ZenHAX

Free Game Research Forum | Official QuickBMS support | twitter @zenhax | SSL HTTPS://zenhax.com
It is currently Tue Oct 27, 2020 8:41 pm

All times are UTC




Post new topic  Reply to topic  [ 4 posts ] 
Author Message
PostPosted: Mon Mar 16, 2020 10:03 am 

Joined: Fri Mar 06, 2020 4:44 am
Posts: 12
Hi, I really need help decrypting the savegame file (link: https://drive.google.com/open?id=1ZJuzq ... rNhps1ItSb) since I can't mod the lootboxes to acquire unobtainable outfits (the game has stopped receiving new content and they can't be bought even with real money) in the game as it is server-sided, so editing player's data is the only way to do so. I have tried scripts on https://aluigi.altervista.org/quickbms.htm but none of them could help. If anyone could really help me decrypt the file to edit it and encrypt the edited file again to replace, it would be a really great help to me since I want to archive this game real bad. There's no way to get all the outfits now so it's my only option to do this :( Thanks in advance!
P. S. Here's the game on the Play Store (https://play.google.com/store/apps/deta ... ordondashx) if it helps. The game is part of the classic time management game franchise Diner Dash which first started in 2003.


Top
   
PostPosted: Mon Mar 16, 2020 10:48 am 

Joined: Fri Mar 06, 2020 4:44 am
Posts: 12
Hi, I need some scripts to decode the game's save.json savegame file (https://drive.google.com/open?id=1HZ1ww ... yYBb8fpTEa , there are 2 instances of my game progress at 2 different time), since there are many unobtainable items in the game (they can't even be bought with real money), and the game's loot box data is server-sided so it's out of question to even find data for that. Also if the algorithm used to encode the savegame file is found, is it possible to edit the game file and then encrypt it again to make a new save game? Thanks!


Top
   
PostPosted: Mon Mar 16, 2020 11:28 am 
Site Admin
User avatar

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 11696
I just tried to check if it used deflate compression, didn't scan all the algorithms. No luck with deflate.
It's possible that it may be encrypted.
Both the files have the 0xb0 bytes at the beginning.
It may be an block-cipher encryption like AES.
No key, no decryption.


Top
   
PostPosted: Tue Mar 17, 2020 4:51 am 

Joined: Fri Mar 06, 2020 4:44 am
Posts: 12
aluigi wrote:
I just tried to check if it used deflate compression, didn't scan all the algorithms. No luck with deflate.
It's possible that it may be encrypted.
Both the files have the 0xb0 bytes at the beginning.
It may be an block-cipher encryption like AES.
No key, no decryption.

Hi, thanks for the quick reply. I'm still working on where to look for the key to decrypt, so I'm going to list some of my deductions on where the key might be (and potential code dump in the game's lib on how it encrypt and decrypt data) and the full list of all the files in some folders most related to game data. I'm still new to this so if there's some script for my to put the key in for trial-and-error decrypting, please tell me where to do so since I want avoid inconveniencing you as much as possible:
1. cookieFile.txt in the game's files folder in the internal memory (https://drive.google.com/open?id=1jXgBt ... xKiK5kQ-Xx):
Code:
endpoint1.collection.us2.sumologic.com   FALSE   /   FALSE   null   AWSALB   EHto3xdm69GYvXqEAv41qjpOuBMh3NYuqe5yHsDrwm4N9G8wYJJbnb5B9lT/rf/pzUdlyov3yHX56DOOp6hYms44bn7OqlNHTvst4JrXoKWG6QTiALOeU8qBf7H6
endpoint1.collection.us2.sumologic.com   FALSE   /   FALSE   null    SameSite   None

2. INSTALLATION file in the game's file folder in the internal memory (https://drive.google.com/open?id=1uuXdW ... 1YACPdFlvV):
Code:
466c56eb-beae-42c6-8944-4c3d43259a6b

Full list of the game's files folder:
Image
3. __hs__db_key_values in the game's databases folder in the internal memory, which contains these 2 values only (https://drive.google.com/open?id=1UyAWS ... ZhgnMc3kJJ):
screenOrientation in binary:
Code:
aced0005737200116a6176612e6c616e
672e496e746567657212e2a0a4f78187
3802000149000576616c756578720010
6a6176612e6c616e672e4e756d626572
86ac951d0b94e08b0200007870ffffff
ff

disableAnimations in binary:
Code:
aced0005737200116a6176612e6c616e
672e426f6f6c65616ecd207280d59cfa
ee0200015a000576616c7565787000

