ZenHAX
http://zenhax.com/

Retrieving ZIP passwords from games - the debugger way
http://zenhax.com/viewtopic.php?f=4&t=59
Page 1 of 2

Author:  aluigi [ Mon Aug 11, 2014 6:34 pm ]
Post subject:  Retrieving ZIP passwords from games - the debugger way

In the other thread we have seen the easiest method to get the password from the ZIP archives used by various games.

The following method instead is a bit more advanced and can be used not only for ZIP archives, but also for other types of passwords, like those used for encryption algorithms such as AES and Blowfish.
Like all my tutorials, I will try to make everything as easy as I can.

Tools:
Signsrch http://aluigi.org/mytoolz.htm#signsrch
Ollydbg or Windbg or any other debugger
http://ollydbg.de/
http://www.microsoft.com/click/services ... =300135395

Optional tools:
QuickBMS http://quickbms.aluigi.org


The example game for this tutorial is Mini Robot Wars:
http://www.bigfishgames.com/download-ga ... index.html



First step - check the files in the folder of the game and start it.
Image


Start signsrch on the process of the game, in this case mrw.exe, but you can also specify the PID in case of conflicts.
If the game runs on two processes, you must specify the PID of the second one.
Image


Output of signsrch:
Image


Attach a debugger to the game; the following example uses Windbg.
Windbg is faster than ollydbg and more compatible with "some" games, but it's not as easy to use as ollydbg and other visual debuggers.
Image


Now it's necessary to set a breakpoint or find another way to make the debugger break when the zipcrypto function is called.
The simplest way obviously is to go with the debugger to the beginning of the instruction pointed to by the offset shown by signsrch.

But if you want something easier you can use the following script for quickbms:
Code:
# quickbms_arg1 holds the address passed with -a, i.e. the offset shown by signsrch
# step back from the constant to the start of the instruction that loads it (3 bytes here)
math quickbms_arg1 -= 3
goto quickbms_arg1
# overwrite the instruction with five int3 (0xcc) opcodes so the attached debugger breaks here
for i = 0 < 5
    put 0xcc byte
next i
With the following command:
Code:
quickbms -p -a 0x40426e int3.bms process://mrw.exe



The following is an example of that command with Ollydbg in the background:
Image


Now play the game and wait for the debugger.
Ollydbg:
Image
Windbg:
Image


It's quite easy and doesn't need much knowledge of debugging, especially if you use ollydbg, in which you must do absolutely nothing.

I don't know if easier ways exist to explain this, but if you know one... tell me :)

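What follows is an added example, not code from the original post, from signsrch or from QuickBMS: a pure-Python ZipCrypto key schedule plus a scanner for the three key-initialisation constants. It shows why searching for those constants (signsrch above, or Olly's constant search) lands on the cipher code, where the password bytes enter the key state, and how to check a password pulled out of the debugger against an entry's 12-byte encryption header. The x86 bytes, the password and the archive entry are constructed for the demonstration; nothing here is taken from mrw.exe.

```python
# Added example, not code from the original post, from signsrch or from QuickBMS.
# It shows why searching for a constant finds the ZipCrypto code, where the
# password bytes enter the key state, and how to check a recovered password.
import struct
import zlib

# Every traditional PKWARE ("ZipCrypto") implementation starts with these three
# immediates; signsrch reports their offsets and Olly's constant search finds them too.
KEY_INIT = (0x12345678, 0x23456789, 0x34567890)


def _crc32_byte(crc, b):
    """One step of CRC-32 (reflected, poly 0xEDB88320), same as the table form."""
    c = (crc ^ b) & 0xFF
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    return c ^ (crc >> 8)


class ZipCrypto:
    """Key schedule and keystream of the traditional PKWARE cipher."""

    def __init__(self, password: bytes):
        self.keys = list(KEY_INIT)
        # The password is consumed one byte at a time: this is the loop where the
        # debugger shows a "MOV reg, BYTE PTR [addr]" reading it from memory.
        for b in password:
            self.update_keys(b)

    def update_keys(self, b):
        k = self.keys
        k[0] = _crc32_byte(k[0], b)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc32_byte(k[2], k[1] >> 24)

    def _stream_byte(self):
        t = (self.keys[2] | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            out.append(p ^ self._stream_byte())
            self.update_keys(p)
        return bytes(out)

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            p = c ^ self._stream_byte()
            self.update_keys(p)
            out.append(p)
        return bytes(out)


def check_password(password: bytes, enc_header: bytes, crc: int) -> bool:
    """Byte 12 of the decrypted encryption header must equal the high byte of the
    entry's CRC32 (high byte of the mod time when the data-descriptor flag is set;
    the CRC variant is used here)."""
    return ZipCrypto(password).decrypt(enc_header[:12])[11] == (crc >> 24) & 0xFF


def find_key_constants(blob: bytes) -> dict:
    """Offsets of the little-endian encodings of KEY_INIT, i.e. what signsrch reports."""
    hits = {}
    for k in KEY_INIT:
        pat, offs, start = struct.pack("<I", k), [], 0
        while (i := blob.find(pat, start)) != -1:
            offs.append(i)
            start = i + 1
        hits[k] = offs
    return hits


# Constructed sample code: three "mov dword ptr [ebp-N], imm32" (C7 45 xx imm32),
# the shape a compiler emits for the key initialisation. The immediate sits 3 bytes
# after the opcode, which is what the "-= 3" in the int3.bms script above steps over.
SAMPLE_CODE = bytes.fromhex("C745F878563412" "C745FC89674523" "C745F490785634")

# Constructed archive entry: a password, a plaintext, its CRC32 and a 12-byte
# encryption header ending in the CRC high byte, all encrypted in one key stream.
PASSWORD = b"recovered-from-debugger"
PLAINTEXT = b"level data"
CRC = zlib.crc32(PLAINTEXT) & 0xFFFFFFFF
_enc = ZipCrypto(PASSWORD)
ENC_HEADER = _enc.encrypt(bytes(range(11)) + bytes([CRC >> 24]))
ENC_BODY = _enc.encrypt(PLAINTEXT)


def recover_entry(password: bytes) -> bytes:
    """Decrypt header then body with one key state, the way a ZIP reader does."""
    z = ZipCrypto(password)
    z.decrypt(ENC_HEADER)
    return z.decrypt(ENC_BODY)


if __name__ == "__main__":
    print(find_key_constants(SAMPLE_CODE))
    print(check_password(PASSWORD, ENC_HEADER, CRC), recover_entry(PASSWORD))
```

`find_key_constants` is the whole trick in miniature: the constants are immediates in the code, so the hit offsets are a few bytes into the instruction that loads them, and a breakpoint at that instruction's start fires just before the password loop runs. `check_password` is the cheap test to run on whatever you copy out of the registers or stack; it rejects a wrong candidate 255 times out of 256 without decompressing anything.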

Author:  Ekey [ Mon Aug 11, 2014 7:14 pm ]
Post subject:  Re: Retrieving ZIP passwords from games - the debugger way

My method >

1) Load target in Olly
2) Right Click -> Search for -> All Constant
3) In Hexadecimal enter -> 012345678 -> Push Ok
4) Set Breakpoint on found constant
5) Run the target and you can see the password in the FPU registers

:)

Author:  aluigi [ Wed Feb 25, 2015 10:56 am ]
Post subject:  Re: Retrieving ZIP passwords from games - the debugger way

I forgot to add a tip: if the password is not immediately visible in the registers and in the stack, go step-by-step through the next instructions till you see something like "MOV *, BYTE PTR [*]".
You can do that with F8 in Ollydbg or F10 in Windbg.

Author:  devilkkw [ Sat Apr 11, 2015 6:23 pm ]
Post subject:  Re: Retrieving ZIP passwords from games - the debugger way

Is it valid for self-extracting zip?
On my try, I found only the password I've input.

Author:  aluigi [ Sat Apr 11, 2015 8:07 pm ]
Post subject:  Re: Retrieving ZIP passwords from games - the debugger way

If the self-extracting executable contains the password (and so you are not prompted to insert it), obviously you can get it.

Author:  devilkkw [ Sun Apr 12, 2015 9:39 am ]
Post subject:  Re: Retrieving ZIP passwords from games - the debugger way

thank you.
And if it asks for a password? No way?

Author:  aluigi [ Sun Apr 12, 2015 10:28 am ]
Post subject:  Re: Retrieving ZIP passwords from games - the debugger way

In that case you have to crack it with specific software. Anyway this is OT so don't ask about this stuff in this thread.

Author:  devilkkw [ Sun Apr 12, 2015 1:56 pm ]
Post subject:  Re: Retrieving ZIP passwords from games - the debugger way

Sorry for the OT and many thanks for the answer.
Indeed, you speak about ollydbg; in this tutorial you retrieve the password for a 32bit application, but what is your suggestion for a 64bit application? Because we are still waiting for olly64 :(

Author:  aluigi [ Sun Apr 12, 2015 2:25 pm ]
Post subject:  Re: Retrieving ZIP passwords from games - the debugger way

Windbg and other 64bit debuggers work perfectly.

Considering that, currently, there is almost always a 32bit version of a software/game and 64bit-only games are still rare (only the big games based on big engines, Cry and Unreal), the lack of a 64bit version of olly is not a problem.
I agree that this situation will change in future, but the big engines used for 64bit-only games don't use ZIP archives.

Author:  devilkkw [ Sun Apr 12, 2015 4:56 pm ]
Post subject:  Re: Retrieving ZIP passwords from games - the debugger way

Nice clarification.
Thank you more :)

Author:  eriger777 [ Fri May 15, 2015 1:50 am ]
Post subject:  Re: Retrieving ZIP passwords from games - the debugger way

What if signsrch doesn't show the password encryption address? It's a .pkg file; you can view the contents, but when you try to extract it asks for a password.

Author:  aluigi [ Fri May 15, 2015 10:14 pm ]
Post subject:  Re: Retrieving ZIP passwords from games - the debugger way

@eriger777
What game?

Author:  eriger777 [ Sat May 16, 2015 4:30 am ]
Post subject:  Re: Retrieving ZIP passwords from games - the debugger way

aluigi wrote:
@eriger777
What game?


Black Prophecy. I can provide sample files if needed. The game isn't around anymore http://www.gamershell.com/download_70492.shtml that's the download. The files are I:\Program Files (x86)\Gamigo\Black Prophecy Client\GFX

Author:  aluigi [ Sat May 16, 2015 6:24 am ]
Post subject:  Re: Retrieving ZIP passwords from games - the debugger way

One of the first results on Google:
http://www.ownedcore.com/forums/mmo/gen ... -help.html

Download zip.bms, open it with a text editor and use the following at line 25:
Code:
set ZIP_PASSWORD binary "\xB7\x27\x4A\x3B\xCB\xDD\x4B\xD8\xB4\xCD\x8D\xD8\x2D\x8F\x00\xDB"

and at line 84 use this:
Code:
encryption zipcrypto ZIP_PASSWORD 1 0 16

Author:  eriger777 [ Sat May 16, 2015 3:21 pm ]
Post subject:  Re: Retrieving ZIP passwords from games - the debugger way

aluigi wrote:
One of the first results on Google:
http://www.ownedcore.com/forums/mmo/gen ... -help.html

Download zip.bms, open it with a text editor and use the following at line 25:
Code:
set ZIP_PASSWORD binary "\xB7\x27\x4A\x3B\xCB\xDD\x4B\xD8\xB4\xCD\x8D\xD8\x2D\x8F\x00\xDB"

and at line 84 use this:
Code:
encryption zipcrypto ZIP_PASSWORD 1 0 16


This is what I get.

Image

Author:  aluigi [ Sat May 16, 2015 7:15 pm ]
Post subject:  Re: Retrieving ZIP passwords from games - the debugger way

Unfortunately the script doesn't support the AES encryption so I guess you have to use other solutions.

Author:  eriger777 [ Sun May 17, 2015 4:04 am ]
Post subject:  Re: Retrieving ZIP passwords from games - the debugger way

aluigi wrote:
Unfortunately the script doesn't support the AES encryption so I guess you have to use other solutions.


And how would I go about doing that?

Author:  aluigi [ Sun May 17, 2015 9:11 am ]
Post subject:  Re: Retrieving ZIP passwords from games - the debugger way

I don't know if there are libraries that allow using passwords containing NULL bytes; minizip wants a string.
I may even suspect that the password provided in that forum is in reality directly the AES encryption key, but probably I'm wrong.

In the next version of quickbms I will add support for the function used to derive the key from the ZIP password and salt, to be able to use AES encryption in zip.bms.
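The following is an added example, not code from the thread, from zip.bms or from QuickBMS: the WinZip AES (AE-1/AE-2) password-to-key derivation in pure Python, which is the "function used to derive the key from the ZIP password and salt" mentioned in the post above. It takes the 16 bytes posted earlier in the thread as a password (whether they are really a password or the raw AES key is left open, as in the post) and shows that a NUL in the middle is harmless to PBKDF2 but changes the derived key if a C-string API truncates it. The salt and ciphertext are constructed for the demonstration; the format constants (PBKDF2-HMAC-SHA1, 1000 iterations, 2-byte verification value, 10-byte HMAC-SHA1 authentication code) are those of the WinZip AES specification.

```python
# Added example, not code from the thread, zip.bms or QuickBMS: WinZip AES
# (AE-1/AE-2) key derivation and a password check that needs no AES at all.
import hashlib
import hmac

# strength byte of the AES extra field -> AES key length and salt length
AES_KEY_LEN = {1: 16, 2: 24, 3: 32}
SALT_LEN = {1: 8, 2: 12, 3: 16}
PBKDF2_ITERATIONS = 1000   # fixed by the WinZip AES format
AUTH_CODE_LEN = 10         # HMAC-SHA1 over the ciphertext, truncated to 10 bytes


def derive_keys(password: bytes, salt: bytes, strength: int):
    """PBKDF2-HMAC-SHA1 -> (aes_key, hmac_key, 2-byte password verification value)."""
    klen = AES_KEY_LEN[strength]
    if len(salt) != SALT_LEN[strength]:
        raise ValueError("salt length does not match AES strength")
    dk = hashlib.pbkdf2_hmac("sha1", password, salt, PBKDF2_ITERATIONS, 2 * klen + 2)
    return dk[:klen], dk[klen:2 * klen], dk[2 * klen:]


def split_entry(data: bytes, strength: int):
    """File data of an AES-encrypted entry: salt | pv | ciphertext | auth code."""
    slen = SALT_LEN[strength]
    if len(data) < slen + 2 + AUTH_CODE_LEN:
        raise ValueError("entry too short")
    return (data[:slen], data[slen:slen + 2],
            data[slen + 2:-AUTH_CODE_LEN], data[-AUTH_CODE_LEN:])


def check_password(password: bytes, data: bytes, strength: int) -> bool:
    """True when the candidate matches the stored verification value and the
    HMAC over the ciphertext; the HMAC covers the encrypted bytes, so no AES
    decryption is needed to confirm a password."""
    salt, pv, ciphertext, auth = split_entry(data, strength)
    _, hmac_key, derived_pv = derive_keys(password, salt, strength)
    if not hmac.compare_digest(derived_pv, pv):
        return False
    expected = hmac.new(hmac_key, ciphertext, hashlib.sha1).digest()[:AUTH_CODE_LEN]
    return hmac.compare_digest(expected, auth)


def build_entry(password: bytes, salt: bytes, ciphertext: bytes, strength: int) -> bytes:
    """Assemble file data the way a writer would: salt | pv | ciphertext | auth."""
    _, hmac_key, pv = derive_keys(password, salt, strength)
    auth = hmac.new(hmac_key, ciphertext, hashlib.sha1).digest()[:AUTH_CODE_LEN]
    return salt + pv + ciphertext + auth


# Constructed sample. The 16 bytes are the value posted in the thread, used here
# as a password; the NUL at offset 14 would end a C string (the minizip problem).
PASSWORD = bytes.fromhex("B7274A3BCBDD4BD8B4CD8DD82D8F00DB")
TRUNCATED = PASSWORD.split(b"\x00")[0]          # what a C-string API would see
STRENGTH = 1                                    # AES-128
SALT = bytes.fromhex("0011223344556677")        # constructed, 8 bytes for AES-128
CIPHERTEXT = bytes.fromhex("deadbeefcafebabe")  # constructed, content irrelevant here
ENTRY = build_entry(PASSWORD, SALT, CIPHERTEXT, STRENGTH)


def truncation_changes_key() -> bool:
    """Does stopping at the NUL produce a different AES key? (It does.)"""
    return derive_keys(PASSWORD, SALT, STRENGTH)[0] != derive_keys(TRUNCATED, SALT, STRENGTH)[0]


if __name__ == "__main__":
    print(check_password(PASSWORD, ENTRY, STRENGTH), truncation_changes_key())
```

Two practical points fall out of this. First, if what you recovered from the debugger is a 16-, 24- or 32-byte blob and the archive's AES extra field says the matching strength, it may be the derived AES key rather than the password; in that case feed it to the cipher directly instead of to PBKDF2. Second, the 2-byte verification value rejects most wrong candidates instantly, but only the authentication code over the ciphertext settles it.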

Author:  eriger777 [ Thu Dec 31, 2015 5:29 pm ]
Post subject:  Re: Retrieving ZIP passwords from games - the debugger way

Hey! did you ever add that option to quickbms?

Author:  aluigi [ Thu Dec 31, 2015 6:26 pm ]
Post subject:  Re: Retrieving ZIP passwords from games - the debugger way

Sure, zip.bms has already implemented AES passwords for many months.
