
Author Topic: Determine If File Is Packed Or Had Filetype Changed  (Read 7119 times)

Enildraf

Determine If File Is Packed Or Had Filetype Changed
« on: May 30, 2011, 06:13:21 pm »
I am attempting to determine if a file has been packaged or encrypted or if it has merely had the extension changed.

The file appears to be an image but has the extension .pac which would give the opinion it is packed...
however I opened the file in a hex editor and saw two extensions listed...  .tga and .gim

The file is for PSP so it could be a .gim image...or that could be garbage data...my knowledge of hex is limited....

I tried changing the extension....unfortunately it didn't work (never is that easy...) ...so it could be encrypted or have a line in the hex that is preventing the file from being recognized for what it is....

Any assistance would be appreciated...and if more info is needed just ask

Jorpho

Re: Determine If File Is Packed Or Had Filetype Changed
« Reply #1 on: May 30, 2011, 11:10:49 pm »
If it's a standard image format, use TrID and see if it can be identified (but .gim might be a little too obscure).  However, if it has two extensions in it, then I don't see what makes you think it's going to be one or the other.
This signature is an illusion and is a trap devised by Satan. Go ahead dauntlessly! Make rapid progres!

Enildraf

Re: Determine If File Is Packed Or Had Filetype Changed
« Reply #2 on: May 30, 2011, 11:29:40 pm »
TrID could not identify the file....

What would be the best way to tell if the files are encrypted or packed?

Quote
However, if it has two extensions in it, then I don't see what makes you think it's going to be one or the other.

It might not be either of them...that might just be garbage data...
ha_01.gim - Line in hex
ha_01.tga - Line in hex
ha_01.pac - Real file name

I am simply trying to determine how to access the file...manipulate it...then put it back so it still works with the changes.
e.g. if it's an image, open it in a drawing program -

edit: if it's of any relevance the files are mentioned in other files...(file lists etc) and are listed as both .pac and .gim
« Last Edit: May 30, 2011, 11:42:35 pm by Enildraf »

Jorpho

Re: Determine If File Is Packed Or Had Filetype Changed
« Reply #3 on: May 31, 2011, 01:10:16 am »
Has it not occurred to you that it might be a packed file containing both ha_01.tga and ha_01.gim in compressed form?

Enildraf

Re: Determine If File Is Packed Or Had Filetype Changed
« Reply #4 on: May 31, 2011, 03:06:56 am »
Ah...I had not considered that...thank you...

Then that would make sense as to the .pac extension....a container to hold both files

Then I guess the problem now is how to extract the files from the .pac and then put them back in....

How would I go about determining a file's encryption/compression....or how the program reads the file to figure out how to extract its contents?

henke37

Re: Determine If File Is Packed Or Had Filetype Changed
« Reply #5 on: May 31, 2011, 06:12:53 am »
I had one file that was a pac file. But obviously it's not this format. But file formats like these usually have a pointer table somewhere.

Enildraf

Re: Determine If File Is Packed Or Had Filetype Changed
« Reply #6 on: May 31, 2011, 02:53:35 pm »
I'm not quite sure what the pointer table would look like...

I looked at various files and they all have a similar beginning to them

0123456789ABCDEF
add  []
[]    <<=                         
                                          or
add  []
[]     <A

And from reading  [410]Miniguide on Virtual File Systems.txt
it mentions
Quote
In the VFS file itself.  Usually at the top.

They also all have a line that has
LZS and a number....presumably file size
LZS =  Lempel–Ziv–Stac

Auryn

Re: Determine If File Is Packed Or Had Filetype Changed
« Reply #7 on: June 01, 2011, 02:38:24 am »
It would be best if u told us what game you are working on or at least posted the first few lines in hex.

henke37

Re: Determine If File Is Packed Or Had Filetype Changed
« Reply #8 on: June 01, 2011, 01:35:51 pm »
A pointer table is usually a table with fixed-size records that store the position in the file that each entry is stored in. They sometimes, but not always, have the size of the entry stored as well. Try changing the viewport size in your hex editor (read: resize the window) and see if you can get a part to align in a repetitive pattern. If you succeed it usually means it is a table or a bitmap. Bitmaps are pretty obvious, they look like a picture.

Anyway, the single best step to do when you find a suspected pointer table is to try the entries out. Read off the value as an integer and jump to it. With some luck it is right at a meaningful section of the file. If you are not lucky you will need to find the base offset for the value. You see, not all pointers are relative to the beginning of the file, some are relative to a specific sub-part of the file.

Also keep in mind that pointers are sometimes the in-memory address, meaning that you have to translate this logical address to the corresponding address in the file according to the mapping in use.
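The "resize the window until it lines up, then try the entries" approach from the post above can be automated. This is an added example, not code from the thread; it assumes little-endian 32-bit pointers stored as the first word of each record, and the function names and the sample file are made up for illustration.

```python
import struct

def find_pointer_tables(buf, stride, min_records=4, base=0):
    """Return [(table_offset, [pointers])] for runs of fixed-size records whose
    first little-endian word is a strictly increasing offset inside the file."""
    hits, pos = [], 0
    while pos + 4 <= len(buf):
        ptrs, cur, prev = [], pos, -1
        while cur + 4 <= len(buf):
            val, = struct.unpack_from("<I", buf, cur)
            target = val + base              # base: pointers relative to a sub-part
            # Assumption: a table precedes the data it points at (target > cur).
            if not (prev < target < len(buf)) or target <= cur:
                break
            ptrs.append(val)
            prev, cur = target, cur + stride
        if len(ptrs) >= min_records:
            hits.append((pos, ptrs))
            pos = cur                        # skip past the run just reported
        else:
            pos += 4
    return hits

def best_stride(buf, strides=range(4, 0x44, 4)):
    """Try several record sizes and return the one giving the longest run."""
    def longest(s):
        return max((len(p) for _, p in find_pointer_tables(buf, s, 2)), default=0)
    return max(strides, key=longest)

def sample_file():
    """Constructed file: 16-byte header, five (offset, size) records, 0xFF data."""
    recs = [(0x40, 0x10), (0x50, 0x10), (0x60, 0x20), (0x80, 0x08), (0x88, 0x18)]
    table = b"".join(struct.pack("<II", o, s) for o, s in recs)
    head = b"HDR\x00" + struct.pack("<3I", len(recs), 0, 0)
    return (head + table).ljust(0x40, b"\x00") + b"\xFF" * 0x60
```

A hit is only a candidate: jump to each reported pointer and check that something meaningful starts there, and retry with a non-zero `base` if the values look plausible but land in the wrong place.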

Enildraf

Re: Determine If File Is Packed Or Had Filetype Changed
« Reply #9 on: June 01, 2011, 05:16:18 pm »
I can't paste the lines from the hex file....so I took pics.
This is the text view.

This one is the standard Hex view.

I'm using MadEdit since there are Japanese characters in the files.

The original file's name is - story_bg_sky1.pac

It is from a PSP game.

Auryn

Re: Determine If File Is Packed Or Had Filetype Changed
« Reply #10 on: June 01, 2011, 11:44:15 pm »
From the look of it, I would try an LZS decompressor that you can find online from the x92-94 and probably forget about what comes before.

Is the game a secret??

Enildraf

Re: Determine If File Is Packed Or Had Filetype Changed
« Reply #11 on: June 02, 2011, 02:18:05 am »
First off I should state that I took x92-94 as a location in hex. If it wasn't let me know

I removed all the data before that spot and renamed the file to a .lzs

Then I tried three programs to decompress it, two of them thought it should be LZH and did not work.
One of them seemed to...it gave no errors.
I had to rename the file to .gim and used GimConv to try and convert it...but it said it was an invalid format.

Could there be excess data at the file's end?

Auryn

Re: Determine If File Is Packed Or Had Filetype Changed
« Reply #12 on: June 02, 2011, 10:18:39 am »
Sure, it's a pac (archive) so probably more files in one.
That's why I asked for the game...so that anybody with that game could take a look at the whole file and give u more precise/correct information.

Enildraf

Re: Determine If File Is Packed Or Had Filetype Changed
« Reply #13 on: June 02, 2011, 01:53:05 pm »
The game I am attempting to translate is...
Magical Girl Lyrical Nanoha A's Portable: The Battle of Aces

It's a Japanese psp game that came out in Jan 2010.

Wikia Link
Official Site

June 04, 2011, 03:35:36 am - (Auto Merged - Double Posts are not allowed before 7 days.)
I was looking through the files and saw this....

Hex3
Hex4
Hex5
Hex6

Is this the table? Looks like it based on what henke37 said...

I followed the values in the 00 and 01 (reversed) and for the K lines they led to a line that had - LZS ||?  2   ??  (the 2 could be any number and the ? were weird symbols)
the J lines led to a line that said HEADQ and had a symbol always under the 0C column --- They lead to the start

The second set - 04 05 - They seem to be the end point for the file....though not sure.....?

There seems to be a third set 0C possibly 0D but not sure....might be file size....or something else?

From what it looked....the K line - LZS - Are the contents of the .pac file and the J line - HEADQ - Are links to audio files (they are stored elsewhere)

And between the table and the start of the files is what seems to be a list of all files

EDIT:

This is my interpretation of the table in the files....how can I use this to extract the file from the pac?
Notes - UPDATED

Also I believe the PAC is like a TAR file....just a container to hold the related LZS files
« Last Edit: June 09, 2011, 05:30:06 pm by Enildraf »

Enildraf

Re: Determine If File Is Packed Or Had Filetype Changed
« Reply #14 on: June 09, 2011, 05:28:39 pm »
Working on the idea that the pac is like a tar file, I pulled out one of the LZS files using its listed start point and size.

However the standard LZS is a network compression algorithm so I'm pretty sure that these LZS files are stored differently.

Each LZS stores a single file which is listed in the top area of the file's hex...above that is information relating to the LZS file and presumably the file stored within.

LZS File Header

Probably either the purple zone or blue zone relate to the size of the original file.

How would I go about decompressing this file....

Auryn

Re: Determine If File Is Packed Or Had Filetype Changed
« Reply #15 on: June 10, 2011, 07:12:22 am »
Stop trying to compare pac to something else...each pac is different and u have to find how it's composed.
The best luck u can have is if there is a TOC and a pointer table at the beginning of the file but I don't think it's the case here. You have the worst (and the most common) version...just one file after the other.
Now either you are right and u have the file size after the LZS, or try to extract everything between one "lzs" and another.
I doubt that there are some bytes that tell you if the file is text or graphics...more if it's compressed or not.
Your question about "how i decompress it?? " leaves me perplexed, you don't know how compression in general works??
http://en.wikipedia.org/wiki/LZ77_and_LZ78 here is some general information.
More specific information, but just remember that it doesn't have to be exactly the same, can be found here:
http://wiki.qhimm.com/FF7/LZS_format

Enildraf

Re: Determine If File Is Packed Or Had Filetype Changed
« Reply #16 on: June 11, 2011, 07:41:55 pm »
The PAC files can be figured out pretty easily.

PAC file header
Offset  Size  Description
0x0000  Word  Magic bytes 'add ' 61 64 64 00.
0x0004  Word  Version? Name alignment? Always 04.
0x0008  Word  Version? File alignment? Always 20.
0x000C  Word  Start of Index Table? Always 0x20.
0x0010  Word  Number of entries in table.
0x0014  Word  Filler? Always 0x0000.
0x0018  Word  Filler? Always 0x0000.
0x001C  Word  Filler? Always 0x0000.

PAC file table
Offset  Size  Description
0x0000  Word  File start offset.
0x0004  Word  Always 0x0000. Might be part of start offset.
0x0008  Word  File flags?
0x000C  Word  File name offset. File name is zero-terminated ASCII.
0x0010  Word  Always 0x0000. Might be part of name offset.
0x0014  Word  Filler? Always 0x0000.
0x0018  Word  Filler? Always 0x0000.
0x001C  Word  Filler? Always 0x0000.
0x0020  Word  Filler? Always 0x0000.

With that info you can extract files from the packed archive.

Now for the LZS files themselves:

PAC file header
Offset  Size      Description
0x0000  Word      Magic bytes 'LZS ' 4C 5A 53 00.
0x0004  Byte      Version? Always 05.
0x0005  Byte      Version? Always 05.
0x0006  Byte      Version? Always 08.
0x0007  Byte      Version? Always 00.
0x0008  Word      Start offset compressed data.
0x000C  Word      Offset of data end?
0x0010  Word      Uncompressed file size?
0x0014  Word      The LZS file's size.
0x0018  Word      Version? Size? Always 0x0200.
0x001C  Word      Filler? Always 0x0000.
0x0020  Variable  Zero-terminated file name.

The pointer to data-end one is somewhat of a mystery for me. It points directly into the stream and often, but not always, MIG.00.1PSP (CS1Nanoha_BarrelShotLight01_8b.tga) or OSG.00.1PSP (CS1Nanoha_SLB.gso). However, sometimes there's nothing of interest there, like in MakerLogo.pac's MakerLogo.spr.

It was suggested that I link some of the files so I have uploaded some to megaupload if anyone wants to look at them to help me in figuring out how they are compressed. The link is here

Oh and thanks Tauwasser for the info.
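The layout tables in the post above are enough to list an archive and carve out its members, still compressed. This is an added example, not code from the thread; it assumes a "Word" is 4 bytes little-endian, that each index record is 0x24 bytes (the nine words listed), and that a member's length comes from the LZS header's size field at 0x14. The sample archive is constructed, not game data.

```python
import struct

PAC_MAGIC, LZS_MAGIC = b"add\x00", b"LZS\x00"
ENTRY_SIZE = 0x24  # assumption: nine 4-byte words per record (0x00..0x20)

def cstring(buf, off):
    end = buf.find(b"\x00", off)
    if end < 0:
        raise ValueError("unterminated name at 0x%X" % off)
    return buf[off:end].decode("ascii", "replace")

def list_pac(buf):
    """Return (name, start, flags, lzs_size); lzs_size is None for non-LZS data."""
    if len(buf) < 0x20 or buf[:4] != PAC_MAGIC:
        raise ValueError("missing 'add' magic")
    table_off, count = struct.unpack_from("<II", buf, 0x0C)
    if table_off + count * ENTRY_SIZE > len(buf):
        raise ValueError("index table runs past end of file")
    entries = []
    for i in range(count):
        rec = table_off + i * ENTRY_SIZE
        start, _, flags, name_off = struct.unpack_from("<4I", buf, rec)
        size = None
        if buf[start:start + 4] == LZS_MAGIC and start + 0x18 <= len(buf):
            size, = struct.unpack_from("<I", buf, start + 0x14)  # "The LZS file's size"
            if start + size > len(buf):
                raise ValueError("entry %d overruns the archive" % i)
        entries.append((cstring(buf, name_off), start, flags, size))
    return entries

def carve(buf, entry):
    """Slice one LZS member out of the archive, still compressed."""
    name, start, flags, size = entry
    if size is None:
        raise ValueError("%s has no LZS header, size unknown" % name)
    return buf[start:start + size]

def build_sample():
    """Constructed two-entry archive (not game data): one LZS member, one raw."""
    names = b"demo.gim\x00demo.bin\x00"
    name_off = 0x20 + 2 * ENTRY_SIZE
    data_off = name_off + len(names)
    lzs = struct.pack("<4s4B6I", LZS_MAGIC, 5, 5, 8, 0, 0x29, 0x2D, 4, 0x2D, 0x200, 0)
    lzs += b"demo.gim\x00" + b"\xAA\xBB\xCC\xDD"
    head = struct.pack("<4s7I", PAC_MAGIC, 4, 0x20, 0x20, 2, 0, 0, 0)
    recs = struct.pack("<9I", data_off, 0, 1, name_off, 0, 0, 0, 0, 0)
    recs += struct.pack("<9I", data_off + len(lzs), 0, 0, name_off + 9, 0, 0, 0, 0, 0)
    return head + recs + names + lzs + b"HEADQ\x00\x00\x00"
```

Every offset and size read from the file is checked against the buffer length before use, so a truncated or edited archive fails with an error instead of yielding a short or misplaced slice.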