Skip to content
View in the app

A better way to browse. Learn more.
ResHax

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.
Help us keep the site running.

Eternal magic/???? .kfs

ZenHAX
in Zenhax

Featured Replies

  • Author
  • Localization

Ekey, posted Wed Dec 25, 2019 7:49 pm (52785)

Seems data is xor'ed. Upload main executable with all modules.
  • Author
  • Localization

Drawing, posted Sat Jan 04, 2020 9:13 pm (52978)

any news ?
If you need other files just ask
  • Author
  • Localization

atom0s, posted Sun Jan 05, 2020 3:15 am (52981)

em_start.exe has some KFS file reading/referencing in it.

Key: Z.j^eihLui4e923@91WkBN19f_3x?Ubq
Key Size: 32

Decryption method is done via:
Code:
sub_417880((int)off_4224B0, dword_4224B8, (int)v8, v9, 0);

Code:
int __cdecl sub_417880(int a1, int a2, int a3, int a4, int a5)
{
  int v5; // edx
  int i; // eax

  v5 = a5 % a2;
  for ( i = 0; i < a4;   i )
  {
    *(_BYTE *)(i   a3) -= *(_BYTE *)(v5     a1);
    if ( v5 >= a2 )
      v5 = 0;
  }
  return 0;
}


off_4224B0 points to the encryption key.
dword_4224B8 points to the encryption key size. (32)
v8 is a pointer to a buffer of the data to decrypt.
v9 is the size of the buffer.

Should be all the info needed to decrypt it.
  • Author
  • Localization

Ekey, posted Sun Jan 05, 2020 6:41 am (52983)

Ok, decryption is simple :)

Code:
unsigned char lpKey[32] = {
    0x5A, 0x2E, 0x6A, 0x5E, 0x65, 0x69, 0x68, 0x4C, 0x75, 0x69, 0x34, 0x65, 0x39, 0x32, 0x33, 0x40, 
    0x39, 0x31, 0x57, 0x6B, 0x42, 0x4E, 0x31, 0x39, 0x66, 0x5F, 0x33, 0x78, 0x3F, 0x55, 0x62, 0x71};
  
void iDecrypt(unsigned char* lpBuffer, int dwSize)
{
   for (int i = 0; i    {
      lpBuffer[i] -= lpKey[i % 32];
   }
}


The header and entry table is at the end of the file.

Code:
fseek(fi, -16, SEEK_END);


Code:
struct KFSHeader
{
   uint32_t   dwID; //0xFF0D2C3A
   uint32_t   dwTotalFiles;
   uint32_t   dwTableSize;
   uint32_t   dwTableOffset;
};

struct KFSEntry
{
   uint16_t   wFileNameLength; //shl 1 or *2 = as you wish :)
   uint8_t    bUnknown1; //0
   uint32_t   dwUnknown1; //1
   uint32_t   dwSize;
   uint32_t   dwZSize;
   uint32_t   dwOffset; //???? -> IMUL ECX,DWORD PTR DS:[EAX],0x9E3779B1 , AND ECX,0x7FFFFFFF
};


Currently not clear with dwOffset field.
  • Author
  • Localization

Drawing, posted Mon Jan 13, 2020 3:44 pm (53205)

waiting for aluigi's help :D
Guest
This topic is now closed to further replies.
Go to topic listing

Account

Navigation

Search

Search

Configure browser push notifications
Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.