main.cpp /* Metin2FileExtractor pushedx edxlabs

Size: px

Start display at page:

Download "main.cpp /* Metin2FileExtractor pushedx edxlabs"

Teresa Joan Dixon
6 years ago
Views:

1 Downloaded from: justpaste.it/metin2_filext_source main.cpp /* Metin2FileExtractor pushedx edxlabs This program serves as a file extractor for the Metin2 data files. The EIX files are the header files and the EPK files are the data files. The data can be uncompressed, encrypted, and/or compressed. This code shows how the client performs the logic. This was a "for fun" project and done in about ~12 hours of work. I am releasing this tool and the source code to the elitepvperss' Metin2 community to help spread new knowledge. I have no immediate plans for a file editor at this time as I'm not playing the game or doing anything with it. Maybe sometime later though. */ I hope you enjoy! #define _CRT_SECURE_NO_WARNINGS #include <windows.h> #include <stdio.h> #include <string> #include <vector> #include <sstream> // Dumps a complete archive bool DumpArchive(const char * infolder, const char * name); int main(int argc, char * argv[]) system("cls"); printf("welcome to the Metin2 File Extractor!\n"); printf("this program was made by pushedx for the elitepvpers' Metin2 community.\n"); printf("this is a free tool for all to use.\n"); printf("it should work on the US/DE version files but Korea is not tested.\n"); printf("enjoy :)\n\n"); if(argc!= 3) printf("usage: Metin2FileExtractor <Path to PAK folder> <Archive title>\n"); printf("examples:\n"); printf("\tmetin2fileextractor \"C:\\Program Files\\Subagames\\Metin2\\pack\" BGM\n"); printf("\tmetin2fileextractor \"C:\\Program Files\\Subagames\\Metin2\\pack\" PC\n"); printf("\tmetin2fileextractor \"C:\\Program Files\\Metin2_Germany\\pack\" ETC\n"); printf("\tmetin2fileextractor \"C:\\Program Files\\Metin2_Germany\\pack\" root\n"); system("pause"); return -1; std::string safecheck = argv[2]; if(safecheck.find_first_of("!@#$%^&*()+=[] \\:\";\'<>?,./")!= std::string::npos) printf("error: The Archive title (%s) contains invalid characters. The program will now exit.\n", argv[2]); return -1; printf("beginning the archive dump. Please be patient while it finishes.\n\n"); bool result = DumpArchive(argv[1], argv[2]); if(result == true)

2 printf("the archive dump was successful!\n"); else printf("the archive dump was not successful.\n"); printf("thank you for using the Metin2 File Extractor!\n"); system("pause"); return 0; // The expected magic header value #define LZ_KEY 0x5A4F434D struct TEntry1 DWORD index; char filename[160]; DWORD dw1; DWORD dw2; DWORD dw3; DWORD dwsrcsize; DWORD unpackedcrc; DWORD dwfileoffset; BYTE packedtype; BYTE b2; BYTE b3; BYTE b4; ; struct TEntry2 DWORD header; DWORD decryptedblocksize; DWORD compressedblocksize; DWORD decompressedblocksize; ; struct TEntry3 DWORD header; DWORD version; DWORD filecount; ; // For decompressing (ripped from client) BYTE glzodata[] = 0xB9, 0x9E, 0xB0, 0x02, 0x6F, 0x69, 0x81, 0x05, 0x63, 0x98, 0x9B, 0x28, 0x79, 0x18, 0x1A, 0x00, ; // For decrypting (ripped from client) BYTE glzodata2[] = 0x22, 0xB8, 0xB4, 0x04, 0x64, 0xB2, 0x6E, 0x1F, 0xAE, 0xEA, 0x18, 0x00, 0xA6, 0xF6, 0xFB, 0x1C, ;

