Apex Protection - LZMA Problem.

Ekey
Posts: 1383
Joined: Sat Aug 09, 2014 2:34 pm

Post by Ekey »

I have a problem with decompressing one section from an EXE. The protector used LZMA compression. Quick structure:

DWORD dwID; // APZP
DWORD dwSize; // Decompressed size > 12857344
DWORD dwZSize; // Compressed data size without header > 2237191


Next we can see an LZMA header like

5D 00 00 00 01 00 00 00 00 00 00 00 00 05 00 00 00 00


I fixed the header to

5D 00 00 80 00 00 30 C4 00 00 00 00 00 00


Now

lzma d "2_axZ.section_header_fixed" "3_axZ.section_decompressed"


The problem is that the decompressed size is less than the size specified in the header => after decompression I got 10624885. But I am sure that the section is not fully unpacked, because in the variant dumped from memory the section size is ~12800000+-.

Section: here
Victim: here

Any ideas? :?
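
Added example (not part of the original posts, and not QuickBMS or protector code): Python that decodes the LZMA property bytes of the two headers quoted above and decodes a headerless LZMA1 stream directly from those properties instead of from a rewritten .lzma header. It assumes the first five bytes of the protector's header are standard LZMA properties; the function names and the round-trip sample data are constructed for illustration.

```python
import lzma
import struct

# Bytes quoted in the post: the protector's header and the hand-made .lzma header.
ORIGINAL = bytes.fromhex("5D 00 00 00 01 00 00 00 00 00 00 00 00 05 00 00 00 00")
FIXED = bytes.fromhex("5D 00 00 80 00 00 30 C4 00 00 00 00 00 00")
DW_SIZE = 12857344  # dwSize from the APZP structure


def parse_props(props5: bytes) -> dict:
    """Decode 5 LZMA property bytes: packed lc/lp/pb, then LE dictionary size."""
    if len(props5) < 5:
        raise ValueError("need 5 property bytes")
    packed, dict_size = struct.unpack_from("<BI", props5)
    if packed >= 9 * 5 * 5:
        raise ValueError("invalid lc/lp/pb byte")
    return {"id": lzma.FILTER_LZMA1, "lc": packed % 9, "lp": (packed // 9) % 5,
            "pb": packed // 45, "dict_size": dict_size}


def build_alone_header(props5: bytes, unpacked_size: int) -> bytes:
    """13-byte .lzma header: property bytes kept verbatim + 64-bit LE size."""
    parse_props(props5)  # reject malformed properties early
    return props5[:5] + struct.pack("<Q", unpacked_size)


def decode_raw(stream: bytes, props5: bytes) -> bytes:
    """Decode a headerless LZMA1 stream using the given property bytes."""
    dec = lzma.LZMADecompressor(lzma.FORMAT_RAW, filters=[parse_props(props5)])
    return dec.decompress(stream)


def roundtrip_constructed_sample() -> bool:
    """Constructed data: strip a real .lzma header and decode the raw body."""
    sample = b"constructed sample data " * 4096
    packed = lzma.compress(sample, format=lzma.FORMAT_ALONE)
    return decode_raw(packed[13:], packed[:5]) == sample


if __name__ == "__main__":
    for name, hdr in (("original", ORIGINAL), ("fixed", FIXED)):
        p = parse_props(hdr)
        print(f"{name}: lc={p['lc']} lp={p['lp']} pb={p['pb']} dict=0x{p['dict_size']:08X}")
    print("fixed size field:", struct.unpack_from("<Q", FIXED, 5)[0])
    print("rebuilt from original props:", build_alone_header(ORIGINAL, DW_SIZE).hex(" "))
    print("raw round trip ok:", roundtrip_constructed_sample())
```

Read this way, the original header's dictionary field is 0x01000000 (16 MiB), while the rewritten header declares 0x00800000 (8 MiB) with a size field of 12857344.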
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Apex Protection - LZMA Problem.

Post by aluigi »

I tried using lzma_dynamic and lzma2_dynamic on offset 0xc and various other offsets without luck.
The good thing about lzma_dynamic is that it tries ALL the available lzma modes (all those you see in quickbms.txt) so it should be able to get the working one in any case and without limits of uncompressed size.
Ekey
Posts: 1383
Joined: Sat Aug 09, 2014 2:34 pm

Re: Apex Protection - LZMA Problem.

Post by Ekey »

The comtype scanner gives no results... wtf.. :|