
Re: ArcheAge Online

Posted: Wed Aug 15, 2012 8:45 pm
by Ekey
My bad (forgot to edit the post)

TableOffset needs to take the PAK size (22418525696 bytes) minus TotalFiles * 0x150

Re: ArcheAge Online

Posted: Wed Aug 15, 2012 8:48 pm
by aluigi
are you sure I don't also need to remove the 0x200 of the header to get the correct offset?
I mean: offset = pak_size - (files * 0x150) - 0x200

because if I do only "pak_size - (files * 0x150)" then we have an overlapping of the last 2 entries

Re: ArcheAge Online

Posted: Wed Aug 15, 2012 9:53 pm
by Ekey
Ok. Let's do it again, because after the patch there are some changes:

Full Header Size = (2e0)
Encrypted Data offset same = -0x200
Encrypted Data size = 0x20

In the decrypted header, after total files there is now an unknown value = 13 (0xD) (before the patch this value = 0)

Code:

PAK Size = 5383f8e00 (22418525696)
Total Files in PAK = 140701 (2259D) + Unknown (0xD)

Correct Table Offset : 5356e1c00 (22371245056) - from begin file or 02d16f20 (47279904) from end.
Correct Table Size : 02d16f20 (47279904)
Get Table Size:
Total Files (2259D) + Unknown (0xD) * 0x150 = 2d16f20 (<- This value can also be used as an offset from end of file for Table Offset)

Get Table Offset: from begin of file
PAK Size (5383f8e00) - Table Size (2d16f20) = 5356e1ee0 + Full Header Size (2e0) = 5356e21c0

http://img809.imageshack.us/img809/971/23997401.png

All rechecked!

Re: ArcheAge Online

Posted: Wed Aug 15, 2012 10:05 pm
by aluigi
well done, I have updated the script and verified all the values using those you gave me as example.

just as a hypothesis, do you think 0x2e0 may be related to that new value?
like 0x2e0 = (0xd * 0x38) + 8
probably we need to wait for the next versions of the game to know the answer :)

Re: ArcheAge Online

Posted: Wed Aug 15, 2012 10:17 pm
by Ekey
aluigi wrote: well done

Code:

- signature of 4 bytes at offset 0x00000020 doesn't match the one
  expected by the script:

  this one: "аУQ_"
  a0 93 51 5f                                       ..Q_

  expeceted: "WIBO"
  57 49 42 4f                                       WIBO
:}
aluigi wrote: just as a hypothesis, do you think 0x2e0 may be related to that new value?
like 0x2e0 = (0xd * 0x38) + 8
probably we need to wait for the next versions of the game to know the answer :)

I'm just a beginner at reversing game PAKs..... w8 0.2.2 :bleh:

Re: ArcheAge Online

Posted: Wed Aug 15, 2012 10:29 pm
by aluigi
I have removed "goto 0x20 MEMORY_FILE", now "WIBO" should be there so exactly at PAK size - 0x200

Re: ArcheAge Online

Posted: Wed Aug 15, 2012 10:36 pm
by Ekey

Code:

00000000 0c  6   math SIZE = 0x200
- variable "SIZE" seems uninitialized, I use its name
             <get SIZE (0) "SIZE"
             <get 0x200 (1) 0x00000200
             >set SIZE (0) to 0x00000200

00000000 06  7   get OFFSET asize
             >set OFFSET (2) to 0x383f8e00

00000000 0c  9   math OFFSET -= SIZE
             <get OFFSET (2) 0x383f8e00
             <get SIZE (0) 0x00000200
             >set OFFSET (2) to 0x383f8c00

00000000 2b  10  callfunction DECRYPT 1
             .start_bms start: 34 0 0

00000000 26  42  encryption aes_128_cbc "\x32\x1F\x2A\xEE\xAA\x58\x4A\xB4\x9A\x6
C\x9E\x09\xD5\x9E\x9C\x6F"
- variable "aes_128_cbc" seems uninitialized, I use its name
             <get aes_128_cbc (15) "aes_128_cbc"
- encryption with algorithm aes_128_cbc and key of 16 bytes

00000000 0b  43  log MEMORY_FILE OFFSET SIZE
             <get MEMORY_FILE (16) "MEMORY_FILE"
             <get OFFSET (2) 0x383f8c00
             <get SIZE (0) 0x00000200
- create a memory file from offset 383f8c00 of 512 bytes

00000000 26  44  encryption "" ""
             <get  (17) ""
             <get  (17) ""
             <get  (17) ""

00000000 2c  45  endfunction
             .start_bms end: 34 0 0 (ret 37)

00000000 09  12  idstring MEMORY_FILE "WIBO"

- signature of 4 bytes at offset 0x00000000 doesn't match the one
  expected by the script:

  this one: "♂ч9к"
  0b e7 39 aa                                       ..9.

  expeceted: "WIBO"
  57 49 42 4f                                       WIBO

Re: ArcheAge Online

Posted: Wed Aug 15, 2012 11:49 pm
by aluigi
I have verified everything here using even the image you posted and it's all correct.

the data "56 97 b3..." is located at -0x200 so it's ok.
I hope it's not a problem of quickbms_4gb_files...

anyway I guess that most of the fields there are longlong so the nulls are just the 64bit part

Re: ArcheAge Online

Posted: Thu Aug 16, 2012 6:06 am
by iaw
Sample pak:

Code:

http://download-xlgamesdn.cdn.x-cdn.com/cbt5/xlpak/106006to106040_pak
http://download-xlgamesdn.cdn.x-cdn.com/cbt5/xlpak/106040to106057_pak

wrong:

Code:

math OFFSET += 0x2e0

correct:

Code:

math OFFSET -= 0x2e0  #Not fixed

Filename is wrong

Re: ArcheAge Online

Posted: Thu Aug 16, 2012 2:05 pm
by Ekey
quickbms gets the same incorrect full PAK size.

Code:

  offset   filesize   filename
------------------------------

00000000 06  2   get SIZE asize
             >set SIZE (0) to 0x383f8e00

00000000 27  3   print %SIZE%
- SCRIPT's MESSAGE:
               <get SIZE (0) 0x383f8e00
943689216

Correct -> 22418525696 (5383F8E00)

Re: ArcheAge Online

Posted: Thu Aug 16, 2012 3:00 pm
by aluigi
@iaw
thanx a lot for the files, if you have other links about newer pak versions I would be happy to check them

@Ekey
you can't use quickbms.exe on an archive bigger than 4gb

and now the new script:
*edit* check next posts
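
Added example, not part of the thread or of quickbms: the end-relative offsets worked out in the posts above, and the 32-bit truncation visible in the quoted quickbms output, in Python. The function names are assumptions; the constants and sample values are the ones quoted in the posts, and the table offset subtracts 0x2e0, matching the "Correct Table Offset" value and iaw's correction.

```python
import os

ENTRY_SIZE = 0x150       # bytes per file-table entry (from the thread)
TRAILER_BACK = 0x200     # encrypted header starts at pak_size - 0x200
FULL_HEADER = 0x2E0      # "Full Header Size" reported after the patch


def pak_layout(pak_size, total_files, unknown=0):
    """Offsets derived from the end of the archive, as worked out in the thread."""
    table_size = (total_files + unknown) * ENTRY_SIZE
    table_offset = pak_size - table_size - FULL_HEADER
    if table_offset < 0 or pak_size < TRAILER_BACK:
        raise ValueError("archive too small for the declared file table")
    return {
        "header_offset": pak_size - TRAILER_BACK,
        "table_size": table_size,
        "table_offset": table_offset,
    }


def size_is_truncated(tool_size, real_size):
    """True when a tool reports only the low 32 bits of the real size."""
    return tool_size != real_size and tool_size == (real_size & 0xFFFFFFFF)


def read_trailer(path, tool_size=None):
    """Read the 0x200-byte encrypted header using the OS-reported size.

    If tool_size is given (the size a tool printed), stop when it is the real
    size modulo 2**32: every end-relative offset would then land inside file
    data instead of the header, and the signature check fails after decryption.
    """
    real_size = os.path.getsize(path)
    if tool_size is not None and size_is_truncated(tool_size, real_size):
        raise ValueError("reported size 0x%x is truncated; real size is 0x%x"
                         % (tool_size, real_size))
    with open(path, "rb") as f:
        f.seek(real_size - TRAILER_BACK)
        return f.read(TRAILER_BACK)


# Values quoted in the thread (main archive after the patch).
REAL = pak_layout(0x5383F8E00, 140701, unknown=0xD)
# Same arithmetic on the size quickbms printed: no error is raised, but every
# offset is 5 * 2**32 bytes too low, so the bounds check alone cannot catch it.
SEEN = pak_layout(0x383F8E00, 140701, unknown=0xD)
```
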

Re: ArcheAge Online

Posted: Thu Aug 16, 2012 3:18 pm
by Ekey
aluigi wrote: @Ekey
you can't use quickbms.exe on an archive bigger than 4gb
I mean quickbms_4gb_files

New Script

Code:

- signature of 4 bytes at offset 0x00000000 doesn't match the one
  expected by the script:

  this one: "♂ч9к"
  0b e7 39 aa                                       ..9.

  expeceted: "WIBO"
  57 49 42 4f                                       WIBO

Re: ArcheAge Online

Posted: Thu Aug 16, 2012 3:30 pm
by iaw
Sample pak working properly

Re: ArcheAge Online

Posted: Thu Aug 16, 2012 3:43 pm
by Ekey
For the main archive it does not work because it gets an invalid pak size

Code:

00000000 0c  6   math SIZE = 0x200
- variable "SIZE" seems uninitialized, I use its name
             <get SIZE (0) "SIZE"
             <get 0x200 (1) 0x00000200
             >set SIZE (0) to 0x00000200

00000000 06  7   get OFFSET asize
             >set OFFSET (2) to 0x383f8e00

00000000 0c  8   math OFFSET -= SIZE
             <get OFFSET (2) 0x383f8e00
             <get SIZE (0) 0x00000200
             >set OFFSET (2) to 0x383f8c00

00000000 2b  9   callfunction DECRYPT 1
             .start_bms start: 54 0 0

Re: ArcheAge Online

Posted: Thu Aug 16, 2012 3:47 pm
by iaw
The problem of quickbms_4gb_files.exe?