3 // Utility decompress function declspec(naked) void ASM_LZO_FUNC1() asm MOV EDX, DWORD PTR SS:[ESP + 0x08] MOV ECX, DWORD PTR SS:[ESP + 0x04] PUSH EBX PUSH EBP PUSH ESI MOV ESI, DWORD PTR SS:[ESP + 0x18] PUSH EDI MOV EAX, 0xC6EF3720 MOV EDI, 0x20 LEA EBX, DWORD PTR DS:[EBX] LABEL1: MOV EBX, EDX SHR EBX, 0x5 MOV EBP, EDX SHL EBP, 0x4 XOR EBX, EBP MOV EBP, EAX SHR EBP, 0x0B AND EBP, 0x03 MOV EBP, DWORD PTR DS:[ESI + EBP * 0x04] ADD EBP, EAX ADD EBX, EDX XOR EBX, EBP SUB ECX, EBX MOV EBX, ECX SHR EBX, 0x05 MOV EBP, ECX SHL EBP, 0x04 XOR EBX, EBP ADD EAX, 0x61C88647 MOV EBP, EAX AND EBP, 0x03 MOV EBP, DWORD PTR DS:[ESI + EBP * 0x04] ADD EBX, ECX ADD EBP, EAX XOR EBX, EBP SUB EDX, EBX DEC EDI JNZ LABEL1 MOV EAX, DWORD PTR SS:[ESP + 0x20] POP EDI POP ESI POP EBP MOV DWORD PTR DS:[EAX], EDX MOV DWORD PTR DS:[EAX + 0x04], ECX POP EBX RETN // Decompress function in the client declspec(naked) void ASM_LZO_CHECKKEY() asm MOV EAX,DWORD PTR SS:[ESP + 0x10] MOV ECX, EAX AND ECX, 0x JNG LABEL1 DEC ECX OR ECX, 0xFFFFFFF8

4 INC ECX LABEL1: JE LABEL2 SUB EAX, ECX ADD EAX, 8 MOV DWORD PTR SS:[ESP + 0x10],EAX JMP LABEL3; LABEL2: MOV DWORD PTR SS:[ESP + 0x10],EAX LABEL3: PUSH EBX MOV EBX, EAX SAR EBX, 0x03 TEST EBX, EBX JLE LABEL5 PUSH EBP //MOV EBP, lzodata MOV EBP, [ESP + 0x14] PUSH ESI //MOV ESI, indata MOV ESI, [ESP + 0x14] PUSH EDI //MOV EDI, outbuffer MOV EDI, [ESP + 0x14] LABEL4: MOV EAX,DWORD PTR DS:[ESI] MOV ECX,[ESI + 0x04] PUSH EDI PUSH EBP PUSH EAX PUSH ECX CALL ASM_LZO_FUNC1 ADD ESP, 0x10 ADD EDI, 0x08 ADD ESI, 0x08 DEC EBX JNZ LABEL4 MOV EAX,DWORD PTR SS:[ESP + 0x20] POP EDI POP ESI POP EBP LABEL5: POP EBX RET // Wrapper function to decompress data int LZObject_CheckKey(LPBYTE outbuffer, LPBYTE indata, LPBYTE lzodata, DWORD dwsize) int result = 1; asm mov edx, dwsize mov ecx, indata sub ecx, 4 mov eax, lzodata mov edi, outbuffer push edx

5 push eax push ecx push edi call ASM_LZO_CHECKKEY MOV EDX, DWORD PTR DS:[EDI] MOV EAX, LZ_KEY ADD ESP, 0x10 CMP EDX, EAX JE LABEL1 mov result, 0 LABEL1: NOP return result; // Ripped from the client via OllyDbg. It was tedious, but simple work since // you can set labels in OllyDbg for the new jump locations. declspec(naked) void ASM_LZO_DECOMPRESS() asm MOV EAX,DWORD PTR SS:[ESP+0x08] PUSH EBX MOV EBX,DWORD PTR SS:[ESP+0x14] PUSH EBP PUSH ESI MOV ESI,DWORD PTR SS:[ESP+0x10] MOV DWORD PTR DS:[EBX],0x00 PUSH EDI MOV CL,BYTE PTR DS:[ESI] LEA EBP,DWORD PTR DS:[ESI+EAX] MOV EAX,DWORD PTR SS:[ESP+0x1C] CMP CL,0x11 JBE label1 AND ECX,0xFF SUB ECX,0x11 CMP ECX,0x04 JB label2 label3: MOV DL,BYTE PTR DS:[ESI] DEC ECX JNZ label3 JMP label4 label1: XOR ECX,ECX MOV CL,BYTE PTR DS:[ESI] CMP ECX,0x10 JNB label5 TEST ECX,ECX JNZ label6 CMP BYTE PTR DS:[ESI],0x00 JNZ label7 label8: MOV DL,BYTE PTR DS:[ESI+0x01] ADD ECX,0xFF TEST DL,DL JE label8

