lioncash / ExtractData

An extraction tool for visual novels. Originally developed by Yuu.

NekoPara tpm extraction doesn't work #2

Closed Fighter19 closed 3 years ago

Fighter19 commented 9 years ago

I compiled the program from source; however, I couldn't do so with the Debug flag (I used VC2010). It complained about zlibd.lib not being found. I checked the project settings and zlibd wasn't referenced, so I think this is some kind of VC habit I don't know (I'm not really developing with VC). Decrypting doesn't work (at least I assume so); I also tried other xp3 extraction programs (no files are listed). I could provide an exe together with a tpm file. Or I could do the debugging part myself, if I only knew how to break the algorithm (it would be great to write documentation so other people can contribute as well). I'm a beginner at debugging at the ASM level. Adding a new tpm file to the directory will make the game crash with a parsing error.

lioncash commented 9 years ago

This extraction tool is really old and I'm positive the .tpm files in NekoPara aren't the same format as anything this supports.

Fighter19 commented 9 years ago

Well they still have the exports V2Unlink and V2Link, so I guess the x3dec module inside the kirikiri engine hasn't changed much.

Fighter19 commented 9 years ago

It seems you can't open the "newer" xp3 files. Looks like NekoPara has its own way to decrypt the files. I'm a very nooby "hacker" and have never really done something useful except for game trainers. And I have no idea where to start to reverse the decryption process (I guess somewhere where a string is processed in a special way, so I know it has to be in a loop, and the output is unencrypted strings). I tried to compile the KrkrZ engine so maybe I'd get more information; however, it fails at some points (also because I'm too lazy to install nasm now), and I think there is better stuff to do than getting KrKrZ compiled to MAYBE get a good overview. Also it's completely commented in Japanese, making understanding hard. But I'd also be really glad if someone finds a way to open the xp3 files. And even more if someone had the nerves to document how they did it. I just know that the tpm file is a dll which gets imported by the KrKrZ engine, then gets used to decrypt it, so nekopara_v1.tpm is basically the decrypter itself. Maybe if someone were able to compile KrKrZ and get the data loaded with the engine (Nekopara is using irikiri Z Executable core /1.2.0.3 (Compiled on Nov 18 2014 17:23:21) TJS2/2.4.28), you could output them again undecrypted.

Interesting to mention is also that you can't use data packages from different versions. E.g. you can't use the exe from the all-ages version to open the adult version. It will result in a Script Error; however, I think the data is still successfully decrypted, as indicated by the logfile.

16:34:17 (info) Done. (contains 1207 file(s), 1207 segment(s))
16:34:17 Invalid character 'Æ' at line 1
16:34:17 Script exception raised Invalid character 'Æ'

marcussacana commented 9 years ago

and if this nekopara_v1.tpm is the key "signature" encrypted so that the executable has the key to decrypt the tpm..., the engine may generate a key time and using it saves the encrypted nekopara_v1.tpm with her and same key and save the executable. .. hence the error reason to try to start with another executable ...

Sorry, my English is not so good ... kkkk hope of to understand

Fighter19 commented 9 years ago

Afaik the tpm doesn't get encrypted or decrypted; as I understood from browsing around the Internet, the tpm IS the decryption algorithm itself. But I may be wrong.

Fighter19 commented 9 years ago

nekopara_v1.tpm is located in plugin. So you have nekopara_v1.exe, and inside the plugin folder you have nekopara_v1.tpm.

marcussacana commented 9 years ago

Ohh, and this Tpm is a .dll file but with another extension.... The file contains "This program cannot be run in DOS mode." and the file is not an executable... Later I'll try to open it with reshacker to view...

Fighter19 commented 9 years ago

Yes, tpm is a dll, and dlls in general are non-executable. Resource Hacker will only work on exes afaik (as far as I know), as only they contain such information. Resource Hacker also only shows you the ICON and some text which is inside the exe, but not what's stored outside the exe (you won't be able to open the tpm file or the xp3 with Resource Hacker).

Fighter19 commented 9 years ago

This is indeed interesting, I'll take a look at it; it looks pretty much like what I talked about.

yolo3231 commented 9 years ago

Hello, I speak little English, hope you understand. I want to translate this same game. I used all the tools for xp3 files: NvTools, xp3 Tools, Crage and more. I don't know if I'm not using them correctly or what? TT-TT

yolo3231 commented 9 years ago

http://tlwiki.org/index.php?title=Kirikiri2_for_Translators#Preferred_Tools

marcussacana commented 9 years ago

Nekopara doesn't use the KrKr2 engine.. it's KrKrZ. No tool exists for this engine...

Fighter19 commented 9 years ago

Even then extraction could be added, but it's quite hard to understand how the engine works if you don't speak Japanese. If someone actually gets the krkrz engine working from source, and if the custom compiled version works with the one in NekoPara, then you can just hook up the functions to save the decrypted files somewhere on the HDD and later repack them (in case a better solution isn't possible).

yolo3231 commented 9 years ago

@Fighter19 Did you try with FuckTpm? https://github.com/regomne/chinesize/tree/master/kirikiri2/FuckTpm See this: http://prntscr.com/686mnj

marcussacana commented 9 years ago

I can't compile FuckTPM. Do you have the library to compile the source? Better, can you upload the executable please?

Fighter19 commented 9 years ago

They are just the translated version of another project (from Jap to Chinese). It doesn't work with FuckTPM; it can't inject properly. EDIT: As far as I remember when I had a look at it, koisakura was the project which did pretty much the same, but I think what has to be injected has to be changed as well, and the opcodes weren't documented properly, so I don't know what they try to achieve.

yolo3231 commented 9 years ago

I think the best way to translate the game would be in an external way, since it is impossible to do it within the code, on the other hand this would be similar as the following image and the code that will use would be "java" or "c ++" since these are used by windows.

http://bit.ly/1vpWqSB (spanish)

marcussacana commented 9 years ago

steins;gate? for xbox? but pc is possible

Fighter19 commented 9 years ago

Actually I think reversing the way the extraction works (or simply cutting out the parts you need to extract them, then hooking them to a custom program) is more effective. On the other hand you could hook up the dialogue system to change the content of the text, or patch the script files in RAM. (Yes, the script files are actually saved in an unencrypted form in RAM.) EDIT: I found out a way to do so. For this I patch the function which sets the pointer to the text to a custom file (which is loaded into RAM before setting the pointer there), but I think the size has to fit. I'll work on it for the time being, as long as there is no extraction method.

marcussacana commented 9 years ago

It's good.... :/ Can you try whether the game supports these chars? ãéíóúç :V My language uses these special chars :V And can you name a good program to edit RAM?

Fighter19 commented 9 years ago

The best free program is called Cheat Engine; however, I would write you a script so you only need to write the text file. And yes, the characters are supported by default, so no need to change the font. Better contact me now on freenode IRC (send a message with /msg Fighter19), as this is now off-topic.

yolo3231 commented 9 years ago

Hi guys, I have good news. Having spent many hours looking for online methods to translate this game, I came across a program called "Visual novel reader" which provides the facility to translate a game (if there is already a translation). I tried with the English version of Nekopara and it did not work; however, after changing to the Japanese language it worked =D, but the translations do not make much sense. I think that there is a way in which you can add translations manually. Here is a screenshot and the link of the program.

Link: https://drive.google.com/folderview?id=0B3YXxE6u-4bzc1RKWHpoLWZROTQ

yolo3231 commented 9 years ago

@Fighter19 What is the name of the program?

Fighter19 commented 9 years ago

It's not a program yet; I manually edited memory to show a method on how to WRITE a program or script. All you have to do is acquire the pointer of the text section, then overwrite the text there with your own text, but right now the limitation is that you can't change the size of the written text. However, if I take my time I can find the value which indicates how many characters a text has, then manually change it. After doing so, I could dump the information of the dialogue (to a file), then translate it. A custom script would then handle injecting the correct translated data into the game (it looks like a chapter has its own text). This script will run Nekopara, then patch it automatically in the end. But your program looks like a nice universal workaround. Also I can't promise I'll manage to finish the script, as it takes quite some time for a newbie like me (I've only done smaller things before; here I actually have to write a tool which parses information).

EDIT: The program I use to analyze the structure of the game is called Cheat Engine; it's probably the most powerful free debugger out there.

EDIT2: The end of a text is indicated by a 00 byte (size is not a problem); now I have to find out how the pointer of the beginning of the text is determined. %fFontname; is being used to set the font; however, the default font supports special characters, and a special font is used for the brackets and CJK characters (SourceHanSansCN-M).

yolo3231 commented 9 years ago

I understand, but when I do the same with Cheat Engine, for example when I'm looking for "i wipeed the sweet off...", the results are hexadecimal codes, and if I want to change them, idk what to do; how would I turn texts into hexadecimal codes? D:

yolo3231 commented 9 years ago

Example http://prntscr.com/69vdev

Fighter19 commented 9 years ago

You need to do a text search (also mind capital letters), also for now, you won't come far with doing this in RAM as after a restart of the game, the changes are undone, you can however begin to translate it in a file which is dumped. EDIT: The text section looks like: http://puu.sh/gcKrF/4c70be84bf.png

yolo3231 commented 9 years ago

http://vn.i-forge.net/tools/#arctool See this? and this http://bit.ly/1DbUJ92 (spanish)

yolo3231 commented 9 years ago

In this way, you can create a dll that is injected automatically using Cheat Engine.

yolo3231 commented 9 years ago

Can you send me a picture of how you do this?

Fighter19 commented 9 years ago

Yeah, you actually showed me a tutorial on how to change NORMAL values of games. However, what I do is a lot more complicated (still not something over-the-top). Your tutorial is useful if you want to change the amount of life, score, armor etc. in a game, but this is useless for a VN. http://puu.sh/gcMk2/c2b81273b7.png This is something you want to go for. But as I said, modifying a dump of the region is a lot more useful than modifying the region in RAM.

Fighter19 commented 9 years ago

The thing is that you used the search type "All"; you need to set it to "String" before starting a search. EDIT2: You won't see the change in your text if it's already rendered, meaning you have to modify it before you can actually see it. Oh, and you won't be able to actually see the changes in the backlog; I'll have to look even deeper to change this as well.

marcussacana commented 9 years ago

@Fighter19 Hello, I completed the dracu-riot hacking, but for the image files (*.psb), does a tool exist to extract them, if possible with remake... For pimg a tool by asmod exists... but it doesn't work with psb.. Do you know a tool for this?

xmoezzz commented 9 years ago

Currently, I'm working with the krkrz engine, and here are some of my suggestions. (After I passed CET-6, my English is getting worse. I hope you can understand my words.)

1. I tried to extract xp3 files from YuzuSoft's galgame (krkrz engine) and I found some special info. (As we know, xp3 files contain 'file', 'info' and 'aldr' sub-chunks for each file.) But I found a chunk called 'Yuzu'. The file name from the info chunk is incorrect, and the real file name is recorded in the 'Yuzu' chunk. (The struct of 'Yuzu' is not hard to analyze.) Other parts of the xp3 file are the same as krkr2's xp3 file. Now, U can dump those xp3 files. (Of course, you should write a tool by yourself.) (Later, I found the developer of YuzuSoft and Nekopara is 'M2'; maybe this structure of xp3 file is similar.)
2. After dumping the files, I find these files are encrypted by xor. (It is very easy to find out the keys.)
3. About 'PSB' files: some psb files are images, U can directly open them with photoshop. (U can find libpsd in the krkrz project.) And others are compiled ks scripts. (Also, they can contain image data and animation data.) Both 'psb' image and 'psb' script have the same signature ("PSB\x0"). The DLL 'psbfile.dll' can parse 'psb' scripts. There are two types of 'psb' script: (uncompressed: signature "PSB\x0"; compressed: using zlib as compression method, data offset +0x4 is compressed file size, data offset +8 is uncompressed file size). After U uncompress it, U will find the "PSB\x0" signature at the beginning of the uncompressed data.

This is the structure of the PSB file:

    #include <windows.h>      // DWORD

    struct Header
    {
        DWORD Signature;      // "PSB\x0"
        DWORD Version;        // 2
        DWORD Unknown;        // never used
        DWORD NameTree;
        DWORD StrListOffset;
        DWORD StrResOffset;   // U can extract strings from this offset, using utf-8
        DWORD DibOffList;
        DWORD DibSizeList;
        DWORD DibRes;
        DWORD ResIndexTree;
    };

I'm so sad that those strings are 'sorted'. (It means the order in this script isn't the same as in the game.) So U should find string from an array to another array....... (Just debug it, U will get the procedures.) (My email: xmoe.project@gmail.com) (I can read Chinese, Japanese, English and a little Russian.)
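
The PSB layout described in the comment above, as an added example that is not part of the thread or of ExtractData: a Python parser that unwraps the zlib variant with a bounded inflate, validates every header offset against the file size, and pulls out the NUL-separated UTF-8 strings. It assumes little-endian DWORDs, a zlib stream starting at +0xC, and a string region running from StrResOffset to DibOffList; the function names and the sample bytes are constructed for illustration.

```python
import struct
import zlib
from collections import namedtuple

# Field order follows the struct quoted in the thread; little-endian 32-bit
# DWORDs are an assumption (Windows x86 target).
FIELDS = ("signature version unknown name_tree str_list_offset str_res_offset "
          "dib_off_list dib_size_list dib_res res_index_tree").split()
PsbHeader = namedtuple("PsbHeader", FIELDS)
HEADER = struct.Struct("<4s9I")        # 40 bytes
MAGIC = b"PSB\x00"
MAX_UNPACKED = 64 * 1024 * 1024        # arbitrary safety cap (assumption)

def unwrap(blob):
    """Return raw PSB bytes, inflating the zlib-wrapped variant if needed."""
    if blob[:4] == MAGIC:
        return blob
    if len(blob) < 12:
        raise ValueError("too short for a compressed PSB wrapper")
    packed, unpacked = struct.unpack_from("<II", blob, 4)   # sizes at +4 and +8
    if packed > len(blob) - 12 or unpacked > MAX_UNPACKED:
        raise ValueError("declared sizes do not fit the file")
    # Assumption: the zlib stream starts right after the size fields (+0xC).
    inflater = zlib.decompressobj()
    raw = inflater.decompress(blob[12:12 + packed], unpacked + 1)  # bounded
    if len(raw) != unpacked or raw[:4] != MAGIC:
        raise ValueError("inflated data is not a PSB of the declared size")
    return raw

def parse_header(raw):
    if len(raw) < HEADER.size:
        raise ValueError("truncated header")
    hdr = PsbHeader._make(HEADER.unpack_from(raw))
    if hdr.signature != MAGIC:
        raise ValueError("bad signature")
    for name in FIELDS[3:]:            # every offset must stay inside the file
        if getattr(hdr, name) > len(raw):
            raise ValueError(f"{name} points outside the file")
    return hdr

def strings(raw, hdr):
    """NUL-terminated UTF-8 strings from StrResOffset to DibOffList (assumed end)."""
    end = hdr.dib_off_list if hdr.dib_off_list > hdr.str_res_offset else len(raw)
    region = raw[hdr.str_res_offset:end]
    return [s.decode("utf-8", "replace") for s in region.split(b"\x00") if s]

def build_sample():
    """Constructed sample (not game data): raw PSB and its zlib-wrapped form."""
    text = "「%f;No!」".encode() + b"\x00" + "もう".encode() + b"\x00"
    head = HEADER.pack(MAGIC, 2, 0, 40, 40, 40, 40 + len(text), 0, 0, 0)
    raw = head + text
    packed = zlib.compress(raw)
    # The wrapper's first four bytes are not given in the thread; "WRAP" is made up.
    return raw, b"WRAP" + struct.pack("<II", len(packed), len(raw)) + packed
```

Because the strings are stored sorted, the list returned by `strings` is in file order, not dialogue order.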

Fighter19 commented 9 years ago

Thank you for this useful information!

Bugster commented 9 years ago

There's not much point decrypting Nekopara to translate it into English by the way as it's already available in English from dlsite.

Fighter19 commented 9 years ago

I have the Steam version, it comes with English, Japanese and Chinese. However there are other languages as well, which could be supported by the community.

marcussacana commented 9 years ago

here i find to portuguese brazilian translation project..

marcussacana commented 9 years ago

Hello again @Fighter19 ^^, man, I removed the Nekopara protection... Running without any .sig file and without TPM file, the XP3 only with default Zlib.... Print for now I'm uploading the game, if you like, after I send...

Fighter19 commented 9 years ago

Interesting; however, I found out that the key is stored inside nekopara_vol1.exe. The protection is trivial, I just lack the skill and the time to reverse it (I even found the location where the decryption takes place). As far as I know the protection itself isn't even stored in a TPM (in comparison to what I thought first); however, you being able to remove the file should show it, I think. It is an XOR (quite primitive encryption, if you can call that encryption) which loops through the section which uses a specific key, much like in Fate/Night (afaik). EDIT: I thought of two ways to dump it, by either getting the keys (easiest one, however likely to fail, hard to analyze), or by redirecting the decrypted file stream to a file (problem is getting the file name, so you know which file is what).

marcussacana commented 9 years ago

Man, do you know how to edit the ks.scn files? The xmoeproject doesn't say how the offset tree works below

Fighter19 commented 9 years ago

As far as I know scn files are encrypted, so you were able to get some? EDIT: I can't find out much without having the file.

marcussacana commented 9 years ago

hm... the strings don't have any type of encryption.

Fighter19 commented 9 years ago

Ah, well, they definitely have the strings. Is there a section which contains some gibberish / unreadable symbols? The offsets, lengths or pointers for the strings might be stored there. Make sure those symbols don't make sense in Chinese or Japanese (set the encoding respectively). EDIT: I would like to continue this on IRC if possible; would you come for a private chat on Freenode IRC? Send a private msg to Fighter19 (with /msg Fighter19 [Your Message]). EDIT2: I don't like to spam the Issue section.

marcussacana commented 9 years ago

hm... encoding... well spoken, can say the encoding.... I always see here 00 STRING 00 (string separator) (string separator)

for sample: 「もうちょっとしたらあんな風にちゃんとしてくれるのかなぁ?」 hex in file: 00 E3 80 8C E3 82 82 E3 81 86 E3 81 A1 E3 82 87 E3 81 A3 E3 81 A8 E3 81 97 E3 81 9F E3 82 89 E3 81 82 E3 82 93 E3 81 AA E9 A2 A8 E3 81 AB E3 81 A1 E3 82 83 E3 82 93 E3 81 A8 E3 81 97 E3 81 A6 E3 81 8F E3 82 8C E3 82 8B E3 81 AE E3 81 8B E3 81 AA E3 81 81 EF BC 9F E3 80 8D 00

and english: %fSourceHanSansCN-M;「%f;No! If that's the case, then Chocola will sleep on the sofa!%fSourceHanSansCN-M;」

hex: 00 25 66 53 6F 75 72 63 65 48 61 6E 53 61 6E 73 43 4E 2D 4D 3B E3 80 8C 25 66 3B 4E 6F 21 20 49 66 20 74 68 61 74 27 73 20 74 68 65 20 63 61 73 65 2C 20 74 68 65 6E 20 43 68 6F 63 6F 6C 61 20 77 69 6C 6C 20 73 6C 65 65 70 20 6F 6E 20 74 68 65 20 73 6F 66 61 21 25 66 53 6F 75 72 63 65 48 61 6E 53 61 6E 73 43 4E 2D 4D 3B E3 80 8D 00

marcussacana commented 9 years ago

Ohh, the upload ended here; if you'd like to download, just request.

marcussacana commented 9 years ago

And this SourceHanSansCN-M; for me it's a string effect.

Fighter19 commented 9 years ago

huh, for me it looks like you successfully extracted the files. With which tools? :O

marcussacana commented 9 years ago

After decryption... hm... any tool works: arc_conv, AE, KiriKiri, xp3_upk; it's raw xp3.

marcussacana commented 9 years ago

the game with xp3 raw format: [redacted] you can use my program to download free in this site: [redacted]