ZenHAX


All times are UTC




Posted: Wed Apr 28, 2021 8:25 pm

Joined: Mon Apr 26, 2021 9:38 pm
Posts: 9
Hello!

In this topic I want to learn how to extract files from 2 archives I have.
Maybe this topic will become a kind of tutorial, with time.
I will write here what I have done and the results, and some wise people will guide me to which tutorial I should step to next.


Point 0. What I have
There are 2 archives. Let's call them assets1.bin and assets2.bin.
assets1.bin - was in the game files. 650 MB
assets2.bin - was inside a simple game archive. 500 MB


Point 1. What has been done first
Searching the internet. Gave 0 results, the source is not a popular game.
Internal Total Commander unpacker. 0
Dragon Unpacker. 0


Point 2. Quick BMS start page
Downloaded all the scripts. Went on to searching by keywords.

Opened assets1.bin with hex.
First 4 hex is: 5C 08 3F 07
Second 4 hex is: 25 0C 00 00
Searching - no match.

Opened assets2.bin with hex.
First 4 hex is: 5C 08 3F 07
Second 4 hex is: 31 0C 00 00
Searching - no match.
With spaces and without.

From the top part of both files I can see two signs: GSUBM and DYNA
Maybe this info will help in the future.


Point 3. Where to start?
I have opened several qbms scripts and found that there is not too much code inside of them.
For example:
age_of_empires_3.bms
company_heroes.bms
heroes_might_magic_3.bms

I think it should be possible to make the same for my archives.

So, which tutorial or research should I start with?


Last edited by MonikaZEN on Wed May 12, 2021 6:00 am, edited 1 time in total.

Posted: Wed Apr 28, 2021 9:43 pm
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 12183
I guess it's much simpler to specify the name of the game and provide the files for analysis.


Posted: Thu Apr 29, 2021 4:56 am

Joined: Mon Apr 26, 2021 9:38 pm
Posts: 9
[spoiler]Starships by Sid Meier

assets1.bin (PC version)
assets2.bin (iPad version)

[/spoiler]

P.S. Is it possible to make a !spoiler BBcode?


Last edited by MonikaZEN on Wed May 12, 2021 5:57 am, edited 1 time in total.

Posted: Thu Apr 29, 2021 7:49 am
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 12183
Here is the script for quickbms:
http://aluigi.org/bms/sid_starships.bms

The format is very simple as visible from the script.

There is no "spoiler" mod on the forum and there is no need to mask the name of the game.


Posted: Thu Apr 29, 2021 8:15 am

Joined: Mon Apr 26, 2021 9:38 pm
Posts: 9
Holy Lightning Speedster! That was fast.

What measures can I take to obtain the normal names of files?


Posted: Thu Apr 29, 2021 8:43 am
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 12183
You need all the original filenames (usually captured via hooking/debugging) and then to figure out what CRC algorithm is used on them.

So, no, there is no way.


Posted: Thu Apr 29, 2021 11:03 am

Joined: Sat Aug 09, 2014 2:34 pm
Posts: 1189
fnv32 :)


Posted: Thu Apr 29, 2021 2:17 pm

Joined: Mon Apr 26, 2021 9:38 pm
Posts: 9
aluigi wrote:
*** no way.
You mean that the archive itself does not contain such information, and that is why - no way?

Ekey wrote:
fnv32 :)
fnv32 is a hash function: https://en.wikipedia.org/wiki/Fowler–Noll–Vo_hash_function
1. How can I be sure that this case uses fnv32?
2. If so - is it possible to use reversed fnv32 function on current hashed names to gain original names?

I can provide nearly 95% of the original file names.


Posted: Thu Apr 29, 2021 4:11 pm
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 12183
If you have almost all the file names (the whole relative path) then it's easy to do the job since there is a command of quickbms for doing that, something like the following to replace the current 'string NAME p "%08x." NAME_CRC':
Code:
namecrc NAME NAME_CRC  "names.txt" 32 "" "32 0 0 38 0 1"


Posted: Fri Apr 30, 2021 2:50 am

Joined: Tue Oct 13, 2015 1:26 pm
Posts: 546
MonikaZEN wrote:
1. How can I be sure that this case uses fnv32?
If Ekey said it is, then it is.
MonikaZEN wrote:
2. If so - is it possible to use reversed fnv32 function on current hashed names to gain original names?
No, this is mathematically impossible. See this topic and you will understand how Hash + FileNameList + QuickBMS works, then you should be able to do the same with your case.

_________________
Tribo Gamer Brasil


Posted: Fri Apr 30, 2021 6:47 am

Joined: Mon Apr 26, 2021 9:38 pm
Posts: 9
aluigi wrote:
If you have almost all the file names (the whole relative path)

Pity, but no. I can retrieve only the last part of the relative file path. The file name without the path. :(

Delutto wrote:
See this topic and you will understand how Hash + FileNameList + QuickBMS works, then you should be able to do the same with your case.

Thanks. I have read this thread. As far as I can understand:

1. Ekey deciphered the algo as Murmur 2 and created an FPHook (dinput8).
FPHook extracts full file path of used file from RAM to log. (full path file list)

2. Delutto, you, using algo, created a File Names Compare Hash List.
And a tool (Frostpunk_DAT_Tool), which not only unpacks but at the same time compares the hashed names from the list and replaces the original path of files.

In case of fnv32 algo QBMS will automatically compare hash names with file paths. Am I right?
If so, then my case needs an FPHook analog.

Where should I start to make an FPHook for the Steam version of Starships64.exe?
Do I need a tutorial for a debugger to start with?


Posted: Fri Apr 30, 2021 10:00 am
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 12183
MonikaZEN wrote:
In case of fnv32 algo QBMS will automatically compare hash names with file paths. Am I right?

Exactly, by using the instruction I provided in my previous post and creating a file called names.txt with all the file names (as expected by the game), one per line.


Posted: Wed May 12, 2021 6:02 am

Joined: Mon Apr 26, 2021 9:38 pm
Posts: 9
Market request: $15 for File Path Hook for Starships


Posted: Wed May 12, 2021 10:56 am

Joined: Sat Aug 09, 2014 2:34 pm
Posts: 1189
I was wrong about fnv32, I checked the iOS version more closely and I conclude that the file hashing algorithm is CRC32 with polynomial 0xEDB88320.

Unfortunately, I do not have this game in Steam to check the PC version and make a hook. I can try to do this for the pirated version (not sure if it will work in the Steam version).


Posted: Wed May 12, 2021 6:54 pm

Joined: Mon Apr 26, 2021 9:38 pm
Posts: 9
Ekey wrote:
Unfortunately, I do not have this game in Steam to check the PC version and make a hook. I can try to do this for the pirated version (not sure if it will work in the Steam version).

It's OK. Conversely, I can use the version on which you will do the research.
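
The question of how to confirm the hash algorithm, and the hash-plus-name-list matching that aluigi and Ekey describe, as an added example that is not part of any post in this thread: it hashes a list of known names with CRC32 (polynomial 0xEDB88320) and both FNV-32 variants under a few path normalizations, then reports which combination resolves the most stored hashes. The file names, the stored hashes and the normalizations are constructed assumptions, not values taken from the game.

```python
import zlib
FNV_OFFSET, FNV_PRIME = 0x811C9DC5, 0x01000193

def crc32(data: bytes) -> int:
    # zlib implements the reflected CRC-32, polynomial 0xEDB88320.
    return zlib.crc32(data) & 0xFFFFFFFF

def fnv1_32(data: bytes) -> int:
    h = FNV_OFFSET
    for b in data:
        h = ((h * FNV_PRIME) & 0xFFFFFFFF) ^ b  # multiply, then XOR
    return h

def fnv1a_32(data: bytes) -> int:
    h = FNV_OFFSET
    for b in data:
        h = ((h ^ b) * FNV_PRIME) & 0xFFFFFFFF  # XOR, then multiply
    return h

ALGOS = {"crc32": crc32, "fnv1_32": fnv1_32, "fnv1a_32": fnv1a_32}
# Assumed path normalizations a game might apply before hashing.
NORMALIZERS = {
    "as-is": lambda s: s,
    "lower": str.lower,
    "lower+backslash": lambda s: s.lower().replace("/", "\\"),
}

def score(stored, names):
    """Map each (algorithm, normalization) pair to the stored hashes it explains."""
    stored = set(stored)
    results = {}
    for aname, algo in ALGOS.items():
        for nname, norm in NORMALIZERS.items():
            table = {algo(norm(n).encode("utf-8")): n for n in names}
            results[(aname, nname)] = {h: table[h] for h in stored if h in table}
    return results

def best_mapping(stored, names):
    """Return the pair that resolves the most hashes, plus its hash -> name map."""
    results = score(stored, names)
    key = max(results, key=lambda k: len(results[k]))
    return key, results[key]

# Constructed sample: three hashed names plus one hash with no known name.
NAMES = ["Textures/Ship01.dds", "Audio/Music/Theme.ogg", "UI/Main.xml", "Data/Unused.bin"]
STORED = [crc32(n.lower().encode()) for n in NAMES[:3]] + [0xDEADBEEF]
if __name__ == "__main__":
    (algo, norm), mapping = best_mapping(STORED, NAMES)
    print(algo, norm, {f"{h:08x}": n for h, n in mapping.items()})
```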

