XeNTaX Forum Index
Forum MultiEx Commander Tools Tools Home
It is currently Thu Dec 13, 2018 9:09 am

All times are UTC + 1 hour


Forum rules


Please click here to view the forum rules



Post new topic Reply to topic  [ 16 posts ]  Go to page 1, 2  Next
Author Message
 Post subject: unity3d Variant?
PostPosted: Sun Nov 10, 2013 8:51 am 
Offline
advanced

Joined: Sun Jul 03, 2011 4:40 am
Posts: 62
Has thanked: 51 times
Have thanks: 1 time














You can make the ads go away by registering

i use aluigi unity3d_webplayer.bms,no luck:(
get error:the requested amount of bytes to allocate is negative 0xff68ddf5


Attachments:


You do not have the required permissions to view the files attached to this post. Register to gain access.



Top
 Profile  
 
 Post subject: Re: unity3d Variant?
PostPosted: Sun Nov 10, 2013 8:52 am 
Offline
advanced

Joined: Sun Jul 03, 2011 4:40 am
Posts: 62
Has thanked: 51 times
Have thanks: 1 time
head: UnityWeb


Attachments:


You do not have the required permissions to view the files attached to this post. Register to gain access.



Top
 Profile  
 
 Post subject: Re: unity3d Variant?
PostPosted: Sun Nov 10, 2013 9:48 am 
Offline
M-M-M-Monster veteran
M-M-M-Monster veteran
User avatar

Joined: Fri Apr 20, 2012 9:24 am
Posts: 2534
Location: Nexus, searching for Jim Kirk
Has thanked: 605 times
Have thanks: 1297 times
The offset 0x99003C is bigger than file size (0x1DE31).
To get a clue what's going wrong here you should
get an elder unity3d file that's being unpacked by the script.

_________________
Bigchillghost, Reverse Engineering a Game Model: http://forum.xentax.com/viewtopic.php?f=29&t=17889
extracting simple models: http://forum.xentax.com/viewtopic.php?f=29&t=10894
Make_H2O-ForzaHor3-jm9.zip


Top
 Profile  
 
 Post subject: Re: unity3d Variant?
PostPosted: Sun Nov 10, 2013 9:54 am 
Offline
M-M-M-Monster veteran
M-M-M-Monster veteran

Joined: Wed Mar 31, 2010 6:54 am
Posts: 1636
Has thanked: 62 times
Have thanks: 807 times
Try this script

http://aluigi.altervista.org/papers/bms ... player.bms


Top
 Profile  
 
 Post subject: Re: unity3d Variant?
PostPosted: Sun Nov 10, 2013 9:58 am 
Offline
M-M-M-Monster veteran
M-M-M-Monster veteran
User avatar

Joined: Fri Apr 20, 2012 9:24 am
Posts: 2534
Location: Nexus, searching for Jim Kirk
Has thanked: 605 times
Have thanks: 1297 times
That's the script in question. Did it work for you??
(The unity3d file seems to be the problem.)

edit: I tried MBMain.unity3d from the last link in barracuda's post: viewtopic.php?f=10&t=10085&p=86378&hilit=unity3d#p86378

and it's unpacked by Aluigi's script without any problems.
The offset in the header is 0x0000003C. Used it on mappy's sample
(since the headers being very similar up to 0x003F) but of no avail.

_________________
Bigchillghost, Reverse Engineering a Game Model: http://forum.xentax.com/viewtopic.php?f=29&t=17889
extracting simple models: http://forum.xentax.com/viewtopic.php?f=29&t=10894
Make_H2O-ForzaHor3-jm9.zip


Top
 Profile  
 
 Post subject: Re: unity3d Variant?
PostPosted: Sun Nov 10, 2013 1:58 pm 
Offline
beginner

Joined: Thu Jul 07, 2011 9:14 pm
Posts: 39
Has thanked: 9 times
Have thanks: 3 times
mappy2012 wrote:
i use aluigi unity3d_webplayer.bms,no luck:(
get error:the requested amount of bytes to allocate is negative 0xff68ddf5


Have you tried this one? -> viewtopic.php?f=33&t=10739


Top
 Profile  
 
 Post subject: Re: unity3d Variant?
PostPosted: Wed Nov 13, 2013 9:51 pm 
Offline
VVIP member
VVIP member
User avatar

Joined: Thu Dec 08, 2005 12:26 pm
Posts: 1925
Location: www.ZENHAX.com
Has thanked: 4 times
Have thanks: 644 times
I'm checking the file and the bms script, looks like OFFSET is a 16bit field but it's not clear what's different in the lzma algorithm.


