ZenHAX

Posted: Thu Oct 01, 2015 9:45 pm
Joined: Thu Oct 02, 2014 4:58 pm
Posts: 171
Hi! I tried this script

http://aluigi.altervista.org/bms/arcsys.bms

But it looks like it is not working well with this new game. I get no errors, it just can't decompress the file

Here is an example
http://www90.zippyshare.com/v/GLmwfEqu/file.html (4,86 Mb's)

Thanks! :D


Last edited by Savage on Sat Oct 03, 2015 11:16 am, edited 1 time in total.

Posted: Thu Oct 01, 2015 9:51 pm
Site Admin
Joined: Wed Jul 30, 2014 9:32 pm
Posts: 12242
That file you provided seems all encrypted.

P.S. there was no need to paste the script in the post :)


Posted: Thu Oct 01, 2015 11:55 pm
Joined: Thu Oct 02, 2014 4:58 pm
Posts: 171
aluigi wrote:
That file you provided seems all encrypted.

All the pac files are like the example

aluigi wrote:
P.S. there was no need to paste the script in the post :)

Oki doki


Posted: Fri Oct 02, 2015 1:06 am
Joined: Sat Aug 09, 2014 2:34 pm
Posts: 1194
Encryption: Hash + mt19937 (Mersenne Twister) + Xor. It works like this:

1) Extract file name from full path
2) Convert file name to uppercase
3) Create hash from file name (simple algorithm > see below)

Code:
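   /* needs <string.h>; iFileName is the uppercased file name from steps 1-2 */
   unsigned int dwSeed = 137;
   unsigned int dwHash = 0;
   /* hash every character of the name */
   for (size_t i = 0, n = strlen(iFileName); i < n; i++)
   {
      dwHash = (dwHash * dwSeed) + iFileName[i];
   }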


4) Initialize mt from hash
5) Decrypt data (simple algorithm > see below)

Code:
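   fseek(fi, 0, SEEK_END);
   size_t dwSize = ftell(fi);
   fseek(fi, 0, SEEK_SET);
   
   /* malloc, read, etc. */
   
   mt_init_genrand(dwHash);
   size_t i = 0;   /* index in 32-bit words, while dwSize is in bytes */
   do
      *(DWORD *)(pBuffer + 4 * i++) ^= mt_genrand_int32();
   while (4 * i + 4 <= dwSize);   /* stop before running past the buffer */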


Easy :)


Posted: Fri Oct 02, 2015 2:41 am
Site Admin
Joined: Wed Jul 30, 2014 9:32 pm
Posts: 12242
I have made a script that can be reused every time the Mersenne Twister is used:
http://aluigi.org/bms/arcana_heart_3.bms

I have also verified the generated values of mt_genrand_int32 with both the script and the C file and they are correct.
The decrypted file is ok but I don't know if it's a mistake that the archived filenames look "strange".


Posted: Fri Oct 02, 2015 10:18 am
Joined: Sat Aug 09, 2014 2:34 pm
Posts: 1194
Hm... Yes, something is wrong. The first DWORD after decryption must be 0x46504143 (FPAC)


Posted: Fri Oct 02, 2015 10:34 am
Site Admin
Joined: Wed Jul 30, 2014 9:32 pm
Posts: 12242
Maybe the constants at the end of mt_genrand_int32 are custom? 0x9d2c5680 and 0xefc60000
The script is 1:1 with the C function, so there are no other ideas.
Have you verified everything with a C tool or that's just the result of the debug analysis?


Posted: Fri Oct 02, 2015 10:42 am
Joined: Sat Aug 09, 2014 2:34 pm
Posts: 1194
Nope, it's my fault. Here is the correct one.

Code:
set XSEED "0x43415046"
for i = 0 < SIZE
    callfunction mt_genrand_int32 1
    get TMP long
    math TMP ^ y
    math XSEED ^ TMP
    put XSEED long MEMORY_FILE
next i


Posted: Fri Oct 02, 2015 10:47 am
Site Admin
Joined: Wed Jul 30, 2014 9:32 pm
Posts: 12242
Well done. Script updated to version 0.1.1 :)


Posted: Sat Oct 03, 2015 11:16 am
Joined: Thu Oct 02, 2014 4:58 pm
Posts: 171
Amazing!!, works great :D

Thanks!!


Posted: Fri Apr 30, 2021 7:53 am
Joined: Sat Mar 02, 2019 3:24 pm
Posts: 162
I know this topic is now 5 years old.
But it looks like they made a new way to encrypt .pac files from the latest update called SIXSTARS!!!!!! XTEND.
All I get is this linked below.
I decrypted it with the AH3 decryption .bms file, but the result is the same.
Any update for the script?


Attachments:
act_00.zip [172.26 KiB]
chara_split_00_unpacked.zip [4.87 MiB]

Posted: Wed May 12, 2021 10:38 am
Site Admin
Joined: Wed Jul 30, 2014 9:32 pm
Posts: 12242
PAC is still encrypted (maybe it uses a different method/key) while PK3 looks like just data without any index.


Posted: Wed May 12, 2021 2:13 pm
Joined: Sat Mar 02, 2019 3:24 pm
Posts: 162
aluigi wrote:
PAC is still encrypted (maybe it uses a different method/key) while PK3 looks like just data without any index.

Do you plan to update your script to match this different encryption?


Posted: Wed May 12, 2021 3:31 pm
Site Admin
Joined: Wed Jul 30, 2014 9:32 pm
Posts: 12242
Give me the new encryption scheme and key and I will do it.
Obviously I can't guess them from nowhere.


Posted: Thu May 13, 2021 2:29 pm
Joined: Sat Aug 09, 2014 2:34 pm
Posts: 1194
Unfortunately, I do not have this game, so I can't help you either.

@Mysticus
Edited: I checked the script and it works fine with files from SIXSTARS!!!!!! XTEND. The file you provided has the wrong name > https://steamdb.info/depot/661991/
The correct path and filename is >

Code:
SteamData/data/ahdata/act/chara/chara_split_00.pac


So, the filename must be chara_split_00.pac instead of chara_split_00_unpacked.pac

Therefore, the file can't be decrypted, because the hash generated from the filename is invalid. I renamed chara_split_00_unpacked.pac to chara_split_00.pac and it was perfectly decrypted.

If you want to decrypt files from this game then don't rename them ;)
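
The scheme as this thread ends up describing it (the name hash from the 2015 post, the corrected chained XOR, and the filename dependence explained in the post above), written out as an added example; it is not code from any poster or from the QuickBMS script. It assumes the reference MT19937 constants, data handled as host-order 32-bit words, and `/` or `\` as path separators; `pac_name_hash`, `pac_crypt` and `pac_roundtrip_ok` are hypothetical names.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>

static uint32_t mt[624], mti;   /* MT19937 state; reference constants assumed */
void mt_init_genrand(uint32_t s) {
    for (mt[0] = s, mti = 1; mti < 624; mti++)
        mt[mti] = 1812433253u * (mt[mti - 1] ^ (mt[mti - 1] >> 30)) + mti;
}
uint32_t mt_genrand_int32(void) {
    if (mti >= 624) {           /* regenerate all 624 state words */
        for (int k = 0; k < 624; k++) {
            uint32_t y = (mt[k] & 0x80000000u) | (mt[(k + 1) % 624] & 0x7fffffffu);
            mt[k] = mt[(k + 397) % 624] ^ (y >> 1) ^ ((y & 1u) ? 0x9908b0dfu : 0u);
        }
        mti = 0;
    }
    uint32_t y = mt[mti++];
    y ^= y >> 11;
    y ^= (y << 7) & 0x9d2c5680u;    /* the two masks quoted in the thread */
    y ^= (y << 15) & 0xefc60000u;
    return y ^ (y >> 18);
}

/* Steps 1-3: hash = hash * 137 + uppercase char, restarted after each path separator. */
uint32_t pac_name_hash(const char *path) {
    uint32_t h = 0;
    for (const char *p = path; *p; p++)
        h = (*p == '/' || *p == '\\') ? 0 : h * 137u + (uint32_t)toupper((unsigned char)*p);
    return h;
}
/* Corrected scheme: p[i] = p[i-1] ^ c[i] ^ mt(), with p[-1] = 0x43415046. */
void pac_crypt(uint32_t *w, size_t n, const char *path, int encrypt) {
    uint32_t prev = 0x43415046u;
    mt_init_genrand(pac_name_hash(path));
    for (size_t i = 0; i < n; i++) {
        uint32_t in = w[i];
        w[i] = in ^ prev ^ mt_genrand_int32();   /* same formula both ways */
        prev = encrypt ? in : w[i];              /* chain on the plaintext word */
    }
}

/* Constructed sample data: 1 if words encrypted under enc_name decrypt under dec_name. */
int pac_roundtrip_ok(const char *enc_name, const char *dec_name) {
    uint32_t buf[4] = { 0x46504143u, 1u, 2u, 3u };
    pac_crypt(buf, 4, enc_name, 1);
    pac_crypt(buf, 4, dec_name, 0);
    return buf[0] == 0x46504143u && buf[3] == 3u;
}
int main(void) { return !pac_roundtrip_ok("chara_split_00.pac", "chara_split_00.pac"); }
```

Because the only key material is the file name, a renamed file seeds the generator differently and the very first word already decrypts wrong.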


Posted: Fri May 14, 2021 6:37 pm
Joined: Sat Mar 02, 2019 3:24 pm
Posts: 162
@Ekey
I tried with the correct path and file name. But I still get the "unpacked" file name.
What can I do?

