ZenHAX

Free Game Research Forum | Official QuickBMS support | twitter @zenhax | SSL HTTPS://zenhax.com

All times are UTC




PostPosted: Sat Apr 29, 2017 9:20 am 

Joined: Fri May 27, 2016 2:28 pm
Posts: 43
Hello

Please help me recognize the decryption of Vital Engine 2 GRP archives (Xenus: Boiling Point game). I want to make an unpacker/packer script for QuickBMS (for making fan-made patches in the future).
I'm reverse engineering the engine .dll's and found the 'unpack' function, but I can't understand it. Everything I found I saved to the gfUnpack.c file in the attachment. I could have missed some external functions, so notify me if something is missing.

I also provide a filecutted GRP archive, in which only the file info block is saved (it should contain the file name lengths, file name strings, offsets..)

Struct of archive header block:

Code:
IDString    'FPRG'
Long        version
Long        nFileInfo  --Count of files;
Long        fat_size  --nFileInfo block size;



Thanks.


Attachments:
gfUnpack.c [2.96 KiB]
Downloaded 17 times
newgrp.zip [539.41 KiB]
Downloaded 18 times
PostPosted: Sat Apr 29, 2017 9:40 am 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 6721
Just use the already existing script and replace 0x735a with 47536
http://aluigi.org/bms/fprg.bms

I don't know if there exists a way to guess this value or to identify which archives use one of the 2 values; version is always 1 for both, I guess

*edit* added this second init value as a comment in the script as a reminder


PostPosted: Sat Apr 29, 2017 9:58 am 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 6721
Ah, what's the original size of the sample you provided?


PostPosted: Sat Apr 29, 2017 10:02 am 

Joined: Fri May 27, 2016 2:28 pm
Posts: 43
aluigi wrote:
Ah, what's the original size of the sample you provided?


2859709129

That is full size.


PostPosted: Sat Apr 29, 2017 10:18 am 

Joined: Fri May 27, 2016 2:28 pm
Posts: 43
aluigi wrote:
I don't know if there exists a way to guess this value or to identify which archives use one of the 2 values; version is always 1 for both, I guess


Maybe the 'setPassword' function is "linked" with these values? It is also from the 'gf' section of vital.dll.

Code:
void __cdecl gfSetPassword(GFILE *file, char *password)
{
  char *v2; // eax@5
  signed int v3; // ecx@5
  char v4; // al@8
  char v5; // al@11
  char v6; // al@14
  char v7; // al@17
  char v8; // al@20
  char v9; // al@23
  char v10; // cl@26

  if ( password )
  {
    v2 = (char *)memNew(8u);
    file->password = v2;
    v3 = 0;
    if ( *password )
    {
      *v2 = *password;
      v3 = 1;
    }
    else
    {
      *v2 = 23;
    }
    v4 = password[v3];
    if ( v4 )
    {
      file->password[1] = v4;
      ++v3;
    }
    else
    {
      file->password[1] = 24;
    }
    v5 = password[v3];
    if ( v5 )
    {
      file->password[2] = v5;
      ++v3;
    }
    else
    {
      file->password[2] = 25;
    }
    v6 = password[v3];
    if ( v6 )
    {
      file->password[3] = v6;
      ++v3;
    }
    else
    {
      file->password[3] = 26;
    }
    v7 = password[v3];
    if ( v7 )
    {
      file->password[4] = v7;
      ++v3;
    }
    else
    {
      file->password[4] = 27;
    }
    v8 = password[v3];
    if ( v8 )
    {
      file->password[5] = v8;
      ++v3;
    }
    else
    {
      file->password[5] = 28;
    }
    v9 = password[v3];
    if ( v9 )
    {
      file->password[6] = v9;
      ++v3;
    }
    else
    {
      file->password[6] = 29;
    }
    v10 = password[v3];
    if ( v10 )
      file->password[7] = v10;
    else
      file->password[7] = 30;
  }
  else
  {
    if ( file->password )
      memDeleteDbg(file->password);
    file->password = 0;
  }
}



Yes, version "1" in Codename:Outbreak and Boiling Point games (in all patches)
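
As an added illustration (not part of the thread and not the engine's own code), the decompiled gfSetPassword above collapses to the loop below: an 8-byte key where password bytes are copied until the terminator and every remaining slot i takes the fixed filler 23 + i. The names gf_derive_key and gf_filler_bytes and the sample passwords are made up for this example, and a non-NULL password is assumed.

```c
#include <stdio.h>
#include <string.h>

#define GF_KEY_LEN  8    /* memNew(8u) in the decompiled routine */
#define GF_PAD_BASE 23   /* filler for slot 0; slot i gets 23 + i */

/* Compact equivalent of the key fill in the decompiled gfSetPassword.
 * The source index advances only while password bytes are non-zero, so
 * after the terminator every remaining slot receives its fixed filler.
 * Assumes password != NULL (the original frees the key in that case). */
void gf_derive_key(const char *password, unsigned char key[GF_KEY_LEN])
{
    size_t src = 0;
    for (size_t i = 0; i < GF_KEY_LEN; i++) {
        if (password[src] != '\0')
            key[i] = (unsigned char)password[src++];
        else
            key[i] = (unsigned char)(GF_PAD_BASE + i);
    }
}

/* Number of key bytes that are predictable filler for a given password. */
int gf_filler_bytes(const char *password)
{
    size_t n = strlen(password);
    return n >= GF_KEY_LEN ? 0 : (int)(GF_KEY_LEN - n);
}

int main(void)
{
    /* Constructed sample passwords, not taken from any game. */
    const char *samples[] = { "", "abc", "longpassword" };
    for (size_t s = 0; s < sizeof samples / sizeof samples[0]; s++) {
        unsigned char key[GF_KEY_LEN];
        gf_derive_key(samples[s], key);
        printf("%-14s ->", samples[s][0] ? samples[s] : "(empty)");
        for (size_t i = 0; i < GF_KEY_LEN; i++)
            printf(" %02x", key[i]);
        printf("  (%d filler bytes)\n", gf_filler_bytes(samples[s]));
    }
    return 0;
}
```

Passwords longer than 8 bytes are truncated, so any two that share their first 8 bytes produce the same key.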


PostPosted: Sat Apr 29, 2017 10:45 am 
Site Admin
User avatar

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 6721
The format has only 4 fields: ID, version, files and size
if version is 1 for both the games then there is no way to guess the value used to initialize the key.


PostPosted: Thu Sep 14, 2017 5:26 am 

Joined: Sun Aug 17, 2014 7:27 pm
Posts: 676
How about .grp (filecutter https://mega.nz/#!AWpjRRRK!EjtzSJM8Ks2h ... 80FojhG5os) Xenus 2. White gold. http://store.steampowered.com/app/54623 ... White_gold?


PostPosted: Thu Sep 14, 2017 3:56 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 6721
No idea, it has a different encryption and some fields in the header are missing.


PostPosted: Thu Sep 14, 2017 4:18 pm 

Joined: Sun Aug 17, 2014 7:27 pm
Posts: 676
.grp Tales of Terror: Estate of the Heart Collector's Edition?
Trial Game here: http://www.bigfishgames.com/games/11382 ... e-heart-ce


PostPosted: Thu Sep 14, 2017 4:39 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 6721
My script works perfectly, why?


PostPosted: Fri Sep 15, 2017 2:14 pm 

Joined: Fri May 27, 2016 2:28 pm
Posts: 43
Tales of Terror is also a Deep Shadows game. Big Fish Games is the publisher. So their 'technologies' can be used in that game.

makc_ar, for unpacking White Gold archives you can use GRP Unpacker by Badmofo.


PostPosted: Fri Sep 15, 2017 3:46 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 6721
@StreamThread
Am I wrong or what that tool does is simply calling the gfUnpack("*.grp") function of vital.dll?
Quickbms script (*edit* updated, but not tested):
Code:
get PATH INPUT_FOLDER
calldll "vital.dll" "stFileSystemInit" "stdcall" RET PATH
calldll "vital.dll" "?gfUnpack@@YAXXZ" "stdcall" RET "*.grp"
calldll "vital.dll" "stFileSystemClose" "stdcall" RET
That's what I saw in the source code available on https://web.archive.org/web/20151106040 ... Unpack.zip (because the original website no longer exists)


PostPosted: Fri Sep 15, 2017 3:58 pm 

Joined: Sun Aug 17, 2014 7:27 pm
Posts: 676
Thanks!
I used this toolset: http://www.moddb.com/mods/jungle-space-stone/downloads

PostPosted: Fri Sep 15, 2017 4:59 pm 

Joined: Fri May 27, 2016 2:28 pm
Posts: 43
aluigi wrote:
@StreamThread
what that tool does is simply calling the gfUnpack("*.grp") function of vital.dll?


Possibly. The official unpack tool gfbuild.exe for Boiling Point does. About Badmofo's GF Unpack tool I don't know. But the tool's distribution contains the main engine files (vital.dll, etc.), so it can be.

aluigi wrote:
Quickbms script (*edit* updated, but not tested):
Code:
get PATH INPUT_FOLDER
calldll "vital.dll" "stFileSystemInit" "stdcall" RET PATH
calldll "vital.dll" "?gfUnpack@@YAXXZ" "stdcall" RET "*.grp"
calldll "vital.dll" "stFileSystemClose" "stdcall" RET


I can't try this on the White Gold or Precursors games, but with Boiling Point it doesn't work. The gfUnpack function is not found. In vital.dll the function name is "?gfUnpack@@YAXPAD", but with that change it is still not found.

