ZenHAX

Good afternoon. Faced a problem. In the archive, each file has an identifier - 4 bytes. How do I know the decryption algorithm for this identifier?

For example (in big endian)

23 77 cb 6f - directory.txt

d9 65 77 b7 - AUDIO/RELEASE/MENU/MENU.FEV

d9 65 79 55 - AUDIO/RELEASE/MENU/MENU.FSB

What is this algorithm that creates such short names?

P.S. Game - split/second. Game used lzss compression. separately for each file

quickbms has a script for scanning various crc algorithms but didn't find any result matching the crc and string you provided.
I tried using the following inputs:
AUDIO/RELEASE/MENU/MENU.FEV
AUDIO\RELEASE\MENU\MENU.FEV
audio/release/menu/menu.fev
audio\release\menu\menu.fev

It may be a different algorithm or a crc of the type instead of the filename, no idea.

How did you get those names?

_________________
Tribo Gamer Brasil

not the guy who posted. Did some REing (used the Reloaded exe to bypass Securom's anti-debug) and

bp 0x571390 "ds esp+4;g"

in WinDBG spits out filename combined with the archive name. Was quicker for poking around than hooking a printf into that code.

When poking around with Ghidra and using a plugin for C++ parsing (they thankfully left RTTI data around) the entrance is in ArkLoader class. THats where that WinDBG breakpoint breaks and prints the value and immediately resumes.

Poking around the functions atm since the algorithm has to be near the function that handles file

Got some progress. Hash function iterates bytewise over the filename, then multiplies the "old" value of checksum with 31 and then add the new byte. Got 30% or so coverage of the ARK files so far and still missing some files where i should have the name for... (running the game with -noark and the name-extracted files at correct spot triggers a crash, filename of the failed file is known since i watch with process-monitor)