ZenHAX

Free Game Research Forum | Official QuickBMS support | twitter @zenhax | SSL HTTPS://zenhax.com
It is currently Thu Aug 24, 2017 8:50 am

PostPosted: Mon Aug 11, 2014 6:34 pm
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 6465
In the other thread we saw the easiest method to get the password from the ZIP archives used by various games.

The following method instead is a bit more advanced and can be used not only for ZIP archives but also for other types of passwords, like those used for encryption such as AES and Blowfish.
Like all my tutorials, I will try to make everything as easy as I can.

Tools:
Signsrch http://aluigi.org/mytoolz.htm#signsrch
Ollydbg or Windbg or any other debugger
http://ollydbg.de/
http://www.microsoft.com/click/services ... =300135395

Optional tools:
QuickBMS http://quickbms.aluigi.org


The example game for this tutorial is Mini Robot Wars:
http://www.bigfishgames.com/download-ga ... index.html



First step - check the files in the folder of the game and start it.
Image


Start signsrch on the process of the game, in this case mrw.exe, but you can also specify the PID in case of conflicts.
If the game runs as two processes, you must specify the PID of the second one.
Image


Output of signsrch:
Image


Attach a debugger to the game; the following example uses Windbg.
Windbg is faster than Ollydbg and more compatible with "some" games, but it's not as easy to use as Ollydbg and other visual debuggers.
Image


Now it's necessary to set a breakpoint or find another way to interrupt the debugger when the zipcrypto function is called.
The simplest way is obviously to go with the debugger to the beginning of the instruction pointed to by the offset shown by signsrch.

But if you want something easier you can use the following script for quickbms:
Code:
# int3.bms: overwrite the bytes at the address passed with -a (minus 3)
# with five int3 (0xcc) opcodes, so the attached debugger breaks there
math quickbms_arg1 -= 3
goto quickbms_arg1
for i = 0 < 5
    put 0xcc byte
next i
With the following command:
Code:
quickbms -p -a 0x40426e int3.bms process://mrw.exe



The following is an example of that command with Ollydbg in the background:
Image


Now play the game and wait for the debugger.
Ollydbg:
Image
Windbg:
Image


It's quite easy and doesn't need much knowledge of debugging, especially if you use Ollydbg, in which you must do absolutely nothing.

I don't know if easier ways exist to explain this, but if you know one... tell me :)


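As an added illustration, not code from the thread, from signsrch or from QuickBMS, here is a Python implementation of the traditional PKWARE "ZipCrypto" cipher as documented in APPNOTE.TXT. It shows what the tools above are actually finding: the three initial key values are the constants that signsrch and the OllyDbg constant search match inside the executable, and the init_keys loop that feeds the password into the keys one byte at a time is where the breakpoint fires, which is why the password bytes become visible in registers and on the stack. It goes a little beyond the post by including the encrypt/decrypt stream so a round trip can be checked. The password and plaintext are constructed sample values.

```python
# Added example: minimal ZipCrypto (traditional PKWARE encryption) per APPNOTE.TXT.
# Not taken from the thread; sample values below are constructed.


def _make_crc_table():
    """Standard reflected CRC-32 table (polynomial 0xEDB88320)."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


CRC_TABLE = _make_crc_table()

# The three initial key values: these are the "magic" constants that
# signsrch and an OllyDbg constant search locate in the game binary.
KEY_INIT = (0x12345678, 0x23456789, 0x34567890)


def crc32_step(crc, byte):
    """One table-driven CRC-32 step, exactly as written in the ZIP spec."""
    return (crc >> 8) ^ CRC_TABLE[(crc ^ byte) & 0xFF]


class ZipCrypto:
    """Holds the three 32-bit keys and advances them one byte at a time."""

    def __init__(self, password):
        self.key0, self.key1, self.key2 = KEY_INIT
        # init_keys(): the password is consumed one byte at a time. A
        # breakpoint on this loop is what the debugger stops on in the
        # tutorial, so each password byte is read here ("MOV *, BYTE PTR [*]").
        for b in password:
            self.update_keys(b)

    def keys(self):
        return (self.key0, self.key1, self.key2)

    def update_keys(self, byte):
        self.key0 = crc32_step(self.key0, byte)
        self.key1 = (self.key1 + (self.key0 & 0xFF)) & 0xFFFFFFFF
        self.key1 = (self.key1 * 134775813 + 1) & 0xFFFFFFFF
        self.key2 = crc32_step(self.key2, self.key1 >> 24)

    def keystream_byte(self):
        temp = (self.key2 | 2) & 0xFFFF
        return ((temp * (temp ^ 1)) >> 8) & 0xFF

    def encrypt(self, data):
        out = bytearray()
        for p in data:
            out.append(p ^ self.keystream_byte())
            self.update_keys(p)  # keys advance on the plaintext byte
        return bytes(out)

    def decrypt(self, data):
        out = bytearray()
        for c in data:
            p = c ^ self.keystream_byte()
            self.update_keys(p)  # same rule: advance on the recovered plaintext
            out.append(p)
        return bytes(out)


def zipcrypto_encrypt(password, plaintext):
    return ZipCrypto(password).encrypt(plaintext)


def zipcrypto_decrypt(password, ciphertext):
    return ZipCrypto(password).decrypt(ciphertext)


if __name__ == "__main__":
    pw = b"constructed-password"  # constructed, not from any game
    ct = zipcrypto_encrypt(pw, b"hello from the archive")
    print(ct.hex())
    print(zipcrypto_decrypt(pw, ct))
```

Real archives prepend a 12-byte encryption header to each entry (its last byte is compared with the CRC or modification time before the data is decrypted); that header goes through the same keystream as the data. The loop accepts arbitrary bytes, including NUL, so a binary password like the one quoted later in this thread is handled no differently from a text one.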
PostPosted: Mon Aug 11, 2014 7:14 pm 

Joined: Sat Aug 09, 2014 2:34 pm
Posts: 713
My method >

1) Load target in Olly
2) Right Click -> Search for -> All Constant
3) In Hexadecimal enter -> 012345678 -> Push Ok
4) Set Breakpoint on found constant
5) Run target and you can see password in FPU Registers

:)


PostPosted: Wed Feb 25, 2015 10:56 am
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 6465
I forgot to add a tip: if the password is not immediately visible in the registers and in the stack, go step-by-step through the next instructions until you see something like "MOV *, BYTE PTR [*]".
You can do that with F8 in Ollydbg or F10 in Windbg.


PostPosted: Sat Apr 11, 2015 6:23 pm

Joined: Mon Oct 13, 2014 10:58 am
Posts: 12
Is it valid for a self-extracting zip?
On my try, I found only the password I've input.

_________________
Devil Inside.


PostPosted: Sat Apr 11, 2015 8:07 pm
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 6465
If the self-extracting executable contains the password (and so you are not prompted to insert it), obviously you can get it.


PostPosted: Sun Apr 12, 2015 9:39 am

Joined: Mon Oct 13, 2014 10:58 am
Posts: 12
Thank you.
And if it asks for a password? No way?

_________________
Devil Inside.


PostPosted: Sun Apr 12, 2015 10:28 am
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 6465
In that case you have to crack it with specific software. Anyway, this is OT, so don't ask about this stuff in this thread.


PostPosted: Sun Apr 12, 2015 1:56 pm

Joined: Mon Oct 13, 2014 10:58 am
Posts: 12
Sorry for the OT and many thanks for the answer.
Indeed, you speak about Ollydbg; in this tutorial you retrieve the password for a 32-bit application, but what is your suggestion for a 64-bit application? Because we are still waiting for Olly64 :(

_________________
Devil Inside.


PostPosted: Sun Apr 12, 2015 2:25 pm
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 6465
Windbg and other 64-bit debuggers work perfectly.

Considering that, currently, there is almost always a 32-bit version of a software/game and 64-bit-only games are still rare (only the big games based on big engines, Cry and Unreal), the lack of a 64-bit version of Olly is not a problem.
I agree that this situation will change in the future, but the big engines used for 64-bit-only games don't use ZIP archives.


PostPosted: Sun Apr 12, 2015 4:56 pm

Joined: Mon Oct 13, 2014 10:58 am
Posts: 12
Nice clarification.
Thank you more :)

_________________
Devil Inside.


PostPosted: Fri May 15, 2015 1:50 am

Joined: Thu May 14, 2015 8:09 pm
Posts: 8
What if signsrch doesn't show the password encryption address? It's a .pkg file; you can view the contents, but when you try to extract it asks for a password.


PostPosted: Fri May 15, 2015 10:14 pm
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 6465
@eriger777
What game?


PostPosted: Sat May 16, 2015 4:30 am

Joined: Thu May 14, 2015 8:09 pm
Posts: 8
aluigi wrote:
@eriger777
What game?


Black Prophecy. I can provide sample files if needed. The game isn't around anymore; http://www.gamershell.com/download_70492.shtml is the download. The files are in I:\Program Files (x86)\Gamigo\Black Prophecy Client\GFX


PostPosted: Sat May 16, 2015 6:24 am
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 6465
One of the first results on Google:
http://www.ownedcore.com/forums/mmo/gen ... -help.html

Download zip.bms, open it with a text editor and use the following at line 25:
Code:
set ZIP_PASSWORD binary "\xB7\x27\x4A\x3B\xCB\xDD\x4B\xD8\xB4\xCD\x8D\xD8\x2D\x8F\x00\xDB"

and at line 84 use this:
Code:
encryption zipcrypto ZIP_PASSWORD 1 0 16


PostPosted: Sat May 16, 2015 3:21 pm

Joined: Thu May 14, 2015 8:09 pm
Posts: 8
aluigi wrote:
One of the first results on Google:
http://www.ownedcore.com/forums/mmo/gen ... -help.html

Download zip.bms, open it with a text editor and use the following at line 25:
Code:
set ZIP_PASSWORD binary "\xB7\x27\x4A\x3B\xCB\xDD\x4B\xD8\xB4\xCD\x8D\xD8\x2D\x8F\x00\xDB"

and at line 84 use this:
Code:
encryption zipcrypto ZIP_PASSWORD 1 0 16


This is what I get.

Image


PostPosted: Sat May 16, 2015 7:15 pm
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 6465
Unfortunately the script doesn't support the AES encryption so I guess you have to use other solutions.


PostPosted: Sun May 17, 2015 4:04 am

Joined: Thu May 14, 2015 8:09 pm
Posts: 8
aluigi wrote:
Unfortunately the script doesn't support the AES encryption so I guess you have to use other solutions.


And how would I go about doing that?


PostPosted: Sun May 17, 2015 9:11 am
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 6465
I don't know if there are libraries that allow using passwords containing NULL bytes; minizip wants a string.
I may even suspect that the password provided in that forum is in reality directly the AES encryption key, but probably I'm wrong.

In the next version of quickbms I will add support for the function used to derive the key from the ZIP password and salt, to be able to use the AES encryption in zip.bms.


PostPosted: Thu Dec 31, 2015 5:29 pm
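For the "function used to derive the key from the ZIP password and salt" mentioned above, here is an added example that is not part of the thread and not zip.bms or QuickBMS code. It assumes the archive uses the WinZip AES extension (AE-1/AE-2), the usual AES scheme for ZIP: PBKDF2-HMAC-SHA1 with 1000 iterations turns the password and the per-entry salt into the AES key, the HMAC-SHA1 key and a 2-byte password verification value, and the entry data is authenticated with HMAC-SHA1 truncated to 10 bytes. The password is handled as bytes, so a NUL byte inside it is no obstacle at this layer. The password, salt and strength byte below are constructed values, and the function names are this example's own.

```python
# Added example: WinZip AES (AE-1/AE-2) key derivation and password check,
# written from the published format; not code from the thread or from zip.bms.
import hashlib
import hmac

# AES strength byte stored in the entry's extra field -> key length in bytes.
AES_KEY_LEN = {0x01: 16, 0x02: 24, 0x03: 32}
PBKDF2_ITERATIONS = 1000


def winzip_aes_derive(password, salt, strength):
    """Return (aes_key, hmac_key, password_verifier) for one archive entry.

    PBKDF2-HMAC-SHA1, 1000 iterations, yields key_len bytes of AES key,
    key_len bytes of HMAC-SHA1 key and 2 bytes of password verification value.
    The salt is half the key length (8 bytes for AES-128, 16 for AES-256).
    """
    key_len = AES_KEY_LEN[strength]
    if len(salt) != key_len // 2:
        raise ValueError("salt must be half the key length")
    derived = hashlib.pbkdf2_hmac("sha1", password, salt, PBKDF2_ITERATIONS,
                                  dklen=2 * key_len + 2)
    return derived[:key_len], derived[key_len:2 * key_len], derived[2 * key_len:]


def password_matches(password, salt, strength, stored_verifier):
    """Cheap check an extractor does before decrypting: compare the 2-byte
    verification value stored in the entry with the derived one."""
    _, _, verifier = winzip_aes_derive(password, salt, strength)
    return hmac.compare_digest(verifier, stored_verifier)


def authentication_code(hmac_key, ciphertext):
    """AE-x authentication code: HMAC-SHA1 over the ciphertext, first 10 bytes."""
    return hmac.new(hmac_key, ciphertext, hashlib.sha1).digest()[:10]


def entry_body(salt, verifier, ciphertext, auth_code):
    """Byte layout of an encrypted entry body: salt | verifier | data | auth code."""
    return salt + verifier + ciphertext + auth_code


if __name__ == "__main__":
    # Constructed values: a 16-byte binary password containing a NUL byte
    # and a fixed 8-byte salt (strength 0x01 = AES-128).
    password = bytes.fromhex("00112233445566778899aabbccddeeff")
    salt = b"\x01" * 8
    key, hkey, pv = winzip_aes_derive(password, salt, 0x01)
    print("AES key:", key.hex(), "verifier:", pv.hex())
    print("password ok:", password_matches(password, salt, 0x01, pv))
```

The derived AES key is used in CTR mode over the entry data, which is not shown here because it needs an AES library outside the standard library; the point of the example is that the password only ever enters through PBKDF2, so a script that wants to "use the AES encryption in zip.bms" has to carry this derivation (or the derived key itself) rather than pass the raw password to the cipher.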

Joined: Thu May 14, 2015 8:09 pm
Posts: 8
Hey! Did you ever add that option to quickbms?


PostPosted: Thu Dec 31, 2015 6:26 pm
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 6465
Sure, zip.bms has already implemented the AES passwords for many months.