6 label7: XOR EDX,EDX MOV DL,BYTE PTR DS:[ESI] LEA ECX,DWORD PTR DS:[ECX+EDX+0x0F] label6: MOV EDX,DWORD PTR DS:[ESI] ADD ESI,0x04 MOV DWORD PTR DS:[EAX],EDX ADD EAX,0x04 DEC ECX // Switch (cases 1..4) JE label4 CMP ECX,0x04 JB label9 label10: MOV EDX,DWORD PTR DS:[ESI] // Default case of switch 0055BACA SUB ECX,0x04 MOV DWORD PTR DS:[EAX],EDX ADD EAX,0x04 ADD ESI,0x04 CMP ECX,0x04 JNB label10 TEST ECX,ECX JBE label4 label11: MOV DL,BYTE PTR DS:[ESI] DEC ECX JNZ label11 JMP label4 label9: MOV DL,BYTE PTR DS:[ESI] // Cases 2,3,4 of switch 0055BACA DEC ECX JNZ label9 label4: XOR ECX,ECX // Case 1 of switch 0055BACA MOV CL,BYTE PTR DS:[ESI] CMP ECX,0x10 JNB label5 SHR ECX,0x02 MOV EDX,EAX SUB EDX,ECX XOR ECX,ECX MOV CL,BYTE PTR DS:[ESI] SHL ECX,0x02 SUB EDX,ECX MOV CL,BYTE PTR DS:[EDX-0x801] SUB EDX,0x0801 MOV BYTE PTR DS:[EAX],CL INC EDX lable28: MOV CL,BYTE PTR DS:[EDX] MOV BYTE PTR DS:[EAX],CL MOV DL,BYTE PTR DS:[EDX+0x01] label14: MOV CL,BYTE PTR DS:[ESI-0x02] AND ECX,0x03

7 JE label1 label2: MOV DL,BYTE PTR DS:[ESI] DEC ECX JNZ label2 XOR ECX,ECX MOV CL,BYTE PTR DS:[ESI] label5: CMP ECX,0x40 // Switch (cases 0..3F) JB label12 MOV EDX,ECX // Default case of switch label5 MOV EDI,EAX SHR EDX,0x02 AND EDX,0x07 SUB EDI,EDX XOR EDX,EDX MOV DL,BYTE PTR DS:[ESI] SHL EDX,0x03 SUB EDI,EDX DEC EDI SHR ECX,0x05 DEC ECX label25: MOV DL,BYTE PTR DS:[EDI] MOV DL,BYTE PTR DS:[EDI+0x01] INC EDI INC EDI label13: MOV DL,BYTE PTR DS:[EDI] INC EDI DEC ECX JNZ label13 JMP label14 label12: CMP ECX,0x20 JB label15 AND ECX,0x1F // Cases 20,21,22,23,24,25,26,27,28,29,2A,2B,2C,2D,2E,2F,30,31,32,33,34,35,36,37,38,39,3A,3B,3C,3D,3E,3F of switch label5 JNZ label16 CMP BYTE PTR DS:[ESI],0 JNZ label17 label18: MOV DL,BYTE PTR DS:[ESI+0x01] ADD ECX,0xFF TEST DL,DL JE label18 label17: XOR EDX,EDX MOV DL,BYTE PTR DS:[ESI] LEA ECX,DWORD PTR DS:[ECX+EDX+0x1F] label16: XOR EDX,EDX MOV EDI,EAX MOV DX,WORD PTR DS:[ESI]

