RayGigant (data0x.bin)
RayGigant (data0x.bin)
It seems that *.bin files are encrypted.
https://drive.google.com/file/d/0B8JGJb-FRy_bb3RsR2Voa0ZtaGc/view?usp=sharing
https://drive.google.com/file/d/0B8JGJb-FRy_bb3RsR2Voa0ZtaGc/view?usp=sharing
Re: RayGigant (data0x.bin)
Ehmmm... that bin is just a video
Re: RayGigant (data0x.bin)
aluigi wrote:Ehmmm... that bin is just a video
Oops! How about this file?
1) Original file 4gb https://drive.google.com/file/d/0B8iw-j0BGWKIdktQenNpcmtuMTQ/view?usp=sharing
2) Filecutted samples https://www.sendspace.com/file/0akoq3
Re: RayGigant (data0x.bin)
It seems obfuscated, probably with a custom algorithm.
Re: RayGigant (data0x.bin)
aluigi wrote:It seems obfuscated probably with a custom algorithm.
Oh, that's too bad!
Re: RayGigant (data0x.bin)
/*
 * Decrypt - XOR dwSize bytes from the source buffer into the destination
 * buffer and return 1 (there is no failure path).
 *
 * The listing looks like decompiler output (vN locals; DWORD, BYTE, LOWORD,
 * __int16 and __int8 are used but not defined here), so it needs those
 * helper definitions before it will compile.
 *
 * Parameters:
 *   pScrBuffer  source address, carried in an int
 *   pDstBuffer  destination buffer
 *   dwSize      number of bytes to process
 *   dwKey       32-bit XOR key
 *   dwFlag      starting value of the running position counter
 *
 * Each output byte is the input byte XORed with the low byte of the running
 * counter and with one byte of dwKey. Because the mask depends only on
 * dwKey, dwFlag and the byte position, running the routine again with the
 * same arguments undoes it: this is a keyed XOR mask, not a cipher with any
 * integrity or key-secrecy property.
 *
 * NOTE(review): addresses are stored and subtracted as int (v7, v20, v17),
 * so the code is only meaningful where a pointer fits in an int, i.e. a
 * 32-bit build - confirm before compiling for a 64-bit target.
 * NOTE(review): nothing here checks buffer bounds; both buffers must hold at
 * least dwSize bytes, and dwSize comes straight from the caller.
 */
char Decrypt(int pScrBuffer, unsigned int *pDstBuffer, unsigned int dwSize, int dwKey, int dwFlag)
{
int v5;
unsigned int v6;
int v7;
unsigned int *v8;
unsigned int v9;
int v10;
int v11;
unsigned int v12;
unsigned int *v13;
int v14;
unsigned int v15;
int v16;
int v17;
char v18;
int v20;
int v21;
int v22;
int v23;
int v24;
/* v5: running counter; v7/v21: source address; v8: destination cursor;
   v9: bytes left for the byte loop (the whole buffer unless the word path runs). */
v5 = dwFlag;
v6 = dwSize;
v7 = pScrBuffer;
v21 = pScrBuffer;
v8 = pDstBuffer;
v9 = dwSize;
/* Word path: taken only when the low two bits of dwFlag are zero. */
if ( !(dwFlag & 3) )
{
/* Skip the word loop when fewer than four bytes were requested. */
if ( dwSize >> 2 )
{
/* Counter values dwFlag+3, dwFlag+1 and dwFlag+2 placed in bits 24-31,
   8-15 and 16-23; together with the low byte of v5 they form the 32-bit mask. */
v24 = (dwFlag + 3) << 24;
v10 = (dwFlag + 1) << 8;
v11 = (dwFlag + 2) << 16;
/* Source address minus destination address, so the source word can be
   reached from the destination cursor v13. */
v20 = v7 - (DWORD)v8;
v12 = dwSize >> 2;
v22 = (dwFlag + 1) << 8;
v23 = (dwFlag + 2) << 16;
v13 = v8;
do
{
/* Bits 8-23 of the mask for this word. */
v14 = (unsigned __int16)(v10 & 0xFF00) | v11 & 0xFF0000;
/* Take the current bits 24-31 value, then advance that lane by 4. */
v10 = v24;
v24 += 0x4000000;
/* Full mask: low byte of the counter plus the three upper lanes. */
v15 = (unsigned __int8)v5 | v10 & 0xFF000000 | v14;
v5 += 4;
/* Presumably overwrites the low 16 bits of v10 with the next bits 8-15
   value, which the next iteration masks with 0xFF00 - LOWORD is not defined
   in this listing, confirm against its definition. */
LOWORD(v10) = v22 + 1024;
/* Output word = key XOR source word XOR mask. The 32-bit load and store go
   through cast pointers; NOTE(review): assumes unaligned access is acceptable
   on the target. */
*v13 = dwKey ^ *(unsigned int *)((char *)v13 + v20) ^ v15;
/* Advance the bits 16-23 and bits 8-15 lanes by 4 for the next word. */
v11 = v23 + 0x40000;
v23 += 0x40000;
v22 += 1024;
++v13;
--v12;
}
while ( v12 );
/* Restore the source address and size saved before the loop. */
v7 = v21;
v6 = dwSize;
}
/* v9: tail bytes (dwSize & 3); v16: byte count covered by whole words.
