This topic was archived here:

https://web.archive.org/web/20230000000000fw_/https://www.zenhax.com/viewtopic.php?t=14879

bruhmoment, posted Sun Feb 14, 2021 3:39 pm (62204)

---

is it possible to make tool for texts? i think it's encrypted .exe

aluigi, posted Sun Feb 14, 2021 11:54 pm (62221)

---

Have you checked if there are tools available for the other games based on the Havok Vision Engine?

Apparently that's the engine used in this game too, probably all the files and formats are the same.

bruhmoment, posted Mon Feb 15, 2021 11:04 am (62229)

---

aluigi wrote:

Have you checked if there are tools available for the other games based on the Havok Vision Engine?

Apparently that's the engine used in this game too, probably all the files and formats are the same.

do you have a full list this engine scripts? i use ctrl f quickbms script page but couldn't find

files look like this

https://prnt.sc/zlfcd6

https://prnt.sc/zlfexs

https://prnt.sc/zlfhkc

yusuf2020, posted Mon Feb 15, 2021 11:36 am (62231)

---

bruhmoment wrote:

aluigi wrote:

Have you checked if there are tools available for the other games based on the Havok Vision Engine?

Apparently that's the engine used in this game too, probably all the files and formats are the same.

do you have a full list this engine scripts? i use ctrl f quickbms script page but couldn't find

files look like this

https://prnt.sc/zlfcd6

https://prnt.sc/zlfexs

https://prnt.sc/zlfhkc

I guess you can extract datas with https://github.com/wmltogether/CriPakTools

bruhmoment, posted Mon Feb 15, 2021 12:00 pm (62232)

---

yusuf2020 wrote:

bruhmoment wrote:

aluigi wrote:

Have you checked if there are tools available for the other games based on the Havok Vision Engine?

Apparently that's the engine used in this game too, probably all the files and formats are the same.

do you have a full list this engine scripts? i use ctrl f quickbms script page but couldn't find

files look like this

https://prnt.sc/zlfcd6

https://prnt.sc/zlfexs

https://prnt.sc/zlfhkc

I guess you can extract datas with https://github.com/wmltogether/CriPakTools

not work cri

https://github.com/Kaplas80/GuJian3Manager i find this but i don't know how to use it.

yusuf2020, posted Tue Feb 16, 2021 7:06 am (62287)

---

bruhmoment wrote:

yusuf2020 wrote:

bruhmoment wrote:

do you have a full list this engine scripts? i use ctrl f quickbms script page but couldn't find

files look like this

https://prnt.sc/zlfcd6

https://prnt.sc/zlfexs

https://prnt.sc/zlfhkc

I guess you can extract datas with https://github.com/wmltogether/CriPakTools

not work cri

https://github.com/Kaplas80/GuJian3Manager i find this but i don't know how to use it.

Compile with Visual Studio.

alanm, posted Fri Nov 05, 2021 12:21 am (67370)

---

I run the .exe in IDA debugger and after lot of failed attempts found the assembly calls that decrypt game text into a memory buffer. Dumped this buffer to file, it is ~62MB in size. Its seems to contain all cutscene subtitle and UI strings. Loaded this file in Notepad and set encoding to UTF-8, I found 3 language bundle together in some format with cutsceneID and VoiceID:

Kaplas, posted Fri Nov 05, 2021 7:57 am (67375)

---

Hello alanm

Could you tell me what are the addresses of the decryption functions in the executable?

Thanks!

alanm, posted Fri Nov 05, 2021 6:29 pm (67382)

---

Hi Kaplas,
Are you the same Kaplas of Gujian3Manger? Really appreciate your good work of the GuJian3 file extractor/decryptor.

The original Steam version of .exe has encrypted .text section and it quit when a debugger is running. You need the "alternative" .exe from the web that does not have a encrypted .text section.

Load .exe into Ghidra as a PE executable.
Find the decrypt function entry by offset or byte search:
On entry: R14 contains address of the output buffer. R8 (not EAX, my bad) contains the decoded size, when R8=0x3DF0367. it is handling the text buffer.



What I did was going to the exit of the decrypt function, set a conditional breakpoint there only break when EAX=0x3DF0367. Dump the memory content starting at address pointer R14 for 0x3DF0367 bytes long

Kaplas, posted Fri Nov 05, 2021 11:07 pm (67386)

---

Thank you!!

