Difference between revisions of "Unprotecting a protected MIX"
(Crossposted from PPM (I am the original poster there).) |
(Cleaning this up a little.) |
||
| Line 1: | Line 1: | ||
| − | + | This tutorial shows the reader how to unprotect a [[MIX]] file protected by the methods of [[MIX Protector]] or [[XRML Leechkiller]] as of spring 2009. | |
| + | Please note that due to the public availability of this information, the tools in question may change their approach, invalidating this technique. | ||
| − | TS/RA2 Mix files consist of a header, an index, and a body. The header includes basic information about the MIX (does it have a checksum, is it encrypted, how many files are in it, how big is it). The index includes the size, location, and checksum of each file in the mix | + | ==Background== |
| + | TS/RA2 Mix files consist of a header, an index, and a body. | ||
| + | * The '''header''' includes basic information about the MIX (does it have a checksum, is it encrypted, how many files are in it, how big is it). | ||
| + | * The '''index''' includes the size, location, and checksum of each file in the mix. | ||
| + | * The '''body''' contains the actual files. | ||
There are two main "MIX protector" or "Leechkiller" programs out there that will mangle the header (specifically, the internal file size) in such a way that RA2 reads the mix properly but XCC Mixer will refuse to open it. They both operate under essentially the same principle. | There are two main "MIX protector" or "Leechkiller" programs out there that will mangle the header (specifically, the internal file size) in such a way that RA2 reads the mix properly but XCC Mixer will refuse to open it. They both operate under essentially the same principle. | ||
| − | First, it is necessary to understand how the headers are laid out. The first four bytes are the encryption and checksum flags. If the MIX is has encrypted | + | First, it is necessary to understand how the headers are laid out. The first four bytes are the encryption and checksum flags. If the MIX is has encrypted headers (not to be confused with "protected": "encrypted" refers to the Blowfish encryption that Westwood used on its own mixes; XCC breaks this just fine) the flags are 00 02 00 00. If the MIX has a checksum, the flags are 00 01 00 00. Neither of the current MIX Protector programs work on files with encrypted headers, (although they could be modified to do so with some effort), so I won't go into that right now. |
On unencrypted MIXes (i.e. all the ones you will need to break), after the flags comes the "header". The header consists of a 16-bit integer that equals the number of files in the MIX, and a 32-bit integer that equals the size of the body of the MIX (the size of the MIX file minus the size of the header and index). These numbers are "big-endian", which means the bytes are arranged backwards (but the bits within each byte are arranged normally). (This is because the Intel x86 architecture is semi-retarded). So if bytes 04 and 05 (the number of files) are 0xB801, you need to rearrange this to 0x01B8 to get the actual number of files. (0x01B8 in decimal is 440, you can use Google Calculator to convert if necessary.) | On unencrypted MIXes (i.e. all the ones you will need to break), after the flags comes the "header". The header consists of a 16-bit integer that equals the number of files in the MIX, and a 32-bit integer that equals the size of the body of the MIX (the size of the MIX file minus the size of the header and index). These numbers are "big-endian", which means the bytes are arranged backwards (but the bits within each byte are arranged normally). (This is because the Intel x86 architecture is semi-retarded). So if bytes 04 and 05 (the number of files) are 0xB801, you need to rearrange this to 0x01B8 to get the actual number of files. (0x01B8 in decimal is 440, you can use Google Calculator to convert if necessary.) | ||
| − | + | ===Header summary=== | |
| − | |||
So, here's the big picture so far: The first few bytes of the MIX are | So, here's the big picture so far: The first few bytes of the MIX are | ||
| − | byte 00: always 00 | + | <pre>byte 00 : always 00 |
| − | byte 01: is 01 if checksummed, 02 if encrypted, 00 otherwise. Should always be 00 on protected mixes. | + | byte 01 : is 01 if checksummed, 02 if encrypted, 00 otherwise. Should always be 00 on protected mixes. |
| − | byte 02: always 00 (VK's Mix Protector will overwrite this with garbage) | + | byte 02 : always 00 (VK's Mix Protector will overwrite this with garbage) |
| − | byte 03: always 00 (VK's Mix Protector will overwrite this with garbage) | + | byte 03 : always 00 (VK's Mix Protector will overwrite this with garbage) |
byte 04-05: big-endian number containing the number of files. | byte 04-05: big-endian number containing the number of files. | ||
| − | byte 06-09: big-endian number containing MIX body size. (LeechKiller and VK's Mix Protector will both overwrite bytes 06 and 07 with garbage). | + | byte 06-09: big-endian number containing MIX body size. (LeechKiller and VK's Mix Protector will both overwrite bytes 06 and 07 with garbage).</pre> |
