Could someone have a look at the new Bugbear game format? The underlying format looks to be similar, if not the same, as previous bfs files from this developer (looking in the memory), but there appears to be some decryption which is occurring first.
I found what looks like a 24 byte key at 0x944CC0 - 7D 21 12 DD A6 4F 3E 28 50 C3 3C D9 99 45 37 C9 EC 66 BB 00 00 00 00 00
which could be 3DES? But some quick tests don't come back with the expected results.
Debugging with IDA, there appears to be a decryption function after one of the references to the key: sub_734DF0
Here is the first 32768 bytes of the file (0x8000 is the size of the first chunk to get decrypted)
https://dl.dropboxusercontent.com/u/9950356/start.bin
If anyone needs the exe just drop me a message.
Update:
I'm pretty sure the encryption used is now TEA - http://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm
I'll do another update if I make any progress.
Next Car Game
-
- M-M-M-Monster veteran
- Posts: 1823
- Joined: Wed Mar 31, 2010 6:54 am
- Has thanked: 92 times
- Been thanked: 1058 times
Re: Next Car Game
Bfs uses double encryption with different algos (not XTEA). Full archive and file data.
1st - You need to decrypt the full archive by blocks of size 0x2000 (algo N1)
2nd - After decrypting you need to read the header, calc the table size and decrypt it again (algo N2)
Algo 1 - Decrypt archive
Algo 2 - Decrypt file data
Algo 1 - Decrypt archive
Code:
#include <stdint.h>

/* 20-byte key; the index below is masked with 3, so only the first four words are used. */
uint32_t pKey[] = { 0xDD12217D, 0x283E4FA6, 0xD93CC350, 0xC9374599, 0x00BB66EC };

/* Decrypts one block in place. pBlockSize is a count of 32-bit words, not bytes. */
void bfs_decrypt_block(uint32_t *pBuffer, const uint32_t *pKey, int pBlockSize)
{
    int pCounter;
    uint32_t pPosition; /* previous word: the last word of the block first, then each decrypted word */
    uint32_t pNext;     /* the word that follows the one being decrypted */
    int i;

    if ( pBlockSize > 1 )
    {
        pPosition = pBuffer[pBlockSize - 1];
        pCounter = 0;
        i = pBlockSize - 1;
        while ( pCounter < i )
        {
            pNext = pBuffer[pCounter + 1];
            pBuffer[pCounter] -= ((pPosition ^ 0x9E3779B9) + (pNext ^ pKey[(pCounter ^ 0xFE) & 3]))
                               ^ (((4 * pPosition) ^ (pNext >> 5)) + ((pPosition >> 3) ^ (16 * pNext)));
            pPosition = pBuffer[pCounter++];
        }
        /* the last word wraps around and uses the already decrypted first word */
        pNext = pBuffer[0];
        pBuffer[pCounter] -= ((pPosition ^ 0x9E3779B9) + (pNext ^ pKey[(pCounter ^ 0xFE) & 3]))
                           ^ (((4 * pPosition) ^ (pNext >> 5)) + ((pPosition >> 3) ^ (16 * pNext)));
    }
}

/* Decrypts the archive in place, one 0x8000-byte block (0x2000 words) at a time. */
/* A trailing partial block (pSize % 0x8000 bytes) is left untouched. */
void bfs_decrypt(uint8_t *pData, int pSize)
{
    int pBlockSize = 0x2000; /* words per block */
    int pNextBlock = 0x8000; /* bytes per block */
    int pBlocks = pSize / pNextBlock;

    for (int i = 0; i < pBlocks; i++, pData += pNextBlock)
        bfs_decrypt_block((uint32_t *)pData, pKey, pBlockSize);
}
Algo 2 - Decrypt file data
Code:
#include <stdint.h>

uint32_t pKey_Data[] = { 0x2EB1D439, 0x40CD499C, 0x8BF71712, 0xB1F443F8, 0x00BBA5C4 };

/* Decrypts pSize 32-bit words in place. pSize is a word count, not a byte count. */
void bfs_decrypt_data(uint32_t *pBuffer, const uint32_t *pKey, uint32_t pSize)
{
    uint32_t v3;  /* word count */
    uint32_t v4;
    uint32_t v5;  /* most recently decrypted word */
    uint32_t v6;  /* word index, counts down to 0 */
    uint32_t v7;
    uint32_t v8;
    int v9;       /* loop exit flag */
    uint32_t v10; /* key index offset for the current pass */
    uint32_t v11; /* running sum */

    v3 = pSize;
    if ( pSize > 1 )
    {
        v5 = *pBuffer;
        v4 = 0x9E3779B9 * (0x34 / pSize + 6);
        v11 = 0x9E3779B9 * (0x34 / pSize + 6);
        do
        {
            v6 = v3 - 1;
            v10 = (v4 >> 2) & 3;
            if ( v3 != 1 )
            {
                /* walk from the last word down to word 1 */
                do
                {
                    pBuffer[v6] -= ((v11 ^ v5) + (pBuffer[v6 - 1] ^ pKey[v10 ^ (v6 & 3)]))
                                 ^ (((4 * v5) ^ (pBuffer[v6 - 1] >> 5)) + ((v5 >> 3) ^ (16 * pBuffer[v6 - 1])));
                    --v6;
                    v5 = pBuffer[v6 + 1];
                }
                while ( v6 );
                v3 = pSize;
            }
            /* word 0 wraps around and uses the last word; v6 is 0 here */
            v7 = (v5 >> 3) ^ (16 * pBuffer[v3 - 1]);
            v8 = (4 * v5) ^ (pBuffer[v3 - 1] >> 5);
            v3 = pSize;
            *pBuffer -= ((v11 ^ v5) + (pBuffer[pSize - 1] ^ pKey[v10 ^ (v6 & 3)])) ^ (v8 + v7);
            v5 = *pBuffer;
            v9 = v11 == 0x61C88647u;
            /* 0x61C88647 is -0x9E3779B9 modulo 2^32, so this steps the sum down by 0x9E3779B9 */
            v4 = v11 + 0x61C88647;
            v11 += 0x61C88647u;
        }
        while ( !v9 );
    }
}

/* Wrapper using the data key; dwLength is the number of 32-bit words. */
void bbfs_decrypt_data(uint32_t *pData, int dwLength)
{
    bfs_decrypt_data(pData, pKey_Data, dwLength);
}
Last edited by Ekey on Sat Feb 22, 2014 7:17 pm, edited 3 times in total.
My Github repo
-
- veteran
- Posts: 109
- Joined: Mon May 06, 2013 2:58 pm
- Location: united states
- Has thanked: 119 times
- Been thanked: 8 times
Re: Next Car Game
this game looks tits.
I hope we can not just decrypt but also import in the future cause some of the cars I do would be great in soft body. But I'd have to see how they compartmentalize their meshes and also how it's skinned and dummied before that. I know past FlatOuts were moddable to a degree as my buddies used to do this and well this is Bugbear after all. I might ask them if this game will be moddable. Till then I can only play the demo and dream of the car damage to my favorite cars.
-
- veteran
- Posts: 100
- Joined: Mon Apr 23, 2007 11:25 pm
- Has thanked: 2 times
- Been thanked: 7 times
Re: Next Car Game
Well, if we can't work out how to encrypt the files again I think we might be able to just remove the decryption calls in the executable and it will carry on with the already decrypted archive. This is just theory though, whether it will work in practice is another question.
octaviousrex wrote:
this game looks tits.
I hope we can not just decrypt but also import in the future cause some of the cars I do would be great in soft body. But I'd have to see how they compartmentalize their meshes and also how it's skinned and dummied before that. I know past FlatOuts were moddable to a degree as my buddies used to do this and well this is Bugbear after all. I might ask them if this game will be moddable. Till then I can only play the demo and dream of the car damage to my favorite cars.
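The question of encrypting the files again comes down to inverting Algo 1 posted earlier in the thread. The following is an added example, not code from any poster or from the game: `mx`, `block_decrypt`, `block_encrypt` and `roundtrip_ok` are hypothetical names, the decrypt side restates the posted routine, the encrypt side is derived from it by reversing the steps, and the sample data is constructed.

```c
#include <stdint.h>
#include <string.h>

/* Key words copied from the Algo 1 post; the index mask reaches only words 0..3. */
static const uint32_t k1[] = { 0xDD12217D, 0x283E4FA6, 0xD93CC350, 0xC9374599, 0x00BB66EC };

/* Mixing term of Algo 1: z = previous word, y = following word, i = word index. */
static uint32_t mx(uint32_t z, uint32_t y, uint32_t i)
{
    return ((z ^ 0x9E3779B9u) + (y ^ k1[(i ^ 0xFE) & 3]))
         ^ (((4 * z) ^ (y >> 5)) + ((z >> 3) ^ (16 * y)));
}

/* Algo 1 as posted, restated with mx(): front to back, wrapping on the last word. */
void block_decrypt(uint32_t *v, uint32_t n)
{
    if (n < 2) return;
    uint32_t z = v[n - 1];
    for (uint32_t i = 0; i < n - 1; i++) {
        v[i] -= mx(z, v[i + 1], i);
        z = v[i];
    }
    v[n - 1] -= mx(z, v[0], n - 1);
}

/* Hypothetical inverse (assumption, not from the thread): undo the steps last word first. */
void block_encrypt(uint32_t *v, uint32_t n)
{
    if (n < 2) return;
    v[n - 1] += mx(v[n - 2], v[0], n - 1);   /* both inputs are still plaintext */
    for (uint32_t i = n - 2; i > 0; i--)
        v[i] += mx(v[i - 1], v[i + 1], i);   /* v[i-1] plaintext, v[i+1] already encrypted */
    v[0] += mx(v[n - 1], v[1], 0);           /* both inputs are already encrypted */
}

/* Self-test on constructed data: returns 1 if encrypt then decrypt restores n words. */
int roundtrip_ok(uint32_t n)
{
    static uint32_t plain[0x2000], work[0x2000];
    if (n > 0x2000) return 0;
    for (uint32_t i = 0; i < n; i++)
        plain[i] = i * 2654435761u + 12345u; /* constructed sample words */
    memcpy(work, plain, n * sizeof *work);
    block_encrypt(work, n);
    block_decrypt(work, n);
    return memcmp(work, plain, n * sizeof *work) == 0;
}
```

This covers only the per-block archive layer (Algo 1); the table layer (Algo 2) is not inverted here.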
-
- M-M-M-Monster veteran
- Posts: 1823
- Joined: Wed Mar 31, 2010 6:54 am
- Has thanked: 92 times
- Been thanked: 1058 times
Re: Next Car Game
Currently nothing useful here, a simple tool for decrypting archives only.
Code:
[Usage]
NCGDecrypt <pInFile> <pOutFile>
[Example]
NCGDecrypt 00__nextcargame__ 00__nextcargame__.dec
Last edited by Ekey on Sat Nov 30, 2013 10:30 am, edited 1 time in total.
My Github repo
-
- veteran
- Posts: 100
- Joined: Mon Apr 23, 2007 11:25 pm
- Has thanked: 2 times
- Been thanked: 7 times
Re: Next Car Game
I got a slightly different size: 3195
decrypted tables:
00 - https://db.tt/SGq4rzMx
01 - https://db.tt/pPNGQOrp
Any idea how the files are contained? From previous versions I guessed zlib but offzip doesn't result in much.
-
- M-M-M-Monster veteran
- Posts: 1823
- Joined: Wed Mar 31, 2010 6:54 am
- Has thanked: 92 times
- Been thanked: 1058 times
Re: Next Car Game
Ok.. 3195 is not the table size, it seems to be the rounds for the full table.
Code:
struct BBFSHeader
{
    BYTE pID[4]; // bbfs
    DWORD dwVersion;
    WORD wTableSize;
    WORD wUnknown;
    DWORD dwFilesCount; // ???
    DWORD dwType; // 1 ???
};
Code:
BBFSHeader pHeader;
// the header above is 20 bytes; the remainder of the table is counted in 32-bit words
int dwRounds = (pHeader.wTableSize - 20) >> 2;
bfs_decrypt_data(pBuffer, &Key, dwRounds);
My Github repo
-
- veteran
- Posts: 100
- Joined: Mon Apr 23, 2007 11:25 pm
- Has thanked: 2 times
- Been thanked: 7 times
Re: Next Car Game
Probably not much use but here's a list of filenames (yes I'm aware there's duplicates, I couldn't be bothered to filter them out)
http://pastebin.com/6WABkCXn
Working on hooking file requests and replacing them.
Edit (04/12/2013)
Making progress
http://pastebin.com/MbEs8a8u
-
- veteran
- Posts: 109
- Joined: Mon May 06, 2013 2:58 pm
- Location: united states
- Has thanked: 119 times
- Been thanked: 8 times
Re: Next Car Game
seems someone was able to grab a tire from the game.
http://tf3dm.com/3d-model/tire-21722.html
not sure if this is a help or not they seem to have been able to get the tire into Cinema 4D as that is the main format shown.
-
- n00b
- Posts: 17
- Joined: Sun Apr 22, 2012 3:48 pm
- Has thanked: 8 times
- Been thanked: 5 times
Re: Next Car Game
3D Rippers..
octaviousrex wrote:
seems someone was able to grab a tire from the game.
http://tf3dm.com/3d-model/tire-21722.html
not sure if this is a help or not they seem to have been able to get the tire into Cinema 4D as that is the main format shown.
-
- M-M-M-Monster veteran
- Posts: 1823
- Joined: Wed Mar 31, 2010 6:54 am
- Has thanked: 92 times
- Been thanked: 1058 times
Re: Next Car Game
Post updated. Added the key for the data (2nd algo). After decrypting we get a table without file names but with hashes (every hash by 0x14). Here is an example table from the 00__nextcargame__ archive. Any ideas?
My Github repo
- aluigi
- VVIP member
- Posts: 1916
- Joined: Thu Dec 08, 2005 12:26 pm
- Location: www.ZENHAX.com
- Has thanked: 4 times
- Been thanked: 664 times
- Contact:
Re: Next Car Game
Have you tried the script I released some months ago?
http://aluigi.org/papers/bms/others/next_car_game.bms
-
- M-M-M-Monster veteran
- Posts: 1823
- Joined: Wed Mar 31, 2010 6:54 am
- Has thanked: 92 times
- Been thanked: 1058 times
-
- veteran
- Posts: 109
- Joined: Mon May 06, 2013 2:58 pm
- Location: united states
- Has thanked: 119 times
- Been thanked: 8 times
Re: Next Car Game
actually I've tried all but 3D VIA PRINTSCREEN because via won't work for me at all and none of the rippers will go ingame. so this still makes one ask the question as to what could be used to rip it. will check out the tools thanks.
dimon4ik6565 wrote:
3D Rippers..
octaviousrex wrote:
seems someone was able to grab a tire from the game.
http://tf3dm.com/3d-model/tire-21722.html
not sure if this is a help or not they seem to have been able to get the tire into Cinema 4D as that is the main format shown.