Hitman (2016) *.RPKG files [REQUEST]

[Godxon 1]

Hello,
I want to extract files from new Hitman game, but script for Absolution from Aluigi don't work. Can someone please help me?

There is example of the files: https://mega.nz/#F!uVUA2YKD!KOKRyKzgInfzZNDr5GggRw

THX

[biosmanager]

I tried the scripts from http://zenhax.com/viewtopic.php?t=1201 but unfortunately they didn't work. It seems they changed the archive format.

[aluigi]

Please use the filecutter script to upload only a part of the file, open it with notepad and use 16 where it's written "math MEGABYTES = 2":
http://aluigi.org/bms/filecutter.bms

[Ekey]

They changed format. Now it's looks like this

Code: Select all

struct RPKGHeader
{
   uint32_t   dwID; // Always GKPR
   uint32_t   dwTotalFiles;
   uint32_t   dwResourceTableOffset; // Table with headers for files
   uint32_t   dwResourceTableSize;
};

struct RPKGEntry
{
   uint64_t   dwHash; // Filename hash
   uint64_t   dwOffset;
   uint32_t   dwSize; // dwSize & 0x3FFFFFFF
}

struct RPKGResources
{
   uint32_t   int dwType;
   uint32_t   int dwReferencesChunkSize;
   uint32_t   int dwStatesChunkSize;
   uint32_t   int dwDataSize;
   uint32_t   int dwSystemMemoryRequirement;
   uint32_t   int dwVideoMemoryRequirement;
};

Files data can be also compressed. I have tryed comtype_scanner but without good results. Real size can be found in resource table for each entry. Actually i do not know how to interact with that table and get headers for each files.

Cutted: https://www.sendspace.com/file/kcontd

[Godxon 1]

Please use the filecutter script to upload only a part of the file, open it with notepad and use 16 where it's written "math MEGABYTES = 2":
http://aluigi.org/bms/filecutter.bms

Here is it, Aluigi.
https://mega.nz/#F!6BkmBQ4D!QlQwHjemHq4imptQelgt6w

[aluigi]

In my opinion there is no compression.
What's there looks like a xor with an 8 bytes key that changes for every file.

[AnonBaiter]

In my opinion there is no compression.
What's there looks like a xor with an 8 bytes key that changes for every file.

So is there any way to extract them?

[Ekey]

In my opinion there is no compression.
What's there looks like a xor with an 8 bytes key that changes for every file.

I found only encryption for config files (packagedefinition.txt and thumbs.dat). It's XTEA. But I'm not sure that the same algorithm is used for encryption data in archives.

[SPooKMasTeR]

There is also this Thumbs.db file which appears to be a sort of a config file according to someone who has been digging. It maybe possible to enable the console through that file.

[BOTLANNER]

I tried the scripts from http://zenhax.com/viewtopic.php?t=1201 but unfortunately they didn't work. It seems they changed the archive format.

Is it not still .RPKG?

[aluigi]

@Ekey
I guess it's a custom obfuscation because the sequence of bytes remains almost the same except for some few bytes that change, look at offset 0x350290. That's not possible with XTEA or other block ciphers where the whole block changes when the input changes.

[Ekey]

Well, i have no ideas about that obfuscation. Denuvo does not give any chance to debug game for reversing algorithm..

[Ekey]

We have a chance to find a data obfuscation algorithm by hooking API functions CreateFileA, CreateFileW, ReadFile, SetFilePointer and etc. Actually decryption/deobfuscation algorithm are close to these API.
API Monitor v2 is great tool but it not displays the address where called from HITMAN.exe. Maybe there are similar tools with this capability?

[BOTLANNER]

The models and textures used in the game can be acquired using Ninja Ripper.

[SPooKMasTeR]

Just so you guys know I am really looking forward to decrypting these stuff. Keep the good work up guys! つ ◕_◕ ༽つTAKE MY ENERGY ༼ つ ◕_◕ ༽つ.

[id-daemon]

In my opinion there is no compression.
What's there looks like a xor with an 8 bytes key that changes for every file.

Why do you think it changes? As I can see, its always dc45a69cd3724cab

The illusion of it changing is only because all the files start with different offset. But all the files in this first 16M cut are xored with the same key

[aluigi]

I guess I checked the whole extracted file and the sequence of bytes changed at different offsets.
Just trying to remember...

[id-daemon]

I guess I checked the whole extracted file and the sequence of bytes changed at different offsets.
Just trying to remember...

yes because files are NOT PADDED

the key is the same

[aluigi]

Is it so simple?

Code: Select all

idstring "GKPR"
get FILES long
get OFFSET long
get SIZE long
for i = 0 < FILES
    get HASH longlong
    get OFFSET longlong
    get SIZE long
    putarray 0 i OFFSET
next i
get OFFSET asize
putarray 0 i OFFSET
for i = 0 < FILES
    getarray OFFSET 0 i
    math i + 1
    getarray SIZE   0 i
    math SIZE - OFFSET
    encryption xor "\xdc\x45\xa6\x9c\xd3\x72\x4c\xab"
    log "" OFFSET SIZE
next

[id-daemon]

I don't have the game or the full 3,7Gig file, but it seems so.