Files extractors scripting

[chrrox]

Wind Fantasy Online
I am lazy so you must paste the index file at the end of the archive to extract the file but then it works. I will work on learning how to work with memory files better.
http://ago.gameflier.com/
This game uses an unknown "to me" image format and 3d model format.

Code: Select all

goto 0xDD6752
math FILES += 470
comtype inflate
for i = 0 < FILES
getdstring UNK 0x14
get ZSIZE long
get SIZE long
get NSIZE long
getdstring UNK2 0xA
get OFFSET long
getdstring NAME NSIZE
clog NAME OFFSET ZSIZE SIZE
next i

[chrrox]

Final Quest Online
http://fq.space.co.kr/

Code: Select all

idstring "NF"
goto 0x200
get UNK1 long
get SIZE long
get ZSIZE long
get UNK2 long
savepos OFFSET
get NAME filename
string NAME -= 4
set EXT STRING ".png" 
string NAME += EXT
clog NAME OFFSET ZSIZE SIZE
next i

[chrrox]

Cars Online
http://cars.wasabii.com.tw/

Code: Select all

get NULL long
math FILES += 0x28bc
for i = 0 < FILES
getdstring NULL 0x8
get OFFSET long
get SIZE long
math OFFSET += 0x28BD4
log NAME OFFSET SIZE
math NAME += 1
next i

sorry no names for these files.
mainly dds files and some model files.

[chrrox]

Lost Eden Texture Extractor and converter.
http://losteden.jp/start
http://download.losteden.jp/losteden/cl ... taller.exe

Code: Select all

math files += 0xFFFF
set DDS string ".dds"
for i = 0 < FILES
get NAME filename
STRING NAME -= 4
math COUNTER += 1
string NAME += COUNTER
string NAME += DDS
get SIZE long
get ZSIZE long
savepos OFFSET
clog MEMORY_FILE OFFSET ZSIZE SIZE
append
math SIZE -= 0x1e
log NAME 0x1e SIZE MEMORY_FILE
append
math OFFSET += ZSIZE
goto OFFSET
next i

[chrrox]

Luna Online pak extractor
http://luna.gpotato.com/
http://luna.gpotato.com/?m=download

Code: Select all

get NULL long
get FILES long
goto 0x5c
for i = 0 < FILES
get UNK1 long
get SIZE long
get NSIZE long
math NSIZE += 1
get UNK2 long
getdstring NULL 0x10
getdstring NAME NSIZE
savepos OFFSET
log NAME OFFSET SIZE
math OFFSET += SIZE
goto OFFSET
next i

[chrrox]

City Of Heroes .pigg extractor
ill create some more extractors converters for this game but I don't want to make one script to big.
http://www.cityofheroes.com/trial/index.html

Code: Select all

goto 0xc
get FILES long
math OFFSET2 += FILES
math OFFSET2 *= 0x30
math OFFSET2 += 0x1c
savepos TABLE1
for i = 0 < FILES
get V4 long
get FILENUMBER long
get SIZE long
get UNK2 long
get OFFSET long
get NULL2 long
get FFFFFFFF long
get UNK3 long
get UNK4 long
get UNK5 long
get UNK6 long
get ZSIZE long
savepos TABLE1
goto OFFSET2
get NSIZE long
getdstring NAME NSIZE
clog NAME OFFSET ZSIZE SIZE
savepos OFFSET2
goto TABLE1
next i

why do they compress their data 2x lol.
sample file
http://www.MegaShare.com/1337914

[chrrox]

Heva Online Quick bms script.
Client Download
http://windybeta.xcdnplus.co.kr/windyde ... VO_CBT.exe
Website
http://windybeta.xcdnplus.co.kr

Code: Select all

idstring "PlayBuster package archive v0.01"
get UNK1 short
math FILES += 0xFFFF
for i = 0 < FILES
get NSIZE long
get UNK2 long
get UNK3 long
get ZSIZE long
get SIZE long
get ZSIZE2 long
get UNK4 long
getdstring NAME NSIZE
savepos OFFSET
clog NAME OFFSET ZSIZE SIZE
math OFFSET += ZSIZE
goto OFFSET
next i

I attached some sample models that should be simple to decode.

