Operation Flashpoint 2: Dragon Rising .000, .001, .002, etc.

Posted: Tue Oct 06, 2009 6:01 am
by pietastesgood
The contents of this post were deleted because of a possible forum rules violation.

Re: Operation Flashpoint 2: Dragon Rising .000, .001, .002, etc.

Posted: Wed Oct 07, 2009 9:49 am
by XRaptor
It is just a filesystem :-) You can merge all files into 1. All files inside are compressed with LZSS. There is no problem. The problem is the file win_000.nfs. I think it is an AES encrypted file with information about the files inside. I am able to decompress files from the win_000.??? files, but I was unable to decrypt that "index" file to get info about offsets, sizes etc.

Re: Operation Flashpoint 2: Dragon Rising .000, .001, .002, etc.

Posted: Wed Oct 07, 2009 11:04 am
by Vash
try using "AC2211234495ACA27E805986108BEEDD4D01D3970B9D4CA93D7BE1BBEDDA8458" as key

Re: Operation Flashpoint 2: Dragon Rising .000, .001, .002, etc.

Posted: Wed Oct 07, 2009 12:14 pm
by OrangeC
I am using the tool DeLZSS but have no idea how to use the command to input the key.

Re: Operation Flashpoint 2: Dragon Rising .000, .001, .002, etc.

Posted: Wed Oct 07, 2009 12:59 pm
by XRaptor
OrangeC wrote:I am using the tool DeLZSS but have no idea how to use the command to input the key.
It is not standard LZSS, but custom one :-)

Re: Operation Flashpoint 2: Dragon Rising .000, .001, .002, etc.

Posted: Wed Oct 07, 2009 2:26 pm
by XRaptor
Vash wrote:try using "AC2211234495ACA27E805986108BEEDD4D01D3970B9D4CA93D7BE1BBEDDA8458" as key
Well, key is ok, file decrypted :-) How did you get it? I found only something like "BF238E52208261B11FB50901E78E45AC4660153565F09295305484E1F05166EC"

Re: Operation Flashpoint 2: Dragon Rising .000, .001, .002, etc.

Posted: Wed Oct 07, 2009 4:16 pm
by Vash
I did some asm research :roll:

Re: Operation Flashpoint 2: Dragon Rising .000, .001, .002, etc.

Posted: Wed Oct 07, 2009 4:40 pm
by pietastesgood
Nice! So I decrypt the .000, combine all the files into one archive, and how would I go about decompressing it?

Re: Operation Flashpoint 2: Dragon Rising .000, .001, .002, etc.

Posted: Wed Oct 07, 2009 4:46 pm
by Polefish
Wow, you guys are fast. Good work.
Vash wrote:I did some asm research :roll:
Is there a guide or something else that explains how to do "asm research" to find such keys? :]

Re: Operation Flashpoint 2: Dragon Rising .000, .001, .002, etc.

Posted: Wed Oct 07, 2009 5:07 pm
by Rheini
Well, learn assembler http://siyobik.info/index.php?document=x86_32bit_asm
Get a disassembler http://www.hex-rays.com/idapro/idadownfreeware.htm (or a debugger later on http://ollydbg.de/)
and get yourself lots of experience :wink:

A whole bunch of tutorials can be found here: http://www.tuts4you.com/download.php?list.19

Re: Operation Flashpoint 2: Dragon Rising .000, .001, .002, etc.

Posted: Wed Oct 07, 2009 5:47 pm
by aluigi
@XRaptor:
before the edit I read you had difficulties with the aes decryption; you can test it on the fly using quickbms and a script like the following:

get SIZE asize
encryption aes "\xAC\x22\x11\x23\x44\x95\xAC\xA2\x7E\x80\x59\x86\x10\x8B\xEE\xDD\x4D\x01\xD3\x97\x0B\x9D\x4C\xA9\x3D\x7B\xE1\xBB\xED\xDA\x84\x58"
log "decrypted.dat" 0 SIZE
easy :)

then you have written that it's a "custom lzss", can you be more specific?
yesterday I decompressed the first file of the first package perfectly without problems with the classical lzss and its default parameters.

@Polefish:
usually it's simpler than it looks:
- find the AES signatures (I wrote signsrch just for it)
- set a memory breakpoint on the signature which is used during the setting of the key (aes rcon in this case; unfortunately it's not referenced in the code, otherwise it would be better to bp the code directly)
- obviously you need to know assembler, know a bit about how to use a debugger and naturally know something about how the encryption algorithms are used (from a programmer's point of view, not the algorithm itself) and what the signatures found mean

in this case the disassembler is useless because the key is probably built at runtime
anyway I don't have the game so that's the max I can say/hypothesize about this specific case :)
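
The first step aluigi lists, finding the AES constants inside a binary, as an added example (it is not code from the thread and not signsrch itself). It derives the S-box, inverse S-box and rcon table arithmetically rather than hard-coding them, then reports every offset where one of them sits in a blob. The blob scanned here is constructed (random filler with two tables planted at known offsets); the function and table names are this example's own.

```python
import random


def _rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def aes_sbox() -> bytes:
    """Forward S-box: multiplicative inverse in GF(2^8) followed by the affine map.
    Walks the field with generator 3 (p) and its inverse (q) so no table is hard-coded."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF         # q /= 3
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63        # 0 has no inverse; the affine constant alone
    return bytes(sbox)


def aes_signatures() -> dict:
    """Byte patterns a plain (non table-driven) AES implementation carries."""
    sbox = aes_sbox()
    inv = bytearray(256)
    for i, v in enumerate(sbox):
        inv[v] = i
    rcon = [1]
    for _ in range(9):                       # 10 round constants for AES-128..256 key schedules
        r = rcon[-1] << 1
        rcon.append(r ^ 0x11B if r & 0x100 else r)
    return {
        "aes_sbox": sbox,
        "aes_inv_sbox": bytes(inv),
        "aes_rcon": bytes(rcon),
        "aes_rcon_u32le": b"".join(r.to_bytes(4, "little") for r in rcon),
    }


def find_aes_signatures(blob: bytes) -> dict:
    """Map signature name -> list of byte offsets at which it occurs in blob."""
    hits = {}
    for name, pat in aes_signatures().items():
        offs, i = [], blob.find(pat)
        while i != -1:
            offs.append(i)
            i = blob.find(pat, i + 1)
        if offs:
            hits[name] = offs
    return hits


def build_sample_blob() -> bytes:
    """Constructed stand-in for a code section: random filler with an S-box at
    offset 64 and the packed rcon table at offset 420."""
    rnd = random.Random(2009)
    filler = lambda n: bytes(rnd.getrandbits(8) for _ in range(n))
    sig = aes_signatures()
    return filler(64) + sig["aes_sbox"] + filler(100) + sig["aes_rcon"] + filler(32)


if __name__ == "__main__":
    print(find_aes_signatures(build_sample_blob()))   # {'aes_sbox': [64], 'aes_rcon': [420]}
```

Two caveats match what aluigi says. A table-driven implementation (the usual Te/Td "T-tables") stores the S-box bytes interleaved inside 32-bit words, so a byte-exact search like this one misses it and a stride-aware search is needed. And finding the tables only tells you where the key schedule runs; when the key is assembled at runtime, the constant itself is not in the file, which is why the next step is a memory breakpoint on the rcon table rather than reading the key out of the disassembly.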

Re: Operation Flashpoint 2: Dragon Rising .000, .001, .002, etc.

Posted: Wed Oct 07, 2009 6:03 pm
by XRaptor
Bugtest wrote: then you have written that it's a "custom lzss", can you be more specific?
yesterday I decompressed the first file of the first package perfectly without problems with the classical lzss and its default parameters.
Well, maybe it is classical lzss, I can't tell what is standard :-) I just found there is just a flag byte then data bytes and no "stop" and "start" bytes in the files. So some files can be longer than the data to decompress (maybe some alignment or my fault). The same goes for getting the offset in the buffer and the length to copy from the info bytes. I found there is xx yz where yxx = offset in buffer and z + MIN_LENGTH is the length. Sometimes in other games I found that the offset must be counted the other way. But yes, the algorithm is standard lzss :-) So sorry for the mix-ups :-) I'm not perfect ;-)
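
The layout XRaptor describes, as an added example that is not code from the thread or from quickbms: a decoder for the classic Okumura-style LZSS (flag byte, eight items, literal on a set bit, otherwise a two-byte "xx yz" reference with a 12-bit offset yxx into a 4 KiB ring buffer and length z + MIN_LENGTH) plus a small greedy encoder used only to build test input. Because the stream has no start or stop marker, the decoder stops at the end of the input or at a caller-supplied expected size, which is also how trailing alignment bytes are dealt with. Parameter names are Okumura's; the sample stream is constructed.

```python
N = 4096             # ring buffer size (12-bit offset)
F = 18               # longest match: 15 + MIN_LENGTH
THRESHOLD = 2        # matches of THRESHOLD bytes or fewer are cheaper as literals
MIN_LENGTH = THRESHOLD + 1


def lzss_decompress(data: bytes, expected_size=None) -> bytes:
    buf = bytearray(b" " * N)   # Okumura pre-fills the ring buffer with spaces
    r = N - F                   # write position inside the ring
    out = bytearray()
    pos = flags = 0
    while pos < len(data):
        flags >>= 1
        if not flags & 0x100:   # high byte is a counter: after 8 items read a new flag byte
            flags = data[pos] | 0xFF00
            pos += 1
            if pos >= len(data):
                break
        if flags & 1:           # literal
            c = data[pos]
            pos += 1
            out.append(c); buf[r] = c; r = (r + 1) & (N - 1)
        else:                   # reference "xx yz"
            if pos + 1 >= len(data):
                break           # a lone trailing byte cannot be a reference (alignment)
            b1, b2 = data[pos], data[pos + 1]
            pos += 2
            offset = b1 | ((b2 & 0xF0) << 4)       # yxx: y is the high nibble of the 2nd byte
            length = (b2 & 0x0F) + MIN_LENGTH      # z + MIN_LENGTH
            for k in range(length):
                c = buf[(offset + k) & (N - 1)]    # may read bytes written by this same copy
                out.append(c); buf[r] = c; r = (r + 1) & (N - 1)
        if expected_size is not None and len(out) >= expected_size:
            return bytes(out[:expected_size])
    return bytes(out)


def _match_len(buf, r, off, src, i, maxlen):
    """Bytes the decoder would reproduce for reference off at output position i,
    simulating its byte-by-byte copy so overlapping runs are counted correctly."""
    l = 0
    while l < maxlen:
        p = (off + l) & (N - 1)
        d = (p - r) & (N - 1)
        val = src[i + d] if d < l else buf[p]   # position already overwritten this copy?
        if val != src[i + l]:
            break
        l += 1
    return l


def lzss_compress(src: bytes) -> bytes:
    """Greedy encoder producing the same stream layout (test-input helper)."""
    buf = bytearray(b" " * N)
    r = N - F
    out = bytearray()
    i = 0
    while i < len(src):
        flags, items = 0, bytearray()
        for bit in range(8):
            if i >= len(src):
                break
            maxlen = min(F, len(src) - i)
            best_len = best_off = 0
            if maxlen >= MIN_LENGTH:
                for off in range(N):
                    if buf[off] != src[i]:
                        continue
                    l = _match_len(buf, r, off, src, i, maxlen)
                    if l > best_len:
                        best_len, best_off = l, off
                        if l == maxlen:
                            break
            if best_len >= MIN_LENGTH:
                items += bytes([best_off & 0xFF,
                                ((best_off >> 4) & 0xF0) | (best_len - MIN_LENGTH)])
                n = best_len
            else:
                flags |= 1 << bit
                items.append(src[i])
                n = 1
            for k in range(n):
                buf[r] = src[i + k]; r = (r + 1) & (N - 1)
            i += n
        out.append(flags)
        out += items
    return bytes(out)


# Constructed stream: flags 0x07 = three literals "abc", then one reference
# (offset 0xFEE = 4078 = N - F, length nibble 0xF = 18 bytes) that copies over
# itself and expands to "abc" * 7.
SAMPLE_STREAM = bytes.fromhex("07 61 62 63 EE FF")

if __name__ == "__main__":
    print(lzss_decompress(SAMPLE_STREAM))
    text = b"the quick brown fox jumps over the lazy dog; " * 4
    print(len(text), "->", len(lzss_compress(text)), "bytes")
```

The reference in the sample stream points at the three bytes just written and asks for 18, so the copy runs into its own output; that overlap is the normal way LZSS encodes a repeated pattern, and the decoder handles it only because it copies one byte at a time rather than with a block move. The "offset counted the other way" that XRaptor mentions for other games would change just the two lines that decode offset and length.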

Re: Operation Flashpoint 2: Dragon Rising .000, .001, .002, etc.

Posted: Wed Oct 07, 2009 6:15 pm
by Rheini
XRaptor wrote:Well, maybe it is classical lzss, I cant tell what is standard :-)
Well, most implementations are "custom", to be exact.
The original paper only suggested using a flag bit that is saved directly before each data chunk.
Mostly those bits are combined to 1 or 2 bytes today though.

Re: Operation Flashpoint 2: Dragon Rising .000, .001, .002, etc.

Posted: Wed Oct 07, 2009 6:54 pm
by aluigi
can you list some of these games/applications which use custom lzss algorithms?
the other time you listed only Settlers, do you know others?

because I have only ever encountered the classical lzss, like in this game, all the games based on the Cauldron engine, Zork Nemesis and something else that I don't remember at this moment.

I need to know all these exceptions which use different settings of the lzss algorithm for deciding whether or not to add the manual setting of these fields in quickbms (ok, I will do it for sure, but I would like to have at least a "statistic" for my curiosity).

Re: Operation Flashpoint 2: Dragon Rising .000, .001, .002, etc.

Posted: Wed Oct 07, 2009 7:27 pm
by Rheini
Well, as I said, I don't know any implementation that uses a single bit because this involves ugly bitwise operations.
Mostly 8 flag bits are combined, sometimes 16.

More common are variations on the parameters window size and how offset/length are encoded.

I don't know any game though except Settlers 2.