30 Sep

September update of unpackers

Last few months have been... extra busy. I survived HDD crash, participated in Flare-On reversing contest (and finished 4th!), had quite fun projects at work - but all that is a matter of another story. Today I want to share with you a long-overdue update for unpackers.

Enigma Virtual Box unpacker

  • Added support for Enigma Virtual Box v8.10, v8.20, v9.00 and v9.10.
  • Unpacker now restores file attributes and date/time. Be careful, unpacked files might have attributes "read only", "hidden", etc.!
  • Added validation of extracted folder/file names to prevent directory traversal attacks. It was on my todo list for a long time and all the media-craziness around Zip Slip finally forced me to do something about it.
  • Fixed warning message about TLS directory. Mea culpa.

Molebox Virtualization Studio unpacker

  • Fixed error "VFSDecrypt: failed to find STELPACK signature" on some data files;
  • Fixed error "SPack catalog not found or invalid. vfsrootsize=00000000" on some EXE files;
  • Fixed out-of-memory error when unpacking huge data files;
  • Loads possible filenames from mole_dictionary.txt;

How to use mole_dictionary.txt

If you have a file which uses "hide files" feature of Molebox VS, it only stores hash of the filename - original filenames are not stored anywhere. But if you have a good idea what the filename might be, you can add it to mole_dictionary.txt and my unpacker will use that for intelligent guessing.

You must enter path relative to where the main executable is, for example: data\magic.dat. DO NOT enter full paths like C:\Program Files\My Program\data\magic.dat, they will not work.

You can also add comments for your convenience - any line starting with "//" is treated as a comment and ignored.

If your paths contain non-English characters, make sure you save mole_dictionary.txt in UTF-8 encoding with BOM.

Real-life example of mole_dictionary.txt

There are lots of different "editions" of Tantra Online game. They all need specific files like HTSound.dll, HTWeb.dll or system\MobInfo.tan to run properly. However, this specific version called Tantra Surya has packed all files inside HTLauncher.exe and .sps files

and enabled "hide files" feature:

My unpacker does the job but original filenames are lost:

To improve unpacking results, you can add list of files normally used by Tantra into mole_dictionary.txt. Let's start with something simple, files that normally are in Tantra root folder:

After that, unpacker works much better. It has recovered most of the DLL names and just 5 filenames are unknown:

Of course, the more possibilities you add, the better are chances that the filename will be recovered. smile So, let's look into some subfolders..

Take, for example, this map folder:

Compare it to the same map folder in some different Tantra edition, in my case - Prime:

Now we know what filenames to add to mole_dictionary.txt:

Run the unpacker again on the packed HTLauncher.exe and the result is much better:

You can keep on building your dictionary until all the unknown filenames are resolved. But that's your task, I will not do that for you.. smile

Have fun and as always - please let me know if you notice any issues!

27 Feb

February update of unpackers

Enigma Virtual Box unpacker v0.51

  • Hopefully solved the UI-freeze issues.
  • Improved loading speed for big files (100+ MB).
  • Added a warning for the user when loading big file:
  • Added support for Enigma Virtual Box v8.00.
  • Enigma Virtual Box v8.00 finally added support for TLS callbacks. My unpacker will detect such files and will try to fix TLS directory automatically.

Known issue - for x64 executables exception directory is not restored. The unpacked executable will work until an exception happens. If you find any such executable, please send it to me and I'll work to improve the unpacker.

demoleition v0.60

  • Hopefully solved the UI-freeze issues.
  • Fixed bug with certificates and overlays that I introduced few versions ago.
  • Fixed bug with multi-packed files
  • Main form shows that only Molebox v2.x is supported.
  • Improved loading speed for big files (100+ MB) and added warning for users.

demoleition VS v0.01


This is first BETA release of static unpacker for Molebox v4.x. It works for most of the files in my collection but is not well tested by any means. If you notice any bugs (trust me, you will!), please let me know.

Known limitations: way too many. Few most important ones:

  • Error checking is very limited. If something bad happens, it will most likely crash.
  • Main file is saved as _unpacked.bin. Overlay (if present) is saved as overlay.bin.
  • The biggest problem is the "hide files" feature of MoleboxVS. It does not store original filename, just the MD5 hash of it. So, in those cases it's almost impossible to restore original filenames. I added big fat warning for those cases.
  • Loading large files will make the UI freeze. I'll fix it after the bugs in unpacker itself are fixed.

So, why release it? I've had it like this for 5+ years now. It almost works. But without your feedback it will stay in this "almost working" state forever. The more bugs you report, the bigger the chance that I'll finally finish this project.. So, have fun!


Bugs reported by users. I'll work to fix the when I get some free time.

  • Some data files can't be unpacked. Error
  • Sometimes main EXE file will not be unpacked. No error message but _unpacked.bin file won't be created.
  • Mysterious unpacking problem on some files. Error
  • Very large data files can't be unpacked. Error
20 Dec 2017

December update for unpackers

This month brings us not one but two updated unpackers! smile

Updated Molebox unpacker

  • Fixes a crash with double-packed files. Thanks to whoknows for reporting the issue!

Updated Enigma Virtual Box unpacker

  • Support for Enigma Virtual Box v7.90
  • Detection of Enigma Protector. The feature was added long time ago but accidentally removed later.

