The last few months have been... extra busy. I survived an HDD crash, participated in the Flare-On reversing contest (and finished 4th!), had some quite fun projects at work - but all that is a matter for another story. Today I want to share with you a long-overdue update for unpackers.
Enigma Virtual Box unpacker
- Added support for Enigma Virtual Box v8.10, v8.20, v9.00 and v9.10.
- Unpacker now restores file attributes and date/time. Be careful, unpacked files might have attributes "read only", "hidden", etc.!
- Added validation of extracted folder/file names to prevent directory traversal attacks. It was on my todo list for a long time and all the media-craziness around Zip Slip finally forced me to do something about it.
- Fixed warning message about TLS directory. Mea culpa.
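The name validation mentioned in the list above, sketched as an added example. This is not the unpacker's own code; `safe_destination`, `classify`, the output folder name and the sample names are made up for illustration.

```python
import os
from pathlib import PureWindowsPath

def safe_destination(out_dir, stored_name):
    """Return the real path for stored_name inside out_dir, or raise ValueError."""
    # Names in the container follow Windows rules, so parse them that way on
    # any host: "\\" and "/" both separate components.
    path = PureWindowsPath(stored_name)
    if path.drive or path.root:
        raise ValueError("absolute or drive-qualified name")
    if not path.parts:
        raise ValueError("empty name")
    for part in path.parts:
        if part == "..":
            raise ValueError("parent-directory component")
        if ":" in part:
            raise ValueError("colon in component (alternate data stream)")
    root = os.path.realpath(out_dir)
    dest = os.path.realpath(os.path.join(root, *path.parts))
    # Last line of defence: a symlink already present under out_dir could
    # still redirect the write, so compare the resolved paths.
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("resolves outside the output folder")
    return dest

def classify(out_dir, names):
    """Map each stored name to "ok" or the reason it was rejected."""
    verdicts = {}
    for name in names:
        try:
            safe_destination(out_dir, name)
            verdicts[name] = "ok"
        except ValueError as err:
            verdicts[name] = str(err)
    return verdicts

# Constructed names, as a hostile or damaged container might store them.
SAMPLE_NAMES = [
    "data\\magic.dat",
    "..\\..\\outside.txt",
    "data/../../outside.txt",
    "C:\\Windows\\outside.txt",
    "\\\\server\\share\\outside.txt",
    "readme.txt:hidden",
]

if __name__ == "__main__":
    for name, verdict in classify("unpacked", SAMPLE_NAMES).items():
        print(f"{name!r}: {verdict}")
```

The check runs before any folder is created or any file is opened, so a rejected name never touches the disk.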
Molebox Virtualization Studio unpacker
- Fixed error "VFSDecrypt: failed to find STELPACK signature" on some data files;
- Fixed error "SPack catalog not found or invalid. vfsrootsize=00000000" on some EXE files;
- Fixed out-of-memory error when unpacking huge data files;
- Loads possible filenames from mole_dictionary.txt;
How to use mole_dictionary.txt
If you have a file which uses the "hide files" feature of Molebox VS, it only stores a hash of each filename - the original filenames are not stored anywhere. But if you have a good idea what the filename might be, you can add it to mole_dictionary.txt and my unpacker will use that for intelligent guessing.
You must enter a path relative to the folder where the main executable is, for example: data\magic.dat. DO NOT enter full paths like C:\Program Files\My Program\data\magic.dat, they will not work.
You can also add comments for your convenience - any line starting with "//" is treated as a comment and ignored.
If your paths contain non-English characters, make sure you save mole_dictionary.txt in UTF-8 encoding with BOM.
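A pre-flight check for the rules above, as an added example rather than anything shipped with the unpacker. `lint_dictionary` and the sample content are made up here; how the unpacker itself treats blank lines, stray whitespace and duplicates is not stated, so the script only reports them.

```python
import codecs
from pathlib import PureWindowsPath

# Constructed sample: UTF-8 with BOM, one comment, one full path, one duplicate.
SAMPLE = codecs.BOM_UTF8 + (
    "// from another Tantra edition\r\n"
    "HTSound.dll\r\n"
    "system\\MobInfo.tan\r\n"
    "C:\\Program Files\\My Program\\data\\magic.dat\r\n"
    "HTSound.dll\r\n"
).encode("utf-8")

def lint_dictionary(raw):
    """Return (entries, problems); problems are (line_number, message) pairs."""
    problems = []
    has_bom = raw.startswith(codecs.BOM_UTF8)
    try:
        text = raw.decode("utf-8-sig")  # drops the BOM when present
    except UnicodeDecodeError:
        return [], [(0, "file is not valid UTF-8")]
    if not has_bom and not text.isascii():
        problems.append((0, "non-ASCII paths but no UTF-8 BOM"))
    entries = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("//"):
            continue  # blank line (assumed harmless) or comment
        path = PureWindowsPath(line)
        if path.drive or path.root:
            problems.append((number, "full path, must be relative to the main executable"))
        elif line != line.strip():
            problems.append((number, "leading or trailing whitespace"))
        elif line in entries:
            problems.append((number, "duplicate entry"))
        else:
            entries.append(line)
    return entries, problems

if __name__ == "__main__":
    print(lint_dictionary(SAMPLE))
```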
Real-life example of mole_dictionary.txt
There are lots of different "editions" of the Tantra Online game. They all need specific files like HTSound.dll, HTWeb.dll or system\MobInfo.tan to run properly. However, this specific version called Tantra Surya has packed all files inside HTLauncher.exe and .sps files and enabled the "hide files" feature:
My unpacker does the job but original filenames are lost:
To improve unpacking results, you can add a list of files normally used by Tantra to mole_dictionary.txt. Let's start with something simple, files that normally are in the Tantra root folder:
// from Tantra Atlas Online Oficial
_settings.ini
bg_settings.png
BugslayerUtil.dll
ChatServer.cfg
d3dx9_27.dll
d3dx9_28.dll
d3dx9_29.dll
dbghelp.dll
HT3DHeaven.dll
HTDirect3D.dll
HTLauncher.exe
HTSound.dll
HTSpec.cfg
HTUserSetting.sys
HTWeb.dll
icon.ico
MSCOMCTL.OCX
MSINET.OCX
mss32.dll
NotifyMsg.dat
ntdll.dll
serverlist.bin
Serverlist.txt
Tantra Updater.exe
Tantra.dat
Tantra.exe
Tantra_Crash.txt
TantraCrashSender.exe
tempTantra.dat
UpdateList.dat
version.dat
XPva03.dll
After that, unpacker works much better. It has recovered most of the DLL names and just 5 filenames are unknown:
Of course, the more possibilities you add, the better the chances that the filename will be recovered. 🙂 So, let's look into some subfolders..
Take, for example, this map folder:
Compare it to the same map folder in some different Tantra edition, in my case - Prime:
Now we know what filenames to add to mole_dictionary.txt:
data\maps\AnakaKruma\MAP_AnakaKruma.tcc
data\maps\AnakaKruma\MAP_AnakaKruma.thm
data\maps\AnakaKruma\MAP_AnakaKruma.tme
data\maps\AnakaKruma\MAP_AnakaKruma.tml
data\maps\AnakaKruma\MAP_AnakaKruma.tmo
data\maps\AnakaKruma\Sky.tmd
data\maps\AnakaKruma\SkyTerrain.tmd
data\maps\AnakaKruma\TerrainTex.hpk
Run the unpacker again on the packed HTLauncher.exe and the result is much better:
You can keep on building your dictionary until all the unknown filenames are resolved. But that's your task, I will not do that for you.. 🙂
Have fun and as always - please let me know if you notice any issues!
Hi kao! Thanks for this update!
Unfortunately, with the new version of your "Enigma Virtual Box unpacker" I'm having the same issue I had with the previous versions, with the exception that now I don't see any TLS directory warning message. The problem is with some RPGMaker MV boxed games. It apparently extracts everything, but on opening the .exe the game does not start; I only get a blank window. It's as if there were some problem with the unpacked exe, because the games it can't unpack correctly generate an exe of the same size every time (44,2MB), whereas the exes of the games that extract correctly vary in size.
Here are some games that don't unpack correctly (you may need to set your Windows locale to open non-Unicode characters in Japanese):
{hidden link}
{hidden link}
{hidden link}
{hidden link}
{hidden link}
{hidden link}
{hidden link}
Disclaimer: these are adult-only games.
Thank you, I will check it. Download speed for those files is around 10kbps, so it will take a while. 😉
Are you sure there are no warnings in the unpacker log, for example, about overlay?
Apparently RPGMaker MV has issues with "%" signs in folder names. Rename "%DEFAULT FOLDER%" to something else and the game will start properly.
Hi kao!
I feel pretty dumb for not thinking about renaming the folder. Now it seems to work properly.
Many thanks for your work and for the help! Wish you the best. 🙂
link is dead sir
Links work just fine. If your ISP/country blocks mega.nz, just use a VPN or find another solution.
This is the client that I can't decrypt
How can I contact you privately?
{hidden link}
Answered to your email.
Hi Kao, I wonder, was it much effort for you to update Enigma Unpacker every time? I mean, I assume that it may be just a few lines of code, right? Enigma Virtual Box 8 - 9 software might have changed its structure a little to prevent breaking, but not that much ... I'm just curious about it 🙂
Also do you think it's possible to break Enigma Pro as well?
As far as I know, Enigma Pro may pack files exactly the same way as Enigma Free, except that the Pro version allows the user to change the .dat name to anything they want to fool the Unpacker. So if your Unpacker allowed the user to input file names manually, perhaps it could break Enigma Pro too?
Thank you
It all depends on what was changed.
Changes that don't affect file format are indeed a matter of adding a few lines. The entire process takes 10-20 minutes, from downloading EnigmaVB, to packing my test files, running unpacker, examining log, making required changes, compiling a new version, testing it again and packing it all up.
Changes that affect file format take somewhere between 1 and 20 hours. Again, it all depends on what was changed and how. Analyzing new changes is just a part of the job. The biggest problem is to ensure backwards compatibility with all the EnigmaVB versions - that takes quite some time.
My unpacker is a static unpacker, meaning it doesn't run any of the executables, so it's pretty safe to use it on malicious files. I intend to keep it that way. Enigma Protector, on the other hand, encrypts data files with a key that cannot be reliably obtained without running the executable (and, in some cases, bypassing hardware id check). So, it requires a totally different approach and I'm not planning to do that any time soon.
Hello, I really want your software, but unfortunately I can not open the download link, can you send it directly to my mailbox, thank you
Links work just fine. If your ISP/country blocks mega.nz, just use a VPN or find another solution.
Oh, this is my mailbox
heeroyuy55@qq.com
Hi,Kao.
Can you support Enigma Virtual Box v9.20 with your tool?
Here you go: https://lifeinhex.com/october-update-of-unpackers/ 🙂
For Surya Client (Tantra) they change the whole directory into other folders, like all mesh *tmb files are stored in data/mesh. I hope sir kao will find a way to unpack the files with ease 🙂
{hidden link}
The main program is invalid after decompression. Please check below. Thanks
Hi there,
1) Your RAR file is password protected. I can't extract files without the password.
2) There are so many folders in RAR, which is "the main program"?
password: ***
GameServer folder
Always concerned..Thanks for the update tool
When do you update the tool?
New version is released when I fix some serious bug or improve something. No serious bugs have been reported so far - so I'm not planning any more updates this year.
If you have found some bug, please report it and I'll try to fix it! 🙂
[+] EnigmaVB version: 9.20
[!] Found 0x32D0 bytes of overlay. Unpacked file may or may not work. Be careful!
{hidden link}
Please don't make duplicate comments.
Sir Kao, are you busy lately? I have a problem removing a dll in *.exe. I don't have enough skills to debug the exe in Ollydbg; would you try to remove the dll for me, if you don't mind? You can send the link here when you're done. {hidden link}
I will leave the link here
[File Inside]
1.) HTLauncher
2.) Dll
{hidden link}
Thank you so Much Sir Kao!
I can't even check your file:
Hello sir kao, sorry for the late reply. I uploaded the file to mega so that you can check the link.
Link :{hidden link}
I looked at your file - it is not packed at all. So, it has nothing to do with my unpackers.
This is not "please crack this file for me" service. I can't help you with that.
I understand thank you sir kao.
I just leave here the Full Client link . If you need it .
Link : {hidden link}
Thank you again Sir Kao ! God Bless
I WANT TO UNPACK SOME CLIENTS AND I GET THIS
[i] Loading file: D:\World Of Tantra PH\HTLauncher.exe
[+] MD5: d14965051a70d93cf0902248785a77e9
[i] BoxOffset = 1BD000
[x] Molebox signature not found, exiting
I can't help you without seeing the file. Please upload it to Mega.nz and post a link.
{hidden link}
this is the client
{hidden link}
this client I want to unravel
I will look at it when I get some free time.
how can i contact you?
Hi Kao, greetings. This is off topic, hoping you could help us. We've been playing a specific Tantra server; all Windows 10 and 11 users are having trouble playing the game after launching it. When you use the QZP or port out to another place, an HTLauncher error pops up: C++ run time error. The 2nd error is that the game automatically closes due to PS gameguard detecting something. What do the devs need to filter on their server? Sorry for my terms, I just need to figure this out.
Hi Zeke,
I'm not playing Tantra at all, so I don't really know what issues you're talking about. But I'm pretty sure it has nothing to do with my unpacker.