[REQUEST] ANDROID: Angry Birds: Transformers .PAKS

[Ecelon]

I was hoping someone could help extract .PAK archives from Angry Birds: Transformers. The heading is XPK9, and I've uploaded some samples too: https://drive.google.com/open?id=1kD3gc ... nIp7fhah2i

Thanks guys;

UPDATE So I checked the files, and all of them have screwy headers. After changing Optimus' head to XPK2, I extracted some files using Aluigis XPK2 script:

Code: Select all

# F1 2016 obb (2KPX/XPK2) (script 0.1.1)
# script for QuickBMS http://quickbms.aluigi.org

comtype lz4
idstring "\x02KPX"  # KPX/XPK
get FOLDERS long
get FILES long
get DUMMY long

math FOLDER_BASE = 20
math FILE_BASE = FOLDERS
math FILE_BASE *= 32
math FILE_BASE += FOLDER_BASE
math NAME_BASE = FILES
math NAME_BASE *= 32
math NAME_BASE += FILE_BASE

goto FILE_BASE
for i = 0 < FILES
    get NAME_OFF long
    get DUMMY long
    get SIZE long
    get OFFSET long
    get ZIP long
    get CRC long
    get ZSIZE long
    get DUMMY long

    math NAME_OFF += NAME_BASE
    savepos TMP
    goto NAME_OFF
    get NAME string
    goto TMP

    putarray 0 i NAME
    putarray 1 i SIZE
    putarray 2 i OFFSET
    putarray 3 i ZIP
    putarray 4 i ZSIZE
next i

goto FOLDER_BASE
for i = 0 < FOLDERS
    get NAME_OFF long
    get DUMMY long
    get XFILES_POS long
    get DUMMY long
    get XFOLDERS_POS long
    get DUMMY long
    get XFILES long
    get XFOLDERS long

    math NAME_OFF += NAME_BASE
    savepos TMP
    goto NAME_OFF
    get NAME string
    goto TMP

    putarray 5 i NAME
    putarray 6 i XFILES
    putarray 7 i XFOLDERS
    putarray 8 i XFILES_POS
    putarray 9 i XFOLDERS_POS
next i

getarray NAME         5 0
getarray XFILES       6 0
getarray XFOLDERS     7 0
getarray XFILES_POS   8 0
getarray XFOLDERS_POS 9 0
set PATH string ""
set NAME string ""
callfunction EXTRACT

startfunction EXTRACT
    string PATH += NAME
    string PATH += /
    math FILES = XFILES
    math FOLDERS = XFOLDERS
    math FILES_POS = XFILES_POS
    math FOLDERS_POS = XFOLDERS_POS

    for i = 0 < FILES
        math T = FILES_POS
        math T += i
        getarray NAME   0 T
        getarray SIZE   1 T
        getarray OFFSET 2 T
        getarray ZIP    3 T
        getarray ZSIZE  4 T
        set FNAME string PATH
        string FNAME += NAME
        if ZIP == 0
            log FNAME OFFSET SIZE
        else
            clog FNAME OFFSET ZSIZE SIZE
        endif
    next i

    for i = 0 < FOLDERS
        math T = FOLDERS_POS
        math T += i
        getarray NAME         5 T
        getarray XFILES       6 T
        getarray XFOLDERS     7 T
        getarray XFILES_POS   8 T
        getarray XFOLDERS_POS 9 T
        callfunction EXTRACT
    next i
endfunction

[aluigi]

Script 0.1.2:
http://aluigi.org/bms/xpk2.bms

[LolHacksRule]

Script 0.1.2:
http://aluigi.org/bms/xpk2.bms

Cool, I found a debug menu in the files extracted from the .paks, this script also worked on the OBB but that gave multiple .paks, worked on them as well, but there is one problem, store2.pak doesn't decompress, every other .pak does. Anywho is recompiling the .paks possible after modifications?

[godskin]

Script 0.1.2:
http://aluigi.org/bms/xpk2.bms

Cool, I found a debug menu in the files extracted from the .paks, this script also worked on the OBB but that gave multiple .paks, worked on them as well, but there is one problem, store2.pak doesn't decompress, every other .pak does. Anywho is recompiling the .paks possible after modifications?

stop *SPAM* this forum model
not hack forum

[LolHacksRule]

Script 0.1.2:
http://aluigi.org/bms/xpk2.bms

Cool, I found a debug menu in the files extracted from the .paks, this script also worked on the OBB but that gave multiple .paks, worked on them as well, but there is one problem, store2.pak doesn't decompress, every other .pak does. Anywho is recompiling the .paks possible after modifications?

stop *SPAM* this forum model
not hack forum

Sorry, but can store2.pak be decompressable soon?

[aluigi]

upload store2.pak

[LolHacksRule]

upload store2.pak

Here it is as of v1.35.8

"D─σ╕║ o┬♥¢l ↨îÇS" is the first ten digits in the header.

[aluigi]

It's all encrypted, nothing to do.

[LolHacksRule]

It's all encrypted, nothing to do.

store2.pak updates via hotfixes so here is v1.35.8.3's hotfix. Some bytes changed, try comparing the APK version (old) to this new one. Maybe that will help you with decrypting the pak.

