Cars: Race-O-Rama .XBR

[itsmeft24]

I am trying to extract the files from the game's XBR archive with their original filenames. However, the archive doesn't seem to contain them anywhere. After consulting the rainbow_studios.BMS script for answers, I can see that they are hashed. Does anyone know how I should go about determining the algorithm?

Example Filename: C\Global\Chars\McQ\Tex\McQ_Body.dds
Location in Cars3.XBR: 0xFBEE000
Location as defined in Table: 0x0001F7DC (Multiply by 0x800 to get real location)
Hash as defined in Table: 0x89BF733F
Size as defined in Table: 0x40080

[itsmeft24]

I noticed that nobody has taken a look at it yet. I am bumping this post. If you have any clue, please let me know!

[Ekey]

You need to find a hashing algorithm. As I can see, this game did not come out on PC and therefore it will be problematic to do it

[itsmeft24]

I have tried the likes of Adler32 and CRC-32 to no avail. Do you think it is something custom or standard?

[itsmeft24]

Hmm... Would it be beneficial if I uploaded the default.xex binary? (This version is 360)

[Ekey]

It can be any 32-bit algorithm, not only CRC32. For example fnv32, murmur, rs, pjw, elf, bkdr, sdbm, djb, ap and more like this. It can also be custom algorithm

[itsmeft24]

I see... I will try some of those and get back to you.

[Ekey]

Anyway, there is nothing much we can do without reverse engineering.

[itsmeft24]

Upon closer inspection, the hashes of files that are close to each other are similar...

For example, the files Res\Data\C\Global\Chars\VehicleInfo.x360.mtl and Res\Data\C\Global\Chars\VehicleInfo.x360.res:

VehicleInfo.x360.mtl: Hash: 0xc9ea38c0, Size: 0x1ad28, Offset: 0x48ddf800
VehicleInfo.x360.res: Hash: 0xc9ea4c1d, Size: 0x13c594, Offset: 0x48dfa800

[itsmeft24]

It turns out they use DJB-2 in this game, or at least in the Xbox 360 version. Regardless, thank you so much!

[Ekey]

In that case, you need to find the initial hash for this algorithm (default is 5381 / 0x1505)

[Ekey]

I also want to warn you that the structure defined in rainbow_studios.bms is incorrect. Entry table is started from 0x18 offset and have next structure > hash, size, offset

[itsmeft24]

They say hindsight is 2020. Looking back, there were TONS of signs pointing to DJB-2. MOT files (animation data) having DJB-2 default primes at the footer, the function itself being inlined into so many parts of the game's code (at least the Wii versions, though they don't use this archive), and it being used in BPB files for speeding up parameter lookups.

Also this reply is almost a year late lol most of these discoveries were made months ago, soon after I realized it was DJB-2

Note: A big resource for reverse-engineering Race-O-Rama is the Wii version. Though it behaves very differently from the Xbox 360/PS3 versions, looking at it can help to better understand how the game works. Simply load main.dol into Ghidra (with the appropriate plugin) with the cars3.wii.map symbol map (lmao incinerator left that shit in) and everything all starts to make sense...