8 SHR EDX,0x02 SUB EDI,EDX DEC EDI ADD ESI,0x02 JMP label19 label15: CMP ECX,0x10 JB label20 MOV EDX,ECX // Cases 10,11,12,13,14,15,16,17,18,19,1A,1B,1C,1D,1E,1F of switch label5 MOV EDI,EAX AND EDX,0x08 SHL EDX,0x0B SUB EDI,EDX AND ECX,0x07 JNZ label21 CMP BYTE PTR DS:[ESI],0x00 JNZ label22 label23: MOV DL,BYTE PTR DS:[ESI+0x01] ADD ECX,0xFF TEST DL,DL JE label23 label22: XOR EDX,EDX MOV DL,BYTE PTR DS:[ESI] LEA ECX,DWORD PTR DS:[ECX+EDX+0x07] label21: XOR EDX,EDX MOV DX,WORD PTR DS:[ESI] ADD ESI,0x02 SHR EDX,0x02 SUB EDI,EDX CMP EDI,EAX JE label24 SUB EDI,0x4000 label19: CMP ECX,0x06 JB label25 MOV EDX,EAX SUB EDX,EDI CMP EDX,0x04 JL label25 MOV EDX,DWORD PTR DS:[EDI] ADD EDI,0x04 MOV DWORD PTR DS:[EAX],EDX ADD EAX,0x04 SUB ECX,0x02 label26: MOV EDX,DWORD PTR DS:[EDI] SUB ECX,0x04 MOV DWORD PTR DS:[EAX],EDX ADD EAX,0x04 ADD EDI,0x04 CMP ECX,0x04 JNB label26 TEST ECX,ECX JBE label14 label27: MOV DL,BYTE PTR DS:[EDI] INC EDI DEC ECX JNZ label27 JMP label14 label20:

9 SHR ECX,0x02 // Cases 0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F of switch label5 MOV EDX,EAX SUB EDX,ECX XOR ECX,ECX MOV CL,BYTE PTR DS:[ESI] SHL ECX,0x02 SUB EDX,ECX DEC EDX JMP lable28 label24: MOV ECX,DWORD PTR SS:[ESP+0x1C] SUB EAX,ECX CMP ESI,EBP MOV DWORD PTR DS:[EBX],EAX JNZ label29 POP EDI POP ESI POP EBP XOR EAX,EAX POP EBX RETN label29: SBB EAX,EAX POP EDI AND AL,0xFC POP ESI POP EBP ADD EAX, -4 POP EBX RETN // Decompress wrapper function void LZObject_Decompress(LPBYTE src, DWORD srclen, LPBYTE dst, DWORD * ptrnewlen, void * workmemory) asm MOV EDI, src MOV EAX, dst push workmemory MOV EDX, ptrnewlen push EDX MOV EDX, srclen PUSH EAX PUSH EDX ADD EDI, 4 PUSH EDI call ASM_LZO_DECOMPRESS ADD ESP, 0x14 TEST EAX, EAX JE LABEL1 INT 3 // Error, don't continue LABEL1: NOP // Tokenizes a string into a vector std::vector<std::string> TokenizeString(const std::string& str, const std::string& delim) //

10 using namespace std; vector<string> tokens; size_t p0 = 0, p1 = string::npos; while(p0!= string::npos) p1 = str.find_first_of(delim, p0); if(p1!= p0) string token = str.substr(p0, p1 - p0); tokens.push_back(token); p0 = str.find_first_not_of(delim, p1); return tokens; // Saves the file to a specific folder based on the path. The root // directory I choose to use is named 'output'. void SaveFile(const char * originalfilename, LPBYTE outbuffer, DWORD outbuffersize) std::stringstream dirpath; std::vector<std::string> pathtokens = TokenizeString(originalFilename, "\\/"); dirpath << "output"; CreateDirectoryA(dirPath.str().c_str(), NULL); dirpath << "\\"; size_t index = 0; for(index = 0; index < pathtokens.size() - 1; ++index) if(pathtokens[index].find_first_of(":")!= std::string::npos) continue; dirpath << pathtokens[index]; CreateDirectoryA(dirPath.str().c_str(), NULL); dirpath << "\\"; dirpath << pathtokens[index]; FILE * of = fopen(dirpath.str().c_str(), "wb"); if(of) fwrite(outbuffer, 1, outbuffersize, of); fclose(of); else printf("could not save the file %s\n", dirpath.str().c_str()); // Dumps a complete archive. I have combined two sets of logic for this, // but you can separate them if you want a more unique tool that allows // you to extract individual files or explore the contents. bool DumpArchive(const char * infolder, const char * name) HANDLE eixhandle = INVALID_HANDLE_VALUE; HANDLE epkhandle = INVALID_HANDLE_VALUE; SECURITY_ATTRIBUTES eixsecurity = 0; SECURITY_ATTRIBUTES epksecurity = 0; DWORD eixfilesize = 0; DWORD epkfilesize = 0; HANDLE eixfilemapping = NULL; HANDLE epkfilemapping = NULL;