Full list of the game's databases folder (all of the -journal files are encrypted too):
Image
4. .hptc_kache_glu.gordondashx in the game's code_cache folder (only file in the folder) is in encryption as well: https://drive.google.com/open?id=1m3zur ... 43ACnZqi8T - still don't know what it does
5. The game's lib files (https://drive.google.com/open?id=1DJX3X ... cXUjr_0hsA), which I only uploaded 2 of them here since they are my main point of investigation that has the libpfgame.so file with 2 suspicious strings, Aes_Setkey_Dec and Aes_Setkey_Enc. For convenience, I will upload its code here from IDA and I can't really understand ARM codes so it will take me sometime to learn it after I posted this:
Aes_SetKey_Dec
Code:
.text:00A32A48                 EXPORT Aes_SetKey_Dec
.text:00A32A48 Aes_SetKey_Dec                          ; DATA XREF: LOAD:0000221C↑o
.text:00A32A48 ; __unwind {
.text:00A32A48                 PUSH            {R4-R6,LR}
.text:00A32A4A                 MOV             R4, R2
.text:00A32A4C                 MOV             R5, R0
.text:00A32A4E                 BLX             j_Aes_SetKey_Enc
.text:00A32A52                 CMN.W           R4, #0x14
.text:00A32A56                 IT EQ
.text:00A32A58                 POPEQ           {R4-R6,PC}
.text:00A32A5A                 LDR             R3, =(_GLOBAL_OFFSET_TABLE_ - 0xA32A6C)
.text:00A32A5C                 ADD.W           R1, R5, #0x20
.text:00A32A60                 LDR             R2, =(unk_15636B8 - 0x18E9058)
.text:00A32A62                 ADD.W           R0, R4, #0x14
.text:00A32A66                 LDR             R5, =(unk_192E168 - 0x18E9058)
.text:00A32A68                 ADD             R3, PC
.text:00A32A6A                 ADD.W           LR, R2, R3
.text:00A32A6E                 ADD             R3, R5
.text:00A32A70
.text:00A32A70 loc_A32A70                              ; CODE XREF: Aes_SetKey_Dec+76↓j
.text:00A32A70                 LDR             R5, [R1]
.text:00A32A72                 SUBS            R0, #1
.text:00A32A74                 UBFX.W          R2, R5, #8, #8
.text:00A32A78                 MOV.W           R4, R5,LSR#24
.text:00A32A7C                 LDRB.W          R12, [LR,R4]
.text:00A32A80                 UXTB            R4, R5
.text:00A32A82                 UBFX.W          R5, R5, #0x10, #8
.text:00A32A86                 LDRB.W          R2, [LR,R2]
.text:00A32A8A                 LDRB.W          R5, [LR,R5]
.text:00A32A8E                 LDRB.W          R4, [LR,R4]
.text:00A32A92                 ORR.W           R2, R2, #0x100
.text:00A32A96                 ORR.W           R5, R5, #0x200
.text:00A32A9A                 LDR.W           R6, [R3,R4,LSL#2]
.text:00A32A9E                 ORR.W           R4, R12, #0x300
.text:00A32AA2                 LDR.W           R2, [R3,R2,LSL#2]
.text:00A32AA6                 LDR.W           R5, [R3,R5,LSL#2]
.text:00A32AAA                 EOR.W           R2, R2, R6
.text:00A32AAE                 LDR.W           R4, [R3,R4,LSL#2]
.text:00A32AB2                 EOR.W           R2, R2, R5
.text:00A32AB6                 EOR.W           R2, R2, R4
.text:00A32ABA                 STR.W           R2, [R1],#4
.text:00A32ABE                 BNE             loc_A32A70
.text:00A32AC0                 POP             {R4-R6,PC}
.text:00A32AC0 ; End of function Aes_SetKey_Dec