I'll let you know if I'm able to reverse the encryption.

alanm, posted Sat Nov 06, 2021 4:10 pm (67404)

---

Hello Kaplas,
Hope you make progress with the encryption code. If the code turn out to be too convoluted to be reversed, there maybe another way to replace the text buffer using the un-encrypted .exe. This is assuming the buffer I found contain all the localization text, I did not study it in detail.

-Using a PE editor to add a new code section to .exe, this add space to the end of .exe
-Put buffer checking assembly code and a copy of the translated text buffer in the new segment space.
-Change original decrypted function epilogue code, add a jmp instruction which direct control to new code segment.
-In new segment, check output buffer size. If buffer size matches, copy translated text buffer to output buffer. jmp back to the encrypted function and return to caller.

This method works like a malware, AV probably will flag the .exe

Also the translated text cannot be longer than the original text it replaces, since altering the format of text buffer probably upset game code.

Subtitle text:

Quest text

Lazy_Cat_2k3, posted Mon Nov 08, 2021 4:15 am (67428)

---

Can we create a hook and load the translated text buffer from and external file like text.bin ?
Also if we can remove another language, there will be more space to make translated text longer.
Just some ideas like alanm said, I haven't done anything yet

alanm, posted Tue Nov 09, 2021 2:20 pm (67443)

---

Lazy_Cat_2k3 wrote:

Can we create a hook and load the translated text buffer from and external file like text.bin ?
Also if we can remove another language, there will be more space to make translated text longer.
Just some ideas like alanm said, I haven't done anything yet

Definitely can read the translated text buffer from file. Take a bit more time to code that.
Thanks for the idea of getting space from another language. Initial test look promising. All the text strings in text buffer is prefix with a hex value "0x08 ". Need to adjust that byte if text size change. The total buffer size must remain constant, for example an English text get 10 bytes longer , one must remove 10 bytes from one of the other languages text and adjust the length prefix to match the changes. Game will crash if the total buffer size change. What is needed at minimum is to write a parser to extract localizable strings from the text buffer file to a utf-8 text file for translation. And a injector script to inject translated text back to text buffer file, automatically balance the text size from different languages. The text buffer file contains a varieties of text include skills/ items/ dialog/menu/mission text etc. etc, they all have different structure and very challenging to find the display strings. It will take some time to find the tag/value pairs, if it even possible to get them all.

Lazy_Cat_2k3, posted Tue Nov 09, 2021 2:36 pm (67445)

---

Can you upload the text buffer file (decrypted ofc) ?

alanm, posted Tue Nov 09, 2021 4:13 pm (67446)

---

Here is the decrypted text buffer file. Have fun .
https://www.mediafire.com/file/m4fc3o5kqqznrgv/gujian3_text.bin/file

Lazy_Cat_2k3, posted Tue Nov 09, 2021 9:17 pm (67447)

---

After digging around, it seem like they use Lua CJSON to read text buffer file (binary json). And I don't have any experience on lua
Since size of string (1 - 2 byte ?) is always before the string , make pattern scanning some tag like "description", "hint" (0x0448696E7408), "EN" (0x02454E08), "DialogText", "text" ... is another way but will take a lot of time to find all tag.

Kaplas, posted Tue Nov 09, 2021 11:16 pm (67449)

---

alanm wrote:

Game will crash if the total buffer size change.

The encrypted section is at offset 0x132d070 in the exe file, and the first value is the uncompressed section size. If we are able to read the unencrypted section from a file, maybe changing that value let us translate without the need of keeping the section size.

Lazy_Cat_2k3, posted Wed Nov 10, 2021 4:36 pm (67459)

---

Here are all strings extracted with their offset (some strings are wrong because I haven't parsed all types and maybe I've parsed it wrong in the beggining )
https://www.mediafire.com/file/8xm20hza ... s.rar/file
The code behind:

