ZenHAX

Free Game Research Forum | Official QuickBMS support | twitter @zenhax | SSL HTTPS://zenhax.com

All times are UTC




Posted: Thu Apr 16, 2020 3:48 pm

Joined: Sat Sep 28, 2019 7:00 pm
Posts: 158
@Firecube: It's not an easy task either and involves debugging mobile app with graphics debuggers (also, maybe there is simpler method to do so engine-wise). Still, it's easier than reverse-engineering paks format, especially with encrypted index.

Also, since only index is obfuscated or encrypted in those paks, but not files themselves, you can extract raw chunks from any pak with offzip ("offzip -a your.pak output_folder") and then merge them, following known UE4 assets patterns. For example, there will be 01.uasset, 02.dat, 03.dat, 04.uasset, 05.dat and so on. Here 01.uasset is a header and 02.dat/03.dat are parts of that uasset or ubulk. So, merging 01+02+03 into one uasset will get you one working asset (probably, because there are also headerless ubulk files).
But this approach is not effective at all, because there are many assets types out there and total amount of assets can be 10k+ easily.

In any case, you can't get anything from those paks, since devs not only xor'ed index, but also obfuscated its offset and size - that means you must r-e libUE4.so library to find out what they did there. Alternatively, I think it's possible to find out index's offset and size for every pak manually and extract them with modified bms script.

_________________
You can request AES keys on rin forums (the list with keys is also there)
AES keys finder and latest UE4 bms scripts: in this post


Posted: Fri Apr 17, 2020 4:45 am

Joined: Tue Oct 08, 2019 4:40 pm
Posts: 4
• Engine: UE 4.22 (Should be)
• Available on iOS and Android.
• No shipping.exe (Might be a problem for encryption grabbing, don't know).
• I do have the paks from iOS as I'm jailbroken and can file tamper. Just let me know if you need them.

If anyone has the time to crack it, would be appreciated cheers!


Attachments:
Capture.PNG [72.08 KiB]

Posted: Sat Apr 18, 2020 6:55 pm

Joined: Sat Sep 28, 2019 7:00 pm
Posts: 158
I've noticed that PUBG Lite still has the same format as mobile version before (not encrypted, but with xor'ed index). For some reason pubg_mobile-extract script doesn't work with it, so here is working script for quickbms. Tested on latest version at the moment.

You can find the script in this post.



Last edited by spiritovod on Wed May 06, 2020 2:33 pm, edited 1 time in total.

Posted: Tue Apr 21, 2020 12:55 am

Joined: Tue Apr 07, 2020 10:34 am
Posts: 10
Hi spiritovod, please, my name is Sarah, AES key.


Posted: Tue Apr 21, 2020 2:05 am

Joined: Wed Apr 24, 2019 9:33 am
Posts: 4
Key: 0x42163963B2E095A8D673B48B703B6DE016FE4DC36E0796CC14531C8DAE87E4BC
Download link: https://object.blue-protocol.com/setup/qe1MU2mMQlsRLDnpwby33hXq/BLUEPROTOCOL_Setup.exe


Posted: Tue Apr 21, 2020 5:37 pm

Joined: Fri Mar 30, 2018 2:48 am
Posts: 278
AES Keys? :?:
If anyone needs to get keys on newer games (UE4 versions 4.19 and above), try the tool in my signature. :)
Hope it can be of help to people looking for keys.
Good luck!

_________________
If you appreciate my work and want to donate:
Paypal: ghfear@hotmail.com

AES Key Finder 1.8: https://zenhax.com/viewtopic.php?f=17&t=9407&start=20


Posted: Tue Apr 21, 2020 9:22 pm

Joined: Tue Apr 07, 2020 10:34 am
Posts: 10
GHFear wrote:
AES Keys? :?:
If anyone needs to get keys on newer games (UE4 versions 4.19 and above), try the tool in my signature. :)
Hope it can be of help to people looking for keys.
Good luck!
Thanks bro, good work.


Posted: Wed Apr 22, 2020 1:35 am

Joined: Wed Jun 05, 2019 7:30 am
Posts: 4
GHFear wrote:
AES Keys? :?:
If anyone needs to get keys on newer games (UE4 versions 4.19 and above), try the tool in my signature. :)
Hope it can be of help to people looking for keys.
Good luck!

Can this work for UE4 android game?


Posted: Wed Apr 22, 2020 2:31 pm

Joined: Fri Mar 30, 2018 2:48 am
Posts: 278
Dark_VladislaV wrote:
GHFear wrote:
AES Keys? :?:
If anyone needs to get keys on newer games (UE4 versions 4.19 and above), try the tool in my signature. :)
Hope it can be of help to people looking for keys.
Good luck!

Can this work for UE4 android game?


Not yet. Perhaps in the future.