[chrrox]

The contents of this post was deleted because of possible forum rules violation.

[chrrox]

Here is a extractor script fot NAYA online
纳雅外传OL
http://nywz.hitogame.com/Index.aspx
http://download1.hitogame.com/Naya_Setup_0.2.0.0.exe

Code: Select all

idstring "RVP"
math FILES += 0xFFFFFF
get NULL1 long
get FTABLE long
get FTABLESIZE long
goto FTABLE
for i = 0 < files
get NSIZE long
getdstring NAME NSIZE
get ZIP byte
get OFFSET long
get ZSIZE long
get SIZE long
if ZIP == 1
clog NAME OFFSET ZSIZE SIZE
else
log NAME OFFSET ZSIZE
endif
math COUNTER += 1
print "%COUNTER%"
next i

The model format is Open Scene Graph for models and animations but I can not find a windows viewer or a compiled version of open scene graph.

[aluigi]

@any developer
well, the development of QuickBMS continues with new enhancements and support to other useful and less useful stuff (and yes, the usual bugfixes).
for example in the new version I have decided to use the OpenSSL library that through its EVP interface allows to use any encryption algorithm supported by this great library (included any ecb, cbc, ofb and other modes) using the same function! :)

regarding the various algorithms I guess that for the moment there is nothing else to add natively, after all if the algorithms used by the games are not standards like zlib or lzo there is not much to do.
anyway I have added the possibility to choose the parameters of the lzss algorithm, so for example for a game like The Settlers II would be enough to specify 'comtype lzss "10 4 2 0"' for supporting its compression with non-default parameters.

and the following is a small funny/crazy/mad/stupid thing I have created in a couple of minutes, it's a conversion in BMS scripting of the LZSS algorithm to prove that the custom compression algorithms can be implemented even in the scripting language... obviously the performances are not excellents (22 seconds for decompressing 20 megabytes) but it works and is a good demonstration:

Code: Select all

# example of lzss decompression function written in 100% bms scripting!!!
# remember that QuickBMS supports the LZSS algorithm natively so this one
# is only a funny demonstration of a script-only function

set NAME string "unpacked.dat"
get ZSIZE asize
math SIZE = ZSIZE
math SIZE *= 10
log MEMORY_FILE 0 ZSIZE
callfunction LZSS_BMS_DUMP

# you must set: MEMORY_FILE (input), ZSIZE (input size), MEMORY_FILE2 (output), SIZE (max size)
startfunction LZSS_BMS_DUMP
    set EI long 12
    set EJ long 4
    set P long 2
    set rless long P
    set init_chr long 0x20

    set N long 1
    math N <<= EI
    set F long 1
    math F <<= EJ

    # pre-allocate memory for faster performances
    putvarchr MEMORY_FILE3 N 0
    for i = 0 < N
        putvarchr MEMORY_FILE3 i init_chr
    next i
    putvarchr MEMORY_FILE2 SIZE 0

    math r = N
    math r -= F
    math r -= rless
    math N -= 1
    math F -= 1

    math src = 0
    math dst = 0
    math srcend = ZSIZE
    math dstend = SIZE

    math flags = 0
    for src = 0 < srcend
        if flags & 0x100
        else
            getvarchr flags MEMORY_FILE src
            math src += 1
            math flags |= 0xff00
        endif
        if flags & 1
            getvarchr c MEMORY_FILE src
            math src += 1
            putvarchr MEMORY_FILE2 dst c
            math dst += 1
            putvarchr MEMORY_FILE3 r c
            math r += 1
            math r &= N
        else
            getvarchr i MEMORY_FILE src
            math src += 1
            getvarchr j MEMORY_FILE src
            math src += 1
            math TMP = j
            math TMP >>= EJ
            math TMP <<= 8
            math i |= TMP
            math j &= F
            math j += P
            for k = 0 <= j
                math TMP = i
                math TMP += k
                math TMP &= N
                getvarchr c  MEMORY_FILE3 TMP
                putvarchr MEMORY_FILE2 dst c
                math dst += 1
                putvarchr MEMORY_FILE3 r c
                math r += 1
                math r &= N
            next k
        endif
        math flags >>= 1
    next
    math SIZE = dst
    log NAME 0 SIZE MEMORY_FILE2
endfunction

