Sega Heroes/Marvel Puzzle Quest (ANDROID/ALLPLATS) *.SAR

[LolHacksRule]

Cannot open these SAR files, not plain ZIP/7Z/RAR. https://we.tl/t-a2YLBOoNja, they appear to contain all the game data. Offzip doesn't help.

[Ekey]

Probably encrypted. Share apk or ipa.

[LolHacksRule]

https://we.tl/t-Zc5euE5oUK

[Ekey]

Temporary script : viewtopic.php?p=38006#p38006

[LolHacksRule]

Sorry about that, I think the APK is partially incomplete... But thanks anyway also sorry about this accidental repost on this game.

[Ekey]

Do you have iOS version ?

[LolHacksRule]

Err no, I focus only on Android. https://we.tl/t-wLv4GHHaUt proper upload of APK split.

[Ekey]

Nwm. I just found algorithm for decrypt. At the moment, I’m studying it how it works.

[Ekey]

Well, there was a problem with decompressing data. Some files cannot be decompressed (95% of files ). Always same error.

Code: Select all

Info:  algorithm   478
       offset      00000008
       input size  0x00000199 409
       output size 0x00000a6a 2666
       result      0xffffffe0 -32
       
Error: the uncompressed data (-32) is bigger than the allocated buffer (2666)
       It usually means that data is not compressed or uses another algorithm

I will tryed to use comtype scanner, but it didn’t give good results. Header of compressed files always start like:

Code: Select all

dwSignature -> ZSTD
dwDecompressedSize

PS: Files data decrypted correctly!

Example files is attached. Maybe someone can tell what the problem is?

Edited: I compiled ZSTD library from source's and tool give error like :

Code: Select all

Decoding error (36) : Dictionary mismatch

Edited2: Everything works fine on textures, but something is wrong on files like plaintext (json, lua, dat and etc..).

Some pics.

[Ekey]

Okay, i solved this puzzle. A dictionary file is sometimes present in archives and named like:

Code: Select all

pkgcdict_pc.dat
pkgcdict_ios.dat
pkgcdict_android.dat

We can use it for decompress. Example decompress file with using zstd tool > loc\english\pc\locale.json

Code: Select all

zstd -D pkgcdict_pc.dat --decompress locale.json

We get normal unpacked data

https://pastebin.com/5ni2rvdP

Now the most important question: How can we use this dictionary to work in QuickBMS?

Edited: I tryed use dictionary like that but doesn't work. Bug?

Code: Select all

set DICTIONARY compressed ".....compressed_dict_here...."
strlen DICTIONARY_SIZE DICTIONARY 1
comtype zstd DICTIONARY DICTIONARY_SIZE

[Ekey]

I could not get QuickBMS to work with the dictionary, so I wrote my unpacking tool! Tested on

Code: Select all

Marvel Puzzle Quest (PC and Android)
SEGA Heroes: Match-3 RPG Quest (Android)

Code: Select all

[Usage]
    SARUnpacker <m_File> <m_OutputDirectory>

Code: Select all

[Example]
    SARUnpacker D:\Android_BaseContent.sar D:\Unpacked\Android_BaseContent

[LolHacksRule]

Thank you so much! Some JSON files aren't auto-double-decompressed and have ZSTD in the compressed data. There's also a new JSON binary data serializer used in newer versions, not asking how to break it but I'll see soon (looks tough), LBC files have two LuaJit files compiled in them with the exact same data. Also how would I repack them?

Code: Select all

LJ LBC data:

5bytes: Always F3 82 C8 A3 01, header
3bytes: zero
1byte: 20
3bytes: zero
1-3bytes: LuaJit binary size, data count above 255 uses 1-2 extra bytes in little endian.
1byte: zero
1-3bytes: Some data size? Filesize?, data count above 255 uses 1-2 extra bytes in little endian.
1byte: zero
1-3bytes: LuaJit binary size, data count above 255 uses 1-2 extra bytes in little endian.
9bytes: zero
beyond: LuaJit binary data, always repeated twice, idk why.

[zeaofsuos]

ADMIN, DELETE.

[billymays]

Sorry for the necropost, but I was wondering if Ekey (or someone else) could help with reconstructing a SAR. It should be theoretically simple, I want to reconstruct Android_ClientSettings.sar with contains just one file (a JSON), and I could probably even work from the SARUnpacker source if Ekey is willing to provide it. Like I said, it's just trying to repack a single file.

[plizard]

Hi, sorry for the necropost

First off, EKey's tool works wonderfully. However, I was wondering if anyone could help me understand why this all works, as I'm trying to get a better grasp of things.

From reading through it all, it seems like, quickBMS is first used to decompress the *.sar archive based on the bms script provided by aluigi. Afterwards, it seems like zstd is used to apply the dictionary key to the individual extracted items. My guess is the tool just encapsulates both steps? However, where I seem to be at a loss is why it seems to work with the pc_config.sar file. When I open it up in HxD, I don't see a ZSTD header, yet the tool seems to work on it just fine. Is there something that I'm missing?

Thanks in advance

[Ekey]

I'm a lazy ass, so if someone wants to make a packer, then I attach the source code :B

[plizard]

Hi Ekey,

Thanks for the source code! I'll try to take a look at it later. In the meantime, maybe you can help me with something. I tried running your tool on the latest updates, and got this error:

Code: Select all

Demiurge Studios SAR Unpacker
(c) 2019 Ekey (h4x0r) / v1.0.0.0

Unhandled Exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.IO.IOException: Unknown frame descriptor
   at Zstandard.Net.ZstandardInterop.ThrowIfError(UIntPtr code)
   at Zstandard.Net.ZstandardStream.Read(Byte[] buffer, Int32 offset, Int32 count)
   at System.IO.Stream.InternalCopyTo(Stream destination, Int32 bufferSize)
   at System.IO.Stream.CopyTo(Stream destination)
   at SARUnpacker.Core.Compression.ZSTD.iDecompress(Byte[] lpSrcBuffer, Int32 dwZSize)
   at ????????.????????(String ?????T??, String ????????)
   at SARUnpacker.Program.Main(String[] args)
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at CompressShell.Main(String[] args)

I'm not quite sure if they changed the way they did compression. I have the *.sar file uploaded here:
https://filebin.net/fij4amv0vmcidthx

Thanks in advance

[Ekey]

Probably something has changed in the encryption. Where is this file from?

[plizard]

So the game goes through two different types of updates: a release update every two weeks, and a daily data push. This file came from the daily data push. When you run the game, it downloads the update files into your <user>/appdata/local/demiurge studios/marvel puzzle quest/data folder.

There was a release update yesterday, and your tool worked fine on that config file, but failed on the configUpdate file, where it's been working on in the past.

[Ekey]

Well, problem in building encryption key

replace this line in Reader.cs

Code: Select all

string lpEncryptionKey = String.Format("{0}{1}", wBuildVersionMinor + wBuildVersionMajor, dwBuildChangeList);

to this

Code: Select all

string lpEncryptionKey = String.Format("{0}{1}", wBuildVersionMajor, dwBuildChangeList);