Then you have the index (12 bytes per index entry) and then the body. | Then you have the index (12 bytes per index entry) and then the body. | ||
| − | All the "MIX protectors" do is add some number to the body size. XCC Mixer checks the body size first when reading a MIX, and rejects the MIX if the body size in the header is larger than the actual body size. | + | ==How protection works== |
| + | All the "MIX protectors" do is add some number to the body size. XCC Mixer checks the body size first when reading a MIX, and rejects the MIX if the body size in the header is larger than the actual body size. It does this to avoid accessing unallocated memory and crashing with a segmentation fault. | ||
Red Alert 2, on the other hand, apparently just ignores the body size in the header, and operates entirely on the information in the index. In theory, anyway. I suppose it's possible that "protected" mixes could cause RA2 to access memory out of bounds and crash, but I haven't seen it happen yet. | Red Alert 2, on the other hand, apparently just ignores the body size in the header, and operates entirely on the information in the index. In theory, anyway. I suppose it's possible that "protected" mixes could cause RA2 to access memory out of bounds and crash, but I haven't seen it happen yet. | ||
| − | Anyway, VK's Mix Protector apparently just adds 2 to byte 06, causing XCCU to fail but making it easy to repair the MIX file. The XRML LeechKiller will add a random 16-bit value to bytes 06-07, instead, making it more difficult. To repair a "protected" MIX, you need to recalculate the body size and write it into bytes 06-09 with a hex editor. | + | Anyway, '''VK's Mix Protector apparently just adds 2 to byte 06''', causing XCCU to fail but making it easy to repair the MIX file. The '''XRML LeechKiller will add a random 16-bit value to bytes 06-07''', instead, making it more difficult. '''To repair a "protected" MIX, you need to recalculate the body size and write it into bytes 06-09 with a hex editor.''' |
To calculate the body size, take the actual file size by right-clicking on the file and clicking Properties. Windows should give you Size: n MB (x bytes). (Ignore "Size on Disk"). Take the number of bytes and apply the following formula: | To calculate the body size, take the actual file size by right-clicking on the file and clicking Properties. Windows should give you Size: n MB (x bytes). (Ignore "Size on Disk"). Take the number of bytes and apply the following formula: | ||
| − | BodySize = FileSize - ( (NumberOfFilesInMix * 12) + 10) | + | <span style="font-size: large; font-weight: bold;"><code>BodySize = FileSize - ( (NumberOfFilesInMix * 12) + 10)</code></span> |
You see, the index has twelve bytes for each file, the header has four bytes for flags, two bytes for the number of files, and four bytes for the body size. | You see, the index has twelve bytes for each file, the header has four bytes for flags, two bytes for the number of files, and four bytes for the body size. | ||
| Line 36: | Line 41: | ||
Don't forget, the body size and the number of files are all in big-endian form, and must be inserted as such. | Don't forget, the body size and the number of files are all in big-endian form, and must be inserted as such. | ||
| − | + | ==In short, for the impatient== | |
| + | #Grab your favorite hex editor and open the protected mix. | ||
| + | #Ensure that the first four bytes (bytes 00 - 03) are 0x00000000. | ||
| + | #Read the next two bytes (bytes 04-05) and reverse the order (e.g. b8 01 becomes 01 b8). This is the number of files. Convert it from hex to decimal. | ||
| + | #Multiply the number of files by 12. Then add 10. We'll call this number H. | ||
| + | #Take the file size. We'll call this number F. | ||
| + | #F - H = B. | ||
| + | #Convert B to hex. Pad the front with zeroes until it is eight hex digits long. Rearrange the bytes in big-endian order (e.g. 00 94 26 7F becomes 7F 26 94 00) | ||
| + | #Overwrite the next four bytes (bytes 06-09) with this corrected value. | ||
| + | #Save the MIX file and exit your hex editor. | ||
| + | |||
| + | ==Notes== | ||
| + | *This will ''not'' recover the filenames of each file in the MIX. Those are gone forever. | ||
| − | + | ==See also== | |
| − | + | *''This tutorial is a reformatted version of a tutorial posted originally on [http://www.ppmsite.com/forum/viewtopic.php?p=307837#307837 PPM] and then cross-posted here by its author, aristurtle.'' | |
| − | + | *[http://forums.renegadeprojects.com/showthread.php?tid=414&pid=6822#pid6822 DCoder summing up MIX protection in 2006] | |
| − | + | *[[MIX Protector]], [[VK]]'s tool for MIX protection | |
| − | + | *[[XRML Leechkiller]], [[User:Saberhawk|Saberhawk]]'s tool for MIX protection | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | [[Category:General Tutorials]] [[Category:RA2/YR Tutorials]] | |
Revision as of 00:16, 19 April 2009
This tutorial shows the reader how to unprotect a MIX file protected by the methods of MIX Protector or XRML Leechkiller as of spring 2009. Please note that due to the public availability of this information, the tools in question may change their approach, invalidating this technique.
