This topic was archived here:

https://web.archive.org/web/20230000000000fw_/https://www.zenhax.com/viewtopic.php?t=4259

xLumexMoonx, posted Mon May 29, 2017 8:03 pm (23622)

---

does anyone how to unpack the assets.wad

Here Simple:

http://www.mediafire.com/file/jexvgaawh ... assets.rar

aluigi, posted Tue May 30, 2017 4:37 pm (23653)

---

That WAD archive seems encrypted. It starts with an "AGAR" magic (like the one used for danganronpa) but it's all encrypted (probably blowfish or *tea) from offset 0x10.

xLumexMoonx, posted Sat Jun 03, 2017 12:45 am (23778)

---

aluigi wrote:

That WAD archive seems encrypted. It starts with an "AGAR" magic (like the one used for danganronpa) but it's all encrypted (probably blowfish or *tea) from offset 0x10.

.... to bad .....

well guess I'll upload file *.exe if someone find the key encrypted.

Here Simple:

http://www.mediafire.com/file/zoij7g5f6 ... kofxiv.rar

aluigi, posted Sat Jun 03, 2017 10:40 am (23787)

---

Is that assets.wad you provided just a small part of the original file?
As far as I can see the real assets.wad should be very big.

P.S.: in case it's a cut file I need to know what are the first 100 bytes at offset 0x5997ac8

xLumexMoonx, posted Sat Jun 03, 2017 11:36 am (23791)

---

aluigi wrote:

Is that assets.wad you provided just a small part of the original file?
As far as I can see the real assets.wad should be very big.

P.S.: in case it's a cut file I need to know what are the first 100 bytes at offset 0x5997ac8

i understand ...

here other simple:

http://www.mediafire.com/file/1oxsffrww ... assets.rar

aluigi, posted Sat Jun 03, 2017 12:27 pm (23795)

---

Yeah but that sample doesn't answer my previous question
The information table in the archives you have provided say that assets.wad is a lot bigger so I asked you if the files you uploaded are the original.

aluigi, posted Sat Jun 03, 2017 2:12 pm (23797)

---

Anyway who cares.
This is my script:
http://aluigi.org/bms/kofxiv.bms

It should work with most of the files, unfortunately I can't dedicate more time to it.

Darko, posted Sat Jun 03, 2017 7:55 pm (23802)

---

The script actually works on the assets.wad of 16gb.

aluigi, posted Sun Jun 04, 2017 12:23 am (23806)

---

That's a very good news.
Have you also checked how many files (better to say files types) are invalid?

Darko, posted Sun Jun 04, 2017 2:47 am (23814)

---

aluigi wrote:

That's a very good news.
Have you also checked how many files (better to say files types) are invalid?

It extracted 99% of the files but some png files are not visible (I don't know why).

https://www.mediafire.com/?crx3ie5jgegiaiz

At least every sound and video file can be played using any codec pack and media player classic. Sounds are ogm and videos are ivf. Also i didn't find any problem with dds textures, those are visible with noesis.

aluigi, posted Sun Jun 04, 2017 3:28 am (23815)

---

Ah right png because 0x89 wasn't in the filter for guessing the key.
Script 0.1.1, hopefully there will be no problems with the other files with this little change.

Darko, posted Sun Jun 04, 2017 7:25 am (23818)

---

Some png's are still corrupt lol

Panzerdroid, posted Thu Jun 15, 2017 9:47 pm (24150)

---

It seems that the current 0.1.1 scripts extracts files from retail WAD not as from betas, maybe they've changed keys or header or whatever.

Just a little % of files is extracted normally. Most looks like garbage, some of them starts normally, but then it goes encrypted content. And DDSs looks like they have headers moved inside the body. OGGs, PNGs, etc are not playable.

Here's the 100 MB cut from the beginning of the file.
http://www49.zippyshare.com/v/lktw79ib/file.html

I hope Luigi can look into the issue. Thanks in advance!

aluigi, posted Thu Jun 15, 2017 10:26 pm (24151)

---

Script 0.1.2
Unfortunately the problem is ever that stupid secondary useless header that doesn't have a size (or at least I wasn't able to find it) and so I have to "guess" it. I used another work-around that works with both the old and new sample.