Aes_SetKey_Enc
Code:
.text:00A3291C                 EXPORT Aes_SetKey_Enc
.text:00A3291C Aes_SetKey_Enc                          ; CODE XREF: j_Aes_SetKey_Enc+8↑j
.text:00A3291C                                         ; DATA XREF: LOAD:0000222C↑o
.text:00A3291C
.text:00A3291C var_34          = -0x34
.text:00A3291C var_30          = -0x30
.text:00A3291C var_2C          = -0x2C
.text:00A3291C var_28          = -0x28
.text:00A3291C
.text:00A3291C ; __unwind {
.text:00A3291C                 PUSH.W          {R4-R11,LR}
.text:00A32920                 SUB             SP, SP, #0x14
.text:00A32922                 ADD.W           R12, R2, #0x1C
.text:00A32926                 MOVS            R3, #3
.text:00A32928                 MOVS            R7, #0
.text:00A3292A                 MOV.W           R11, R2,LSR#2
.text:00A3292E                 MOV             LR, R2
.text:00A32930                 ADD.W           R3, R3, R2,LSR#3
.text:00A32934                 STR             R3, [R0]
.text:00A32936                 CMP.W           R7, R2,LSR#2
.text:00A3293A                 BEQ             loc_A32964
.text:00A3293C                 ADD.W           R3, R0, #0x10
.text:00A32940                 MOV             R7, R11
.text:00A32942
.text:00A32942 loc_A32942                              ; CODE XREF: Aes_SetKey_Enc+44↓j
.text:00A32942                 LDRB            R5, [R1,#1]
.text:00A32944                 SUBS            R7, #1
.text:00A32946                 LDRB            R6, [R1]
.text:00A32948                 LDRB            R4, [R1,#2]
.text:00A3294A                 LDRB            R2, [R1,#3]
.text:00A3294C                 ORR.W           R6, R6, R5,LSL#8
.text:00A32950                 ADD.W           R1, R1, #4
.text:00A32954                 ORR.W           R6, R6, R4,LSL#16
.text:00A32958                 ORR.W           R2, R6, R2,LSL#24
.text:00A3295C                 STR.W           R2, [R3],#4
.text:00A32960                 BNE             loc_A32942
.text:00A32962                 MOV             R7, R11
.text:00A32964
.text:00A32964 loc_A32964                              ; CODE XREF: Aes_SetKey_Enc+1E↑j
.text:00A32964                 CMP             R7, R12
.text:00A32966                 BCS             loc_A32A34
.text:00A32968                 ADD.W           R1, R0, R7,LSL#2
.text:00A3296C                 STR             R1, [SP,#0x38+var_28]
.text:00A3296E                 MOV             R1, #0xFFFFFFE4
.text:00A32972                 MOVS            R5, #0
.text:00A32974                 SUB.W           R1, R1, LR
.text:00A32978                 STR.W           LR, [SP,#0x38+var_30]
.text:00A3297C                 ADD             R1, R7
.text:00A3297E                 STR             R1, [SP,#0x38+var_2C]
.text:00A32980                 ADDS            R1, R7, #4
.text:00A32982                 SUB.W           R1, R1, LR,LSR#2
.text:00A32986                 ADD.W           R4, R0, R1,LSL#2
.text:00A3298A                 LDR             R0, =(_GLOBAL_OFFSET_TABLE_ - 0xA32992)
.text:00A3298C                 LDR             R1, =(unk_15636B8 - 0x18E9058)
.text:00A3298E                 ADD             R0, PC  ; _GLOBAL_OFFSET_TABLE_
.text:00A32990                 ADD.W           R8, R1, R0 ; unk_15636B8
.text:00A32994                 LDR             R1, =(unk_15637B8 - 0x18E9058)
.text:00A32996                 ADD             R0, R1  ; unk_15637B8
.text:00A32998                 STR             R0, [SP,#0x38+var_34]
.text:00A3299A
.text:00A3299A loc_A3299A                              ; CODE XREF: Aes_SetKey_Enc+116↓j
.text:00A3299A                 LDR             R0, [SP,#0x38+var_28]
.text:00A3299C                 ADDS            R6, R7, R5
.text:00A3299E                 MOV             R1, R11
.text:00A329A0                 ADD.W           R9, R0, R5,LSL#2
.text:00A329A4                 MOV             R0, R6
.text:00A329A6                 LDR.W           R10, [R9,#0xC]
.text:00A329AA                 BLX             __aeabi_uidivmod
