Tool RPGM RPack Extractor

[xj47]

Hey,

After days of banging my head against a wall I've created a tool that can extract all* assets from .rpack archives.

I know there's been tools around for a while now that can extract stuff from an .rpack archive, but I think they all require you to know what the filepaths are for the assets (or they try to get around that by brute-force guessing.)
This tool is different because I've found a way to get a full* path list for the files stored in a .rpack archive.

To be precise, each .rpack file includes an index that lists all the paths it includes. This index is normally encrypted (or obfuscated at least) but once a asset query has been performed, a decrypted copy will be stored in memory. By performing a full memory dump for the application and then sifting through the data, a full lists of paths can be generated.
Once the path list has been generated, the same general process is used as with the already existing tools. (if you know the path you can just have the rpack-library decrypt it for you)

To use it, just extract the folder, copy into it the game.rpack and/or image.rpack file you want decrypted, and run ExtractStuff.exe

So far I have only tested it on "Fleeting Iris v0.83", but it should work for all games.
If you find a game that it doesn't work for please let me know and I will try to fix it.

(*The method is not completely fool-proof but it should get 95%+ of the files)

Changelog:
08/01/2018
Updated to version 1.1
Instead of being a mix of python script & dummy rpgmaker game, the whole thing is now a C program compiled as a single exe file. The image extraction is a fair bit faster, but it still takes a couple minutes for archives with thousands of images. Source code is included.

 

[KapitanDupa]

wow dude, do I really see you just dump process image and get all images with bruteforce? Also this implies all images are decrypted on game startup, what a waste of resources.

 

[xj47]

wow dude, do I really see you just dump process image and get all images with bruteforce? Also this implies all images are decrypted on game startup, what a waste of resources.

The images don't all get decrypted, just an index that specifies where each asset is located in the rpack file. (And the index doesn't take up a lot of space)

I used a brute-force search method to find the index stuff in the memory dump (which is 100-150 mb), but that part of the program only takes a few seconds to complete so it's kind of whatever. It's not a conceptually elegant way of doing it, but it goes so quickly in practice that I'm not motivated to change it.

 

[KapitanDupa]

Got it, thanks. Glad someone managed to break it, I've never had time for reverse engineering this for just a one game.

 

[TheMagister]

Doesn't work for me. I copy the files in the folder and it just tells me something about module not found (the command prompt goes away immediately).

EDIT: Okay, so I managed to fix it by running it with locale emulator (my computer is in Jap locale), but now it can't find the image or data packs...

 

[xj47]

Doesn't work for me. I copy the files in the folder and it just tells me something about module not found (the command prompt goes away immediately).

EDIT: Okay, so I managed to fix it by running it with locale emulator (my computer is in Jap locale), but now it can't find the image or data packs...

Is this for Fleeting Iris?
Also did you make sure to copy game.rpack & images.rpack and ONLY those two files? (The extractor uses a dummy RPGMaker game which can be interfered with if the wrong files are present)

 

[TheMagister]

Is this for Fleeting Iris?
Also did you make sure to copy game.rpack & images.rpack and ONLY those two files? (The extractor uses a dummy RPGMaker game which can be interfered with if the wrong files are present)

Yes, to both of those.

 

[gue5t]

@xj47 do you (or anyone else) have a recent version of the tool for encryption? The one on the author site is encrypted and they ask too many questions before providing the decryption key...

[EDIT]
You should replace the "RUN EXTRACTOR.lnk" with a bat\cmd\sh file since the shortcut file is using exact\full path and it's quite unlikely most people will use the exact same path as you. I'm guessing ".\dist\extractImages.exe" will do the job.
Also I'm guessing there is some kind of protection because I can't extract the files in my Win7 VM and also the game itself won't run in it as well. I've been testing with Iris v0.83.

Also here are 2 more code snippets I managed to find:

Spoiler: 1

You don't have permission to view the spoiler content. Log in or register now.

Spoiler: 2

You don't have permission to view the spoiler content. Log in or register now.

Maybe someone more knowledgeable will be able to use this to extract the index of files from within RPGMaker or write a program instead.

