Free Game Research Forum | Official QuickBMS support | twitter @zenhax | SSL HTTPS://zenhax.com

All times are UTC

Posted: Sun Jan 14, 2018 4:18 am

Joined: Wed Feb 22, 2017 12:08 am
Posts: 4
Firmware for SOHO routers uses LZMA to pack the firmware. There is a tool called binwalk; it is written in Python, and if you are using Python 2 and have python-lzma installed, binwalk will validate the headers it finds and false positives will be excluded from the search. Something similar could be done for quickbms I think; it's an idea.

Posted: Thu Aug 16, 2018 7:27 am

Joined: Thu Aug 16, 2018 7:22 am
Posts: 1
aluigi wrote:
Good. Anyway I have added zstd to the list in the first post since it uses a magic number that allows to guess it at 100%.

I was looking for a zstd compression recognition technique and was about to ask in a thread. But here I found a 100% success technique. Thanks for mentioning the magic number, this solves the problem I was facing in my current project.

Last edited by DavidDineen on Sun Feb 17, 2019 9:35 am, edited 4 times in total.
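
The two recognition approaches mentioned so far in the thread, a fixed magic number (zstd) and header validation to drop false positives (LZMA, as binwalk does), as an added Python example; this is not QuickBMS or binwalk code. The zstd magic bytes `28 B5 2F FD`, the dictionary-size and size-field heuristics, and the sample buffer are assumptions chosen or constructed for the example.

```python
import lzma
import struct

ZSTD_MAGIC = b"\x28\xb5\x2f\xfd"  # zstd frame magic 0xFD2FB528, little-endian
UNKNOWN = 0xFFFFFFFFFFFFFFFF      # LZMA "uncompressed size unknown" marker


def _pow2(n):
    return n > 0 and (n & (n - 1)) == 0


def lzma_alone_valid(buf, off, probe=64):
    """Header sanity checks (assumed heuristics), then a short trial decompression."""
    if len(buf) - off < 13:
        return False
    props, dict_size, out_size = struct.unpack_from("<BIQ", buf, off)
    if props >= 9 * 5 * 5:  # props = (pb*5 + lp)*9 + lc
        return False
    plausible = _pow2(dict_size) or (dict_size % 3 == 0 and _pow2(dict_size // 3))
    if not (4096 <= dict_size <= 1 << 26 and plausible):
        return False
    if out_size != UNKNOWN and out_size >= 1 << 38:
        return False
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE, memlimit=1 << 27)
    try:
        out = dec.decompress(buf[off:off + 4096], max_length=probe)
    except lzma.LZMAError:
        return False  # plausible header, but the stream does not decode
    return bool(out) or dec.eof


def scan(buf):
    """Return sorted (offset, name) hits: zstd magic and validated LZMA."""
    hits = []
    pos = buf.find(ZSTD_MAGIC)
    while pos != -1:
        hits.append((pos, "zstd"))
        pos = buf.find(ZSTD_MAGIC, pos + 1)
    hits += [(o, "lzma") for o in range(len(buf)) if lzma_alone_valid(buf, o)]
    return sorted(hits)


# Constructed sample: padding, real LZMA stream, zstd magic, LZMA-looking decoy.
PAD = b"FWHDR" + b"\xaa" * 11
REAL = lzma.compress(b"firmware rootfs " * 64, format=lzma.FORMAT_ALONE)
DECOY = b"\x5d\x00\x00\x80\x00" + b"\xff" * 40  # valid-looking header, junk body
SAMPLE = PAD + REAL + ZSTD_MAGIC + b"zstd-frame-body" + DECOY

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The decoy passes every header field check and is rejected only by the trial decompression, which is the step that removes that kind of false positive.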

Posted: Wed Dec 12, 2018 10:00 pm
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 10284
In case someone is interested in some statistics, I have collected the most used compression algorithms in my 2'023 quickbms scripts.
Some games use zip-like archives and that means some numbers may be inflated; some scripts cover multiple formats, and some algorithms may be invoked twice in a few scripts just because they are for more than one format.
zlib                  545
deflate               119
lzma                   87
xmemdecompress (lzx)   61
lzss                   56
lzo1x                  49
gzip                   49
lz4                    44
lz77wii                21
oodle                  21
bzip2                  16
dk2/EA                 15
zstd                   10
custom                 10

Posted: Sat Mar 23, 2019 12:52 am

Joined: Fri Mar 30, 2018 2:48 am
Posts: 175
Thanks! This has been very helpful lately :)
Just want to add how I spot RefPack/dk2 nowadays.
First off...
0xXX = random value.
RefPack/dk2 compression mostly looks like this: "0xXX\0xFB" (where the 0xFB seems to be the telltale sign of RefPack), and then right after it is the decompressed size as a 4-byte, 32-bit integer / long (to further confirm that it is in fact RefPack/dk2).
So all in all it looks like this "0xXX\0xFB\0x00\0x1B\0x62\0x1C"

Depending on the strength of the compression the strings can still be sorta readable like this: "c:\datatemp\inter\PS2\Neutral\Chapâs\Hogwarts\ZoneãONE_HW_Viaduct_E.nãnce_DD\LefTextur�'àET_BURNâOOK_PAPER.ss€"

If you see this pattern, use comtype dk2

Be kind to everyone, even those you do not like.
