ZenHAX


All times are UTC




Posted: Sun May 02, 2021 6:06 am

I changed the name of the program to inti_encdec since it also works for other Inti Creates games. The version in the zip can now decode/encode larger files which are found in games other than COTM1/COTM2. It can also now decode/encode the system and game save data files in COTM1 and COTM2! (but probably not any of the other games, the save keys are different between COTM1 and COTM2 so probably the other games all use their own keys too).

I have also added file lists for other games to the zip (thanks RandomTBush @ xentax) plus added the missing files to the COTM1/COTM2 lists


(also just posted this on xentax)

Hello everyone, I managed to find out very little information about these games from the interwebs, so maybe someone will find this useful.

Here's a tool for decrypting/encrypting (if you can really call it encryption, it's not using AES or any other real encryption algorithm) datafiles from COTM1 and COTM2. Not all files are encrypted, and I think some are compressed in addition to being encrypted. It's a very simple single file C program, should compile and work fine with gcc, clang, msvc, pretty much anything.

It may also work for some other Inti Creates games, but I haven't tried.

I have no idea where the game code reads or calculates the keys for the "encryption algorithm", but it seems there are four different possible keys used with the same decryption code, one per data type ("obj", "bft", "set" or "scroll").

The same keys seem to work for both COTM1 and COTM2 on all platforms.

Also, in the PC versions of both games, the filenames have been obfuscated by changing each file's name to the MD5 hash of the actual filename. It is possible to recover the original filenames by logging them as the game accesses them (by e.g. hacking the binary to report them via OutputDebugStringA), or using file listings from console versions which don't have obfuscated filenames. Note that for some filenames, you'll need to add a platform-specific "Win/" directory prefix before hashing the filename (on Switch, these files would be in an actual "NX/" subdirectory inside the romfs, for some reason there is no equivalent subdirectory inside the PS4 version's package).

Using these methods, I have recovered original filenames for all but two of the files in the DataHash directory on PC for COTM2. (I played through the game multiple times taking different routes, but the logger didn't catch anything which would match those two when MD5 hashed, unfortunately it's not really feasible to brute force the remaining ones, at least not with only a single albeit reasonably powerful GPU, the filenames could be up to 20-30 characters or even more, and may contain at least lowercase and capital letters, numbers, underscores and a single dot.)

For COTM1, I have recovered 261 of 296 filenames based on file listings from console versions. I'll need to play through it a few times with a logger patched one day...

Next up is going to be figuring out the actual map and background graphics formats. I want to write a program which can show the maps. :-)

Btw. if you want to look at them, use the "set" key for map*.stb files and "scroll" key for map*.scb files. *.osb files use the "obj" key.

The zip includes the encdec.c program and MD5 filename hash lists for COTM1 and COTM2.

Attachment: inti_encdec.zip [185.72 KiB]


oh yeah, if you rename map00.stb to map01.stb (look at the hash lists), you'll get a debug map (in both games) when you start the game! nothing that interesting or useful there, though.

edit: fixed the argv enum I added just before upload...

edit2: figured out how the keys are calculated, but I'm too tired to update the zip

Code:
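#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WTFSTRING "90210"
#define BASEKEY 0xA1B34F58CAD705B2ULL

/* Derive the 64-bit key for a data type ("obj", "bft", "set" or "scroll"). */
uint64_t type2key (const char *type)
{
  uint64_t key;
  size_t i, l;
  char buf[12]; /* longest input: "scroll" + "90210" + NUL = 12 bytes */
 
  /* bounded copy: a longer type string is truncated instead of overflowing buf */
  snprintf(buf, sizeof buf, "%s%s", type, WTFSTRING);
 
  l = strlen(buf);
 
  key = BASEKEY;
 
  /* add each byte, then multiply by 141, wrapping modulo 2^64 */
  for (i=0; i<l; i++)
  {
    key += (unsigned char)buf[i];
    key *= 141;
  }
 
  return key;
}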


gives correct keys for inputs "obj", "bft", "set" or "scroll"
(also, the bft key seems to be for the font data files)

edit3: the compression seems to be just regular zlib compression with a 4-byte header (int32) telling how much space to reserve for decompressed output.

yes!
Attachment: curse.png [88.6 KiB]
Attachment: curse2.png [44.11 KiB]


I still don't know what the huge 0-byte fills at the end of those scroll/font datafiles are for though (nor the actual header & stage tile layout format)

I have tested decoding & re-encoding the map01 files with it and the game still loads it fine. :) Next up will be figuring out the actual map formats...
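
The filename recovery described in the post above (hash every name from a console listing, with and without the "Win/" prefix, and match the result against the hashed names on disk), as an added example that is not part of the original post or of inti_encdec. It assumes the on-disk name is the hex MD5 of the UTF-8 path; the sample names other than map00.stb and map01.stb are constructed.

```python
import hashlib

# "" covers files hashed without a prefix; "Win/" is the PC prefix from the post.
PLATFORM_PREFIXES = ("", "Win/")


def md5_name(path: str) -> str:
    """Obfuscated name for a path (assumption: lowercase hex MD5 of UTF-8 bytes)."""
    return hashlib.md5(path.encode("utf-8")).hexdigest()


def recover_names(hashed_names, candidates, prefixes=PLATFORM_PREFIXES):
    """Match hashed on-disk names against candidate original names.

    Returns (recovered, unresolved): a dict mapping hash -> original path,
    and the sorted list of hashes that no candidate explains.
    """
    wanted = {h.lower() for h in hashed_names}
    recovered = {}
    for name in candidates:
        for prefix in prefixes:
            path = prefix + name
            digest = md5_name(path)
            if digest in wanted:
                recovered[digest] = path
    unresolved = sorted(wanted - recovered.keys())
    return recovered, unresolved


def build_sample():
    """Constructed sample: three hashed names 'on disk' and a console listing."""
    on_disk = [
        md5_name("map00.stb"),         # hashed without a prefix
        md5_name("Win/title.osb"),     # hashed with the platform prefix
        md5_name("never_logged.scb"),  # not present in the listing
    ]
    listing = ["map00.stb", "map01.stb", "title.osb"]
    return on_disk, listing


if __name__ == "__main__":
    found, missing = recover_names(*build_sample())
    for digest, path in sorted(found.items()):
        print(digest, "->", path)
    print("unresolved:", missing)
```

Names that stay in the unresolved list are the ones that would need logging from the running game, as the post describes.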


Posted: Tue May 04, 2021 4:06 am

"major" update to the zip in first post:

  • Turns out, the key is NOT supposed to be reset every 384kB, large files (which some Inti games other than COTM1/COTM2 have) can now be unpacked and repacked successfully. Thanks to RandomTBush @ xentax for testing this.
  • Added system and game save data decryption/encryption for COTM1 and COTM2. The same code (actually it's just the same obfuscation applied twice with different keys) could also work for other Inti games, but game specific keys/keystrings are required.
  • Added three new possible asset types/keys to the list "txt20170401", "snd90210", "json180601", cannot be tested with any files from COTM1/COTM2. (unless with something from inside one of the large archive files..?)

(the save data may well be checksummed in addition to the obfuscation, I haven't tried to edit it yet)

I may need to update the tool to use memory-mapped files, compress/decompress in chunks and/or encode/decode inside the same buffer to reduce memory use a bit if there are compatible games with even larger files out there...