Top
 Profile  
 
 Post subject: Re: unity3d Variant?
PostPosted: Sat Nov 16, 2013 6:44 pm 
Offline
beginner

Joined: Sat Nov 24, 2012 2:15 pm
Posts: 32
Has thanked: 3 times
Have thanks: 26 times
The offset seems to be at byte 60, like in other typical .unity files for that version. However, if my program tries to read the stream, it will instantly hit EOF. No idea, why.

What's the name of the game?


Top
 Profile  
 
 Post subject: Re: unity3d Variant?
PostPosted: Thu Mar 20, 2014 2:14 am 
Offline
ultra-veteran
ultra-veteran
User avatar

Joined: Thu Feb 03, 2011 11:18 am
Posts: 476
Has thanked: 42 times
Have thanks: 300 times
I was just sent a unity3d file that failed to work with aluigi's script. I started analyzing it back to back with other files, including one that had the same issue.
The problem is not the same as mappy's sample, but nevertheless it's a "variant" worth looking into. I'd like to share my findings and maybe get some help/clarifications.

Samples:
game.unity3d - Lamborghini Huracan web game
SP.unity3d - Sucker Punch web game

1. The first long after the version string (let's call it SIZE like in the script) doesn't seem to be related to the compressed size. Instead it works by coincidence, and sometimes it doesn't.

2. After the OFFSET there are 2 longs, usually 0x1 and 0x1. I don't know what the first one is, but the second indicates pairs of longs, compressed size and uncompressed size.
If there is only one pair, like in most cases, the values are correct as compressed and uncompressed size. Also SIZE - OFFSET = compressed size (the coincidence I was talking about).

Here's where things get interesting. If there is more than one pair like in these samples, only the last pair works. The others appear to be compressed and uncompressed sizes, but they don't do anything and I only see a single lzma stream anyway.
Another interesting fact is that SIZE - OFFSET still matches the first pair, but as I've said it doesn't work for decompression.

The samples have 2 and 18 pairs respectively. So if I use only the last pair the decompression works. And of course, unity3d files with only one pair work as well.
However this seems like a workaround and not a solution. I'd like to understand what the other pairs are and what they're supposed to do.

Here's aluigi's script edited with the above in mind:
Code:
# Unity Web Player (unity3d files)
# script for QuickBMS http://quickbms.aluigi.org

endian big
comtype lzma86head
idstring "UnityWeb"
get DUMMY long
get VER byte
get VER string
get VER string
get SIZE long   #unknown size
get DUMMY short
get OFFSET short
get ONE long
get PAIRS long
for i = 0 < PAIRS
    get ZSIZE long   #last one is actual compressed size
    get SIZE long   #last one is decompressed size
next i

get FSIZE long   #unity3d filesize
#sometimes there is a long before the compressed stream

get NAME filename
string NAME += "_unpacked"
#unpacker only
#clog NAME OFFSET ZSIZE SIZE
set PATH string NAME

clog MEMORY_FILE OFFSET ZSIZE SIZE
get FILES long MEMORY_FILE
for i = 0 < FILES
    get NAME string MEMORY_FILE
    get OFFSET long MEMORY_FILE
    get SIZE long MEMORY_FILE
    set FNAME string PATH
    string FNAME += /
    string FNAME += NAME
    log FNAME OFFSET SIZE MEMORY_FILE
next i

_________________
Please post any requests or issues with my tools in the appropriate topics.
I'm sorry if I don't reply or if I ignore PMs. My time is very limited.


Top
 Profile  
 
 Post subject: Re: unity3d Variant?
PostPosted: Thu Mar 20, 2014 10:38 am 
Offline
VVIP member
VVIP member
User avatar

Joined: Thu Dec 08, 2005 12:26 pm
Posts: 1925
Location: www.ZENHAX.com
Has thanked: 4 times
Have thanks: 644 times
so it looks like they introduced chunks, rights?


Top
 Profile  
 
 Post subject: Re: unity3d Variant?
PostPosted: Thu Mar 20, 2014 11:08 am 
Offline
VVIP member
VVIP member
User avatar

Joined: Thu Dec 08, 2005 12:26 pm
Posts: 1925
Location: www.ZENHAX.com
Has thanked: 4 times
Have thanks: 644 times
anyway I have updated the script with the additional info of Chipicao, but this doesn't change the behaviour of the script because lzma in quickbms is used dynamically so it automatically finds the uncompressed size, only the compressed one matters.

Regarding the first file (battle.unity3d) it's damaged because it's the only one that can't be decompressed even if you just select the lzma stream.


