Proprietary Compression (Forums: Brainstorms - General)

Topic created on: March 5, 2007 17:46 CST by MIPs.

So I read through the article on reversing a file format (very good article), but what if the file doesn't use any known compression? I've got most of the header figured out, but where should I go from here? Is there anything I should be on the lookout for?

P.S. The files I'm using to compare are very small (100kb). I can post them if you would like to see what I'm working with and want to give me some hints.

Here are the knowns/unknowns

Header:
0x00 - 0x03(word)      = PKG tag
0x04 - 0x07(word)      = Unknown ???
0x08 - 0x0B(word)      = 0xC0 - Size of header(0x00 - 0xBF)
0x0C - 0x0F(word)      = Unknown ???
0x10 - 0x13(word)      = size of (footer/key)?? at end of data starting @ 0x100
0x14 - 0x17(word)      = Unknown ???
0x18 - 0x1F(Dword)     = Size of file
0x20 - 0x27(Dword)     = Unknown ???
0x28 - 0x2F(Dword)     = Size of data @ 0x100 - 0x80 byte footer.
0x30 - 0x5F(String)    = Game ID...zero padded
0x60 - 0xBF(Data)      = First block of Encrypted/Compressed data. 0x60(96) bytes

0xC0 - 0xC3(word)      = Unknown ???
0xC4 - 0xC7(word)      = Unknown ???
0xC8 - 0xCB(word)      = Unknown ???
0xCC - 0xCF(word)      = Unknown ???

0xD0 - 0xD3(word)      = Unknown ???
0xD4 - 0xD7(word)      = Unknown ???
0xD8 - 0xDB(word)      = Unknown ???
0xDC - 0xDF(word)      = Unknown ???

0xE0 - 0xE3(word)      = Unknown ???
0xE4 - 0xE7(word)      = Unknown ???
0xE8 - 0xEB(word)      = Unknown ???
0xEC - 0xF3(Dword)     = Size of data @ 0x100 - 0x80 byte footer.
0xF4 - 0xFF()          = Zero pad???
0x100                  = Start of data.
@EOF                   = SHA-1 Value

Files:
http://www.wikiupload.com/download_page.php?id=97160

  drew     March 5, 2007 22:09.00 CST
Posting files can only help us answer your question.  (Just a reminder to all, please respect others' copyrights.)

  igorsk     March 6, 2007 03:19.31 CST
Check also this.

  MIPs   March 6, 2007 14:53.25 CST
Thnx for the link igorsk.  I'm reading now. Don't know why I didn't run across this while searching.

Links in first thread

  dotVoid   March 6, 2007 15:17.30 CST
hi MIPs,

Perhaps I misunderstand, but are you trying to reverse the PKG file format?

  MIPs   March 6, 2007 16:22.44 CST
Hey dotVoid,

Yes you are correct.  If you take a look at the files I uploaded you'll see 2 encrypted/compressed blocks of data and a zero padded SHA-1 id at the EOF.  

I have made some more progress as far as figuring out what a few more of the header values mean.  After that I'm stuck though.  If it turns out to be encryption, are all hopes lost in figuring out the structure and contents of the file?  Or is there more I can learn and do.  

P.S. If anyone looks at the file and finds it extremely easy, lol, please don't post and spoil it for me. Feel free to leave me a hint though. This is practice for me. I'll post a list of knowns in the first post in a sec. I have to compile a neater list from my scribble. ^_^ Thnx in advance.

  dotVoid   March 6, 2007 18:01.14 CST
From the information that you posted above, I believe you're working on PS3 PKG files (correct me if I'm wrong). While I can't help with the format, I recommend reversing the program that knows how to handle those PKG files and trying to understand what type of encryption and compression are being used.

There is a great plug-in for IDA that can determine if a well-known encryption is used. As for the compression, I guess you need to reverse the code and figure it out by yourself.

Edit: Just to let you know, I have just finished a project where I was requested to reverse engineer a proprietary format. Fortunately, the encryption that was used is well-known, but I had to reverse from scratch both compressions.

  MIPs   March 6, 2007 18:25.55 CST
Yes, you are correct. I tried using FindCrypt in IDA but it didn't pop up a window saying it found anything, so.... I guess I'm out of luck then because I don't have access to any program that can handle the format. It's all on the PS3. Thanks for the input.

  aeppert     March 6, 2007 19:33.22 CST
FindCrypt doesn't pop up a Window, it prints in the output window at the bottom of the screen and uses IDA bookmarks to delimit where it found crypto.

  MIPs   March 6, 2007 20:14.40 CST
> aeppert: FindCrypt doesn't pop up a Window, it prints in the output window at the bottom of the screen and uses IDA bookmarks to delimit where it found crypto.

According to a screenshot posted on the blog it does. But either way, I got no results. It's funny because someone has confirmed the use of SHA-1. And you can see the value at the end. But FindCrypt still doesn't pick up on it.

  dennis     March 7, 2007 01:49.03 CST
> MIPs: > But FindCrypt doesn't pick up on it.

tried pressing CTRL-M in IDA ?

  MIPs   March 7, 2007 05:47.52 CST
> dennis: > MIPs: > But FindCrypt doesn't pick up on it.
>
> tried pressing CTRL-M in IDA ?

Yup, tried it. I'm not getting anything. Maybe they're using their own encryption and compression. Or I'm doing something wrong. Has anyone looked at the files? Links in first post. ^_-

  dennis     March 7, 2007 06:09.56 CST
These pkg files are data files, no? Or do they contain any code? Which files do you use IDA on?

  dotVoid   March 7, 2007 12:55.10 CST
MIPs,

I'm not entirely familiar with the gaming world, but perhaps there's a program for PC that converts one format to PS3 PKG format or vice versa? You can then reverse x86 assembly rather than ARM (if you reverse PS3 files).

Anyway, make sure you run FindCrypt on the executable and not the data files.

  MIPs   March 7, 2007 14:30.09 CST
> dennis: These pkg files are data files, no? Or do they contain any code? Which files do you use IDA on?

As far as I can tell you won't see any code till you can get to the contents inside. When put into IDA, it's like looking at a WinRAR archive, just without the readable strings.

These .pkg's are what I'm putting into IDA. The .pkg files I posted are just license files, so they probably just contain a text file; that's why they are so small and contain a huge zero pad. I do have freely obtainable demo.pkg's that contain a demo game, but the format is essentially the same (just a bigger data section), so I posted these smaller files instead.

My assumption is that PKG is an archiving format and my ultimate goal is to be able to extract the contents. Even though I haven't found any concrete evidence of encryption yet (besides no readable text), there have been guesses that the first small data block @ 0x60 is a key or signature.

  dotVoid   March 7, 2007 15:02.57 CST
MIPs,

You cannot run FindCrypt on those PKG files directly. FindCrypt searches for patterns inside the binary code. If you have a program that knows how to handle those PKG files, you should load it in IDA and run FindCrypt.

It is nearly impossible to understand proprietary compression/encryption if you don't have a program that can read the files.
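
As an added illustration of dotVoid's point (not code from the thread, nor FindCrypt's own code): a constant scan of the kind FindCrypt performs finds the SHA-1 initialisation words in code that implements the hash, but finds nothing in a data file that merely stores a digest. Both blobs below are constructed stand-ins.

```python
import hashlib
import struct

# SHA-1 initial state words (FIPS 180-4). Code that implements SHA-1 embeds
# them; a SHA-1 *digest* stored in a data file does not contain them.
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def find_sha1_constants(buf):
    """Offsets where the five IV words sit back to back, in either byte order.

    Caveat: a compiler may emit the words as separate immediates rather than
    one table, so a miss here does not prove SHA-1 is absent from the code.
    """
    hits = []
    for endian in ("big", "little"):
        needle = struct.pack((">" if endian == "big" else "<") + "5I", *SHA1_IV)
        pos = buf.find(needle)
        while pos != -1:
            hits.append((pos, endian))
            pos = buf.find(needle, pos + 1)
    return hits

def sample_code_blob():
    """Constructed stand-in for an executable that keeps the IV in a table."""
    return b"\x90" * 16 + struct.pack(">5I", *SHA1_IV) + b"\xcc" * 8

def sample_data_blob():
    """Constructed stand-in for a .pkg tail: a digest, zero-padded, no code."""
    return hashlib.sha1(b"constructed payload").digest().ljust(0x80, b"\0")
```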

  MIPs   March 7, 2007 15:38.13 CST
> dotVoid: MIPs,
>
> You cannot run FindCrypt on those PKG files directly. FindCrypt searches for patterns inside the binary code. If you have a program that knows how to handle those PKG files, you should load it in IDA and run FindCrypt.
>
> It is nearly impossible to understand proprietary compression/encryption if you don't have a program that can read the files.

Damn, that's what I was afraid of. Well, currently there is no access to a file that can handle .pkg types because it all exists on the PS3 itself. I guess this is a lost cause for now, and it's time to switch focus. Ah well, thanks for letting me pick you guys' brains. It's been informative.

Any other suggestions or opinions are still welcome.

  illizit     April 3, 2007 14:38.25 CDT
MIP's,

I just stumbled across this board and hopefully I won't look like an idiot...lol

But isn't the PS3 PPC based? If so, then why are you using x86 architecture to try to decrypt the pkg's? Not to mention that it's 64-bit as well.
Hope this helps. (if it even makes sense)

  Alexy     April 20, 2007 14:32.10 CDT
> illizit: MIP's,
>
> I just stumbled across this board and hopefully I won't look like an idiot...lol
>
> But isn't the PS3 PPC based? If so, then why are you using x86 architecture to try to decrypt the pkg's? Not to mention that it's 64-bit as well.
> Hope this helps. (if it even makes sense)

Yep, it is.
You are right, it is PPC, and also if you check about the file extension on the web you will find out that it is an OS X installation file ;)
So for whoever knows and owns a Mac, maybe he can do something with it to uncompress the file.
