  1. #1
    h4x0r

    Dragonica Decrypting and Decompressing Tables

    A small tutorial on how to decrypt and decompress *.BIN files (Dragonica\Table) from memory.

    Client and Used Tools


    Preparation

    Download and install the Dragonica client. Start the launcher and wait until the game updates to the latest version.

    First stage - Decrypting and Disabling GameGuard

    Run OllyDbg. Open and load the main executable -> (IAHGames\Dragonica\Release\dragonica.exe).

    Now, to begin decrypting the tables, we need to disable GameGuard. How? Easy.

    Search for -> All referenced text strings.

    After all referenced strings are found, scroll up to the beginning.


    Now Search for text


    enter text -> InitAppProtectFailed. Press OK.




    Follow in Disassembler (Enter)


    Code:
    00A2E3BD    E8 9E676600     CALL dragonic.01094B60                   ; <- Starting GameGuard
    00A2E3C2    85C0            TEST EAX,EAX
    00A2E3C4    74 68           JE SHORT dragonic.00A2E42E
    00A2E3C6    8D8C24 68010000 LEA ECX,DWORD PTR SS:[ESP+168]
    00A2E3CD    FF15 10777701   CALL DWORD PTR DS:[<&MSVCP80.??0?$basic_>]
    00A2E3D3    C68424 90010000>MOV BYTE PTR SS:[ESP+190],0A
    00A2E3DB    68 049F7B01     PUSH dragonic.017B9F04                   ; UNICODE "AppProtect luanch failed"
    00A2E3E0    8D8424 6C010000 LEA EAX,DWORD PTR SS:[ESP+16C]
    00A2E3E7    50              PUSH EAX
    00A2E3E8    68 D89E7B01     PUSH dragonic.017B9ED8                   ; UNICODE "InitAppProtectFailed"
    00A2E3ED    68 E8887B01     PUSH dragonic.017B88E8                   ; UNICODE "MESSAGE"
    00A2E3F2    E8 B9B80400     CALL dragonic.00A79CB0
    00A2E3F7    83C4 10         ADD ESP,10
    00A2E3FA    6A 00           PUSH 0
    00A2E3FC    68 24807B01     PUSH dragonic.017B8024                   ; UNICODE "Dragonica"
    00A2E401    8D8C24 70010000 LEA ECX,DWORD PTR SS:[ESP+170]
    00A2E408    FF15 28777701   CALL DWORD PTR DS:[<&MSVCP80.?c_str@?$ba>]
    00A2E40E    50              PUSH EAX
    00A2E40F    6A 00           PUSH 0
    00A2E411    FF15 44807701   CALL DWORD PTR DS:[<&USER32.MessageBoxW>>; USER32.MessageBoxW
    00A2E417    C68424 90010000>MOV BYTE PTR SS:[ESP+190],9
    00A2E41F    8D8C24 68010000 LEA ECX,DWORD PTR SS:[ESP+168]
    00A2E426    FF15 30777701   CALL DWORD PTR DS:[<&MSVCP80.??1?$basic_>]
    00A2E42C    EB 47           JMP SHORT dragonic.00A2E475
    00A2E42E    8B4E 34         MOV ECX,DWORD PTR DS:[ESI+34]
    Just NOP CALL 01094B60 and JE 00A2E42E -> JMP 00A2E42E


    Select modified code -> Copy to executable -> Selection -> Save file.


    I named the new executable dragonica_nogg.exe. In Olly, press ALT+F2 -> Yes and open the new exe.

    Search for -> All referenced text strings. After searching scroll up.

    Search for text and enter text .BIN.


    Follow in Disassembler (Enter)


    Set breakpoint on (F2)
    Code:
    014671F9    68 14B08601     PUSH dragonic.0186B014                          ; UNICODE ".BIN"
    Press F9 to run.
    Good, the breakpoint triggered.


    In command line enter -> BP ReadFile


    Press F9 to run. It triggers again, and in the stack you can see this:

    First part of reading the table file.

    Code:
    0012CBE4   01423079  /CALL to ReadFile from dragonic.01423073
    0012CBE8   00000248  |hFile = 00000248
    0012CBEC   04BF68A8  |Buffer = 04BF68A8
    0012CBF0   0000003F  |BytesToRead = 3F (63.)
    0012CBF4   0012CC3C  |pBytesRead = 0012CC3C
    0012CBF8   00000000  \pOverlapped = NULL

    Press F9 - Second part.

    Code:
    0012CBE4   01423079  /CALL to ReadFile from dragonic.01423073
    0012CBE8   00000248  |hFile = 00000248
    0012CBEC   04B93CF0  |Buffer = 04B93CF0
    0012CBF0   00000009  |BytesToRead = 9
    0012CBF4   0012CC3C  |pBytesRead = 0012CC3C
    0012CBF8   00000000  \pOverlapped = NULL
    Press F9 - Third part.

    Code:
    0012CBE4   01423079  /CALL to ReadFile from dragonic.01423073
    0012CBE8   00000248  |hFile = 00000248
    0012CBEC   04BF68A8  |Buffer = 04BF68A8
    0012CBF0   0000003F  |BytesToRead = 3F (63.)
    0012CBF4   0012CC3C  |pBytesRead = 0012CC3C
    0012CBF8   00000000  \pOverlapped = NULL
    Press F9 - Last part. This is what we need

    Code:
    0012CBE4   01423079  /CALL to ReadFile from dragonic.01423073
    0012CBE8   00000248  |hFile = 00000248
    0012CBEC   050B0020  |Buffer = 050B0020
    0012CBF0   003A2F14  |BytesToRead = 3A2F14 (3813140.)
    0012CBF4   0012CC3C  |pBytesRead = 0012CC3C
    0012CBF8   00000000  \pOverlapped = NULL

    Select Buffer -> Follow in Dump.




    Trace (F8) until you reach

    Code:
    7C80186F    FF15 8C11807C   CALL DWORD PTR DS:[<&ntdll.NtReadFile>]         ; ntdll.ZwReadFile
    Once past ZwReadFile, you can see that the buffer is filling.


    Now we need to reach this piece of code (F8)


    Code:
    014248A1    E8 8AF6FFFF     CALL dragonic.01423F30                          ; <- Decrypting Routine
    After CALL 014248A1 you can see something like this




    First bytes 78 9C - Zlib compression.


    Backup -> Save data to file.


    Now we need to decompress the saved file. A great tool will help us: Offset file UnZipper, written by aluigi.
    I saved the new file to -> \IAHGames\Dragonica\Table\tb_decrypted.bin

    Decompressing

    Code:
    offzip -a "d:\IAHGames\Dragonica\Table\tb_decrypted.bin" out 0x0

    Okay, the first table file is decompressed (in folder OUT); repeat for the second table file (tb2.bin).

    It works for config.inb too

    Code:
    [SERVER]
    IP = 122.50.2.133
    PORT = 11002
    RANK_URL = http://dgnrank.dragonica.iahgames.com:8888/XmlRanking.asp?Type=%d&Class=%d&RealmNo=%d
    
    [LOCAL_INFO]
    NATION_CODE = SINGAPORE
    SERVICE_REGION = SINGAPORE
    LANGUAGE = ENGLISH
    SERVICE_TYPE = 2
    
    [GAME]
    UsePack=1		;  Use Packed Data
    UseExtraPack = 1		;  Use Extra Packed Data (./World/Folders , ./BGM , etc...)
    UseBugTrap = 1
    
    UseCoupleUI = 1
    ;FinishLinkURL = about:blank
    CashChargeURL = http://passport.iahgames.com
    Sound=1			;  Use Sound
    UseAddUnitThread = 1	;  Use Add Unit Thread
    MaxFrameRate=60
    BugTrapIP = 211.232.145.170
    BugTrapPort = 9999
    BugTrapAppName = Dragonica_S_CB
    BugTrapScreenShot = 0
    UseGSM	= 0
    UseGameGuard	= 1
    UseVariableActorUpdate = 0
    UseNewClone = 1
    UseActorControllerUpdateOptimize = 1
    UseProjectionShadow = 0
    UseProjectionLight = 0
    UseUIOffscreenRendering = 1
    UseEmporiaTeamItem = 1
    
    [LOG]
    ; CreateLog - NO_LOG/ERROR_LOG/FULL_LOG/FULL_LOG2
    ;LogLevel= ERROR_LOG
    ; DirectMode - do not buffer log, write to file directly
    ;DirectMode = 1
    ; InfoLogLevel - INFO_LOG level (0 ~ 9)
    ;InfoLogLevel = 9
    You can find my very old video tutorial on the Elitepvpers forums.

    Enjoy

  2. The Following 2 Users Say Thank You to h4x0r For This Useful Post:
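
Added example, not part of the original post and not offzip's own code: the post recognises the dumped buffer as zlib from its leading bytes 78 9C and then has offzip scan the saved file for streams. The Python sketch below performs that kind of scan on a buffer, checking each candidate header against RFC 1950 and capping the output size; the function names and the sample buffer are constructed for illustration.

```python
import zlib

def is_zlib_header(cmf: int, flg: int) -> bool:
    """RFC 1950: method 8 (deflate), window <= 32 KiB, header checksum, no preset dictionary."""
    return ((cmf & 0x0F) == 8 and (cmf >> 4) <= 7
            and ((cmf << 8) | flg) % 31 == 0 and not flg & 0x20)

def carve_zlib(buf: bytes, max_out: int = 64 << 20):
    """Return (offset, compressed_len, data) for each stream that decompresses completely."""
    hits, i = [], 0
    while i + 2 <= len(buf):
        if is_zlib_header(buf[i], buf[i + 1]):
            d = zlib.decompressobj()
            try:
                # max_out bounds memory use if a header fronts a decompression bomb
                out = d.decompress(buf[i:], max_out)
            except zlib.error:
                out = None          # bytes looked like a header but are not deflate data
            # d.eof is set only after the end-of-stream marker and Adler-32 check
            if out is not None and d.eof:
                used = len(buf) - i - len(d.unused_data)
                hits.append((i, used, out))
                i += used           # skip the bytes this stream consumed
                continue
        i += 1
    return hits

# Constructed sample: zero padding, a decoy "78 9C" that is not a stream,
# one real stream produced by zlib.compress, then trailing bytes.
PLAINTEXT = b"[GAME]\nUsePack=1\nMaxFrameRate=60\n" * 8
SAMPLE = b"\x00" * 16 + b"\x78\x9c\xff\xff" + zlib.compress(PLAINTEXT) + b"\xaa" * 8

if __name__ == "__main__":
    for off, used, data in carve_zlib(SAMPLE):
        print(f"offset 0x{off:x}: {used} bytes in, {len(data)} bytes out")
```

A header match alone is weak evidence, since two bytes pass the RFC 1950 check by chance fairly often in binary data; requiring a complete stream with a valid Adler-32 is what removes the false positives.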


  3. #2
    h4x0r
    My old video tutorial here

  4. #3
    devilmaydie770
    Hello, I'm currently working on Dragonica files to make it English. However, I have a problem with this. I know this will allow me to get the files that are in TB, which is a packed version of defstring.xls or defstring in DB; however, I can't seem to get the after the breakpoint, and where you have to add the command is my problem, and sometimes when you run F9 it will just end up in an error with 0000000 << numbers, and it's all zeros. Thanks, and if you need to PM or anything, ask away.

  5. #4
    devilmaydie770
    Sorry for bumping an old post, but I'm still needing some help with decrypting these tables >_< I need it for my server. If any help is possible, thanks; just ask me if you want any contacts with Skype or anything :P and have a good day!

  6. #5
    jioney2014
    Get with offzip extract dat file cannot be undone, you have what method?

    ---------- Post added 2013-05-25 at 07:41 AM ---------- Previous post was 2013-05-20 at 08:39 AM ----------

    Hello!
    I hope to get your help.
    Your article about the https://progamercity.net/ghack-tut/3...ng-tables.html
    I did it, and indeed I can extract the bin files.
    But after decompression I got a dat file.
    This dat file is still encrypted. How do I unlock it? I hope to get your answer.

