{"id":4551,"date":"2019-01-15T08:56:17","date_gmt":"2019-01-15T16:56:17","guid":{"rendered":"https:\/\/multimedia.cx\/eggs\/?p=4551"},"modified":"2019-01-15T14:06:26","modified_gmt":"2019-01-15T22:06:26","slug":"re-clue-chronicles-compression","status":"publish","type":"post","link":"https:\/\/multimedia.cx\/eggs\/re-clue-chronicles-compression\/","title":{"rendered":"Reverse Engineering Clue Chronicles Compression"},"content":{"rendered":"

My last post<\/a> described my exploration into the 1999 computer game Clue Chronicles: Fatal Illusion<\/a>. Some readers expressed interest in the details so I thought I would post a bit more about how I have investigated and what I have learned.<\/p>\n

It’s frustrating to need to reverse engineer a compression algorithm that is only applied to a total of 8 files (out of a total set of ~140), but here we are. Still, I’m glad some others expressed interest in this challenge as it motivated me to author this post, which in turn prompted me to test and challenge some of my assumptions.<\/p>\n

\nSpoiler:<\/strong> Commenter ‘m’ gave me the clue I needed: PKWare Data Compression Library used the implode algorithm rather than deflate. I was able to run this .ini data through an open source explode algorithm found in libmpq<\/a> and got the correct data out.\n<\/p><\/blockquote>\n

Files To Study<\/strong>
\nI uploaded a selection of files for others to study, should they feel so inclined<\/a>. These include the main game binary (if anyone has ideas about how to isolate the decompression algorithm from the deadlisting); compressed and uncompressed examples from 2 files (newspaper.ini and Drink.ini); and the compressed version of Clue.ini, which I suspect is the root of the game’s script.<\/p>\n

The Story So Far<\/strong>
\nThis ad-hoc scripting language found in the Clue Chronicles game is driven by a series of .ini files that are available in both compressed and uncompressed forms, save for a handful of them which only come in compressed flavor. I have figured out a few obvious details of the compressed file format:<\/p>\n

\r\nbytes 0-3 \"COMP\"\r\nbytes 4-11 unknown\r\nbytes 12-15 size of uncompressed data\r\nbytes 16-19 size of compressed data (filesize - 20 bytes)\r\nbytes 20- compressed payload\r\n<\/pre>\n
The average compression ratio is on the same order as what could be achieved by running ‘gzip’ against the uncompressed files and using one of the lower number settings (i.e., favor speed vs. compression size, e.g., ‘gzip -2’ or ‘gzip -3’). Since the zlib\/DEFLATE algorithm<\/a> is quite widespread on every known computing platform, I thought that this would be a good candidate to test. <\/p>\n
Exploration<\/strong>
\nMy thinking was that I could load the bytes in the compressed ini file and feed it into Python’s zlib library<\/a>, sliding through the first 100 bytes to see if any of them “catch” on the zlib decompression algorithm.<\/p>\n
Here is the exploration script:
\n<\/p>\n