ZenHAX

Free Game Research Forum | Official QuickBMS support | twitter @zenhax | SSL HTTPS://zenhax.com
It is currently Tue Nov 30, 2021 12:40 pm

All times are UTC




Post new topic  Reply to topic  [ 13 posts ] 
Author Message
PostPosted: Tue Aug 17, 2021 12:42 pm 

Joined: Tue Aug 17, 2021 11:58 am
Posts: 9
hello people, so my current dilemma at the moment is what exactly do I do with these unmarked files?
I have done asset extraction via assetstudio and UABE before as those are pretty straight forward but these files have really got me confused.
Ill explain what I have done so far, I have done the very simple asset extraction found within the main directory of the game.

I then discovered that files I have been looking for werent there (voicelines) I figured they must have been somewhere else.

In the game there is an option to (download all assets) and doing so created a folder that was 3GB in size in a secret 2nd directory for the game (screenshot1)

The location of the 3GB's worth of data is located in the folder called "r" and within it are various folders varying in size (screenshot2)

Within one of the folders are hundreds of files varying in size but they have no extension (screenshot3)

so the question now is what do I do now?
I really appreciate any help I can get as all this is for the fandom of Overlord and escaping the grip of gacha gaming


Attachments:
File comment: the insides of one of the folders
Screenshot_3.png [50.44 KiB]
Not downloaded yet
File comment: the location of assets totaling to 3gb
Screenshot_2.png [27.85 KiB]
Not downloaded yet
File comment: the location of the second directory
Screenshot_1.png [32.9 KiB]
Not downloaded yet
Top
   
PostPosted: Tue Aug 17, 2021 1:16 pm 
User avatar

Joined: Mon Nov 23, 2020 6:01 pm
Posts: 88
Just a screenshot of filenames probably isn't that useful as the files could be absolutely anything.

It's probably best to upload a few samples for people to look at. They could be compressed or encrypted.

You could also open some of them in a hex editor to see if they contain any recognisable information such as headers that might relate to specific file types, for example "RIFF" for some audio files.

_________________
"You now stand on the cusp of two realities, about to leave all that you know behind. I have called many mortals here in ages past to call forth judgement and test the spirit in the hearts of men."


Top
   
PostPosted: Tue Aug 17, 2021 1:46 pm 

Joined: Tue Aug 17, 2021 11:58 am
Posts: 9
DKDave wrote:
Just a screenshot of filenames probably isn't that useful as the files could be absolutely anything.

It's probably best to upload a few samples for people to look at. They could be compressed or encrypted.

You could also open some of them in a hex editor to see if they contain any recognisable information such as headers that might relate to specific file types, for example "RIFF" for some audio files.


Attachments:
e.rar [4.13 MiB]
Downloaded 43 times
Top
   
PostPosted: Tue Aug 17, 2021 2:08 pm 

Joined: Tue Aug 17, 2021 11:58 am
Posts: 9
DKDave wrote:
Just a screenshot of filenames probably isn't that useful as the files could be absolutely anything.

It's probably best to upload a few samples for people to look at. They could be compressed or encrypted.

You could also open some of them in a hex editor to see if they contain any recognisable information such as headers that might relate to specific file types, for example "RIFF" for some audio files.


I have uploaded a few samples in the previous post and I also stuck one of the samples into a hex editor

only problem is this of course is all moon runes to me

I have also been looking around the forum and it seems that there was indeed some files encrypted and a user by the name of "chrrox" posted what seems to be a way to unencrypt files

what files they would unencrypt I do not know as the sample files have long been deleted

i will post the decrypt xor key he had posted

00 ff ff ff ff ff ff 00 00 00 00 00 00 00


Attachments:
File comment: hex editor and mystery file
Screenshot_4.png [96.58 KiB]
Not downloaded yet
Top
   
PostPosted: Tue Aug 17, 2021 4:30 pm 
User avatar

Joined: Mon Nov 23, 2020 6:01 pm
Posts: 88
I've had a look at your samples and they seem to be just Xor encrypted Unity files. The only issue is that the Xor key seems different for each file, although they are just a mixture of 00s and FFs.

