QuickBMS - Scan all the supported compressions


michalss

During the reverse engineering of an archive or an unknown file you may find that it uses compression, either because of some parameters found in the index table or because of its "scrambled" content:

[screenshot]

Usually there are some tricks to recognise a known compression algorithm: for example zlib data starts with 0x78, lzma with 0x5d followed by some zeroes, while lzss and lzo show fragments of the uncompressed content, and so on.

But if we don't know the algorithm, or we want to be sure of its name, or we want to know which result is closest to the original uncompressed file, we can use the following script and bat file:
http://aluigi.org/papers/bms/comtype_scan2.bat
http://aluigi.org/papers/bms/comtype_scan2.bms

The following is the situation in our folder, where dump.dat is our compressed file:

[screenshot]

And this is the runtime help of comtype_scan2.bat:

[screenshot]

Let's insert this command-line to start the scan:

comtype_scan2.bat comtype_scan2.bms dump.dat output

Please note that if we already know what is the uncompressed size, it's HIGHLY recommended to add it to the command-line like in this example:

comtype_scan2.bat comtype_scan2.bms dump.dat output 0x7cf

During the scan QuickBMS will show lots of messages and errors. That's perfectly normal. Usually you will notice that it freezes, like in this case:

[screenshot]

No problem, press CTRL-C and type 'n':

[screenshot]

Finally we reach the end of the scanning:

[screenshot]

The next step is manually checking the results dumped in the output folder.
There are ways to automate this process, but the simplest approach is sorting the files by size in descending order:

[screenshot]

And then open them one-by-one with a hex editor:

[screenshot]
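The manual check above (sort the N.dmp files by size, then look at their leading bytes in a hex editor) can be scripted. The following is an added example, not part of the original post or of QuickBMS: it ranks the dump files written by comtype_scan2, flags the ones whose size equals the known uncompressed size when you have it, and labels each by a small constructed signature table; build_sample_folder only fabricates a fake output folder so the script runs offline.

```python
import os
import tempfile
from typing import Optional

# Signatures used to recognise decompressed output (a short, constructed table).
MAGICS = {
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"RIFF": "RIFF container (WAV/AVI)",
    b"PK\x03\x04": "ZIP archive",
}

def identify(head: bytes) -> str:
    """Label a buffer by its leading bytes; 'unknown' when no signature matches."""
    for magic, label in MAGICS.items():
        if head.startswith(magic):
            return label
    return "unknown"

def triage_output(folder: str, expected_size: Optional[int] = None) -> list:
    """Rank the N.dmp files: exact size matches first, then by size descending."""
    results = []
    for name in os.listdir(folder):
        stem, ext = os.path.splitext(name)
        if ext != ".dmp" or not stem.isdigit():
            continue
        path = os.path.join(folder, name)
        with open(path, "rb") as fh:
            head = fh.read(64)
        size = os.path.getsize(path)
        results.append({
            "comtype": int(stem),          # number to look up in defs.h
            "size": size,
            "type": identify(head),
            "size_match": expected_size is not None and size == expected_size,
        })
    results.sort(key=lambda r: (r["size_match"], r["size"]), reverse=True)
    return results

def build_sample_folder() -> str:
    """Create a constructed output folder imitating a scan (not a real scan result)."""
    folder = tempfile.mkdtemp(prefix="comtype_")
    samples = {
        "3.dmp": b"\x00\x11\x22" * 40,                        # garbage from a wrong decoder
        "8.dmp": b"\x89PNG\r\n\x1a\n" + b"\x00" * (0x7cf - 8), # PNG-looking, 0x7cf bytes
        "12.dmp": b"",                                        # decoder produced nothing
    }
    for name, data in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(data)
    return folder
```

Run it against the real output folder with `triage_output("output", 0x7cf)`; the comtype number of the top entry is the one to look up in defs.h.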

That 8.dmp seems to contain valid PNG data, so let's try to open it with an image viewer:

[screenshot]

Bingo, that's the correct algorithm.

Now open the defs.h text file inside the QuickBMS source code (src folder in quickbms.zip) and check which algorithm number 8 is:

[screenshot]

Yeah, the algorithm is lzo1x.

Don't think that it's always so easy to find the correct algorithm: sometimes you don't know the name of the file, and its content is a custom format or raw audio/image data.

Ah, I have attached the original dump.dat in case someone wants to make his own tests.

dump.zip
