Magic 2015 - Duels of the Planeswalkers (ZED archives)

[logoliv]

Hi all,

The 2015 version of Duels of the Planeswalkers uses now ZED files as archives (and no more directly WAD files), the problem is they are encrypted and as a consequence we're not able to mod the game...
Here's a link about the progress the modders made.

I join for convenience an extract of the file we would like to decode (just the beginning because the entire size is 320 Mb...)
Thanks in advance for any help.

[logoliv]

If someone is interested and needs a complete ZED file, you can always download a demo on Steam here

[aluigi]

I gave a quick look at them.
Basically their bytes are simply xored with the preceeding byte:
data[i] ^= data[i - 1];
And the first byte xored with 0x53.

And the archives are just a customized ZIP format with the central directory linking directly to the compressed data.
The problem is that the first part of this compressed data is obfuscated in a certain way.

For example in the demo there is a compressed file at offset 0x66389 of 0x100 bytes that decompresses to 0x110 bytes.
These 0x100 bytes are scrambled in a certain way that they become 0x99 bytes that are xored as written before and passed directly to the zlib inflate.
The problem is just the part that shrinks the data to 0x99 bytes which is not a classical input->output obfuscation but it looks more like "precomp" used to rip games (just to give you an idea of what I mean).

[logoliv]

Thanks for taking the time to look Luigi.
When you talk about offset 0x66389, do you speak from DATA_000.ZED or did you looked at another ZED file (like audio or movies) ?
It seems that only the data file is encrypted, and by the way it's the only one we need to decompress because all cards are coded in it.

[aluigi]

I refer to DATA_000.ZED because the other archives use a different non-encrypted format.

[logoliv]

ok, so i have 3 questions :

1) how did you find the value 0x53 that is xored with the first byte ?
2) how do you proceed ? simply from left to right (xor the second byte with the result of the first xor) or storing the i-1 byte before xor (xor the second byte with the value that the first byte had before it was xored) ?
3) finally, did you managed to have a decoded file like :
<Files> <File Name="...

Sorry for all the questions but i'm new at this. If you managed to decode the list of files it's nice because i think the rest of the archive are just WAD files and the modder team knows how to decode them.

[aluigi]

1)
via debugger with the help of offbreak

2)
from the reverse order so from the last byte till the the second one (because the first is xored with 0x53)

3)
no because this is a completely different format where you have a customized ZIP files where instead of the central directory ("PK\3\4") you have just the deflate data.

[logoliv]

Thanks for yours explanations, the problematic point is now more clear to me. I also understand that i clearly don't have the knowledge to go further at all... do you think there's a way to find the scrambling algorithm ?

[aluigi]

With time and desire many things are possible

The project was interesting but currently I don't have a plan for retrieving this last part of information, I really think it's some public algorithm because the code was quite complex and not caused by obfuscations.
Maybe someone else is interested.

[logoliv]

Someone has found a good clue on the scramble algorithm... Please could you just give a look at the post and tell me if it helps ?

[aluigi]

I think that's the correct one
Currently I don't have RSA implemented in quickbms so I can't do something now.