yesterday I wrote a simple and small tool which takes a dumped function as input (practically the function exported from an executable into a raw file) and produces C source code with all the fixed/static references converted into local variables allocated through an init function.
it's the same identical job I did with unlz2k a couple of days ago but it's all automatic, so the user only needs to clean the resulting source code and add the initialization of some pieces of memory or the NOPing of some parts of the dumped function "if" needed.
I have already tested it with the same lz2k dumped function and it works perfectly but I would like to test some other "real" examples, so if someone has a pre-compiled custom compression/encryption function (x86 32bit) which uses static addresses (otherwise there is no need for the tool) I can test it.
yeah I know that I could do the tests with other known functions and examples but then where is the fun if the result is not really useful and necessary? :)
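The idea of the post above (absolute references in a dumped function rewritten to point at memory allocated by an init function), as an added example that is not aluigi's tool and not code from the original post. It uses a naive byte-level scan for 32-bit immediates that fall inside the static data range, which is an assumption about how such references can be found (no disassembler, so by-chance matches must be reviewed by hand), and the generated C layout, the `dumped_*` names and the sample bytes are constructed for illustration:

```python
import struct

def find_static_refs(code: bytes, base: int, size: int):
    """Scan a dumped x86-32 function for little-endian 32-bit immediates that fall
    inside the static data range [base, base + size).

    This is a naive byte-level scan (no disassembler), so an instruction whose
    bytes happen to form a value in the range is reported too; the list is meant
    to be reviewed by hand before the generated C is used."""
    refs = []
    for off in range(len(code) - 3):
        val = struct.unpack_from("<I", code, off)[0]
        if base <= val < base + size:
            refs.append((off, val))
    return refs

def emit_c(code: bytes, refs, base: int, size: int, name: str = "dumped") -> str:
    """Emit C source: the raw bytes as an array plus an init function that
    allocates a private copy of the static area and rewrites every absolute
    reference to point into that copy (hypothetical output layout)."""
    hex_bytes = ", ".join(f"0x{b:02x}" for b in code)
    lines = [
        "#include <stdint.h>",
        "#include <stdlib.h>",
        "",
        f"/* raw bytes of the dumped function ({len(code)} bytes) */",
        f"unsigned char {name}_code[{len(code)}] = {{ {hex_bytes} }};",
        "",
        f"/* replaces the original static area {base:#x}..{base + size:#x} */",
        f"unsigned char *{name}_static;",
        "",
        f"void {name}_init(void) {{",
        f"    {name}_static = calloc({size:#x}, 1);",
    ]
    for off, val in refs:
        lines.append(
            f"    *(uint32_t *)({name}_code + {off:#x}) = "
            f"(uint32_t)(uintptr_t)({name}_static + {val - base:#x}); /* was {val:#x} */"
        )
    lines.append("}")
    return "\n".join(lines) + "\n"

# Constructed sample: mov ecx,[0x403020] ; mov eax,[0x4031a0] ; ret
SAMPLE_CODE = bytes.fromhex("8b0d20304000" "a1a0314000" "c3")
SAMPLE_BASE, SAMPLE_SIZE = 0x403000, 0x1000

if __name__ == "__main__":
    refs = find_static_refs(SAMPLE_CODE, SAMPLE_BASE, SAMPLE_SIZE)
    print(emit_c(SAMPLE_CODE, refs, SAMPLE_BASE, SAMPLE_SIZE))
```

The emitted C only makes sense in a 32-bit build (the patched values are 32-bit pointers), and the `dumped_code` array has to live in memory that is both writable and executable before `dumped_init` runs and the function is called; that part, like the manual NOPing and extra memory setup the post mentions, is left to the reader.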
Dumped functions
- aluigi
- VVIP member
- Posts: 1916
- Joined: Thu Dec 08, 2005 12:26 pm
- Location: www.ZENHAX.com
- Has thanked: 4 times
- Been thanked: 664 times
- Contact:
-
- Moderator
- Posts: 2602
- Joined: Sun May 18, 2008 3:01 pm
- Has thanked: 57 times
- Been thanked: 1422 times
Re: Dumped functions
The contents of this post were deleted because of a possible forum rules violation.
- aluigi
Re: Dumped functions
uhmmm I guess you are off-topic because I referred to something completely different :)
anyway I have given a look at these HFS archives and they are just ZIP files with a different "magic" (HF\1\2 instead of PK\3\4) and with encrypted filenames and files.
so the files are first encrypted and then compressed, which means that you can extract and decompress the files without problems but their content is encrypted (no xor, no rot).
that's an unusual and senseless thing because when you encrypt a file before its compression you increase the differences in the bytes, with the result of an unoptimized compression.
I have already tried to use the md5 hash of some passwords ("csm...") with the rc4 algorithm (the Crypt* functions) without success.
if you want to make a quick test disable the update in some way (for example try it offline) and put the byte 0xcc at offset 0x4C4E39 of engine.dll; when the debugger pops up you will see the password in the stack window.
*edit* I have attached a simple script in case you are curious about the content of the extracted files
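The archive layout and the encrypt-then-compress point from the post above, as an added example that is not part of the original post and not aluigi's script. It builds a constructed ZIP in memory, "encrypts" each member with a stand-in XOR keystream (a placeholder, not the game's cipher), swaps the local file header signature to HF\1\2 as described, and then shows two things: that restoring PK\3\4 (found by walking the central directory, an assumption about how a cleaner would locate the headers) lets a standard ZIP reader extract the still-encrypted members, and that deflate gains nothing on the ciphertext while it compresses the plaintext well. The file names, password and contents are constructed:

```python
import hashlib
import io
import struct
import zipfile
import zlib

HFS_MAGIC = b"HF\x01\x02"   # local file header signature described in the thread
ZIP_LOCAL = b"PK\x03\x04"   # standard local file header signature
ZIP_CDIR = b"PK\x01\x02"    # central directory entry signature
ZIP_EOCD = b"PK\x05\x06"    # end of central directory signature


def toy_keystream_xor(data: bytes, password: bytes) -> bytes:
    """Constructed stand-in for the unknown per-file cipher (XOR with a SHA-256
    counter-mode keystream).  It is NOT the game's cipher; it only produces the
    high-entropy bytes that matter for the compression argument."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(password + struct.pack("<I", counter)).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def local_header_offsets(data: bytes) -> list:
    """Find every local file header by walking the end-of-central-directory record
    and the central directory, rather than searching for a 4-byte magic that could
    also occur by chance inside compressed file bodies."""
    eocd = data.rfind(ZIP_EOCD)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    entries, _cd_size, cd_off = struct.unpack_from("<HII", data, eocd + 10)
    offsets, pos = [], cd_off
    for _ in range(entries):
        if data[pos:pos + 4] != ZIP_CDIR:
            raise ValueError(f"bad central directory entry at {pos:#x}")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        offsets.append(struct.unpack_from("<I", data, pos + 42)[0])
        pos += 46 + name_len + extra_len + comment_len
    return offsets


def build_constructed_hfs(files: dict, password: bytes) -> bytes:
    """Build a sample archive the way the thread describes: encrypt each file,
    then deflate it into a ZIP, then replace PK\\3\\4 with HF\\1\\2."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, toy_keystream_xor(content, password))
    data = bytearray(buf.getvalue())
    for off in local_header_offsets(bytes(data)):
        data[off:off + 4] = HFS_MAGIC
    return bytes(data)


def hfs_to_zip(data: bytes) -> bytes:
    """Restore the standard signatures so an ordinary ZIP reader accepts the archive."""
    fixed = bytearray(data)
    for off in local_header_offsets(data):
        if fixed[off:off + 4] != HFS_MAGIC:
            raise ValueError(f"unexpected signature at local header {off:#x}")
        fixed[off:off + 4] = ZIP_LOCAL
    return bytes(fixed)


def try_extract(data: bytes):
    """Return {name: bytes} for every member, or None if a standard ZIP reader
    rejects the archive (which is what happens with HF\\1\\2 local headers)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return {info.filename: zf.read(info) for info in zf.infolist()}
    except zipfile.BadZipFile:
        return None


def deflated_size(data: bytes) -> int:
    """Size after deflate at maximum level: the compressor gains nothing on
    ciphertext, which is the thread's point about encrypting before compressing."""
    return len(zlib.compress(data, 9))


# Constructed sample files (not real game data)
SAMPLE_FILES = {
    "readme.txt": b"hello hello hello " * 200,
    "table.bin": bytes(range(256)) * 16,
}
SAMPLE_PASSWORD = b"example-password"

if __name__ == "__main__":
    archive = build_constructed_hfs(SAMPLE_FILES, SAMPLE_PASSWORD)
    print("standard reader on HFS:", try_extract(archive))
    for name, blob in try_extract(hfs_to_zip(archive)).items():
        plain = SAMPLE_FILES[name]
        print(name, "plain->deflate", len(plain), "->", deflated_size(plain),
              "| encrypted->deflate", len(blob), "->", deflated_size(blob))
```

The central-directory walk is deliberately used instead of a blind search-and-replace of the magic, since the four header bytes can also appear inside a compressed body; the same walk is what a reader of these archives would need anyway to find each member's local header.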
- aluigi
Re: Dumped functions
I have also tried using the ICE encryption with both the hexadecimal keys "\xbf\x01\x00\xde\x55\x27\x9a\x01" and "\x36\xaf\xa5\x05\x4c\xfb\x1d\x71" but still no success.
anyway a bad thing about the ICE encryption is the setting of the key and its level... really chaotic
- Moderator
Re: Dumped functions
Were you looking more along the lines of a game like Devil May Cry 4 that uses an unknown compression?
- aluigi
Re: Dumped functions
I thought that everything about dm4 was finished.
if the decompression algorithm is still not known it could be a good candidate for the testing of my tool.
P.S.: has someone checked if it was XMemDecompress?
does a raw decompressed block exist somewhere to test? (only the compressed data without headers)
- aluigi
Re: Dumped functions
umm since I was looking for the Mabinogi Heroes dumping files, hope you don't mind if I post a reply and ask some questions.
are there any bms files I could have for dumping Mabinogi Heroes?
Re: Dumped functions
aluigi wrote: confirmed, it's XMemDecompress
how to find XMemDecompress functions? in one of the dlls in the bin directory?
- aluigi