Projector EXE
To Shockwave DCR
Anthony Kleine
Open the Projector EXE file in a hex editor.
I’ll be using HxD.
Search backwards for “XFIR” . Note down the Offset of each, shown at the bottom left of the window. If you don’t find anything, that’s alright.
As you can see, the search for “XFIR” found something, so I’ve noted down the offset in Notepad.
Continue searching - this can turn up a lot of results!
Now, go back to the end of the file. Search backwards for “RIFX” . Note down the Offset of each, shown at the bottom left of the window. If you don’t find anything, that’s alright as long as you found something when searching for “XFIR” .
As you can see, my search didn’t turn up any results.
A Note About DRM
By this time, you should have some addresses written down. If you don’t, your EXE may be DRM protected. I will not be covering protection schemes such as Armadillo or ActiveMARK here, but it is still possible to get a DIR/DXR/DCR from these using other methods.
We’re going to go back to all the addresses we wrote down. Press Ctrl+G and paste in an address from the list.
Now, check what it says eight bytes after “RIFX” or “XFIR” .
If it says neither, it’s probably just an Xtra or can be disregarded.
If you can’t find any that have “FDGM”, “MDGF”, “MV93” or “39VM” after, your EXE might be protected with DRM.
The four bytes immediately following the “RIFX” or “XFIR” is the length of the file.
Copy the length, then position your cursor before the “RIFX” or “XFIR” and press Ctrl+E . Then paste the length into the box - if it’s “XFIR” you’ll need to write it backwards.
You’ll be eight bytes short, as the “RIFX” or “XFIR” and the following four bytes don’t count as part of the length you copied before, so hold Shift and press the right arrow key eight times.
At this point, you can simply copy your selection, go to File > New, paste the selection and save it as a DIR/DXR/DCR.
You can also search backwards for “.dir” to get the proper filename. Note that although it says “.dir” that isn’t actually the proper extension here.