Contents
Background
TS/RA2 Mix files consist of a header, an index, and a body.
- The header includes basic information about the MIX (does it have a checksum, is it encrypted, how many files are in it, how big is it).
- The index includes the size, location, and checksum of each file in the mix.
- The body contains the actual files.
There are two main "MIX protector" or "Leechkiller" programs out there that will mangle the header (specifically, the internal file size) in such a way that RA2 reads the mix properly but XCC Mixer will refuse to open it. They both operate under essentially the same principle.
First, it is necessary to understand how the headers are laid out. The first four bytes are the encryption and checksum flags. If the MIX is has encrypted headers (not to be confused with "protected": "encrypted" refers to the Blowfish encryption that Westwood used on its own mixes; XCC breaks this just fine) the flags are 00 02 00 00. If the MIX has a checksum, the flags are 00 01 00 00. Neither of the current MIX Protector programs work on files with encrypted headers, (although they could be modified to do so with some effort), so I won't go into that right now.
On unencrypted MIXes (i.e. all the ones you will need to break), after the flags comes the "header". The header consists of a 16-bit integer that equals the number of files in the MIX, and a 32-bit integer that equals the size of the body of the MIX (the size of the MIX file minus the size of the header and index). These numbers are "big-endian", which means the bytes are arranged backwards (but the bits within each byte are arranged normally). (This is because the Intel x86 architecture is semi-retarded). So if bytes 04 and 05 (the number of files) are 0xB801, you need to rearrange this to 0x01B8 to get the actual number of files. (0x01B8 in decimal is 440, you can use Google Calculator to convert if necessary.)
Header summary
So, here's the big picture so far: The first few bytes of the MIX are
byte 00 : always 00 byte 01 : is 01 if checksummed, 02 if encrypted, 00 otherwise. Should always be 00 on protected mixes. byte 02 : always 00 (VK's Mix Protector will overwrite this with garbage) byte 03 : always 00 (VK's Mix Protector will overwrite this with garbage) byte 04-05: big-endian number containing the number of files. byte 06-09: big-endian number containing MIX body size. (LeechKiller and VK's Mix Protector will both overwrite bytes 06 and 07 with garbage).
Then you have the index (12 bytes per index entry) and then the body.
How protection works
All the "MIX protectors" do is add some number to the body size. XCC Mixer checks the body size first when reading a MIX, and rejects the MIX if the body size in the header is larger than the actual body size. It does this to avoid accessing unallocated memory and crashing with a segmentation fault.
Red Alert 2, on the other hand, apparently just ignores the body size in the header, and operates entirely on the information in the index. In theory, anyway. I suppose it's possible that "protected" mixes could cause RA2 to access memory out of bounds and crash, but I haven't seen it happen yet.
Anyway, VK's Mix Protector apparently just adds 2 to byte 06, causing XCCU to fail but making it easy to repair the MIX file. The XRML LeechKiller will add a random 16-bit value to bytes 06-07, instead, making it more difficult. To repair a "protected" MIX, you need to recalculate the body size and write it into bytes 06-09 with a hex editor.
To calculate the body size, take the actual file size by right-clicking on the file and clicking Properties. Windows should give you Size: n MB (x bytes). (Ignore "Size on Disk"). Take the number of bytes and apply the following formula:
BodySize = FileSize - ( (NumberOfFilesInMix * 12) + 10)
You see, the index has twelve bytes for each file, the header has four bytes for flags, two bytes for the number of files, and four bytes for the body size.
Don't forget, the body size and the number of files are all in big-endian form, and must be inserted as such.
In short, for the impatient
- Grab your favorite hex editor and open the protected mix.
- Ensure that the first four bytes (bytes 00 - 03) are 0x00000000.
- Read the next two bytes (bytes 04-05) and reverse the order (e.g. b8 01 becomes 01 b8). This is the number of files. Convert it from hex to decimal.
- Multiply the number of files by 12. Then add 10. We'll call this number H.
- Take the file size. We'll call this number F.
- F - H = B.
- Convert B to hex. Pad the front with zeroes until it is eight hex digits long. Rearrange the bytes in big-endian order (e.g. 00 94 26 7F becomes 7F 26 94 00)
- Overwrite the next four bytes (bytes 06-09) with this corrected value.
- Save the MIX file and exit your hex editor.
Notes
- This will not recover the filenames of each file in the MIX. Those are gone forever.
See also
- This tutorial is a reformatted version of a tutorial posted originally on PPM and then cross-posted here by its author, aristurtle.
- DCoder summing up MIX protection in 2006
- MIX Protector, VK's tool for MIX protection
- XRML Leechkiller, Saberhawk's tool for MIX protection
