XeNTaX

I need help decompressing the files within the zip archives from Forza Horizon 4

use forza studio 4.1 to decrypt forza archives

ForzaStudio will only unpack decrypted archives.

Did you have any success?

Is there a fh4 zip extractor?

In continuation of the conversation started in Forza Apex database - gamedb.slt about encrypted zip archives in Forza Horizon 5 v1.405.2.0 (Steam) [EMPRESS] (ForzaHorizon5.exe CRC32: BFCEECA8).
I found a way to extract .txt and .dat files for now. The archive header is not encrypted, so we can see the name, size and crc32 of the stored files.
After CreateFile breakpoint reached, place another one at <vcruntime140.dll.memmove> or at more stable 0000000145509E3D with the condition: qword(rdx) == 656C74746F726854 || byte(rdx) == 30 && byte(rdx + 1) == 0D && byte(rdx + 2) == 0A, where 656C74746F726854 is the beginning of .txt file "Throttle" in big endian, and 30 0D 0A is the first line of .dat file "0\r\n". To save the result use: savedata :memdump:,rdx,r8.


It calls in the following order: The call stack related to decompressing the encrypted zip file. There are other .zip files encrypted in the same way, such as "media\Stripped\TIDETables.zip". It loads right after the game executable is launched, so this is a good place to start. It contains files with "BXML" at the beginning: qword(rdx) == 4C4D5842.

Once I got G_V8NM_American_Truck_1_Eng.zip/Acc_01_Acc_2438_ADPCM.wav file, but I can't reproduce it anymore. Now the game crashes or all threads are suspended. Luckily I took two screenshots and saved the file. I used the car FOR_SVTRaptor_12.


All mentioned files are in an attachment (four .txt and .dat, and one .wav).

@Doliman100 I think I love you. The information you're providing to the Forza community right now is invaluable, thank you so much.

I found a way to extract both files compressed with the common methods and files compressed with method 22. The game usues some method of class IOSys::CCompressedFileStream (d:\p4\woodstock_hf\engine\iosys\Src\CompressedFileStream.cpp) for this. So, if someone wants to make a quickbms script for decompressing method 22, you are welcome. By the way, the ForzaHorizon5.exe file from the EMPRESS crack (v1.405.2.0, CRC32: BFCEECA8) can be decompiled by IDA Pro, because EMPRESS has already unpacked it. This version has an Arxan log that can be downloaded separately. You can use it to see some class names and their methods. At the moment, I don't know how to get the file names, only the full path to the archive. To extract media\Audio\EngineSynth\*.zip files, you can place a breakpoint at these two addresses. They are right after the call to that decompress function. 0. In x64dbg/memdumps/ directory, create folders with the names of the zip files you want to export.
1. Debug > Run
2. Command
For txt: savedata memdumps\{utf8([rbp+258]+1E)}{utf8([rbp-40])},qword(rsp+58),r14d
For wav and dat: savedata memdumps\{utf8([rbp+F]+1E)}{utf8([rbp-59])},qword(r14),dword(rsi)
3. Goto step 1
If you have doubts about what you've saved, you can always compare it to CRC32.

I tested it with TOY_SupraRZ_98 "Toyota Supra RZ (1998)". Here are 7 decompressed zip files that it uses.
https://mega.nz/folder/jsQFmSZD#5Y65-CrrT8PLMa2bvdX3GA

amazing! Ill try extracting some more samples with this!

as for making a quickbms script, i don't have the necessary knowledge, but maybe some one who reads this can!

i was successfully able to extract the .txt's, but when trying to extract the wav's i'm having a memory allocation error and the software crashes, is there any aditional step for the wavs?

i'm able to successfuly create the breakpoint

What version of Forza Horizon 5 are you using? What is the exact error message? At what step does the error occur? Does this happen right after entering the command for wav and dat files in step 2? What car and zip file are you trying?

I think I reproduced it. The problem was the wrong type of the size variable. Now I have defined it explicitly. Try these commands instead:

Hi, sorry for the lack of information in the preivous post, but yes! indeed your new approach works! thank you for your work, you've finnally put an end in this 2 year long quest!

for anyone else who'd like to try, i've used the 1.405 verison, with empress crack.

i, and i think the whole community, truly appreaciate the work you've done

i wish you the best!

I confirmed that method 22 is encrypted the same way as stage 1 of .slt powered by Arxan TransformIT. After decryption, this is the usual method 8 (Deflate).

is it there a known "decryptor" for such a method?