30 Sep 2018

September update of unpackers

Last few months have been... extra busy. I survived HDD crash, participated in Flare-On reversing contest (and finished 4th!), had quite fun projects at work - but all that is a matter of another story. Today I want to share with you a long-overdue update for unpackers.

Enigma Virtual Box unpacker

  • Added support for Enigma Virtual Box v8.10, v8.20, v9.00 and v9.10.
  • Unpacker now restores file attributes and date/time. Be careful, unpacked files might have attributes "read only", "hidden", etc.!
  • Added validation of extracted folder/file names to prevent directory traversal attacks. It was on my todo list for a long time and all the media-craziness around Zip Slip finally forced me to do something about it.
  • Fixed warning message about TLS directory. Mea culpa.

Molebox Virtualization Studio unpacker

  • Fixed error "VFSDecrypt: failed to find STELPACK signature" on some data files;
  • Fixed error "SPack catalog not found or invalid. vfsrootsize=00000000" on some EXE files;
  • Fixed out-of-memory error when unpacking huge data files;
  • Loads possible filenames from mole_dictionary.txt;

How to use mole_dictionary.txt

If you have a file which uses "hide files" feature of Molebox VS, it only stores hash of the filename - original filenames are not stored anywhere. But if you have a good idea what the filename might be, you can add it to mole_dictionary.txt and my unpacker will use that for intelligent guessing.

You must enter path relative to where the main executable is, for example: data\magic.dat. DO NOT enter full paths like C:\Program Files\My Program\data\magic.dat, they will not work.

You can also add comments for your convenience - any line starting with "//" is treated as a comment and ignored.

If your paths contain non-English characters, make sure you save mole_dictionary.txt in UTF-8 encoding with BOM.

Real-life example of mole_dictionary.txt

There are lots of different "editions" of Tantra Online game. They all need specific files like HTSound.dll, HTWeb.dll or system\MobInfo.tan to run properly. However, this specific version called Tantra Surya has packed all files inside HTLauncher.exe and .sps files

and enabled "hide files" feature:

My unpacker does the job but original filenames are lost:

To improve unpacking results, you can add list of files normally used by Tantra into mole_dictionary.txt. Let's start with something simple, files that normally are in Tantra root folder:

After that, unpacker works much better. It has recovered most of the DLL names and just 5 filenames are unknown:

Of course, the more possibilities you add, the better are chances that the filename will be recovered. smile So, let's look into some subfolders..

Take, for example, this map folder:

Compare it to the same map folder in some different Tantra edition, in my case - Prime:

Now we know what filenames to add to mole_dictionary.txt:

Run the unpacker again on the packed HTLauncher.exe and the result is much better:

You can keep on building your dictionary until all the unknown filenames are resolved. But that's your task, I will not do that for you.. smile

Have fun and as always - please let me know if you notice any issues!

38 thoughts on “September update of unpackers

  1. Hi kao! Thanks for this update!

    Unfortunately with the new version of your "Enigma Virtual Box unpacker" I'm having the same issue i had with the previous versions, with the exception that now I don't see any TLS directory warning message. The problem is with some RPGMaker MV boxed games. It extract apparently everything, but opening the .exe, the game does not start, I get only a blank window. Like if there was some problem with the unpacked exe, because the games it can't unpack correctly generate an exe of the same dimension every time (44,2MB), instead the exe of the games that extracts correctly, are variable.

    Here some non-unpacking correctly games (You may need to set your windows locale to open non-unicode characters in Japanese):
    {hidden link}
    {hidden link}
    {hidden link}
    {hidden link}
    {hidden link}
    {hidden link}
    {hidden link}

    Disclaimer: these are adult-only games.

    • Thank you, I will check it. Download speed for those files is around 10kbps, so it will take a while. ;)

      Are you sure there are no warnings in the unpacker log, for example, about overlay?

    • Apparently RPGMaker MV has issues with "%" signs in folder names. Rename "%DEFAULT FOLDER%" to something else and the game will start properly.

