[Request] Guild Wars 2 DAT

[xtridence]

You now have another bug on your hands instead. You cannot do 'delete[]' on a variable that was allocated with 'malloc'. Malloc'ed chunks of memory need to be freed using free(). I'm looking at the 'delete[] img' you added.

Fixed.
Used new instead of malloc.

[Nimba]

xtridence: Is it ok with you if I commit your atexreader sources to the Bitbucket repo? I'll keep it up-to-date for you if you want whenever you release a new version.

[jeckerson]

Any one know in what format .strs files are: xml, txt or some DB type? And if there are some strs parser that convert to another viewable formats?

[stalja]

Everyone is asking about strs files. I did some research of my own on the subject. The format seems to very similar, if not the same, to Guild Wars 1 strs files format. For now I have determined that plain text strings have a 6 byte header that tell the length and the type of the string. But there are some strange parts of the strs files that I was not able to decipher. In an old thread here on xentax it is suggested that these strings are encoded/compressed, but I cano not determine the compression method used. It does not look like zlib but I might be wrong because my RE skills are very novice. I did try poking around the exe to find the function that opens strs files and manipulates them and from what I was able to gather that there is one point in the exe file where this is done (00A767E5) but this is as far as my RE skills go right now.

Still, even if we decipher all of this (which I am sure is a piece of cake for some experienced RE) it remains to be determined how are these strings connected to items, icons, rewards and all that other good stuff that makes up a MMO game.

[jeckerson]

It seems that in strs only INT data is encoded, or maybe some link variables to another files, because I can easily read names and descriptions of items/skills.

It does not look like zlib but I might be wrong because my RE skills are very novice.

And how about Huffman coding?

[kthackeray]

They use the same format as GW1 with the addition of the header. Strings are referenced in structs and packet via an ID number. Each string has a 6 byte header including the size and enc info. Non UTF strings in GW1 are RC4 encrypted (with every string having a unique key) so I assume they are using the same here.

[lordsavyj]

Yeah, what they said...it's almost identical to gw.dat format (http://www.guildwiki.org/User:Dr_ishmael/Gw.dat).

I built a proof of concept in PHP (http://dev.kantanker.us/lab/) and you can see my code at (http://dev.kantanker.us/lab/code.php).

Update: Code updated to better display strings

[xtridence]

Here's a STRS reader (I did not release it earlier as the format is not fully understood yet). The format for encrypted strings is unknown.

The dump button is to combine all STRS files (in a directory) and output into a single file so that strings can be searched easily.

@Nimba: You can commit the stuff to a repository if you want. Please include the compiled files in the repository.

[Cruelbob]

I have scanned Gw2.exe for cryptographic primitives.

[jeckerson]

Here's a STRS reader (I did not release it earlier as the format is not fully understood yet). The format for encrypted strings is unknown.

The dump button is to combine all STRS files (in a directory) and output into a single file so that strings can be searched easily.

@Nimba: You can commit the stuff to a repository if you want. Please include the compiled files in the repository.

Could you explain me please meaning of Ichar and type fields?

[ral]

Thank you guys.

I don't know if anyone looked closer at the files in PF/ABNKBKCK already (which currently are .mp3 files). I just started looking at them.
They always start with 496 bytes (PF ABNKBKCK).
After that there are more Headers in the file. So far i only saw PF ASNDASND (mp3 files with Xing header) and PF MODLMODL (If there are more i'll edit it in later once my unpacker is done with everything).
If you want all files just cut the .mp3 files at every new PF Header (start with 50 46 01 00 00 00 0C 00).

The ASNDASND Header is 92 bytes.
After that one there is a MPEG Audio Header + XING Header.
I don't know much about audio files but I think there's nothing more than the audio after the headers.

Last but not least the update for those who want to update their unpacker to seperate the .strs files into german, english, french and korean Directories: (If 2nd last byte really == the language. There seem to be a lot of stuff that isn't translated if it's true)

Code: Select all

case 'srts': //GW2
	textcount++;
	CreateDirectory("GWDat/strs",NULL);
	// looking for the language
	switch (Output[OutSize-2])
	{
	case 0:
		printf("english strs");
		CreateDirectory("GWDat/strs/english",NULL);
		sprintf(newname,"GWDat/strs/english/%s.strs\0",Name);
		break;
	case 1:
		printf("korean strs");
		CreateDirectory("GWDat/strs/korean",NULL);
		sprintf(newname,"GWDat/strs/korean/%s.strs\0",Name);
		break;
	case 2:
		printf("french strs");
		CreateDirectory("GWDat/strs/french",NULL);
		sprintf(newname,"GWDat/strs/french/%s.strs\0",Name);
		break;
	case 3:
		printf("german strs");
		CreateDirectory("GWDat/strs/german",NULL);
		sprintf(newname,"GWDat/strs/german/%s.strs\0",Name);
		break;
	default:
		// other language
		printf("strs");
		sprintf(newname,"GWDat/strs/%s.strs\0",Name);
	}

[xtridence]

PF reader for those who want to delve into PF files. Note that the structure of the PF file is not completely understood yet (so the tool is not exactly that useful), however I hope that this tool might speed up some progress towards that.

@jeckerson: "lchar" refers to the character with the smallest ASCII value (assuming it followings GW specification). "type" = 16 means the text is UTF-16 (it is currently not known how to read the strings for other values).

[kthackeray]

Here's a STRS reader (I did not release it earlier as the format is not fully understood yet). The format for encrypted strings is unknown.

"type" = 16 means the text is UTF-16 (it is currently not known how to read the strings for other values).

Non UTF strings in GW1 are RC4 encrypted (with every string having a unique key) so I assume they are using the same here.

In order to read them you need the key from the server...

[jeckerson]

In order to read them you need the key from the server...

If there are some way to brute-force that keys or read packets while playing?

[kthackeray]

If there are some way to brute-force that keys or read packets while playing?

You have to get them from analyzing server packets, yes. The GW1 algorithm has already been cracked and so far there is no evidence to show that they are using something different here. I'm not sure why you would want to waste the time to brute force them just for some text. Imagine how long it would take to do so for ~198,000 strings each with a unique key.