shak-otay (Engineers) - Posted 22 hours ago

Hello, I tried to decompress a UFC 4 .mcd file which has a "chunzstd" signature. After removing the 48-byte header (so that the file starts with 28B52FFD) I used quickbms with comtype zstd, to no avail (comtype LZO1Z didn't work, either). Maybe someone can lend a helping hand?

    comtype zstd
    set NAME string ""
    string NAME + "zstd-decompressed.bin"
    clog NAME 0 0xCB540 0x100000

The 4th parameter for clog is the uncompressed size, where I tried different values (3rd param = compressed size, 2nd: offset into file). (I see, using 48 here instead of 0 I could have spared removing the header...)

head_conor_mcgregor_model_CB540-withoutHeader.zip

DKDave - Posted 21 hours ago

1 hour ago, shak-otay said:
> Hello, I tried to decompress a UFC 4 .mcd file which has a "chunzstd" signature. After removing the 48-byte header (so that the file starts with 28B52FFD) I used quickbms with comtype zstd, to no avail (comtype LZO1Z didn't work, either). Maybe someone can lend a helping hand?
>
>     comtype zstd
>     set NAME string ""
>     string NAME + "zstd-decompressed.bin"
>     clog NAME 0 0xCB540 0x100000
>
> The 4th parameter for clog is the uncompressed size, where I tried different values (3rd param = compressed size, 2nd: offset into file). (I see, using 48 here instead of 0 I could have spared removing the header...)
>
> head_conor_mcgregor_model_CB540-withoutHeader.zip

It's not just 1 block of data, there are multiple compressed ZSTD blocks in your sample file that have to be joined together - e.g. at 0, 0x129b0, 0x31dd0, etc. It looks as though each file is preceded by the compressed size and another value, except the first block, which looks to be a compressed size of 0x129a0. You might have cut that bit off in your sample. Each block seems to decompress to 0x40000 bytes except for the last one, which is shorter. I guess the header might have some useful info.

Rabatini (Engineers, Solution) - Posted 21 hours ago

1 hour ago, shak-otay said:
> Hello, I tried to decompress a UFC 4 .mcd file which has a "chunzstd" signature. After removing the 48-byte header (so that the file starts with 28B52FFD) I used quickbms with comtype zstd, to no avail (comtype LZO1Z didn't work, either). Maybe someone can lend a helping hand?
>
>     comtype zstd
>     set NAME string ""
>     string NAME + "zstd-decompressed.bin"
>     clog NAME 0 0xCB540 0x100000
>
> The 4th parameter for clog is the uncompressed size, where I tried different values (3rd param = compressed size, 2nd: offset into file). (I see, using 48 here instead of 0 I could have spared removing the header...)
>
> head_conor_mcgregor_model_CB540-withoutHeader.zip

Actually your file is a container with a bunch of zstd files. Attached the first file decompressed. I did a tool, long time ago, I will search here.

head_conor_mcgregor_model_CB540.mcd.zip

shak-otay (Engineers, Author) - Posted 20 hours ago

Thanks to both of you. Yeah, I should have looked for more 28B52FFD in the file, how naive I am, sometimes...

Works with the first block:

    comtype zstd
    set NAME string ""
    string NAME + "zstd-decompressed.bin"
    clog NAME 0 76192 0x100000

edit: for the 2nd block I used

    clog NAME 0 128017 262144

Decompressed file looks ok... For 3rd and 4th block, too, ...

Edited 19 hours ago by shak-otay

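Added example (not part of any post in this thread, and not Rabatini's tool): Python that derives the three clog values (offset, compressed size, uncompressed size) for every zstd frame in a container by parsing each frame header and walking its block headers as laid out in RFC 8878, so a 28B52FFD that happens to sit inside frame data is not taken for a new frame. SAMPLE is constructed for illustration; its 16 filler bytes between frames are a placeholder, not the real .mcd layout, and the function names are hypothetical.

```python
ZSTD_MAGIC = bytes.fromhex("28B52FFD")  # frame magic as it appears on disk

def parse_frame(buf, off):
    """Return (compressed_len, content_size or None) for the frame at off."""
    if len(buf) < off + 6 or buf[off:off + 4] != ZSTD_MAGIC or buf[off + 4] & 0x08:
        raise ValueError("no valid zstd frame header here")
    desc = buf[off + 4]                          # Frame_Header_Descriptor
    single_seg = (desc >> 5) & 1
    pos = off + 5 + (0 if single_seg else 1)     # skip Window_Descriptor
    pos += (0, 1, 2, 4)[desc & 3]                # skip Dictionary_ID
    fcs_len = (single_seg, 2, 4, 8)[desc >> 6]   # Frame_Content_Size width
    content_size = None                          # stays None if not stored
    if fcs_len:
        content_size = int.from_bytes(buf[pos:pos + fcs_len], "little")
        content_size += 256 if fcs_len == 2 else 0
        pos += fcs_len
    last = 0
    while not last:                              # walk the 3-byte block headers
        if pos + 3 > len(buf):
            raise ValueError("truncated frame")
        hdr = int.from_bytes(buf[pos:pos + 3], "little")
        last, btype, bsize = hdr & 1, (hdr >> 1) & 3, hdr >> 3
        if btype == 3:
            raise ValueError("reserved block type")
        pos += 3 + (1 if btype == 1 else bsize)  # an RLE block stores one byte
    pos += 4 if desc & 0x04 else 0               # optional content checksum
    if pos > len(buf):
        raise ValueError("truncated frame")
    return pos - off, content_size

def list_frames(buf):
    """Return [(offset, compressed_len, content_size)] for validated frames."""
    frames, off = [], buf.find(ZSTD_MAGIC)
    while off != -1:
        try:
            clen, usize = parse_frame(buf, off)
            frames.append((off, clen, usize))
            off = buf.find(ZSTD_MAGIC, off + clen)   # resume after the frame
        except ValueError:
            off = buf.find(ZSTD_MAGIC, off + 1)      # chance match, keep going
    return frames

def _raw_frame(payload):  # constructed sample: single-segment, one raw last block
    head = bytes([0x20, len(payload)]) + (len(payload) << 3 | 1).to_bytes(3, "little")
    return ZSTD_MAGIC + head + payload

# Constructed container: 48-byte header, two frames, 16 placeholder bytes between.
SAMPLE = (b"chunzstd".ljust(48, b"\0") + _raw_frame(b"A" * 10 + ZSTD_MAGIC + b"B" * 6)
          + bytes(16) + _raw_frame(b"C" * 5))
```

`list_frames(SAMPLE)` returns one tuple per frame, in the order clog takes its offset, compressed-size and uncompressed-size arguments; the magic embedded in the first frame's payload is skipped because scanning resumes after the validated frame end.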
Rabatini (Engineers) - Posted 18 hours ago

Try this tool, made some adjustments to read your file.

zstd decompressor.zip

shak-otay (Engineers, Author) - Posted 18 hours ago

Haha, too late, I just finished it manually... But thanks, really appreciated.

(Oh, well, 7 scanners of VirusTotal flag the exe. I know, might be false positives, but more than 5 are a lot...) I'll test it later in a VM.

Edited 18 hours ago by shak-otay

Rabatini (Engineers) - Posted 18 hours ago

1 minute ago, shak-otay said:
> Haha, too late, I just finished it manually... But thanks, really appreciated.
>
> (Oh, well, 7 scanners of VirusTotal flag the exe. I know, might be false positives, but more than 5 are a lot...)

False positive, I did not put my trojans to take your credit card in this one!!! hahahaha

shak-otay (Engineers, Author) - Posted 18 hours ago

23 minutes ago, Rabatini said:
> False positive, I did not put my trojans to take your credit card in this one!!! hahahaha

Yeah, I guess so. Some dev chains seem to produce suspicious code.

edit: used your exe sandboxed, but it extracts the first frame only from head_conor_mcgregor_model_CB540.mcd? .joined contains first frame only.

Edited 18 hours ago by shak-otay

Rabatini (Engineers) - Posted 18 hours ago

23 minutes ago, shak-otay said:
> Yeah, I guess so. Some dev chains seem to produce suspicious code.
>
> edit: used your exe sandboxed, but it extracts the first frame only from head_conor_mcgregor_model_CB540.mcd? .joined contains first frame only.

No! It should be like that

shak-otay (Engineers, Author) - Posted 16 hours ago

Ok, 5 frames. (Maybe the sandbox forces closing?)

(Anyways. As I wrote, I've already concatenated all 12 manually extracted blocks and am working with it.)

Rabatini (Engineers) - Posted 14 hours ago

Well, use my old C++ tool, it should work now. Tried to rewrite it in Python for training Python syntax, and maybe I did something wrong.

ZstdMagicExtractor.zip
ZstdMagicExtractor-release version.zip

Edited 14 hours ago by Rabatini

shak-otay (Engineers, Author) - Posted 13 hours ago

Haha, should have looked 1 hour ago but I was too busy extracting head_conor_mcgregor_diffuse.gnf manually...

The good news: tried ZstdMagicExtractor and the .joined file is identical to the manually decompressed/concatenated .gnf.

Thanks again!