ZenHAX

Hello guys, well I wanna say thanks for all this hard work doing here, special thanks to aluigi, zaramot and Ekey, they supporting very well, so now I come with this game I check graphics and really are awesome 3D MMORGP, so well checking files I got format is .PG, so well maybe somebody can take a look into this format? ok many thanks again for all help give and have a nice day guys, see you next time.

Web: http://tianyu.163.com/
Download: http://tianyu.163.com/download/

Samples

http://puu.sh/brkWh/954a2846fd.7z

I don't see the ZSIZE field but I suspect it's obfuscated at the end of the archive.

The following is a quick and lame work-around to unpack the archived files.
It may have some problems with some files but it's worth to try.

comtype lzo1x
idstring "2gab"
get ARCHIVE_SIZE asize
    findloc OFFSET string "ZZZZ" 0 ""
for OFFSET = OFFSET < ARCHIVE_SIZE
    math OFFSET += 4
    goto OFFSET
    get SIZE long
    savepos OFFSET

    findloc NEXT_OFFSET string "ZZZZ" 0 ""
    if NEXT_OFFSET == ""
        math NEXT_OFFSET = ARCHIVE_SIZE
    endif
    xmath ZSIZE "NEXT_OFFSET - OFFSET"

    clog "" OFFSET ZSIZE SIZE
    math OFFSET = NEXT_OFFSET
next

many thanks for your try, but the bad thing is we can't got real names of files and extentions, like Models unpacked with .dat for default, and this is not the native format and well just unpack some files, after descompress some files give this error.

Currently there are no other solutions, problems like that are normal using this method.

Main table encrypted. Format same from game JianLong. Here decryption algo from JianLong (keys can be different)

struct BAGHeader
{
   DWORD   dwID;
   DWORD   dwTotalFiles;
   DWORD   dwTableOffset;
};

//1bag
dwTotalFiles ^ 0xe7356461
dwTableOffset ^ 0xcb449442

//2bag
dwTotalFiles ^ 0x27252421
dwTableOffset ^ 0x3b343432

DWORD __cdecl JLBAGDecrypt(int dwVersion, int dwOffset, int pScrBuffer, int pDstBuffer, int dwCount)
{
  int i;
  int j;
  int k;
  int ScrBuffer = 0;
  int DstBuffer = 0;

  ScrBuffer = pScrBuffer;
  DstBuffer = pDstBuffer;

  i = dwCount;

  if ( dwVersion == 0x62616731 ) // 1bag
  {
    if ( i )
    {
      j = 0;
      do
      {
        *(DWORD *)(j + DstBuffer) = dwOffset ^ *(DWORD *)((char *)ScrBuffer + j) ^ 0x698346BD;
        *(DWORD *)(j + DstBuffer + 4) = dwOffset ^ *(DWORD *)(ScrBuffer + j + 4) ^ 0x867389FE;
        *(DWORD *)(j + DstBuffer + 8) = dwOffset ^ *(DWORD *)(ScrBuffer + j + 8) ^ 0xABEDC59D;
        dwOffset += 12;
        j += 12;
        --i;
      }
      while ( i );
    }
  }
  else
  {
    if ( dwVersion == 0x62616732 ) // 2bag
    {
      if ( i )
      {
        k = 0;
        do
        {
          *(DWORD *)(k + DstBuffer) = dwOffset ^ *(DWORD *)((char *)ScrBuffer + k) ^ 0x5953565D;
          *(DWORD *)(k + DstBuffer + 4) = dwOffset ^ *(DWORD *)(ScrBuffer + k + 4) ^ 0x6663696E;
          *(DWORD *)(k + DstBuffer + 8) = dwOffset ^ *(DWORD *)(ScrBuffer + k + 8) ^ 0x7B7D757D;
          dwOffset += 12;
          k += 12;
          --i;
        }
        while ( i );
      }
    }
  }
  return (int)szOutBuf;
}

Entries don't contain names only hashes.

Also you can look bms script > http://forum.xentax.com/viewtopic.php?p=82822#p82822

Well done, the following is my script:
http://aluigi.org/papers/bms/others/1gab_2gab_bag.bms

aluigi I have a question, thanks for this hard work and same for ekey, so my question is how is possible got file names of archives? only dumping information from memory? how chinese make his tools for got file names and we can't got it with quickbms? like others games you support before? thats my question because i'm so curious, ok thanks again for your support.

The filenames are stored as hashes so usually the way is dumping all the filenames read by the game with hooking (for example in a function that takes the filename as argument) and then building a database with these filenames and the relative hashes.
When you find an hash, you take a look at the database and replace it with the filename.

This is something I would like to implement in quickbms, a simple way to use a database and automatically replacing names.
Something like:
get_name_hash NAME MEMORY_FILE
where MEMORY_FILE is the buffer containing all the database

ummm well very interesting, I try check it later, but really this would be cool if you can add this support to soon, anyway thanks a lot for hard work again, grateful for all you try do here, take care Luigi