xmoezzz/KrkrExtract

花鐘カナデ*グラム Chapter1 problems

tommy030314 opened this issue · 6 comments

Can you add support for the "花鐘カナデ*グラム Chapter1" game?
It cannot be opened even with GARbro.

Just spent a little time investigating the new archive format:

  • This module implements access to encrypted archives (as usual)
    • The name of the DLL file is a little bit confusing, but in fact it's cxdec.dll (via the PDB path)
  • sub_1000D7E0 implements specific chunk registration (Hxv4, etc.)
  • sub_1001F5F0 implements decryption...

It's not easy to detect this routine automatically and then invoke it.

Almost done.
Seems like a serialized object (Dict).

Thanks!

Finally, I decided to write something here before archiving this project; I've had this decision in my mind for a long time.
I've been trying to maintain this project for several years, even though there is almost no other contributor.

By using some tricks, KrkrExtract can still extract everything you want automatically, as usual:

  • make sure V2Link is called and cxdec.dll (maybe with a random name) is loaded
  • after hooking ZLIB_uncompress (which is provided by the stub), as long as a plugin invokes the stub, we can get the decrypted and uncompressed raw buffer here:
    81 00 00 00 08 03 00 00 00 08 94 D4 A9 7C 61 49 86 21 81 00 00 02 AA 03 00 00 00 20 2E A4 AA EC 
    6A 09 F9 D1 7E 2A 5A 7A C4 22 FB 64 B6 A4 21 95 C5 5C F6 77 2F B3 0C 0F A0 12 0C 8D 81 00 00 00 
    02 04 00 00 00 00 00 00 00 00 04 C7 54 2A 3C 5F 9C 3F 7C 03 00 00 00 20 CE A9 33 9B 36 F1 58 15 
  • it is serialized; sub_10010C70 can read this buffer into a tTJSVariant
  • set up a vectored exception handler
  • set a hardware breakpoint on the initial 4 bytes of this buffer
  • your vectored exception handler will receive a single-step event when someone tries to read/write this area ([buffer_start, buffer_start + 4])
  • use the MSVC macro _ReturnAddress to obtain the return address (within the caller)
    • you can hook here, or
    • try to find out the callee address (sub_10010C70 in this case)
  • now you can inspect the tTJSVariant object (inspecting a TJS2 object in pure C++ is a bit painful)
  • there are 3 kinds of objects in this case:
    • integer: file chunk index
    • binary data: 32-byte hash or something else
    • object: has a member named Array
  • I closed IDA Pro and WinDbg

BUT THE STORY NEVER ENDS HERE

  • the game company (M2) has already learned something from past mistakes, including not decrypting filenames on demand

  • I don't want to struggle in the quagmire of "encryption and decryption"

What Can We Do Next?

  • go deep and reverse this binary, or
  • just hook tTJSBinaryStream * ::TVPCreateBinaryStreamAdapter(IStream *) and extract everything accessed by the game process
  • AND this is my final answer (in fact this project has existed for several years)
  • Good luck

@xmoeproject, quote that in the readme if you plan to archive the project.
It's sad, but at the same time it was a long journey, and as such it was just a matter of time.
Thank you for your hard work over those years.

By the way, do you think it will be possible to use hashes to identify and reload the content of anonymous decrypted blobs while hooking the ZLIB_uncompress function?
If yes, at least it doesn't look like this will be the end of fan translation for this engine yet.

Any alternative for this project?