Boiling Point .GRP (decryption)

StreamThread, posted Sat Apr 29, 2017 9:20 am (22708)


Hello

Please help me identify the decryption of Vital Engine 2 GRP archives (Xenus: Boiling Point game). I want to make an unpacker/packer script for QuickBMS (for making fan-made patches in the future).
I'm reverse engineering the engine's .dll files and found the 'unpack' function, but I can't understand it. Everything I found is saved in the attached gfUnpack.c file. I may have missed some external functions, so let me know if anything is missing.

I also provide a cut-down GRP archive in which only the file info block is kept (it should contain file name lengths, file name strings, offsets...).

Struct of archive header block:

Code:
IDString    'FPRG'
Long        version
Long        nFileInfo  --Count of files;
Long        fat_size  --nFileInfo block size;



Thanks.

gfUnpack.c
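The 16-byte header layout listed in this post, as an added example that is not part of the original post or of any script or tool mentioned in the thread: a parser that validates the four fields before the file info block is touched. It assumes little-endian unsigned 32-bit fields, a version of 1 as reported later in the thread, and that every file entry occupies at least one byte; all function, type and constant names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define GRP_HEADER_SIZE 16u   /* 4-byte ID + three 32-bit fields */

typedef struct {
    uint32_t version;      /* 1 in the archives discussed in the thread */
    uint32_t n_file_info;  /* count of files */
    uint32_t fat_size;     /* size of the file info block, in bytes */
} grp_header;
enum grp_status { GRP_OK, GRP_SHORT, GRP_BAD_MAGIC, GRP_BAD_VERSION, GRP_BAD_FAT };

/* Constructed sample header: 'FPRG', version 1, 3 files, 64-byte info block. */
static const unsigned char SAMPLE_HDR[GRP_HEADER_SIZE] =
    { 'F','P','R','G', 1,0,0,0, 3,0,0,0, 64,0,0,0 };

/* Assumption: fields are stored little-endian and are unsigned. */
static uint32_t rd_u32le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* file_size is 64-bit: the archive in the thread is 2859709129 bytes long,
 * which does not fit in a signed 32-bit integer. */
enum grp_status grp_parse_header(const unsigned char *buf, size_t len,
                                 uint64_t file_size, grp_header *out)
{
    if (len < GRP_HEADER_SIZE || file_size < GRP_HEADER_SIZE)
        return GRP_SHORT;
    if (memcmp(buf, "FPRG", 4) != 0)
        return GRP_BAD_MAGIC;
    out->version     = rd_u32le(buf + 4);
    out->n_file_info = rd_u32le(buf + 8);
    out->fat_size    = rd_u32le(buf + 12);
    if (out->version != 1)
        return GRP_BAD_VERSION;
    /* The info block must fit in the file alongside the header. */
    if (out->fat_size > file_size - GRP_HEADER_SIZE)
        return GRP_BAD_FAT;
    /* Assumed lower bound: every entry occupies at least one byte. */
    if (out->n_file_info > out->fat_size)
        return GRP_BAD_FAT;
    return GRP_OK;
}

int main(void) { grp_header h; return grp_parse_header(SAMPLE_HDR, sizeof SAMPLE_HDR, 2859709129ULL, &h); }
```

Rejecting an oversized `fat_size` or `nFileInfo` here keeps a truncated or malformed archive from driving allocations and reads past the end of the file.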


aluigi, posted Sat Apr 29, 2017 9:40 am (22711)


Just use the already existing script and replace 0x735a with 47536
http://aluigi.org/bms/fprg.bms

I don't know if there is a way to guess this value or to identify which archives use which of the 2 values; the version is always 1 for both, I guess.

*edit* added this second init value as a comment in the script as a reminder

aluigi, posted Sat Apr 29, 2017 9:58 am (22714)


Ah, what's the original size of the sample you provided?

StreamThread, posted Sat Apr 29, 2017 10:02 am (22715)


aluigi wrote:
Ah, what's the original size of the sample you provided?


2859709129

That is full size.

StreamThread, posted Sat Apr 29, 2017 10:18 am (22716)


aluigi wrote:
I don't know if there is a way to guess this value or to identify which archives use which of the 2 values; the version is always 1 for both, I guess.


Maybe the 'setPassword' function is "linked" with these values? It is also from the 'gf' section of vital.dll.

Code:
void __cdecl gfSetPassword(GFILE *file, char *password)
{
  char *v2; // eax@5
  signed int v3; // ecx@5
  char v4; // al@8
  char v5; // al@11
  char v6; // al@14
  char v7; // al@17
  char v8; // al@20
  char v9; // al@23
  char v10; // cl@26

  if ( password )
  {
    v2 = (char *)memNew(8u);
    file->password = v2;
    v3 = 0;
    if ( *password )
    {
      *v2 = *password;
      v3 = 1;
    }
    else
    {
      *v2 = 23;
    }
    v4 = password[v3];
    if ( v4 )
    {
      file->password[1] = v4;
      ++v3;
    }
    else
    {
      file->password[1] = 24;
    }
    v5 = password[v3];
    if ( v5 )
    {
      file->password[2] = v5;
      ++v3;
    }
    else
    {
      file->password[2] = 25;
    }
    v6 = password[v3];
    if ( v6 )
    {
      file->password[3] = v6;
      ++v3;
    }
    else
    {
      file->password[3] = 26;
    }
    v7 = password[v3];
    if ( v7 )
    {
      file->password[4] = v7;
      ++v3;
    }
    else
    {
      file->password[4] = 27;
    }
    v8 = password[v3];
    if ( v8 )
    {
      file->password[5] = v8;
      ++v3;
    }
    else
    {
      file->password[5] = 28;
    }
    v9 = password[v3];
    if ( v9 )
    {
      file->password[6] = v9;
      ++v3;
    }
    else
    {
      file->password[6] = 29;
    }
    v10 = password[v3];
    if ( v10 )
      file->password[7] = v10;
    else
      file->password[7] = 30;
  }
  else
  {
    if ( file->password )
      memDeleteDbg(file->password);
    file->password = 0;
  }
}



Yes, the version is "1" in the Codename: Outbreak and Boiling Point games (in all patches).

aluigi, posted Sat Apr 29, 2017 10:45 am (22717)


The format has only 4 fields: ID, version, files and size.
If the version is 1 for both games, then there is no way to guess the value used to initialize the key.

aluigi, posted Thu Sep 14, 2017 3:56 pm (26502)


No idea, it has a different encryption and some fields in the header are missing.

aluigi, posted Thu Sep 14, 2017 4:39 pm (26506)


My script works perfectly, why?

StreamThread, posted Fri Sep 15, 2017 2:14 pm (26524)


Tales of Therror is also a Deep Shadows game. Big Fish Games is the publisher. So their 'technologies' could be used in that game.

makc_ar, for unpacking White Gold archives you can use GRP Unpacker by Badmofo.

aluigi, posted Fri Sep 15, 2017 3:46 pm (26526)


@StreamThread
Am I wrong, or does that tool simply call the gfUnpack("*.grp") function of vital.dll?
QuickBMS script (*edit* updated, but not tested):
Code:
get PATH INPUT_FOLDER
calldll "vital.dll" "stFileSystemInit" "stdcall" RET PATH
calldll "vital.dll" "?gfUnpack@@YAXXZ" "stdcall" RET "*.grp"
calldll "vital.dll" "stFileSystemClose" "stdcall" RET
That's what I saw in the source code available on https://web.archive.org/web/20151106040 ... Unpack.zip (because the original website no longer exists)

StreamThread, posted Fri Sep 15, 2017 4:59 pm (26529)


aluigi wrote:
@StreamThread
what that tool does is simply calling the gfUnpack("*.grp") function of vital.dll?


Possibly. The official unpack tool gfbuild.exe for Boiling Point does that. About Badmofo's GF Unpack tool I don't know, but the tool's distribution contains the main engine files (vital.dll, etc.), so it may be.

aluigi wrote:
Quickbms script (*edit* updated, but not tested):
Code:
get PATH INPUT_FOLDER
calldll "vital.dll" "stFileSystemInit" "stdcall" RET PATH
calldll "vital.dll" "?gfUnpack@@YAXXZ" "stdcall" RET "*.grp"
calldll "vital.dll" "stFileSystemClose" "stdcall" RET


I can't try this on the White Gold or Precursors games, but with Boiling Point it doesn't work: the gfUnpack function is not found. In vital.dll the function name is "?gfUnpack@@YAXPAD", but with that change it is still not found.