      • Hi kao!
        I feel pretty dumb for not thinking about renaming the folder. Now it seems to work properly.
        Many thanks for your work and for the help! Wish you the best. :)

  2. Hi Kao, i wonder was it much of effort for you to update Enigma Unpacker everytime? I mean i assume that it may just few lines of code right? Enigma Virtual Box 8 - 9 software might changed its structure a little to prevent breaking but not that much ... I just curious about it :)
    Also do you think it's possible to break Enigma Pro as well?
    As i know, the Enigma Pro may pack file exactly the same like Enigma Free, except of that Pro version allow User to change the .dat name to anything they want to fool the Unpacker. So if your Unpacker allow User to input files name manually, perhaps it can break Enigma Pro too?
    Thank you

    • It all depends on what was changed.

      Changes that don't affect file format are indeed a matter of adding few lines. The entire process takes 10-20 minutes, from downloading EnigmaVB, to packing my test files, running unpacker, examining log, making required changes, compiling a new version, testing it again and packing it all up.

      Changes that affect file format take somewhere between 1 and 20 hours. Again, it all depends on what was changed and how. Analyzing new changes is just a part of the job. The biggest problem is to ensure backwards compatibility with all the EnigmaVB versions - that takes quite some time.

      My unpacker is a static unpacker, meaning it doesn't run any of the executables, so it's pretty safe to use it on malicious files. I intend to keep it that way. Enigma Protector, on the other hand, encrypts data files with a key that cannot be reliably obtained without running the executable (and, in some cases, bypassing hardware id check). So, it requires a totally different approach and I'm not planning to do that any time soon.

  3. Hello, I really want your software, but unfortunately I can not open the download link, can you send it directly to my mailbox, thank you

    • Links work just fine. If your ISP/country blocks mega.nz, just use a VPN or find another solution.

  4. For Surya Client (Tantra) they change the whole directory into another folders like all mesh *tmb files are stored in data/mesh . I hope sir kao will find a way to unpack the files with ease :)

    • Hi there,
      1) Your RAR file is password protected. I can't extract files without the password.
      2) There are so many folders in RAR, which is "the main program"?

    • New version is released when I fix some serious bug or improve something. No serious bugs have been reported so far - so I'm not planning any more updates this year.

      If you have found some bug, please report it and I'll try to fix it! :)

  5. [+] EnigmaVB version: 9.20
    [!] Found 0x32D0 bytes of overlay. Unpacked file may or may not work. Be careful!
    {hidden link}

  6. Sir Kao are you busy lately ? i have problem in removing dll in *.exe i don't have enough skills to debugg the exe in Ollydbg , would you try to remove the dll for me ? If you don't mind ? You can send the link here if you're done . {hidden link}

    I will leave the link here
    [File Inside]
    1.) HTLauncher
    2.) Dll
    {hidden link}

    Thank you so Much Sir Kao!

    • I can't even check your file:

      Upload still in progress…
      Download not available yet because the upload for this file is still in progress. Approximate completion time below.

      Download ready soon…

      • Hello sir kao sorry for late reply , i upload the file in mega so that you can check the link .

        Link :{hidden link}

        • I looked at your file - it is not packed at all. So, it has nothing to do with my unpackers.

          This is not "please crack this file for me" service. I can't help you with that.

  7. I just leave here the Full Client link . If you need it .

    Link : {hidden link}

    Thank you again Sir Kao ! God Bless

  8. QUIERO DESCOMPRIMIR UNOS CLIENTES Y ME SALE ESTO

    [i] Loading file: D:\World Of Tantra PH\HTLauncher.exe
    [+] MD5: d14965051a70d93cf0902248785a77e9
    [i] BoxOffset = 1BD000
    [x] Molebox signature not found, exiting

  9. Hi Kao greetings this is off topic, hoping you could help us been playing a specific tantra server all windows 10 and 11 users having trouble playing the game after you launch the game.. when you use the QZP or port out to another place HTLauncher error pops up C++ run time error. The 2nd error is the game automatically close due to PS gameguard detecting something what do the devs need to filter on their server. sorry for my terms i just need to figure this out.

    • Hi Zeke,
      I'm not playing Tantra at all, so I don't really know what issues you're talking about. But I'm pretty sure it has nothing to do with my unpacker.

Leave a Reply

  • Be nice to me and everyone else.
  • If you are reporting a problem in my tool, please upload the file which causes the problem.
    I can`t help you without seeing the file.
  • Links in comments are visible only to me. Other visitors cannot see them.

Your email address will not be published.

 −  5  =  0