ZenHAX

Free Game Research Forum | Official QuickBMS support | twitter @zenhax | SSL HTTPS://zenhax.com
All times are UTC




Posted: Mon Sep 08, 2014 11:56 pm

Joined: Thu Aug 14, 2014 8:52 pm
Posts: 181
Hello guys, well I wanna say thanks for all the hard work being done here, special thanks to aluigi, zaramot and Ekey, they are supporting very well, so now I come with this game, I checked the graphics and they are really awesome, a 3D MMORPG, so well, checking the files I got that the format is .PG, so well, maybe somebody can take a look into this format? OK, many thanks again for all the help given and have a nice day guys, see you next time.

Web: http://tianyu.163.com/
Download: http://tianyu.163.com/download/

Samples

http://puu.sh/brkWh/954a2846fd.7z


Posted: Tue Sep 09, 2014 10:22 am
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 6453
I don't see the ZSIZE field but I suspect it's obfuscated at the end of the archive.

The following is a quick and lame work-around to unpack the archived files.
It may have some problems with some files but it's worth a try.
Code:
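# work-around: treat every "ZZZZ" marker as the start of an lzo1x chunk
comtype lzo1x
idstring "2gab"
get ARCHIVE_SIZE asize
findloc OFFSET string "ZZZZ" 0 ""
for OFFSET = OFFSET < ARCHIVE_SIZE
    # skip the 4-byte marker, then read the uncompressed size
    math OFFSET += 4
    goto OFFSET
    get SIZE long
    savepos OFFSET

    # ZSIZE is not stored here, so take everything up to the next marker
    findloc NEXT_OFFSET string "ZZZZ" 0 ""
    if NEXT_OFFSET == ""
        math NEXT_OFFSET = ARCHIVE_SIZE
    endif
    xmath ZSIZE "NEXT_OFFSET - OFFSET"

    # empty name: the archive names are not known at this point
    clog "" OFFSET ZSIZE SIZE
    math OFFSET = NEXT_OFFSET
next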


Posted: Tue Sep 09, 2014 12:27 pm

Joined: Thu Aug 14, 2014 8:52 pm
Posts: 181
Many thanks for your try, but the bad thing is we can't get the real names of the files and extensions, like models unpacked with .dat by default, and this is not the native format :( and well, it just unpacks some files, after decompressing some files it gives this error.

Image


Posted: Tue Sep 09, 2014 12:34 pm
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 6453
Currently there are no other solutions, problems like that are normal using this method.


Posted: Tue Sep 09, 2014 12:51 pm

Joined: Sat Aug 09, 2014 2:34 pm
Posts: 713
The main table is encrypted. The format is the same as in the game JianLong. Here is the decryption algo from JianLong (keys can be different).

Code:
struct BAGHeader
{
   DWORD   dwID;
   DWORD   dwTotalFiles;
   DWORD   dwTableOffset;
};


Code:
//1bag
dwTotalFiles ^ 0xe7356461
dwTableOffset ^ 0xcb449442


Code:
//2bag
dwTotalFiles ^ 0x27252421
dwTableOffset ^ 0x3b343432


Code:
#include <stdint.h>

typedef uint32_t DWORD;

// Decrypts dwCount 12-byte table entries from pScrBuffer into pDstBuffer.
// dwOffset is XORed into every DWORD and advances by 12 after each entry.
// Returns the destination buffer.
DWORD *JLBAGDecrypt(DWORD dwVersion, DWORD dwOffset, const DWORD *pScrBuffer, DWORD *pDstBuffer, DWORD dwCount)
{
  DWORD i;

  if ( dwVersion == 0x62616731 ) // 1bag
  {
    for ( i = 0; i < dwCount; i++ )
    {
      pDstBuffer[3 * i]     = dwOffset ^ pScrBuffer[3 * i]     ^ 0x698346BD;
      pDstBuffer[3 * i + 1] = dwOffset ^ pScrBuffer[3 * i + 1] ^ 0x867389FE;
      pDstBuffer[3 * i + 2] = dwOffset ^ pScrBuffer[3 * i + 2] ^ 0xABEDC59D;
      dwOffset += 12;
    }
  }
  else if ( dwVersion == 0x62616732 ) // 2bag
  {
    for ( i = 0; i < dwCount; i++ )
    {
      pDstBuffer[3 * i]     = dwOffset ^ pScrBuffer[3 * i]     ^ 0x5953565D;
      pDstBuffer[3 * i + 1] = dwOffset ^ pScrBuffer[3 * i + 1] ^ 0x6663696E;
      pDstBuffer[3 * i + 2] = dwOffset ^ pScrBuffer[3 * i + 2] ^ 0x7B7D757D;
      dwOffset += 12;
    }
  }
  return pDstBuffer;
}


Entries don't contain names, only hashes.

Also you can look at the bms script: http://forum.xentax.com/viewtopic.php?p=82822#p82822
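
The header de-obfuscation from the post above, written as a bounds-checked C parser. This is an added example, not code from the thread or from QuickBMS. The little-endian layout, the 12-byte entry size, the rule that the table cannot overlap the header and the name `bag_parse_header` are assumptions; the sample header is constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define ID_1BAG 0x62616731u /* bytes "1gab" on disk */
#define ID_2BAG 0x62616732u /* bytes "2gab" on disk */
#define ENTRY_SIZE 12u      /* assumption: one entry per 12-byte decrypt step */

typedef struct { uint32_t dwID, dwTotalFiles, dwTableOffset; } BAGHeader;

/* Constructed sample: "2gab" header with 3 files and table offset 100. */
static const uint8_t SAMPLE_HDR[12] = { '2','g','a','b',
    0x22,0x24,0x25,0x27, 0x56,0x34,0x34,0x3b };

/* Little-endian DWORD read, independent of host byte order. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 0 on success, -1 for an unknown ID, -2 if the table claimed by
   the header does not fit inside an archive of archive_size bytes. */
int bag_parse_header(const uint8_t hdr[12], uint64_t archive_size, BAGHeader *out)
{
    uint32_t key_files, key_table;
    uint64_t table_end;

    out->dwID = rd32(hdr);
    if (out->dwID == ID_1BAG)      { key_files = 0xe7356461u; key_table = 0xcb449442u; }
    else if (out->dwID == ID_2BAG) { key_files = 0x27252421u; key_table = 0x3b343432u; }
    else return -1;

    out->dwTotalFiles  = rd32(hdr + 4) ^ key_files;
    out->dwTableOffset = rd32(hdr + 8) ^ key_table;

    /* 64-bit maths: a hostile file count cannot wrap the bounds check. */
    table_end = (uint64_t)out->dwTableOffset + (uint64_t)out->dwTotalFiles * ENTRY_SIZE;
    if (out->dwTableOffset < 12 || table_end > archive_size) return -2;
    return 0;
}

int main(void)
{
    BAGHeader h;
    int rc = bag_parse_header(SAMPLE_HDR, 136, &h);
    printf("rc=%d files=%u table=%u\n", rc, (unsigned)h.dwTotalFiles, (unsigned)h.dwTableOffset);
    return 0;
}
```

With 32-bit arithmetic a decoded count of 0xFFFFFFFF would wrap the product and pass the check, which is why the sum is computed in 64 bits before the table is read or decrypted.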


Posted: Tue Sep 09, 2014 1:39 pm
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 6453
Well done, the following is my script:
http://aluigi.org/papers/bms/others/1gab_2gab_bag.bms


Posted: Wed Sep 10, 2014 3:00 am

Joined: Thu Aug 14, 2014 8:52 pm
Posts: 181
aluigi, I have a question, thanks for this hard work and same for Ekey, so my question is how is it possible to get the file names of the archives? Only by dumping information from memory? How do the Chinese make their tools to get the file names when we can't get them with quickbms, like other games you supported before? That's my question because I'm so curious, OK, thanks again for your support.


Posted: Wed Sep 10, 2014 8:59 am
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 6453
The filenames are stored as hashes, so usually the way is dumping all the filenames read by the game with hooking (for example in a function that takes the filename as argument) and then building a database with these filenames and the relative hashes.
When you find a hash, you take a look at the database and replace it with the filename.

This is something I would like to implement in quickbms, a simple way to use a database and automatically replace names.
Something like:
get_name_hash NAME MEMORY_FILE
where MEMORY_FILE is the buffer containing all the database
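
The hash-to-name database described in the post above, as an added C example that is not part of the thread or of QuickBMS. The game's hash is not given on this page, so 32-bit FNV-1a stands in for it; `db_build`, `db_resolve` and the sample names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { uint32_t hash; const char *name; } NameEntry;
/* Constructed sample names, standing in for a list dumped from the game. */
static const char *const SAMPLE_NAMES[3] = {
    "models/hero.mesh", "textures/sky.dds", "sound/intro.ogg" };

/* Stand-in hash (32-bit FNV-1a); the thread does not give the game's hash. */
uint32_t name_hash(const char *s)
{
    uint32_t h = 2166136261u;
    while (*s) { h ^= (uint8_t)*s++; h *= 16777619u; }
    return h;
}
static int cmp_entry(const void *a, const void *b)
{
    uint32_t x = ((const NameEntry *)a)->hash, y = ((const NameEntry *)b)->hash;
    return (x > y) - (x < y);
}
/* Fills db sorted by hash. Returns n, or -1 when two different names share
   a hash, because the lookup would then be ambiguous. */
int db_build(NameEntry *db, const char *const *names, int n)
{
    int i;
    for (i = 0; i < n; i++) { db[i].hash = name_hash(names[i]); db[i].name = names[i]; }
    qsort(db, (size_t)n, sizeof *db, cmp_entry);
    for (i = 1; i < n; i++)
        if (db[i].hash == db[i - 1].hash && strcmp(db[i].name, db[i - 1].name) != 0)
            return -1;
    return n;
}
/* Writes the file name for hash into out. Returns 1 on a database hit and
   0 when it falls back to a .dat name built from the hash itself. */
int db_resolve(const NameEntry *db, int n, uint32_t hash, char *out, size_t outlen)
{
    NameEntry key = { hash, NULL };
    const NameEntry *hit = bsearch(&key, db, (size_t)n, sizeof *db, cmp_entry);
    if (hit) { snprintf(out, outlen, "%s", hit->name); return 1; }
    snprintf(out, outlen, "%08x.dat", (unsigned)hash);
    return 0;
}
int main(void)
{
    NameEntry db[3];
    char out[64];
    if (db_build(db, SAMPLE_NAMES, 3) == 3 &&
        db_resolve(db, 3, name_hash("sound/intro.ogg"), out, sizeof out))
        puts(out);
    return 0;
}
```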


Posted: Wed Sep 10, 2014 6:31 pm

Joined: Thu Aug 14, 2014 8:52 pm
Posts: 181
Ummm, well, very interesting, I'll try to check it later, but really it would be cool if you can add this support soon, anyway thanks a lot for the hard work again, grateful for all you try to do here, take care Luigi.

