Unreal Engine 4 pak-file Unpacker / unreal_tournament_4.bms [UE4 global topic]

[spiritovod]

Just fyi, aluigi has updated official UE4 script to support 4.25 games and now it's incompatible with OverHIT (not sure about other hardcoded workarounds). If you want to unpack it, use my latest variant of the script or any previous version of it.

[senha1k2]

Hello

I need help to find the Key for Life is Strange 2

Here the LIS2-Win64-Shipping.exe

https://drive.google.com/file/d/1t5ord1lsfJYHqks1NtwuFHaj2bg1smQk/view?usp=sharing

[spiritovod]

@senha1k2: LIS2 is not encrypted. Considering that the game doesn't have UWP build at the moment and it should work with default script, I have no idea, what the problem is. Explain your issue in more details.

[spiritovod]

Script with v11 paks support (for 4.26 games) added to my base post. It only supports paks at the moment, but utoc/ucas support may be added later.

Please note that it isn't backward compatible with 4.25- games, because it's a temporary solution, so use default script for 4.25 games and below. It was not tested much, because there are very few 4.26 games at the moment, so if you have problems with it, report them here.

--------------------------------------------------------------------

unreal_tournament_4_0.4.26_paks_only script updated, it now works properly with files over 4GB.

[momemtumz]

pubg mobile dont work pls hep

[doodle160]

Unpaking Friday the 13th with this script gives this error

Error: [myfseek] offset 0x8750217967b15906 in file 0 can't be reached

Last script line before the error or that produced the error:
99 log MEMORY_FILE10 OFFSET SIZE

Press ENTER or close the window to quit

How would I fix this?

[spiritovod]

@doodle160: Use corresponding script from specific scripts bundle with proper key (both are available via my signature). If it will not work, tell what version of the game you're trying to extract.

---------------------------------------------------------------

Script for decrypting and encrypting Dragon Quest XI S saves.

Update: Updated version of the script supports saves from microsoft store (game pass), steam and switch versions of DQ XI S - but there is no auto-detect feature, so you should edit script manually (I've added comments in it for that reason). Also, you can encrypt saves back with the same script, just open the script and edit it according to corresponding comment.
Please note that saves from different versions can be incompatible with each other due to differences in internal format, this script only allow you to decrypt and encrypt saves with different keys.

Update 2: It appeared that keys are different not between platforms, but between different game versions (full / demo). Comments in the script were adjusted with that info, and the key for full versions is now uncommented by default. Please re-download the script if needed.

Update 3:
Here are all changes between PC (gamepass / steam) and switch saves of DQ XI S, based on data001.sav from gamepass and switch versions (see attachment):
1) First 4 bytes are version flag, it's 0x1 for full versions and 0x100 for demo versions. Note that saves are using values in little endian format (for example, 1 will be 01000000 in little endian and 00000001 in big endian for "long" variable).
2) Next 4 bytes are total save size (it will be [file size - 8 bytes]).
3) At 0xC offset it's most likely platform flag, always 8E for PC and 89 for switch.
4) At 0x35 offset there is actual save size, calculated from 0x8 offset (obviously first 8 bytes are system info for decrypting, not related to actual save).
5) At 0x39 offset it's internal offset, where save info starts after save's header, calculated from the 0x0 for some reason. Here is the first noticeable difference between gamepass and switch versions - for gamepass that offset is always pointing to byte after 04000000 (0x4 in little endian), while for switch that offset is always pointing to beginning of 04000000, and this gap is filled with additional 4 zero bytes in PC version.
6) I don't quite understand, what is the offset at 0xB7, but it can be blindly adjusted accordingly, since it's just an offset.
7) Around 0x022BD8 offset for PC version there are additional 0x5C bytes, which is appeared to be controls settings. Switch version doesn't have that block of data at all. Can be copied "as is" from any of your existing saves. You can find it with "05??000000" + "next byte is not null" (switch) / "next byte is 0xFF" (PC) pattern - for switch ?? will be save slot value (like 07 for data007). Also, controls block size can be different, so after finding the pattern (for PC) take 12 bytes after "05" and next will be main part size in little endian.
8) Now to the end of file. It seems the game doesn't use padding schemes for encryption, and that's why end of file (EOF) is adjusted for the save size to be multiple of 16 (AES is encrypting data in 16-byte blocks, so if no padding is used, data should be adjusted to fill blocks fully).
9) Last 8 bytes will be always zero, and starting from [EOF - 16 bytes] there are 4 bytes with actual save size (the same as at 0x35 offset). For example, if you're converting switch save to gamepass, you're adding 4 bytes in the header and 0x5C controls block, that means you should increase actual save size by 0x5C + 4 = 0x60 (and also that unknown offset from [6]).
10) Next 4 bytes are CRC-32 of actual save size data in little endian. For example CC558260 will be 608255CC in the save.
11) Next calculate 0x8 offset + actual save size. Now take a look at [8], it's time to calculate if additional padding is required between current offset and actual save size offset. If current offset is not multiple of 16, it should be adjusted accordingly (i.e. filled with additional zero bytes).