The keys for each file are as follows:

"2e..." is "\x00\xff\xff\xff\x00\x00\x00\x00"
"34..." is "\x00\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"98..." is "\x00\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00"

They all load into Asset Studio fine with those keys applied. Unless there's a table somewhere with the key for each file, then there may be a way to work it out, although I can't see how exactly at the minute - it may be possible to do a loop until you get one that works...

_________________
"You now stand on the cusp of two realities, about to leave all that you know behind. I have called many mortals here in ages past to call forth judgement and test the spirit in the hearts of men."


Top
   
PostPosted: Tue Aug 17, 2021 4:52 pm 

Joined: Tue Aug 17, 2021 11:58 am
Posts: 9
DKDave wrote:
I've had a look at your samples and they seem to be just Xor encrypted Unity files. The only issue is that the Xor key seems different for each file, although they are just a mixture of 00s and FFs.

The keys for each file are as follows:

"2e..." is "\x00\xff\xff\xff\x00\x00\x00\x00"
"34..." is "\x00\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"98..." is "\x00\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00"

They all load into Asset Studio fine with those keys applied. Unless there's a table somewhere with the key for each file, then there may be a way to work it out, although I can't see how exactly at the minute - it may be possible to do a loop until you get one that works...


that's good to hear that they are indeed the files I have been looking for and I'm thankful you have confirmed it
If I manually have to do all 3gb's worth of assets I will do it but if you can bear with me a little longer how is it that I do this decrypting.
I've read some of the earlier threads and they seem to say to do some sort of script but that is the farthest I have gotten when it comes to this sort of thing.

Again thank you for putting up with me.


Top
   
PostPosted: Tue Aug 17, 2021 6:37 pm 
User avatar

Joined: Mon Nov 23, 2020 6:01 pm
Posts: 88
I don't know if they have the voice lines or not, or whether this will work for every file, but the attached QuickBMS script attempts to decrypt the file by trying a number of Xor keys. The keys all seem to follow a pattern, so I've just set up a list of possible ones. There may be other non-Unity files in those folders as well, which this script won't decrypt. If you give it a try on a number of files to see if you have much success. It works on your 3 samples at least.

You can download QuickBMS from Luigi's site here: http://aluigi.altervista.org/quickbms.htm - it's easy enough to use.

Attachment:
overlord.zip [467 Bytes]
Downloaded 50 times

_________________
"You now stand on the cusp of two realities, about to leave all that you know behind. I have called many mortals here in ages past to call forth judgement and test the spirit in the hearts of men."


Top
   
PostPosted: Tue Aug 17, 2021 6:54 pm 

Joined: Tue Aug 17, 2021 11:58 am
Posts: 9
DKDave wrote:
I don't know if they have the voice lines or not, or whether this will work for every file, but the attached QuickBMS script attempts to decrypt the file by trying a number of Xor keys. The keys all seem to follow a pattern, so I've just set up a list of possible ones. There may be other non-Unity files in those folders as well, which this script won't decrypt. If you give it a try on a number of files to see if you have much success. It works on your 3 samples at least.

You can download QuickBMS from Luigi's site here: http://aluigi.altervista.org/quickbms.htm - it's easy enough to use.

overlord.zip


Thanks a lot, I will do my best and make sure to report back any progress I have made.

I will also upload the data and post a link in case anyone else wants to use the other assets from the game, though that will be for another day


Top
   
PostPosted: Tue Aug 17, 2021 9:49 pm 

Joined: Tue Aug 17, 2021 11:58 am
Posts: 9
DKDave wrote:
I don't know if they have the voice lines or not, or whether this will work for every file, but the attached QuickBMS script attempts to decrypt the file by trying a number of Xor keys. The keys all seem to follow a pattern, so I've just set up a list of possible ones. There may be other non-Unity files in those folders as well, which this script won't decrypt. If you give it a try on a number of files to see if you have much success. It works on your 3 samples at least.

