shane007 posted on 2009-6-9 11:37

[Localization Resources] Illustrated tutorial for the universal unpacker-building tool QuickBMS (Chinese/English bilingual edition)

A foreign user has published an illustrated tutorial for QuickBMS, a universal tool for building unpackers. Anyone who wants to learn how to build unpackers should read it carefully. It is really not that hard.

Original
http://forum.xentax.com/viewtopic.php?f=10&t=3525&start=0&st=0&sk=t&sd=a

I am going to make a tutorial for using quickbms for extracting archives that there are no extractors for.
I am going to start off easy, then add more and more difficult archives so you can learn and write your own scripts.
The tools you need are just 4 things.
1. A hex editor; I use HxD
2. QuickBMS http://aluigi.org/papers/quickbms.zip
3. A text editor like WordPad
4. A calculator that supports hex, like the one built into Windows.
We will start with a game called FEZ (Fantasy Earth Zero).
This is a great archive format for someone to learn bms scripting from.
I attached a sample.
website http://tw.fez.gamania.com/
installer http://tw.dl.gamania.com/fez/FEZ_1103.exe
This game uses textures with wrong headers, mainly dds and some tga, and some kind of .mdl format.

OK, so you can download the full installer or this sample pac file here:
http://www.MegaShare.com/1029061
OK, so open the file up in your hex editor so you see what I have open here.



So if you look to the right you will notice some readable text:
Etc\aura.tex , Etc\cursor.tex , Etc\mahoujin.tex , Etc\env2.tex , and Etc\kaze.tex .
So just looking with our eyes we now know that there are at least 5 files in this bin file, and after we extract them they will be placed in a folder called Etc.
So let's start looking at the other parts of the header in this file. We will start with the first 4 bytes.

Well, we have 05 00 00 00.
Whenever you are working with archives for computer games, 99% of the time you read the values in reverse, so the above number
would not be 5,000,000 but instead would be read as 00 00 00 05, or 5.
Well, if we remember from earlier, we saw 5 file names, and the first 4 bytes of our file are equal to 5, so there is a good chance we just discovered where the file count is stored in this archive.
Data is stored in groups of 4 bytes ("a long"), 2 bytes ("a short") or 1 byte ("a byte"), so we have the first part of our script:
get FILES long
This tells quickbms to read a long value (aka 4 bytes) and store it as the variable FILES.
OK, the next 4 bytes, 74 00 00 00, are not needed in order for quickbms to extract our files, but they represent the total size of our header.

So I will write the next line of code for quickbms:
get HEADERSZ long
This stores the header size in the variable HEADERSZ.
OK, now we have 2 more bytes before the file name,
so that is 0C 00. Well, 2 bytes is known as a short. But what does 00 0C stand for?
If we highlight the whole name of the file in our hex editor, it shows us a length of C.
We found the name length, so we would write that as
get NSIZE short
This stores the 2 bytes in the variable NSIZE, representing the length of the name.

Well, next comes the name, so to store that as a word in bms language we will write the next line:
getdstring NAME NSIZE
This is saying: store a string (aka a word) in the variable NAME, and its length is equal to the variable NSIZE.
OK, now we have another 4 bytes after the name: 7C 00 00 00.
Well, we already know the name of the file, so now to extract the file we need to know its size and location in the archive.
7C is not a very big number for the size of the file, so let's see what happens if we go to offset 7C.
In HxD press Ctrl+E and type in 7c for the start and end, then click OK.

It should look like this after clicking OK.

Hmm, this looks good: it looks like a file header, IMG0, so we will write our line saying that is the start of the file:
get OFFSET long
This stores the 4 bytes as the variable OFFSET.
OK, the next 4 bytes are 70 10 00 00. Well, that looks bigger, so let's see if that is the size of our file. It will translate into 00 00 10 70, or 1070.
So let's go to our offset 7C and then we will add in the length column 1070.

Wow, look at that: I see TRUEVISION-XFILE, that is a classic tga ending, and we also end just before IMG0, which was the start of our first file.

So that means we found our size.
We write that as
get SIZE long
This stores the 4 bytes in the variable SIZE.
OK, now we have 2 bytes, then the next file name. Hmm, that seems familiar.
Let's see: 0E 00, so that means it translates into 00 0E, or E.
Well, the last 2 bytes we had before a name was the name size; let's see if it still holds true.

It does: the name length is E.
So that means we found where the pattern in the header repeats, and we identified all that we need to extract the files, so now we can finish our script and our extractor.
Whenever the pattern starts you want to begin a loop, so it will keep cycling through it until there are no files left. The easiest way to write that is
for i = 0 < FILES
This means run the following commands until i = 0 and set i = FILES.
So we will put that before our NSIZE variable, because that is where the pattern starts.
Next you want it to write out the file, and we do that with the log command in the following format:
log NAME OFFSET SIZE
This says write the file NAME and fill it with the data starting at the variable OFFSET and a length of SIZE.
Now this is great, but we want it to keep repeating the loop till there are no more files, so we must add
next i
at the end so the loop continues.
OK, so now save the file we created as extract.bms
and put Etc.pac, extract.bms and quickbms.exe all in the same folder; for this demo we will say c:\temp.
So now at the command prompt change to that directory and type
quickbms.exe -l extract.bms Etc.pac .
This will list the file contents and sizes, or give you an error if your script is not correct.
Yay, it worked!

Now let's try extracting them. Create a folder in c:\temp called extracted,
now type the command
quickbms.exe extract.bms Etc.pac extracted
Yes, it worked; now they are in the folder and extracted.


Code:
get FILES long
get HEADERSZ long
for i = 0 < FILES
get NSIZE short
getdstring NAME NSIZE
get OFFSET long
get SIZE long

log NAME OFFSET SIZE
next i

Let me know what you think of this tutorial and if you want me to continue on with more examples and more complex scripts.

XYZ posted on 2009-6-9 11:49

There is a universal unpacker we can use???

firendless posted on 2009-6-9 11:51

Quoting post #1 by XYZ on 2009-06-09 11:49:
There is a universal unpacker we can use???

Hmm.. it should be understood as an unpacker for which you have to write the scripts yourself.. and at the moment it only supports unpacking, right..?

shane007 posted on 2009-6-9 11:54

Quoting post #1 by XYZ on 2009-06-09 11:49:
There is a universal unpacker we can use???

This is a universal tool for building unpackers. Once you have worked out the file structure, you only need to write a few very simple lines of script to produce an unpacker. The end of the tutorial is exactly such an example.
Everyone should study it carefully.
This tutorial teaches you how to analyze a file structure. Would some kind soul help translate it?

shane007 posted on 2009-6-9 11:55

Quoting post #2 by firendless on 2009-06-09 11:51:


Hmm.. it should be understood as an unpacker for which you have to write the scripts yourself.. and at the moment it only supports unpacking, right..?

At the moment it only supports unpacking.
A universal packing tool is impossible.

firendless posted on 2009-6-9 12:00

Quoting post #4 by shane007 on 2009-06-09 11:55:


At the moment it only supports unpacking.
A universal packing tool is impossible.

Heh... in a narrow sense there still can be one, no? Boss, you said you wanted to deal with sy2?
The DX hijack output we chose now is meant to solve that, isn't it?

shane007 posted on 2009-6-9 19:06

Quoting post #5 by firendless on 2009-06-09 12:00:


Heh... in a narrow sense there still can be one, no? Boss, you said you wanted to deal with sy2?
The DX hijack output we chose now is meant to solve that, isn't it?


In a narrow sense there still can be one. ---> Right, the packer for Still Life 1 and Syberia 2 can be shared.
Deal with sy2? Syberia 2 has nothing to do with DX hijack output.

肥牛 posted on 2009-6-12 16:26

I took a quick look: archives stored directly, without compression or encoding, can be unpacked with this. Does this tool support the common compression methods?

shane007 posted on 2009-6-12 17:12

Quoting post #7 by 肥牛 on 2009-06-12 16:26:
I took a quick look: archives stored directly, without compression or encoding, can be unpacked with this. Does this tool support the common compression methods?

Yes, it does. It supports almost all common compression methods.

The zlib tutorial is here:
https://www.chinaavg.com/read.php?tid=17492

肥牛 posted on 2009-6-12 18:39

I am about to make a tutorial on using QuickBMS to unpack those archives that have no unpacker.
It will start very simply, then get harder and harder, until you learn and write your own scripts.
We need the following four tools:
1. A hex editor, such as HxD. (I use WinHex)
2. QuickBMS http://aluigi.org/papers/quickbms.zip (The foreigner really is stating the obvious; what tutorial would there be without this?)
3. A text editor such as WordPad (I guess the foreigner uses only free software; I use EditPlus)
4. A calculator that supports hex, such as the one that comes with Windows
We start with a game called FEZ (Fantasy Earth Zero).
For some people this is a big archive format to learn bms scripting from.
Some examples are attached:
website http://tw.fez.gamania.com/
installer http://tw.dl.gamania.com/fez/FEZ_1103.exe
In its main approach this game uses textures with abnormal file headers, plus some TGA and some .MDL format.
OK, you can download the full installer or some sample fragment files from here.
http://www.MegaShare.com/1029061
Open the file in the hex editor and you will see the following:
https://www.chinaavg.com/p_w_upload/Mon_0906/20_5394_fcef4836c0f9181.jpg

You can see some recognizable text on the right:
Etc\aura.tex , Etc\cursor.tex , Etc\mahoujin.tex , Etc\env2.tex , and Etc\kaze.tex .
So, looking further, we can tell that this BIN file contains at least 5 files, and if we unpack them they will be unpacked into a folder called Etc.
Let's look at the other parts of this file's header, starting with the first 4 bytes.
https://www.chinaavg.com/p_w_upload/Mon_0906/20_5394_5bf4acf14bdcfc5.jpg

These four bytes are 05 00 00 00
In 99% of the game archives we deal with, this value is reversed. That is, the 05 00 00 00 we see should actually be 00 00 00 05, or 5.
OK, if we remember that we saw 5 file names earlier, and the first four bytes of this file equal 5, then we reach a conclusion: what is stored here is the number of files in the archive.
Data is stored as long (Long, 4 bytes), short (Short, 2 bytes) and byte (Bytes) types, so we get the first part of our script:
get FILES long
This tells QuickBMS to read a long value and save it as the variable FILES.
The next 4 bytes, 74 00 00 00, are of no use to QuickBMS for unpacking, but they represent the length of the file header.
https://www.chinaavg.com/p_w_upload/Mon_0906/20_5394_db387f49a0190f0.jpg

So we can write the next line of QuickBMS script:
get HEADERSZ long
Save the header size in the variable HEADERSZ.
Now, before the file name, we get another two bytes, 0C 00. We know this is a short, but what does 00 0C stand for? If we select the file name in the hex editor, we can see that its length is exactly C. The file name length can be written as:
get NSIZE short
Save the two bytes representing the file name length in the variable NSIZE.
https://www.chinaavg.com/p_w_upload/Mon_0906/20_5394_f8e5834efff3030.jpg

In the bms language, saving the file name is written like this:
getdstring NAME NSIZE
That is, save a string of length NSIZE in the variable NAME.
OK, now after the file name we get another 4 bytes: 7C 00 00 00
We already know the file name; now, to unpack the file, we need to know the file's size and where it is stored.
Obviously 7C is not a big number for a file size. So let's look at what is at offset 7C.
In HxD press Ctrl+E, enter 7C for both the start and end offsets, and press OK.
https://www.chinaavg.com/p_w_upload/Mon_0906/20_5394_39cd87834665b12.jpg

We then see the picture below
https://www.chinaavg.com/p_w_upload/Mon_0906/20_5394_dbfa9576f2d710c.jpg
This looks like a file header, IMG0, so we write this line to say this is the start of the file:
get OFFSET long
Save the 4 bytes in the variable OFFSET.
The next 4 bytes, 70 10 00 00, look bigger, so let's see whether this is the file length. First translate it into 00 00 10 70, or 1070, then add the length 1070 to the offset 7C from before
https://www.chinaavg.com/p_w_upload/Mon_0906/20_5394_7287714e1484d8d.jpg
Oh, I see TRUEVISION-XFILE, a typical TGA file ending. And we also see that this file starts with IMG0.
https://www.chinaavg.com/p_w_upload/Mon_0906/20_5394_0657fb9546ac650.jpg
This means we found the file length. Write down:
get SIZE long
Save the 4 bytes in the variable SIZE.
OK, now we have the two bytes of the next file; they look rather familiar.
Translate 0E 00 into 00 0E, or E
The two bytes before the file name are the file name length; let's see whether that holds.
https://www.chinaavg.com/p_w_upload/Mon_0906/20_5394_565b399e103c69f.jpg
Indeed, the file name length is E
This means we have found the repeating part of the header, and we have identified everything we need to unpack. Now we can finish the script and produce our unpacker.
For the repeating part, we set up a loop and let it run until there are no files left. Written simply:
for i = 0 < FILES
It means run the following commands from i = 0 until i < FILES (the translation here differs from the original; I translated according to the meaning of the statement, since I did not understand the original)
We put it before the NSIZE variable, because that is where the looping part starts.
To save it to a file and log it, the command uses the following format:
log NAME OFFSET SIZE
It means fill the file with the data starting at offset OFFSET with length SIZE, and save it.
Now, to repeat these operations until there are no files left, we also have to add:
next i
after the loop, so the loop can proceed.
OK, save the script file and name it extract.bms, and put Etc.pac, extract.bms and quickbms.exe in the same folder. In this example we assume it is C:\Temp
Now in command-line mode, go to that directory and type:
quickbms.exe -l extract.bms Etc.pac .
This will list the file information and sizes. If the script is incorrect it will give an error message.
Yay, it ran:
https://www.chinaavg.com/p_w_upload/Mon_0906/20_5394_7e5e2fdbbd69384.jpg
Now let's try unpacking them into the extracted directory; type
quickbms.exe extract.bms Etc.pac extracted
OK, it ran correctly and unpacked.
https://www.chinaavg.com/p_w_upload/Mon_0906/20_5394_5dd8cb43d153506.jpg
Script code:
get FILES long
get HEADERSZ long
for i = 0 < FILES
get NSIZE short
getdstring NAME NSIZE
get OFFSET long
get SIZE long

log NAME OFFSET SIZE
next i
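Added example, not part of the tutorial, its author's post or the QuickBMS project: a Python reader for the Etc.pac layout that the English tutorial in the first post and its translation in this post work out. It mirrors the bms script line for line (FILES, HEADERSZ, then NSIZE / NAME / OFFSET / SIZE per entry) but adds what a QuickBMS user rarely thinks about: every OFFSET/SIZE pair is checked against the archive length before a byte is copied, and entry names such as Etc\aura.tex are mapped under the output directory with a traversal check, so a crafted archive cannot write outside it. The sample archive is constructed here with the five names from the tutorial and dummy payloads; the assumption that HEADERSZ counts only the record table (and not the two leading longs) is mine, chosen because it makes the tutorial's 0x74 header size and 0x7C first offset line up.

```python
import os
import struct

# Record layout worked out in the tutorial (all values little-endian):
#   u32 FILES, u32 HEADERSZ, then FILES records of
#   u16 NSIZE, NSIZE bytes NAME, u32 OFFSET, u32 SIZE, then the file data.
# Assumption: HEADERSZ covers only the record table, which is what makes the
# tutorial's numbers line up (table 0x74 bytes, first file at 0x7C = 8 + 0x74).

TGA_FOOTER = b"TRUEVISION-XFILE"  # signature inside the 26-byte TGA 2.0 footer
SAMPLE_NAMES = [b"Etc\\aura.tex", b"Etc\\cursor.tex", b"Etc\\mahoujin.tex",
                b"Etc\\env2.tex", b"Etc\\kaze.tex"]  # names read off the tutorial's hex dump

class PacError(ValueError):
    """A header field points outside the archive, or an entry name is unsafe."""

def build_pac(entries):
    """Write an archive in the layout above from (name, payload) pairs."""
    table_size = sum(2 + len(name) + 8 for name, _ in entries)
    offset = 8 + table_size  # file data starts right after the record table
    table, data = bytearray(), bytearray()
    for name, payload in entries:
        table += struct.pack("<H", len(name)) + name + struct.pack("<II", offset, len(payload))
        offset += len(payload)
        data += payload
    return bytes(struct.pack("<II", len(entries), table_size) + table + data)

def sample_pac():
    """Constructed stand-in for Etc.pac: the real names, dummy payloads (not game data)."""
    first = b"IMG0" + b"\x00" * 24 + TGA_FOOTER + b".\x00"  # ends like a TGA, as in the tutorial
    others = [b"IMG0" + bytes([i]) * 16 for i in range(1, 5)]
    return build_pac(list(zip(SAMPLE_NAMES, [first] + others)))

def parse_pac(buf):
    """Mirror the bms script field by field, but bounds-check each value before trusting it.
    Returns (header_size, [(name, offset, size), ...]) or raises PacError."""
    if len(buf) < 8:
        raise PacError("too short for FILES and HEADERSZ")
    count, header_size = struct.unpack_from("<II", buf, 0)  # get FILES long / get HEADERSZ long
    table_end = 8 + header_size
    if table_end > len(buf):
        raise PacError("HEADERSZ runs past the end of the archive")
    pos, entries = 8, []
    for _ in range(count):  # for i = 0 < FILES
        if pos + 2 > table_end:
            raise PacError("record table truncated (FILES too large?)")
        (nsize,) = struct.unpack_from("<H", buf, pos)  # get NSIZE short
        pos += 2
        if pos + nsize + 8 > table_end:
            raise PacError("name or offset/size field runs past the table")
        name = buf[pos:pos + nsize].decode("ascii")  # getdstring NAME NSIZE
        pos += nsize
        offset, size = struct.unpack_from("<II", buf, pos)  # get OFFSET long / get SIZE long
        pos += 8
        # Python ints do not wrap, so a huge SIZE cannot overflow back into range here.
        if offset < table_end or offset + size > len(buf):
            raise PacError(f"{name}: range {offset:#x}+{size:#x} lies outside the archive")
        entries.append((name, offset, size))
    return header_size, entries

def safe_output_path(outdir, name):
    """Map a name such as 'Etc\\aura.tex' under outdir; refuse traversal and absolute paths."""
    parts = name.replace("\\", "/").split("/")
    if ":" in parts[0] or any(p in ("", ".", "..") for p in parts):
        raise PacError(f"refusing unsafe entry name {name!r}")
    return os.path.join(outdir, *parts)

def list_pac(buf):
    """Equivalent of quickbms -l: one 'offset size name' line per entry."""
    _, entries = parse_pac(buf)
    return [f"{offset:#010x} {size:10d} {name}" for name, offset, size in entries]

def extract_pac(buf, outdir):
    """The log command applied to every entry; returns the paths written."""
    _, entries = parse_pac(buf)
    written = []
    for name, offset, size in entries:
        path = safe_output_path(outdir, name)
        os.makedirs(os.path.dirname(path) or ".", exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(buf[offset:offset + size])  # log NAME OFFSET SIZE
        written.append(path)
    return written

def looks_like_tga(payload):
    """The check the tutorial does by eye: does the entry end with the TGA footer?"""
    return TGA_FOOTER in payload[-26:]

def rejects(func, *args):
    """True if func(*args) raises PacError; exercises the validation paths above."""
    try:
        func(*args)
    except PacError:
        return True
    return False

if __name__ == "__main__":
    pac = sample_pac()
    print("\n".join(list_pac(pac)))
    print(extract_pac(pac, "extracted"))
```

Run as-is it lists the constructed archive the way quickbms -l does and unpacks it into ./extracted; pass a real Etc.pac read with open(path, "rb").read() to parse_pac to compare against the tutorial's listing. The two rejection paths are the ones QuickBMS itself never promises: a SIZE of 0xFFFFFFF0 on the first entry, or a name of ..\..\win.ini, both come back as PacError instead of a read past the buffer or a write outside the output directory.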