After all those adjustments you can encrypt save back and it should work on different platform. Thanks to Niko of Death for sample saves and some important info. Samples in the attachment.

Update 4: Test script for converting saves automatically (only [switch -> pc] at the moment) is now available in the attachment.

Update 5: "convert" script now works in both directions ([switch -> pc] by default, for [pc -> switch] change option to 0 in the first string). Also, "decrypt-encrypt" script is now more automated and it's also updating CRC checksum during encryption, if you'll make some manual edits without changing size of the save (decryption is default option, for encryption set it to 0 in the first string).

[Killnus]

anyone know Re ZERO Starting Life in Another World The Prophecy of the Throne aes key?

[spiritovod]

@Killnus: Latest Re:Zero game is not UE4 game, but you can find more info about it in that post.

[surugaya]

I'm a noob developer, and I have no idea how to get keys from mobile games. Can someone help me for aes key of uworigin closed beta first version? Thanks in advance!
Android only, zlib https://drive.google.com/file/d/1zOt4v2 ... sp=sharing

[spiritovod]

@surugaya: Uncharted Waters Origin key added to the list (see my signature).

[surugaya]

WOW! It's easy for you:) May I ask you again next time because there maybe exists another updates, or can I learn how to find this key? Thank you so much:)

[spiritovod]

@surugaya: You can find all required tools via my signature.

[leesuhong330]

anyone how can use quickbms in fallen doll 0.32?
maybe pak file is encrypted

https://mega.nz/file/h94XVIQb#bSSj9SRRR ... 8wLgiGj-Bo

[spiritovod]

@leesuhong330: You can find key for the latest version (0.33) via my signature. If you want to request the key for this particular version, go to rin forums and also provide required file (it's all written there).

[Andazu]

@doodle160: Use corresponding script from specific scripts bundle with proper key (both are available via my signature). If it will not work, tell what version of the game you're trying to extract.

---------------------------------------------------------------

Script for decrypting and encrypting Dragon Quest XI S saves.

Update: Updated version of the script supports saves from microsoft store (game pass), steam and switch versions of DQ XI S - but there is no auto-detect feature, so you should edit script manually (I've added comments in it for that reason). Also, you can encrypt saves back with the same script, just open the script and edit it according to corresponding comment.
Please note that saves from different versions can be incompatible with each other due to differences in internal format, this script only allow you to decrypt and encrypt saves with different keys.

Update 2: It appeared that keys are different not between platforms, but between different game versions (full / demo). Comments in the script were adjusted with that info, and the key for full versions is now uncommented by default. Please re-download the script if needed.

