Files extractors scripting

[aluigi]

LZSS is already implemented in QuickBMS because it's an enough standard algorithm where the only possible variants are some settings in it but I guess nobody modifies them.

while the LZSS+RLE specified in that post doesn't sound much "standard".

[chrrox]

The contents of this post was deleted because of possible forum rules violation.

[aluigi]

it's a big endian archive so it's enough to specify "endian big" at the beginning and any numeric "Get" operation will be automatically performed with the needed endianess :)

Code: Select all

endian big
idstring "\0CRA"    # "ARC\0" big endian
get VERSION short
get FILES short

for i = 0 < FILES
    getdstring NAME 64
    get TIMESTAMP long
    get ZSIZE long
    get SIZE long
    get OFFSET long

    clog NAME OFFSET ZSIZE SIZE
next i

[chrrox]

Ah thanks very much
I was wondering what this archive type was called.
The script works great.

[chrrox]

I made a script for this game

Code: Select all

# Game: Dysnomia (PC)
# script for QuickBMS http://aluigi.org/papers.htm#quickbms

idstring "2CCPPACK"
    get FILES long
    math FILES -= 1

for i = 0 < FILES
getdstring NAME 32
get ZSIZE long
get COMPRESSED long #either a 0 or 1 seems to always be 1
get SIZE long
get OFFSET long
get NULL long # always 00000000

    if COMPRESSED == 0
        log FULLNAME OFFSET SIZE
    else
        clog FULLNAME OFFSET ZSIZE SIZE
    endif
next i

game website
http://www.2ccp.com/dysnomia/top.html

Is it possible to do byte swapping in quickbms?
what i mean is take AB CD EF and make it BA DC FE
thanks in advance for any help

[aluigi]

uhmmm the example you showed is not byte swapping.
byte swapping is when you have a 32/24/16 bit number and you reverse the order of its bytes while in your case it's a 4 bit swapping.
anyway that type of swapping can be done with:

Code: Select all

set TMP BYTE
math TMP &= 0x0f
math BYTE &= 0xf0
math BYTE ^= TMP

so if this type of obfuscation is implemented on each file you must save each file in the memory buffer, performing these operations and then saving it on the disk like the following example:

Code: Select all

log MEMORY_FILE OFFSET SIZE
for j = 0 < SIZE
    getvarchr BYTE MEMORY_FILE j
    set TMP BYTE
    math TMP &= 0x0f
    math BYTE &= 0xf0
    math BYTE ^= TMP
    putvarchr MEMORY_FILE j BYTE
next j
log "myfilename.dat" 0 SIZE MEMORY_FILE

[chrrox]

I got a request for an extractor for this game from Kataah
The google translation of the title is
The three question marks - the cursed castle (PC)
here is the website
http://www.usm.de/produkte/cd-rom-dvd-r ... hloss.html
the file is just a zip file xored with 0x55

bms script

Code: Select all

filexor 0x55
ComType deflate
for i = 0 to 0x7FFFFFF
    idstring "PK\x03\x04"
    # get sign long
    # if sign != 0x04034b50
    #     cleanexit
    # endif

    get ver         short
    get flag        short
    get method      short
    get timedate    long
    get crc         long
    get comp_size   long
    get uncomp_size long
    get name_len    short
    get extra_len   short
    getdstring name     name_len
    getdstring extra    extra_len

    savepos offset
    CLog name offset comp_size uncomp_size
    math offset += comp_size
    goto offset
next i

[Kataah]

thx chrrox

[chrrox]

I am trying to extract the game WFFM Online I know what I want quick bms to do but I do not know how to write the script.
here is what I have so far.

Code: Select all

idstring "DIR"
#getdstring FILES 3
#getdstring POSITION 3
#math POSITION += 30
#goto - POSITION
goto 16416
getdstring DUMMY 10
for i = 0 < 50
get NULL long
get OFFSET long
get SIZE long
get VAR short
getdstring NAME 15

log NAME OFFSET SIZE
next i

from what I have gathered from the archive is there is a header file and a storage file.
the .tbl is the storage and the .data is the container of the uncompressed data.
in the table file it starts with DIR then there are 3 bits not bytes that I think might be the total number of files in an archive it could be a little later on in the header also I am not sure yet.
then I know the next 3 bits represent the start of the file table from the end of the file and then add 30 to that.
so we go to the end of the file and go back bye that string and then we add 30 to that string to get the offset of the file table.
next there is a dummy 10 bytes called dummy.txt\0
then it is a fairly strait forward file structure until it comes to the names the names are always 14 or 20 bytes in length
what I need to do is if it reads the dstring and it is greater than 14 set the length to 20.
I hope this makes sense.

here are some sample files.
http://www.MegaShare.com/854351

thanks in advance for anyone who can help me.