I still need to work on the UI-freeze issue. When unpacking very large files, UI will appear to be frozen until unpacking process completes. It may take 5+ minutes on very large files, please be patient!

04 Oct 2017

October update to Molebox unpacker

Thanks to my reader Max I have fixed another bug in the Molebox unpacker.

  • Removed memory leak that caused "out of memory" error when unpacking very large files (1.5GB+)

The usual request

I hope you find this unpacker useful. But if it doesn't work for you, please send me an error report with all the details you can and I'll try to fix it. Have fun!

22 Aug 2017

Yet another update to Molebox unpacker

Thanks to my readers I have fixed few more bugs in the Molebox unpacker.

  • Better support for non-ASCII symbols in filenames
  • Very large (4GB+) files will now unpack correctly
  • Unpacker will extract embedded files packed with old versions of Molebox (like version 2.0570)

The usual request

I hope you find this unpacker useful. But if it doesn't work for you, please send me an error report with all the details you can and I'll try to fix it. Have fun!

21 Apr 2017

Updated Enigma VirtualBox unpacker again

This update has been long overdue. Finally it supports files larger than 2GB! smile

Full changelog:

  • Supports files larger than 2GB. Yeah!
  • Correctly recognizes EnigmaVB 7.50-7.70;
  • You can use command-line EnigmaVBUnpacker.exe /nogui [pathToFile] to unpack file, save results to !unpacker.log and close automatically.
  • NEW: fixed "Error creating temporary file"

Hopefully I didn't break anything during the rewrite. But if I did, send me an email and I'll fix it! smile

EDIT 2x: Very stupid error fixed. /me embarrassed. Sorry.

06 Feb 2017

Updated Molebox unpacker

During last year, the most common complaint on this blog was "your Molebox unpacker cannot unpack this crazy big EXE of MMORPG game X, Y or Z."

Sounds like an easy problem to fix, right? Well, that's not true - but I finally did it!

TL;DR:

In the rest of the post I'll describe the obstacles I had to overcome while solving this seemingly simple problem.

Delphi TMemoryStream limitation

First, unpacker is written using classic (non-.NET) Delphi and compiled as x86 executable. And standard Delphi streams are retarded. TMemoryStream uses GetMem - which ends up somewhere in Delphi memory manager and VirtualAlloc. That doesn't work well with 800+MB files.

I ended up with implementing custom stream backed by temporary file (CreateFile with FILE_ATTRIBUTE_TEMPORARY | FILE_FLAG_DELETE_ON_CLOSE).

Pointer magic

Since the original unpacker was using TMemoryStream, the whole file was loaded in memory as a continuous memory block and I could easily read/write each byte of file using pointers. Something like this:

Guess what? Files don't work that way.. sad I had to do a full and complete rewrite of all those methods.

Zlib conflicts

Original unpacker was compiled with Delphi 3. Delphi 3 didn't have Zlib library, so you had to supply your own Zlib implementation. But it won't compile with new versions of Delphi, giving error message

Unit Graphutil was compiled with a different version of zlib.TZDecompressionStream.

The solution was to get rid of my Zlib implementation and rewrite all methods that deal with decompression.

ANSI strings

In Delphi 3 all strings were ANSI. Starting from Delphi 20072009, strings are Unicode. Since Molebox internally uses ANSI, it required changing quite a few structure definitions and rewriting several string manipulation routines. It's a lot of fun (and source of the most obscure bugs), trust me!

Conclusion

I hope you find this unpacker useful. But if it doesn't work for you, please send me an error report with all the details you can and I'll try to fix it. Have fun!

24 Mar 2016

MoleBox goes out of business

Molebox as it used to be

A bit of history

MoleBox 2 was released in year 2003 and it was one of the first file virtualization solutions in the market. It bundled executable with the DLL and data files into a single EXE file. At that time that was something new and innovative.

They had quite a success and released another product (MoleBox Ultra, later renamed to MoleBox Virtualization Solution) in year 2009. Apparently it was very hard to fight in the increasingly more competitive market of application virtualization solutions and the last version of MoleBox Virtualization Solution was released in 2013.

Game over

In February 2016 domain molebox.com was sold for $1526. Yesterday their web server started serving generic WordPress page with dating-related spam. And that is just sad. sad
MoleBox dating advice

Release of static unpacker

However, both editions of MoleBox are still very popular with private game server owners, as they allow to bundle patched EXE files together with their custom data files. It's not a bullet-proof security but stops newbies from stealing their valuable data.

Since the MoleBox company is officially out of business now, I have no more reasons to keep my static Molebox unpacker private. It supports most versions of MoleBox 2.x including the external box files.

Have fun guys!

Download link: see October update to Molebox unpacker for an updated version.

P.S. This post was made just because I noticed changes in MoleBox web, I wasn't planning to release the unpacker today. So, please keep in mind this code was written in year 2009 and has had only one small fix applied in 2015. It's likely that you'll encounter some bugs and quirks - please send me the problematic file and I'll fix the bug. smile

P.P.S. I have static unpacker for MoleBox Virtualization Solution as well. But it doesn't have a nice UI yet, so it will be released on a later day.