UFC 4 .mcd - variation of zstd compression?

  • Supporter

Hello, I tried to decompress a UFC 4 .mcd file which has a "chunzstd" signature. After removing the 48-byte header (so the file starts with 28B52FFD) I used quickbms with comtype zstd, to no avail (comtype LZO1Z didn't work, either).

Maybe someone can lend a helping hand?

comtype zstd
set NAME string ""
string NAME + "zstd-decompressed.bin"
clog NAME 0 0xCB540 0x100000

The 4th parameter for clog is the uncompressed size, where I tried different values (3rd param = compressed size, 2nd: offset into file).

(I see, using 48 here instead of 0 I could have spared removing the header...)

head_conor_mcgregor_model_CB540-withoutHeader.zip

Solved by Rabatini

1 hour ago, shak-otay said:

Hello, I tried to decompress a UFC 4 .mcd file which has a "chunzstd" signature. After removing the 48-byte header (so the file starts with 28B52FFD) I used quickbms with comtype zstd, to no avail (comtype LZO1Z didn't work, either).

Maybe someone can lend a helping hand?

comtype zstd
set NAME string ""
string NAME + "zstd-decompressed.bin"
clog NAME 0 0xCB540 0x100000

The 4th parameter for clog is the uncompressed size, where I tried different values (3rd param = compressed size, 2nd: offset into file).

(I see, using 48 here instead of 0 I could have spared removing the header...)

head_conor_mcgregor_model_CB540-withoutHeader.zip 811.59 kB · 2 downloads

It's not just 1 block of data, there are multiple compressed ZSTD blocks in your sample file that have to be joined together - e.g. at 0, 0x129b0, 0x31dd0, etc. It looks as though each file is preceded by the compressed size and another value, except the first block, which looks to be a compressed size of 0x129a0. You might have cut that bit off in your sample. Each block seems to decompress to 0x40000 bytes except for the last one, which is shorter. I guess the header might have some useful info.
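Added example, not part of the thread or of any poster's tool: a Python walker over the standard Zstandard frame layout (RFC 8878) that locates every frame in a container like the one described above and reports its offset, compressed length, declared decompressed size and the number of bytes between it and the previous frame, i.e. the values `clog` needs. The function names, the `max_declared` cap (set to the 0x40000 block size reported above) and the sample bytes are assumptions constructed for illustration.

```python
ZSTD_MAGIC = b"\x28\xb5\x2f\xfd"   # the 28B52FFD bytes from the thread

def frame_extent(buf, off):
    """Walk one zstd frame at `off`; return (frame_len, declared_size or None)."""
    pos = off + 4
    fhd = buf[pos]; pos += 1                      # Frame_Header_Descriptor
    single, checksum = (fhd >> 5) & 1, (fhd >> 2) & 1
    if fhd & 0x08:
        raise ValueError("reserved bit set")
    pos += (0 if single else 1) + (0, 1, 2, 4)[fhd & 3]   # window desc + dict ID
    fcs_len = (single, 2, 4, 8)[fhd >> 6]         # Frame_Content_Size width
    declared = None
    if fcs_len:
        declared = int.from_bytes(buf[pos:pos + fcs_len], "little")
        declared += 256 if fcs_len == 2 else 0    # 2-byte form is biased by 256
        pos += fcs_len
    last = 0
    while not last:                               # 3-byte Block_Header each
        if pos + 3 > len(buf):
            raise ValueError("truncated frame")
        hdr = int.from_bytes(buf[pos:pos + 3], "little")
        last, btype, bsize = hdr & 1, (hdr >> 1) & 3, hdr >> 3
        if btype == 3:
            raise ValueError("reserved block type")
        pos += 3 + (1 if btype == 1 else bsize)   # RLE stores a single byte
    pos += 4 * checksum                           # optional content checksum
    if pos > len(buf):
        raise ValueError("truncated frame")
    return pos - off, declared

def scan(buf, max_declared=0x40000):
    """List (offset, frame_len, declared_size, gap_before) for each valid frame."""
    out, pos, prev_end = [], buf.find(ZSTD_MAGIC), 0
    while pos != -1:
        try:
            length, declared = frame_extent(buf, pos)
            if declared is not None and declared > max_declared:
                raise ValueError("declared size over limit")
        except (ValueError, IndexError):
            pos = buf.find(ZSTD_MAGIC, pos + 1)   # stray magic or bad frame
            continue
        out.append((pos, length, declared, pos - prev_end))
        prev_end = pos + length
        pos = buf.find(ZSTD_MAGIC, prev_end)      # skip the frame body
    return out

# Constructed sample: 48-byte header, two hand-built frames, 16 bytes between them.
SAMPLE = (b"chunzstd".ljust(48, b"\0")
          + ZSTD_MAGIC + b"\x20\x05\x29\x00\x00hello"
          + bytes(16)
          + ZSTD_MAGIC + b"\x84\x40" + (0x40000).to_bytes(4, "little")
          + b"\x02\x00\x10A\x03\x00\x10A" + b"\0\0\0\0")
```

Because the walker skips each frame body, magic bytes that happen to occur inside compressed data are not mistaken for a new frame, and a frame whose header declares more than the cap is rejected before any decompressor is asked to allocate for it.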

 

 

  • Supporter
  • Solution
1 hour ago, shak-otay said:

Hello, I tried to decompress a UFC 4 .mcd file which has a "chunzstd" signature. After removing the 48-byte header (so the file starts with 28B52FFD) I used quickbms with comtype zstd, to no avail (comtype LZO1Z didn't work, either).

Maybe someone can lend a helping hand?

comtype zstd
set NAME string ""
string NAME + "zstd-decompressed.bin"
clog NAME 0 0xCB540 0x100000

The 4th parameter for clog is the uncompressed size, where I tried different values (3rd param = compressed size, 2nd: offset into file).

(I see, using 48 here instead of 0 I could have spared removing the header...)

head_conor_mcgregor_model_CB540-withoutHeader.zip 811.59 kB · 0 downloads

Actually your file is a container with a bunch of zstd files.

Attached the first file decompressed.

I did a tool, long time ago, I will search here.

head_conor_mcgregor_model_CB540.mcd.zip

  • Author
  • Supporter

Thanks to both of you. Yeah, I should have looked for more 28B52FFD in the file, how naive I am, sometimes...

Works with the first block:

comtype zstd
set NAME string ""
string NAME + "zstd-decompressed.bin"
clog NAME 0 76192 0x100000

edit: for the 2nd block I used

clog NAME 0 128017 262144

Decompressed file looks ok...

For 3rd and 4th block, too, ...

Edited by shak-otay

  • Author
  • Supporter

Haha, too late, I just finished it manually...

But thanks, really appreciated.

(Oh, well, 7 scanners of VirusTotal flag the exe. I know, might be false positives, but more than 5 are a lot...)

I'll test it later in a VM.

Edited by shak-otay

  • Supporter
1 minute ago, shak-otay said:

Haha, too late I just finished it manually...

But thanks, really appreciated.

(Oh, well, 7 scanners of VirusTotal flag the exe. I know, might be false positives, but more than 5 are a lot...)

False positive, I did not put my trojans to take your credit card in this one!!! hahahaha

  • Author
  • Supporter
23 minutes ago, Rabatini said:

False positive, I did not put my trojans to take your credit card in this one!!! hahahaha

Yeah, I guess so. Some dev chains seem to produce suspicious code.

edit: used your exe sandboxed, but it extracts the first frame only from head_conor_mcgregor_model_CB540.mcd?

.joined contains first frame only.

Edited by shak-otay

  • Supporter
23 minutes ago, shak-otay said:

Yeah, I guess so. Some dev chains seem to produce suspicious code.

edit: used your exe sandboxed, but it extracts the first frame only from head_conor_mcgregor_model_CB540.mcd?

.joined contains first frame only.

No!

It should be like that:

[image]

 

  • Author
  • Supporter

Ok, 5 frames. (Maybe the sandbox forces closing?)

[image: ZSTD-Rabatini.png]

(Anyways. As I wrote I've already concatenated all 12 manually extracted blocks and working with it.)

  • Author
  • Supporter

Haha, should have looked 1 hour ago but I was too busy extracting head_conor_mcgregor_diffuse.gnf manually...

The good news: tried ZstdMagicExtractor and the .joined file is identical to the manually decompressed/concatenated .gnf.

Thanks again!

 