hope you like the idea and in case of doubts about the scripting language or what is possible or not possible to do with it remember to read quickbms.txt or to contact me or to watch the various existent bms scripts.

[brienj]

aluigi, I don't know if this is where we can request for you to add something to QuickBMS, but I was wondering if you could possibly add BPE (Byte Pair Encoding) to the program? Thanks.

[aluigi]

bpe has been added just in this version, the function comes from the known bpd.c code.
and yes, any new idea or discussion can be made in this thread, the only requirement is that any new algorithm to implement natively in quickbms must be a standard (like zlib, lzo, lzma, any library) or at least used in more than one game.

[chrrox]

Here is the new format for the dragon nest archives they got rid of the recursive archive format.

Math Files += 0xFFFFFF
findloc RES_START string "mapdata"
goto RES_START
savepos RES_START
math RES_START -= 1
goto RES_START
for i = 0 < FILES
getdstring NAME 0x100
get UNK1 long
get SIZE long
get ZSIZE long
get OFFSET long
get UNK3 long
getdstring NULL1 0x28
clog NAME OFFSET ZSIZE SIZE
next i

client http://dragonnest.nefficient.co.kr/Rele ... onNest.cab

[aluigi]

well, I have just finished to add a new function that in my opinion could be very useful in some cases and I don't talk only about the simple extraction but moreover to who encounters a custom algorithm and must choice if it's more convenient to spend time trying to reverse it or trying to use it directly in its binary form.

practically it's the ability of importing and using an external function from an executable or a dll or even a raw file, like the dumped content of a function.

the particularity of this CallDLL command is that it's highly customizable, for example is possible to choose not only the name of the function to import (if it's an exported function) but even to choose the offset where is located (useful for internal/non-exported functions) and the calling convention: stdcall or cdecl.

it's important to note that there is a technical obstacle to avoid the usage of functions from executables where are used fixed/static variables.
in short words if the executable cannot be loaded at the same address for which it has been designed (image base) then is not possible to access these variables or only in some cases when the memory is allocated there but with possible corruptions.

for example by default any executable is designed to use the image base 00400000 but that zone of the memory is already occupied, and no I don't talk about our program (the caller) where it's enough to change its image base to bypass the problem but I talk about the memory (stack/heap) allocated there since the starting of our program (you can verify it with ollydbg).

and obviously loading the imported executable in a different address (for example 00f20000) means that the static variable which was located (for example) at offset 006c5000 is no longer accessible because the whole range allocated by the exe has been moved.
wow, I hope someone is following me :)

obviously there are no problems for those functions that don't use static fields and for the dlls, so be happy.

in conclusion this little command should help the testing of custom binary-only algorithms without reversing them and maybe even using them directly in the extraction code like I did in my internal tests for the lz2k algorithm.

oh, naturally it's ever possible to use the command for importing plugins, for example a dll written by us with the custom decryption code necessary to decrypt the data of a game and that will avoid to force its implementation in bms-language saving a lot of performances.

[chrrox]

Culpa Innata
http://store.steampowered.com/app/12310/
This game uses nif file format so you can import fully rigged models and animations into your favorite program that supports nif.

Code: Select all

#QuickBMS Script
idstring "SFS1"
get FILES short
for i = 0 < FILES
get NSIZE short
getdstring NAME NSIZE
get OFFSET long
savepos NTABLE
goto OFFSET
get SIZE long
savepos OFFSET
log NAME OFFSET SIZE
goto NTABLE
next i