ZenHAX

Free Game Research Forum | Official QuickBMS support | twitter @zenhax | SSL HTTPS://zenhax.com
It is currently Wed Jan 29, 2020 5:54 pm

All times are UTC




Post new topic  Reply to topic  [ 5 posts ] 
Author Message
PostPosted: Sat Dec 14, 2019 11:56 pm 

Joined: Mon Dec 29, 2014 8:49 pm
Posts: 39
So I cam across an old xbox game that uses the most annoying encryption of all time. It injects FF at seemingly random intervals (mostly 9).
I think its a zip/ pak file not too sure (Signature: DF? 50 4B 03 04 14 E9 32)
Anyone have any tips on dealing with this?


Attachments:
Untitled1.zip [275.26 KiB]
Downloaded 22 times
Top
   
PostPosted: Sun Dec 15, 2019 1:36 am 

Joined: Mon Dec 29, 2014 8:49 pm
Posts: 39
Image

I think it is a zip file but there are characters injected at fixed intervals
like 0xDF means the next one is in 9 bytes 0xFF in 8 bytes
This was my working assumption until they started potentially xoring
so it is ridiculous

I made the assumption due to the consistent nature of the padding


Top
   
PostPosted: Sun Dec 15, 2019 11:24 am 

Joined: Tue Sep 01, 2015 9:44 am
Posts: 25
It looks like LZSS compression. From the data after decompression, it seems that only the PK file header of ZIP is added, but there is no compression, not double compression.
Just a hint, it may not be correct.


Last edited by Allen on Wed Jan 15, 2020 4:43 am, edited 1 time in total.

Top
   
PostPosted: Mon Dec 16, 2019 10:28 pm 

Joined: Mon Dec 29, 2014 8:49 pm
Posts: 39
That's a little confusing considering there are multiple pk headers in the file .
I'm still new to this. What tool did you use for your decompression (python is refusing to install lzss for me right now)

I tried using offzip on the file you uploaded but no luck so it is probably not a zip at all

Image


Top
   
PostPosted: Mon Dec 23, 2019 2:50 pm 

Joined: Tue Sep 01, 2015 9:44 am
Posts: 25
I reviewed the data today and found that it is LZSS compression, but the buffer size is 1024 bytes. Not 4096.
lzss.c in the attachment can be used after compilation.
test_lzss.exe is a C # program that I ported from C.
test_lzss usage, drag directly file to the program.
You can also refer to the C source code to port to Python.


Attachments:
Untitled1_decom.zip [367.5 KiB]
Downloaded 14 times
Top
   
Display posts from previous:  Sort by  
Post new topic  Reply to topic  [ 5 posts ] 

All times are UTC


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
cron
Powered by phpBB® Forum Software © phpBB Limited