Top
 Profile  
 
 Post subject: Re: unity3d Variant?
PostPosted: Thu Mar 20, 2014 11:23 am 
Offline
ultra-veteran
ultra-veteran
User avatar

Joined: Thu Feb 03, 2011 11:18 am
Posts: 476
Has thanked: 42 times
Have thanks: 300 times
aluigi wrote:
Regarding the first file (battle.unity3d) it's damaged because it's the only one that can't be decompressed even if you just select the lzma stream.
Just to confirm, I tried dropping the file in my browser and Unity says it's corrupted as well.
Image

_________________
Please post any requests or issues with my tools in the appropriate topics.
I'm sorry if I don't reply or if I ignore PMs. My time is very limited.


Top
 Profile  
 
 Post subject: Re: unity3d Variant?
PostPosted: Sat Apr 05, 2014 3:59 am 
Offline
advanced

Joined: Sun Jul 03, 2011 4:40 am
Posts: 62
Has thanked: 51 times
Have thanks: 1 time
the game name is xianjian,web Online Game

HP: www.xianjian.com/
DL page: http://www.xianjian.com/v5/download.html
Direct link: http://weiduan.xianjian.com/xinxianjian_v1.12.exe


Top
 Profile  
 
 Post subject: Re: unity3d Variant?
PostPosted: Tue Jun 17, 2014 11:23 am 
Offline
ultra-veteran
ultra-veteran
User avatar

Joined: Thu Feb 03, 2011 11:18 am
Posts: 476
Has thanked: 42 times
Have thanks: 300 times
I've been contacted by the user chococat9001 regarding unity files with a .bytes extension. They contain additional content and are downloaded when you run the game.
They are identical to UnityWeb but with a different header "string". Instead of "UnityWeb" it has eight 0xFA bytes.
Image

I thought I'd have a go at adapting the script, and I also wanted to include a case for uncompressed "UnityRaw" files.
So I tried to read 8 bytes with getdstring, but it fails the "==" condition with "\xfa\xfa\xfa\xfa\xfa\xfa\xfa\xfa".
UnityWeb and UnityRaw files work fine. Any idea what's happening?

Code:
endian big
get NAME filename
getdstring FTYPE 8
if FTYPE == "UnityWeb" || FTYPE == "\xfa\xfa\xfa\xfa\xfa\xfa\xfa\xfa"
    comtype lzma86head
elif FTYPE == "UnityRaw"
else
    print "%NAME% is not a recognized Unity archive"
    cleanexit
endif

get DUMMY long
get VER1 byte
get VER2 string
get VER3 string
get SIZE long
get DUMMY short # not supported at the moment
get OFFSET short

get DUMMY long
get ENTRIES long
for i = 0 < ENTRIES # last entry remain saved
    get ZSIZE long
    get SIZE long
next i
get LAST_OFFSET long
get DUMMY byte

string NAME += "_unpacked"
#unpacker only
#clog NAME OFFSET SIZE SIZE
set PATH string NAME

if FTYPE == "UnityRaw"
    log MEMORY_FILE OFFSET SIZE
else
    clog MEMORY_FILE OFFSET ZSIZE SIZE
endif

get FILES long MEMORY_FILE
for i = 0 < FILES
    get NAME string MEMORY_FILE
    get OFFSET long MEMORY_FILE
    get SIZE long MEMORY_FILE
    set FNAME string PATH
    string FNAME += /
    string FNAME += NAME
    log FNAME OFFSET SIZE MEMORY_FILE
next i

_________________
Please post any requests or issues with my tools in the appropriate topics.
I'm sorry if I don't reply or if I ignore PMs. My time is very limited.


Top
 Profile  
 
 Post subject: Re: unity3d Variant?
PostPosted: Mon Jun 30, 2014 4:21 pm 
Offline
beginner

Joined: Sat Nov 24, 2012 2:15 pm
Posts: 32
Has thanked: 3 times
Have thanks: 26 times
I think I figured out the format that Xianjian is using. The game uses the default Unity asset bundle file format, but in combination with a fairly simple XOR scrambler to break the files for other programs. Here's the Java code to fix the data:

Code:
public static void unscramble(byte[] data) {
    byte[] key = new byte[]{};
    for (int exp = 5; 1 << exp < data.length; exp++) {
        data[1 << exp] ^= key[exp % key.length];
    }
}


So basically: XOR byte 32 with key[5], then XOR byte 64 with key[6], then XOR byte 128 with key[7] and so on. The descrambled asset bundle is then loaded using AssetBundle.CreateFromMemory(), as explained in the official documentation.

Edit: removed the key in case it's against the forum rules, it's in the Disunity repo in case anyone needs it.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 16 posts ]  Go to page 1, 2  Next

All times are UTC + 1 hour


Who is online

Users browsing this forum: PaulPhoenix31139 and 6 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group