Reverse Analysis of an Online Game's Resource Decompression Process


Suspected identifying header: whzlib, 2003
File composition:
1. .nam file (ANSI encoded; displays correctly as Windows-936)
2. .idx file
3. .dat file

Presumably these hold the file names, the index, and the actual data respectively.
The archives contain meshes (.pmf, models), textures (.tga, materials), animations (.paf) and skeletons (.psf).
 
A small archive, PM (PM.nam, PM.idx, PM.dat), is chosen for analysis.
File sizes:
PM.nam 2,135 bytes
PM.idx 4,387 bytes
PM.dat 236,701 bytes

PM.nam holds 128 file names + 1 empty placeholder = 129 entries
 
 
.nam
The first two bytes of the file are a header (01 00 here). Type codes: 01 = a file, 02 = enter a directory, 03 = leave the directory.
Entry format = 1-byte length + file name + 0x00 terminator, where the length byte counts the terminator (0x0C for the 11-character "3DModel.txt" plus its 0x00).
Example:
Header  00000000h: 01 00 ;..
Entries 00000002h: 0C 33 44 4D 6F 64 65 6C 2E 74 78 74 00 ;.3DModel.txt.
        0000000fh: 0F 41 63 74 69 6F 6E 6C 69 73 74 2E 74 78 74 00 ;.Actionlist.txt.
...
 
.idx
The file header is 97 bytes (some rows of the dumps below lost a byte or two in transcription; the offsets are reliable), for example:
00000000h: 77 68 7A 6C 69 62 2C 20 32 30 30 33 00 00 00 00 ;whzlib, 2003....
00000010h: 02 00 00 00 00 00 00 00 00 00 00 00 ;............
00000020h: 00 00 00 00 00 00 00 00 00 00 00 00 ;............
00000030h: 00 00 00 00 00 00 00 00 00 00 00 00 ;............
00000040h: 02 00 00 00 00 01 BA 00 00 00 00 00 00 00 ;..............
00000050h: 00 00 00 00 00 00 00 00 9F 00 00 00 05 01 00 ;...............
 
Entries are a fixed 33 bytes each, starting at offset 0x61 (the 00 at 0x60 is the last header byte). First entry:
00000060h: 00 01 02 00 00 00 EA E0 E4 4C F2 3A 93 89 2B 62 ;.........L.:..+b
00000070h: 50 91 85 B6 2D 4F A3 BC 8E 6B 00 00 00 00 7F 5F ;P...-O...k....._
00000080h: 00 00 ;..
Placeholder entries are also 33 bytes: a type byte of 03 followed by zeros, for example:
1.
00002205h: 00 03 00 00 00 00 00 00 00 00 00 00 00 ;.............
00002215h: 00 00 00 00 00 00 00 00 00 00 00 00 ;............
00002225h: 00 00 ;..
2.
000003bbh: 03 00 00 00 00 00 00 00 00 00 00 00 00 00 ;..............
000003cbh: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ;..............
000003dbh: 00 ;.

The number of entries in a package therefore follows from:
Total entries = (idx file size - 97) / 33 - number of placeholder entries
Example, mb.idx: (8743 - 97) / 33 - 4 = 258 entries (directory entries count as entries here)
Actual number of files = 258 - number of directory entries
Check against PM.idx: (4387 - 97) / 33 = 130 exactly, so the 97-byte header and 33-byte entry size hold for that file as well.
 
Working hypothesis for the entry format, using the second entry:
00000082h: 01 0F 00 00 00 31 5F AD 4D CD 48 C2 26 C5 04 D2 ;.....1_.M.H.&...
00000092h: 04 AB 33 8D 59 E3 20 79 40 5C 10 00 00 C4 08 00 ;..3.Y. y@\......
000000a2h: 00 ;.
Take the last eight bytes: 5C 10 00 00 C4 08 00 00
5C 10 00 00 is the entry's offset in the .dat file (0x105C).
C4 08 00 00 is presumably the size of the extracted file: 0x08C4 = 2244 bytes.
---- Byte order: little-endian (least-significant byte first, as both fields above show) ----
Entry bytes 5..24: suspected 20-byte SHA-1 digest
00000087h: 31 5F AD 4D CD 48 C2 26 C5 04 D2 04 AB 33 8D 59 ;1_.M.H.&.....3.Y
00000097h: E3 20 79 40 ;. y@
 
Bytes 0..4 of each entry (type byte + 4-byte value), collected:
00000061h: 01 02 00 00 00 ;.....
00000082h: 01 0F 00 00 00 ;.....
000000a3h: 01 1F 00 00 00 ;.....
000000c4h: 01 2D 00 00 00 ;.-...
000000e5h: 01 42 00 00 00 ;.B...
00000106h: 01 4E 00 00 00 ;.N...
...
...
00002182h: 01 AC 0F 00 00 ;.....
000021a3h: 01 C8 0F 00 00 ;.....
000021c4h: 01 D8 0F 00 00 ;.....
000021e5h: 01 E5 0F 00 00 ;.....
The 4-byte value is the offset of the file name inside .nam: 0x02 is "3DModel.txt" and 0x0F is "Actionlist.txt" in the .nam dump above, and each offset equals the previous one plus that entry's length byte plus 1.
The first byte takes the values 01, 02 and 03, presumably 01 = an ordinary file, 02 = enter the next directory, 03 = return to the parent directory.
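As an added example (not code from the original post), here is a Python reader for the .nam/.idx layout worked out above: the 97-byte .idx header, 33-byte entries (type byte, 4-byte little-endian .nam offset, 20 bytes of suspected SHA-1, 4-byte .dat offset, 4-byte extracted size), .nam entries whose length byte counts the 0x00 terminator, and the 01/02/03 type codes walked with a directory stack. The sample archive it parses is constructed inline; the directory name "Model", the use of a type-02 entry's .nam offset as the directory name, and treating the two .nam header bytes as opaque are assumptions.

```python
import hashlib
import struct

# Constants taken from the analysis above.
IDX_MAGIC = b"whzlib, 2003"
IDX_HEADER_SIZE = 97         # .idx header length
IDX_ENTRY_SIZE = 33          # fixed .idx entry length
IDX_ENTRY_FMT = "<BI20sII"   # type, .nam offset, SHA-1?, .dat offset, extracted size (LE)
ENTRY_FILE, ENTRY_ENTER_DIR, ENTRY_LEAVE_DIR = 1, 2, 3


def read_nam_name(nam: bytes, offset: int) -> str:
    """Read one .nam entry: a length byte that counts the trailing 0x00, then the name."""
    length = nam[offset]
    raw = nam[offset + 1 : offset + 1 + length]
    if len(raw) != length or not raw.endswith(b"\x00"):
        raise ValueError(f".nam entry at 0x{offset:x} is malformed")
    return raw[:-1].decode("cp936")          # ANSI text, Windows-936 per the post


def entry_count(idx_size: int) -> int:
    """The post's formula before the placeholder correction: (size - 97) / 33."""
    body = idx_size - IDX_HEADER_SIZE
    if body < 0 or body % IDX_ENTRY_SIZE:
        raise ValueError("idx size does not fit 97 + n*33")
    return body // IDX_ENTRY_SIZE


def parse_idx(idx: bytes, nam: bytes):
    """Return [(path, dat_offset, extracted_size, sha1_hex), ...] for the file entries."""
    if not idx.startswith(IDX_MAGIC):
        raise ValueError("not a whzlib index")
    files, dirs = [], []                      # dirs is the current directory stack
    for i in range(entry_count(len(idx))):
        off = IDX_HEADER_SIZE + i * IDX_ENTRY_SIZE
        kind, nam_off, digest, dat_off, size = struct.unpack_from(IDX_ENTRY_FMT, idx, off)
        if kind == ENTRY_FILE:
            name = read_nam_name(nam, nam_off)
            files.append(("/".join(dirs + [name]), dat_off, size, digest.hex()))
        elif kind == ENTRY_ENTER_DIR:         # assumption: its .nam offset names the directory
            dirs.append(read_nam_name(nam, nam_off))
        elif kind == ENTRY_LEAVE_DIR:         # the all-zero "placeholder" rows carry type 03
            if dirs:
                dirs.pop()
        else:
            raise ValueError(f"unknown entry type {kind:#x} at 0x{off:x}")
    return files


def build_sample():
    """Constructed test data (not from the game) in the layout above."""
    names = ["3DModel.txt", "Actionlist.txt", "Model", "hero.pmf"]
    nam, nam_off = bytearray(b"\x01\x00"), {}
    for n in names:
        nam_off[n] = len(nam)
        enc = n.encode("cp936") + b"\x00"
        nam += bytes([len(enc)]) + enc        # length byte includes the terminator

    def entry(kind, name=None, dat_off=0, size=0):
        digest = hashlib.sha1(name.encode() if name else b"").digest()  # stand-in digest
        return struct.pack(IDX_ENTRY_FMT, kind, nam_off[name] if name else 0,
                           digest, dat_off, size)

    idx = IDX_MAGIC.ljust(IDX_HEADER_SIZE, b"\x00")
    idx += entry(ENTRY_FILE, "3DModel.txt", 0x0000, 0x1000)     # constructed values
    idx += entry(ENTRY_FILE, "Actionlist.txt", 0x105C, 0x08C4)  # offset/size from the dump
    idx += entry(ENTRY_ENTER_DIR, "Model")
    idx += entry(ENTRY_FILE, "hero.pmf", 0x2000, 0x1234)
    idx += entry(ENTRY_LEAVE_DIR)
    return bytes(nam), idx


if __name__ == "__main__":
    nam, idx = build_sample()
    for path, dat_off, size, sha in parse_idx(idx, nam):
        print(f"{path:24s} dat@0x{dat_off:06x} {size:6d} bytes sha1={sha[:8]}...")
```

Running it against real PM.nam/PM.idx only needs the two files read into bytes; the 130-entry result for PM.idx is what the size check above predicts.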
 
.dat
Each entry begins with a 25-byte header whose last 4 bytes give the size of the data that follows. For a single-segment entry the first 21 bytes are fixed:
00000000h: 00 01 00 00 00 00 00 00 00 00 00 00 00 ;.............
00000010h: 00 00 00 01 ;....

0000105ch: 00 01 00 00 00 00 00 00 00 00 00 00 00 00 ;..............
0000106ch: 00 00 00 01 ;....
(0x105C is the .dat offset recorded in the .idx entry for Actionlist.txt above.)

Example of a multi-segment header (29 bytes):
00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B0 14 00 00 01 AB 14 00 00

00 02 is the number of segments. It is followed by 18 reserved zero bytes, then one 4-byte start offset per additional segment (B0 14 00 00 = 0x14B0, the start of the second segment), then the compression flag (0x01 = compressed, 0x00 = stored) and the 4-byte length of the first segment (AB 14 00 00 = 0x14AB).
The second segment's own flag and length occupy the five bytes just before offset 0x14B0 (for example 01 DA 0A 00 00), so 0x0ADA is the length of the second segment. Since 0x14AB + 5 = 0x14B0, the offset is evidently measured from the start of the first segment's data.
 
The extracted raw data does not inflate with zlib as is, so it is presumably encrypted, and the only way forward is to follow it in OllyDbg (OD). The original program is packed with VMProtect; it can be debugged with a suitably modified OD.
There are really two approaches: hook the game, or fully reverse the algorithm. Having already put in so much effort, falling back to a hook would be too embarrassing, so... continue.
Run to vm_return with ximo's tool; by then the original program's data has been restored in memory. Set a breakpoint on CreateFile and press F9, watching the stack: each F9 shows the next file being opened.
The open order is idx -> dat -> nam. Wait until the archive of interest is opened; after the nam file, break on ReadFile and return to the main thread. From there the data restoration is easy to follow and has basically no technical content.
Decryption runs in three steps: 1. XOR each byte with a fixed string 2. DES in ECB mode (one 8-byte key) 3. zlib decompression
The code for steps 1 and 2 (against OpenSSL's libcrypto):
#include <stdlib.h>
#include <string.h>
#include <openssl/des.h>

/* Steps 1 and 2 of the recovered decryption, applied in place to one
 * segment's stored bytes. Returns 0 on success, -1 if memory allocation
 * fails (the caller then frees raw_data and reports the error). */
int decrypt_raw(unsigned char *raw_data, unsigned long raw_size)
{
    /* Step 1: simple XOR with the repeating 16-byte key (exactly 16 bytes,
     * so no terminating NUL is stored). */
    static const unsigned char xorkeyword[16] = "shuangjianhebing";
    unsigned long b_step = 0;
    unsigned int key_step = 0;
    for (b_step = 0; b_step < raw_size; ++b_step) {
        raw_data[b_step] ^= xorkeyword[key_step++];
        key_step = (key_step >= 16) ? 0 : key_step;
    }

    /* Step 2: DES-ECB decrypt the 8-byte-aligned prefix; any trailing
     * 1..7 bytes are left as the XOR step produced them. */
    unsigned long des_size = (raw_size / 8) * 8;
    if (des_size == 0)
        return 0;

    unsigned char *des_data = malloc(des_size);
    unsigned char *cpy_data = malloc(des_size);
    if (des_data == NULL || cpy_data == NULL) {
        free(des_data);             /* free(NULL) is a no-op */
        free(cpy_data);
        return -1;                  /* "error: Memory Allocation failed!" */
    }
    memcpy(des_data, raw_data, des_size);

    DES_cblock key = { 0x12, 0x06, 0x1d, 0x04, 0x0c, 0x0e, 0x04, 0x0e };
    DES_key_schedule keysched;
    DES_set_key_unchecked((const_DES_cblock *)&key, &keysched);

    unsigned long temp_step = 0;
    for (temp_step = 0; temp_step < des_size / 8; ++temp_step)
        DES_ecb_encrypt((const_DES_cblock *)(des_data + temp_step * 8),
                        (DES_cblock *)(cpy_data + temp_step * 8),
                        &keysched, DES_DECRYPT);

    memcpy(raw_data, cpy_data, des_size);
    free(des_data);
    free(cpy_data);
    return 0;
    /* DES decryption completed; raw_data is now ready for zlib */
}
The DES decryption here simply uses OpenSSL (a great library); after that the data inflates with zlib. Some files are split into several segments: decompress each segment and join the results together.
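As an added example (again not the post's code), the following Python walks a .dat entry using the layout worked out in the .dat section and runs the recovered three-step pipeline over each segment, then joins the segments as described above. The XOR key is the one from the post; reading the two count bytes as a big-endian 16-bit value and the segment offsets as relative to the start of the first segment's data are my inferences from the dumps (0x14AB + 5 = 0x14B0). The DES-ECB stage is passed in as a callable because the Python standard library has no DES; the C function above is what fills that slot against the real archive. The entry parsed here is constructed inline with only the XOR and zlib layers.

```python
import struct
import zlib

XOR_KEY = b"shuangjianhebing"      # 16-byte XOR string recovered in the post
DAT_FIXED = 2 + 18                 # 2-byte segment count + 18 reserved zero bytes
SUBHDR_FMT = "<BI"                 # per segment: 1-byte compression flag, 4-byte LE length
SUBHDR_SIZE = 5


def xor_layer(data: bytes) -> bytes:
    """Step 1: XOR each byte with the repeating 16-byte key (its own inverse)."""
    return bytes(b ^ XOR_KEY[i % len(XOR_KEY)] for i, b in enumerate(data))


def parse_dat_entry(dat: bytes, start: int):
    """Return [(flag, data_offset, length), ...] for the entry beginning at `start`.

    The first segment's 5-byte sub-header follows the offset table directly; each
    later segment's sub-header sits in the 5 bytes before its recorded start offset,
    which is counted from the start of the first segment's data (inference).
    """
    count = struct.unpack_from(">H", dat, start)[0]            # 00 01 / 00 02 in the dumps
    if count < 1:
        raise ValueError("entry with no segments")
    table_at = start + DAT_FIXED
    offsets = struct.unpack_from(f"<{count - 1}I", dat, table_at)
    first_sub = table_at + 4 * (count - 1)
    first_data = first_sub + SUBHDR_SIZE
    sub_positions = [first_sub] + [first_data + o - SUBHDR_SIZE for o in offsets]
    segments = []
    for sub in sub_positions:
        flag, length = struct.unpack_from(SUBHDR_FMT, dat, sub)
        if flag not in (0, 1):
            raise ValueError(f"bad compression flag {flag:#x} at 0x{sub:x}")
        segments.append((flag, sub + SUBHDR_SIZE, length))
    return segments


def unpack_entry(dat: bytes, start: int, des_ecb_decrypt=None) -> bytes:
    """Steps 1-3 per segment (XOR, DES on the 8-byte-aligned prefix, zlib), then join."""
    out = bytearray()
    for flag, data_at, length in parse_dat_entry(dat, start):
        chunk = xor_layer(dat[data_at:data_at + length])
        if des_ecb_decrypt is not None:
            aligned = len(chunk) // 8 * 8                     # trailing 1..7 bytes stay XOR-only
            chunk = des_ecb_decrypt(chunk[:aligned]) + chunk[aligned:]
        out += zlib.decompress(chunk) if flag == 1 else chunk
    return bytes(out)


def build_sample_entry(plain_segments):
    """Constructed .dat entry (not game data): zlib + XOR layers only, no DES."""
    stored = [xor_layer(zlib.compress(p)) for p in plain_segments]
    offsets, cur = [], 0
    for s in stored[:-1]:          # next data starts after this data plus its 5-byte sub-header
        cur += len(s) + SUBHDR_SIZE
        offsets.append(cur)
    header = struct.pack(">H", len(stored)) + b"\x00" * 18
    header += struct.pack(f"<{len(offsets)}I", *offsets)
    body = b"".join(struct.pack(SUBHDR_FMT, 1, len(s)) + s for s in stored)
    return header + body


if __name__ == "__main__":
    dat = build_sample_entry([b"first segment " * 300, b"second segment " * 200])
    for flag, at, length in parse_dat_entry(dat, 0):
        print(f"flag={flag} data@0x{at:x} len=0x{length:x}")
    print(len(unpack_entry(dat, 0)), "bytes after joining the segments")
```

For the real archive, read PM.dat into bytes, take the .dat offset and extracted size from the .idx entry, pass a DES-ECB decryptor with the key above, and compare the joined length with the extracted size recorded in the index.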
 
In fact I want to say that although I have not written down much, this took me more than a week from start to finish. So easy!
PS: At first I only wanted to extract a piece of the original music I liked from the game resources, and I ended up unpacking all of the game's resources, 2 GB of files. Isn't that a bit over the top...

Author: Dragon's freezing point
