GameShield DRM

News and discussions about new, recent and work-in-progress security vulnerabilities affecting games and game-related software
LolHacksRule
Posts: 865
Joined: Fri Apr 20, 2018 12:41 am

GameShield DRM

Post by LolHacksRule »

I'm currently looking at a portion of multilingual games from non-modern PopCap. I eventually stumbled on the Japanese version of Peggle Nights, which requires administrative privileges to run. Upon looking up information on the file data, it is related to GameShield DRM from Yummy Interactive. Despite being from a setup, the content provided by it is just documents and, most importantly, an exe that is 90MB, where I can see many resources crammed into it, most are related to the game nor the DRM client. I can't run the game, as it tries to locate content that doesn't exist, but it may be a cheat build, as it is titled that when running it. There are no PAK files I can see in the game data. Any advice on unpacking it along with the game data? Thank you so much.

https://anonymousfiles.io/cREaTXd0/

Code:

-=[ ProtectionID v0.6.9.0 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/17-21:05:42
Ready...
Scanning -> PeggleNights_JPN\PeggleNights.exe
File Compression State : 0 (Not Compressed)
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 92447536 (0582A330h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x00000000 -> Thu 01st Jan 1970 00:00:00 (GMT)
[!] Digital Signature signed by a known DRM provider -> PopCap Games
-> File Appears to be Digitally Signed @ Offset 05828DA0h, size : 01590h / 05520 byte(s)
-> File has 2 (02h) bytes of appended data starting at offset 05828D9Eh
[LoadConfig] CodeIntegrity -> Flags 0xA3F0 | Catalog 0x46 (70) | Catalog Offset 0x2000001 | Reserved 0x46A4A0
[LoadConfig] GuardAddressTakenIatEntryTable 0x8000011 | Count 0x46A558 (4629848)
[LoadConfig] GuardLongJumpTargetTable 0x8000001 | Count 0x46A5F8 (4630008)
[LoadConfig] HybridMetadataPointer 0x8000011 | DynamicValueRelocTable 0x46A66C
[LoadConfig] FailFastIndirectProc 0x8000011 | FailFastPointer 0x46C360
[LoadConfig] UnknownZero1 0x8000011
[File Heuristics] -> Flag #1 : 00000000000001001100000000100110 (0x0004C026)
[Entrypoint Section Entropy] : 7.63 (section #0) "YMY     " | Size : 0x57B35EE (91960814) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 3 (0x3) | ImageSize 0x5889000 (92835840) byte(s)
[VersionInfo] Product Name :  Peggle Nights Application
[VersionInfo] Product Version : 1.00.3.5802
[VersionInfo] File Description : Peggle Nights
[VersionInfo] File Version : 1.00.3.5802
[VersionInfo] Original FileName : PeggleNights.exe
[VersionInfo] Internal Name : Peggle Nights
[VersionInfo] Legal Copyrights : Copyright (C) 2008
[ModuleReport] [IAT] Modules -> kernel32.dll
[!] Yummy Interactive GameShield/Software Shield Protection detected !
[CdKeySerial] found "Trial version" @ VA: 0x00398720 / Offset: 0x00397920
[CdKeySerial] found "Trial version" @ VA: 0x00398782 / Offset: 0x00397982
[CdKeySerial] found "Trial version" @ VA: 0x00402BE3 / Offset: 0x00401DE3
[CdKeySerial] found "SerialNumber" @ VA: 0x006E16A0 / Offset: 0x006E08A0
[CdKeySerial] found "SerialNumber" @ VA: 0x006E3AD7 / Offset: 0x006E2CD7
[CdKeySerial] found "ActivationCode" @ VA: 0x006E3B69 / Offset: 0x006E2D69
[CdKeySerial] found "SerialNumber" @ VA: 0x006E7489 / Offset: 0x006E6689
[CdKeySerial] found "ActivationCode" @ VA: 0x006E7698 / Offset: 0x006E6898
[CdKeySerial] found "Trial version" @ VA: 0x053DF720 / Offset: 0x053DE920
[CdKeySerial] found "Trial version" @ VA: 0x053DF781 / Offset: 0x053DE981
[CdKeySerial] found "Trial version" @ VA: 0x053F4EF8 / Offset: 0x053F40F8
[CdKeySerial] found "Trial version" @ VA: 0x053F4F59 / Offset: 0x053F4159
[CdKeySerial] found "ActivationCode" @ VA: 0x057B64E5 / Offset: 0x057B4CE5
[CdKeySerial] found "ActivationCode" @ VA: 0x057B6500 / Offset: 0x057B4D00
[CdKeySerial] found "SerialNumber" @ VA: 0x057B6A3F / Offset: 0x057B523F
[CdKeySerial] found "SerialNumber" @ VA: 0x057B6A5C / Offset: 0x057B525C
[CdKeySerial] found "SerialNumber" @ VA: 0x057B6A7B / Offset: 0x057B527B
[CdKeySerial] found "ActivationCode" @ VA: 0x057B6DD4 / Offset: 0x057B55D4
[CdKeySerial] found "SerialNumber" @ VA: 0x057B6F36 / Offset: 0x057B5736
[CdKeySerial] found "SerialNumber" @ VA: 0x057B6FA0 / Offset: 0x057B57A0
[CdKeySerial] found "SerialNumber" @ VA: 0x057B6FBE / Offset: 0x057B57BE
[CdKeySerial] found "SerialNumber" @ VA: 0x057B6FD8 / Offset: 0x057B57D8
[CdKeySerial] found "SerialNumber" @ VA: 0x057B7145 / Offset: 0x057B5945
[CdKeySerial] found "SerialNumber" @ VA: 0x057B7190 / Offset: 0x057B5990
[CdKeySerial] found "ActivationCode" @ VA: 0x057B71F5 / Offset: 0x057B59F5
[CompilerDetect] -> Visual C++ 8.0 (Visual Studio 2005)
- Scan Took : 8.907 Second(s) [000001F9Dh (8093) tick(s)] [566 of 580 scan(s) done]

Last edited by LolHacksRule on Fri May 14, 2021 8:33 pm, edited 1 time in total.
z4ruz
Posts: 75
Joined: Sun Jan 10, 2021 2:23 pm

Re: GameShield DRM

Post by z4ruz »

By searching for 'GameShield Manual Unpacking' I've found an article by ARTeam - it doesn't look like easy reading, but I hope it can help.

Resources can be ripped with several tools I came across just today.
Make sure to configure them for the expected formats before scanning.
Ravioli Scanner 2.1 can extract pictures.
Jaeder Naub 2.2.4g - even more pictures and playable sound. I'd recommend this one personally.
Hyper Ripper module of Dragon UnPACKer 5.0.7 beta - half as many JPEGs, but good as well. The tool has a picture preview option. The latest nightly build gave me "Error while scanning... Aborting... Stack overflow". I'll have to try earlier commits...
X-Ripper 1.5 - extracts sound and pictures. Some pics are half corrupt.
MultiExtractor 3.3 - scans fast, finds more pictures. But the ripped ogg sound is corrupt.

A .pak string is found in the .exe, but there is no 7 1/2 7 signature.
Not sure if it is the installer or the game itself.
Last edited by z4ruz on Fri May 14, 2021 8:05 pm, edited 1 time in total.
LolHacksRule
Posts: 865
Joined: Fri Apr 20, 2018 12:41 am

Re: GameShield DRM

Post by LolHacksRule »

It's most likely the packaged executable itself; installing the game using the given setup or unpacking it gives this big executable, which is the game combined with the data. I have read that article, but I'm not sure if it can help unpack the game data as well.

UPDATE: Upon looking at the executable, I found this about the data offset format.

Code:

13bytes: 01 00 00 00 04 00 00 00 64 61 74 61 (Data header)
1byte: Name combined with location size
3bytes: 00
?bytes: File location
?bytes: File data size - 10 (Where is the 10 from?)
11bytes: 00 00 00 00 00 00 00 01 00 00 00 00 00 80 00 00 00
?bytes: File data
z4ruz
Posts: 75
Joined: Sun Jan 10, 2021 2:23 pm

Re: GameShield DRM

Post by z4ruz »

Noteworthy: on error you can write some commands to the Lua debugging console, like print. exit will close the cmd window, but the main window will stay open. The same happens if you create an empty file at the requested path, but the error would be "Unable to find function CreateLinkedObject".
Notes to self: if searching for strings, try the Unicode version as well (chars separated by 00).
The executable doesn't have a main.lua string, but has main.luc, which is PopCap's custom Lua format.
https://github.com/wxarmstrong/PopLua-Disassembler - did you finally get it working?

Normal setups of PeggleNights (from the PopCap site) have the drm folder inside, if opened as an archive. The object, launched with that folder alongside, throws a new error - "Unable to find function InternalErrorScreen". And a blank window, as before.
LolHacksRule
Posts: 865
Joined: Fri Apr 20, 2018 12:41 am

Re: GameShield DRM

Post by LolHacksRule »

I'm pretty sure it's because PopCap's DRM wrapper client that runs the game is also present in the exe, and when there's no scripts directory, it shows the debug console on bootup. I tried that with worldwide releases and that happens as well, so it isn't specific. I don't think the PopLua Disassembler will work, as those Luc files from the DRM (and also some proprietary resource generator, according to BejTwist JP leftovers) are Unicode and it doesn't look like there's code to detect that format.
z4ruz
Posts: 75
Joined: Sun Jan 10, 2021 2:23 pm

Re: GameShield DRM

Post by z4ruz »

Peggle.bms
LolHacksRule
Posts: 865
Joined: Fri Apr 20, 2018 12:41 am

Re: GameShield DRM

Post by LolHacksRule »

Thank you so much. I don't have any other games protected by GameShield, so it may work on other games protected by this version of the protector as well.
LolHacksRule
Posts: 865
Joined: Fri Apr 20, 2018 12:41 am

Re: GameShield DRM

Post by LolHacksRule »

UPDATE: Well, it worked, but the files aren't exactly extracted properly, as 01 00 00 00 04 00 00 00 64 61 is copied to the end of every file. Luckily, adding the line fsize - 10 removes the bytes that aren't necessary and mostly results in readable files. Unfortunately, not all are readable; for example, a portion of the JP2 files are incorrectly written, so I cannot use the manually extracted game data with the manually extracted exe.
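An added example, not from anyone in this thread or from the Peggle.bms script, that ties together the record layout posted above (header bytes 01 00 00 00 04 00 00 00 "data", then a 1-byte name length padded with three zero bytes, then the name) and the "fsize - 10" artifact from the last post. It locates records by their header signature on a constructed sample container, and strips the 10 spilled header bytes only when they are actually present, so a correctly split file is not truncated. Reading the length byte plus its padding as one 4-byte little-endian integer, the ASCII names, and the payload directly following the name are assumptions; the size field and the constant bytes from the post are not modelled.

```python
import struct

# Record header described in the thread: 01 00 00 00 04 00 00 00 "data" (12 bytes).
HEADER = bytes.fromhex("0100000004000000") + b"data"
# A naive splitter appends the first 10 of those bytes to the end of every
# extracted file; that is what the thread's "fsize - 10" works around.
SPILL = HEADER[:10]


def find_records(blob: bytes) -> list:
    """Locate every header in blob and split it into (offset, raw_record) pairs.
    Each raw record runs from its header to the next header (or end of blob)."""
    offsets = []
    pos = blob.find(HEADER)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(HEADER, pos + len(HEADER))
    return [(start, blob[start:(offsets[i + 1] if i + 1 < len(offsets) else len(blob))])
            for i, start in enumerate(offsets)]


def record_name(raw: bytes) -> str:
    """The 1-byte name length and its 3 zero bytes are read as one 4-byte
    little-endian integer (an assumption); the name follows immediately."""
    (name_len,) = struct.unpack_from("<I", raw, len(HEADER))
    start = len(HEADER) + 4
    return raw[start:start + name_len].decode("ascii")


def trim_spill(data: bytes) -> bytes:
    """Drop the spilled header bytes only if they are really there, so a file
    that ends differently (the last one, or a correctly split one) is untouched."""
    return data[:-len(SPILL)] if data.endswith(SPILL) else data


# Constructed sample container: two records carrying only header, name and payload.
def _record(name: bytes, payload: bytes) -> bytes:
    return HEADER + struct.pack("<I", len(name)) + name + payload


SAMPLE = _record(b"images/a.jp2", b"JP2-PAYLOAD") + _record(b"scripts/main.luc", b"LUC-PAYLOAD")
# What a naive extractor would write for the first file: payload plus 10 spilled bytes.
NAIVE_FIRST = b"JP2-PAYLOAD" + SPILL

if __name__ == "__main__":
    for off, raw in find_records(SAMPLE):
        print(f"0x{off:08X} {record_name(raw)}")
    print(trim_spill(NAIVE_FIRST))       # spill removed
    print(trim_spill(b"LUC-PAYLOAD"))    # left intact
```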