SNK Heroines Tag Team Frenzy

[Darko]

I hope someone can take a look to this file:

http://www.mediafire.com/file/7rbha57t9 ... i.wad/file

[aluigi]

It has an "AGAR" magic like in danganronpa and The King of Fighters XIV.
I think the format derives from kof but unfortunately the script doesn't work.
Since the format uses encrypted data there is not much I can do at the moment.

[Darko]

Ok, Thanks aluigi, I'm gonna wait to see if someone can take a look to this crap .

[chrrox]

kof 14 function in ida
https://pastebin.com/EWPi4maF

same function in snk heroines
https://pastebin.com/wewXvTky

[aluigi]

So I bet it just uses a different key.

[datkofguy]

most likely, no luck using aes-finder on the game though.

[LarsMasters]

Is it me or why none ever try research on the game file from Steam ver.? It is a wad file type, but the kofxiv script might not working. I'll upload the sample when I get home

[LarsMasters]

This is the sample. Neither assets.wad works on kofxiv script. From PC ver.

Thief Arthur's file: https://mega.nz/#!QWwGQKJI!r0905hgGz4St ... M9dnOrbuT4

[Doctor Loboto]

Here's one of the archives from the PC version, for the sake of those who can't access Switch Files and the like. I think it would be easier to extract from PC than other formats, since consoles tend to be...weird about their compressions and formats.

https://www.dropbox.com/s/16818fsa81nj9 ... c.wad?dl=0

[Ekey]

Since the format uses encrypted data there

Right, there used CAST128 (CAST5) as encryption. There is a problem with the algorithm, it is modified, the initialization of the key is removed and used already initialized key data.

Code: Select all

struct cast5_ctx {
   uint32_t K[32]; //<-------
};

Data of key is:

Code: Select all

static uint32_t K[32] = {
       0x65B3CD12, 0x080A74CE, 0xB8161A7D, 0x40A9C59A,
       0x1C214F73, 0x062A54CF, 0x509FEE42, 0x3FE50C3D,
       0x07A37254, 0xCC09AF7D, 0x907608F9, 0x45EAD42E,
       0xE5E4BA5C, 0xD95CD309, 0x2EACFB9C, 0x323A49E9,
       0x6D8DFA8F, 0x3D9CDD72, 0xF41CF5BA, 0x92C23079,
       0x29367382, 0x18220DDF, 0xCE482A16, 0xF380E8FB,
       0x5A19B243, 0xEE059CB9, 0x3D1871DA, 0xDD578885,
       0x6AC30D82, 0x27B658AA, 0xC6D39A98, 0xCCBEB258};

And we can use it something like this: (code part from libtomcrypt)

Code: Select all

   R ^= FI(L, cast5_ctx->K[15], cast5_ctx->K[31]);
   L ^= FIII(R, cast5_ctx->K[14], cast5_ctx->K[30]);
   R ^= FII(L, cast5_ctx->K[13], cast5_ctx->K[29]);
   L ^= FI(R, cast5_ctx->K[12], cast5_ctx->K[28]);
   R ^= FIII(L, cast5_ctx->K[11], cast5_ctx->K[27]);
   L ^= FII(R, cast5_ctx->K[10], cast5_ctx->K[26]);
   R ^= FI(L, cast5_ctx->K[9], cast5_ctx->K[25]);
   L ^= FIII(R, cast5_ctx->K[8], cast5_ctx->K[24]);
   R ^= FII(L, cast5_ctx->K[7], cast5_ctx->K[23]);
   L ^= FI(R, cast5_ctx->K[6], cast5_ctx->K[22]);
   R ^= FIII(L, cast5_ctx->K[5], cast5_ctx->K[21]);
   L ^= FII(R, cast5_ctx->K[4], cast5_ctx->K[20]);
   R ^= FI(L, cast5_ctx->K[3], cast5_ctx->K[19]);
   L ^= FIII(R, cast5_ctx->K[2], cast5_ctx->K[18]);
   R ^= FII(L, cast5_ctx->K[1], cast5_ctx->K[17]);
   L ^= FI(R, cast5_ctx->K[0], cast5_ctx->K[16]);

It's works partially, in other matters, as usual

PS: Well, for those who are interested, here is a terrible pseudocode > here

[Ekey]

Okay, I have a some free time for reverse engineering this format. So, what we have:

Header:

Code: Select all

uint32_t dwMagic; //always > 0x52414741 (AGAR)
int32_t dwVersionA; //always > 1
int32_t dwVersionB; //always > 2, revious is 1
int32_t dwReserved; //always > 0
uint32_t dwTableSize; //value needs to be checked, if == 0x80000000 means encrypted

Entry table encrypted by modifed CAST-128, there is also another table here looks like root table, contains a list of directories and filenames (anyway nothing useful for us )
Some files data encrypted by Blowfish and compressed.

Entry Table:

Code: Select all

int32_t dwFileNameLength;
string m_FileName[dwFileNameLength];
int32_t dwSize;
uint32_t dwFlags;
int64_t dwOffset;

The most interesting thing here is the flags, values can be just 0 (Not encrypted or compressed), 0x80000000 (encrypted only) and 0xc0000000 (encrypted and compressed).
I resolved problem with encryption is but now i have problem with compression algorithm. I can't identify algorithm => Pseudo-Code (example files in attach)

LZ series ?

Code: Select all

0, 1, 2, 1, 0, 4, 4, 4, 0, 0, 0, -1, -4, 1, 2, 3

Edited: Probably LZ4 (Ty Yretenai)

Can someone help ?

[Ekey]

Done

Binaries: here
Source: here

[Mysticus]

Thanks for the tools, Ekey!
However, it says "[ERROR]: SNK.LZ4.dll module not found!!" despite being in the folder to me.

[Ekey]

Hmmm, i just checked and it works perfectly. Can you make screenshot of your folder?

[Mysticus]

[Ekey]

Ah, i think I know what the problem, you need to unlock exe and dll . Anyway, i updated the tool to 0.2 and now this library is not needed anymore

https://github.com/Ekey/SNK.WAD.Tool/releases