I need help decompressing the files within the zip archives from Forza Horizon 4
Important information: this site is currently scheduled to go offline indefinitely by end of the year.
[Help] Forza Horizon 4 zip archives
-
- beginner
- Posts: 27
- Joined: Sun Mar 13, 2011 4:02 am
- Has thanked: 14 times
- Been thanked: 3 times
-
- beginner
- Posts: 23
- Joined: Thu Oct 28, 2021 9:17 am
- Has thanked: 3 times
- Been thanked: 33 times
Re: [Help] Forza Horizon 4 zip archives
In continuation of the conversation started in Forza Apex database - gamedb.slt about encrypted zip archives in Forza Horizon 5 v1.405.2.0 (Steam) [EMPRESS] (ForzaHorizon5.exe CRC32: BFCEECA8).
I found a way to extract .txt and .dat files for now. The archive header is not encrypted, so we can see the name, size and crc32 of the stored files.
After CreateFile breakpoint reached, place another one at <vcruntime140.dll.memmove> or at more stable 0000000145509E3D with the condition: qword(rdx) == 656C74746F726854 || byte(rdx) == 30 && byte(rdx + 1) == 0D && byte(rdx + 2) == 0A, where 656C74746F726854 is the beginning of .txt file "Throttle" in big endian, and 30 0D 0A is the first line of .dat file "0\r\n". To save the result use: savedata :memdump:,rdx,r8.
It calls in the following order:
The call stack related to decompressing the encrypted zip file.
There are other .zip files encrypted in the same way, such as "media\Stripped\TIDETables.zip". It loads right after the game executable is launched, so this is a good place to start. It contains files with "BXML" at the beginning: qword(rdx) == 4C4D5842.
Once I got G_V8NM_American_Truck_1_Eng.zip/Acc_01_Acc_2438_ADPCM.wav file, but I can't reproduce it anymore. Now the game crashes or all threads are suspended. Luckily I took two screenshots and saved the file. I used the car FOR_SVTRaptor_12.
All mentioned files are in an attachment (four .txt and .dat, and one .wav).
I found a way to extract .txt and .dat files for now. The archive header is not encrypted, so we can see the name, size and crc32 of the stored files.
After CreateFile breakpoint reached, place another one at <vcruntime140.dll.memmove> or at more stable 0000000145509E3D with the condition: qword(rdx) == 656C74746F726854 || byte(rdx) == 30 && byte(rdx + 1) == 0D && byte(rdx + 2) == 0A, where 656C74746F726854 is the beginning of .txt file "Throttle" in big endian, and 30 0D 0A is the first line of .dat file "0\r\n". To save the result use: savedata :memdump:,rdx,r8.
It calls in the following order:
Code: Select all
Exh_Acc_G_I6TTC_Asian_Street_1.txt
Exh_Acc_G_I6TTC_Asian_Street_1_Acc_Sweep_GS.dat
Exh_Dec_G_I6TTC_Asian_Street_1.txt
Exh_Dec_G_I6TTC_Asian_Street_1_Dec_Sweep_GS.dat
Code: Select all
0000000145509E3D: calls memmove, rdx has decrypted file content
0000000145508C1C
0000000140F45C66
0000000140F3BC2A
Once I got G_V8NM_American_Truck_1_Eng.zip/Acc_01_Acc_2438_ADPCM.wav file, but I can't reproduce it anymore. Now the game crashes or all threads are suspended. Luckily I took two screenshots and saved the file. I used the car FOR_SVTRaptor_12.
All mentioned files are in an attachment (four .txt and .dat, and one .wav).
You do not have the required permissions to view the files attached to this post.
Re: [Help] Forza Horizon 4 zip archives
@Doliman100 I think I love you. The information you're providing to the Forza community right now is invaluable, thank you so much.
-
- beginner
- Posts: 23
- Joined: Thu Oct 28, 2021 9:17 am
- Has thanked: 3 times
- Been thanked: 33 times
Re: [Help] Forza Horizon 4 zip archives
I found a way to extract both files compressed with the common methods and files compressed with method 22. The game usues some method of class IOSys::CCompressedFileStream (d:\p4\woodstock_hf\engine\iosys\Src\CompressedFileStream.cpp) for this. So, if someone wants to make a quickbms script for decompressing method 22, you are welcome. By the way, the ForzaHorizon5.exe file from the EMPRESS crack (v1.405.2.0, CRC32: BFCEECA8) can be decompiled by IDA Pro, because EMPRESS has already unpacked it. This version has an Arxan log that can be downloaded separately. You can use it to see some class names and their methods.
At the moment, I don't know how to get the file names, only the full path to the archive. To extract media\Audio\EngineSynth\*.zip files, you can place a breakpoint at these two addresses. They are right after the call to that decompress function.