Assets I probably found in it, based on dissembled .so code, note this is for the ARMV7 architecture:

BattlePass.xml
BundleDefinitions.xml
CraftingMaterials.xml
gacha.xml
ParsedList.txt (Code says its illegal names for name entry)
LiveEventOffersRelease.xml
Offers.xml
ShockwavesSpire.xml
TournamentBoostsRelease.xml
Economy.xml
PopupCoordinator.xml
CurrencyShop.xml
CraftingRecipes.xml

dissembled .so code relating to store2.pak:

Code: Select all

BL              _Z12Util_OpenPakiPKciPciN13EXGSMemHeapID4EnumE ; Util_OpenPak(int,char const*,int,char *,int,EXGSMemHeapID::Enum)
LDR             R1, =(aDataStore2Pak - 0x470E88)
LDR             R3, =(aStore2 - 0x470E8C)
MOV             R2, R4
STR             R6, [SP,#0x18+var_18]
MOV             R0, #4
STR             R5, [SP,#0x18+var_14]
ADD             R1, PC, R1 ; "Data/Store2.pak"
ADD             R3, PC, R3 ; "STORE2"
off_470EF0      DCD aDataStore2Pak - 0x470E88
; DATA XREF: std::_Function_handler<void ()(void),CApp::MainLoadingFunc(CXGSJob *,void *)::{lambda(void)#2}>::_M_invoke(std::_Any_data const&)+80↑r
; "Data/Store2.pak"
off_470EF4      DCD aStore2 - 0x470E8C  ; DATA XREF: std::_Function_handler<void ()(void),CApp::MainLoadingFunc(CXGSJob *,void *)::{lambda(void)#2}>::_M_invoke(std::_Any_data const&)+84↑r
; "STORE2"
BL              _Z12Util_OpenPakiPKciPciN13EXGSMemHeapID4EnumE ; Util_OpenPak(int,char const*,int,char *,int,EXGSMemHeapID::Enum)
LDR             R1, =(aDataStore2Pak - 0x47271C)
LDR             R3, =(aStore2 - 0x472720)
MOV             R2, R4
STR             R6, [SP,#0x18+var_18]
MOV             R0, #4
STR             R5, [SP,#0x18+var_14]
ADD             R1, PC, R1 ; "Data/Store2.pak"
ADD             R3, PC, R3 ; "STORE2"
off_472784      DCD aDataStore2Pak - 0x47271C
; DATA XREF: CApp::MainLoadingOpenPAKFiles(void)+80↑r
; "Data/Store2.pak"
off_472788      DCD aStore2 - 0x472720  ; DATA XREF: CApp::MainLoadingOpenPAKFiles(void)+84↑r
; "STORE2"

There's also PAK encryption key mentioned.

[LolHacksRule]

Screw it, I'm finding the key on my own.

[LolHacksRule]

Found these mentioned for pakEncryptionKey:

Code: Select all

OFFSETS FOR ENCRYPTION KEY (ARM64 2.0.5.0):
Address   Function   Instruction
.text:00000000004202F4   _Z14UtilStaticInitv                   ADRP            X1, #_ZL19s_uPakEncryptionKey@PAGE ; s_uPakEncryptionKey
.text:0000000000420300   _Z14UtilStaticInitv                   ADD             X1, X1, #_ZL19s_uPakEncryptionKey@PAGEOFF ; src
.text:0000000000420364   _Z14UtilStaticInitv                   STR             X8, [X20,#(_ZL20s_puPakEncryptionKey - 0xE399C0)] ; s_puPakEncryptionKey
.text:0000000000420388   _Z16UtilStaticTidyupv                   LDR             X0, [X19,#(_ZL28s_puPakEncryptionKeyMemAlloc - 0xE399C0)] ; void *
.text:0000000000420398   _Z16UtilStaticTidyupv                   STR             Q0, [X19,#(_ZL20s_puPakEncryptionKey - 0xE399C0)] ; s_puPakEncryptionKey
.text:0000000000422304   _Z12Util_OpenPakiPKciPciN13EXGSMemHeapID4EnumE                   LDR             X8, [X25,#(_ZL20s_puPakEncryptionKey - 0xE399C0)] ; s_puPakEncryptionKey
.rodata:00000000009E0150      ; s_uPakEncryptionKey
.bss:0000000000E399E0      ; s_puPakEncryptionKey
.bss:0000000000E399E8      ; s_puPakEncryptionKeyMemAlloc

There's no info on the encryption type, I'm guessing its another XXTEA encryption. I think I found it.

[LolHacksRule]

Here's the latest store2.pak (2.0.5.0). Oh and here's the libs (Android), I won't focus on iOS sorry.

[LolHacksRule]

An update released (2.0.6.0), I'll provide the libs soon (if you already played the game and downloaded all data, do not start it online or it will force getting the update for every bootup).

[LolHacksRule]

Rovio made the worst possible cash grab in this game (characters locked under a money-based paywall with NO WAY OF GETTING THEM FOR WITHOUT SPENDING MONEY) so I'm revealing the key publically. I don't know how to make a script to decrypt the file but here's the key if someone wants to.

[LolHacksRule]

"\x" isn't part of the key, its just formated for use in a QuickBMS script.

[LolHacksRule]

The game was updated, TWICE. I'll only provide 2.0.8's libs if asked for.

[LolHacksRule]

Anyone wants to make a script for me?

[LolHacksRule]

Here's the libs for 2.0.8, forget it I'll always update them

[LolHacksRule]

Bump again

[LolHacksRule]

Another bump? This is the only PAK file in the game that cannot be decompressed due to encryption.