Shumenol Data extraction

[daniil]

Hello everyone.
It's my first time posting here, so I can't help but be thrilled.
I will continue to use this forum to share good opinions.
Now I'm trying to extract the evp files of shumenol V7902, but it doesn't work.

The script I am using is as follows.
Tailsman's previous version evp files can be extracted using this script.
When I tried to analyze client.exe with IDA to extract this shumenol's data, it was packed.

So, when I unpacked and analyzed client.exe, the data structure was definitely different.
We are currently analyzing and unraveling using IDA, X64Dbg, and Quickbms.
But it doesn't work as intended.
If anyone can help, let's discuss it.


get NAME string
get TYPE short # 'h'
get OFFSET longlong
get ZSIZE long # 0x00077506
math ZSIZE & 0xfffffc00
get FILES long # 0x00459e
get DUMMY longlong # 0x1b0
get DUMMY longlong
idstring "mars"

if TYPE == 'h' # 'h'
print "Appropriate file"
else
print "Not proper file"
cleanexit
endif

[daniil]

Found ALGO & KEY & IVEC of encryption.
encryption ALGO KEY IVEC

The remainder is to get the method how to take OFFSET and ZSIZE and SIZE of each file.
The structure is a bit odd.

[DKDave]

It might be better if you post an actual sample of one or two .evp files so that people can look at it.

And also post the encryption method/key/ivec too!

[daniil]

Only when all are completed, I can post some example.
All the datas are what I've been struggling to find, but I will show gladly.

The number and names of file extensions and folders have been done.
The remainders also will be completed soon.

[daniil]

I already analyzed everything and created a bms file
I changed my mind when I was about to reveal it.
I'm sorry.

[daniil]

The bms file I made successfully unpacks the evp files of the latest entertainment including Zui and Shumenol.
Contact me if you need this file.
Please use the pm of this forum if you want to contact me.
If you didn't post even one time, please include your link in pm.