Update 3:
Here are all changes between PC (gamepass / steam) and switch saves of DQ XI S, based on data001.sav from gamepass and switch versions (see attachment):
1) First 4 bytes are version flag, it's 0x1 for full versions and 0x100 for demo versions. Note that saves are using values in little endian format (for example, 1 will be 01000000 in little endian and 00000001 in big endian for "long" variable).
2) Next 4 bytes are total save size (it will be [file size - 8 bytes]).
3) At 0xC offset it's most likely platform flag, always 8E for PC and 89 for switch.
4) At 0x35 offset there is actual save size, calculated from 0x8 offset (obviously first 8 bytes are system info for decrypting, not related to actual save).
5) At 0x39 offset it's internal offset, where save info starts after save's header, calculated from the 0x0 for some reason. Here is the first noticeable difference between gamepass and switch versions - for gamepass that offset is always pointing to byte after 04000000 (0x4 in little endian), while for switch that offset is always pointing to beginning of 04000000, and this gap is filled with additional 4 zero bytes in PC version.
6) I don't quite understand, what is the offset at 0xB7, but it can be blindly adjusted accordingly, since it's just an offset.
7) Around 0x022BD8 offset for PC version there are additional 0x5C bytes, which is appeared to be controls settings. Switch version doesn't have that block of data at all. Can be copied "as is" from any of your existing saves. You can find it with "05??000000" + "next byte is not null" (switch) / "next byte is 0xFF" (PC) pattern - for switch ?? will be save slot value (like 07 for data007). Also, controls block size can be different, so after finding the pattern (for PC) take 12 bytes after "05" and next will be main part size in little endian.
8) Now to the end of file. It seems the game doesn't use padding schemes for encryption, and that's why end of file (EOF) is adjusted for the save size to be multiple of 16 (AES is encrypting data in 16-byte blocks, so if no padding is used, data should be adjusted to fill blocks fully).
9) Last 8 bytes will be always zero, and starting from [EOF - 16 bytes] there are 4 bytes with actual save size (the same as at 0x35 offset). For example, if you're converting switch save to gamepass, you're adding 4 bytes in the header and 0x5C controls block, that means you should increase actual save size by 0x5C + 4 = 0x60 (and also that unknown offset from [6]).
10) Next 4 bytes are CRC-32 of actual save size data in little endian. For example CC558260 will be 608255CC in the save.
11) Next calculate 0x8 offset + actual save size. Now take a look at [8], it's time to calculate if additional padding is required between current offset and actual save size offset. If current offset is not multiple of 16, it should be adjusted accordingly (i.e. filled with additional zero bytes).

After all those adjustments you can encrypt save back and it should work on different platform. Thanks to Niko of Death for sample saves and some important info. Samples in the attachment.

Update 4: Test script for converting saves automatically (only [switch -> pc] at the moment) is now available in the attachment.

Update 5: "convert" script now works in both directions ([switch -> pc] by default, for [pc -> switch] change option to 0 in the first string). Also, "decrypt-encrypt" script is now more automated and it's also updating CRC checksum during encryption, if you'll make some manual edits without changing size of the save (decryption is default option, for encryption set it to 0 in the first string).

It was a larger project to homebrew my switch and make this work but it did! Thank you so much for this. Making a YouTube tutorial on this would be a nice bonus, i could give it a shot if need be. If you have a donation link i would be happy to show my gratitude there! Good shit dude, thanks again.

[spiritovod]

@Andazu: I think the most hard part in all that routine would be getting saves from switch and putting them back. And I don't even have the game, so those scripts were created only because Niko provided a lot of samples and explicit info about his findings. Also, if you want to donate, please donate to some actual modders.

-------------------------------------------------------------------------------------------

Script for "Beyond a Steel Sky" was added to specific scripts bundle. It may be also helpful for games using zstd as main compression algorithm.

Also, some scripts from specific scripts bundle were renamed to get rid of most abbreviations. Now they contain complete game title if possible (except PUBG scripts, but that abbreviation is known to almost everyone).

[TGGAMING]

Hey @spiritovod maybe now you can do something about pubg mobile
Because i think we need new key now !
First we got error something like that :

"Error: [myfseek] offset 0x8750217967b15906 in file 0 can't be reached

Last script line before the error or that produced the error:
99 log MEMORY_FILE10 OFFSET SIZE

Press ENTER or close the window to quit "

But now key error again can you help out with it.
Try with new version :
http://www.mediafire.com/file/wnu1brja9 ... d.apk/file

[RDR2EXE]

How to open encrypted .pak file
game name=Predator: Hunting Grounds

[spiritovod]

@RDR2EXE: Latest UE4 script should work with the game. You can find it along with required key via my signature.