XeNTaX

I have no idea, the OneStat is a mere pagecounter. http://www.onestat.com

Mr.Mouse wrote:I have no idea, the OneStat is a mere pagecounter. http://www.onestat.com

umm...bad news?
I got the onestat cookie again:

I still don't think that is harmful.

Mr.Mouse wrote:I still don't think that is harmful.

if you say so Mr.Stuart (no intent on being rude)

That's okay.

Hmmm.... Looks like all links are completely dead.... Actually i'm looking for some guide[AND/OR]tutorial on how to reverese games themselfes (for example when you want to know which encryption/compression used in package). Google doesn't talk much about reverse engeneering, probably i'm asking him wrong

the problem is that it's not a matter of guides but of practice.
for example the symmetric encryption algorithms (ecb versions, so without ivec) can be usually recognized because if the file has a series of identical bytes (for example 16 or 32 zeros) you can see the same pattern repeated inside all those pseudo-garbage bytes.
but the fact that you have an idea abou the algorithm doesn't help to figure it, in that case it's needed debugging and signsrch.

for the xor/rot related obfuscations instead it's a bit different because the xor key or the xor byte is visible when there are sequences of zeros, otherwise if in doubt I use a quick scanner which tests and visualizes the data after having passed it with all the bytes from 0x00 to 0xff.

the rest is practice, for example during the debugging you see a strange algorithm which uses 16 bit registers and then you say "uhmmm I have already worked with something similar some years ago" and then you see that it's the IDEA algorithm and so on.

other helps could come from the semi-debug messages of the executable (like happened with Shift for XMemDecompress) but it's something not much common.

obviously this was for the encryption part, because for the fields of the archive it's just a matter of hex editor and calculator

http://wiki.xentax.com/index.php/DGTEFF You can still read that if you need a place to start. There's also a piece on my reverse engineering of the Painkiller XOR encryption algorithm.

But in general, it's like Bugtest said: practice and I would say experience.

I've spend thousands of hours on figuring out file formats be simply using a hex editor and a calculator (preferably one that has hexadecimal numbering functions as well).

When I was at Craptain's place some years ago, he saw me do it on a new file and was amazed by the speed by which I figured it out, but really,that was the years of experience doing the job, you start to spot immediately the structure of the standard formats.

You must look at it as a game, a puzzle. You will come across difficult ones, but even the more the satisfaction of demystifying it.

Yet, it all starts with a hex editor and a calculator.

I have no problems with just extracting files. Hex editor + win calc in engineer mode + some logic. That's right. But extracted files without knowlege of their format are useless.

I'm looking for a way to discover what exactly the given "game.exe" doing with some file in archive in order to decompress/decrypt it. Is there any specific soft for such research? I've heard about debuggers, disassemblers, decompilers... But info is smooth and not even about games..

So my question is - what tools to use to work with "game.exe", not with package ^__^

Disassemblers, eg OllyDbg, Ida Pro etc

uhmmm I can list what I use in general, maybe it's useful also to other people interested in the reversing of file formats:
- ollydbg: the debugger
- xvi32: the hex editor, it's unsupported, not much optimized and with some bugs but it's confortable
- signsrch: to know the algorithms used in the executable and knowing where to set the breakpoints for verifying them
- calcc: the only calculator I use
- byte2hex/hex2byte/byte2c: for converting the various dumps of memory/files/pieces of data in various formats, very used
- offzip: to scan the archive if contains zlib or deflate data blocks
- some small testers of common algorithms like lzo, lzss, lzw and blast
- findxor: for scanning various xor and rot values
- mycrc: sometimes for confirming if a field is a crc/hash
- fcomp: for comparing some results like the uncompressed data obtained by me and the correct one obtained by the game
- xor: for verifying a xor key or retrieving it from a xored and plain-text data
- quickrva: used in some occasions but it's not useful when reversing formats
- chd: used only to know the hex values of some strings on the fly
- something else that I have forgotten as usual

Rheini can you upload the file again? I missed the file by 2 years but I really want to get into this stuff.
or if any one still have the file, do you mind mirroring it? thanks a lot

MuffinMan123 wrote:Rheini can you upload the file again? I missed the file by 2 years but I really want to get into this stuff.
or if any one still have the file, do you mind mirroring it? thanks a lot

This thread is four pages long; that's a lot of posts. It would help if you quoted the post containing the link you're talking about.

Rheini wrote:http://uploaded.to/?id=ce51hh
Version 4

Rheini wrote:1024bar.7z

I am assuming 1024bar is also version 4, just reuploading back in 2009, but every link is dead now.

so no one kept a copy of the file somewhere?