11 LPBYTE eixfilebufferptr = NULL; LPBYTE epkfilebufferptr = NULL; bool bwaserror = false; std::string eixname_ = infolder; if(!(eixname_[eixname_.size() - 1] == '\\' eixname_[eixname_.size() - 1] == '/')) eixname_ += "\\"; eixname_ += name; eixname_ += ".eix"; std::string epkname_ = infolder; if(!(epkname_[epkname_.size() - 1] == '\\' epkname_[epkname_.size() - 1] == '/')) epkname_ += "\\"; epkname_ += name; epkname_ += ".epk"; const char * eixname = eixname_.c_str(); const char * epkname = epkname_.c_str(); eixsecurity.nlength = sizeof(security_attributes); eixsecurity.binherithandle = TRUE; eixsecurity.lpsecuritydescriptor = NULL; epksecurity.nlength = sizeof(security_attributes); epksecurity.binherithandle = TRUE; epksecurity.lpsecuritydescriptor = NULL; // Open the files to access while(bwaserror == false) eixhandle = CreateFileA(eixName, GENERIC_READ, FILE_SHARE_READ, &eixsecurity, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); if(eixhandle == INVALID_HANDLE_VALUE) printf("could not open the %s file. The program will now exit.\n", eixname); epkhandle = CreateFileA(epkName, GENERIC_READ, FILE_SHARE_READ, &epksecurity, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); if(epkhandle == INVALID_HANDLE_VALUE) printf("could not open the %s file. The program will now exit.\n", epkname); // All done now // Create the access handles for reading the files while(bwaserror == false) // We need to store the size of the file for file mapping eixfilesize = GetFileSize(eixHandle, NULL); if(eixfilesize == INVALID_FILE_SIZE) DWORD dwerror = GetLastError(); if(dwerror!= NO_ERROR) printf("there was an error [%i] getting the file size of the %s file. The program will now exit.\n", dwerror, eixname);

12 // We need to store the size of the file for file mapping epkfilesize = GetFileSize(epkHandle, NULL); if(epkfilesize == INVALID_FILE_SIZE) DWORD dwerror = GetLastError(); if(dwerror!= NO_ERROR) printf("there was an error [%i] getting the file size of the %s file. The program will now exit.\n", dwerror, epkname); // Create a file mapping object eixfilemapping = CreateFileMapping(eixHandle, NULL, PAGE_READONLY, 0, eixfilesize, NULL); if(eixfilemapping == 0) printf("could not create a file mapping object for the %s file. The program will now exit.\n", eixname); // Create a file mapping object epkfilemapping = CreateFileMapping(epkHandle, NULL, PAGE_READONLY, 0, epkfilesize, NULL); if(epkfilemapping == 0) printf("could not create a file mapping object for the %s file. The program will now exit.\n", epkname); // Create a file mapping view eixfilebufferptr = reinterpret_cast<lpbyte>(mapviewoffile(eixfilemapping, FILE_MAP_READ, 0, 0, eixfilesize)); if(eixfilebufferptr == 0) printf("could not create a view of the the %s file. The program will now exit.\n", eixname); // Create a file mapping view epkfilebufferptr = reinterpret_cast<lpbyte>(mapviewoffile(epkfilemapping, FILE_MAP_READ, 0, 0, epkfilesize)); if(epkfilebufferptr == 0) printf("could not create a view of the the %s file. The program will now exit.\n", epkname); // All done now // Now we need to verify the files we just loaded while(bwaserror == false) // We need at least 12 bytes if(eixfilesize < 0x0C) printf("the file size for the %s file is too small. The program will now exit.\n", eixname);

