Moonlight Blade

Extraction and unpacking of game archives and compression, encryption, obfuscation, decoding of unknown files
Googlemo
Posts: 9
Joined: Fri Oct 14, 2016 7:55 am

Moonlight Blade

Post by Googlemo »

Hello, I would like to ask you guys a question, if it's possible for you to open the client's files (I don't need to put them back together either, at least for now!) of this game:
Moonlight Blade
Last edited by Googlemo on Thu Jun 08, 2017 12:29 pm, edited 2 times in total.
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Moonlight Blade & Kingdom under Fire 2

Post by aluigi »

Why don't you use Google?
viewtopic.php?t=2844
viewtopic.php?t=3926

Then you opened one topic for 2 games, without providing samples and in the wrong section.
Please pay more attention next time, thanks.
Googlemo
Posts: 9
Joined: Fri Oct 14, 2016 7:55 am

Re: Moonlight Blade & Kingdom under Fire 2

Post by Googlemo »

I saw the first topic, but I assumed .sfc files are for models and graphics stuff, not really what I'm looking for.
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Moonlight Blade

Post by aluigi »

What's the file you want to extract?
Upload it.
Googlemo
Posts: 9
Joined: Fri Oct 14, 2016 7:55 am

Re: Moonlight Blade

Post by Googlemo »

I'm not sure, as I need files with texts. It would be amazing if you could help me locate it; here are some samples that may be what we need:

https://yadi.sk/d/BV-8wFEX3JxDGr
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Moonlight Blade

Post by aluigi »

I can confirm that the scripts are:
http://aluigi.org/bms/qq_sfc.bms
http://aluigi.org/bms/dzs_qq.bms

I have just updated dzs_qq.bms because it didn't decompress the files, I hope I have not broken compatibility with other archives :P
Ekey
Posts: 1383
Joined: Sat Aug 09, 2014 2:34 pm

Re: Moonlight Blade

Post by Ekey »

Filenames are encrypted with AES/256/ECB mode. Key is (VFS_DEFAULT_AES_KEY)
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Moonlight Blade

Post by aluigi »

Do you have a sample archive for testing my script?
Ekey
Posts: 1383
Joined: Sat Aug 09, 2014 2:34 pm

Re: Moonlight Blade

Post by Ekey »

aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Moonlight Blade

Post by aluigi »

Thanks, do you know if the TOC is EVER encrypted or only when the filenames are encrypted too?
Ekey
Posts: 1383
Joined: Sat Aug 09, 2014 2:34 pm

Re: Moonlight Blade

Post by Ekey »

0x38 offset in each archive > byte is flag (1 - encrypted), next 16 bytes are an MD5 hash of the encryption key
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Moonlight Blade

Post by aluigi »

ok, I still have some doubts about the various formats and samples I have seen in the past... but I no longer have them so my only option is keeping the original "heuristic" file-dumping part of the script and adding the new encryption and TOC handling.
Script 0.3:
http://aluigi.org/bms/dzs_qq.bms

It seems to work well with the provided sample, can't guarantee if it works with the others but it's enough to set OLD_SCRIPT to 1 for using the old version of the script.
Ekey
Posts: 1383
Joined: Sat Aug 09, 2014 2:34 pm

Re: Moonlight Blade

Post by Ekey »

Works fine
flowersun
Posts: 6
Joined: Sun Apr 29, 2018 1:33 pm

Re: Moonlight Blade

Post by flowersun »

Ekey wrote:Works fine


Great job! I have another question about the .SFC file in Moonlight Blade (http://aluigi.altervista.org/bms/qq_sfc.bms). Do you know what the 8-byte dummy header of each subfile is? It seems to be some kind of hash of the original filename. Such as
icon_64_ShiShiZhuangCaiLiao_XiQue => 0c8c28b400ac6e0e
ICON_40_Blue => 0d770a0303e3bd67
I'm wondering, is there any hope of finding out the function? It would be very useful. :)
Last edited by flowersun on Mon Apr 30, 2018 2:23 pm, edited 1 time in total.
Ekey
Posts: 1383
Joined: Sat Aug 09, 2014 2:34 pm

Re: Moonlight Blade

Post by Ekey »

8 bytes is a hash of file name in upper case
flowersun
Posts: 6
Joined: Sun Apr 29, 2018 1:33 pm

Re: Moonlight Blade

Post by flowersun »

Ekey wrote:8 bytes is a hash of file name in upper case

Did you mean first do toUpperCase("ICON_40_Blue") => "ICON_40_BLUE",
and then calculate the hash of 'ICON_64_BLUE'? So do you know what the hash function is? Thanks a lot.
Ekey
Posts: 1383
Joined: Sat Aug 09, 2014 2:34 pm

Re: Moonlight Blade

Post by Ekey »

Simple algorithm

C#

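        // Hash of the upper-cased file name. UInt64 arithmetic wraps on
        // overflow (default unchecked context), i.e. the result is mod 2^64.
        static UInt64 iGetHashFromString(string m_String)
        {
            UInt64 dwHash = 0x1712E27F4D2960DB; // initial value
            m_String = m_String.ToUpper();
            for (int i = 0; i < m_String.Length; i++)
            {
                // The (byte) cast keeps the low 8 bits of each character.
                dwHash = (dwHash * 67) + ((byte)m_String[i]);
            }
            return dwHash;
        }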
flowersun
Posts: 6
Joined: Sun Apr 29, 2018 1:33 pm

Re: Moonlight Blade

Post by flowersun »

Ekey wrote:Simple algorithm

C#

        static UInt64 iGetHashFromString(string m_String)
        {
            UInt64 dwHash = 0x1712E27F4D2960DB;
            m_String = m_String.ToUpper();
            for (int i = 0; i < m_String.Length; i++)
            {
                dwHash = (dwHash * 67) + ((byte)m_String[i]);
            }
            return dwHash;
        }


You're awesome!!! How did you find this piece of code? Decompile client or write by yourself? I have tested it, but unfortunately the hash string couldn't match. Something like hash value of "aaa1.png" minus hash value of "aaa2.png" should be 20151121(67^4). And that could be shown from this snippet. So I'm wondering if I should concat some prefix to filename like "/huashu40.tga" or is the dwHash init value mistyped?
Sorry for my bad English and thanks a lot again!! I'm also glad to receive PM. :)
Ekey
Posts: 1383
Joined: Sat Aug 09, 2014 2:34 pm

Re: Moonlight Blade

Post by Ekey »

flowersun wrote:You're awesome!!! How did you find this piece of code? Decompile client or write by yourself?

Reverse engineering and debugging client.

flowersun wrote:I have tested it, but unfortunately the hash string couldn't match. Something like hash value of "aaa1.png" minus hash value of "aaa2.png" should be 20151121(67^4). And that could be shown from this snippet. So I'm wondering if I should concat some prefix to filename like "/huashu40.tga"

No

flowersun wrote:the dwHash init value?

Yes

flowersun wrote:mistyped

No

flowersun wrote:And that could be shown from this snippet. So I'm wondering if I should concat some prefix to filename like "/huashu40.tga" or is the dwHash init value mistyped?
Sorry for my bad English and thanks a lot again!! I'm also glad to receive PM. :)

No, prefixes are not needed here. You can check hashes in archive > TableBin.sfc

B4E123F458669A32 - CACHE\DATA\CLIENTTABLE_KR\ACTIVITYCOMMONREWARDTABLE.BIN
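
Added example, not part of the thread and not Ekey's or the game's code: a Python port of the posted hash, plus a helper that solves for the initial value implied by a known (name, hash) pair, which separates the two doubts raised above (wrong seed versus wrong input string or byte order). It assumes ASCII names and that the 8 bytes may be stored in either byte order; `sfc_name_hash`, `implied_seed` and `check_pair` are hypothetical names.

```python
MASK = (1 << 64) - 1        # UInt64 arithmetic wraps modulo 2**64
SEED = 0x1712E27F4D2960DB   # initial dwHash from the posted C# code
MULT = 67                   # multiplier from the posted C# code


def _encode(name: str) -> bytes:
    # Assumption: names are ASCII, so ToUpper() and the (byte) cast lose nothing.
    return name.upper().encode("ascii")


def sfc_name_hash(name: str, seed: int = SEED) -> int:
    """Python port of the posted iGetHashFromString."""
    h = seed
    for b in _encode(name):
        h = (h * MULT + b) & MASK
    return h


def implied_seed(name: str, observed: int) -> int:
    """Seed that would make `name` hash to `observed` (hypothetical helper).

    hash = seed * 67**n + P(name) mod 2**64, and 67 is odd, so 67**n is
    invertible and the seed can be solved for directly.
    """
    n = len(_encode(name))
    poly = sfc_name_hash(name, seed=0)  # P(name): contribution of the bytes alone
    inv = pow(pow(MULT, n, 1 << 64), -1, 1 << 64)
    return ((observed - poly) * inv) & MASK


def check_pair(name: str, observed_hex: str) -> dict:
    """Compare an observed 8-byte value with the hash, trying both byte orders."""
    raw = bytes.fromhex(observed_hex)
    be, le = int.from_bytes(raw, "big"), int.from_bytes(raw, "little")
    h = sfc_name_hash(name)
    return {"computed": f"{h:016X}", "match_be": h == be, "match_le": h == le,
            "seed_if_be": f"{implied_seed(name, be):016X}",
            "seed_if_le": f"{implied_seed(name, le):016X}"}


if __name__ == "__main__":
    # (name, hash) pairs quoted in the thread; the run reports whether they match.
    pairs = [("icon_64_ShiShiZhuangCaiLiao_XiQue", "0c8c28b400ac6e0e"),
             ("ICON_40_Blue", "0d770a0303e3bd67"),
             (r"CACHE\DATA\CLIENTTABLE_KR\ACTIVITYCOMMONREWARDTABLE.BIN",
              "B4E123F458669A32")]
    for name, hx in pairs:
        print(name, check_pair(name, hx))
```

If several pairs give the same implied seed under one byte order, the constant is what differs; if the implied seeds disagree, the string being hashed (for example a full path instead of a bare name) is what differs.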
flowersun
Posts: 6
Joined: Sun Apr 29, 2018 1:33 pm

Re: Moonlight Blade

Post by flowersun »

aluigi wrote:ok, I still have some doubts about the various formats and samples I have seen in the past... but I no longer have them so my only option is keeping the original "heuristic" file-dumping part of the script and adding the new encryption and TOC handling.
Script 0.3:
http://aluigi.org/bms/dzs_qq.bms

It seems to work well with the provided sample, can't guarantee if it works with the others but it's enough to set OLD_SCRIPT to 1 for using the old version of the script.


Hello, I could provide one quite small vfs example file (8kb), but it extracts nothing. I tried extracting the filename list first, and it seems to contain 2 files. Using the 0.3.1 version of the script, it can extract about 70% of the files on average (tested on more than 10 vfs files), and some of the files are broken. I hope you can find out where the problem lies by inspecting this file. I could provide one 3gb big file if needed.
Thanks for your great work! Hope for good news!

---
uploaded the 3gb file, data_bas_1.vfs:
https://mega.nz/#!0F4XzbTZ!Am2ha92fyz_I ... EKP5dtJzvw
one broken extracted file path example, only 3MB, should be exactly 4MB:
\DATA\IMAGESETS\MAP\WORLDMAP\YY_MINIMAP.DDS