ZenHAX

Free Game Research Forum | Official QuickBMS support | twitter @zenhax | SSL HTTPS://zenhax.com
It is currently Wed Oct 18, 2017 3:06 pm

All times are UTC




Post new topic  Reply to topic  [ 9 posts ] 
Author Message
PostPosted: Thu Oct 05, 2017 2:11 pm 

Joined: Fri Feb 03, 2017 8:47 pm
Posts: 6
Hey, I got referred to here for help on this.

I tried a few file extractors like Xripper and dragon unpcker, but they can't seem to look into TipTop.dat. I assume it is the archive since it is the largest file. Both the exe and dat file is included.

http://www.jeffmakesgames.com/misc/TipTop.zip

As for what Tip Top is, it's a very old Popcap game.


Last edited by JeffMakesGames on Thu Oct 05, 2017 11:49 pm, edited 1 time in total.

Top
   
PostPosted: Thu Oct 05, 2017 9:34 pm 
Site Admin
User avatar

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 6870
I'm quite sure that the obfuscation used in the whole archive is a custom bit rotation of each byte because the byte 0 remains 0.
Can you upload the executable too?
Just in case someone wants to do the job without doing tentatives by hand


Top
   
PostPosted: Thu Oct 05, 2017 11:48 pm 

Joined: Fri Feb 03, 2017 8:47 pm
Posts: 6
Sure thing!

I took both files and packed them into a zip and will update the link above.


Last edited by JeffMakesGames on Thu Oct 05, 2017 11:53 pm, edited 1 time in total.

Top
   
PostPosted: Thu Oct 05, 2017 11:51 pm 

Joined: Sat Aug 09, 2014 2:34 pm
Posts: 715
Code:
char ttd_decrypt(unsigned char *pBuffer, int dwSize)
{
  unsigned char t1;
  unsigned char t2;
  unsigned char t3;
  char temp;
  char result;

  if ( dwSize )
  {
    do
    {
      t1 = *pBuffer & 0xFA | 4 * (*pBuffer & 1) | (*pBuffer >> 2) & 1;
      t2 = t1 & 0xBD | 32 * (t1 & 2) | (t1 >> 5) & 2;
      t3 = t2 & 0x77 | (t2 >> 4) & 8 | 16 * (t2 & 0xF8);
      temp = 2 * (t3 & 0x10) | (t3 >> 1) & 0x10;
      result = t3 & 0xCF;
      *pBuffer++ = result | temp;
      --dwSize;
    }
    while ( dwSize );
  }
  return result;
}


Top
   
PostPosted: Fri Oct 06, 2017 12:25 am 

Joined: Fri Feb 03, 2017 8:47 pm
Posts: 6
Is that a bms script?


Top
   
PostPosted: Fri Oct 06, 2017 11:45 am 
Site Admin
User avatar

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 6870
Now yes:
http://aluigi.org/bms/tiptop_deluxe.bms


Top
   
PostPosted: Fri Oct 06, 2017 5:01 pm 

Joined: Fri Feb 03, 2017 8:47 pm
Posts: 6
Hmm, for some reason, the script did not work.

When trying to run it, QuickBMS says: The script has requested to load a function from the dll MEMORY_FILE10. Do you want to continue? (Y/N)

Telling it yes results in an error:

- Library MEMORY_FILE10 loaded at address 08530000

Error: The input library is handled as raw data so can't have a function name.

Last script line before the error or that produced the error:
35 call dll MEMORY_FILE10 "ttd_decrypt" "tcc" MEMORY_FILE SIZE


Top
   
PostPosted: Fri Oct 06, 2017 5:33 pm 
Site Admin
User avatar

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 6870
You are using an old version of quickbms.
Latest is 0.8.1


Top
   
PostPosted: Fri Oct 06, 2017 6:22 pm 

Joined: Fri Feb 03, 2017 8:47 pm
Posts: 6
Yay! Got it! Thanks! :D


Top
   
Display posts from previous:  Sort by  
Post new topic  Reply to topic  [ 9 posts ] 

All times are UTC


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Powered by phpBB® Forum Software © phpBB Limited