Blur (xb360) .pak/PAK2, .levelstream/ARCH

[Tosyk]

Please help me to unpack this types of archives:
level.levelstream
gamedata.pak

this bms script doesn't work: http://aluigi.org/papers/bms/blur.bms

[ramzidz15]

I have the same file extracted from switch NSP pakchunk0-Switch.pak,I couldn't find a way to extract it.

[aluigi]

Open the blur.bms script and set the WORK_AROUND variable at line 11 from 0 to 1. It will immediately work.

No idea for the levelstream file.

[Tosyk]

can you check root.pak? I can't extract it

[aluigi]

Long story short the Blur format is a mess.
In this case the problem is caused by the compressed data which can't be decompressed and makes the whole extraction wrong, because the size of each file is calculated on the decompressed data but if the decompression fails (unzip_dynamic or zlib_noerror) the size of the decompressed chunk will be CHUNK_ZSIZE instead of CHUNK_SIZE.
I don't know why decompression isn't zlib or deflate.
So you can't extract anything.

[Tosyk]

It’s impossible to know the compression type to add it the script?

[Ekey]

Code for decrypt PAK filenames (simple xor) :B

Key

Code: Select all

xVXo40j3@$%\%`

Code: Select all

        private static byte[] lpKey = new byte[] {
           0x78, 0x56, 0x58, 0x6F, 0x34, 0x30, 0x6A, 0x33, 0x40, 0x24, 0x25, 0x5C, 0x25, 0x60};

        static Byte[] iDecryptData(Byte[] lpBuffer)
        {
            for (Int32 i = 0; i < lpBuffer.Length; ++i)
            {
                lpBuffer[i] ^= lpKey[(i + 1) % 14];
            }

            return lpBuffer;
        }

[Tosyk]

Code for decrypt PAK filenames (simple xor) :B

Key

Code: Select all

xVXo40j3@$%\%`

Code: Select all

        private static byte[] lpKey = new byte[] {
           0x78, 0x56, 0x58, 0x6F, 0x34, 0x30, 0x6A, 0x33, 0x40, 0x24, 0x25, 0x5C, 0x25, 0x60};

        static Byte[] iDecryptData(Byte[] lpBuffer)
        {
            for (Int32 i = 0; i < lpBuffer.Length; ++i)
            {
                lpBuffer[i] ^= lpKey[(i + 1) % 14];
            }

            return lpBuffer;
        }

Thank you, Ekey, how can I use it? How to implement it to bms? Or it's not for bms?

[aluigi]

At line 37 of blur.bms you can find the encryption command with the key.
Replace that line with the following:

Code: Select all

encryption xor "xVXo40j3@$%\\%`"

Honestly I'm not exactly sure about it because the key of Ekey is exactly the same in the script with the only difference of being shifted of one character (look at the final 'x')... mah, try and let us know.

[Tosyk]

At line 37 of blur.bms you can find the encryption command with the key.
Replace that line with the following:

Code: Select all

encryption xor "xVXo40j3@$%\\%`"

Honestly I'm not exactly sure about it because the key of Ekey is exactly the same in the script with the only difference of being shifted of one character (look at the final 'x')... mah, try and let us know.

doesn't really work as I can judge

[Ekey]

At line 37 of blur.bms you can find the encryption command with the key.
Replace that line with the following:

Code: Select all

encryption xor "xVXo40j3@$%\\%`"

Honestly I'm not exactly sure about it because the key of Ekey is exactly the same in the script with the only difference of being shifted of one character (look at the final 'x')... mah, try and let us know.

On gamedata_boot.pak works fine, idk about other pak's

[Tosyk]

I'm trying to unpack root.pak from this post viewtopic.php?p=67895&sid=5fb7d99a21e8c14ca8910e05602d48fc#p67895
the only pak I have problem with right now

[Ekey]

It works on other paks from xbox? maybe there different key?