   Both cursors are moved past the words handled above. */
v9 = v6 & 3;
v16 = v6 - v9;
v8 = (unsigned int *)((char *)v8 + v16);
v7 += v16;
}
/* Byte path: handles the tail after the word loop, or the entire buffer
   when dwFlag is not a multiple of 4. */
if ( v9 )
{
/* Destination minus source, so the output byte is addressed from v7. */
v17 = (int)v8 - v7;
do
{
/* Source byte XOR counter XOR the byte of dwKey's storage selected by
   (v5 & 3); v18 is a char, so only the low 8 bits of the result are kept.
   On a little-endian machine this picks the same key byte the word path
   applies at that position. */
v18 = *(BYTE *)(++v7 - 1) ^ v5 ^ *((BYTE *)&dwKey + (v5 & 3));
++v5;
*(BYTE *)(v7 + v17 - 1) = v18;
--v9;
}
while ( v9 );
}
return 1;
}
Two headers of size 0x20, at the beginning and at the end of the archive.
Usage
/* Decode one 0x20-byte header with key 0xFABACEDA and a starting counter of 0.
   SrcBuf and DstBuf are the caller's buffers (their declarations are not shown)
   and must each hold at least 0x20 bytes.
   NOTE(review): (int)&SrcBuf only preserves the address where a pointer fits in
   an int; 0xFABACEDA is larger than INT_MAX, so passing it as the int dwKey
   relies on the implementation's unsigned-to-signed conversion. */
Decrypt((int)&SrcBuf, (unsigned int *)&DstBuf, 0x20u, 0xFABACEDA, 0);
I am too lazy to restore this code, but it works anyway.
Re: RayGigant (data0x.bin)
Thank you. Is there someone who can use it to decrypt the bin file?
Re: RayGigant (data0x.bin)
I'm not interested; after a quick look it seems it would take time, and the huge size of the archive doesn't help.
Anyway, the following is a test ONLY FOR THOSE WHO WANT TO MAKE TESTS WITH QUICKBMS (this is not an extraction script and will never work with a file as huge as that):
# Test script: pass the first SIZE bytes of the opened file through a native
# routine and write the result to dump.dat. Not an extraction script.

# XOR key, the same constant used in the Decrypt usage example in this thread.
math KEY = 0xFABACEDA
# MEMORY_FILE3 holds raw 32-bit x86 machine code (it opens with push ebp /
# mov ebp,esp and ends with pop ebp / ret). Presumably a compiled build of the
# Decrypt routine posted earlier in the thread - the script does not say so.
# NOTE(review): calldll below runs these bytes as native code inside the
# quickbms process, and the blob cannot be read as source; disassemble it and
# compare it with the posted Decrypt before reusing it elsewhere.
set MEMORY_FILE3 binary "\x55\x89\xe5\x57\x56\x53\x83\xec\x24\x8b\x45\x18\x8b\x55\x10\xa8\x03\x0f\x85\xbf\x00\x00\x00\x89\xd6\xc1\xee\x02\x0f\x84\xa5\x00\x00\x00\x8b\x7d\x14\x8d\x48\x02\x8d\x58\x01\xc1\xe6\x02\x89\x45\xd8\xc1\xe1\x10\xc1\xe3\x08\x89\x7d\xe0\x8b\x7d\x0c\x89\x4d\xec\x8d\x48\x03\x89\x5d\xe8\x29\xc7\xc1\xe1\x18\x89\x7d\xd4\x8b\x7d\x08\x89\x4d\xf0\x8d\x0c\x06\x29\xc7\x89\x4d\xdc\x89\x7d\xd0\x8b\x7d\xf0\x0f\xb6\xc8\x81\xe3\x00\xff\x00\x00\x81\x45\xe8\x00\x04\x00\x00\x83\xc0\x04\x81\xe7\x00\x00\x00\xff\x09\xcf\x8b\x4d\xec\x81\x45\xec\x00\x00\x04\x00\x81\xe1\x00\x00\xff\x00\x09\xd9\x0f\xb7\x5d\xe8\x09\xf9\x8b\x7d\xf0\x89\x4d\xe4\x8b\x4d\xd0\x81\x45\xf0\x00\x00\x00\x04\x66\x31\xff\x09\xfb\x8b\x7d\xe0\x33\x7c\x01\xfc\x8b\x4d\xe4\x31\xf9\x3b\x45\xdc\x8b\x7d\xd4\x89\x4c\x07\xfc\x75\x9d\x8b\x45\xd8\x01\xf0\x89\xd1\x83\xe1\x03\x29\xca\x01\x55\x0c\x01\x55\x08\x89\xca\x85\xd2\x74\x23\x01\xc2\x8b\x5d\x08\x8b\x75\x0c\x29\xc3\x29\xc6\x89\xc7\x88\xc1\x32\x0c\x03\x83\xe7\x03\x40\x32\x4c\x3d\x14\x39\xd0\x88\x4c\x06\xff\x75\xe9\x83\xc4\x24\xb0\x01\x5b\x5e\x5f\x5d\xc3"
# Register the blob as the active "encryption": called at offset 0 with the
# cdecl convention and the arguments (input, output, input size, KEY, 0),
# the same argument order as the Decrypt usage example.
encryption calldll "MEMORY_FILE3 0 cdecl RET #INPUT# #OUTPUT# #INPUT_SIZE# KEY 0"
math SIZE = 0x10000000 # the size of the archive is too big for quickbms
# Write SIZE bytes starting at offset 0 to dump.dat; the encryption set above
# is applied to the data as it is written.
log "dump.dat" 0 SIZE
Re: RayGigant (data0x.bin)
Ok. thank you!