Posted: Thu Apr 23, 2020 8:02 am

Joined: Wed Apr 22, 2020 5:10 pm
Posts: 4
spiritovod wrote:
@Firecube: It's not an easy task either and involves debugging mobile app with graphics debuggers (also, maybe there is simpler method to do so engine-wise). Still, it's easier than reverse-engineering paks format, especially with encrypted index.

Also, since only index is obfuscated or encrypted in those paks, but not files themselves, you can extract raw chunks from any pak with offzip ("offzip -a your.pak output_folder") and then merge them, following known UE4 assets patterns. For example, there will be 01.uasset, 02.dat, 03.dat, 04.uasset, 05.dat and so on. Here 01.uasset is a header and 02.dat/03.dat are parts of that uasset or ubulk. So, merging 01+02+03 into one uasset will get you one working asset (probably, because there are also headerless ubulk files).
But this approach is not effective at all, because there are many assets types out there and total amount of assets can be 10k+ easily.

In any case, you can't get anything from those paks, since devs not only xor'ed index, but also obfuscated its offset and size - that means you must r-e libUE4.so library to find out what they did there. Alternatively, I think it's possible to find out index's offset and size for every pak manually and extract them with modified bms script.




:) HOW CAN I MERGE EXTRACTED FILES?


Posted: Thu Apr 23, 2020 8:58 am

Joined: Wed Apr 22, 2020 5:10 pm
Posts: 4
Can anyone help me with this?


Attachments:
Screenshot (4).png [105.16 KiB]

Posted: Thu Apr 23, 2020 4:15 pm

Joined: Sat Sep 28, 2019 7:00 pm
Posts: 158
@TGGAMING: You're trying to extract mobile version with lite script, but they are not compatible.
And if you don't know how to merge files, google will help you (any hex editor will do). Anyway, if you don't know about internal structure of different UE4 assets, that method is of no use to you. It was just an observation and it's not really a useful way to explore pak contents.

Posted: Fri Apr 24, 2020 9:43 am

Joined: Sat Sep 28, 2019 7:00 pm
Posts: 158
Wrote some POC for aes keys finder (one exe -> one key or not found). JRE 8 or above is required to run it. Readme is included in the archive (please read it carefully to avoid issues). Virustotal report for those who care: link.
Bleeding Edge is supported, unless they'll change something related in the code. Last Oasis is also supported in version 0.9c. Finder can detect protected games starting from version 0.9d. Small fixes in version 0.9e. Additional message in case if a key is not found in version 0.9f.

Update 14.07.2020:
POC for aes keys finder in mobile games added (one game -> one key or not found). JRE 8 or above is required to run it. Readme is included in the archive (please read it carefully to avoid issues). Virustotal report for those who care: link.
Fixed premature appearance of key.txt, fixed issue when finder could work more than expected, added total execution time to output message in version 0.9c. Some optimizations were removed to improve compatibility with newest games in version 0.9d. More optimizations were removed to improve compatibility with some old games in version 0.9e (previous version is recommended though).

Known unsupported games: PUBG (all versions), Sea of Thieves.

-----------------------------------------------------------------------

I've decided to move all modified scripts to one post (this one). The reason why they can't be merged is because currently there is no way to distinguish them by archives names. Current method with scanning folder name for a pattern is not very effective, since pak archives can be moved anywhere.

Original post with modified script by ssh: viewtopic.php?t=1005&start=1200#p51805 (0.4.23.1a).
Latest official version of the script by aluigi: http://aluigi.org/bms/unreal_tournament_4.bms (0.4.24b at the moment).
Script with initial v9 paks support (0.4.25) - "latest_UE4_bms-script".

Supported games (with specific scripts): Sea of Thieves (SOT), State of Decay 2 (SOD2, latest versions), PUBG Lite, PUBG Mobile/Mobile Lite, PUBG Mobile (Chinese ver.), Friday 13th Game (F13G), Bless Mobile, Dragon Quest XI (DQ11) + normals fix, Days Gone.


Attachments:
UE4_bms_specific_scripts.zip [65.95 KiB]
Downloaded 6 times
AES_finder_mobile_0.9e.zip [43.42 KiB]
Downloaded 2 times
AES_finder_0.9f.zip [41.4 KiB]
Downloaded 85 times
latest_UE4_bms-script.zip [3.21 KiB]
Downloaded 139 times



Last edited by spiritovod on Sun Aug 02, 2020 6:23 pm, edited 25 times in total.

Posted: Sun Apr 26, 2020 6:13 am

Joined: Wed Nov 15, 2017 1:30 am
Posts: 66
Awesome stuff spiritovod!