[Tosyk]

It works on other paks from xbox? maybe there different key?

all the paks can be unpacked with original http://aluigi.org/papers/bms/blur.bms

the only error I get is from root.pak from this post: viewtopic.php?p=67895#p67895



if I change xor key then I get this error:

[Ekey]

At line 37 of blur.bms you can find the encryption command with the key.
Replace that line with the following:

Code: Select all

encryption xor "xVXo40j3@$%\\%`"

Honestly I'm not exactly sure about it because the key of Ekey is exactly the same in the script with the only difference of being shifted of one character (look at the final 'x')... mah, try and let us know.

I can offer you this variant

Code: Select all

set MEMORY_FILE10 string "
void blur_decrypt(unsigned char* lpBuffer, int dwSize)
{
  unsigned char lpKey[14] = {0x78, 0x56, 0x58, 0x6F, 0x34, 0x30, 0x6A, 0x33, 0x40, 0x24, 0x25, 0x5C, 0x25, 0x60};
  for (int i = 0; i < dwSize; i++)
  {
     lpBuffer[i] ^= lpKey[(i + 1) % 14];
  }
}
"

........
savepos OFFSET
log MEMORY_FILE OFFSET NAMES_SIZE
calldll MEMORY_FILE10 "blur_decrypt" "tcc" RET MEMORY_FILE NAMES_SIZE
math OFFSET += NAMES_SIZE
math OFFSET x= MYALIGN
goto OFFSET
........

[Tosyk]

<...>
I can offer you this variant

Code: Select all

set MEMORY_FILE10 string "
void blur_decrypt(unsigned char* lpBuffer, int dwSize)
{
  unsigned char lpKey[14] = {0x78, 0x56, 0x58, 0x6F, 0x34, 0x30, 0x6A, 0x33, 0x40, 0x24, 0x25, 0x5C, 0x25, 0x60};
  for (int i = 0; i < dwSize; i++)
  {
     lpBuffer[i] ^= lpKey[(i + 1) % 14];
  }
}
"

........
savepos OFFSET
log MEMORY_FILE OFFSET NAMES_SIZE
calldll MEMORY_FILE10 "blur_decrypt" "tcc" RET MEMORY_FILE NAMES_SIZE
math OFFSET += NAMES_SIZE
math OFFSET x= MYALIGN
goto OFFSET
........

is this a bms script? how to use this code? sorry, I'm a little bit confused

[aluigi]

Put the "set MEMORY_FILE10..." part at the beginning of the script.

The rest (from savepos to goto) overwrite the section of the script from line 36 to 42, it's easy to recognize because it's almost identical to the patch.

[Ekey]

This should solve the decryption problem, but not the decompression of the files data for xbox paks.

[Tosyk]

okay, right now I have this output


also my script look like this:

Code: Select all

# Blur (script 0.3.3)
#   note that I have tried to support multiple versions of the Blur
#   archives with the result of being possibly not 100% compatible
#   with some of them.
#   would be required a full rewrite for each version but finding
#   all the old files is a pain at the moment
#   in case of problems set WORK_AROUND to 1
# script for QuickBMS http://quickbms.aluigi.org

set MEMORY_FILE10 string

# set WORK_AROUND to 1 if you get an error
math WORK_AROUND = 0

getdstring SIGN 4
if SIGN == "2KAP"
elif SIGN == "PAK2"
    comtype xmemdecompress
    endian big
else
    cleanexit
endif
if WORK_AROUND != 0
    string SIGN r SIGN
endif

get PAK_SIZE asize

get VERSION long
get MYALIGN long
goto 0x38
get NAMES_SIZE long
if NAMES_SIZE == 0
    goto MYALIGN
    get NAMES_SIZE long
endif

savepos OFFSET
log MEMORY_FILE OFFSET NAMES_SIZE
calldll MEMORY_FILE10 "blur_decrypt" "tcc" RET MEMORY_FILE NAMES_SIZE
math OFFSET += NAMES_SIZE
math OFFSET x= MYALIGN
goto OFFSET