You can download QuickBMS from Luigi's site here: http://aluigi.altervista.org/quickbms.htm - it's easy enough to use.

overlord.zip


Doing a quick report before I go to bed
after using the script a large majority of the files were decrypted but around 1GB's worth of files remained encrypted (screenshot5)

I have also included a sample file of what I believe contains an encrypted voicefile (voicefilerar) that I had been monitoring with process monitor and it seems that if my guess is correct most of the voicelines within the game are located within a folder name 'v"

Im hoping you can see whats up with the file and see if it truly is the voice files I have been looking for


Attachments:
voicefile.rar [262.19 KiB]
Downloaded 42 times
Screenshot_5.png [15.03 KiB]
Not downloaded yet
Top
   
PostPosted: Wed Aug 18, 2021 6:27 am 

Joined: Tue Aug 17, 2021 11:58 am
Posts: 9
DKDave wrote:
I don't know if they have the voice lines or not, or whether this will work for every file, but the attached QuickBMS script attempts to decrypt the file by trying a number of Xor keys. The keys all seem to follow a pattern, so I've just set up a list of possible ones. There may be other non-Unity files in those folders as well, which this script won't decrypt. If you give it a try on a number of files to see if you have much success. It works on your 3 samples at least.

You can download QuickBMS from Luigi's site here: http://aluigi.altervista.org/quickbms.htm - it's easy enough to use.

overlord.zip


2nd update
I have subjugated the folder named "v" with the xor script and was surprised that no files were decrypted

I had then made a copy of the script and added a few more permutations and compared the results side by side (screenshot1)
in the screenshot you can see that instead of 1% the new script now says 3%

I dont know what exactly this means but hopefully you can help this just a little bit more


Attachments:
screenshot_1.png [45.69 KiB]
Not downloaded yet
Top
   
PostPosted: Wed Aug 18, 2021 11:25 am 
User avatar

Joined: Mon Nov 23, 2020 6:01 pm
Posts: 88
Looking at the voice file, that's an AFS2 audio archive. You can play those in Foobar with the vgmstream plugin if you rename them to .afs2. However, the audio data is encrypted differently to the simple Unity file xor encryption, so it just sounds like noise. You will need a proper decryption key for the audio files. This will usally be stored in the executable file somewhere, but that's not my area of expertise - probably the hcs64.com forum might be better to ask for that side of things.

You probably don't get anything from the "v" folder because they're likely to be all AFS2 files.

_________________
"You now stand on the cusp of two realities, about to leave all that you know behind. I have called many mortals here in ages past to call forth judgement and test the spirit in the hearts of men."


Top
   
PostPosted: Wed Aug 18, 2021 12:16 pm 

Joined: Tue Aug 17, 2021 11:58 am
Posts: 9
DKDave wrote:
Looking at the voice file, that's an AFS2 audio archive. You can play those in Foobar with the vgmstream plugin if you rename them to .afs2. However, the audio data is encrypted differently to the simple Unity file xor encryption, so it just sounds like noise. You will need a proper decryption key for the audio files. This will usally be stored in the executable file somewhere, but that's not my area of expertise - probably the hcs64.com forum might be better to ask for that side of things.

You probably don't get anything from the "v" folder because they're likely to be all AFS2 files.



Ahhh it seems another roadblock stands in my way.
I'll get to that once I finish what I have first promised.

I will finish decrypting the rest of the contents within the game, upload them and post the link here when all is done.

Thank you so very much DkDave, without your help there is no way I would have gained all this info.

I will continue to learn so that hopefully when others ask for assistance I can also respond with my own knowledge.


Top
   
PostPosted: Mon Aug 23, 2021 4:26 pm 

Joined: Tue Aug 17, 2021 11:58 am
Posts: 9
Update 3


Attachments:
script.txt [781 Bytes]
Downloaded 46 times
Top
   
Display posts from previous:  Sort by  
Post new topic  Reply to topic  [ 13 posts ] 

All times are UTC


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Powered by phpBB® Forum Software © phpBB Limited