Panzerdroid, posted Fri Jun 16, 2017 12:54 am (24152)

---

Thanks, now files extract correctly!

Darko, posted Fri Jun 16, 2017 3:41 pm (24170)

---

I'm still having some problems with the big wad file, some files are still encrypted. If you want, I could try to upload the big wad file to mega and send you the links via pm.

chrrox, posted Sat Jun 17, 2017 8:18 am (24178)

---

here is a script you can use to get the png's you want.

Code:

putarray 0 0  "\x98\x3b\xa6\xcc\xa7\x52\x32\xf9\x23\xbb\xe8\x7d\x39\x6c\xb7\x4e"
putarray 0 1  "\x13\xc7\xe8\x81\xd9\x8c\x75\x16\xf3\x2f\xbb\xf4\x21\x56\xb1\xa6"
putarray 0 2  "\x38\x50\x7b\x33\xee\xe5\xf0\x53\x4c\x5d\x2f\xc7\xf1\x65\xb8\x4a"
putarray 0 3  "\xc4\x55\x7f\x7c\xba\xb4\x42\x91\xee\x51\x2e\x37\xeb\x23\xaf\x54"
putarray 0 4  "\x23\xeb\x2d\xe6\xf7\x49\x92\x7c\x82\xfd\xec\x8e\xdc\x9f\x3e\xbc"
putarray 0 5  "\xcb\x49\xd8\x7c\xcc\x59\x7b\xca\x2d\xe2\x24\xb7\x19\x36\x37\x4d"
putarray 0 6  "\x2d\x3a\xfb\x28\x54\x21\x50\xb4\xa0\x77\xb8\xbb\xbf\xe8\xb1\x67"
putarray 0 7  "\xe3\x6f\xb2\xef\x65\x2b\xa2\x3a\x58\x2a\xba\x1f\xae\x68\xec\xbc"
putarray 0 8  "\xe7\x1e\x3d\xd6\xf5\xe2\x87\x9f\x68\xa1\x8b\xbb\xc7\xd4\xf2\x7d"
putarray 0 9  "\x3e\x3a\x10\xe4\xc1\x7b\xdf\x72\x39\x46\x40\x16\xfe\x94\x6b\xb5"
putarray 0 10 "\x20\x59\x25\xb9\xa6\x6b\x77\xc0\xbd\x4e\xe0\xbd\x1a\x25\x64\x3b"
putarray 0 11 "\x3f\xd0\x85\x35\x18\xd3\x8c\x59\x89\xc6\xd6\x61\x82\xb8\x5f\x75"
putarray 0 12 "\x25\x2b\xbc\xe5\x3a\xb3\x8b\x75\xb1\x2c\x7a\xdf\x98\xe6\x57\x8b"
putarray 0 13 "\x81\x6a\xcb\xb0\x8b\x17\x15\x10\x40\x53\x7b\x4a\x8a\xce\x77\x18"
putarray 0 14 "\x44\xc9\xcb\xd2\xb1\x76\xed\x2b\x18\xc6\x95\xc9\xd9\xda\x5a\xec"
putarray 0 15 "\x6b\x88\xa6\xd4\x16\x57\x3d\xd0\xb2\x4d\x1f\xf2\x48\x73\x17\x44"
get size asize
get bname basename
string bname   "_"
for i = 0 < 16
getarray KEY 0 i
string KEY x KEY
encryption blowfish KEY "" 0 16
set name bname
string name   i
string name   ".png"
log name 0 size
next i

just run his original script from command line with the -l so it just lists all the files and offsets. and add > log.txt at the end.
now find a corrupt png like Chara/ADY/Effect/CMN_Shockwave7.png
offset 000000000597aac8
size 142202
copy this data from the wad file to a new file.
now run this script on it
you can see test_13.png worked
the original script tried to use key "2D 3A FB 28 54 21 50 B4 A0 77 B8 BB BF E8 B1 67"
but the correct key was "81 6A CB B0 8B 17 15 10 40 53 7B 4A 8A CE 77 18"

a 2nd sample
offset size name
0000000007a9756a 3162662 Chara/AGL/AGL_COL_HAIR.png
original key "13 C7 E8 81 D9 8C 75 16 F3 2F BB F4 21 56 B1 A6"
correct key "20 59 25 B9 A6 6B 77 C0 BD 4E E0 BD 1A 25 64 3B"

