ZenHAX

Free Game Research Forum | Official QuickBMS support | twitter @zenhax | SSL HTTPS://zenhax.com

All times are UTC




Post new topic  Reply to topic  [ 12 posts ] 
 Post subject: rfc2898 derive bytes
PostPosted: Sun Aug 09, 2020 2:40 am 

Joined: Thu Aug 07, 2014 10:28 pm
Posts: 310
Does quickbms support this encryption?
https://docs.microsoft.com/en-us/dotnet ... etcore-3.1
I found a unity game using this.

Code:
undefined8 AESCryption$$Decryption(longlong param_1)

{
  code *pcVar1;
  int iVar2;
  longlong *plVar3;
  longlong *plVar4;
  undefined8 uVar5;
  longlong lVar6;
 
  if (DAT_181b54bdf == '\0') {
                    /* WARNING: Subroutine does not return */
    FUN_1801e6140(3);
  }
  plVar3 = (longlong *)FUN_180225950(System.Security.Cryptography.RijndaelManaged_TypeInfo);
  System.Security.Cryptography.RijndaelManaged$$.ctor(plVar3,0);
  if (plVar3 != (longlong *)0x0) {
    (**(code **)(*plVar3 + 0x218))(plVar3,0x100,*(undefined8 *)(*plVar3 + 0x220));
    (**(code **)(*plVar3 + 0x198))(plVar3,0x100,*(undefined8 *)(*plVar3 + 0x1a0));
    plVar4 = (longlong *)System.Text.Encoding$$get_UTF8(0);
    if (plVar4 != (longlong *)0x0) {
      uVar5 = (**(code **)(*plVar4 + 0x238))
                        (plVar4,StringLiteral_7505,*(undefined8 *)(*plVar4 + 0x240));
      plVar4 = (longlong *)FUN_180225950(System.Security.Cryptography.Rfc2898DeriveBytes_TypeInfo);
      System.Security.Cryptography.Rfc2898DeriveBytes$$.ctor(plVar4,StringLiteral_7506,uVar5,0);
      if (plVar4 != (longlong *)0x0) {
        System.Security.Cryptography.Rfc2898DeriveBytes$$set_IterationCount(plVar4,1000,0);
        iVar2 = (**(code **)(*plVar3 + 0x208))(plVar3,*(undefined8 *)(*plVar3 + 0x210));
        uVar5 = (**(code **)(*plVar4 + 0x178))
                          (plVar4,(ulonglong)(uint)((int)((iVar2 >> 0x1f & 7U) + iVar2) >> 3),
                           *(undefined8 *)(*plVar4 + 0x180));
        (**(code **)(*plVar3 + 0x1e8))(plVar3,uVar5,*(undefined8 *)(*plVar3 + 0x1f0));
        iVar2 = (**(code **)(*plVar3 + 0x188))(plVar3,*(undefined8 *)(*plVar3 + 400));
        uVar5 = (**(code **)(*plVar4 + 0x178))
                          (plVar4,(ulonglong)(uint)((int)((iVar2 >> 0x1f & 7U) + iVar2) >> 3),
                           *(undefined8 *)(*plVar4 + 0x180));
        (**(code **)(*plVar3 + 0x1c8))(plVar3,uVar5,*(undefined8 *)(*plVar3 + 0x1d0));
        lVar6 = (**(code **)(*plVar3 + 0x288))(plVar3,*(undefined8 *)(*plVar3 + 0x290));
        if ((param_1 != 0) && (lVar6 != 0)) {
          uVar5 = FUN_1800d3b50(4,System.Security.Cryptography.ICryptoTransform_TypeInfo,lVar6,
                                param_1,0,*(undefined4 *)(param_1 + 0x18));
          FUN_1800a65e0(0,System.IDisposable_TypeInfo,lVar6);
          return uVar5;
        }
      }
    }
  }
  FUN_180214910(0);
  pcVar1 = (code *)swi(3);
  uVar5 = (*pcVar1)();
  return uVar5;
}



StringLiteral_7505 = UIPApbOu
StringLiteral_7506 = Zn2HpaJxv2x23zME


 Post subject: Re: rfc2898 derive bytes
PostPosted: Sun Aug 09, 2020 8:34 am 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 11680
Honestly, no idea.
I have a PKCS5_PBKDF2_HMAC in quickbms, but I guess it's used for hashing.
You can check if openssl or tomcrypt have something similar using different names.


 Post subject: Re: rfc2898 derive bytes
PostPosted: Sun Aug 09, 2020 12:08 pm 

Joined: Thu Aug 07, 2014 10:28 pm
Posts: 310
That might be it. Do you have an example of using PKCS5_PBKDF2_HMAC?


 Post subject: Re: rfc2898 derive bytes
PostPosted: Sun Aug 09, 2020 12:40 pm 

Joined: Thu Aug 07, 2014 10:28 pm
Posts: 310
This function is in the game's dll file.
Can I call this function in quickbms?
It is not in the export list; can I tell quickbms to call the function at an offset?


 Post subject: Re: rfc2898 derive bytes
PostPosted: Sun Aug 09, 2020 4:41 pm 

Joined: Thu Aug 07, 2014 10:28 pm
Posts: 310
I found the original code used for encryption.
https://pastebin.com/raw/jzd3c8jC
If I use Zn2HpaJxv2x23zME as the password with UIPApbOu as the salt, it decrypts correctly.
It would be great to get this working in quickbms instead of in unity editor.
Here is a sample encrypted and decrypted file.
https://anonfiles.com/ndL1z1L6o2/item_k ... uniform_7z


 Post subject: Re: rfc2898 derive bytes
PostPosted: Fri Aug 21, 2020 9:17 am 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 11680
chrrox wrote:
This function is in the game's dll file.
Can I call this function in quickbms?
It is not in the export list; can I tell quickbms to call the function at an offset?

You can't call .NET functions.


 Post subject: Re: rfc2898 derive bytes
PostPosted: Fri Aug 21, 2020 9:20 am 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 11680
Regarding the other question, it's probably possible to do something in quickbms with that HMAC encryption I mentioned:
https://stackoverflow.com/questions/550 ... -using-clr


 Post subject: Re: rfc2898 derive bytes
PostPosted: Fri Aug 21, 2020 3:56 pm 

Joined: Thu Aug 07, 2014 10:28 pm
Posts: 310
I generated the key and ivec outside of quickbms; I just need to figure out how to generate them inside quickbms.

In Python:

Code:
import hashlib
key_iv = hashlib.pbkdf2_hmac('sha1', b'Zn2HpaJxv2x23zME', b'UIPApbOu', 1000, dklen=64)  # 64 bytes: first 32 = key, next 32 = IV


Then this works fine inside quickbms.

Code:
set KEY binary "\x48\xBB\x42\xFC\xCA\xD8\x2F\x25\x00\x4E\xBD\x97\xDE\xD7\x4D\x6F\x80\xE0\xAB\x8C\x5A\x15\x29\x7C\xD6\xD4\xBF\xCC\xF0\xCF\x8E\x54"
set IV  binary "\x91\xDA\xF0\xD7\xA3\xA5\x8F\x3C\x49\xE2\x94\x38\xDD\x6B\xD9\x4A\x00\xA2\xF1\x7C\xA5\xF7\x16\x27\xEB\x0F\x61\x1B\xE0\xA3\xF7\xC8"

encryption mcrypt_rijndael-256_cbc KEY IV

get SIZE asize
log NAME 0 SIZE


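Added example (not code from the thread or from quickbms): the Python above asks hashlib for the PBKDF2 stream, and the quickbms script then cuts that stream into a 32-byte key and a 32-byte IV. The block below shows why that split matches what the game's .NET code does. It implements PBKDF2-HMAC-SHA1 from RFC 2898 directly with hmac, wraps it in a hypothetical `Rfc2898DeriveBytesLike` class that mimics the stateful `GetBytes(n)` of .NET's `Rfc2898DeriveBytes` (successive calls return successive slices of the same stream, so `GetBytes(32)` then `GetBytes(32)` is bytes 0..31 and 32..63), and checks the result against a single `hashlib.pbkdf2_hmac(..., dklen=64)` call. The key and IV lengths come from the decompiled code (KeySize and BlockSize both 0x100 bits), and the `quickbms_binary_literal` helper is an assumed convenience for producing the `set KEY binary "\x.."` line; both helper names are mine.

```python
import hashlib
import hmac
import struct

# Parameters as posted in the thread (the game's hard-coded secret and salt).
PASSWORD = b"Zn2HpaJxv2x23zME"
SALT = b"UIPApbOu"
ITERATIONS = 1000   # Rfc2898DeriveBytes.IterationCount = 1000 in the decompiled code
KEY_LEN = 32        # RijndaelManaged.KeySize = 0x100 bits
IV_LEN = 32         # RijndaelManaged.BlockSize = 0x100 bits (Rijndael-256, not AES-128 blocks)


def pbkdf2_hmac_sha1(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2 per RFC 2898 section 5.2 with HMAC-SHA1 as the PRF.

    Output is T_1 || T_2 || ... truncated to dklen, where
    T_i = U_1 xor U_2 xor ... xor U_c, U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1}).
    Each block is 20 bytes (SHA-1 digest size); blocks are independent, so the
    first 32 bytes of a 64-byte derivation equal a 32-byte derivation.
    """
    blocks = []
    block_index = 1
    while sum(len(b) for b in blocks) < dklen:
        u = hmac.new(password, salt + struct.pack(">I", block_index), hashlib.sha1).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha1).digest()
            t = bytearray(a ^ b for a, b in zip(t, u))
        blocks.append(bytes(t))
        block_index += 1
    return b"".join(blocks)[:dklen]


class Rfc2898DeriveBytesLike:
    """Hypothetical stand-in for .NET's Rfc2898DeriveBytes: get_bytes(n) is
    stateful and returns the next n bytes of the PBKDF2 stream."""

    def __init__(self, password: bytes, salt: bytes, iterations: int):
        self._password = password
        self._salt = salt
        self._iterations = iterations
        self._pos = 0

    def get_bytes(self, n: int) -> bytes:
        end = self._pos + n
        out = pbkdf2_hmac_sha1(self._password, self._salt, self._iterations, end)[self._pos:end]
        self._pos = end
        return out


def derive_key_iv(password=PASSWORD, salt=SALT, iterations=ITERATIONS):
    """Mirror the decompiled sequence: GetBytes(KeySize/8) then GetBytes(BlockSize/8)."""
    kdf = Rfc2898DeriveBytesLike(password, salt, iterations)
    key = kdf.get_bytes(KEY_LEN)
    iv = kdf.get_bytes(IV_LEN)
    return key, iv


def derive_key_iv_one_shot(password=PASSWORD, salt=SALT, iterations=ITERATIONS):
    """Same result from one hashlib call, which is what the quickbms script does
    when it takes the first 64 bytes of QUICKBMS_HASH and splits them 32/32."""
    stream = hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen=KEY_LEN + IV_LEN)
    return stream[:KEY_LEN], stream[KEY_LEN:]


def quickbms_binary_literal(data: bytes) -> str:
    """Render bytes as the "\\xNN..." string accepted by quickbms's `set VAR binary`."""
    return '"' + "".join("\\x%02X" % b for b in data) + '"'


if __name__ == "__main__":
    key, iv = derive_key_iv()
    assert (key, iv) == derive_key_iv_one_shot()
    print("set KEY binary " + quickbms_binary_literal(key))
    print("set IV  binary " + quickbms_binary_literal(iv))
```

Running the block prints the two `set ... binary` lines ready to paste into the quickbms script. The RFC 2898 implementation recomputes the stream on every `get_bytes` call, which is fine for a 64-byte derivation and keeps the prefix property visible; a production KDF would cache the blocks.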
 Post subject: Re: rfc2898 derive bytes
PostPosted: Fri Aug 21, 2020 4:22 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 11680
Great.
You just need the secret and salt fields that are taken by that AESConfig resource.

*edit* ah ok I guess your python code is the generator, gotcha


 Post subject: Re: rfc2898 derive bytes
PostPosted: Fri Aug 21, 2020 4:26 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 11680
Here we go, both key and IV in the result:
Code:
encryption PKCS5_PBKDF2_HMAC_sha1 "Zn2HpaJxv2x23zME" "UIPApbOu" 1000
print "%QUICKBMS_HEXHASH%"


 Post subject: Re: rfc2898 derive bytes
PostPosted: Fri Aug 21, 2020 4:33 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 11680
I think this code is complete, you just need to specify the offset:
Code:
encryption PKCS5_PBKDF2_HMAC_sha1 "Zn2HpaJxv2x23zME" "UIPApbOu" 1000

log MEMORY_FILE 0 0
putdstring QUICKBMS_HASH 64 MEMORY_FILE
goto 0 MEMORY_FILE
getdstring KEY 32 MEMORY_FILE
getdstring IV 32 MEMORY_FILE

encryption mcrypt_rijndael-256_cbc KEY IV 0 32
math OFFSET = ???
get SIZE asize
math SIZE - OFFSET
log "dump.dat" OFFSET SIZE

I will probably add Rfc2898DeriveBytes to the next quickbms.


 Post subject: Re: rfc2898 derive bytes
PostPosted: Fri Aug 21, 2020 10:17 pm 

Joined: Thu Aug 07, 2014 10:28 pm
Posts: 310
aluigi wrote:
I will probably add Rfc2898DeriveBytes to the next quickbms.

Very cool.
Here is that sample extracted first.
Unity stores the file compressed, then you decrypt the output.
https://anonfiles.com/Z4E2taObo2/item_k ... -enc_bytes
Works just as expected :)

