GPK: Difference between revisions

From Game Research Wiki
Jump to navigation Jump to search
No edit summary
No edit summary
Line 21: Line 21:


==Research==
==Research==
Strange format... First 5120 bytes looks like program code but is the same code for every archive. Data itself might not be protected but index data, including offsets are. game engine might have anti-debugger functions. Something to do with exceptions. Passing the ones that come up to the application rather than the debugger seems to solve the issue for now.
Strange format... First 5120 bytes look like program code but is the same code for every archive. Data itself might not be protected but index data, including offsets are. There may be some anti-debugging code. If the debugger eats up the exception that it throws, the program never catches it so it knows it's being debugged and exits. Passing the exception to the program appears to get around this.


read fileSize-16
When loading a archive, the game does the following...


read fileSize-32
reads the last 16 bytes in the file (read offset(fileSize - 16) for 16 bytes).


read fileSize - (4byteValue@fileSize-24) for 4byteValue@fileSize-24
reads 16 bytes, 32 bytes before the end of the file (read offset (fileSize - 32) for 16 bytes).


The last 4 bytes of the data that was just read is a number, that number is the size of the protected space that is at the end of the file - 32 bytes.


The program reads a number that appears to be the size of a protected area. It loads this protected area into memory. In memory, it XOR's each byte of the protected data by 0x82. It then reads the first 4 bytes of the memory that was just XOR'ed and reads it as a 4 byte integer. It then uses this number for something. The program than uses the rest of the memory but excludes the first 4 bytes so the memory space it is working with is 4 bytes less now. Holy shit, wtf am I reading? Is this really that complex? I managed to see the unprotected filenames a few times and appear to be store as a wide width string. However, how it's actually being processes is unknown yet. There is no pattern in the protected versions of the memory to suggest all that white space between characters. The first 4 bytes could actually be the uncompressed filesize of the rest of the data. Which... yeah. This is fucking annoying.
The program then tries to process the protected area. It XOR's the protected space in memory by a number that might change for each byte. Once that is done, the first 4 bytes is a number the program uses for an unknown purpose. It always appears larger than what the protected space is so chances are, it could actually be compressed/encoded data and the number at the front is really just the uncompressed size. Needs more research.

Revision as of 02:29, 7 July 2015

Used in the following game(s):

  • Schooldays HQ

Structure

Header
Size Content Description
5120 Bytes Unknown Microsoft.Net assembly *.EXE
? Bytes Data full archive data
12 Bytes Unknown
4 Bytes Unknown
16 Bytes Unknown

Research

Strange format... First 5120 bytes look like program code but is the same code for every archive. Data itself might not be protected but index data, including offsets are. There may be some anti-debugging code. If the debugger eats up the exception that it throws, the program never catches it so it knows it's being debugged and exits. Passing the exception to the program appears to get around this.

When loading a archive, the game does the following...

reads the last 16 bytes in the file (read offset(fileSize - 16) for 16 bytes).

reads 16 bytes, 32 bytes before the end of the file (read offset (fileSize - 32) for 16 bytes).

The last 4 bytes of the data that was just read is a number, that number is the size of the protected space that is at the end of the file - 32 bytes.

The program then tries to process the protected area. It XOR's the protected space in memory by a number that might change for each byte. Once that is done, the first 4 bytes is a number the program uses for an unknown purpose. It always appears larger than what the protected space is so chances are, it could actually be compressed/encoded data and the number at the front is really just the uncompressed size. Needs more research.