Darko, posted Tue Jun 20, 2017 2:08 pm (24218)

---

Thanks

chrrox, posted Sat Jun 24, 2017 7:30 am (24268)

---

All of the files that do not decrypt correctly are getting key 0 as their encryption key. not sure if this helps.
looking at the files compared to the decryption keys it seems like it might have something to do with the file size.

Brilleas, posted Sat Jun 24, 2017 10:46 pm (24282)

---

Can I rip a model.I can't find a script for model T_T.

UncleFestor, posted Sun Jul 02, 2017 4:57 am (24367)

---

EDIT: Using a different method, no need for a script

UncleFestor, posted Fri Jul 07, 2017 6:19 am (24443)

---

chrrox wrote:

here is a script you can use to get the png's you want.

Code:

putarray 0 0  "\x98\x3b\xa6\xcc\xa7\x52\x32\xf9\x23\xbb\xe8\x7d\x39\x6c\xb7\x4e"
putarray 0 1  "\x13\xc7\xe8\x81\xd9\x8c\x75\x16\xf3\x2f\xbb\xf4\x21\x56\xb1\xa6"
putarray 0 2  "\x38\x50\x7b\x33\xee\xe5\xf0\x53\x4c\x5d\x2f\xc7\xf1\x65\xb8\x4a"
putarray 0 3  "\xc4\x55\x7f\x7c\xba\xb4\x42\x91\xee\x51\x2e\x37\xeb\x23\xaf\x54"
putarray 0 4  "\x23\xeb\x2d\xe6\xf7\x49\x92\x7c\x82\xfd\xec\x8e\xdc\x9f\x3e\xbc"
putarray 0 5  "\xcb\x49\xd8\x7c\xcc\x59\x7b\xca\x2d\xe2\x24\xb7\x19\x36\x37\x4d"
putarray 0 6  "\x2d\x3a\xfb\x28\x54\x21\x50\xb4\xa0\x77\xb8\xbb\xbf\xe8\xb1\x67"
putarray 0 7  "\xe3\x6f\xb2\xef\x65\x2b\xa2\x3a\x58\x2a\xba\x1f\xae\x68\xec\xbc"
putarray 0 8  "\xe7\x1e\x3d\xd6\xf5\xe2\x87\x9f\x68\xa1\x8b\xbb\xc7\xd4\xf2\x7d"
putarray 0 9  "\x3e\x3a\x10\xe4\xc1\x7b\xdf\x72\x39\x46\x40\x16\xfe\x94\x6b\xb5"
putarray 0 10 "\x20\x59\x25\xb9\xa6\x6b\x77\xc0\xbd\x4e\xe0\xbd\x1a\x25\x64\x3b"
putarray 0 11 "\x3f\xd0\x85\x35\x18\xd3\x8c\x59\x89\xc6\xd6\x61\x82\xb8\x5f\x75"
putarray 0 12 "\x25\x2b\xbc\xe5\x3a\xb3\x8b\x75\xb1\x2c\x7a\xdf\x98\xe6\x57\x8b"
putarray 0 13 "\x81\x6a\xcb\xb0\x8b\x17\x15\x10\x40\x53\x7b\x4a\x8a\xce\x77\x18"
putarray 0 14 "\x44\xc9\xcb\xd2\xb1\x76\xed\x2b\x18\xc6\x95\xc9\xd9\xda\x5a\xec"
putarray 0 15 "\x6b\x88\xa6\xd4\x16\x57\x3d\xd0\xb2\x4d\x1f\xf2\x48\x73\x17\x44"
get size asize
get bname basename
string bname   "_"
for i = 0 < 16
getarray KEY 0 i
string KEY x KEY
encryption blowfish KEY "" 0 16
set name bname
string name   i
string name   ".png"
log name 0 size
next i

How would i reimport the png back into the wad file? Using the regular script corrupts the file.

thethiny, posted Thu Jul 27, 2017 11:32 pm (25066)

---

I have a question regarding the script.

