Commandos 2 and 3 PCK File Format Table
Produced by 地狱门神 (F.R.C.)
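| Data area | Data block | Field | Data type | Length | Description | Sample data |
|---|---|---|---|---|---|---|
| Header DA | File DB | Name | String | 36 | File name | 44415441 (DATA) |
| | | Type | Int32 | 4 | 0 for a file, 1 for a folder, 0xFF for the end of a folder | 00000000 / 01000000 / FF000000 |
| | | Length | Int32 | 4 | 0xFFFFFFFF for a folder | DA2E0000 |
| | | Address | Int32 | 4 | Address of the file data; for a folder, the address of the File DB of its first file | |
| | | | | | There are many File DBs. A folder is formed by pairing the folder's own File DB with a special File DB whose Name is empty, whose Type is 0xFF, and whose Length and Address are both 0xFFFFFFFF | |
| Data DA | Data DB | | | | File data, aligned with 2048 bytes as the smallest unit. In Commandos 3 this part is lightly XOR-encrypted | |
| | | | | | There are many Data DBs | |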
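Notes:
1. All integer data types are little-endian.
2. Folder pairing: a folder and its end-of-folder marker are paired like nested brackets, which differs from the DIR file of Commandos 1. That is: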
DATA{
PARGLOBAL.DAT
VAR.DAT
ANIMS{
ACTIVADOR.AN2
...
ABI{
...
}
}
...
}
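3. XOR encryption in Commandos 3:
Commandos 3 XORs the first byte of every 16 bytes of each file's data. The first key of each file is computed as follows:
The high nibble of the key is the second hexadecimal digit from the right of the offset; the low nibble is the value obtained by taking the offset mod 7 and converting it with the table below.
0-0 1-4 2-9 3-D 4-2 5-6 6-B
The key for the next row is the previous row's key with its high and low nibbles each incremented by 1 separately (if the low nibble's result is 7 or F, it is incremented by 1 again; the high and low nibbles overflow independently).
XORing the first byte of each row with that row's key yields the original file.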
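The File DB layout and the bracket-style folder pairing described above, as an added Python example that is not part of the original page. It assumes the directory starts at offset 0 with the root folder, that File DBs are stored back to back, and that Name is NUL-padded ASCII; the function names and the sample archive are constructed for illustration.

```python
import struct

# One File DB: Name (36 bytes), Type, Length, Address; integers little-endian.
ENTRY = struct.Struct("<36sIII")
T_FILE, T_DIR, T_END = 0, 1, 0xFF
NONE = 0xFFFFFFFF

def parse_directory(buf, start=0):
    """Walk File DBs from `start`; return [(path, length, address)] for files."""
    files, stack, pos = [], [], start
    while True:
        if pos + ENTRY.size > len(buf):
            raise ValueError("directory truncated at 0x%X" % pos)
        raw, typ, length, addr = ENTRY.unpack_from(buf, pos)
        name = raw.split(b"\0", 1)[0].decode("ascii", "replace")  # NUL padding assumed
        # Names come from the archive: refuse ones that could leave an output directory.
        if typ in (T_FILE, T_DIR) and (name in ("", ".", "..") or "/" in name or "\\" in name):
            raise ValueError("unsafe name at 0x%X" % pos)
        if typ == T_DIR:
            stack.append(name)                 # opening bracket
        elif typ == T_END:
            if not stack:
                raise ValueError("unpaired end-of-folder at 0x%X" % pos)
            stack.pop()                        # closing bracket
            if not stack:
                return files                   # root folder closed
        elif typ == T_FILE:
            if addr + length > len(buf):
                raise ValueError("data of %r lies outside the archive" % name)
            files.append(("/".join(stack + [name]), length, addr))
        else:
            raise ValueError("unknown Type 0x%X at 0x%X" % (typ, pos))
        pos += ENTRY.size

def build_sample():
    """Constructed archive: DATA{ VAR.DAT ANIMS{ ACTIVADOR.AN2 } }."""
    e = lambda n, t, l, a: ENTRY.pack(n.encode("ascii"), t, l, a)
    header = (e("DATA", T_DIR, NONE, 48) + e("VAR.DAT", T_FILE, 5, 2048) +
              e("ANIMS", T_DIR, NONE, 144) + e("ACTIVADOR.AN2", T_FILE, 3, 4096) +
              e("", T_END, NONE, NONE) + e("", T_END, NONE, NONE))
    blocks = [header, b"hello", b"abc"]        # each padded to 2048 bytes
    return b"".join(b.ljust(2048, b"\0") for b in blocks)

if __name__ == "__main__":
    for path, length, addr in parse_directory(build_sample()):
        print("%-28s %6d bytes at 0x%08X" % (path, length, addr))
```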
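Appendix:
Analysis of how the Commandos 3 XOR encryption was broken
DATA.PCK is used as the example.
Commandos 3 XORs the first byte of every 16 bytes of each file's data (the first thing that comes to mind in this situation).
Let x be the value used for the XOR, s the original data and t the encrypted data. Then
t = s Xor x
s = t Xor x
so we can obtain the key from
x = s Xor t
First: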
| Offset | Original data guessed from context | Encrypted data | Key |
|---|---|---|---|
| 00026000h | 5B | 56 | 0D |
| 00026010h | 20 | 3E | 1E |
| 000260B0h | 20 | | BA |
| | 42 | 42 | 00 |
| | 42 | 40 | 02 |
| 0002AAD0h | 74 | A1 | D5 |
| 0002AAE0h | 00 | E6 | E6 |
| 0002AAF0h | 61 | 99 | F8 |
| 0002AB00h | 72 | 7B | 09 |
| 0002AB10h | 2E | 34 | |
| 0002AB20h | | 44 | 2B |
| 0002AB30h | 35 | 09 | |
| 0002AB40h | 74 | 39 | 4D |
| 0002AB50h | 66 | 38 | 5E |
| 0002AB60h | 61 | 01 | 60 |
| 0002AB70h | 61 | 10 | 71 |
| 0002AB80h | 62 | E0 | 82 |
| | | | |
| 00026000h | 5B | 56 | 0D |
| 00026010h | 20 | 3E | 1E |
| 00026020h | | | 20 |
| 00026030h | 09 | 38 | 31 |
| 00026040h | | 1D | 42 |
| 00026050h | | | 53 |
| 00026060h | 20 | 44 | 64 |
| 00026070h | 50 | 25 | 75 |
| 00026080h | 20 | A6 | 86 |
| 00026090h | 4E | D6 | 98 |
| | 28 | 89 | A9 |
| | | | |
| 00029800h | 20 | 2E | 0D |
| 00029810h | 2D | 33 | 1E |
| 00029820h | 2D | 0D | 20 |
| 00029830h | 2D | | 31 |
| 00029840h | 2D | | 42 |
| 00029850h | 2D | 7E | 53 |
| | | | |
| | 42 | 42 | 00 |
| | 42 | 40 | 02 |
| 0002B000h | 42 | 46 | 04 |
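It can be seen that the high nibble of the key is the second hexadecimal digit from the right of the offset. Each key is the previous key with its high and low nibbles each incremented by 1 separately (if the low nibble's result is 7 or F, it is incremented by 1 again; the high and low nibbles overflow independently).
As for the low nibble of the key on the first row, the reasoning is as follows:
The key is very likely related to the file address or the file length.
Many files begin with BSMB (inherited from Commandos 2). We select the files that begin with *SMB, assume that the original data of * is B, compute the key (* Xor 42h), and sort; this gives the first two columns of the table below.
We then find that there are only 7 distinct keys. Taking the file address and the file length mod 7 gives the table below. A one-to-one correspondence between the file length mod 7 and the key can be seen, namely
0-0 1-4 2-9 3-D 4-2 5-6 6-B
This completes the analysis.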
| Offset | Key | File address mod 7 | File length mod 7 |
|---|---|---|---|
| 0002A000h | 00 | 00 | 05 |
| 00042800h | 00 | 00 | 06 |
| 00049800h | 00 | 00 | 05 |
| 0004D000h | 00 | 00 | 01 |
| 00050800h | 00 | 00 | 02 |
| 00054000h | 00 | 00 | 03 |
| 00057800h | 00 | 00 | 04 |
| 0005B000h | 00 | 00 | 02 |
| 00062000h | 00 | 00 | 04 |
| 00065800h | 00 | 00 | 02 |
| 00069000h | 00 | 00 | 00 |
| 0007E000h | 00 | 00 | 02 |
| 00081800h | 00 | 00 | 02 |
| 0009D800h | 00 | 00 | 02 |
| 000AF000h | 00 | 00 | 06 |
| 000B2800h | 00 | 00 | 04 |
| 000B6000h | 00 | 00 | 02 |
| 000B9800h | 00 | 00 | 06 |
| 000BD000h | 00 | 00 | 03 |
| 000C0800h | 00 | 00 | 06 |
| 000C4000h | 00 | 00 | 03 |
| 000D5800h | 00 | 00 | 01 |
| 000D9000h | 00 | 00 | 03 |
| 000DC800h | 00 | 00 | 00 |
| 000E0000h | 00 | 00 | 02 |
| 000E3800h | 00 | 00 | 03 |
| 000E7000h | 00 | 00 | 00 |
| 000EA800h | 00 | 00 | 05 |
| 000EE000h | 00 | 00 | 01 |
| 000FF800h | 00 | 00 | 05 |
| 0010A000h | 00 | 00 | 05 |
| 0010D800h | 00 | 00 | 06 |
| 00111000h | 00 | 00 | 06 |
| 00114800h | 00 | 00 | 00 |
| 00118000h | 00 | 00 | 02 |
| 0011B800h | 00 | 00 | 00 |
| 0011F000h | 00 | 00 | 00 |
| 00145800h | 00 | 00 | 03 |
| 02418000h | 00 | 00 | 02 |
| 0241F000h | 00 | 00 | 03 |
| 02429800h | 00 | 00 | 00 |
| 03C39800h | 00 | 00 | 04 |
| 08E76000h | 00 | 00 | 04 |
| 08ECA000h | 00 | 00 | 03 |
| 09771800h | 00 | 00 | 03 |
| 09FF6000h | 00 | 00 | 00 |
| 0BBE1000h | 00 | 00 | 00 |
| 0D9FC000h | 00 | 00 | 03 |
| 1CAD7800h | 00 | 00 | 04 |
| 1CAF0000h | 00 | 00 | 04 |
| 0002A800h | 02 | 04 | 03 |
| 0003F800h | 02 | 04 | 00 |
| 00046800h | 02 | 04 | 05 |
| 0004A000h | 02 | 04 | 05 |
| 0004D800h | 02 | 04 | 01 |
| 00051000h | 02 | 04 | 04 |
| 00054800h | 02 | 04 | 00 |
| 00058000h | 02 | 04 | 01 |
| 0005B800h | 02 | 04 | 01 |
| 00062800h | 02 | 04 | 00 |
| 00066000h | 02 | 04 | 05 |
| 0007E800h | 02 | 04 | 02 |
| 00082000h | 02 | 04 | 01 |
| 0009E000h | 02 | 04 | 01 |
| 000AF800h | 02 | 04 | 01 |
| 000B3000h | 02 | 04 | 04 |
| 000B6800h | 02 | 04 | 02 |
| 000BA000h | 02 | 04 | 06 |
| 000BD800h | 02 | 04 | 00 |
| 000C1000h | 02 | 04 | 01 |
| 000C4800h | 02 | 04 | 04 |
| 000D6000h | 02 | 04 | 06 |
| 000D9800h | 02 | 04 | 05 |
| 000DD000h | 02 | 04 | 04 |
| 000E0800h | 02 | 04 | 03 |
| 000E4000h | 02 | 04 | 06 |
| 000E7800h | 02 | 04 | 02 |
| 000EB000h | 02 | 04 | 01 |
| 000EE800h | 02 | 04 | 02 |
| 00100000h | 02 | 04 | 01 |
| 00103800h | 02 | 04 | 05 |
| 00107000h | 02 | 04 | 01 |
| 0010A800h | 02 | 04 | 03 |
| 0010E000h | 02 | 04 | 01 |
| 00111800h | 02 | 04 | 01 |
| 00115000h | 02 | 04 | 02 |
| 00118800h | 02 | 04 | 02 |
| 0011C000h | 02 | 04 | 00 |
| 02423000h | 02 | 04 | 01 |
| 02426800h | 02 | 04 | 01 |
| 08490800h | 02 | 04 | 06 |
| 08E81000h | 02 | 04 | 02 |
| 097A3000h | 02 | 04 | 04 |
| 0CD73000h | 02 | 04 | 01 |
| 0E1CB000h | 02 | 04 | 03 |
| 0E59B800h | 02 | 04 | 01 |
| 0E5A6000h | 02 | 04 | 03 |
| 0002B000h | 04 | 01 | 00 |
| 0003C800h | 04 | 01 | 03 |
| 00043800h | 04 | 01 | 06 |
| 00047000h | 04 | 01 | 05 |
| 0004A800h | 04 | 01 | 06 |
| 0004E000h | 04 | 01 | 01 |
| 00051800h | 04 | 01 | 03 |
| 00055000h | 04 | 01 | 04 |
| 00058800h | 04 | 01 | 06 |
| 0005C000h | 04 | 01 | 01 |
| 00063000h | 04 | 01 | 04 |
| 00066800h | 04 | 01 | 04 |
| 0007B800h | 04 | 01 | 06 |
| 0007F000h | 04 | 01 | 03 |
| 0009E800h | 04 | 01 | 05 |
| 000B0000h | 04 | 01 | 06 |
| 000B3800h | 04 | 01 | 05 |
| 000B7000h | 04 | 01 | 02 |
| 000BA800h | 04 | 01 | 03 |
| 000BE000h | 04 | 01 | 02 |
| 000C1800h | 04 | 01 | 00 |
| 000D6800h | 04 | 01 | 04 |
| 000DA000h | 04 | 01 | 06 |
| 000E1000h | 04 | 01 | 04 |
| 000E4800h | 04 | 01 | 00 |
| 000E8000h | 04 | 01 | 06 |
| 000EB800h | 04 | 01 | 03 |
| 000EF000h | 04 | 01 | 01 |
| 00100800h | 04 | 01 | 06 |
| 00104000h | 04 | 01 | 01 |
| 00107800h | 04 | 01 | 01 |
| 0010B000h | 04 | 01 | 04 |
| 0010E800h | 04 | 01 | 00 |
| 00112000h | 04 | 01 | 04 |
| 00115800h | 04 | 01 | 02 |
| 00119000h | 04 | 01 | 06 |
| 0011C800h | 04 | 01 | 00 |
| 02415800h | 04 | 01 | 01 |
| 02419000h | 04 | 01 | 01 |
| 0241C800h | 04 | 01 | 00 |
| 02423800h | 04 | 01 | 06 |
| 02427000h | 04 | 01 | 00 |
| 07D60000h | 04 | 01 | 00 |
| 07D6E000h | 04 | 01 | 05 |
| 084A6000h | 04 | 01 | 02 |
| 097B8800h | 04 | 01 | 01 |
| 0AFB7000h | 04 | 01 | 03 |
| 0ED59000h | 04 | 01 | 06 |
| 0002B800h | 06 | 05 | 06 |
| 0003D000h | 06 | 05 | 03 |
| 00047800h | 06 | 05 | 03 |
| 0004B000h | 06 | 05 | 00 |
| 0004E800h | 06 | 05 | 02 |
| 00052000h | 06 | 05 | 01 |
| 00055800h | 06 | 05 | 01 |
| 00059000h | 06 | 05 | 01 |
| 0005C800h | 06 | 05 | 06 |
| 00063800h | 06 | 05 | 04 |
| 00067000h | 06 | 05 | 02 |
| 0007C000h | 06 | 05 | 00 |
| 0007F800h | 06 | 05 | 04 |
| 00083000h | 06 | 05 | 01 |
| 000AD000h | 06 | 05 | 01 |
| 000B0800h | 06 | 05 | 05 |
| 000B4000h | 06 | 05 | 02 |
| 000B7800h | 06 | 05 | 06 |
| 000BB000h | 06 | 05 | 02 |
| 000BE800h | 06 | 05 | 04 |
| 000C2000h | 06 | 05 | 04 |
| 000D7000h | 06 | 05 | 00 |
| 000DA800h | 06 | 05 | 00 |
| 000DE000h | 06 | 05 | 05 |
| 000E1800h | 06 | 05 | 00 |
| 000E5000h | 06 | 05 | 02 |
| 000EC000h | 06 | 05 | 02 |
| 000EF800h | 06 | 05 | 05 |
| 00101000h | 06 | 05 | 05 |
| 00104800h | 06 | 05 | 02 |
| 0010B800h | 06 | 05 | 03 |
| 0010F000h | 06 | 05 | 02 |
| 00112800h | 06 | 05 | 00 |
| 00116000h | 06 | 05 | 04 |
| 00119800h | 06 | 05 | 06 |
| 0011D000h | 06 | 05 | 04 |
| 00127800h | 06 | 05 | 06 |
| 00132000h | 06 | 05 | 00 |
| 02416000h | 06 | 05 | 02 |
| 0241D000h | 06 | 05 | 04 |
| 02420800h | 06 | 05 | 03 |
| 03C1F000h | 06 | 05 | 06 |
| 03F94800h | 06 | 05 | 06 |
| 0855C800h | 06 | 05 | 02 |
| 0AFB0800h | 06 | 05 | 01 |
| 0BB30000h | 06 | 05 | 01 |
| 0CD3C000h | 06 | 05 | 06 |
| 0CD5B800h | 06 | 05 | 06 |
| 0EB49000h | 06 | 05 | 02 |
| 0002C000h | 09 | 02 | 03 |
| 0003D800h | 09 | 02 | 00 |
| 00041000h | 09 | 02 | 05 |
| 00044800h | 09 | 02 | 04 |
| 00048000h | 09 | 02 | 01 |
| 0004B800h | 09 | 02 | 04 |
| 0004F000h | 09 | 02 | 06 |
| 00052800h | 09 | 02 | 03 |
| 00056000h | 09 | 02 | 05 |
| 00059800h | 09 | 02 | 06 |
| 0005D000h | 09 | 02 | 06 |
| 00064000h | 09 | 02 | 04 |
| 00067800h | 09 | 02 | 06 |
| 0007C800h | 09 | 02 | 03 |
| 00080000h | 09 | 02 | 05 |
| 00083800h | 09 | 02 | 04 |
| 0009C000h | 09 | 02 | 04 |
| 000AD800h | 09 | 02 | 05 |
| 000B1000h | 09 | 02 | 01 |
| 000B4800h | 09 | 02 | 04 |
| 000B8000h | 09 | 02 | 00 |
| 000BB800h | 09 | 02 | 01 |
| 000BF000h | 09 | 02 | 00 |
| 000C2800h | 09 | 02 | 02 |
| 000D4000h | 09 | 02 | 00 |
| 000D7800h | 09 | 02 | 06 |
| 000DB000h | 09 | 02 | 06 |
| 000DE800h | 09 | 02 | 05 |
| 000E2000h | 09 | 02 | 06 |
| 000E5800h | 09 | 02 | 01 |
| 000E9000h | 09 | 02 | 03 |
| 000EC800h | 09 | 02 | 03 |
| 00101800h | 09 | 02 | 04 |
| 00105000h | 09 | 02 | 03 |
| 00108800h | 09 | 02 | 05 |
| 0010C000h | 09 | 02 | 02 |
| 0010F800h | 09 | 02 | 02 |
| 00113000h | 09 | 02 | 02 |
| 00116800h | 09 | 02 | 01 |
| 0011A000h | 09 | 02 | 06 |
| 0011D800h | 09 | 02 | 03 |
| 02413000h | 09 | 02 | 04 |
| 0241A000h | 09 | 02 | 00 |
| 02421000h | 09 | 02 | 02 |
| 02424800h | 09 | 02 | 05 |
| 02428000h | 09 | 02 | 04 |
| 03C2A000h | 09 | 02 | 05 |
| 03E61000h | 09 | 02 | 05 |
| 05B5D000h | 09 | 02 | 01 |
| 07D53000h | 09 | 02 | 01 |
| 0B9D6000h | 09 | 02 | 02 |
| 0BA31000h | 09 | 02 | 01 |
| 0E1D3800h | 09 | 02 | 03 |
| 0E5A4000h | 09 | 02 | 04 |
| 0ED5A000h | 09 | 02 | 06 |
| 0002C800h | 0B | 06 | 01 |
| 0003E000h | 0B | 06 | 00 |
| 00048800h | 0B | 06 | 06 |
| 0004C000h | 0B | 06 | 00 |
| 0004F800h | 0B | 06 | 00 |
| 00053000h | 0B | 06 | 02 |
| 00056800h | 0B | 06 | 01 |
| 0005A000h | 0B | 06 | 05 |
| 00064800h | 0B | 06 | 03 |
| 00068000h | 0B | 06 | 03 |
| 0007D000h | 0B | 06 | 03 |
| 00084000h | 0B | 06 | 02 |
| 00095800h | 0B | 06 | 04 |
| 0009C800h | 0B | 06 | 05 |
| 000AE000h | 0B | 06 | 01 |
| 000B1800h | 0B | 06 | 01 |
| 000B5000h | 0B | 06 | 03 |
| 000B8800h | 0B | 06 | 01 |
| 000BC000h | 0B | 06 | 03 |
| 000BF800h | 0B | 06 | 01 |
| 000C3000h | 0B | 06 | 04 |
| 000D4800h | 0B | 06 | 01 |
| 000D8000h | 0B | 06 | 01 |
| 000DB800h | 0B | 06 | 00 |
| 000DF000h | 0B | 06 | 05 |
| 000E2800h | 0B | 06 | 06 |
| 000E6000h | 0B | 06 | 03 |
| 000E9800h | 0B | 06 | 06 |
| 000ED000h | 0B | 06 | 06 |
| 00105800h | 0B | 06 | 01 |
| 00109000h | 0B | 06 | 01 |
| 0010C800h | 0B | 06 | 05 |
| 00110000h | 0B | 06 | 01 |
| 00113800h | 0B | 06 | 03 |
| 00117000h | 0B | 06 | 04 |
| 0011A800h | 0B | 06 | 00 |
| 0011E000h | 0B | 06 | 03 |
| 0241E000h | 0B | 06 | 03 |
| 05C6E800h | 0B | 06 | 04 |
| 0A05E000h | 0B | 06 | 04 |
| 0AF92000h | 0B | 06 | 05 |
| 0DA25000h | 0B | 06 | 04 |
| 0E1D0800h | 0B | 06 | 04 |
| 0EB2A800h | 0B | 06 | 03 |
| 0003E800h | 0D | 03 | 04 |
| 00045800h | 0D | 03 | 04 |
| 00049000h | 0D | 03 | 04 |
| 0004C800h | 0D | 03 | 03 |
| 00050000h | 0D | 03 | 02 |
| 00053800h | 0D | 03 | 04 |
| 00057000h | 0D | 03 | 06 |
| 0005A800h | 0D | 03 | 05 |
| 00065000h | 0D | 03 | 03 |
| 00068800h | 0D | 03 | 01 |
| 0007D800h | 0D | 03 | 03 |
| 00081000h | 0D | 03 | 03 |
| 00084800h | 0D | 03 | 00 |
| 00096000h | 0D | 03 | 05 |
| 0009D000h | 0D | 03 | 05 |
| 000AE800h | 0D | 03 | 02 |
| 000B2000h | 0D | 03 | 02 |
| 000B5800h | 0D | 03 | 02 |
| 000B9000h | 0D | 03 | 04 |
| 000BC800h | 0D | 03 | 01 |
| 000C0000h | 0D | 03 | 01 |
| 000C3800h | 0D | 03 | 01 |
| 000D5000h | 0D | 03 | 04 |
| 000D8800h | 0D | 03 | 00 |
| 000DF800h | 0D | 03 | 02 |
| 000E3000h | 0D | 03 | 03 |
| 000E6800h | 0D | 03 | 05 |
| 000EA000h | 0D | 03 | 00 |
| 000ED800h | 0D | 03 | 00 |
| 00102800h | 0D | 03 | 04 |
| 00106000h | 0D | 03 | 02 |
| 00110800h | 0D | 03 | 05 |
| 00114000h | 0D | 03 | 04 |
| 00117800h | 0D | 03 | 04 |
| 0011B000h | 0D | 03 | 00 |
| 0011E800h | 0D | 03 | 00 |
| 00145000h | 0D | 03 | 02 |
| 02414000h | 0D | 03 | 05 |
| 0241B000h | 0D | 03 | 06 |
| 02422000h | 0D | 03 | 05 |
| 02425800h | 0D | 03 | 06 |
| 05C1B000h | 0D | 03 | 01 |
| 0A031000h | 0D | 03 | 02 |
| 0BA20800h | 0D | 03 | 04 |
| 0BAEF000h | 0D | 03 | 03 |
| 0DAED000h | 0D | 03 | 01 |
| 0EB0F000h | 0D | 03 | 03 |
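
The key schedule from note 3, written so it can be checked against the keys observed in the appendix, as an added Python example that is not the author's code. It assumes the "offset" in the rule is the file's data address (the Address field), which is the quantity the "File address mod 7" column tracks; the function names are illustrative.

```python
from itertools import islice

# Low nibble of a file's first key, indexed by (address mod 7):
# the page's table 0-0 1-4 2-9 3-D 4-2 5-6 6-B.
FIRST_LOW = (0x0, 0x4, 0x9, 0xD, 0x2, 0x6, 0xB)
ROW = 16  # only the first byte of each 16-byte row is XORed

def keystream(file_addr):
    """Yield one key byte per 16-byte row of the file stored at file_addr."""
    high = (file_addr >> 4) & 0xF   # second hex digit from the right
    low = FIRST_LOW[file_addr % 7]
    while True:
        yield (high << 4) | low
        high = (high + 1) & 0xF     # nibbles wrap independently, no carry
        low += 1
        if low in (0x7, 0xF):       # results 7 and F get one more increment
            low += 1
        low &= 0xF

def key_for_row(file_addr, row):
    """Key applied to row number `row` (0-based) of the file."""
    return next(islice(keystream(file_addr), row, None))

def xor_file(data, file_addr):
    """Decrypt one file's bytes; the same call encrypts, XOR being its own inverse."""
    out = bytearray(data)
    for pos, key in zip(range(0, len(out), ROW), keystream(file_addr)):
        out[pos] ^= key
    return bytes(out)

def recovered_key(plain_byte, cipher_byte):
    """Known-plaintext recovery from the appendix: x = s Xor t."""
    return plain_byte ^ cipher_byte

if __name__ == "__main__":
    # Constructed sample: a 32-byte "BSMB" file placed at address 0002B000h.
    plain = b"BSMB" + bytes(28)
    cipher = xor_file(plain, 0x2B000)
    print(cipher[:1].hex(), xor_file(cipher, 0x2B000) == plain)
    print(" ".join("%02X" % k for k in islice(keystream(0x26000), 12)))
```

The scheme hides nothing from anyone holding one known first byte per file, since the key depends only on where the file sits in the archive.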