ZenHAX

All times are UTC




PostPosted: Mon Nov 04, 2019 5:56 pm 

Joined: Fri Apr 20, 2018 12:41 am
Posts: 376
Cannot open these SAR files, not plain ZIP/7Z/RAR. https://we.tl/t-a2YLBOoNja, they appear to contain all the game data. Offzip doesn't help.

_________________
Hacking Angry Birds since 2016


Last edited by LolHacksRule on Tue Nov 12, 2019 4:58 pm, edited 3 times in total.

PostPosted: Mon Nov 04, 2019 7:41 pm 

Joined: Sat Aug 09, 2014 2:34 pm
Posts: 866
Probably encrypted. Share apk or ipa.


PostPosted: Mon Nov 04, 2019 7:55 pm

Joined: Fri Apr 20, 2018 12:41 am
Posts: 376
https://we.tl/t-Zc5euE5oUK

_________________
Hacking Angry Birds since 2016


PostPosted: Mon Nov 04, 2019 7:56 pm 

Joined: Sat Aug 09, 2014 2:34 pm
Posts: 866
Temporary script : viewtopic.php?p=38006#p38006


PostPosted: Mon Nov 04, 2019 8:00 pm

Joined: Fri Apr 20, 2018 12:41 am
Posts: 376
Sorry about that, I think the APK is partially incomplete... But thanks anyway, and sorry about this accidental repost on this game.

_________________
Hacking Angry Birds since 2016


PostPosted: Mon Nov 04, 2019 9:07 pm 

Joined: Sat Aug 09, 2014 2:34 pm
Posts: 866
Do you have the iOS version?


PostPosted: Mon Nov 04, 2019 10:59 pm

Joined: Fri Apr 20, 2018 12:41 am
Posts: 376
Err no, I focus only on Android. https://we.tl/t-wLv4GHHaUt proper upload of APK split.

_________________
Hacking Angry Birds since 2016


PostPosted: Mon Nov 04, 2019 11:19 pm 

Joined: Sat Aug 09, 2014 2:34 pm
Posts: 866
Nvm. I just found the decryption algorithm. At the moment, I’m studying how it works.


PostPosted: Tue Nov 05, 2019 4:01 pm 

Joined: Sat Aug 09, 2014 2:34 pm
Posts: 866
Well, there was a problem with decompressing the data. Some files cannot be decompressed (95% of files :)). Always the same error.

Code:
Info:  algorithm   478
       offset      00000008
       input size  0x00000199 409
       output size 0x00000a6a 2666
       result      0xffffffe0 -32
       
Error: the uncompressed data (-32) is bigger than the allocated buffer (2666)
       It usually means that data is not compressed or uses another algorithm


I tried to use the comtype scanner, but it didn’t give good results. The header of compressed files always starts like:

Code:
dwSignature -> ZSTD
dwDecompressedSize


PS: Files data decrypted correctly!

Example files are attached. Maybe someone can tell what the problem is? :)

Edited: I compiled the ZSTD library from source and the tool gives an error like:

Code:
Decoding error (36) : Dictionary mismatch


Edited2: Everything works fine on textures, but something is wrong on plaintext files (json, lua, dat, etc.).

Some pics.


Attachments:
examples.rar [3.36 MiB]
Downloaded 13 times
PostPosted: Tue Nov 05, 2019 7:46 pm 

Joined: Sat Aug 09, 2014 2:34 pm
Posts: 866
Okay, I solved this puzzle. A dictionary file is sometimes present in archives and named like:

Code:
pkgcdict_pc.dat
pkgcdict_ios.dat
pkgcdict_android.dat


We can use it to decompress. Example of decompressing a file using the zstd tool > loc\english\pc\locale.json

Code:
zstd -D pkgcdict_pc.dat --decompress locale.json


We get normal unpacked data

https://pastebin.com/5ni2rvdP

Now the most important question: How can we use this dictionary to work in QuickBMS? :)

Edited: I tried to use the dictionary like this, but it doesn't work. Bug? :?

Code:
set DICTIONARY compressed ".....compressed_dict_here...."
strlen DICTIONARY_SIZE DICTIONARY 1
comtype zstd DICTIONARY DICTIONARY_SIZE


Attachments:
pkgcdict_pc.zip [39.42 KiB]
Downloaded 11 times
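
Added example (not part of the original posts, and not the SARUnpacker code): a standard-library Python check that reads the Dictionary_ID from an entry's zstd frame header and from each candidate `pkgcdict_*.dat`, which is the comparison behind the "Dictionary mismatch" error in the posts above. It assumes the 8-byte `ZSTD` + `dwDecompressedSize` wrapper sits directly in front of a standard zstd frame and that the dictionaries use zstd's formatted layout; the sample bytes and IDs are constructed.

```python
import struct

FRAME_MAGIC = 0xFD2FB528  # Zstandard frame magic (RFC 8878)
DICT_MAGIC = 0xEC30A437   # magic of a formatted zstd dictionary

def dictionary_id(blob):
    """Dictionary_ID of a formatted dictionary, or None for raw-content data."""
    if len(blob) < 8 or struct.unpack_from("<I", blob)[0] != DICT_MAGIC:
        return None
    return struct.unpack_from("<I", blob, 4)[0]

def inspect_entry(blob):
    """Return (wrapper_size, frame_dict_id, frame_content_size) for one entry."""
    wrapper_size, pos = None, 0
    if blob[:4] == b"ZSTD" and len(blob) >= 8:  # assumed wrapper: signature + size
        wrapper_size, pos = struct.unpack_from("<I", blob, 4)[0], 8
    if len(blob) < pos + 5 or struct.unpack_from("<I", blob, pos)[0] != FRAME_MAGIC:
        raise ValueError("no zstd frame where one was expected")
    fhd = blob[pos + 4]                      # Frame_Header_Descriptor
    single_segment = (fhd >> 5) & 1
    pos += 5 + (0 if single_segment else 1)  # Window_Descriptor absent if single segment
    did_len = (0, 1, 2, 4)[fhd & 3]
    fcs_len = (single_segment, 2, 4, 8)[fhd >> 6]
    if len(blob) < pos + did_len + fcs_len:
        raise ValueError("truncated frame header")
    dict_id = int.from_bytes(blob[pos:pos + did_len], "little")  # 0: none declared
    raw = int.from_bytes(blob[pos + did_len:pos + did_len + fcs_len], "little")
    content_size = (raw + 256 if fcs_len == 2 else raw) if fcs_len else None
    return wrapper_size, dict_id, content_size

def pick_dictionary(entry, candidates):
    """Name of the candidate whose ID matches the frame's, or None."""
    wanted = inspect_entry(entry)[1]
    if wanted == 0:
        return None
    return next((n for n, d in candidates.items() if dictionary_id(d) == wanted), None)

# Constructed sample: wrapper + frame header only (no compressed blocks).
SAMPLE_ENTRY = (b"ZSTD" + struct.pack("<I", 2666)
                + struct.pack("<IB", FRAME_MAGIC, 0x63)
                + struct.pack("<IH", 0x1234ABCD, 2666 - 256))
SAMPLE_DICTS = {  # constructed dictionary headers, IDs are made up
    "pkgcdict_android.dat": struct.pack("<II", DICT_MAGIC, 0x0BADF00D),
    "pkgcdict_pc.dat": struct.pack("<II", DICT_MAGIC, 0x1234ABCD),
}

if __name__ == "__main__":
    print(inspect_entry(SAMPLE_ENTRY), pick_dictionary(SAMPLE_ENTRY, SAMPLE_DICTS))
```

A frame whose Dictionary_ID is 0 declares no dictionary, so `pick_dictionary` returns `None` for it rather than guessing.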
PostPosted: Sun Nov 10, 2019 2:38 pm 

Joined: Sat Aug 09, 2014 2:34 pm
Posts: 866
I could not get QuickBMS to work with the dictionary, so I wrote my unpacking tool! Tested on

Code:
Marvel Puzzle Quest (PC and Android)
SEGA Heroes: Match-3 RPG Quest (Android)


Code:
[Usage]
    SARUnpacker <m_File> <m_OutputDirectory>


Code:
[Example]
    SARUnpacker D:\Android_BaseContent.sar D:\Unpacked\Android_BaseContent


Attachments:
SARUnpacker-bin.rar [379.59 KiB]
Downloaded 12 times
PostPosted: Mon Nov 18, 2019 7:35 pm

Joined: Fri Apr 20, 2018 12:41 am
Posts: 376
Thank you so much! Some JSON files aren't auto-double-decompressed and have ZSTD in the compressed data. There's also a new JSON binary data serializer used in newer versions; I'm not asking how to break it, but I'll see soon (looks tough). LBC files have two LuaJIT files compiled in them with the exact same data. Also, how would I repack them?

Code:
LJ LBC data:

5bytes: Always F3 82 C8 A3 01, header
3bytes: zero
1byte: 20
3bytes: zero
1-3bytes: LuaJit binary size, data count above 255 uses 1-2 extra bytes in little endian.
1byte: zero
1-3bytes: Some data size? Filesize?, data count above 255 uses 1-2 extra bytes in little endian.
1byte: zero
1-3bytes: LuaJit binary size, data count above 255 uses 1-2 extra bytes in little endian.
9bytes: zero
beyond: LuaJit binary data, always repeated twice, idk why.

_________________
Hacking Angry Birds since 2016


Last bumped by LolHacksRule on Mon Nov 18, 2019 7:35 pm.
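
Added example (not from the original post): a Python parser for the LBC layout listed above, reading it on the assumption that each "1-3 bytes plus zero" group is one little-endian uint32, so the header is a 4-byte magic followed by seven uint32 fields (0x20 bytes in total). The `\x1bLJ` LuaJIT check, the back-to-back placement of the two copies, and the sample blob are assumptions or constructed data.

```python
import struct

LBC_MAGIC = bytes.fromhex("F382C8A3")  # first four header bytes listed in the post
LUAJIT_MAGIC = b"\x1bLJ"               # start of a LuaJIT bytecode dump
HEADER_SIZE = 0x20

def parse_lbc(blob):
    """Validate an LBC header and return its fields plus the first LuaJIT copy."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("shorter than the 0x20-byte header")
    if blob[:4] != LBC_MAGIC:
        raise ValueError("bad magic")
    # Assumption: the rest of the header is seven little-endian uint32 values.
    one, data_off, size1, unknown, size2, pad1, pad2 = struct.unpack_from("<7I", blob, 4)
    if (one, data_off, pad1, pad2) != (1, HEADER_SIZE, 0, 0):
        raise ValueError("constant fields differ from the posted layout")
    if size1 != size2:
        raise ValueError("the two LuaJIT size fields disagree")
    # Sizes come from the file itself: bound them before slicing.
    if data_off + 2 * size1 > len(blob):
        raise ValueError("declared sizes run past the end of the file")
    first = blob[data_off:data_off + size1]
    second = blob[data_off + size1:data_off + 2 * size1]
    return {
        "luajit_size": size1,
        "unknown_size": unknown,          # the post's "Some data size? Filesize?"
        "copies_identical": first == second,
        "looks_like_luajit": first.startswith(LUAJIT_MAGIC),
        "bytecode": first,
    }

def build_sample():
    """Constructed LBC blob: 300 bytes of fake bytecode, stored twice."""
    chunk = LUAJIT_MAGIC + bytes(297)
    header = LBC_MAGIC + struct.pack("<7I", 1, HEADER_SIZE, 300, 632, 300, 0, 0)
    return header + chunk + chunk

if __name__ == "__main__":
    info = parse_lbc(build_sample())
    print({k: v for k, v in info.items() if k != "bytecode"})
```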

