Closed urielz closed 6 years ago
hey! interesting 😄
the "cannot open" error is very generic and may also happen if the plugin isn't installed properly. To figure it out you can run r2 -L and see if among the output you get a line similar to this:
rw_ ggpack ggpack:// io plugin (MIT)
are you using r2 from git? (if not, then try to use it from git master)
if all the above is OK, did you try to enable debugging output by setting ENABLE_DEBUG to 1 here? https://github.com/mrmacete/r2-ggpack/blob/master/io_ggpack.c#L14
it should spit out a lot of stuff before actually failing, would be helpful to paste it here.
Thanks for helping me out with this! I followed up on your suggestions, here's what I got:
r2 -L output looks ok:
rw_ ar Open ar/lib files [ar|lib]://[file//path] (LGPL3)
rw_ bfdbg BrainFuck Debugger (bfdbg://path/to/file) (LGPL3)
rwd bochs Attach to a BOCHS debugger (LGPL3)
r_d debug Native debugger (dbg:///bin/ls dbg://1388 pidof:// waitfor://) (LGPL3) v0.2.0 pancake
rw_ default open local files using def_mmap:// (LGPL3)
rwd gdb Attach to gdbserver, 'qemu -s', gdb://localhost:1234 (LGPL3)
rw_ gprobe open gprobe connection using gprobe:// (LGPL3)
rw_ gzip read/write gzipped files (LGPL3)
rw_ http http get (http://rada.re/) (LGPL3)
rw_ ihex Intel HEX file (ihex://eeproms.hex) (LGPL)
rwd mach mach debugger io plugin (mach://pid) (LGPL)
rw_ malloc memory allocation (malloc://1024 hex://cd8090) (LGPL3)
rw_ mmap open file using mmap:// (LGPL3)
rw_ null null-plugin (null://23) (LGPL3)
rwd qnx Attach to QNX pdebug instance, qnx://host:1234 (LGPL3)
rw_ r2k kernel access API io (r2k://) (LGPL3)
rw_ r2pipe r2pipe io plugin (MIT)
rw_ r2web r2web io client (r2web://cloud.rada.re/cmd/) (LGPL3)
rw_ rap radare network protocol (rap://:port rap://host:port/file) (LGPL3)
rw_ rbuf RBuffer IO plugin: rbuf:// (LGPL)
rw_ self read memory from myself using 'self://' (LGPL3)
rw_ shm shared memory resources (shm://key) (LGPL3)
rw_ sparse sparse buffer allocation (sparse://1024 sparse://) (LGPL3)
rw_ tcp load files via TCP (listen or connect) (LGPL3)
rwd windbg Attach to a KD debugger (windbg://socket) (LGPL3)
rwd winedbg Wine-dbg io and debug.io plugin for r2 (MIT)
rw_ zip Open zip files [apk|ipa|zip|zipall]://[file//path] (BSD)
rw_ ggpack ggpack:// io plugin (MIT)
I was using version 2.6.0 (the pre-compiled version). I cloned the git master.
r2 -v output is now:
radare2 2.8.0-git 18681 @ darwin-x86-64 git.2.7.0-9-gb12837b52
commit: b12837b52a03bca1f0f0f599ce7e31813330ce98 build: 2018-07-11__00:07:58
Unfortunately the issue persists with the latest version, this is the output with debug mode on:
r2 ggpack://ThimbleweedPark.ggpack1
retry with version 1
retry with version 2
retry with version 3
retry with version 4
retry with version 5
retry with version 6
retry with version 7
retry with version 8
retry with version 9
retry with version 10
retry with version 11
retry with version 12
retry with version 13
retry with version 14
retry with version 15
retry with version 16
retry with version 17
retry with version 18
retry with version 19
retry with version 20
retry with version 21
retry with version 22
retry with version 23
retry with version 24
retry with version 25
retry with version 26
retry with version 27
[r] Cannot open 'ggpack://ThimbleweedPark.ggpack1'
One more thing that I suspect is not relevant, but just in case: in order to look for the string, I have to open the file like this:
r2 -e bin.maxstrbuf=0x1df6013f ThimbleweedPark.ggpack1
otherwise I get this warning:
WARNING: bin_strings buffer is too big (0x1df6013f). Use -zzz or set bin.maxstrbuf (RABIN2_MAXSTRBUF) in r2 (rabin2)
wow, super interesting.
can you also set this to one (sorry forgot to say this yesterday): https://github.com/mrmacete/r2-ggpack/blob/master/gglib.c#L9
from what platform is the game file?
also: r2 -e bin.maxstrbuf=0x1df6013f ThimbleweedPark.ggpack1 actually doesn't use the plugin, it opens the raw file, that's why you get issues with string buffers
ohh one thing i noticed: if it's really a problem with the magic bytes, make sure you search for that pattern in the TWP executable, not the ggpack itself (the comment isn't clear about that)
Finally got around to trying your suggestions:
> from what platform is the game file?
It's the steam version
> ohh one thing i noticed: if it's really a problem with the magic bytes, make sure you search for that pattern in the TWP executable, not the ggpack itself (the comment isn't clear about that)
Ok that's interesting, if I look at the executable then I can see one of the two sets of strings already defined in io_ggpack.c
I turned on the other debug flag, this is the output now:
r2 ggpack://ThimbleweedPark.ggpack1
gg_hash_unserialize: wrong signature 0xc443c201
retry with version 1
gg_hash_unserialize: wrong signature 0xc443c201
[r] Cannot open 'ggpack://ThimbleweedPark.ggpack1'
ohh that's very interesting!
can you try this tweak? on this line: https://github.com/mrmacete/r2-ggpack/blob/master/gglib.c#L85
turn this:
if (signature != 0x04030201) {
into this:
if ((signature & 0x0f0f0f0f) != 0x04030201) {
and see if it makes some progress?
sure :) thanks for looking into this, here's the output:
r2 ggpack://ThimbleweedPark.ggpack1
gg_hash_unserialize: plo out of range
retry with version 1
gg_hash_unserialize: plo out of range
[r] Cannot open 'ggpack://ThimbleweedPark.ggpack1'
ok, nice.
so probably there's another layer of obfuscation, but it doesn't seem so hard to beat.
i'll just need to buy the steam version and see what's going on 😂
steam on macos, right?
yes, steam on macos.
ahah no problem, i'll do that - just give me few days
👍 thanks again for looking into this!
Sorry for the delay, found the time only today to fix this 😅
please let me know if it works for you, reopen if not!
I'm having an issue using the plugin on macOS 10.13.5. I don't know anything at all about radare and how to use it. So I'm basically trying to guess a fix. I'd appreciate if someone can point out an obvious error:
The output of:
r2 ggpack://ThimbleweedPark.ggpack1
is:
Cannot open 'ggpack://ThimbleweedPark.ggpack1'
By inspecting the code, I followed a suggestion made in a comment in io_ggpack.c: To look for the magic byte (which could be platform-dependent). I have to extend the mask quite a bit to get a hit, this is what I did:
[0x00000000]> /x 4fd0..........................93
Searching 16 bytes in [0x0-0x1df6013f]
hits: 26
0x019ed84f hit26_0 4fd0e3fa860551f79e8c5b0ac8ae1493
0x01fc3223 hit26_1 4fd0f16a8bfc3b6749e3e05b970cbc93
0x01fdda86 hit26_2 4fd0684011dd653edd8df2b8a2ed8593
0x0247acfe hit26_3 4fd019ab17aec9955a8775ac927a5493
0x028805e7 hit26_4 4fd0abe52e4e9bddff01a684ada22f93
0x02dae656 hit26_5 4fd0dcf25f43d8880e7ca592f62f7793
0x0533d35a hit26_6 4fd0e5fa61f09a8ee3c92e2fa6931993
0x06151af4 hit26_7 4fd0ab81d7591f46d60f05356c764093
0x0711c651 hit26_8 4fd0036f6f1ca2572a48633c514e0493
0x071d824c hit26_9 4fd0dea517813bdbc899ae76d4e77293
0x0758ab51 hit26_10 4fd078a67cca7a81849300ed9243e193
0x0c23f83e hit26_11 4fd0cd831ac285761a2e28dd41ec9993
0x0ec19be5 hit26_12 4fd0e128791f2b7260244861d27ba593
0x10e3dcdb hit26_13 4fd0a4c5f18e84ae270b42e88938b593
0x127f0baa hit26_14 4fd08f7215b2c3f22888325921c47193
0x140ea530 hit26_15 4fd00e8d9c5de107d8a942a0364fa993
0x1428ec64 hit26_16 4fd0fa62414b4f50fbe642ee6706be93
0x142f6d8d hit26_17 4fd04ccb6d5b3ff6b859b031fb900493
0x15931600 hit26_18 4fd0557cbe366fe7ef14c896b5cfde93
0x161a8437 hit26_19 4fd031adf4ba5bc2194e33f4390b5a93
0x167f5492 hit26_20 4fd03fe46df83b8d335b029745db2a93
0x197081d6 hit26_21 4fd0482c8e3ffdfd38f7608ba6da4493
0x19b56ee4 hit26_22 4fd0aca508ecad2cd77601b8c419bb93
0x1c6f79bf hit26_23 4fd07a71be3989de51c7d35066947093
0x1dc91851 hit26_24 4fd0dcf1732f30f180d59427b9fd4d93
0x1de2f6d9 hit26_25 4fd049dbcf4b4982833ca9bd6e379c93
So I added all of that to io_ggpack.c and changed the line:
#define BRUTE_VERSIONS 2
to
#define BRUTE_VERSIONS 28
After doing make install I still get the same error... any help would be appreciated.
And @mrmacete thanks for sharing this!
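The wildcard search in the post above fixes only three of the pattern's 16 bytes, which is worth quantifying before trusting its hits. The following C program is an added example (not part of the thread or of r2-ggpack): it parses a pattern with `.` as a wildcard nibble, counts masked matches in a buffer, and estimates how many matches chance alone produces. The function names are illustrative, and the estimate assumes the searched bytes are roughly uniformly random.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const char HEX[] = "0123456789abcdef";
/* Parse a hex pattern ('.' = wildcard nibble) into value/mask bytes.
 * Returns the pattern length in bytes, or 0 if malformed or longer than cap. */
size_t parse_pattern(const char *pat, uint8_t *val, uint8_t *mask, size_t cap) {
    size_t n = strlen(pat);
    if (n == 0 || n % 2 != 0 || n / 2 > cap) return 0;
    memset(val, 0, n / 2); memset(mask, 0, n / 2);
    for (size_t i = 0; i < n; i++) {
        int shift = (i % 2 == 0) ? 4 : 0;   /* high nibble comes first */
        const char *d = strchr(HEX, tolower((unsigned char)pat[i]));
        if (pat[i] == '.') continue;        /* wildcard: mask bits stay 0 */
        if (!d) return 0;
        val[i / 2] |= (uint8_t)((d - HEX) << shift);
        mask[i / 2] |= (uint8_t)(0xf << shift);
    }
    return n / 2;
}

/* Number of bits the pattern actually constrains. */
unsigned fixed_bits(const uint8_t *mask, size_t len) {
    unsigned bits = 0;
    for (size_t i = 0; i < len * 8; i++) bits += (mask[i / 8] >> (i % 8)) & 1;
    return bits;
}

/* Count offsets in buf where every masked byte equals the pattern value. */
size_t count_hits(const uint8_t *buf, size_t n, const uint8_t *val, const uint8_t *mask, size_t len) {
    size_t hits = 0;
    for (size_t off = 0; len && off + len <= n; off++) {
        size_t i = 0;
        while (i < len && (buf[off + i] & mask[i]) == val[i]) i++;
        hits += (i == len);
    }
    return hits;
}

/* Chance matches in uniformly random data (an assumption); requires bits < 64. */
double expected_random_hits(uint64_t range, unsigned bits) { return (double)range / (double)(1ULL << bits); }

int main(void) {
    uint8_t val[16], mask[16];
    unsigned bits = fixed_bits(mask, parse_pattern("4fd0" ".........." ".........." "......" "93", val, mask, 16));
    printf("%u fixed bits, %.2f chance hits\n", bits, expected_random_hits(0x1df6013fULL, bits));
    return 0;
}
```

For the 0x1df6013f-byte range in the post, the pattern has 24 fixed bits and the estimate is about 30 chance matches, so a count of 26 is what random data alone would produce under that assumption.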