13 // Verify the header LPDWORD eixheader = reinterpret_cast<lpdword>(eixfilebufferptr); if(*eixheader!= 0x444B5045) // Some hard coded check // Important: This value is read from the client itself. If the client updates, this value // would need to be updated as well if it ever changed. if(*eixheader!= LZ_KEY) printf("the file header for the %s file is incorrect. The program will now exit.\n", eixname); // Get a file header pointer from the buffer TEntry2 * eixheader = (TEntry2 *)eixfilebufferptr; // Store a pointer to the encrypted data LPBYTE eixdatabuffer = eixfilebufferptr + 0x14; // We don't care about this check because we will create the // buffers ourselves in dynamic memory. The game wants to be as // efficient as possible though. if(eixheader->decompressedblocksize <= 0x10000) // Allocate space for the decompressed buffer LPBYTE decompressedbuffer = new BYTE[eixHeader->decompressedBlockSize]; memset(decompressedbuffer, 0, eixheader->decompressedblocksize); // If the contents of the file are not encrypted (no test data yet) // So, not going to add the implementation at this time. if(eixheader->decryptedblocksize == 0) printf("[todo] -- eixheader of %s is not encrypted!\n", eixname); delete [] decompressedbuffer; // We don't care about this check because we will create the // buffers ourselves in dynamic memory. The game wants to be as // efficient as possible though. if(eixheader->decryptedblocksize < 0x2000) // Create a buffer to decrypt the contents of the exi header into LPBYTE compressedbuffer = new BYTE[eixHeader->decryptedBlockSize]; memset(compressedbuffer, 0, eixheader->decryptedblocksize); // Try to decrypt the data int result = LZObject_CheckKey(compressedBuffer, eixdatabuffer, glzodata, eixheader- >decryptedblocksize); if(result == 0) delete [] decompressedbuffer; delete [] compressedbuffer; printf("there was an error decrypting the data of the %s file. The program will now exit.\n", eixname);

14 // Try to decompress the data now DWORD finalsize = 0; LZObject_Decompress(compressedBuffer, eixheader->compressedblocksize, decompressedbuffer, &finalsize, 0); // Make sure the file size matches if(finalsize!= eixheader->decompressedblocksize) delete [] decompressedbuffer; delete [] compressedbuffer; printf("there was an error decompressing the data of the %s file. The program will now exit.\n", eixname); // Get a pointer to the new file header TEntry3 * entry3 = (TEntry3 *)decompressedbuffer; // Check the file version if(entry3->version!= 2) delete [] decompressedbuffer; delete [] compressedbuffer; printf("the version of the %s file is incorrect. Expected (%i) Actual (%i). The program will now exit.\n", eixname, 2, entry3->version); // Make sure we have a match in the number of entries and the expected block size if(finalsize!= (((entry3->filecount + entry3->filecount * 2) << 0x06) + 0x0C)) delete [] decompressedbuffer; delete [] compressedbuffer; printf("the pack index file size of the %s file is incorrect. The program will now exit.\n", eixname); // Store a pointer to the block of data LPBYTE decompressedblock = decompressedbuffer + 0x0C; // If we have files to process if(entry3->filecount > 0) // Build a filename for our dump file std::string dumpfilename = eixname; dumpfilename = dumpfilename.substr(1 + dumpfilename.find_last_of("\\/")); dumpfilename = dumpfilename.substr(0, dumpfilename.find_first_of(".")); dumpfilename += "_dump.txt"; // Create the output file for the eix header dump FILE * of = fopen(dumpfilename.c_str(), "w"); if(of == 0) printf("there was an error creating the %s file. The header data will not be dumped.\n", dumpfilename.c_str()); // Loop through all of the files for(dword x = 0; x < entry3->filecount; ++x) // Create a pointer to the file entry block TEntry1 * pentry = (TEntry1 *)decompressedblock; // Make sure there is a value here if(pentry->dw2 == 0)

