XeNTaX Forum Index

Post subject: Next Car Game
Posted: Mon Nov 25, 2013 11:32 pm

Could someone have a look at the new Bugbear game format? The underlying format looks to be similar if not the same as previous bfs files from this developer (looking in the memory) but there appears to be some decryption which is occurring first.
I found what looks like a 24 byte key at 0x944CC0 - 7D 21 12 DD A6 4F 3E 28 50 C3 3C D9 99 45 37 C9 EC 66 BB 00 00 00 00 00
which could be 3DES? But some quick tests don't come back with the expected results.
Debugging with IDA there appears to be a decryption function after one of the references to the key sub_734DF0

Here is the first 32768 bytes of the file (0x8000 is the size of the first chunk to get decrypted)
https://dl.dropboxusercontent.com/u/9950356/start.bin

If anyone needs the exe just drop me a message.

update:
I'm pretty sure the encryption used is now TEA - http://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm
I'll do another update if I make any progress.


Post subject: Re: Next Car Game
Posted: Tue Nov 26, 2013 9:49 pm
BFS uses double encryption with different algos (not XTEA): the full archive and the file data.

1st - You need to decrypt the full archive in blocks of size 0x2000 (algo N1)
2nd - After decrypting you need to read the header, calculate the table size and decrypt it again (algo N2)

Algo 1 - Decrypt archive

Code:
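#include <windows.h>   /* DWORD, BYTE */

/* Decompiler output: buffer and key pointers are passed as int, so build as a 32-bit target. */
/* Archive key: the bytes at 0x944CC0 read as little-endian DWORDs. The block routine
   masks the key index with 3, so only the first four DWORDs are ever used. */
unsigned int pKey[] = { 0xDD12217D, 0x283E4FA6, 0xD93CC350, 0xC9374599,0x00BB66EC };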

void __cdecl bfs_decrypt_block(int pBuffer, int pKey, signed int pBlockSize)
{
  int pCounter;
  unsigned int pPosition;
  int i;

  if ( pBlockSize > 1 )
  {
    pPosition = *(DWORD *)(pBuffer + 4 * pBlockSize - 4);
    pCounter = 0;
    i = pBlockSize - 1;
    if ( i > 0 )
    {
      do
      {
        *(DWORD *)(pBuffer + 4 * pCounter) -= ((pPosition ^ 0x9E3779B9)
                                              + (*(DWORD *)(pBuffer + 4 * pCounter + 4) ^ *(DWORD *)(pKey + 4 * (((BYTE)pCounter ^ 0xFE) & 3)))) ^ ((4 * pPosition ^ (*(DWORD *)(pBuffer + 4 * pCounter + 4) >> 5)) + ((pPosition >> 3) ^ 16 * *(DWORD *)(pBuffer + 4 * pCounter + 4)));
        pPosition = *(DWORD *)(pBuffer + 4 * pCounter++);
      }
      while ( pCounter < i );
    }
    *(DWORD *)(pBuffer + 4 * pCounter) -= ((pPosition ^ 0x9E3779B9)
                                          + (*(DWORD *)pBuffer ^ *(DWORD *)(pKey + 4 * (((BYTE)pCounter ^ 0xFE) & 3)))) ^ ((4 * pPosition ^ (*(DWORD *)pBuffer >> 5)) + ((pPosition >> 3) ^ 16 * *(DWORD *)pBuffer));
  }
}

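/* pBlockSize is counted in DWORDs: 0x2000 DWORDs = 0x8000 bytes per block.
   A trailing partial block (pSize % 0x8000) is left as it is. */
void bfs_decrypt (int pData, int pSize) {
    int pBlockSize = 0x2000;
    int pNextBlock = 0x8000;
    int pBlocks = pSize / pNextBlock;
    for (int i = 0; i < pBlocks; i++, pData += pNextBlock)
        bfs_decrypt_block((int)pData, (int)&pKey, pBlockSize);
}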


Algo 2 - Decrypt file data

Code:
unsigned int pKey_Data[] = { 0x2EB1D439, 0x40CD499C, 0x8BF71712, 0xB1F443F8, 0x00BBA5C4 };

void __cdecl bfs_decrypt_data(unsigned int *pBuffer, int pKey, unsigned int pSize)
{
  unsigned int v3;
  unsigned int v4;
  unsigned int v5;
  int v6;
  int v7;
  int v8;
  char v9;
  int v10;
  unsigned int v11;

  v3 = pSize;
  if ( pSize > 1 )
  {
    v5 = *pBuffer;
    v4 = 0x9E3779B9 * (0x34 / pSize + 6);
    v11 = 0x9E3779B9 * (0x34 / pSize + 6);
    do
    {
      v6 = v3 - 1;
      v10 = (v4 >> 2) & 3;
      if ( v3 != 1 )
      {
        do
        {
          pBuffer[v6] -= ((v11 ^ v5) + (pBuffer[v6 - 1] ^ *(DWORD *)(pKey + 4 * (v10 ^ v6 & 3)))) ^ ((4 * v5 ^ (pBuffer[v6 - 1] >> 5)) + ((v5 >> 3) ^ 16 * pBuffer[v6 - 1]));
          --v6;
          v5 = pBuffer[v6 + 1];
        }
        while ( v6 );
        v3 = pSize;
      }
      v7 = (v5 >> 3) ^ 16 * pBuffer[v3 - 1];
      v8 = 4 * v5 ^ (pBuffer[v3 - 1] >> 5);
      v3 = pSize;
      *pBuffer -= ((v11 ^ v5) + (pBuffer[pSize - 1] ^ *(DWORD *)(pKey + 4 * (v10 ^ v6 & 3)))) ^ (v8 + v7);
      v5 = *pBuffer;
      v9 = v11 == 0x61C88647u;
      v4 = v11 + 0x61C88647;
      v11 += 0x61C88647u;
    }
    while ( !v9 );
  }
}

void bbfs_decrypt_data (int pData, int dwLength)
{
   /* dwLength is the number of DWORDs to decrypt, not a byte count */
   bfs_decrypt_data((unsigned int*)pData, (int)pKey_Data, dwLength);
}


Last edited by Ekey on Sat Feb 22, 2014 7:17 pm, edited 3 times in total.
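
Added example, not code from the thread or from the game: the Algo 1 block pass restated on a typed word array so it also builds on 64-bit targets, together with the inverse pass asked about in the next reply. The function names are made up here, the key and constants are the ones posted above, and the inverse is derived from the posted decrypt loop rather than taken from the executable.

```c
#include <stddef.h>
#include <stdint.h>

#define BFS_DELTA       0x9E3779B9u
#define BFS_BLOCK_WORDS 0x2000u            /* 0x2000 DWORDs = 0x8000 bytes */

/* Archive key as posted in the thread; only words 0..3 are ever indexed. */
static const uint32_t BFS_KEY[5] = {
    0xDD12217Du, 0x283E4FA6u, 0xD93CC350u, 0xC9374599u, 0x00BB66ECu
};

/* Mixing term from the posted routine: y = previous word, z = next word. */
static uint32_t bfs_mx(uint32_t y, uint32_t z, uint32_t k)
{
    return ((y ^ BFS_DELTA) + (z ^ k)) ^ (((y << 2) ^ (z >> 5)) + ((y >> 3) ^ (z << 4)));
}

/* Same arithmetic as the posted bfs_decrypt_block: one forward pass over n words. */
void bfs_block_decrypt(uint32_t *v, size_t n)
{
    if (n < 2) return;
    for (size_t c = 0; c < n; c++) {
        uint32_t prev = v[c == 0 ? n - 1 : c - 1];   /* wraps to the last word */
        uint32_t next = v[c == n - 1 ? 0 : c + 1];   /* wraps to the first word */
        v[c] -= bfs_mx(prev, next, BFS_KEY[(c & 3) ^ 2]);
    }
}

/* Inverse pass: visit the words in the opposite order and add the term back. */
void bfs_block_encrypt(uint32_t *v, size_t n)
{
    if (n < 2) return;
    for (size_t c = n; c-- > 0; ) {
        uint32_t prev = v[c == 0 ? n - 1 : c - 1];
        uint32_t next = v[c == n - 1 ? 0 : c + 1];
        v[c] += bfs_mx(prev, next, BFS_KEY[(c & 3) ^ 2]);
    }
}

/* Run one pass over every whole 0x8000-byte block; returns the words left untouched. */
size_t bfs_archive_pass(uint32_t *words, size_t count, int encrypt)
{
    size_t done = 0;
    for (; count - done >= BFS_BLOCK_WORDS; done += BFS_BLOCK_WORDS) {
        if (encrypt) bfs_block_encrypt(words + done, BFS_BLOCK_WORDS);
        else         bfs_block_decrypt(words + done, BFS_BLOCK_WORDS);
    }
    return count - done;
}
```

The index expression `(c & 3) ^ 2` is the posted `((BYTE)pCounter ^ 0xFE) & 3` with the constant bits folded in.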

Post subject: Re: Next Car Game
Posted: Tue Nov 26, 2013 11:15 pm
awesome, thanks!

Edit:
I'm guessing you ripped those functions out of the executable but any idea how to encrypt?


Post subject: Re: Next Car Game
Posted: Wed Nov 27, 2013 12:27 pm
this game looks tits.

I hope we can not just decrypt but also import in the future cause some of the cars I do would be great in soft body. but I'd have to see how they compartmentalize their meshes and also how it's skinned and dummied before that. I know past flatouts were modable to a degree as my buddies used to do this and well this is bugbear after all. I might ask them if this game will be modable. till then I can only play the demo and dream of the car damage to my favorite cars.


Post subject: Re: Next Car Game
Posted: Wed Nov 27, 2013 12:52 pm
octaviousrex wrote:
this game looks tits.

I hope we can not just decrypt but also import in the future cause some of the cars I do would be great in soft body. but I'd have to see how they compartmentalize their meshes and also how it's skinned and dummied before that. I know past flatouts were modable to a degree as my buddies used to do this and well this is bugbear after all. I might ask them if this game will be modable. till then I can only play the demo and dream of the car damage to my favorite cars.


Well, if we can't work out how to encrypt the files again I think we might be able to just remove the decryption calls in the executable and it will carry on with the already decrypted archive. This is just theory though, whether it will work in practice is another question.


Post subject: Re: Next Car Game
Posted: Wed Nov 27, 2013 2:08 pm
Currently nothing useful here; a simple tool for decrypting archives only.

Code:
[Usage]
        NCGDecrypt <pInFile> <pOutFile>

[Example]
        NCGDecrypt 00__nextcargame__ 00__nextcargame__.dec



Last edited by Ekey on Sat Nov 30, 2013 10:30 am, edited 1 time in total.

Post subject: Re: Next Car Game
Posted: Fri Nov 29, 2013 8:03 pm
I got a slightly different size: 3195
decrypted tables:
00 - https://db.tt/SGq4rzMx
01 - https://db.tt/pPNGQOrp

Any idea how the files are contained? From previous versions I guessed zlib but offzip doesn't result in much.


Post subject: Re: Next Car Game
Posted: Sat Nov 30, 2013 10:18 am
Ok.. 3195 is not the table size; it seems to be the rounds for the full table.

Code:
struct BBFSHeader
{
   BYTE    pID[4];   //bbfs
   DWORD   dwVersion;
   WORD    wTableSize;
   WORD    wUnknown;
   DWORD   dwFilesCount;   //???
   DWORD   dwType;   //1 ???
};


Code:
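BBFSHeader pHeader;
/* 20 = sizeof(BBFSHeader); the result is a DWORD count. '-' binds tighter than '>>'. */
int dwRounds = (pHeader.wTableSize - 20) >> 2;

bfs_decrypt_data(pBuffer, (int)pKey_Data, dwRounds);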
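
Added example, not from the thread or the game: reading the posted BBFSHeader out of a byte buffer and deriving the DWORD count for the second routine, with the size checks the one-line formula skips. It assumes little-endian fields packed as in the struct, the ASCII magic "bbfs" taken from the struct comment, and that wTableSize counts from the start of the archive; the function and type names are made up here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BBFS_HEADER_SIZE 20u   /* 4 + 4 + 2 + 2 + 4 + 4 bytes, per the posted struct */

typedef struct {
    uint32_t version;
    uint16_t table_size;
    uint16_t unknown;
    uint32_t files_count;   /* meaning unconfirmed in the thread */
    uint32_t type;          /* meaning unconfirmed in the thread */
} bbfs_header;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Returns the DWORD count to hand to the Algo 2 routine, or -1 if the header
   cannot be trusted. buf/len is the archive after the Algo 1 pass. */
long bbfs_table_words(const uint8_t *buf, size_t len, bbfs_header *out)
{
    if (len < BBFS_HEADER_SIZE || memcmp(buf, "bbfs", 4) != 0)
        return -1;                              /* truncated or wrong magic */
    out->version     = rd32(buf + 4);
    out->table_size  = rd16(buf + 8);
    out->unknown     = rd16(buf + 10);
    out->files_count = rd32(buf + 12);
    out->type        = rd32(buf + 16);

    if (out->table_size < BBFS_HEADER_SIZE)     /* size - 20 would go negative */
        return -1;
    if (out->table_size > len)                  /* table claims more than we hold */
        return -1;
    size_t body = out->table_size - BBFS_HEADER_SIZE;
    if (body % 4 != 0 || body / 4 < 2)          /* whole DWORDs; routine needs > 1 */
        return -1;
    return (long)(body / 4);
}
```

Rejecting a table body that is not a multiple of 4 is stricter than the posted shift, which silently drops the remainder.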


Post subject: Re: Next Car Game
Posted: Tue Dec 03, 2013 8:44 pm
Probably not much use but here's a list of filenames (yes I'm aware there's duplicates, I couldn't be bothered to filter them out)
http://pastebin.com/6WABkCXn

Working on hooking file requests and replacing them.

Edit (04/12/2013)
Making progress :)

http://pastebin.com/MbEs8a8u


Post subject: Re: Next Car Game
Posted: Wed Dec 11, 2013 12:51 am
seems someone was able to grab a tire from the game.

http://tf3dm.com/3d-model/tire-21722.html

Image

not sure if this is a help or not they seem to have been able to get the tire into Cinema 4D as that is the main format shown.


Post subject: Re: Next Car Game
Posted: Wed Dec 11, 2013 11:56 am
octaviousrex wrote:
seems someone was able to grab a tire from the game.

http://tf3dm.com/3d-model/tire-21722.html

Image

not sure if this is a help or not they seem to have been able to get the tire into Cinema 4D as that is the main format shown.


3D Rippers..


Post subject: Re: Next Car Game
Posted: Sat Feb 22, 2014 7:13 pm
Post updated. Added key for data (2nd algo). After decrypting we get a table without file names but with hashes (every hash by 0x14). Here is an example table from the 00__nextcargame__ archive. Any ideas?


Post subject: Re: Next Car Game
Posted: Sat Mar 01, 2014 11:03 am
have you tried the script I released some months ago?
http://aluigi.org/papers/bms/others/next_car_game.bms


Post subject: Re: Next Car Game
Posted: Sat Mar 01, 2014 11:14 am
Oh my God. I thought there were just 2 encryption algos :D. Thanks Luigi.


Post subject: Re: Next Car Game
Posted: Wed Apr 02, 2014 4:29 am
dimon4ik6565 wrote:
octaviousrex wrote:
seems someone was able to grab a tire from the game.

http://tf3dm.com/3d-model/tire-21722.html

Image

not sure if this is a help or not they seem to have been able to get the tire into Cinema 4D as that is the main format shown.


3D Rippers..


actually I've tried all but 3D VIA PRINTSCREEN because via won't work for me at all and none of the rippers will go ingame. so this still makes one ask the question as to what could be used to rip it. will check out the tools thanks.

