Dumped functions

Post by aluigi »

yesterday I wrote a simple and small tool which takes a dumped function as input (practically the functions exported from an executable into a raw file) and produces a C source code with all the fixed/static references converted into local variables allocated through an init function.

it's the same identical job I did with unlz2k a couple of days ago but it's all automatic so that the user needs only to clean the resulting source code and add the initialization of some pieces of memory or the NOPing of some parts of the dumped function "if" needed.

I have already tested it with the same lz2k dumped function and it works perfectly but I would like to test some other "real" examples so if someone has a pre-compiled custom compression/encryption function (x86 32bit) which uses static addresses (otherwise there is no need of the tool) I can test it.

yeah I know that I could do the tests with other known functions and examples but then where is the fun if the result is not really useful and necessary? :)

Re: Dumped functions

Post by chrrox »

The contents of this post was deleted because of possible forum rules violation.

Re: Dumped functions

Post by aluigi »

uhmmm I guess you are off-topic because I referred to something completely different :)

anyway I have given a look at these HFS archives and they are just ZIP files with a different "magic" (HF\1\2 instead of PK\3\4) and with encrypted filenames and files.
so the files are first encrypted and then compressed which means that you can extract and decompress the files without problems but their content is encrypted (no xor, no rot).

that's an unusual and senseless thing because when you encrypt a file before its compression you increase the differences in the bytes with the result of an unoptimized compression.

I have already tried to use the md5 hash of some passwords ("csm...") with the rc4 algorithm (the Crypt* functions) without success.

if you want to make a quick test disable the update in some way (for example try it offline) and put the byte 0xcc at offset 0x4C4E39 of engine.dll, when the debugger pops up you will see the password in the stack window.

*edit* I have attached a simple script in case you are curious about the content of the extracted files
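
The compression-order point made in the post above, as an added example that is not part of the original thread: it measures how well deflate does on data that was encrypted first versus data that was compressed first and encrypted afterwards. RC4 is used only because the post names it; the sample data, the key and all function names are constructed for illustration.

```python
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def compare_orderings(plain: bytes, key: bytes) -> dict:
    """Return the stored size in bytes for each processing order."""
    encrypted_first = zlib.compress(rc4(key, plain), 9)   # order described in the post
    compressed_first = rc4(key, zlib.compress(plain, 9))  # conventional order
    return {
        "plain": len(plain),
        "encrypt_then_compress": len(encrypted_first),
        "compress_then_encrypt": len(compressed_first),
    }


# Constructed sample: repetitive text, the kind of data deflate handles well.
SAMPLE = b"<entity name='tree' x='10' y='20' model='tree_01.mdl'/>\n" * 400
KEY = b"constructed-demo-key"  # illustrative key, not taken from any real archive

if __name__ == "__main__":
    for name, size in compare_orderings(SAMPLE, KEY).items():
        print(f"{name:24} {size:8d} bytes")
```

Encrypted output looks random to deflate, so the first ordering stores roughly the full input size, while the second shrinks the same data to a small fraction of it.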

Re: Dumped functions

Post by aluigi »

I have also tried using the ICE encryption with both the hexadecimal keys "\xbf\x01\x00\xde\x55\x27\x9a\x01" and "\x36\xaf\xa5\x05\x4c\xfb\x1d\x71" but still no success.

anyway a bad thing of the ice encryption is the setting of the key and its level... really chaotic

Re: Dumped functions

Post by chrrox »

Were you looking more along the lines of a game like devil may cry 4 that uses an unknown compression?

Re: Dumped functions

Post by aluigi »

I thought that everything about dm4 was finished.
if the decompression algorithm is still not known it could be a good candidate for the testing of my tool.

P.S.: has someone checked if it was XMemDecompress?
does a raw decompressed block exist somewhere to test? (only the compressed data without headers)

Re: Dumped functions

Post by aluigi »

confirmed, it's XMemDecompress

Re: Dumped functions

Post by brycechen »

umm since I was looking for the mabinogi heros's dumping files, hope you don't mind if I post a reply and ask some questions.

are there any bms files I could have for dumping mabinogi heros?

Re: Dumped functions

Post by Chessman »

aluigi wrote: "confirmed, it's XMemDecompress"
how to find XMemDecompress functions?
in one dll of the dlls in the bin directory?

Re: Dumped functions

Post by epopoe »

Here is a sample of mobinogi hero's hfs file.

http://www.sendspace.com/file/8tk710

Re: Dumped functions

Post by aluigi »

don't go off-topic