[aluigi]

test the following:

Code: Select all

open FDDE TBL 1
open FDDE DATA 0

idstring 1 "DIR\x1a"
get TOTAL_SIZE long 1
get OFFSET long 1   # not sure
get FILES long 1

math OFFSET += 0x4000
goto OFFSET 1
get DUMMY long 1

for i = 0 < FILES
    get DUMMY long 1    # don't know, the file doesn't seem compressed
    get OFFSET long 1
    get SIZE long 1
    get NAME string 1
    padding 4 1

    log NAME OFFSET SIZE
next i

[chrrox]

That worked great thanks a million
here is a link to the game wffm online
http://wffm.mgame.com/?mainMX=wffm

I found another game from the same company with almost an identical format this is what I have
the game is Holic 2 Online
http://holic2.mgame.com/?mainMX=holic2

Code: Select all

idstring "DIR"
goto 4
get NULL long
get UNK1 long
get FILEEND long
get FTBLOFF long
get FTBLLENGTH long
get FILEEND2 long
get FILES long

math FTBLOFF += 4100
goto FTBLOFF

for i = 0 < FILES
get OFFSET long
get SIZE long
getdstring NAME 18 # i need it to pick up all 18 bytes then dump the 0's and keep the offset from the last 0

log NAME OFFSET SIZE
next i

The only thing I am stuck on is the names they are always 18 bytes reserved for the name but there is a varying amount of trailing 0's after the name ends.
Here is a sample archive.
http://www.MegaShare.com/860055

[aluigi]

here it's used also a sort of "relative padding" which wasn't used (at least not in the files you provided) in the other game... mah very strange, luckily I noticed it:

Code: Select all

idstring "DIR\x1a"
goto 12
get TOTAL_SIZE long
get INFO_OFFSET long
get TOTAL_SIZE long
get DUMMY long
get FILES long

math INFO_OFFSET += 0x1000
goto INFO_OFFSET

for i = 0 < FILES
    get DUMMY long
    get OFFSET long
    get SIZE long
    get NAME string

    savepos TMP_OFFSET  # horrible relative padding
    math TMP_OFFSET -= INFO_OFFSET
    math TMP_OFFSET %= 4;
    if TMP_OFFSET > 0
        set TMPSZ long 4
        math TMPSZ -= TMP_OFFSET
        getdstring DUMMY TMPSZ
    endif

    log NAME OFFSET SIZE
next i

[chrrox]

Thanks so much I think I figured out the texture format in this game they are dds files with their header removed I have pasted valid header files on them and they show up fine.
I think the models may also be direct x files missing their headers I will post anything more I learn from these files.

[fatduck]

Very Interesting Scripts! I just wonder what is the "padding" in BMS means!

Code: Select all

    padding 4 1

I can understandard in your second script, you can use the math method to jump over the variable padding

Code: Select all

    savepos TMP_OFFSET  # horrible relative padding
    math TMP_OFFSET -= INFO_OFFSET
    math TMP_OFFSET %= 4;
    if TMP_OFFSET > 0
        set TMPSZ long 4
        math TMPSZ -= TMP_OFFSET
        getdstring DUMMY TMPSZ
    endif

If "padding" do the same things as the above maths method, it will be a lot fool friendly them !

[aluigi]

the Padding command does a very simple job, gets the current offset of the specified file (the second argument, 1 in that script) and checks if it's correctly padded to the size specified in the first argument.
so, for example, if the current offset is 23 and we choose a "padding 16" the current offset will become 32.

in the latest script is not possible to use the Padding command because the offsets are relative to the offset where are located the files informations, this is the first time I see a relative padding used in a file format so it's a very rare event