P.S. The code in 2 is not for VXAce so it might not be directly usable.

 

[xj47]

Yes, to both of those.

Hmm, it could be because I messed up the shortcut (as gue5t pointed out). The executable is in the dist folder but the active folder needs to be one level higher, so running the .exe the normal way doesn't work.
I currently don't have access to my main computer and won't get back for a couple days so the amount of support I can give is limited, but I'll see what I can do in the meantime.

@xj47 do you (or anyone else) have a recent version of the tool for encryption? The one on the author site is encrypted and they ask too many questions before providing the decryption key...

[EDIT]
You should replace the "RUN EXTRACTOR.lnk" with a bat\cmd\sh file since the shortcut file is using exact\full path and it's quite unlikely most people will use the exact same path as you. I'm guessing ".\dist\extractImages.exe" will do the job.
Also I'm guessing there is some kind of protection because I can't extract the files in my Win7 VM and also the game itself won't run in it as well. I've been testing with Iris v0.83.

Also here are 2 more code snippets I managed to find:

Spoiler: 1

You don't have permission to view the spoiler content. Log in or register now.

Spoiler: 2

You don't have permission to view the spoiler content. Log in or register now.

Maybe someone more knowledgeable will be able to use this to extract the index of files from within RPGMaker or write a program instead.

P.S. The code in 2 is not for VXAce so it might not be directly usable.

I don't have the encryption program either. If someone does I would also be very interested in taking a look at it.

The extractor program uses a dummy VXAce game, can you confirm whether it boots up at all? If there aren't any ".msg" files in the folder (which I use to communicate between the python script and RPG component), running Game.exe should cause a blank window to pop up briefly before closing.

The two code sections you linked is stuff I was already aware of. I guess the 2nd section is slightly different than what I found, but they seem to do the same thing.

With the API calls it is kind of annoying because I don't currently have access to my notes, but from the top of my head:

D
E
Sets-up/imports some ruby code, part of which modifies existing data structures (this is responsible for changing the asset loading methods so they pull stuff from the .rpack archives)
I think the E might be for "Enviroment"
The code this adds is what you have in your second spoiler block.
You can avoid calling this method entirely if you setup the ruby code manually
H
Retrieves header data for an image file, namely width & height. Can also be used to check if an image exists at all
I
Retrieves main data for an image file. Stores result in a Bitmap object
L
R
V
Z

I forget which letter goes for what, but of the remaining 5, there's one that gets the size of an asset stored in game.rpack, one that retrieves an assets from game.rpack (and requires you to know the size), and one that has something to do with deleting loaded assets from memory, which leaves two whose purpose I don't understand.
However those remaining two functions never got called during the testing I did (I had some low level logging setup) so they can't be critical for the general usage of the library.

It could be that one of them will literally give you an unencrypted listing of files in an rpack, but I don't know what the parameters or return value of the functions are so we can only really guess and hope to get lucky.

 

[TheMagister]

Hmm, it could be because I messed up the shortcut (as gue5t pointed out). The executable is in the dist folder but the active folder needs to be one level higher, so running the .exe the normal way doesn't work.
I currently don't have access to my main computer and won't get back for a couple days so the amount of support I can give is limited, but I'll see what I can do in the meantime.

When I put the images and data in the normal folder, the command prompt closed immediately(unless I open it with application profile (locale emulator)), but when I put them in the dist folder and ran them from there it did work, until it gave me the error that it couldn't find the data and images.rpack

EDIT: Nvm, fixed it by going back to American locale, works fine now.

 

[gue5t]

The only version I was able to find is this one:

You must be registered to see the links

But it is very old rev-3 (2011-12-25) and the one used is probably rev-4.3 (2012-10-2).

Spoiler: ChangeLog

You don't have permission to view the spoiler content. Log in or register now.

P.S. The dummy game starts for a second and then exits and the script is waiting for the memory dump but the game has closed before it was made. I see the same behavior when I run the original game so I'm guessing it's a protection meant to stop the game from running in a VM/debugger.

