30 Sep

September update of unpackers

The last few months have been... extra busy. I survived an HDD crash, participated in the Flare-On reversing contest (and finished 4th!), had quite a few fun projects at work - but all that is a matter for another story. Today I want to share with you a long-overdue update for the unpackers.

Enigma Virtual Box unpacker

  • Added support for Enigma Virtual Box v8.10, v8.20, v9.00 and v9.10.
  • Unpacker now restores file attributes and date/time. Be careful, unpacked files might have attributes "read only", "hidden", etc.!
  • Added validation of extracted folder/file names to prevent directory traversal attacks. It was on my todo list for a long time and all the media-craziness around Zip Slip finally forced me to do something about it.
  • Fixed warning message about TLS directory. Mea culpa.

Molebox Virtualization Studio unpacker

  • Fixed error "VFSDecrypt: failed to find STELPACK signature" on some data files;
  • Fixed error "SPack catalog not found or invalid. vfsrootsize=00000000" on some EXE files;
  • Fixed out-of-memory error when unpacking huge data files;
  • Loads possible filenames from mole_dictionary.txt;

How to use mole_dictionary.txt

If you have a file which uses the "hide files" feature of Molebox VS, it only stores a hash of the filename - original filenames are not stored anywhere. But if you have a good idea what the filename might be, you can add it to mole_dictionary.txt and my unpacker will use that for intelligent guessing.

You must enter the path relative to where the main executable is, for example: data\magic.dat. DO NOT enter full paths like C:\Program Files\My Program\data\magic.dat, they will not work.

You can also add comments for your convenience - any line starting with "//" is treated as a comment and ignored.

If your paths contain non-English characters, make sure you save mole_dictionary.txt in UTF-8 encoding with BOM.
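As an added example (my own code, not kao's unpacker), here is the kind of check both sections above call for: a validator that refuses entry names which could escape the output folder when writing unpacked files (the directory traversal fix listed for the Enigma Virtual Box unpacker), and a loader for mole_dictionary.txt that honours the UTF-8 BOM, skips `//` comments and rejects the full paths the text warns against. The function names and the sample dictionary are assumptions for illustration.

```python
import ntpath

def is_safe_relative(name: str) -> bool:
    """True only for a plain relative path with no traversal.

    Rejects drive letters (C:\\...), UNC prefixes (\\\\server\\share), a
    leading slash or backslash, empty or '.'/'..' components, and
    leading/trailing whitespace. Both separators are accepted because the
    containers are Windows-centric but may be unpacked on any OS.
    """
    if not name or name != name.strip():
        return False
    if ntpath.splitdrive(name)[0]:          # "C:" or "\\server\share"
        return False
    parts = name.replace("\\", "/").split("/")
    return all(p not in ("", ".", "..") for p in parts)

def safe_extract_path(dest_root: str, name: str) -> str:
    """On-disk path for an unpacked entry, or ValueError if the name
    could land outside dest_root (the Zip Slip pattern)."""
    if not is_safe_relative(name):
        raise ValueError(f"refusing unsafe entry name: {name!r}")
    return ntpath.join(dest_root, name.replace("/", "\\"))

def load_mole_dictionary(raw: bytes):
    """Parse mole_dictionary.txt: UTF-8 with optional BOM, '//' comment
    lines, one path relative to the main executable per line.
    Returns (accepted_names, [(line_number, rejected_line), ...])."""
    accepted, rejected = [], []
    for lineno, line in enumerate(raw.decode("utf-8-sig").splitlines(), 1):
        entry = line.strip()
        if not entry or entry.startswith("//"):
            continue
        if is_safe_relative(entry):
            accepted.append(entry)
        else:
            rejected.append((lineno, entry))
    return accepted, rejected

# Constructed sample dictionary (not a real Tantra file list); the BOM is
# what the post asks for when names contain non-English characters.
SAMPLE_DICTIONARY = b"\xef\xbb\xbf" + (
    "// constructed sample mole_dictionary.txt\n"
    "HTSound.dll\n"
    "system\\MobInfo.tan\n"
    "data\\magic.dat\n"
    "C:\\Program Files\\My Program\\data\\magic.dat\n"   # full path: rejected
    "..\\..\\outside.dll\n"                              # traversal: rejected
    "карта\\файл.tan\n"
).encode("utf-8")

if __name__ == "__main__":
    ok, bad = load_mole_dictionary(SAMPLE_DICTIONARY)
    print("usable names:", ok)
    print("rejected lines:", bad)
```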

Real-life example of mole_dictionary.txt

There are lots of different "editions" of the Tantra Online game. They all need specific files like HTSound.dll, HTWeb.dll or system\MobInfo.tan to run properly. However, this specific version called Tantra Surya has packed all files inside HTLauncher.exe and .sps files, and enabled the "hide files" feature:

My unpacker does the job but original filenames are lost:

To improve unpacking results, you can add list of files normally used by Tantra into mole_dictionary.txt. Let's start with something simple, files that normally are in Tantra root folder:

After that, unpacker works much better. It has recovered most of the DLL names and just 5 filenames are unknown:

Of course, the more possibilities you add, the better the chances that the filename will be recovered. So, let's look into some subfolders...

Take, for example, this map folder:

Compare it to the same map folder in some different Tantra edition, in my case - Prime:

Now we know what filenames to add to mole_dictionary.txt:

Run the unpacker again on the packed HTLauncher.exe and the result is much better:

You can keep on building your dictionary until all the unknown filenames are resolved. But that's your task, I will not do that for you...

Have fun and as always - please let me know if you notice any issues!

9 thoughts on “September update of unpackers”

  1. Hi kao! Thanks for this update!

    Unfortunately with the new version of your "Enigma Virtual Box unpacker" I'm having the same issue I had with the previous versions, with the exception that now I don't see any TLS directory warning message. The problem is with some RPGMaker MV boxed games. It apparently extracts everything, but when opening the .exe, the game does not start; I get only a blank window. It is as if there were some problem with the unpacked exe, because the games it can't unpack correctly generate an exe of the same size every time (44,2MB), whereas the exe of the games that extract correctly varies.

    Here are some games that don't unpack correctly (you may need to set your Windows locale to open non-Unicode characters in Japanese):
    {hidden link}
    {hidden link}
    {hidden link}
    {hidden link}
    {hidden link}
    {hidden link}
    {hidden link}

    Disclaimer: these are adult-only games.

    • Thank you, I will check it. Download speed for those files is around 10kbps, so it will take a while. ;)

      Are you sure there are no warnings in the unpacker log, for example, about overlay?

    • Apparently RPGMaker MV has issues with "%" signs in folder names. Rename "%DEFAULT FOLDER%" to something else and the game will start properly.

      • Hi kao!
        I feel pretty dumb for not thinking about renaming the folder. Now it seems to work properly.
        Many thanks for your work and for the help! Wish you the best. :)

    • Links work just fine. If your ISP/country blocks mega.nz, just use a VPN or find another solution.

  2. Hi Kao, I wonder, was it much effort for you to update the Enigma Unpacker every time? I mean, I assume it may be just a few lines of code, right? Enigma Virtual Box 8 - 9 software might have changed its structure a little to prevent breaking, but not that much ... I'm just curious about it :)
    Also, do you think it's possible to break Enigma Pro as well?
    As far as I know, Enigma Pro may pack files exactly the same way as Enigma Free, except that the Pro version allows the user to change the .dat name to anything they want to fool the unpacker. So if your unpacker allowed the user to input file names manually, perhaps it could break Enigma Pro too?
    Thank you

    • It all depends on what was changed.

      Changes that don't affect the file format are indeed a matter of adding a few lines. The entire process takes 10-20 minutes, from downloading EnigmaVB, to packing my test files, running the unpacker, examining the log, making the required changes, compiling a new version, testing it again and packing it all up.

      Changes that affect file format take somewhere between 1 and 20 hours. Again, it all depends on what was changed and how. Analyzing new changes is just a part of the job. The biggest problem is to ensure backwards compatibility with all the EnigmaVB versions - that takes quite some time.

      My unpacker is a static unpacker, meaning it doesn't run any of the executables, so it's pretty safe to use it on malicious files. I intend to keep it that way. Enigma Protector, on the other hand, encrypts data files with a key that cannot be reliably obtained without running the executable (and, in some cases, bypassing hardware id check). So, it requires a totally different approach and I'm not planning to do that any time soon.

  3. Hello, I really want your software, but unfortunately I can not open the download link, can you send it directly to my mailbox, thank you