For the "Guessing" part, it runs the blowfish algorithm 16 times on the PNG until it matches the header. But how does injecting work? I mean you have to encrypt now. You can't "guess" the encryption key, because each output of the 16 is considered working. Someone please correct me.




Anyways, I fixed the PNG decryption and here it goes:

Code:

# The King of Fighters XIV (script 0.1.2)
# script for QuickBMS http://quickbms.aluigi.org

idstring "AGAR"
get DUMMY long  # 1
get DUMMY long  # 1
get DUMMY long  # 0
get SIZE long
savepos OFFSET

# TOC
set KEY binary "\xfa\x52\x38\x8c\x66\xd6\x55\xfa\x1a\xfc\x2b\x6f\x97\xd8\x41\x41\xa9\x90\xb4\x41\xd4\xd2\xca\xb7\xa3\x82\xaf\x6d\x8d\xf7\x83\x2f\x82\xaf\x27\xa6\x1e\xc5\x26\x29\x9c\x1c\x6e\x23\xf5\xe4\xa0\xbe\x13\x4f\x13\xe1\x71\xf6\xfe\x31"
math KEYSZ = 0x38

callfunction SET_ENCRYPTION 1
log MEMORY_FILE OFFSET SIZE 0 XSIZE

math BASE_OFF = OFFSET
math BASE_OFF   XSIZE
math BASE_OFF x 8

# weird directory structure
set KEY binary "\x45\xaa\xb7\x2a\x4f\xb3\x1d\xe1\x66\x39\x2f\x5b\xd8\x23\x1f\xa4\xa3\xda\x89\xe5\x5e\x28\x9e\x18\x2c\x68\x71\x39\xec\x8d\xd6\x1a\xcd\xd3\xf8\x3d\xe5\x59\xe5\xd5\x8d\x19\x58\x6a\x9c\x9a\xd3\x81\x3c\xdd\xab\x81\xd8\x46\xda\xb7"
math KEYSZ = 0x38

# lame work-around!!!
math SIZE * 4
math SIZE | 0x80000000
callfunction SET_ENCRYPTION 1
log MEMORY_FILE2 BASE_OFF SIZE
findloc TMP binary "\xef\x4a\xdb" MEMORY_FILE2
math BASE_OFF   TMP
print "guessed base offset %BASE_OFF|X%"

