A small tutorial on decrypting and decompressing *.BIN files (Dragonica\Table) from memory.
Client and Tools Used
Preparation
Download and install the Dragonica client. Start the launcher and wait until the game has updated to the latest version.
First stage - Decrypting and Disabling GameGuard
Run OllyDbg. Open and load the main executable -> (IAHGames\Dragonica\Release\dragonica.exe).
Before we can begin decrypting the tables we need to disable GameGuard. How? Easy.
Search for -> All referenced text strings.
After all referenced strings have been found, scroll up to the beginning.
Now choose Search for text,
enter the text -> InitAppProtectFailed and press OK.
Follow in Disassembler (Enter)
Code:
00A2E3BD E8 9E676600 CALL dragonic.01094B60 ; <- Starting GameGuard
00A2E3C2 85C0 TEST EAX,EAX
00A2E3C4 74 68 JE SHORT dragonic.00A2E42E
00A2E3C6 8D8C24 68010000 LEA ECX,DWORD PTR SS:[ESP+168]
00A2E3CD FF15 10777701 CALL DWORD PTR DS:[<&MSVCP80.??0?$basic_>]
00A2E3D3 C68424 90010000>MOV BYTE PTR SS:[ESP+190],0A
00A2E3DB 68 049F7B01 PUSH dragonic.017B9F04 ; UNICODE "AppProtect luanch failed"
00A2E3E0 8D8424 6C010000 LEA EAX,DWORD PTR SS:[ESP+16C]
00A2E3E7 50 PUSH EAX
00A2E3E8 68 D89E7B01 PUSH dragonic.017B9ED8 ; UNICODE "InitAppProtectFailed"
00A2E3ED 68 E8887B01 PUSH dragonic.017B88E8 ; UNICODE "MESSAGE"
00A2E3F2 E8 B9B80400 CALL dragonic.00A79CB0
00A2E3F7 83C4 10 ADD ESP,10
00A2E3FA 6A 00 PUSH 0
00A2E3FC 68 24807B01 PUSH dragonic.017B8024 ; UNICODE "Dragonica"
00A2E401 8D8C24 70010000 LEA ECX,DWORD PTR SS:[ESP+170]
00A2E408 FF15 28777701 CALL DWORD PTR DS:[<&MSVCP80.?c_str@?$ba>]
00A2E40E 50 PUSH EAX
00A2E40F 6A 00 PUSH 0
00A2E411 FF15 44807701 CALL DWORD PTR DS:[<&USER32.MessageBoxW>>; USER32.MessageBoxW
00A2E417 C68424 90010000>MOV BYTE PTR SS:[ESP+190],9
00A2E41F 8D8C24 68010000 LEA ECX,DWORD PTR SS:[ESP+168]
00A2E426 FF15 30777701 CALL DWORD PTR DS:[<&MSVCP80.??1?$basic_>]
00A2E42C EB 47 JMP SHORT dragonic.00A2E475
00A2E42E 8B4E 34 MOV ECX,DWORD PTR DS:[ESI+34]
Just NOP out the CALL 01094B60 and change JE 00A2E42E -> JMP 00A2E42E.
Select modified code -> Copy to executable -> Selection -> Save file.
I named the new executable dragonica_nogg.exe. In Olly press ALT+F2 -> Yes and open the new exe.
Search for -> All referenced text strings. After searching scroll up.
Search for text and enter text .BIN.
Follow in Disassembler (Enter)
Set breakpoint on (F2)
Code:
014671F9 68 14B08601 PUSH dragonic.0186B014 ; UNICODE ".BIN"
Press F9 to run.
Good, the breakpoint triggered.
In the command line enter -> BP ReadFile
Press F9 to run. The breakpoint triggers again, and on the stack you can see this.
First part of reading the table file.
Code:
0012CBE4 01423079 /CALL to ReadFile from dragonic.01423073
0012CBE8 00000248 |hFile = 00000248
0012CBEC 04BF68A8 |Buffer = 04BF68A8
0012CBF0 0000003F |BytesToRead = 3F (63.)
0012CBF4 0012CC3C |pBytesRead = 0012CC3C
0012CBF8 00000000 \pOverlapped = NULL
Press F9 - Second part.
Code:
0012CBE4 01423079 /CALL to ReadFile from dragonic.01423073
0012CBE8 00000248 |hFile = 00000248
0012CBEC 04B93CF0 |Buffer = 04B93CF0
0012CBF0 00000009 |BytesToRead = 9
0012CBF4 0012CC3C |pBytesRead = 0012CC3C
0012CBF8 00000000 \pOverlapped = NULL
Press F9 - Third part.
Code:
0012CBE4 01423079 /CALL to ReadFile from dragonic.01423073
0012CBE8 00000248 |hFile = 00000248
0012CBEC 04BF68A8 |Buffer = 04BF68A8
0012CBF0 0000003F |BytesToRead = 3F (63.)
0012CBF4 0012CC3C |pBytesRead = 0012CC3C
0012CBF8 00000000 \pOverlapped = NULL
Press F9 - Last part. This is what we need.
Code:
0012CBE4 01423079 /CALL to ReadFile from dragonic.01423073
0012CBE8 00000248 |hFile = 00000248
0012CBEC 050B0020 |Buffer = 050B0020
0012CBF0 003A2F14 |BytesToRead = 3A2F14 (3813140.)
0012CBF4 0012CC3C |pBytesRead = 0012CC3C
0012CBF8 00000000 \pOverlapped = NULL
Select Buffer -> Follow in Dump.
Trace (F8) until you reach
Code:
7C80186F FF15 8C11807C CALL DWORD PTR DS:[<&ntdll.NtReadFile>] ; ntdll.ZwReadFile
Once past ZwReadFile you can see that the buffer has been filled.
Now we need to reach this piece of code (F8)
Code:
014248A1 E8 8AF6FFFF CALL dragonic.01423F30 ; <- Decrypting Routine
After CALL 014248A1 you can see something like this.
First bytes 78 9C - zlib compression.
Backup -> Save data to file.
Now we need to decompress the saved file. A great tool will help us here: Offset file UnZipper (offzip), written by aluigi.
I saved the new file to -> \IAHGames\Dragonica\Table\tb_decrypted.bin
Decompressing
Code:
offzip -a "d:\IAHGames\Dragonica\Table\tb_decrypted.bin" out 0x0
Okay, the first table file is decompressed (in the folder OUT); repeat for the second table file (tb2.bin).
It works for config.inb too
Code:
[SERVER]
IP = 122.50.2.133
PORT = 11002
RANK_URL = http://dgnrank.dragonica.iahgames.com:8888/XmlRanking.asp?Type=%d&Class=%d&RealmNo=%d
[LOCAL_INFO]
NATION_CODE = SINGAPORE
SERVICE_REGION = SINGAPORE
LANGUAGE = ENGLISH
SERVICE_TYPE = 2
[GAME]
UsePack=1 ; Use Packed Data
UseExtraPack = 1 ; Use Extra Packed Data (./World/Folders , ./BGM , etc...)
UseBugTrap = 1
UseCoupleUI = 1
;FinishLinkURL = about:blank
CashChargeURL = http://passport.iahgames.com
Sound=1 ; Use Sound
UseAddUnitThread = 1 ; Use Add Unit Thread
MaxFrameRate=60
BugTrapIP = 211.232.145.170
BugTrapPort = 9999
BugTrapAppName = Dragonica_S_CB
BugTrapScreenShot = 0
UseGSM = 0
UseGameGuard = 1
UseVariableActorUpdate = 0
UseNewClone = 1
UseActorControllerUpdateOptimize = 1
UseProjectionShadow = 0
UseProjectionLight = 0
UseUIOffscreenRendering = 1
UseEmporiaTeamItem = 1
[LOG]
; CreateLog - NO_LOG/ERROR_LOG/FULL_LOG/FULL_LOG2
;LogLevel= ERROR_LOG
; DirectMode - do not buffer log, write to file directly
;DirectMode = 1
; InfoLogLevel - INFO_LOG level (0 ~ 9)
;InfoLogLevel = 9
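The "78 9C" check and the offset-scanning decompression from the Decompressing step, written out as an added example (not part of the original tutorial and not offzip's own code). The function names and the sample blob are constructed for illustration; the `start` argument plays the role of the 0x0 offset passed to offzip above.

```python
import zlib

def looks_like_zlib_header(cmf: int, flg: int) -> bool:
    """RFC 1950 header test: deflate method, window <= 32 KiB,
    (CMF*256 + FLG) divisible by 31, no preset dictionary."""
    return ((cmf & 0x0F) == 8 and (cmf >> 4) <= 7
            and ((cmf << 8) | flg) % 31 == 0 and not (flg & 0x20))

def extract_zlib_streams(blob: bytes, start: int = 0):
    """Scan blob from `start`; return [(offset, compressed_len, data), ...]
    for every complete zlib stream found."""
    view = memoryview(blob)          # slicing a memoryview avoids copying
    found, pos = [], start
    while pos + 2 <= len(blob):
        if looks_like_zlib_header(blob[pos], blob[pos + 1]):
            d = zlib.decompressobj()
            try:
                data = d.decompress(view[pos:])
            except zlib.error:
                data = None          # header-like bytes, but not a real stream
            if data is not None and d.eof:
                # unused_data is whatever followed the end of this stream
                used = len(blob) - pos - len(d.unused_data)
                found.append((pos, used, data))
                pos += used
                continue
        pos += 1
    return found

# Constructed sample: padding, a fake "78 9C" that is not a stream,
# then two real zlib streams separated by filler bytes.
TABLE1 = b"id,name\n1,sword\n2,shield\n" * 20
TABLE2 = b"key=value\n" * 10
SAMPLE = (b"\x00" * 8 + b"\x78\x9c\xff\xff" + zlib.compress(TABLE1)
          + b"\xff" * 5 + zlib.compress(TABLE2))

if __name__ == "__main__":
    for offset, clen, data in extract_zlib_streams(SAMPLE):
        print(f"offset 0x{offset:x}: {clen} -> {len(data)} bytes")
```

A dump that yields no streams at all was most likely saved before the decrypting routine had run, or was truncated when saved.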
You can find my very old video tutorial on the Elitepvpers forums.
Enjoy