0. In x64dbg/memdumps/ directory, create folders with the names of the zip files you want to export.
1. Debug > Run
2. Command
For txt: savedata memdumps\{utf8([rbp+258]+1E)}{utf8([rbp-40])},qword(rsp+58),r14d
For wav and dat: savedata memdumps\{utf8([rbp+F]+1E)}{utf8([rbp-59])},qword(r14),dword(rsi)
3. Goto step 1
If you have doubts about what you've saved, you can always compare it to CRC32.
I tested it with TOY_SupraRZ_98 "Toyota Supra RZ (1998)". Here are 7 decompressed zip files that it uses.
https://mega.nz/folder/jsQFmSZD#5Y65-CrrT8PLMa2bvdX3GA
Code: Select all
0000000140F3B840: DecompressFile
rcx: looks like IOSys::CCompressedFileStream *
[rcx+30]: pointer to some class
[[[rcx+30]]+110]: GetVolumePath
utf8([[rcx+30]+30]): volume_path "C:\Program Files (x86)\DODI-Repacks\Forza Horizon 5\media\stripped\tidetables.zip"
r8: char *destination
r9: int filesize
Code: Select all
0000000140760C36 txt
000000014075D762 wav + dat
1. Debug > Run
2. Command
For txt: savedata memdumps\{utf8([rbp+258]+1E)}{utf8([rbp-40])},qword(rsp+58),r14d
For wav and dat: savedata memdumps\{utf8([rbp+F]+1E)}{utf8([rbp-59])},qword(r14),dword(rsi)
3. Goto step 1
If you have doubts about what you've saved, you can always compare it to CRC32.
I tested it with TOY_SupraRZ_98 "Toyota Supra RZ (1998)". Here are 7 decompressed zip files that it uses.
https://mega.nz/folder/jsQFmSZD#5Y65-CrrT8PLMa2bvdX3GA
Code: Select all
G_I6TTC_Asian_Street_1_Eng
G_I6TTC_Asian_Street_1_Int
G_I6TTC_Asian_Street_1_Exh
G_I6TTC_Asian_Street_1_InL
G_I6TTC_Asian_Street_1_InR
Turbo_I6TC_Asian_Street_6_Tbo
Transmission_V6TTM_American_Supercar_1_Trn
Last edited by Doliman100 on Fri Jul 21, 2023 9:20 am, edited 1 time in total.
Re: [Help] Forza Horizon 4 zip archives
amazing! Ill try extracting some more samples with this!
as for making a quickbms script, i don't have the necessary knowledge, but maybe some one who reads this can!
as for making a quickbms script, i don't have the necessary knowledge, but maybe some one who reads this can!
Re: [Help] Forza Horizon 4 zip archives
i was successfully able to extract the .txt's, but when trying to extract the wav's i'm having a memory allocation error and the software crashes, is there any aditional step for the wavs?
i'm able to successfuly create the breakpoint
i'm able to successfuly create the breakpoint
-
- beginner
- Posts: 23
- Joined: Thu Oct 28, 2021 9:17 am
- Has thanked: 3 times
- Been thanked: 33 times
Re: [Help] Forza Horizon 4 zip archives
What version of Forza Horizon 5 are you using? What is the exact error message? At what step does the error occur? Does this happen right after entering the command for wav and dat files in step 2? What car and zip file are you trying?
-
- beginner
- Posts: 23
- Joined: Thu Oct 28, 2021 9:17 am
- Has thanked: 3 times
- Been thanked: 33 times
Re: [Help] Forza Horizon 4 zip archives
I think I reproduced it. The problem was the wrong type of the size variable. Now I have defined it explicitly. Try these commands instead:
Code: Select all
savedata memdumps\{utf8([rbp+258]+1E)}{utf8([rbp-40])},qword(rsp+58),r14d
savedata memdumps\{utf8([rbp+F]+1E)}{utf8([rbp-59])},qword(r14),dword(rsi)
Re: [Help] Forza Horizon 4 zip archives
Hi, sorry for the lack of information in the preivous post, but yes! indeed your new approach works! thank you for your work, you've finnally put an end in this 2 year long quest!
for anyone else who'd like to try, i've used the 1.405 verison, with empress crack.
i, and i think the whole community, truly appreaciate the work you've done
i wish you the best!
for anyone else who'd like to try, i've used the 1.405 verison, with empress crack.
i, and i think the whole community, truly appreaciate the work you've done
i wish you the best!
-
- beginner
- Posts: 23
- Joined: Thu Oct 28, 2021 9:17 am
- Has thanked: 3 times
- Been thanked: 33 times
Re: [Help] Forza Horizon 4 zip archives
I confirmed that method 22 is encrypted the same way as stage 1 of .slt powered by Arxan TransformIT. After decryption, this is the usual method 8 (Deflate).