new AION .pak file format.need help!

[Hiam]

Pretty simple? Doesn't this old version of Themida/Xtreme Protector use an aggressive ring0 driver?
And what about some tools identifying Xtreme Protector (though that one section is named Themida)?
Are both protections used?

It's easier than that, but um both Themida, and identifing near EOF you can notice what version it is, by comparing your own protected applications, you know what version you've used. Use Peid for this, and try find a cool signature Database, I hear the next version of Peid will contain loads of signatures.

It does not use any kernel driven driver, it use hooks allthough.
Which case, you wont have to bother now, since i supplied you with a decrypted code dll.

[Rheini]

Yeah but I'm into every aspect of reverse engineering, not only game file formats
I'm really interested in how you unpacked it. There are not much tutorials out there. I only have a spanish one, but it's hard to read it using Google translation

[Hiam]

Allrighty then, well drop me a pm with your msn and i'll tell you

[Mark]

Awesome, progress. Wish you guys had some kind of "donate" button, lol.

[Rheini]

Another unpacked Crysystem.dll can be found here: http://sharebee.com/1378465c

[Jeram]

Hi guys,

I'm new to this forum and very curious about Aion's textures and sounds Is there any news about how to extract the files from the *.pak files? Since I don't much about encryption and all this stuff, the only way I can help you is uploading any needed client file to get this done.

[Hiam]

Code: Select all

_:33084D37 loc_33084D37:                           ; CODE XREF: sub_33084BD0:loc_33084C53j
___:33084D37                                         ; DATA XREF: ___:33085574o
___:33084D37                 cmp     edi, 20h        ; Compare Two Operands
___:33084D3A                 jnb     short loc_33084D74 ; Jump if Not Below (CF=0)
___:33084D3C                 mov     ecx, 1
___:33084D41
___:33084D41 loc_33084D41:                           ; CODE XREF: sub_33084BD0+1A2j
___:33084D41                 cmp     [ebp+var_8], 0  ; Compare Two Operands
___:33084D45                 jz      loc_330852FD    ; Jump if Zero (ZF=1)
___:33084D4B                 mov     edx, [ebp+var_4]
___:33084D4E                 sub     [ebp+var_8], ecx ; Integer Subtraction
___:33084D51                 movzx   edx, byte ptr [edx] ; Move with Zero-Extend
___:33084D54                 mov     ecx, edi
___:33084D56                 shl     edx, cl         ; Shift Logical Left
___:33084D58                 mov     ecx, 1
___:33084D5D                 add     [ebp+var_4], ecx ; Add
___:33084D60                 add     edi, 8          ; Add
___:33084D63                 or      eax, edx        ; Logical Inclusive OR
___:33084D65                 cmp     edi, 20h        ; Compare Two Operands
___:33084D68                 mov     [ebp+arg_8], 0
___:33084D6F                 mov     [ebp+arg_4], eax
___:33084D72                 jb      short loc_33084D41 ; Jump if Below (CF=1)

[Katadin]

I hadn't seen this forum before (doh, hours wasted!) so I only managed to get as far as noticing it was a zip file with the header changed. When I tried extracting with those 32 bytes different I got all sorts of exceptions so hopefully you wizards can work out whats changed (i.e. what the OP posted about). I'm not a super programmer, but I do like ripping apart game files and their encryption (as long as they're fairly basic!). ASM is a bit beyond me so the above code goes way over my head, but if I can get an idea of whats changed then I'll keep giving it a go

[Katadin]

If I've made any sense of that assembly above, you'd need to know what is stored in EAX and CL, and what EBP initially points to, to make any sense of how the values are being manipulated? Never done much debugging, but not sure how you'd inspect those without the program running?

I presume the scrambling of these 32 bytes is literally just to break the deflate routine and nothing more? If so my gut instinct is that those 32 bytes are just being encoded against a key, which I'd guess EAX points to. Lot of guessing, but its all I've got so far

[Hiam]

The above routine just give you a hint what to look for.

From my previous research i found that

The data is "simply" xor-ed by the pre-calculated table.
You can find the table and how it is xor-ed in Crysystem.dll.

[Katadin]

I'm going cross-eyed looking through the .dll What you said above was really helpful in finding the table, I just have no idea where to look to find out how it selects each entry. Any more hints?

Edit: nevermind, think I figured it out (very sneaky!), and hopefully thats enough to find the right "key". Getting a bit closer now!

[kalrua]

The contents of this post was deleted because of possible forum rules violation.

[Hiam]

We know, and so can we with our codes. Thats not really what the thread is about ;P

[titanic]

The contents of this post was deleted because of possible forum rules violation.

[Hiam]

Not much of a change allthough