get FILES long
get DUMMY long
get DUMMY long
for i = 0 < FILES
    get NAME_OFF long
    get DUMMY long
    get SIZE long
    get TIMESTAMP longlong
    get OFFSET longlong
    if SIGN == "2KAP"
        if VERSION >= 2
            get CHUNK_SIZE long
            get CHUNK_ZSIZE long
        endif
    endif
    get ZERO long
    if ZERO == 0
        getdstring DUMMY 0x18
    endif

    if OFFSET != -1
        math OFFSET *= MYALIGN
        savepos TMP
        goto OFFSET

        math CHUNK_SIZE  = 0x10000
        math CHUNK_ZSIZE = 0

        if SIGN == "PAK2"
            get CHUNK_ZSIZE long
            #math CHUNK_ZSIZE -= 4    # ???
            savepos OFFSET
            get CHUNK_SIZE long
            if CHUNK_SIZE != SIZE
                get CHUNK_ZSIZE long
            else
                goto OFFSET
            endif
        else
            get CHUNK_SIZE long
            if CHUNK_SIZE != SIZE
                comtype unzip_dynamic   #deflate
                get CHUNK_ZSIZE long
            else
                comtype unzip_dynamic   #zlib
                goto OFFSET
                if VERSION <= 1
                    get CHUNK_ZSIZE long
                endif
            endif
        endif

        savepos OFFSET

        # lame work-around for another gamedata.pak file
        if CHUNK_SIZE u> PAK_SIZE
            math OFFSET -= 8
            math CHUNK_SIZE = SIZE
            math CHUNK_ZSIZE = SIZE
        elif CHUNK_ZSIZE u> CHUNK_SIZE
            math OFFSET -= 4
            math CHUNK_ZSIZE = CHUNK_SIZE
        endif

        goto TMP

        goto NAME_OFF MEMORY_FILE
        get NAME string MEMORY_FILE

        math TMP = CHUNK_ZSIZE
        math TMP x= MYALIGN

        math TMP2 = PAK_SIZE
        math TMP2 -= OFFSET

        savepos TMP_OFF
        if SIZE == TMP
            if SIZE > TMP2
                math SIZE = TMP2
            endif
            log NAME OFFSET SIZE
        elif SIZE == CHUNK_ZSIZE
            if SIZE > TMP2
                math SIZE = TMP2
            endif
            if SIGN == "PAK2"
                log NAME OFFSET SIZE
            else
                clog NAME OFFSET SIZE SIZE
            endif
        else
            if i == 0
                # just a compression check
                if SIGN == "PAK2"
                    comtype zlib_noerror
                    clog MEMORY_FILE3 OFFSET CHUNK_ZSIZE SIZE
                    get XSIZE asize MEMORY_FILE3
                    if XSIZE < SIZE
                        comtype xmemdecompress
                    else
                        comtype unzip_dynamic   #zlib
                    endif
                endif
            endif

            putvarchr MEMORY_FILE2 SIZE 0
            log MEMORY_FILE2 0 0
            append
            for
                clog MEMORY_FILE2 OFFSET CHUNK_ZSIZE CHUNK_SIZE
                get MYSIZE asize MEMORY_FILE2
                if MYSIZE >= SIZE
                    break
                endif
                math OFFSET += CHUNK_ZSIZE
                goto OFFSET
                get CHUNK_ZSIZE long
                savepos OFFSET
            next
            append
            log NAME 0 SIZE MEMORY_FILE2
        endif
        goto TMP_OFF
    endif
next i

[Ekey]

You should be copy this part

Code: Select all

set MEMORY_FILE10 string "
void blur_decrypt(unsigned char* lpBuffer, int dwSize)
{
  unsigned char lpKey[14] = {0x78, 0x56, 0x58, 0x6F, 0x34, 0x30, 0x6A, 0x33, 0x40, 0x24, 0x25, 0x5C, 0x25, 0x60};
  for (int i = 0; i < dwSize; i++)
  {
     lpBuffer[i] ^= lpKey[(i + 1) % 14];
  }
}
"

instead of

Code: Select all

set MEMORY_FILE10 string