ZenHAX

Free Game Research Forum | Official QuickBMS support | twitter @zenhax | SSL HTTPS://zenhax.com

All times are UTC




 Post subject: GameShield DRM
PostPosted: Fri May 14, 2021 3:02 am 

Joined: Fri Apr 20, 2018 12:41 am
Posts: 832
I'm currently looking at a portion of multilingual games from non-modern PopCap. I eventually stumbled on the Japanese version of Peggle Nights, which requires administrative privileges to run. Upon looking up information on the file data, it is related to GameShield DRM from Yummy Interactive. Despite coming from a setup, the content it provides is just documents and, most importantly, an exe that is 90MB, where I can see many resources crammed into it, most related to the game rather than the DRM client. I can't run the game, as it tries to locate content that doesn't exist, but it may be a cheat build as it is titled that when running it. There are no PAK files I can see in the game data. Any advice on unpacking it along with the game data? Thank you so much.

https://anonymousfiles.io/cREaTXd0/

Code:
-=[ ProtectionID v0.6.9.0 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/17-21:05:42
Ready...
Scanning -> PeggleNights_JPN\PeggleNights.exe
File Compression State : 0 (Not Compressed)
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 92447536 (0582A330h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x00000000 -> Thu 01st Jan 1970 00:00:00 (GMT)
[!] Digital Signature signed by a known DRM provider -> PopCap Games
-> File Appears to be Digitally Signed @ Offset 05828DA0h, size : 01590h / 05520 byte(s)
-> File has 2 (02h) bytes of appended data starting at offset 05828D9Eh
[LoadConfig] CodeIntegrity -> Flags 0xA3F0 | Catalog 0x46 (70) | Catalog Offset 0x2000001 | Reserved 0x46A4A0
[LoadConfig] GuardAddressTakenIatEntryTable 0x8000011 | Count 0x46A558 (4629848)
[LoadConfig] GuardLongJumpTargetTable 0x8000001 | Count 0x46A5F8 (4630008)
[LoadConfig] HybridMetadataPointer 0x8000011 | DynamicValueRelocTable 0x46A66C
[LoadConfig] FailFastIndirectProc 0x8000011 | FailFastPointer 0x46C360
[LoadConfig] UnknownZero1 0x8000011
[File Heuristics] -> Flag #1 : 00000000000001001100000000100110 (0x0004C026)
[Entrypoint Section Entropy] : 7.63 (section #0) "YMY     " | Size : 0x57B35EE (91960814) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 3 (0x3) | ImageSize 0x5889000 (92835840) byte(s)
[VersionInfo] Product Name :  Peggle Nights Application
[VersionInfo] Product Version : 1.00.3.5802
[VersionInfo] File Description : Peggle Nights
[VersionInfo] File Version : 1.00.3.5802
[VersionInfo] Original FileName : PeggleNights.exe
[VersionInfo] Internal Name : Peggle Nights
[VersionInfo] Legal Copyrights : Copyright (C) 2008
[ModuleReport] [IAT] Modules -> kernel32.dll
[!] Yummy Interactive GameShield/Software Shield Protection detected !
[CdKeySerial] found "Trial version" @ VA: 0x00398720 / Offset: 0x00397920
[CdKeySerial] found "Trial version" @ VA: 0x00398782 / Offset: 0x00397982
[CdKeySerial] found "Trial version" @ VA: 0x00402BE3 / Offset: 0x00401DE3
[CdKeySerial] found "SerialNumber" @ VA: 0x006E16A0 / Offset: 0x006E08A0
[CdKeySerial] found "SerialNumber" @ VA: 0x006E3AD7 / Offset: 0x006E2CD7
[CdKeySerial] found "ActivationCode" @ VA: 0x006E3B69 / Offset: 0x006E2D69
[CdKeySerial] found "SerialNumber" @ VA: 0x006E7489 / Offset: 0x006E6689
[CdKeySerial] found "ActivationCode" @ VA: 0x006E7698 / Offset: 0x006E6898
[CdKeySerial] found "Trial version" @ VA: 0x053DF720 / Offset: 0x053DE920
[CdKeySerial] found "Trial version" @ VA: 0x053DF781 / Offset: 0x053DE981
[CdKeySerial] found "Trial version" @ VA: 0x053F4EF8 / Offset: 0x053F40F8
[CdKeySerial] found "Trial version" @ VA: 0x053F4F59 / Offset: 0x053F4159
[CdKeySerial] found "ActivationCode" @ VA: 0x057B64E5 / Offset: 0x057B4CE5
[CdKeySerial] found "ActivationCode" @ VA: 0x057B6500 / Offset: 0x057B4D00
[CdKeySerial] found "SerialNumber" @ VA: 0x057B6A3F / Offset: 0x057B523F
[CdKeySerial] found "SerialNumber" @ VA: 0x057B6A5C / Offset: 0x057B525C
[CdKeySerial] found "SerialNumber" @ VA: 0x057B6A7B / Offset: 0x057B527B
[CdKeySerial] found "ActivationCode" @ VA: 0x057B6DD4 / Offset: 0x057B55D4
[CdKeySerial] found "SerialNumber" @ VA: 0x057B6F36 / Offset: 0x057B5736
[CdKeySerial] found "SerialNumber" @ VA: 0x057B6FA0 / Offset: 0x057B57A0
[CdKeySerial] found "SerialNumber" @ VA: 0x057B6FBE / Offset: 0x057B57BE
[CdKeySerial] found "SerialNumber" @ VA: 0x057B6FD8 / Offset: 0x057B57D8
[CdKeySerial] found "SerialNumber" @ VA: 0x057B7145 / Offset: 0x057B5945
[CdKeySerial] found "SerialNumber" @ VA: 0x057B7190 / Offset: 0x057B5990
[CdKeySerial] found "ActivationCode" @ VA: 0x057B71F5 / Offset: 0x057B59F5
[CompilerDetect] -> Visual C++ 8.0 (Visual Studio 2005)
- Scan Took : 8.907 Second(s) [000001F9Dh (8093) tick(s)] [566 of 580 scan(s) done]


_________________
Hacking Angry Birds since 2016


Last edited by LolHacksRule on Fri May 14, 2021 8:33 pm, edited 1 time in total.

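The ProtectionID report above already lists the traits a triage script looks at when deciding whether a binary is wrapped: the entry point sits in a non-standard section ("YMY") with entropy 7.63, the compilation timestamp is zeroed, DllCharacteristics is 0 and the IAT names only kernel32.dll. The Python below is an added example written for this page, not code from the thread, from ProtectionID or from any PopCap or Yummy Interactive tool: it parses a PE32 section table with the standard library only and reproduces that triage. The 7.0 entropy threshold and the set of "known" section names are assumptions, and the three-section sample PE it builds is constructed to mirror the shape of the scan, not taken from the Peggle Nights exe.

```python
"""Added example: stdlib-only PE32 section triage reproducing the packer
indicators ProtectionID reported above (non-standard high-entropy entry
section, zero timestamp, DllCharacteristics 0). Constructed sample, not the
real binary."""
import math
import random
import struct
from collections import Counter

# Section names a normal MSVC build carries (assumed list); anything else is worth a look.
KNOWN_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                  ".tls", ".pdata", ".bss", "CODE", "DATA"}
SECTION_HDR = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, close to 8.0 for packed/encrypted data."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe32(blob: bytes) -> dict:
    """Read the COFF header, the optional-header fields we need, and the
    section table of a PE32 image (no pefile dependency)."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    if struct.unpack_from("<H", blob, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]      # AddressOfEntryPoint
    dll_chars = struct.unpack_from("<H", blob, opt + 70)[0]      # DllCharacteristics
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr, _, _, _, _, _ = struct.unpack_from(
            SECTION_HDR, blob, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "vsize": vsize, "rsize": rsize,
                         "entropy": round(shannon_entropy(blob[rptr:rptr + rsize]), 2)})
    return {"machine": machine, "timestamp": stamp, "entry_rva": entry_rva,
            "dll_characteristics": dll_chars, "sections": sections}


def triage(blob: bytes) -> dict:
    """Return the entry section and a list of packer/DRM-wrapper indicators."""
    pe = parse_pe32(blob)
    entry = next((s for s in pe["sections"]
                  if s["va"] <= pe["entry_rva"] < s["va"] + max(s["vsize"], s["rsize"])), None)
    hits = []
    if entry is None:
        hits.append("entry point outside every section")
    else:
        if entry["entropy"] >= 7.0:   # threshold is an assumption, not a standard
            hits.append(f"high-entropy entry section {entry['name']!r} ({entry['entropy']})")
        if entry["name"].strip() not in KNOWN_SECTIONS:
            hits.append(f"non-standard entry section name {entry['name']!r}")
    if pe["timestamp"] == 0:
        hits.append("zeroed compilation timestamp")
    if pe["dll_characteristics"] == 0:
        hits.append("DllCharacteristics 0: no ASLR/NX/SafeSEH flags")
    return {"entry_section": entry["name"] if entry else None,
            "indicators": hits, "sections": pe["sections"]}


def build_sample_pe() -> bytes:
    """Constructed three-section PE32 shaped like the scan above: an opaque
    high-entropy 'YMY' entry section, a low-entropy .rsrc and a zeroed .data.
    Section contents are synthetic; nothing here is taken from the real exe."""
    rng = random.Random(1)
    payloads = [(b"YMY", bytes(rng.getrandbits(8) for _ in range(4096))),
                (b".rsrc", b"resource text block " * 64),
                (b".data", bytes(1024))]
    hdr_size, file_align = 0x400, 0x200
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(payloads), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                      # entry point inside YMY
    headers, body, va = bytearray(), bytearray(), 0x1000
    for name, data in payloads:
        raw = data + bytes(-len(data) % file_align)
        headers += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), len(data), va,
                               len(raw), hdr_size + len(body), 0, 0, 0, 0, 0x60000020)
        body += raw
        va += (len(raw) + 0xFFF) & ~0xFFF
    image = dos + b"PE\0\0" + coff + bytes(opt) + headers
    return bytes(image + bytes(hdr_size - len(image)) + body)


if __name__ == "__main__":
    for line in triage(build_sample_pe())["indicators"]:
        print("[!]", line)
```

To run it on a real file, replace build_sample_pe() with open(path, "rb").read(). It handles PE32 only (the scan shows a 32-bit I386 image) and does not walk the import table, so the kernel32.dll-only indicator from the report is not reproduced.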
 Post subject: Re: GameShield DRM
PostPosted: Fri May 14, 2021 5:21 am 

Joined: Sun Jan 10, 2021 2:23 pm
Posts: 75
By searching for 'GameShield Manual Unpacking' I've found an article by ARTeam. It doesn't look like easy reading, but I hope it can help.

Resources can be ripped with several tools I came across just today.
Make sure to configure them for the expected formats before scanning.
Ravioli Scanner 2.1 can extract pictures.
Jaeder Naub 2.2.4g - even more pictures and playable sound. I'd recommend this one personally.
Hyper Ripper module of Dragon UnPACKer 5.0.7 beta - half as many JPEGs, but good as well. The tool has a picture preview option. The latest nightly build gave me "Error while scanning... Aborting... Stack overflow". Got to try earlier commits...
X-Ripper 1.5 - extracts sound and pictures. Some pics are half corrupt.
MultiExtractor 3.3 - scans fast, finds more pictures. But the ripped ogg sound is corrupt.

A .pak string is found in the .exe, however no 7 1/2 7 signature.
Not sure if it is the installer or the game itself.

_________________
How to search (and find!) scripts @ My Notes
Use Filecutter so more people can look in your files.
Please, don't quote if message context is clear.


Last edited by z4ruz on Fri May 14, 2021 8:05 pm, edited 1 time in total.

 Post subject: Re: GameShield DRM
PostPosted: Fri May 14, 2021 3:36 pm 

Joined: Fri Apr 20, 2018 12:41 am
Posts: 832
It's most likely the packaged executable itself: installing the game using the given setup, or unpacking it, gives this big executable, which is the game combined with the data. I have read that article, but I'm not sure if it can help unpack the game data as well.

UPDATE: Upon looking at the executable, I found this about the data offset format.

Code:
13bytes: 01 00 00 00 04 00 00 00 64 61 74 61 (Data header)
1byte: Name combined with location size
3bytes: 00
?bytes: File location
?bytes: File data size - 10 (Where is the 10 from?)
11bytes: 00 00 00 00 00 00 00 01 00 00 00 00 00 80 00 00 00
?bytes: File data

_________________
Hacking Angry Birds since 2016


 Post subject: Re: GameShield DRM
PostPosted: Fri May 14, 2021 11:47 pm 

Joined: Sun Jan 10, 2021 2:23 pm
Posts: 75
Noteworthy: on error you can write some commands to the Lua debugging console, like print. exit will close the cmd window, but the main window will stay open. The same happens if you create an empty file at the requested path, but then the error would be "Unable to find function CreateLinkedObject".
Note to self: if searching for strings, try the Unicode version as well (chars separated by 00).
The executable doesn't have a main.lua string, but has main.luc, which is PopCap's custom Lua format.
https://github.com/wxarmstrong/PopLua-Disassembler - did you finally get it working?

Normal setups of PeggleNights (from the PopCap site) have the drm folder inside, if opened as an archive. The object, launched with that folder alongside, throws a new error, "Unable to find function InternalErrorScreen", and a blank window, as previously.

_________________
How to search (and find!) scripts @ My Notes
Use Filecutter so more people can look in your files.
Please, don't quote if message context is clear.


 Post subject: Re: GameShield DRM
PostPosted: Sat May 15, 2021 4:09 am 

Joined: Fri Apr 20, 2018 12:41 am
Posts: 832
I'm pretty sure it's because PopCap's DRM wrapper client that runs the game is also present in the exe, and when there's no scripts directory it shows the debug console on bootup. I tried that with worldwide releases and it happens as well, so it isn't specific. I don't think the PopLua Disassembler will work, as those Luc files from the DRM (and also from some proprietary resource generator, according to BejTwist JP leftovers) are Unicode and it doesn't look like there's code to detect that format.

_________________
Hacking Angry Birds since 2016


 Post subject: Re: GameShield DRM
PostPosted: Fri May 21, 2021 9:39 am 

Joined: Sun Jan 10, 2021 2:23 pm
Posts: 75
Attachment:
Peggle.bms [317 Bytes]
Downloaded 198 times

_________________
How to search (and find!) scripts @ My Notes
Use Filecutter so more people can look in your files.
Please, don't quote if message context is clear.


 Post subject: Re: GameShield DRM
PostPosted: Fri May 21, 2021 3:36 pm 

Joined: Fri Apr 20, 2018 12:41 am
Posts: 832
Thank you so much. I don't have any other games protected by GameShield, so it may work on other games protected by this version of the protector as well.

_________________
Hacking Angry Birds since 2016


 Post subject: Re: GameShield DRM
PostPosted: Sat May 22, 2021 2:36 am 

Joined: Fri Apr 20, 2018 12:41 am
Posts: 832
UPDATE: Well, it worked, but the files aren't exactly extracted properly, as 01 00 00 00 04 00 00 00 64 61 is copied to the end of every file. Luckily, adding the line fsize - 10 removes the bytes that aren't necessary and mostly results in readable files. Unfortunately not all are readable; for example, a portion of the JP2 files are incorrectly written.

_________________
Hacking Angry Birds since 2016


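The record layout posted earlier in the thread and the fsize - 10 fix in the final post describe the same defect from two sides: the size field in each "data" header overstates the payload by 10 bytes, so a script that trusts it copies the first 10 bytes of the next header (01 00 00 00 04 00 00 00 64 61) onto the end of every file. The Python below is an added example written for this page; it is not the attached Peggle.bms and not code from the thread. It assumes a concrete layout that the posts leave open: a u32 little-endian path length in place of the "1 byte + 3 zero bytes" field, an ASCII path, a u32 little-endian size field, then the 17 flag bytes quoted in the thread before the payload. The container it extracts from is constructed inline with synthetic file contents.

```python
"""Added example: carve the 'data' records described in the thread and show
why a size field that is 10 bytes too large drags the next header into every
extracted file. Layout beyond the quoted header bytes is assumed."""
import struct

MAGIC = b"\x01\x00\x00\x00\x04\x00\x00\x00data"                  # header bytes quoted above
FLAGS = bytes.fromhex("00000000000000010000000000800000" "00")   # 17 bytes quoted above
OVERREAD = 10          # how far the size field overshoots the payload, per the thread


def build_container(files):
    """Constructed sample. Assumed layout per record:
    MAGIC | u32 path length | path | u32 size | FLAGS | payload.
    `slack` is how much the size field overstates the payload (10 in the dump)."""
    out = bytearray()
    for path, payload, slack in files:
        p = path.encode("ascii")
        out += MAGIC + struct.pack("<I", len(p)) + p
        out += struct.pack("<I", len(payload) + slack) + FLAGS + payload
    return bytes(out) + b"\x00\x00"   # mimic the 2 appended trailer bytes in the scan


def parse_records(blob):
    """Return (path, declared_size, payload_offset) for every header in blob."""
    recs, pos = [], 0
    while True:
        pos = blob.find(MAGIC, pos)
        if pos == -1:
            break
        cur = pos + len(MAGIC)
        plen = struct.unpack_from("<I", blob, cur)[0]
        cur += 4
        path = blob[cur:cur + plen].decode("ascii")
        cur += plen
        size = struct.unpack_from("<I", blob, cur)[0]
        cur += 4 + len(FLAGS)
        recs.append((path, size, cur))
        pos = cur
    return recs


def extract_naive(blob):
    """What a script that trusts the size field writes: every payload ends with
    the first 10 bytes of the following header (or with the trailer at EOF)."""
    return {path: blob[off:off + size] for path, size, off in parse_records(blob)}


def extract_fixed(blob):
    """Apply the thread's size - 10 rule, but never run past the next header,
    and report records where the two boundaries disagree (a size field that is
    off by something other than 10). Returns (files, suspect_paths)."""
    files, suspect = {}, []
    for path, size, off in parse_records(blob):
        end = off + size - OVERREAD
        nxt = blob.find(MAGIC, off)          # assumes payloads never contain MAGIC
        if nxt != -1 and nxt != end:
            suspect.append(path)
            end = min(end, nxt)
        files[path] = blob[off:end]
    return files, suspect


# Constructed file contents: format-like leading bytes only, not real assets.
SAMPLE_FILES = [
    ("images/title.jp2", b"\x00\x00\x00\x0cjP  " + bytes(range(64)), 10),
    ("scripts/main.luc", b"\x1bLuc" + b"\x00" * 40, 14),   # size field off by 14, not 10
    ("sounds/ping.ogg", b"OggS" + bytes(range(32)), 10),
]

if __name__ == "__main__":
    blob = build_container(SAMPLE_FILES)
    for path, data in extract_naive(blob).items():
        print(f"naive {path}: tail {data[-10:].hex()}")
    good, bad = extract_fixed(blob)
    print("fixed:", {p: len(d) for p, d in good.items()}, "suspect:", bad)
```

extract_fixed trusts neither rule alone: it applies size - 10, also cuts at the next header, and lists every record where the two disagree, which is the set to inspect by hand and a starting point for the JP2 files the last post says still come out wrong. The next-header cut assumes no payload contains the 12-byte magic itself; on a real dump, compare the suspect list against what QuickBMS writes.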