# keys for the files
putarray 0 0  "\x98\x3b\xa6\xcc\xa7\x52\x32\xf9\x23\xbb\xe8\x7d\x39\x6c\xb7\x4e"
putarray 0 1  "\x13\xc7\xe8\x81\xd9\x8c\x75\x16\xf3\x2f\xbb\xf4\x21\x56\xb1\xa6"
putarray 0 2  "\x38\x50\x7b\x33\xee\xe5\xf0\x53\x4c\x5d\x2f\xc7\xf1\x65\xb8\x4a"
putarray 0 3  "\xc4\x55\x7f\x7c\xba\xb4\x42\x91\xee\x51\x2e\x37\xeb\x23\xaf\x54"
putarray 0 4  "\x23\xeb\x2d\xe6\xf7\x49\x92\x7c\x82\xfd\xec\x8e\xdc\x9f\x3e\xbc"
putarray 0 5  "\xcb\x49\xd8\x7c\xcc\x59\x7b\xca\x2d\xe2\x24\xb7\x19\x36\x37\x4d"
putarray 0 6  "\x2d\x3a\xfb\x28\x54\x21\x50\xb4\xa0\x77\xb8\xbb\xbf\xe8\xb1\x67"
putarray 0 7  "\xe3\x6f\xb2\xef\x65\x2b\xa2\x3a\x58\x2a\xba\x1f\xae\x68\xec\xbc"
putarray 0 8  "\xe7\x1e\x3d\xd6\xf5\xe2\x87\x9f\x68\xa1\x8b\xbb\xc7\xd4\xf2\x7d"
putarray 0 9  "\x3e\x3a\x10\xe4\xc1\x7b\xdf\x72\x39\x46\x40\x16\xfe\x94\x6b\xb5"
putarray 0 10 "\x20\x59\x25\xb9\xa6\x6b\x77\xc0\xbd\x4e\xe0\xbd\x1a\x25\x64\x3b"
putarray 0 11 "\x3f\xd0\x85\x35\x18\xd3\x8c\x59\x89\xc6\xd6\x61\x82\xb8\x5f\x75"
putarray 0 12 "\x25\x2b\xbc\xe5\x3a\xb3\x8b\x75\xb1\x2c\x7a\xdf\x98\xe6\x57\x8b"
putarray 0 13 "\x81\x6a\xcb\xb0\x8b\x17\x15\x10\x40\x53\x7b\x4a\x8a\xce\x77\x18"
putarray 0 14 "\x44\xc9\xcb\xd2\xb1\x76\xed\x2b\x18\xc6\x95\xc9\xd9\xda\x5a\xec"
putarray 0 15 "\x6b\x88\xa6\xd4\x16\x57\x3d\xd0\xb2\x4d\x1f\xf2\x48\x73\x17\x44"
math KEYSZ = 0x10

get FILES long MEMORY_FILE
for i = 0 < FILES
    get NAMESZ long MEMORY_FILE
    getdstring NAME NAMESZ MEMORY_FILE
    get SIZE long MEMORY_FILE
    get DUMMY long MEMORY_FILE  # 0xffffffff or zero
    get OFFSET longlong MEMORY_FILE
    math OFFSET   BASE_OFF

    # lame guessing, the algorithm to know the idx is probably very easy so I leave you the fun
    if SIZE & 0x80000000
    callfunction LAME_GUESS_IDX 1
    endif

    math KEY_IDX & 0xf
    getarray KEY 0 KEY_IDX
    string KEY x KEY

    callfunction SET_ENCRYPTION 1
    log NAME OFFSET SIZE 0 XSIZE
next i

startfunction SET_ENCRYPTION
    if SIZE & 0x80000000    # DUMMY is -1 else is zero
        math SIZE & 0x7fffffff
        math XSIZE = SIZE
        math XSIZE x 8
        encryption blowfish KEY "" 0 KEYSZ
    else
        math XSIZE = SIZE
        encryption "" ""
    endif
endfunction

startfunction LAME_GUESS_IDX
    for KEY_IDX = 0 < 16
        getarray KEY 0 KEY_IDX
        string KEY x KEY
        encryption blowfish KEY "" 0 KEYSZ
        log MEMORY_FILE3 OFFSET 8
        math OK = 0
      #
      get TMP byte MEMORY_FILE3
      if TMP == 0x89
         math OK   1
      endif
      get TMP byte MEMORY_FILE3
      if TMP == 0x50
         math OK   1
      endif
      get TMP byte MEMORY_FILE3
      if TMP == 0x4E
         math OK   1
      endif
      get TMP byte MEMORY_FILE3
      if TMP == 0x47
         math OK   1
      endif
      get TMP byte MEMORY_FILE3
      if TMP == 0x0D
         math OK   1
      endif
      get TMP byte MEMORY_FILE3
      if TMP == 0x0A
         math OK   1
      endif
      get TMP byte MEMORY_FILE3
      if TMP == 0x1A
         math OK   1
      endif
      get TMP byte MEMORY_FILE3
      if TMP == 0x0A
         math OK   1
      endif
      #
        if OK >= 8
            break
        endif
    next KEY_IDX
endfunction

This will work for extracting PNGs. I dunno about injection I don't have the game. Also this corrupts DDS/CSV and other formats, this is only for PNG.

UncleFestor, posted Thu Jul 27, 2017 11:54 pm (25067)

---

Works for injecting also. Thanks