Operation Flashpoint 2: Dragon Rising .000, .001, .002, etc.
-
- advanced
- Posts: 72
- Joined: Sun Oct 26, 2008 2:41 am
- Has thanked: 3 times
- Been thanked: 4 times
Operation Flashpoint 2: Dragon Rising .000, .001, .002, etc.
The contents of this post were deleted because of a possible forum rules violation.
- XRaptor
- mega-veteran
- Posts: 226
- Joined: Sat Jul 12, 2008 4:42 pm
- Location: Prague
- Has thanked: 6 times
- Been thanked: 47 times
- Contact:
Re: Operation Flashpoint 2: Dragon Rising .000, .001, .002, etc.
It is just a filesystem. You can merge all files into one. All files inside are compressed with LZSS; there is no problem there. The problem is the file win_000.nfs. I think it is an AES-encrypted file with information about the files inside. I am able to decompress files from the win_000.??? files, but I was unable to decrypt that "index" file to get info about offsets, sizes etc.
- XRaptor
- mega-veteran
- Posts: 226
- Joined: Sat Jul 12, 2008 4:42 pm
- Location: Prague
- Has thanked: 6 times
- Been thanked: 47 times
- Contact:
Re: Operation Flashpoint 2: Dragon Rising .000, .001, .002, etc.
OrangeC wrote: I am using the tool DeLZSS but have no idea how to use the command to input the key.
It is not standard LZSS, but a custom one.
Last edited by XRaptor on Wed Oct 07, 2009 2:26 pm, edited 1 time in total.
- XRaptor
- mega-veteran
- Posts: 226
- Joined: Sat Jul 12, 2008 4:42 pm
- Location: Prague
- Has thanked: 6 times
- Been thanked: 47 times
- Contact:
Re: Operation Flashpoint 2: Dragon Rising .000, .001, .002, etc.
Vash wrote: try using "AC2211234495ACA27E805986108BEEDD4D01D3970B9D4CA93D7BE1BBEDDA8458" as key
Well, the key is OK, file decrypted. How did you get it? I found only something like "BF238E52208261B11FB50901E78E45AC4660153565F09295305484E1F05166EC".
-
- advanced
- Posts: 72
- Joined: Sun Oct 26, 2008 2:41 am
- Has thanked: 3 times
- Been thanked: 4 times
Re: Operation Flashpoint 2: Dragon Rising .000, .001, .002, etc.
Nice! So I decrypt the .000, combine all the files into one archive, and how would I go about to decompress it?
-
- veteran
- Posts: 94
- Joined: Sat Jun 20, 2009 1:47 pm
- Has thanked: 16 times
- Been thanked: 13 times
Re: Operation Flashpoint 2: Dragon Rising .000, .001, .002, etc.
Wow, you guys are fast. Good work.
Vash wrote: I did some asm researches
Is there a guide or something else that explains how to do "asm researches" to find such keys?
-
- Moderator
- Posts: 652
- Joined: Wed Oct 18, 2006 9:48 pm
- Location: Germany
- Has thanked: 19 times
- Been thanked: 46 times
- Contact:
Re: Operation Flashpoint 2: Dragon Rising .000, .001, .002, etc.
Well, learn assembler http://siyobik.info/index.php?document=x86_32bit_asm
Get a disassembler http://www.hex-rays.com/idapro/idadownfreeware.htm (or a debugger later on http://ollydbg.de/)
and get yourself lots of experience
A whole bunch of tutorials can be found here: http://www.tuts4you.com/download.php?list.19
- aluigi
- VVIP member
- Posts: 1916
- Joined: Thu Dec 08, 2005 12:26 pm
- Location: www.ZENHAX.com
- Has thanked: 4 times
- Been thanked: 664 times
- Contact:
Re: Operation Flashpoint 2: Dragon Rising .000, .001, .002, etc.