Code:

            while (input.Position             {
                byte Type = input.ReadValueU8();
                int sizeString = 0;
                switch (Type)
                {
                    case 8:
                        sizeString = input.ReadValueU8();
                        output.WriteLine(input.ReadString(sizeString));
                        break;
                    case 9:
                        sizeString = input.ReadValueU16();
                        output.WriteLine(input.ReadString(sizeString));
                        break;
                    case 3:
                        input.ReadBytes(1);
                        break;
                    case 4:
                        input.ReadBytes(2);
                        break;
                    case 5:
                        input.ReadBytes(3);
                        break;
                    case 6:
                        input.ReadBytes(3);
                        break;
                    case 7:
                        input.ReadBytes(8);
                        break;
                    case 10:
                        input.ReadBytes(3);
                        break;
                    case 11:
                        input.ReadBytes(4);
                        break;
                    case 16:
                        input.ReadBytes(4);
                        break;
                }
            }

alanm, posted Thu Nov 11, 2021 6:38 am (67464)

---

Kaplas wrote:

The encrypted section is at offset 0x132d070 in the exe file, and the first value is the uncompressed section size. If we are able to read the unencrypted section from a file, maybe changing that value let us translate without the need of keeping the section size.

A quick test reducing the size at offset 0x132d070 a little bit causing the game quit. there may be other check depends on the size.

The text buffer hook now read text from external file.

alanm, posted Thu Nov 11, 2021 6:56 am (67465)

---

Lazy_Cat_2k3 wrote:

Here are all strings extracted with their offset (some strings are wrong because I haven't parsed all types and maybe I've parsed it wrong in the beggining )
https://www.mediafire.com/file/8xm20hza ... s.rar/file
The code behind:

The extracted file looks pretty complete. how to tell which strings are wrong?

What would be even better is if we can further reduce this file down to only show the localized strings of the 3 language version. , for example for a dialog line, the keyID shows up only once but with 3 language dialog text strings show up one after another. By doing that the translator know exactly which strings require translation since it will have 3 lines of texts pair with one key.

There are clues in the strings file that tell us where a language block started. Default Chinese text block started with tag "Content", traditional Chinese block started with tag "CHT" and English block started with tag "EN"

Lazy_Cat_2k3, posted Thu Nov 11, 2021 7:59 am (67467)

---

alanm wrote:

A quick test reducing the size at offset 0x132d070 a little bit causing the game quit.

Mostly, the decryption/decompression algorithm won't work if we provide the wrong decrypted/decompressed size.
There're several solutions like: understanding the algorithm (maybe Kaplas still works on it), remove the decryption code (hard way) or change the size only after it decrypted the original buffer (should test), also try increasing the size (if the algorithm use this size just to create buffer to store decrypted data, then a larger buffer shouldn't be a problem)

Lazy_Cat_2k3, posted Thu Nov 11, 2021 8:18 am (67468)

---

alanm wrote:

The extracted file looks pretty complete. how to tell which strings are wrong?

If strings's wrong, it will look like these images.
viewtopic.php?f=12&t=14879#p67370

alanm wrote:

What would be even better is if we can further reduce this file down to only show the localized strings of the 3 language version. , for example for a dialog line, the keyID shows up only once but with 3 language dialog text strings show up one after another. By doing that the translator know exactly which strings require translation since it will have 3 lines of texts pair with one key.

It's possible, but since it's json file with lots of format and tag, it will take more time to hardcoded these stuff.
I'm still thinking the easier way like extract text only if it match these tag (EN, Dialog, ...).

alanm, posted Fri Nov 12, 2021 9:19 am (67480)

---

Lazy_Cat_2k3 wrote:

alanm wrote:

A quick test reducing the size at offset 0x132d070 a little bit causing the game quit.

Mostly, the decryption/decompression algorithm won't work if we provide the wrong decrypted/decompressed size.
There're several solutions like: understanding the algorithm (maybe Kaplas still works on it), remove the decryption code (hard way) or change the size only after it decrypted the original buffer (should test), also try increasing the size (if the algorithm use this size just to create buffer to store decrypted data, then a larger buffer shouldn't be a problem)

Had tried the following
-change the size to match the new text buffer only after decrypted the original buffer. game quitted after return to caller
-increase buffer size in .exe. game quitted before reaching the decrypt call.

Changing text buffer size is still not fesible. I am looking into how to insert translated strings back to the binary json buffer. need to shrink the unused language text to make more room if need.

alanm, posted Fri Nov 12, 2021 3:53 pm (67484)

---

Good news. Found the buffer size checksum checking code of text buffer. Should not have problem with bigger buffer now.