ZenHAX

Free Game Research Forum | Official QuickBMS support | twitter @zenhax | SSL HTTPS://zenhax.com
PostPosted: Sat Aug 09, 2014 9:21 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 5713
The following is probably the easiest way to retrieve the password used for the archives of some games; in fact it's quite common to find ZIP archives (sometimes with non-zip extensions like pak or dat) protected by a password using the ZipCrypto algorithm.

In this method I will use no debuggers, no breakpoints, no signsrch... nothing that makes you feel like a pro :)

Necessary tools:
QuickBMS http://aluigi.org/quickbms.htm
ZIP password scanner (script) http://aluigi.org/papers/bms/zip_pwd_scan.bms
exestringz http://aluigi.org/mytoolz.htm#exestringz
dumproc http://aluigi.org/mytoolz.htm#dumproc

Alternatively you can use:
exestringz -> strings http://technet.microsoft.com/en-us/sysi ... 97439.aspx
dumproc -> procdump http://technet.microsoft.com/en-us/sysi ... 96900.aspx


The example game for this tutorial is Mini Robot Wars:
http://www.bigfishgames.com/download-ga ... index.html


Locate the ZIP archive:
Image


This step is not always necessary, but it's a good way to avoid problems with packed/protected executables and games that build the password at runtime.
So, launch the game:
Image


Launch dumproc specifying the name of the executable:
Code:
dumproc mrw.exe dump.dat



Please note that sometimes you may have two processes of the same game; remember to specify the PID of the second one, like in the following case:
Image
In that specific case you have to specify the exact PID of the game, so:
Code:
dumproc 3692 dump.dat



Now use exestringz on the dumped process with the -b option:
Code:
exestringz -b -q 1 dump.dat passwords_list.txt


The alternative command for the "strings" tool is:
Code:
strings dump.dat > passwords_list.txt



Launch the ZIP scanner script against the ZIP archive:
Code:
z:\>quickbms zip_pwd_scanner.bms "C:\Program Files (x86)\Mini Robot Wars\DATA"

QuickBMS generic files extractor and reimporter 0.5.32
by Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org
        (Jul 19 2014 - 10:03:02)

                  http://quickbms.aluigi.org
               http://twitter.com/luigi_auriemma

- open input file C:\Program Files (x86)\Mini Robot Wars\DATA
- open script zip_pwd_scanner.bms
- set output folder .

  offset   filesize   filename
--------------------------------------
- enter in folder C:\Program Files (x86)\Mini Robot Wars
- open input file C:\Program Files (x86)\Mini Robot Wars\passwords_list.txt
- enter in folder .
- open input file z:\\passwords_list.txt
- SCRIPT's MESSAGE:
  the error "incomplete input file number 1" means that no password was found

- SCRIPT's MESSAGE:
  FILE: Resource/

- SCRIPT's MESSAGE:
  FILE: Resource/Button/

- SCRIPT's MESSAGE:
  FILE: Resource/Button/Btn_Adv_Lab_Disable.png

- SCRIPT's MESSAGE:
  scanning in progress, please wait patiently...

- SCRIPT's MESSAGE:
  Password found:

  EC?^!98$$%ab17

- SCRIPT's MESSAGE:
  (hex visualization for debugging)
  45433f5e21393824242561623137


- 0 files found in 1 seconds
  coverage file 0     0%   10982      123799172
  coverage file 1    45%   97303      213932
  coverage file -1  366600%   39534144   10784
  coverage file -2  366600%   39578136   10796

The password has been found: EC?^!98$$%ab17


This is the final recap of the steps:
- launch the game
- dump the process
- dump the strings into a wordlist file
- crack the zip using the wordlist


That's all.
It's super easy, it requires no skills and works most of the time.


PostPosted: Wed Dec 24, 2014 11:10 am 

Joined: Fri Oct 24, 2014 3:13 pm
Posts: 71
Hi aluigi, my friend, very good tutorial, I am learning.


PostPosted: Mon Jun 29, 2015 2:35 pm 

Joined: Thu Aug 14, 2014 8:52 pm
Posts: 178
Hello luigi, many thanks for the great tutorial. I downloaded this game to understand it, and really everything was OK up to the last step, where I got stuck: after running the ZIP password script I got no password; the scanning went fine but it found nothing, so what's wrong?

Image


PostPosted: Mon Jun 29, 2015 3:33 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 5713
There is something really very strange in that message; it looks like your script is corrupted.
The reason is simple: your messages are truncated, so the password was found but you cannot see it.

Example:
the -> the error "incomplete input file number 1" means that no password was found
FILE -> FILE: name of the file
Password -> Password found: followed by the textual password on the next line
hex -> (hex visualization for debugging)


PostPosted: Mon Jun 29, 2015 4:53 pm 

Joined: Thu Aug 14, 2014 8:52 pm
Posts: 178
OK, so now everything is working fine; I re-downloaded the script and it works very well. Now my question is: I tried it on another game, I got all the files but in the end I got it; does that mean the password is not stored in the .exe?

PS: about dump.dat, the only way to convert it into a text password dump is via strings, because for some reason when exestringz tries to dump it, it just sits in the console as if dumping, but it never finishes.

Image


PostPosted: Mon Jun 29, 2015 5:00 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 5713
If you don't receive the "Password found" message, it means that it's not in the exe. It may happen sometimes so don't be surprised :)

strings is ok too.

The image you posted shows that you selected passwords_list.txt as the input file, which is wrong: you must select the ZIP protected by password as the input file (passwords_list.txt is loaded automatically by the script).


PostPosted: Tue Nov 22, 2016 6:28 am 

Joined: Tue Nov 22, 2016 6:09 am
Posts: 3
Hi guys, I'm a newbie in programming,
and I want to try to edit some *.xml files in the archive of this game
https://www.awem.com/cradle-of-rome-2.html (Cradle Of Rome 2)
and yes, I can extract that archive (resources.pak) with this bms script
http://aluigi.altervista.org/bms/awem.bms
but when I re-import (using awem.bms) it always fails.
When I try to open that .pak file with PeaZip it always asks for a password.
May I ask you guys to retrieve the password for this game (resources.pak), or make a script for re-importing?
Sorry for my bad English.

Many thanks.


PostPosted: Tue Nov 22, 2016 9:04 am 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 5713
If it's really a ZIP archive then first check the "pak"-related passwords listed here:
http://aluigi.altervista.org/papers.htm#info


PostPosted: Wed Nov 23, 2016 1:50 am 

Joined: Tue Nov 22, 2016 6:09 am
Posts: 3
aluigi wrote:
If it's really a ZIP archive then first check the "pak"-related passwords listed here:
http://aluigi.altervista.org/papers.htm#info


Thanks for the link; I have checked for Cradle Of Rome 2 [resources.pak] and it's not found.
Ctrl+F and typing "Cradle" [without quotes] only finds 1 result [this link: http://aluigi.altervista.org/papers/uniginex.zip].
Help me please..
Thanks for the reply..


PostPosted: Wed Nov 23, 2016 9:18 am 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 5713
You made a big mess and you are 100% OT.

resources.pak is an AWEM archive that you correctly extracted with my script.

If you extract the files in the same folder of the game, delete resources.pak and run the game, it may work.
"If" it doesn't work then you can try the reimport feature of quickbms.
If the reimport feature doesn't work correctly or you are not satisfied with it (it has some limits unfortunately) then there are no solutions ready to use.
In this case the script is not valid for reimporting.

Anyway this is TOTALLY unrelated to the ZIP files of this topic, so do NOT post here.

P.S.: I confirm that the game works perfectly with the files extracted in the game folder and resources.pak is deleted :D


PostPosted: Thu Nov 24, 2016 1:31 am 

Joined: Tue Nov 22, 2016 6:09 am
Posts: 3
aluigi wrote:
You made a big mess and you are 100% OT.

resources.pak is an AWEM archive that you correctly extracted with my script.

If you extract the files in the same folder of the game, delete resources.pak and run the game, it may work.
"If" it doesn't work then you can try the reimport feature of quickbms.
If the reimport feature doesn't work correctly or you are not satisfied with it (it has some limits unfortunately) then there are no solutions ready to use.
In this case the script is not valid for reimporting.

Anyway this is TOTALLY unrelated to the ZIP files of this topic, so do NOT post here.

P.S.: I confirm that the game works perfectly with the files extracted in the game folder and resources.pak is deleted :D



Whaaaaaaaaa, thank you very much, I will try that trick..
And I am so SORRY for the wrong post :( ...

Note: you can delete my post in this topic :D


PostPosted: Fri Mar 10, 2017 11:32 am 

Joined: Thu Mar 09, 2017 7:26 pm
Posts: 5
Hi, I tried to dump Wolcen but I get this error message:
Is it because it's a 64-bit process (I think)?
Image


PostPosted: Fri Mar 10, 2017 11:56 am 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 5713
Yeah, you have to use alternatives for 64-bit processes.
The Windows Task Manager (taskmgr) has a "Create Dump File" option when you right-click a process in the Processes tab; the dump is big but it's perfect for your needs.
Process Explorer has a similar feature with the additional possibility of creating a smaller dump that probably doesn't contain the key you need, so you have to use the "Create Full Dump" option.
ProcDump does the same as the previous 2 suggestions: procdump -ma process_name
The full dump is useful if the key is generated at runtime instead of being hard-coded in the executable.
There are many tools that allow dumping only the main module of the process rather than the whole memory without attaching debuggers; feel free to search on Google.


PostPosted: Fri Mar 10, 2017 3:23 pm 

Joined: Tue Feb 14, 2017 5:38 am
Posts: 10
How do I do this with an Android game?


PostPosted: Fri Mar 10, 2017 5:44 pm 

Joined: Thu Mar 09, 2017 7:26 pm
Posts: 5
My dump file is more than 3 GB, and when using exestringz I get the error "Not enough space".
What can I do?


Top
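The dump-to-wordlist step from the first post and the multi-GB dump question in the last one, reimplemented as an added Python example (written for this page; it is not aluigi's code, not exestringz and not the QuickBMS script). It extracts printable ASCII and UTF-16LE runs from a dump chunk by chunk, so a 3 GB file is never loaded whole, then tries each run as the ZipCrypto password of an archive. Everything it consumes is constructed: the "dump" is a fabricated byte buffer, and the archive is built in memory by a small ZipCrypto writer (PKWARE's traditional key schedule, which Python's zipfile reader understands), reusing the password the thread recovered as the sample key. The entry name, the filler bytes and the XML content are assumptions.

```python
import io
import re
import struct
import zipfile
import zlib

# ZipCrypto (PKWARE "traditional" encryption): CRC-32 table and key schedule.
_CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)

class ZipCryptoKeys:
    """Three 32-bit keys; every plaintext byte advances them, on both sides."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self.update(b)

    def update(self, b: int) -> None:
        self.k0 = (self.k0 >> 8) ^ _CRC_TABLE[(self.k0 ^ b) & 0xFF]
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = (self.k2 >> 8) ^ _CRC_TABLE[(self.k2 ^ (self.k1 >> 24)) & 0xFF]

    def encrypt(self, plaintext: bytes) -> bytes:
        out = bytearray()
        for b in plaintext:
            t = (self.k2 | 2) & 0xFFFF
            out.append(b ^ (((t * (t ^ 1)) >> 8) & 0xFF))  # keystream byte from k2
            self.update(b)
        return bytes(out)

def build_zipcrypto_archive(name: str, data: bytes, password: bytes) -> bytes:
    """One stored entry, ZipCrypto-encrypted (general-purpose flag bit 0 set)."""
    crc = zlib.crc32(data)
    # 12-byte encryption header: 11 filler bytes (constructed, not random) plus the
    # CRC high byte, which readers compare as a cheap one-byte password check.
    body = ZipCryptoKeys(password).encrypt(bytes(range(11)) + bytes([crc >> 24]) + data)
    fname = name.encode("ascii")
    flags, method, dtime, ddate = 0x0001, zipfile.ZIP_STORED, 41536, 19070  # DOS time/date
    local = struct.pack("<4s2B4HL2L2H", b"PK\x03\x04", 20, 0, flags, method, dtime,
                        ddate, crc, len(body), len(data), len(fname), 0)
    central = struct.pack("<4s4B4HL2L5H2L", b"PK\x01\x02", 20, 0, 20, 0, flags, method,
                          dtime, ddate, crc, len(body), len(data), len(fname),
                          0, 0, 0, 0, 0, 0)
    eocd = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, 1, 1, len(central) + len(fname),
                       len(local) + len(fname) + len(body), 0)
    return local + fname + body + central + fname + eocd

def iter_strings(stream, min_len=4, chunk_size=1 << 20):
    """Yield printable ASCII and UTF-16LE runs, reading the dump chunk by chunk."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    carry = b""
    while True:
        chunk = stream.read(chunk_size)
        buf = carry + chunk
        cut = len(buf)
        if chunk:  # not at EOF: hold back anything that could still grow, i.e.
            # everything after the last byte that is neither printable nor NUL
            while cut and (buf[cut - 1] == 0 or 0x20 <= buf[cut - 1] <= 0x7E):
                cut -= 1
        window, carry = buf[:cut], buf[cut:]
        for m in ascii_re.finditer(window):
            yield m.group()
        for m in wide_re.finditer(window):
            yield m.group()[::2]  # drop the interleaved NUL bytes
        if not chunk:
            return

def extract_strings(blob: bytes, min_len=4, chunk_size=1 << 20):
    """In-memory wrapper: unique runs in first-seen order (the wordlist file)."""
    return list(dict.fromkeys(iter_strings(io.BytesIO(blob), min_len, chunk_size)))

def find_zip_password(archive: bytes, candidates):
    """Try every candidate on the first real file entry; (password, plaintext) or None.
    zipfile checks one header byte first (1/256 false positives), then the CRC-32."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        info = next(i for i in zf.infolist() if not i.is_dir() and i.file_size)
        for pwd in dict.fromkeys(candidates):
            if not pwd:
                continue
            try:
                return pwd, zf.read(info, pwd=pwd)
            except (RuntimeError, zipfile.BadZipFile):
                continue  # wrong check byte, or check byte matched but CRC did not
    return None

# Constructed sample data: the password the thread recovered is reused as the key.
PASSWORD = b"EC?^!98$$%ab17"
PLAINTEXT = b"<config><volume>80</volume></config>\n"
SAMPLE_ZIP = build_zipcrypto_archive("DATA/config.xml", PLAINTEXT, PASSWORD)
FAKE_DUMP = (b"\x00" * 16 + b"MZ\x90\x00" + b"\x00" * 8 + b"kernel32.dll\x00\x01\x02\x03"
             + b"GetProcAddress\x00\x00" + b"D\x00A\x00T\x00A\x00\x00\x00" + b"\xff\xfe"
             + PASSWORD + b"\x00Resource/Button/\x00" + b"\x7f" * 5)
```

`find_zip_password(SAMPLE_ZIP, extract_strings(FAKE_DUMP))` returns the `(password, plaintext)` pair; on a real dump, pass `open("dump.dat", "rb")` to `iter_strings` and it streams, which is what the 3 GB case needs. Two details worth knowing: a ZipCrypto reader compares only one check byte before decrypting, so about 1 in 256 wrong candidates gets past that check and is rejected only by the CRC-32 (the code catches both failures); and the extractor returns whole printable runs, so a password glued to other printable bytes comes out as part of a longer string. From the defender's side the takeaway is that a ZipCrypto key the game must hold in memory to open its own archive is recoverable with nothing more than this, so it is obfuscation rather than protection; running the same extraction over a dump of your own build shows exactly what leaks.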
   