ZenHAX


All times are UTC




 Post subject: Quake Champions
PostPosted: Sat Jun 24, 2017 2:05 pm 

Joined: Tue May 30, 2017 1:10 am
Posts: 21
Has anyone looked at the beta for Quake Champions? Data is stored in an unknown .pak format. Actually, I think there are two types of .pak files. One .pak format stores unrelated Chromium data, which looks uncompressed.

The other .pak format stores the game data, but the format is unrecognized. It looks like there's some kind of entry list at the end of the file. All files end with the same 64-bit ID (1P.D.KS1). One of the .pak files is almost 16 GB, so they could store 64-bit offsets, but they look odd to me. From there, I can't make much of anything.

 Post subject: Re: Quake Champions
PostPosted: Wed Jul 12, 2017 11:58 am 

Joined: Fri Jun 02, 2017 2:15 pm
Posts: 11
I too would be interested in this - it's a bit beyond me though, seems to have encryption throughout the archive footer and files directory.

You can go here to get a free Beta key for the game... https://quake.bethesda.net/en/signup
This directs you how to download the game - it has a number of PAK files in the client\preload\paks directory - most are 25-200MB in size, and 1 at nearly 16GB in size.

This is the general archive structure...

Code:
// FILE DATA
  // for each file
      X - File Data
   
// DIRECTORY
  // for each file
    X - Unknown (Encrypted)
    1 - null
    2 - Unknown (4)
    4 - Unknown (4)
 
// ARCHIVE FOOTER
  2 - Header (PK)
  2 - Version? ((bytes)5,6)
  4 - null
  4 - Unknown
  4 - Directory Length
  8 - Directory Offset
  X - Unknown
  40 - Encrypted Footer Info


I suspect somewhere in the 40-byte Encrypted Footer it will contain a pointer to the "PK" field in the ARCHIVE FOOTER, after which you can find the offset and length of the DIRECTORY.

The entries in the DIRECTORY are of varying length, but are similarly sized (i.e. all in the range of say 80-120 bytes in length), so I suspect the encrypted part probably stores filenames and directory paths, and hopefully some length and offset information for each file.

The file data doesn't appear to be encrypted, and I don't think it's compressed either. Certainly, when downloading the data from the website at the top, it only downloaded about 10-11GB for the install, but it takes up about 17GB on my PC, so I'm pretty certain the PAK files are not compressed on my PC (but were obviously compressed when downloading from the website).

Would anyone with encryption expertise care to take a look at this?

Thanks, much appreciated.


 Post subject: Re: Quake Champions
PostPosted: Wed Aug 16, 2017 12:34 pm 

Joined: Fri Jun 02, 2017 2:15 pm
Posts: 11
I have uploaded 3 of the archives here - if anyone can take a look at the encryption, it'd be greatly appreciated.

https://drive.google.com/open?id=0B7gEf ... TM4dmNXdVE

Somewhere in the 40-bytes at the end of the archive, it should contain a pointer to the "PK" field (which seems to be a few thousand bytes before the end of the archive). Once we can get that, we can grab the Directory Offset field.

Then, at the Directory Offset, we can clearly see a repeating pattern of file entries, of varying length, so they almost certainly contain a filename in them, as well as probably Length and Offset details.

Thanks for your help guys


 Post subject: Re: Quake Champions
PostPosted: Wed Aug 16, 2017 3:31 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 7251
I launched offzip -a -z -15 and it worked very well because all or almost all the files are compressed and they don't use chunks.
There are only 0x1e bytes between each compressed file and they are just zeroes, so no info there.

I tried to search the compressed sizes, uncompressed sizes and offsets in the archive but found no references, so it means that the TOC is encrypted. In fact, the last part of the archive is divided into 3 parts: a long sequence of "random" bytes (encrypted TOC), some 64bit numbers and the 40bytes RSA signature.


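The footer search and the "random bytes" observation from the posts above, as an added Python example that is not part of the thread or of quake_champions.bms: it scans an archive's tail for the "PK" footer, reads the directory offset and length, and measures the directory's entropy. The field order comes from the footer listing earlier in the thread; little-endian fields, the 5,6 version check, the function names and the constructed sample archive are assumptions.

```python
import hashlib
import math
import struct
from collections import Counter

# Field order follows the footer listing in the thread; little-endian is an assumption.
FOOTER = struct.Struct("<2s2B4xIIQ")  # "PK", 2 version bytes, 4 null, unknown, dir length, dir offset
TRAILER_LEN = 40                      # opaque block at the very end of the archive

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; values near 8.0 suggest encryption or compression."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_footer(blob: bytes, window: int = 65536):
    """Scan the tail backwards for a "PK" record whose fields are self-consistent."""
    start, end = max(0, len(blob) - window), len(blob) - TRAILER_LEN
    pos = blob.rfind(b"PK", start, end)
    while pos != -1:
        if pos + FOOTER.size <= end:
            _magic, v0, v1, _unk, dir_len, dir_off = FOOTER.unpack_from(blob, pos)
            # A stray "PK" inside other bytes fails the version or bounds check.
            if (v0, v1) == (5, 6) and dir_len > 0 and dir_off + dir_len <= pos:
                return {"footer_at": pos, "dir_offset": dir_off, "dir_length": dir_len}
        pos = blob.rfind(b"PK", start, pos + 1)
    return None

def triage(blob: bytes):
    """Locate the directory and compare its entropy with the data before it."""
    hit = find_footer(blob)
    if hit is None:
        return None
    off, length = hit["dir_offset"], hit["dir_length"]
    hit["dir_entropy"] = entropy(blob[off:off + length])
    hit["data_entropy"] = entropy(blob[:off])
    return hit

def build_sample(pad: bytes = b"\x00" * 100) -> bytes:
    """Constructed archive: plain data, pseudo-random directory, footer, padding, trailer."""
    files = b"plain asset data " * 200
    directory = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    footer = FOOTER.pack(b"PK", 5, 6, 0, len(directory), len(files))
    return files + directory + footer + pad + bytes(range(TRAILER_LEN))

if __name__ == "__main__":
    print(triage(build_sample()))
```

Deflate-compressed file data also scores close to 8 bits per byte, so on a real archive the entropy figure separates the directory from structured fields, not from the compressed files.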
   
 Post subject: Re: Quake Champions
PostPosted: Thu Aug 17, 2017 10:59 am 

Joined: Fri Jun 02, 2017 2:15 pm
Posts: 11
Thanks for trying Aluigi, at least that's better than nothing :-)

Let me know if you think it'd be useful to look at any of the EXEs for a way to crack the encryption, or if you need anything else from me.


 Post subject: Re: Quake Champions
PostPosted: Fri Aug 25, 2017 12:41 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 7251
Here we go :D
http://aluigi.org/bms/quake_champions.bms

The encryption algorithm is a 64bit random number generator taken from "Numerical Recipes 3rd edition", using the first 64bit seed of the last 40 bytes and an ivec of 32 bytes still taken from the last 40 bytes.


 Post subject: Re: Quake Champions
PostPosted: Sat Aug 26, 2017 11:53 am 

Joined: Fri Jun 02, 2017 2:15 pm
Posts: 11
Wow, awesome work, I won't even begin to fathom how you worked that one out, what a nice complicated bit of work :-) Think you'll find lots of people happy to have access to these files.


 Post subject: Re: Quake Champions
PostPosted: Sat Sep 02, 2017 2:04 am 

Joined: Tue May 30, 2017 1:10 am
Posts: 21
Amazing work. Thanks for the help!