[EDIT]
Managed to find the "latest" version:

You must be registered to see the links

-

You must be registered to see the links

-

You must be registered to see the links

-

You must be registered to see the links

-

You must be registered to see the links

-

You must be registered to see the links

 

[xj47]

The only version I was able to find is this one:

You must be registered to see the links

But it is very old rev-3 (2011-12-25) and the one used is probably rev-4.3 (2012-10-2).

Spoiler: ChangeLog

You don't have permission to view the spoiler content. Log in or register now.

P.S. The dummy game starts for a second and then exits and the script is waiting for the memory dump but the game has closed before it was made. I see the same behavior when I run the original game so I'm guessing it's a protection meant to stop the game from running in a VM/debugger.

[EDIT]
Managed to find the "latest" version:

You must be registered to see the links

-

You must be registered to see the links

-

You must be registered to see the links

-

You must be registered to see the links

-

You must be registered to see the links

-

You must be registered to see the links

ooh, thanks for finding the latest version. I'll have to experiment with that a bit once I get back to my main PC.

RPGMaker VX does have protection against various debugging tools, but I think it normally gives you a popup message when that's the case.
You could check whether there's a file named MSG_MemDump.msg or something similar in the same directory as Game.exe. I'm using the existence & filenames of .msg files to communicate between the python script & game ruby code. If something is preventing these .msg files from being created you'd see the behavior your experiencing.

 

[gue5t]

There is some kind of protection closing the game when some tools are detected, on a clean Win7 VM is working fine but once some RE/debugging tools are installed the game closes without warning. The same behavior is observed with the extractor but not with other RPGMaker games. My guess is that the author of the encryption added something without a warning message in order to "protect" his/her creation...

 

[SvenVlad]

Dont know why, doesn't work for me. It's stays forever doing memory dump and nothing gets extracted.

 

[xj47]

Dont know why, doesn't work for me. It's stays forever doing memory dump and nothing gets extracted.

Hmm, there could be a couple reasons for that.
I'm currently in the process of rewritting the program to make it simpler, faster, and hopefully less error prone.
The new version might fix whatever problem you're experiencing, so I'll wait until then to look into it further

 

[gue5t]

@SvenVlad you're problem might be due to having a debugging or reverse engineering tool active (might be you're AV heuristics engine) you can try disabling them or using a clean VM for the extraction like I did.

 

[xj47]

@SvenVlad you're problem might be due to having a debugging or reverse engineering tool active (might be you're AV heuristics engine) you can try disabling them or using a clean VM for the extraction like I did.

Regarding the anti-debugging stuff, I think the rpack library only does those during its initialization. If you're in a position where you can force the program to sleep after loading the dll, then you can start-up a debugger-type program in that time window and dodge detection. I've had some success with that.

Also I've discovered that you can load the wfPcrypt.dll in a C program without any external dependencies. Most of the functions can be used without any RPGMaker stuff except for the image extraction one, the one that really matters > _ >
I'm currently trying to find a workaround for that so that I can get rid of the dummy RPG game completely.

I'm not sure how interested you are in all this, but if you want I can also send you some of my notes and what I have discovered so far.

 

[gue5t]

I'm definitely interested, RE is a hobby of mine. Unfortunately is seems you are much better than me - I suck at programing .

 

[xj47]

I'm definitely interested, RE is a hobby of mine. Unfortunately is seems you are much better than me - I suck at programing .

Yah, it's complicated stuff. I just recently finished my bachelors degree in CompSci, so although I don't have much experience reverse engineering stuff, I do have a fairly good understanding of how stuff works on a low level.

Here's a summary of the stuff I figured out.
I originally planned to just send you the document I had lying around, but that one is just 1000 lines of me talking to myself : P

Also I got the image-extraction function working from a pure C context (I not sure what I changed, but it works now).
With this I'll be able to have an extractor that's (almost) all one .exe and hopefully a lot faster.

Edit:
You can also look at the C source code included with the latest version, since it implements a bunch of the functions.

 

[xj47]

Dont know why, doesn't work for me. It's stays forever doing memory dump and nothing gets extracted.

Just uploaded a new version which may fix your problem.