Unreal Engine 4 pak-file Unpacker / unreal_tournament_4.bms [UE4 global topic]

[gladias9]

As stated above, Back 4 Blood .paks aren't supported by current scripts. Needs update

[spiritovod]

@ardvent, @gladias9: The game is using slightly different package format, which could be easily fixed in the script, but it seems they've customized encryption as well, while both index and assets(?) are encrypted. And denuvo+EAC doesn't make it easier to analyze at all.
I'll update this post later, but for now situation looks more like the one with latest Tony Hawk's Pro Skater (which was never solved, afaik). Just to avoid questions about correct key, it's 0x30A725CE..., though as you can understand it's quite useless in case of custom encryption.

Update: The thing is that you can actually extract every package from the current distro of open beta, except the first one. This approach looks strange and more like a flaw, so currently I'm very uncertain is it worth to release a solution or wait until beta will end (or even longer) to avoid possible fixes on that side. Here is POC for the idea though.

[ardvent]

@ardvent, @gladias9: The game is using slightly different package format, which could be easily fixed in the script, but it seems they've customized encryption as well, while both index and assets(?) are encrypted. And denuvo+EAC doesn't make it easier to analyze at all.
I'll update this post later, but for now situation looks more like the one with latest Tony Hawk's Pro Skater (which was never solved, afaik). Just to avoid questions about correct key, it's 0x30A725CE..., though as you can understand it's quite useless in case of custom encryption.

Update: The thing is that you can actually extract every package from the current distro of open beta, except the first one. This approach looks strange and more like a flaw, so currently I'm very uncertain is it worth to release a solution or wait until beta will end (or even longer) to avoid possible fixes on that side. Here is POC for the idea though.

This has been helpful, and I've been able to test the PoC, but the PAK provided differs from the one in the game files, how were you able to decrypt the index? Was the key 0x30A725CE?

Edit, additionally UnrealKey came up with nothing for the EXE

Edit: I see that is an address, but I'm having trouble looking it up in HxD i'll investigate further.

[Kyser7]

I'm struggling to correctly deserialize FloatCurve (or CurveFloat, depending where you read) ATT property files at the moment.

I've got two different tools which can actually deserialize the curvefloat uasset/uexp files, but both give incorrect results. I've attached an example.

JohnWickParse / uasset-data-extract results (attached) are missing the "value" property for the curve keys, umodel can't parse it, and fmodel results (attached) gives garbled numbers which don't make sense.

Fmodel looks the most complete, but most of the values are jumping randomly between tiny (1e-43) and huge (1e22) values, which makes no sense for a curve meant to run from about 20 to 5000 or 6000.

I'm pretty new to UnrealEngine in general, so I haven't made much progress so far - from the looks most of the deserialization functions have been found by trial and error.

[spiritovod]

@Kyser7: quickbms is designed more for extraction / repacking things rather than deserializing complex structures. It's better to ask such questions at more relevant places, like Fmodel community at discord or UE forums - or check UE documentation / source code. For now it seems you're a bit confused with definitions, since FloatCurve may be an instance of UCurveFloat object or FRichCurve struct, both of them are not that simple. Judging by the sample, you're interested in FRichCurveKey, but there is possibility that the game in question is using custom implementation of that part, hence those strange results in Fmodel - which it's designed mainly for Fortnite with its own differences from stock engine, so for other random UE4 games produced data may be incorrect and you'll need to parse it manually.

---------------------------------------------------------

Back 4 Blood script added to specific scripts bundle. It's compatible only with paks with decrypted indices due to custom encryption, used in PC version. You can find such paks in special version of OBT build, provided in the game topic.

[Kyser7]

@spiritovod Thanks. I believe they are FRichCurve (splines), but that could just be the deserializer incorrectly interpreting the struct type. Sadly already asked at both FModel and QuickBMS communities, and haven't managed to pique anybodies interest enough to investigate on my behalf. If the answer is I need to learn the UE source code and fork QuickBMS/FModel/Whatever to correctly parse the struct, then I suppose that is what I need to do... just hoping someone else on here may see it and go "Oh yeah, I know that issue". I was somewhat surprised that FRichCurves/UCurveFloats aren't already correctly deserialized, considering how much they get used in animations and such.

[Kein]

I'm struggling to correctly deserialize FloatCurve (or CurveFloat, depending where you read) ATT property files at the moment.

I have already extracted all values for the Isle, it is in the table sheet posted earlier on subreddit.

@spiritovod
The b4b script just skips every file in pakchunk0-WindowsNoEditor.pak - there is no way to extract it manually? It has the most useful data

[spiritovod]

@Kein: This skipping part was added only to ensure that encrypted assets will be properly skipped in other archives. Apparently, they exist only in the first pak and I could simply exclude it and don't add that part to the script, but oh well...
The only way to do it "manually" is to fully automate it, like writing a plugin for debugger to dump certain registers at certain breakpoints - or to reverse decryption scheme. In this case it looks like only key expansion function is modified, so you can grab expanded key and use it with default AES implementation, but I may be wrong. Anyway, it's only a beta and anything can change in the full release.

[LiangZong]

Arena Breakout / 暗区突围

Apk Link:https://dlcdn-live.uam.qq.com/Public/TechnicalTest/UAGame-Android-Shipping-arm64-es2_v1.0.52.52.0_253553.signed.shell.apk

The AES Key for this game could not be found, the SO file is encrypted.

4.26 game

[spiritovod]

@LiangZong: Aside from customized package format, the game is using custom AES encryption, so the key is useless anyway without reversing changes in the encryption algorithm.

[wolf7808]

Kings Bounty 2 - Unreal tournament.bms

img

[spiritovod]

@wolf7808: "latest_UE4_bms-script", available via my signature, should work with the game.

[halloweeks]

Not working all script in pubg mobile 1.5 version

[spiritovod]

@halloweeks: Please read this post. The reason behind that is because most of recent Tencent games are using custom encryption and I can't even tell it's the same algorithm.

[Jacob Darka]

When attempting to extract Psychonauts 2's files quickbms gets stuck like this



Any idea on how to fix that?

[spiritovod]

@Jacob Darka: It's 4.26 game, so you need to use 4.26 script from my signature.

[bad for me]

@Jacob Darka: It's 4.26 game, so you need to use 4.26 script from my signature.

pubgm 1.5 very normal use and coming soon new version 1.6.0 old offset can no longer open or decompress. let me know what i have to do

[spiritovod]

@bad for me: It will not work anymore, since they've completely stripped additional headers in 1.6.0 (at least in the beta). With the way how padding bytes are filled with random data now, it's not possible to simply guess correct compressed chunk size, which is required for zstd decompressor to work properly.

[bad for me]

so now we can't open pak with offset anymore?

I can't create an account on this website

You can request AES keys on rin forums (the list with keys is also there)
AES keys finder and latest UE4 bms scripts: in this post

[spiritovod]

@bad for me: Yes, raw_extract script will not work now for versions 1.6.0 and above due to the reason explained above. As for registration at rin forums, I have no idea, try to use a normal email (not one-time one) and use VPN or Tor in case of connection problems.