Game resource archive used by TOJ.

File format

• 4 bytes - index section offset
• 4 bytes - index section length
• [data section]
• [index section (encrypted)]

Index section format

• 4 bytes - number of entries
• 4 bytes - unknown
• string - path
• 4 bytes - unknown
• string - entry 1 filename
• 4 bytes - entry 1 offset
• 4 bytes - entry 1 length
• 4 bytes - unknown
• string - entry 2 filename
• 4 bytes - entry 2 offset
• 4 bytes - entry 2 length
• 4 bytes - unknown
• string - entry 3 filename

...

• 4 bytes - unknown
• string - last entry filename
• 4 bytes - last entry offset
• 4 bytes - last entry length

I just got idea that unknowns might be version numbers of files, but I need to check if it's true.

Index Encyption

Rc4 stream cipher is used.

Encryption/decryption is done with advapi32 Crypt functions with following key and settings:

password = "1111";
CryptAcquireContext(&hCryptProv, NULL, MS_DEF_PROV, PROV_RSA_FULL, 0);
CryptCreateHash(hCryptProv, CALG_MD5, 0, 0, &hHash);
CryptHashData(hHash, (BYTE *) password, 4, 0);
CryptDeriveKey(hCryptProv, CALG_RC4, hHash, 4, &hKey);

First bytes of keystream are:

BA 38 72 06 03 1D 16 65
77 D3 28 EE 9D 12 40 44
8A DB B7 00 1B 3D C5 93
81 16 E2 21 62 8D 34 8A
70 28 30 A3 41 C5 F9 25
B0 AA 84 2A 34 3F BC 45
2F 8E 7B 7F D3 9D 75 DB
3D 33 3E 71 2F DD ...

Content encyption

Seems text content files are encrypted too. Encyption is same as index encryption, but "TOJ" password is used instead of "1111".