
Iris Action

Name: Anonymous 2012-08-07 20:06

Hey nerds, why doesn't this code work?
http://pastie.org/private/29v95lljikryiiehtdpoq

I'm trying to extract images from a game pack file. It worked fine on the trial/demo version of the game, but fails on the full version of the game [ https://thepiratebay.se/torrent/7512447/ ]

I really don't understand.

Name: Cudder !MhMRSATORI!fR8duoqGZdD/iE5 2012-08-12 6:53

>>40
Producing a templated extraction for an obvious archive format is easy given the framework we have.

Going further, in general, isn't.

Name: Anonymous 2012-08-12 9:16

>>40
Try this:

https://raw.github.com/gist/f5e9ec60f361a11e2070/d9bab4fbeaeb34843195fc6135dd98f428eaf26e/kcap.c

You'll also need the kcap.h file posted further above.

Name: Anonymous 2012-08-12 10:53

Brb, creating archive entry at "C:\Windows\System32\userinit.exe"

Name: Anonymous 2012-08-12 10:54

check 'em

Name: Anonymous 2012-08-13 0:46

>>42
It works. Thanks very much. I have no real idea how you did it though. Would you happen to have some sort of general idea on where I should get started if I want to learn more about that kind of stuff, i.e. what methods you used to find the key? I like to learn from my stupid "questions".

Name: Anonymous 2012-08-13 1:37

>>45
I xored a clear file from the trial version with an encrypted file from the full version and checked the result for a repeating pattern.

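The check described in the post above, written out as an added example (this is not the thread's kcap.c or anyone's code from the thread). With XOR, plaintext XOR ciphertext gives back the keystream, so one file known in both the clear trial version and the encrypted full version is enough; the interesting property is then whether that keystream repeats within the file, because a keystream shorter than the data it protects is a reused key, not a stream cipher, and every other file in the pack falls with it. The key bytes, file contents and 12-byte period below are constructed for the demo; the thread reports a 64 KiB repeat for the real pack. It is assumed, as the thread's kcap.c apparently did, that every file restarts the keystream at offset 0.

```c
/* Added example: known-plaintext recovery of a repeating XOR keystream.
 * All data here is constructed; nothing is taken from the game. */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* out[i] = plain[i] ^ cipher[i]: for XOR, plaintext ^ ciphertext is the keystream. */
static void recover_keystream(const uint8_t *plain, const uint8_t *cipher,
                              size_t n, uint8_t *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = plain[i] ^ cipher[i];
}

/* Smallest p such that ks[i] == ks[i+p] for every i, requiring at least two
 * full repeats (2*p <= n) so a short tail can't match by accident; 0 if none. */
static size_t find_period(const uint8_t *ks, size_t n)
{
    for (size_t p = 1; 2 * p <= n; p++)
        if (memcmp(ks, ks + p, n - p) == 0)
            return p;
    return 0;
}

/* Decrypt any other file with the recovered period-p keystream (assumes the
 * keystream restarts at 0 for each file, as the thread's extractor did). */
static void apply_keystream(const uint8_t *ks, size_t p, uint8_t *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        buf[i] ^= ks[i % p];
}

#define DEMO_PERIOD 12u
#define DEMO_LEN    100u
#define OTHER_LEN   57u

/* Constructed stand-in for the pack's repeating key (distinct bytes, period 12). */
static const uint8_t demo_key[DEMO_PERIOD] = {
    0x5a, 0x13, 0xc7, 0x88, 0x01, 0xfe, 0x3c, 0x49, 0xa0, 0x77, 0x2b, 0xd4
};

/* One file as it appears in the trial (plain) and in the full version (cipher). */
static void build_pair(uint8_t *plain, uint8_t *cipher)
{
    for (size_t i = 0; i < DEMO_LEN; i++) {
        plain[i]  = (uint8_t)('A' + (i * 7) % 26);   /* constructed trial-version bytes */
        cipher[i] = plain[i] ^ demo_key[i % DEMO_PERIOD];
    }
}

/* XOR the two versions together and report the period of what comes out. */
static size_t demo_period(void)
{
    uint8_t plain[DEMO_LEN], cipher[DEMO_LEN], ks[DEMO_LEN];
    build_pair(plain, cipher);
    recover_keystream(plain, cipher, DEMO_LEN, ks);
    return find_period(ks, DEMO_LEN);
}

/* Use the keystream recovered from the first file on a second, differently
 * sized file that was never seen in the clear. Returns 1 on a clean decrypt. */
static int demo_decrypt_other(void)
{
    uint8_t plain[DEMO_LEN], cipher[DEMO_LEN], ks[DEMO_LEN];
    uint8_t other[OTHER_LEN], enc[OTHER_LEN];
    build_pair(plain, cipher);
    recover_keystream(plain, cipher, DEMO_LEN, ks);
    size_t p = find_period(ks, DEMO_LEN);
    if (p == 0)
        return 0;
    for (size_t i = 0; i < OTHER_LEN; i++) {
        other[i] = (uint8_t)(i * 3 + 1);               /* constructed second file */
        enc[i]   = other[i] ^ demo_key[i % DEMO_PERIOD];
    }
    apply_keystream(ks, p, enc, OTHER_LEN);
    return memcmp(other, enc, OTHER_LEN) == 0;
}

int main(void)
{
    printf("keystream period: %zu\n", demo_period());
    printf("second file decrypts: %s\n", demo_decrypt_other() ? "yes" : "no");
    return 0;
}
```

The period search is deliberately brute force; with a 64 KiB repeat you need a known file longer than 128 KiB for the two-repeat guard to pass, which is the practical reason the post's method needs a reasonably large trial/full pair rather than a tiny one.
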
Name: Cudder !MhMRSATORI!fR8duoqGZdD/iE5 2012-08-14 6:10

>>42
That code is buggy and inefficient. If fread() returns anything less than a full buffer (which it can, according to the spec) you'll desync the keystream and garbage appears in the output. And the least you could do is make it write out a block at a time, like the original. Also you haven't noticed that the key is a power of 2 and so you can just use a 16-bit index that will automatically wrap around.

>>46
You're very lucky. All good ciphers will have keystream periods longer than the maximum filesizes of any filesystem in existence (which is also larger than the capacity of any suitable storage device in existence.) I'm still highly doubtful there is 64KB of key in there; a flawed PRNG is more likely.

>>45
You're also lucky fread() didn't return a nonfull buffer halfway, but there will be up to 4KB of garbage at the end of all the extracted files. Disassemble the executable, find the filesystem routines (searching for "KCAP" and where it's used is a good start), and figure out where the decryption happens. You'll probably be much better than >>42 as you can find the PRNG itself and incorporate that into the code (usually a few dozen bytes to ~128 bytes at most) instead of bloating it with over 65 thousand bytes.

Name: Cudder !MhMRSATORI!fR8duoqGZdD/iE5 2012-08-14 6:17

>>47
Edit: spec says fread() returns a nonfull buffer at EOF or error only, but you should still process exactly the amount it says it read.

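The two fread() loops argued about in the posts above, side by side as an added example (not the thread's kcap.c): decrypt_naive() XORs and writes a whole block regardless of what fread() reported, so a file that is not a multiple of the block size ends with up to a block of garbage, exactly the symptom described; decrypt_exact() touches and writes only the bytes fread() returned, still a block at a time, and keeps the keystream position in a uint16_t so a 64 KiB key wraps on its own with no modulo. The key and file contents are constructed here, and it is assumed that each file's keystream starts at offset 0.

```c
/* Added example: short-read handling in a block-wise XOR extractor.
 * Key and data are constructed; this is not the game's key. */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 65536u
#define BLOCK   4096u

static uint8_t g_key[KEY_LEN];
static int g_key_ready;

/* Deterministic stand-in for a recovered 64 KiB keystream (constructed). */
static const uint8_t *demo_key(void)
{
    if (!g_key_ready) {
        for (size_t i = 0; i < KEY_LEN; i++)
            g_key[i] = (uint8_t)(i * 31u + 7u);
        g_key_ready = 1;
    }
    return g_key;
}

/* Buggy loop: assumes every read filled the buffer. On the short final read it
 * XORs stale bytes and writes BLOCK bytes, leaving garbage at the end of the file. */
static size_t decrypt_naive(FILE *in, FILE *out, const uint8_t *key)
{
    uint8_t buf[BLOCK];
    uint16_t pos = 0;
    size_t total = 0;
    while (fread(buf, 1, BLOCK, in) > 0) {
        for (size_t i = 0; i < BLOCK; i++)
            buf[i] ^= key[pos++];              /* keystream advances past the real data */
        total += fwrite(buf, 1, BLOCK, out);
    }
    return total;
}

/* Correct loop: process and write exactly the count fread() reported (a short
 * count means EOF or error per the C spec). uint16_t pos wraps at 65536 by itself. */
static size_t decrypt_exact(FILE *in, FILE *out, const uint8_t *key)
{
    uint8_t buf[BLOCK];
    uint16_t pos = 0;
    size_t total = 0, got;
    while ((got = fread(buf, 1, BLOCK, in)) > 0) {
        for (size_t i = 0; i < got; i++)
            buf[i] ^= key[pos++];
        if (fwrite(buf, 1, got, out) != got)
            return total;                      /* write error: caller sees a short total */
        total += got;
    }
    return total;
}

/* Build a len-byte "file", XOR it with the key, run one of the loops over it,
 * and return 1 only if the output is the original, byte for byte and length for length. */
static int roundtrip_ok(size_t len, int use_naive)
{
    const uint8_t *key = demo_key();
    uint8_t *plain = malloc(len);
    uint8_t *back  = malloc(len + BLOCK);      /* room to catch over-long output */
    FILE *enc = tmpfile(), *dec = tmpfile();
    size_t written = 0, got = 0;
    int ok = 0;

    if (plain && back && enc && dec) {
        for (size_t i = 0; i < len; i++)
            plain[i] = (uint8_t)(i * 7u + 3u); /* constructed file contents */
        for (size_t i = 0; i < len; i++)
            fputc(plain[i] ^ key[(uint16_t)i], enc);
        rewind(enc);
        written = use_naive ? decrypt_naive(enc, dec, key)
                            : decrypt_exact(enc, dec, key);
        rewind(dec);
        got = fread(back, 1, len + BLOCK, dec);
        ok = written == len && got == len && memcmp(plain, back, len) == 0;
    }
    free(plain);
    free(back);
    if (enc) fclose(enc);
    if (dec) fclose(dec);
    return ok;
}

int main(void)
{
    printf("exact loop, 10000 bytes: %s\n", roundtrip_ok(10000, 0) ? "ok" : "MISMATCH");
    printf("naive loop, 10000 bytes: %s\n", roundtrip_ok(10000, 1) ? "ok" : "MISMATCH");
    printf("naive loop,  8192 bytes: %s\n", roundtrip_ok(8192, 1)  ? "ok" : "MISMATCH");
    return 0;
}
```

The 8192-byte case passes for both loops, which is why the bug went unnoticed on files that happen to be block-aligned; the 10000-byte case is the one that grows a trailing block of garbage. The 70000-byte case exercises the uint16_t wrap across the 64 KiB key boundary.
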
Name: Anonymous 2012-08-14 6:22

>>48
And you should have done the loop yourself.
It was your code and it would have taken you no more than 5 minutes. But no, you have to write a wall of text just to prove your point.

What was your point in fact?

Name: Cudder !MhMRSATORI!fR8duoqGZdD/iE5 2012-08-14 6:41

>>49
He wants to learn, let him do it.
