Magic 2015 - Duels of the Planeswalkers (ZED archives)


logoliv, posted Mon Mar 23, 2015 10:45 pm (4042)


Hi all,

The 2015 version of Duels of the Planeswalkers now uses ZED files as archives (and no longer WAD files directly); the problem is they are encrypted and as a consequence we're not able to mod the game...
Here's a link about the progress the modders made.

For convenience I attach an extract of the file we would like to decode (just the beginning because the entire size is 320 Mb...)
Thanks in advance for any help.

logoliv, posted Tue Mar 24, 2015 12:04 pm (4048)


If someone is interested and needs a complete ZED file, you can always download a demo on Steam here

aluigi, posted Tue Mar 24, 2015 4:07 pm (4055)


I gave a quick look at them.
Basically their bytes are simply xored with the preceding byte:
data[i] ^= data[i - 1];
And the first byte is xored with 0x53.

And the archives are just a customized ZIP format with the central directory linking directly to the compressed data.
The problem is that the first part of this compressed data is obfuscated in a certain way.

For example in the demo there is a compressed file at offset 0x66389 of 0x100 bytes that decompresses to 0x110 bytes.
These 0x100 bytes are scrambled in a certain way that they become 0x99 bytes that are xored as written before and passed directly to the zlib inflate.
The problem is just the part that shrinks the data to 0x99 bytes which is not a classical input->output obfuscation but it looks more like "precomp" used to rip games (just to give you an idea of what I mean).

logoliv, posted Tue Mar 24, 2015 10:32 pm (4073)


Thanks for taking the time to look Luigi.
When you talk about offset 0x66389, do you mean DATA_000.ZED or did you look at another ZED file (like audio or movies)?
It seems that only the data file is encrypted, and by the way it's the only one we need to decompress because all cards are coded in it.

aluigi, posted Tue Mar 24, 2015 10:47 pm (4075)


I refer to DATA_000.ZED because the other archives use a different non-encrypted format.

logoliv, posted Tue Mar 24, 2015 10:58 pm (4076)


OK, so I have 3 questions:

1) How did you find the value 0x53 that is xored with the first byte?
2) How do you proceed? Simply from left to right (xor the second byte with the result of the first xor) or storing the i-1 byte before xor (xor the second byte with the value that the first byte had before it was xored)?
3) Finally, did you manage to have a decoded file like :

aluigi, posted Tue Mar 24, 2015 11:13 pm (4077)


1)
via debugger with the help of offbreak

2)
from the reverse order so from the last byte till the second one (because the first is xored with 0x53)

3)
no because this is a completely different format where you have a customized ZIP file where instead of the central directory ("PK\3\4") you have just the deflate data.
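
The XOR layer described in the posts above, as an added example that is not part of the original thread and is not aluigi's or quickbms code. It covers only the XOR step (the scrambling that precedes it is not handled) and shows that the reverse-order decode and the "store the previous byte" decode from question 2 give the same result; the function names and the encode helper are assumptions made for the example, and the sample buffer is constructed.

```c
#include <stddef.h>
#include <string.h>

#define ZED_FIRST_KEY 0x53 /* from the thread: XORed with the first byte */

/* In-place decode from the last byte down to the second, so data[i - 1]
 * is still the encoded value when it is used. */
void zed_xor_decode(unsigned char *data, size_t len)
{
    if (len == 0) return;
    for (size_t i = len - 1; i > 0; i--)
        data[i] ^= data[i - 1];
    data[0] ^= ZED_FIRST_KEY;
}

/* Equivalent left-to-right decode: save each encoded byte before
 * overwriting it and use it as the key for the next one. */
void zed_xor_decode_forward(unsigned char *data, size_t len)
{
    unsigned char prev = ZED_FIRST_KEY;
    for (size_t i = 0; i < len; i++) {
        unsigned char enc = data[i];
        data[i] = enc ^ prev;
        prev = enc;
    }
}

/* Inverse transform, inferred from the decode rule (assumption); used
 * only to build the constructed test input below. */
void zed_xor_encode(unsigned char *data, size_t len)
{
    unsigned char prev = ZED_FIRST_KEY;
    for (size_t i = 0; i < len; i++)
        prev = data[i] ^= prev;
}

/* Returns 1 if both decoders recover the constructed sample. */
int zed_selftest(void)
{
    const unsigned char plain[] = "constructed sample, not game data";
    unsigned char a[sizeof plain], b[sizeof plain];
    memcpy(a, plain, sizeof plain);
    zed_xor_encode(a, sizeof a);
    memcpy(b, a, sizeof a);
    zed_xor_decode(a, sizeof a);
    zed_xor_decode_forward(b, sizeof b);
    return !memcmp(a, plain, sizeof plain) && !memcmp(b, plain, sizeof plain);
}

int main(void) { return zed_selftest() ? 0 : 1; }
```

A plain left-to-right `data[i] ^= data[i - 1]` in place would use already-decoded bytes as keys and produce wrong output from the second byte onward, which is why the order matters.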

logoliv, posted Wed Mar 25, 2015 1:27 pm (4093)


Thanks for your explanations, the problematic point is now more clear to me. I also understand that I clearly don't have the knowledge to go further at all... do you think there's a way to find the scrambling algorithm?

aluigi, posted Wed Mar 25, 2015 4:01 pm (4096)


With time and desire many things are possible :)

The project was interesting but currently I don't have a plan for retrieving this last part of information, I really think it's some public algorithm because the code was quite complex and not caused by obfuscations.
Maybe someone else is interested.

logoliv, posted Wed Mar 25, 2015 6:51 pm (4101)


Someone has found a good clue on the scramble algorithm... Please could you just give a look at the post and tell me if it helps ?

aluigi, posted Thu Mar 26, 2015 6:40 am (4111)


I think that's the correct one :)
Currently I don't have RSA implemented in quickbms so I can't do something now.
This topic is now closed to further replies.