15 printf("no dw2 field set for the file %s\n", pentry->filename); continue; >b4); // Simple entry dump if(of) fprintf(of, "%i. ", pentry->index); fprintf(of, "%s\n", pentry->filename); fprintf(of, "[%.8X]", pentry->dw1); fprintf(of, "[%.8X]", pentry->dw2); fprintf(of, "[%.8X]", pentry->dw3); fprintf(of, "[%.8X]", pentry->dwsrcsize); fprintf(of, "[%.8X]", pentry->unpackedcrc); fprintf(of, "[%.8X]", pentry->dwfileoffset); fprintf(of, "[%.2X %.2X %.2X %.2X]", pentry->packedtype, pentry->b2, pentry->b3, pentry- fprintf(of, "\n"); // Not compressed, no extra header if(pentry->packedtype == 0) SaveFile(pEntry->filename, epkfilebufferptr + pentry->dwfileoffset, pentry->dwsrcsize); // Header and compressed/encrypted else // Decompress if(pentry->packedtype == 1) // Calculate the data pointer to the entry data block LPBYTE pdataptr = epkfilebufferptr + pentry->dwfileoffset; // Get a pointer to the header for this block TEntry2 * pentryheader = (TEntry2*)pDataPtr; LZ_KEY, h); // Make sure the header is correct DWORD h = *(reinterpret_cast<lpdword>(pdataptr)); if(h!= LZ_KEY) printf("the header for %s is incorrect. Expected (%x) Actual (%x).\n", pentry->filename, continue; // Allocate memory for the uncompressed data LPBYTE uncompresseddata = new BYTE[pEntryHeader->decompressedBlockSize]; memset(uncompresseddata, 0, pentryheader->decompressedblocksize); // Decompress the data LZObject_Decompress(pDataPtr + 16, pentryheader->compressedblocksize, uncompresseddata, &finalsize, 0); // Make sure the operation went right if(finalsize!= pentryheader->decompressedblocksize) printf("file size for %s differs from expected. Expected (%i) Actual (%i).\n", pentry- >filename, pentryheader->decompressedblocksize, finalsize); else SaveFile(pEntry->filename, uncompresseddata, pentryheader- >decompressedblocksize);

16 // Cleanup now delete [] uncompresseddata; // Decrypt + Decompress else if(pentry->packedtype == 2) // Calculate the data pointer to the entry data block LPBYTE pdataptr = epkfilebufferptr + pentry->dwfileoffset; // Get a pointer to the header for this block TEntry2 * pentryheader = (TEntry2*)pDataPtr; LZ_KEY, h); DWORD h = *(reinterpret_cast<lpdword>(pdataptr)); if(h!= LZ_KEY) printf("the header for %s is incorrect. Expected (%x) Actual (%x).\n", pentry->filename, continue; // Create a buffer for the decrypted data LPBYTE decrypteddata = new BYTE[pEntryHeader->decryptedBlockSize]; memset(decrypteddata, 0, pentryheader->decryptedblocksize); // Decrypt the data int result = LZObject_CheckKey(decryptedData, pdataptr + 20, glzodata2, pentryheader- >decryptedblocksize); if(result == 0) printf("there was an error decrypting the data for the %s file. It will be skipped.\n", pentry->filename); delete [] decrypteddata; continue; // Create a buffer for the final uncompressed data LPBYTE uncompresseddata = new BYTE[pEntryHeader->decompressedBlockSize]; memset(uncompresseddata, 0, pentryheader->decompressedblocksize); // Decompress LZObject_Decompress(decryptedData, pentryheader->compressedblocksize, uncompresseddata, &finalsize, 0); // Make sure the file sizes match if(finalsize!= pentryheader->decompressedblocksize) printf("file size for %s differs from expected. Expected (%i) Actual (%i)\n", pentry- >filename, pentryheader->decompressedblocksize, finalsize); else SaveFile(pEntry->filename, uncompresseddata, pentryheader- >decompressedblocksize); // Cleanup now delete [] decrypteddata; delete [] uncompresseddata; decompressedblock += 0xC0; // next block // Close our output file for the header dump file if(of) fclose(of);

17 // Cleanup delete [] decompressedbuffer; delete [] compressedbuffer; else // If we get here, we are using an unsupported type of file that // was not accessible at the time this tool was written. printf("[todo] -- if(*eixheader!= 0x444B5045)\n"); // All done now // Cleanup if(eixfilemapping!= 0) CloseHandle(eixFileMapping); if(epkfilemapping!= 0) CloseHandle(epkFileMapping); if(eixhandle!= INVALID_HANDLE_VALUE) CloseHandle(eixHandle); if(epkhandle!= INVALID_HANDLE_VALUE) CloseHandle(epkHandle); // Return the status return (bwaserror == false);

Data Exfiltration Techniques

Data Exfiltration Techniques Introduction In this article we will see how malware encode or encrypt data that s exfiltrated to the Command and Control Server from infected machines. This is often done