12:51 pm
Posts: 48
Acewell wrote:
if the archives of this PC port are anything like the ones for X360 then there is a mix of compressed and uncompressed files in them and a flag is used to determine which is which, the "unsupported" files might just be uncompressed according to daemon1 here
http://forum.xentax.com/viewtopic.php?p=118195#p118195

Maybe, but for some reason those files are extracted with typical deflate magic bytes - 78 9C.
In example, in models.bin there are 2155 such files out of 4879. Others are properly extracted. As I said above - I see no any order. Goog/"bad" files may be located in the same folder.

As Luigi, I also tried offzip and reflate on "bad" files with no luck.

So, very strange...


Top
   
PostPosted: Wed Jul 27, 2016 4:16 pm 

Joined: Sun Aug 30, 2015 12:51 pm
Posts: 48
http://www3.zippyshare.com/v/YoiLKM7j/file.html

These 2 bin files can't be extracted at all. Additional encryption?


Top
   
PostPosted: Wed Jul 27, 2016 4:33 pm 
Site Admin
User avatar

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 8298
Ok, I have an idea. Wait...


Top
   
PostPosted: Wed Jul 27, 2016 4:45 pm 
Site Admin
User avatar

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 8298
Script 0.1.1, now it works perfectly :D

The problem was the "signed int16" that required additional work in the script.

P.S.: wait if the script is not available yet on the server...


Top
   
PostPosted: Wed Jul 27, 2016 6:32 pm 

Joined: Sun Aug 30, 2015 12:51 pm
Posts: 48
aluigi wrote:
Script 0.1.1, now it works perfectly :D

The problem was the "signed int16" that required additional work in the script.

P.S.: wait if the script is not available yet on the server...

Available, but is 0 bytes :(


Top
   
PostPosted: Wed Jul 27, 2016 7:26 pm 
Site Admin
User avatar

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 8298
Check it now


Top
   
PostPosted: Wed Jul 27, 2016 7:39 pm 

Joined: Sun Aug 30, 2015 12:51 pm
Posts: 48
aluigi wrote:
Check it now

Many thanks! Now it works perfectly for every file. You're a freakin' genius! :)


Top
   
Display posts from previous:  Sort by  
Post new topic  Reply to topic  [ 39 posts ]  Go to page 1 2 Next

All times are UTC


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Powered by phpBB® Forum Software © phpBB Limited