Skip to content

A reverse-engineering puzzle

thoughtful emoticon

I have a proprietary file format on my hands. Yes, I’m hacking apart one more renai game to see what’s inside. Unless you can handle code speak, I suggest you don’t read further.

Took me a couple of hours to puzzle out the main virtual filesystem format — nothing unusual here, a fairly silly index with limited filename length, some filenames in Shift-JIS, some odd junk like repeated values in the index which aren’t used at all, the works. But the real problem is the compression type flag in there.

There’s three compression types. 0×00 is raw storage, which was obvious. 0×01 is an LZSS flavor, which took me some 20 hours straight to decipher — it always starts with a control byte, stores references as AABC where BAA is the reference to a 0×1000 ring buffer (with a 0×12 offset for some silly reason) and C is the run length-3. Thankfully I had a set of files which were repackaged by a translator of the game who neglected to write a compression procedure, so I knew what to compare with and soon after I started writing actual code, it all came together, so I have extracted the majority of the content, including even a few forgotten PSD files.

The 0×02 compression type is what puzzles me utterly. Here’s an example of a file extracted without decompression:

 FE 6A BC D4 33 15 4E AC F4 CA E5 97 72 2F B1 C0 
 54 0F 7F F6 62 0A F4 A6 1B 96 78 53 C1 00 FD 82 
 86 A8 D0 3B 1A 27 02 8C 7D D1 6C 36 93 FB 78 33 
 61 B8 7C 34 BA 68 8B 3B 6D 2E 85 B1 0B 3F BF 51 
 63 2D F6 04 78 61 C0 FE 71 B5 92 B2 42 CB DE E1 
 1D 2C BB 55 DC F4 53 C7 1D 1B E3 61 27 BB EC 7A 
 51 71 0C 5C AB 1C 7F AD 47 65 EE D7 7D 53 8B 69 
 DE 9A 3A F1 ED 4C 4B 91 66 5A DD 79 CC 23 42 36 
 69 48 93 FF 18 48 F2 E2 37 37 03 09 5A FC 7D 20 
 CC E0 1E 5F 24 C0 0D FF 2A 1D 0B 70 32 93 85 D9 
 A8 49 CE D5 3C 78 86 72 3D C7 39 F1 BB 64 9B 38

I’m fairly certain this is a BMP file, very likely the kind with a palette, so the first two unpacked bytes should be “BM”, (0×42 0x4d) but beyond that I have nothing to compare with and no clue as to what kind of compression could this be. While it’s not impossible that there’s some kind of silly encryption at work, it’s unlikely, since nothing else is encrypted and there’s nothing that looks like it could be an encryption key anywhere.

Can anyone tell me what in blazes this is?

This was written by rn3aoh. Posted on Saturday, May 26, 2007, at 22:50. Filed under Computers. Bookmark the permalink. Follow comments here with the RSS feed. Post a comment or leave a trackback.

Post a Comment

Your email is never published nor shared. Required fields are marked *
*
*