@XRaptor:
before the edit I read you had difficulties with the aes decryption, you can test it on the fly using quickbms and a script like the following:
```
get SIZE asize
encryption aes "\xAC\x22\x11\x23\x44\x95\xAC\xA2\x7E\x80\x59\x86\x10\x8B\xEE\xDD\x4D\x01\xD3\x97\x0B\x9D\x4C\xA9\x3D\x7B\xE1\xBB\xED\xDA\x84\x58"
log "decrypted.dat" 0 SIZE
```
easy :)
then you have written that it's a "custom lzss", can you be more specific?
yesterday I decompressed the first file of the first package perfectly without problems with the classical lzss and its default parameters.
@Polefish:
usually it's simpler than it looks:
- find the AES signatures (I wrote signsrch just for it)
- set a memory breakpoint in the signature which is used during the setting of the key (aes rcon in this case, unfortunately it's not referenced in the code otherwise was better to bp the code directly)
- obviously you need to know assembler, know a bit about how to use a debugger and naturally know something about how the encryption algorithms are used (from a programmer's point of view, not the algorithm itself) and what the signatures found mean
in this case the disassembler is useless because the key is probably built at runtime
anyway I don't have the game so that's the max I can say/hypothesize about this specific case :)
- XRaptor
- mega-veteran
- Posts: 226
- Joined: Sat Jul 12, 2008 4:42 pm
- Location: Prague
- Has thanked: 6 times
- Been thanked: 47 times
- Contact:
Re: Operation Flashpoint 2: Dragon Rising .000, .001, .002, etc.
Bugtest wrote: then you have written that it's a "custom lzss", can you be more specific?
yesterday I decompressed the first file of the first package perfectly without problems with the classical lzss and its default parameters.
Well, maybe it is classical lzss, I can't tell what is standard. I just found there is just a flag byte then data bytes and no "stop" and "start" byte in files. So some files can be longer than the data to decompress (maybe some alignment or my fault). The same goes for getting the offset in the buffer and the length to copy from the info bytes. I found there is xx yz where yxx = offset in buffer and z + MIN_LENGTH is length. Sometimes in other games I found that the offset must be counted the other way. But yes, the algorithm is standard lzss. So sorry for the mix-ups, I'm not perfect.
-
- Moderator
- Posts: 652
- Joined: Wed Oct 18, 2006 9:48 pm
- Location: Germany
- Has thanked: 19 times
- Been thanked: 46 times
- Contact:
Re: Operation Flashpoint 2: Dragon Rising .000, .001, .002, etc.
XRaptor wrote: Well, maybe it is classical lzss, I can't tell what is standard
Well, most implementations are "custom" to be exact.
The original paper only suggested using a flag bit that is saved directly before each data chunk.
Mostly those bits are combined to 1 or 2 bytes today though.
- aluigi
- VVIP member
- Posts: 1916
- Joined: Thu Dec 08, 2005 12:26 pm
- Location: www.ZENHAX.com
- Has thanked: 4 times
- Been thanked: 664 times
- Contact:
Re: Operation Flashpoint 2: Dragon Rising .000, .001, .002, etc.
can you list some of these games/applications which use custom lzss algorithms?
the other time you listed only settlers, do you know others?
because I have always encountered the classical lzss, like in this game, all the games based on the Cauldron engine, Zork Nemesis and something else that I don't remember at this moment.
I need to know all these exceptions which use different settings of the lzss algorithm for deciding or not to add the manual setting of these fields in quickbms (ok I will do for sure but I would like to have at least a "statistic" for my curiosity).
-
- Moderator
- Posts: 652
- Joined: Wed Oct 18, 2006 9:48 pm
- Location: Germany
- Has thanked: 19 times
- Been thanked: 46 times
- Contact:
Re: Operation Flashpoint 2: Dragon Rising .000, .001, .002, etc.
Well, as I said, I don't know any implementation that uses a single bit because this involves ugly bitwise operations.
Mostly 8 flag bits are combined, sometimes 16.
More common are variations on the parameters window size and how offset/length are encoded.
I don't know any game though except Settlers 2.