.text:00A329AE                 CBZ             R1, loc_A329E4
.text:00A329B0                 LDR             R0, [SP,#0x38+var_30]
.text:00A329B2                 CMP             R0, #0x1C
.text:00A329B4                 BCC             loc_A32A20
.text:00A329B6                 CMP             R1, #4
.text:00A329B8                 BNE             loc_A32A20
.text:00A329BA                 UBFX.W          R0, R10, #8, #8
.text:00A329BE                 UBFX.W          R1, R10, #0x10, #8
.text:00A329C2                 UXTB.W          R2, R10
.text:00A329C6                 MOV.W           R3, R10,LSR#24
.text:00A329CA                 LDRB.W          R0, [R8,R0]
.text:00A329CE                 LDRB.W          R2, [R8,R2]
.text:00A329D2                 LDRB.W          R1, [R8,R1]
.text:00A329D6                 LDRB.W          R3, [R8,R3]
.text:00A329DA                 ORR.W           R0, R2, R0,LSL#8
.text:00A329DE                 ORR.W           R0, R0, R1,LSL#16
.text:00A329E2                 B               loc_A32A1C
.text:00A329E4 ; ---------------------------------------------------------------------------
.text:00A329E4
.text:00A329E4 loc_A329E4                              ; CODE XREF: Aes_SetKey_Enc+92↑j
.text:00A329E4                 MOV             R0, R6
.text:00A329E6                 MOV             R1, R11
.text:00A329E8                 BLX             __aeabi_uidivmod
.text:00A329EC                 LDR             R1, [SP,#0x38+var_34]
.text:00A329EE                 MOV.W           R6, R10,LSR#24
.text:00A329F2                 LDRB.W          R6, [R8,R6]
.text:00A329F6                 UXTB.W          R3, R10
.text:00A329FA                 LDRB.W          R3, [R8,R3]
.text:00A329FE                 LDRB            R0, [R1,R0]
.text:00A32A00                 UBFX.W          R1, R10, #0x10, #8
.text:00A32A04                 UBFX.W          R2, R10, #8, #8
.text:00A32A08                 LDRB.W          R1, [R8,R1]
.text:00A32A0C                 LDRB.W          R2, [R8,R2]
.text:00A32A10                 EORS            R0, R2
.text:00A32A12                 UXTB            R0, R0
.text:00A32A14                 ORR.W           R0, R0, R1,LSL#8
.text:00A32A18                 ORR.W           R0, R0, R6,LSL#16
.text:00A32A1C
.text:00A32A1C loc_A32A1C                              ; CODE XREF: Aes_SetKey_Enc+C6↑j
.text:00A32A1C                 ORR.W           R10, R0, R3,LSL#24
.text:00A32A20
.text:00A32A20 loc_A32A20                              ; CODE XREF: Aes_SetKey_Enc+98↑j
.text:00A32A20                                         ; Aes_SetKey_Enc+9C↑j
.text:00A32A20                 LDR.W           R0, [R4,R5,LSL#2]
.text:00A32A24                 ADDS            R5, #1
.text:00A32A26                 EOR.W           R0, R0, R10
.text:00A32A2A                 STR.W           R0, [R9,#0x10]
.text:00A32A2E                 LDR             R0, [SP,#0x38+var_2C]
.text:00A32A30                 ADDS            R0, R0, R5
.text:00A32A32                 BNE             loc_A3299A
.text:00A32A34
.text:00A32A34 loc_A32A34                              ; CODE XREF: Aes_SetKey_Enc+4A↑j
.text:00A32A34                 ADD             SP, SP, #0x14
.text:00A32A36                 POP.W           {R4-R11,PC}
.text:00A32A36 ; End of function Aes_SetKey_Enc


Other AES strings I found from searching libpfgame.so:
Image

6. Strings I found in libjs.so:
Image

Full list of the game's lib folder:
Image

Full list of the game's internal memory folder, which includes all previous files:
Image
Full list of the game's sdcard memory folder, which mostly contains sprites, assetlist, plist files so it might not be significant:
Image

If there's no way to decrypt this using these data, should I risk modifying the game's lib file to not encode using AES anymore? Thanks!
Edit: Added one extra piece of info.


Top
   
Display posts from previous:  Sort by  
Post new topic  Reply to topic  [ 4 posts ] 

All times are UTC


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Powered by phpBB® Forum Software © phpBB Limited