Posted: Sun Apr 26, 2020 12:20 pm

Joined: Fri Mar 30, 2018 2:48 am
Posts: 278
spiritovod wrote:
Wrote some POC for aes keys finder (one exe -> one key or not found). JRE 8 or above is required to run it. Readme is included in the archive (please read it carefully to avoid issues). Virustotal report for those who care: link.
Bleeding Edge is supported, unless they'll change something related in the code. Last Oasis is also supported in version 0.9c.

Known unsupported games: PUBG, Sea of Thieves, all mobile games (because optimized dalvik code doesn't have any recognizable patterns).

-----------------------------------------------------------------------

I've decided to move all modified scripts to one post (this one). The reason why they can't be merged is because currently there is no way to distinguish them by archives names. Current method with scanning folder name for a pattern is not very effective, since pak archives can be moved anywhere.

Original post with modified script by ssh: viewtopic.php?t=1005&start=1200#p51805 (0.4.23.1a).
Latest official version of the script by aluigi: http://aluigi.org/bms/unreal_tournament_4.bms (0.4.24b at the moment).

Supported games (with specific scripts): Sea of Thieves (SOT), State of Decay 2 (SOD2, latest versions), PUBG Lite.


Really nice :]
This will help a lot of people.

Posted: Tue Apr 28, 2020 8:55 pm

Joined: Sat Sep 28, 2019 7:00 pm
Posts: 158
^ Thanks. The only downside is that the list with keys will not be updated frequently like before. I encourage all people using GHFear's or my key finders to post their results if that key is not present in the list or outdated there. It will be especially helpful in case of protected games (like UWP games).

Anyway, now I'm looking into aes keys in mobile games built with UE4. If you know any such game with known or unknown keys, let me know. The games I'm already aware of: M.A.D. 8 (key known), Injustice 2 Mobile (key known), Dead by Daylight (key unknown), Traha (key unknown), Bless Mobile (key unknown), Blade And Soul Revolution (key known) and Blade II (key known). If you'll mention some Asian games which are hard to get, you can also PM me lib\arm64-xxx\libUE4.so from extracted apk, and a sample pak. Can't promise anything though, because it's more for research purposes at the moment, but it will be appreciated.
I know a little about that stuff, but it's probably good exercise for neural networks / deep learning devs, considering specifics of that "brute-force" approach to keys.



Last edited by spiritovod on Fri May 01, 2020 2:03 am, edited 2 times in total.

Posted: Wed Apr 29, 2020 10:10 am

Joined: Wed Apr 22, 2020 5:10 pm
Posts: 4
@spiritovod
I would like to try a method that allows things to be shown in runtime, and I think it requires some values. What is the way to do this?


Posted: Thu Apr 30, 2020 6:15 pm

Joined: Fri Feb 28, 2020 11:38 pm
Posts: 3
Hi, for Dungeon Defenders Awakened, they have recently updated the game, but the current key (0x4FFEC9593990380FF7987674CD6CCC408EC4EEFFB79920C6137919C4F268A09F) doesn't work with unreal_tournament_4_0.4.23.1a.bms anymore as it gives the following:

Code:
Error: incomplete input file -10:
       Can't read 5 bytes from offset 00000000004c1450.
       Anyway don't worry, it's possible that the BMS script has been written
       to exit in this way if it's reached the end of the archive so check it
       or contact its author or verify that all the files have been extracted.
       Please check the following coverage information to know if it's ok.

  coverage file -10 100%   4985936    4985936    . offset 00000000004c1450

Last script line before the error or that produced the error:
  153 get CHUNK_END_OFFSET longlong TOC_FILE


I have also tried using the AES key finders but they do not find a match.

Here is the latest shipping exe https://mega.nz/file/5MMXhSTK#mQO6Tcgpk ... OJu0NooR4g

I would appreciate if anyone could help.


Posted: Thu Apr 30, 2020 6:44 pm

Joined: Sat Sep 28, 2019 7:00 pm
Posts: 158
@Vaziayu: You either have more than one exe besides AES_finder in the same folder (it can't handle more than one game exe at a time) or you forgot to remove steam protection from the exe. Just tested my finder and it works just fine. Next time please read included readme carefully.

@TGGAMING: It has been already explained before that it's not an easy task, and there is no complete guide about how to do it as well. And I'm not going to write such guide too.

Posted: Thu Apr 30, 2020 8:32 pm

Joined: Fri Feb 28, 2020 11:38 pm
Posts: 3
spiritovod wrote:
@Vaziayu: You either have more than one exe besides AES_finder in the same folder (it can't handle more than one game exe at a time) or you forgot to remove steam protection from the exe. Just tested my finder and it works just fine. Next time please read included readme carefully.

@TGGAMING: It has been already explained before that it's not an easy task, and there is no complete guide about how to do it as well. And I'm not going to write such guide too.


I see the part saying about Steamless now, I seemed to have skimmed past it interpreting it as part of the Java runtime requirement, my apologies and thanks for your help.

