Possible next features of QuickBMS

Doubts, help and support about QuickBMS and other game research tools
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Possible next features of QuickBMS

Post by aluigi »

@Ekey
Just for your information, the hsel library is bugged and can't work correctly.
In fact the 3des encryption/decryption writes data outside the buffer crashing quickbms which has protections against these problems.
Even by fixing the problem I get wrong data.
In short it's all bugged and doesn't work.
Ekey
Posts: 1383
Joined: Sat Aug 09, 2014 2:34 pm

Re: Possible next features of QuickBMS

Post by Ekey »

I don't know what the problem is, but I have tested this source and it works perfectly.
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Possible next features of QuickBMS

Post by aluigi »

It works (sort-of) perfect if you don't have checks on the limits of the buffer :)

Code:

   while (1 < iBlockCount)
   {
      (*(lpBlock--)) += iTempLeftKey;
      iTempLeftKey = *(lpBlock - 1);   /* on the last iteration lpBlock already points at the first block, so this reads the 4 bytes before the buffer */
      iBlockCount--;
   }
Basically it takes data from 4 bytes before the beginning of the buffer with (*(lpBlock-1)).
I added some checks and it works, but I'm not sure if the encryption is correct because it looks very weak.
What I mean is that it's not a real DES but just a lame xor (complicated but still just a xor).

As default setting for quickbms I use:
eninit.iDesCount = HSEL_DES_TRIPLE;
eninit.iSwapFlag = HSEL_SWAP_FLAG_ON;
eninit.iCustomize = HSEL_KEY_TYPE_CUSTOMIZE;
eninit.iEncryptType = HSEL_ENCRYPTTYPE_1;
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Possible next features of QuickBMS

Post by aluigi »

quickbms 0.7.6 is ready so if you have any last-minute request before its release, now it's the moment :)
chrrox
Posts: 388
Joined: Thu Aug 07, 2014 10:28 pm

Re: Possible next features of QuickBMS

Post by chrrox »

New compression is released
https://github.com/solaris573/taikotools
will fix tales of games compression.
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Possible next features of QuickBMS

Post by aluigi »

thanks for the link, added to my todo list
spider91
Posts: 233
Joined: Sun Aug 24, 2014 5:26 pm

Re: Possible next features of QuickBMS

Post by spider91 »

Hi, can you add ERR_VALUE to the clog command, like in findloc? I have a compressed file with chunks and sometimes the compressed size is 0x4000 lower than it should be. It seems to be around every 0x800000 bytes, but I can't understand its logic completely. ERR_VALUE would be very useful as a workaround, because it will be possible to do something like this:

Code:

if ERR_VALUE == ""
    math ZSIZE += 0x4000
    clog MEMORY_FILE OFFSET ZSIZE SIZE
endif
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Possible next features of QuickBMS

Post by aluigi »

In my experience a similar feature was useful only with incomplete formats or when I had to "scan/guess" a compression... definitely not worth it for normal usage.
The goal of quickbms and its language is to be as simple as possible.
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Possible next features of QuickBMS

Post by aluigi »

Almost ready to work on quickbms 0.7.7 so it's time for sending feedbacks and error reports.
spider91
Posts: 233
Joined: Sun Aug 24, 2014 5:26 pm

Re: Possible next features of QuickBMS

Post by spider91 »

Can you make putvarchar work with TEMPORARY_FILE? MEMORY_FILEs are useful, but not for big files, because it gives a malloc error even with the exe for 4gb files, so sometimes TEMPORARY_FILEs need to be used, but I can't change values inside them without a working putvarchar.
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Possible next features of QuickBMS

Post by aluigi »

The problem is that TEMPORARY_FILE is just the name of a file, so it can be used only with Open and *Log.
Instead putvarchr is a memory-related command.
The only way for you is just using goto and put on the file number that you used for the temporary file.
spider91
Posts: 233
Joined: Sun Aug 24, 2014 5:26 pm

Re: Possible next features of QuickBMS

Post by spider91 »

So I open the file, use goto to go to the needed position, and then how do I change the value at that offset?
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Possible next features of QuickBMS

Post by aluigi »

The Put command does the job:
put 0x11223344 long 1 # if 1 is the filenumber of TEMPORARY_FILE

You must run quickbms with the -w option for being able to modify the file.

Anyway this is stuff that is not really related to extraction and to the purpose of quickbms, so it's a sort of hack; I suggest you use a programming language.
spider91
Posts: 233
Joined: Sun Aug 24, 2014 5:26 pm

Re: Possible next features of QuickBMS

Post by spider91 »

Yeah, it would be really better, thanks.
NullRd
Posts: 19
Joined: Sat Jun 06, 2015 6:50 pm

Re: Possible next features of QuickBMS

Post by NullRd »

Hello aluigi!
Do you have plans to add some... idk.. kinda JIT compiler or something else to improve performance?
Usually I'm using QuickBMS for decrypting files, but with custom algorithms it takes too much time to get a result from a script.

e.g. I want to decrypt 120 MB file with this script, and on my PC it takes about 20 minutes (dual-core athlon 2.9 GHz)
Can it be any faster?

Code:

get fsize asize
log memory_file 0 fsize

for i = 0 < fsize
  xmath crypt "(i & 0xFF) * 33 + (fsize & 0xFF) + 125"
  getvarchr x memory_file i
  math x ^= crypt
  putvarchr memory_file i x
next i += 1

get fname basename
string fname += "_dec.bin"

log fname 0 fsize memory_file
exit



Later I rewrote this. A script with a table of pre-calculated "crypt" values gives me 7 minutes instead of 20, but it is still too slow for me.. :(
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Possible next features of QuickBMS

Post by aluigi »

Eh JIT would be cool but a core rewriting of quickbms is not possible, it takes a huge amount of time and effort for both writing and testing. Really impossible at the moment.

The solution I adopt when I need to work with custom algorithms is simply writing a C function (or a dll) and dumping it, then using it in quickbms as a MEMORY_FILE to call with CallDLL.
The only down-side of this solution is that the user will be prompted to acknowledge the usage of the dll/dumped_function before running it (for security reasons).
NullRd
Posts: 19
Joined: Sat Jun 06, 2015 6:50 pm

Re: Possible next features of QuickBMS

Post by NullRd »

Whoa! Calldll can run pure compiled code? Somehow I didn't notice that before.
Since I'm familiar with x86 asm language, this feature would make my work a lot easier.
Many thanks, aluigi! :D
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Possible next features of QuickBMS

Post by aluigi »

Yeah CallDLL is really awesome: physical DLLs, memory dlls, dumped functions and even dumped groups of functions (since it's possible to specify the offset of the data to execute).
Theoretically you can even build the x86 code at runtime with the embedded assembler in quickbms and then run the buffer you generated :)

Just remember to specify the correct calling convention, for example cdecl if you use gcc/mingw (default) or stdcall for VC++.
NullRd
Posts: 19
Joined: Sat Jun 06, 2015 6:50 pm

Re: Possible next features of QuickBMS

Post by NullRd »

Got another question - what is the best way to put my code into a script directly?

Code:

// "put string" places string as is, without converting hex codes to a hex numbers
put "\x31\xC0\x40\xC3" string memory_file

// binary type seems to be unsupported by "put" command
put "\x31\xC0\x40\xC3" binary memory_file

// this actually works, but only until the first zero byte occurs
set code binary "\x31\xC0\x40\xC3"
put code string memory_file

// now I'm using this code. The only inconvenience is that I need to specify the actual length in bytes
set code binary "\x31\xC0\x40\xC3"
putdstring code 4 memory_file


Another thing - I've found that I don't have a permission to write into a memory section which is containing my code.
Is there any way to use static variables?
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Possible next features of QuickBMS

Post by aluigi »

Let's say your function has the following prototype:

Code:

int __cdecl function(unsigned char *buff, int buff_size, int arg1234);

Use this script:

Code:

set MEMORY_FILE10 binary "\x...YOUR_FUNCTION..."
log MEMORY_FILE OFFSET SIZE
calldll MEMORY_FILE10 0 cdecl RET MEMORY_FILE SIZE 1234

You can even use the x86 code automatically in the Encryption or Comtype command so that you don't have to dump the data in a MEMORY_FILE first:

Code:

set MEMORY_FILE10 binary "\x...YOUR_FUNCTION..."
encryption calldll "MEMORY_FILE10 0 cdecl RET #INPUT# #INPUT_SIZE# 1234"
log "dump.dat" OFFSET SIZE
encryption "" ""


I have not understood your second question, but let me know if what I have written answers it too.
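As an added illustration (not code from the thread or from QuickBMS itself), here is NullRd's XOR scheme from the slow script above written as a C function with the prototype aluigi gives for CallDLL. It assumes buff_size plays the role of the script's fsize, that arg1234 is unused, that the return value is simply the number of bytes processed, and that a CALLCONV macro stands in for __cdecl outside Windows; the sample buffer is constructed.

```c
/* Constructed example: NullRd's per-byte XOR as a CallDLL-style function.
 * Assumptions: buff_size == the script's fsize; arg1234 unused; RET = bytes done. */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#define CALLCONV __cdecl          /* calling convention named in the thread */
#else
#define CALLCONV                  /* no-op outside Windows */
#endif

/* Key byte for position i: (i & 0xFF) * 33 + (fsize & 0xFF) + 125. The script
 * stores one byte back with putvarchr, so only the low 8 bits of the sum matter. */
static unsigned char crypt_byte(long i, long fsize)
{
    long crypt = (i & 0xFF) * 33 + (fsize & 0xFF) + 125;
    return (unsigned char)(crypt & 0xFF);
}

/* In-place XOR; XOR is its own inverse, so one function both encrypts and
 * decrypts. Returns the number of bytes processed, or -1 on a bad buffer. */
int CALLCONV xor_decrypt(unsigned char *buff, int buff_size, int arg1234)
{
    (void)arg1234;                /* the 1234 passed by the script is unused here */
    if (buff == NULL || buff_size < 0)
        return -1;
    for (int i = 0; i < buff_size; i++)
        buff[i] ^= crypt_byte(i, buff_size);
    return buff_size;
}

/* Round trip on a constructed 4-byte buffer: "ABCD" with fsize 4 becomes
 * C0 E0 80 A0, and applying the function again restores "ABCD". */
int selftest(void)
{
    unsigned char buf[4];
    memcpy(buf, "ABCD", 4);
    xor_decrypt(buf, 4, 1234);
    if (memcmp(buf, "\xC0\xE0\x80\xA0", 4) != 0)
        return 0;
    xor_decrypt(buf, 4, 1234);
    return memcmp(buf, "ABCD", 4) == 0;
}

int main(void)
{
    printf("selftest: %s\n", selftest() ? "ok" : "FAILED");
    return selftest() ? 0 : 1;
}
```

Compiled with gcc/mingw this matches the cdecl convention the thread mentions; for the dumped-function route the raw bytes of xor_decrypt would go into the MEMORY_FILE10 string of aluigi's script.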