DAT (Ever17): Difference between revisions
Revision as of 05:48, 15 July 2014
Seen/used in the following game(s):
- Ever17
Structure
Header
Size | Content | Description |
---|---|---|
4 bytes | Magic/ID | |
4 bytes | File Count | |
8 bytes | 0x00 Filler | |
Index
Size | Content | Description |
---|---|---|
4 bytes | Offset | Starts from zero. |
4 bytes | File Size | Stored value is actual size doubled |
24 bytes | File name | |
Notes for 'wallpaper.dat'
Extracting images straight from the container file will produce broken images. There is nothing wrong with the extraction process; the problem is in the files themselves. In every single JPG, the 256 bytes starting at offset 4352 and ending at 4608 have been modified in some way.
There is a subroutine in the EXE that takes 1 byte from the JPG stored in memory, subtracts a number from it, then puts it back. It does this 256 times, covering the whole 256-byte chunk of obfuscated data, and only for locations between 4352 and 4608. The number that is subtracted from the raw value is not the same for each byte.
The subtraction numbers are generated by adding up the 14 characters in the file name and taking only the lowest byte of the total (treating it as an 8-bit number, so if the total is 0x00000AE4, you only take E4). This is the first of the 256 difference numbers. Each following number is made from the previous number using the expressions below. Please note, the case of the letters in the file name is important!
'a' starts off as the value of the previous number.
Order | Expression |
---|---|
1 | d = a + (a*2) |
2 | d = d + (d*8) |
3 | a = a+(d*4)+1243 |
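The procedure above as a short Python sketch; this is an added example, not code from the game or from the tools mentioned on this page. It assumes that the first difference number is applied to the first byte of the region, that only the low 8 bits of 'a' are subtracted, and that the region is the half-open range 4352 to 4608; the function names and the file name in the test data are constructed. Because each step depends only on the low byte of 'a', masking to 8 bits gives the same subtraction numbers as keeping 'a' in a wider register.

```python
# Added example: restore the modified 256-byte region of a JPG from wallpaper.dat.
# Function names are hypothetical; offsets and expressions are the ones on this page.

REGION_START = 4352   # first modified offset
REGION_END = 4608     # one past the last modified offset (256 bytes total)


def subtraction_numbers(file_name: str, count: int = REGION_END - REGION_START) -> list[int]:
    """Return the per-byte subtraction numbers derived from the file name."""
    # Sum of the file name characters, keeping only the low byte
    # (0x00000AE4 -> 0xE4). Case matters: 'A' and 'a' sum differently.
    a = sum(file_name.encode("ascii")) & 0xFF
    numbers = []
    for _ in range(count):
        numbers.append(a)
        d = a + (a * 2)                  # expression 1
        d = d + (d * 8)                  # expression 2
        a = (a + (d * 4) + 1243) & 0xFF  # expression 3, low byte only (assumption)
    return numbers


def fix_jpg(data: bytes, file_name: str) -> bytes:
    """Subtract the generated numbers from bytes 4352..4607 and return the result."""
    buf = bytearray(data)
    end = min(REGION_END, len(buf))      # tolerate files shorter than the region
    for offset, k in zip(range(REGION_START, end), subtraction_numbers(file_name)):
        buf[offset] = (buf[offset] - k) & 0xFF   # byte subtraction wraps around
    return bytes(buf)
```

Pass the file name exactly as it is stored in the index, since a different letter case gives a different first number and therefore a different sequence.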
One unknown thing so far that still needs to be figured out is the purpose of a condition that does the following:
0040D25F and eax, 8000FFFFh
0040D264 jns short loc_40D26D
Probably not even needed. Changes the register from 0x00000AE4 to 0x000000E4, for example.
Current task -> Rewrite the archive tool for packing and unpacking. Fix flaws in the wallpaper fix tool. Also think about renaming the wallpaper fix tool if other extracted files, such as scripts, show the same thing.