ZenHAX


All times are UTC




PostPosted: Mon Mar 25, 2019 3:15 pm 

Joined: Tue Feb 26, 2019 7:14 am
Posts: 11
Hi all, I've found the decryption func in dffnt.exe here:
https://pastebin.com/KvkjYUrr

The Key is ahcTaNwLcATRE... and three bytes E2,5E,C8.

I am a noob to Cryptography and cannot recognize this, hope some of you can help.

BTW KT's doaxvv uses the same algorithm.


Top
   
PostPosted: Mon Mar 25, 2019 4:36 pm 

Joined: Thu Aug 07, 2014 10:28 pm
Posts: 227
is the key the same in vv?


Top
   
PostPosted: Mon Mar 25, 2019 4:49 pm 

Joined: Tue Feb 26, 2019 7:14 am
Posts: 11
chrrox wrote:
is the key the same in vv?

different keys


Top
   
PostPosted: Mon Mar 25, 2019 4:51 pm 

Joined: Thu Aug 07, 2014 10:28 pm
Posts: 227
Can you post the vv key? I think I know how it works in that game.


Top
   
PostPosted: Mon Mar 25, 2019 10:43 pm 

Joined: Thu Aug 07, 2014 10:28 pm
Posts: 227
Here is that function in pseudocode from IDA.
https://pastebin.com/raw/mQuwMy4x


Top
   
PostPosted: Tue Mar 26, 2019 3:21 am 

Joined: Tue Feb 26, 2019 7:14 am
Posts: 11
chrrox wrote:
Can you post the vv key? I think I know how it works in that game.

I haven't updated vv, and it's not runnable on my PC now...

You can try to find the key yourself; take the (outdated) doax_vv.exe below as an example:
https://mega.nz/#!LjpABYpR!Y7FaF06WYfuS ... UyLvbIdSHA

1400FEEA0 (file offset FE2A0) is the decrypt function; find that in the current vv executable,
then you can get the key string in RAM.


Top
   
PostPosted: Tue Mar 26, 2019 10:07 pm 

Joined: Thu Aug 07, 2014 10:28 pm
Posts: 227
Thanks, I thought that was the function; I found it in the latest exe.
I am going to try to follow what is happening.


Top
   
PostPosted: Thu Mar 28, 2019 9:33 am 

Joined: Thu Aug 07, 2014 10:28 pm
Posts: 227
In your Dissidia code I know how it works; we just need to find how to generate the 4-byte key for the file.
In the example:

Code:
v57 = *(_BYTE *)(v13 % v50 + v51) ^ *((_BYTE *)v9 + v13 % v52 + 40);
v57 = v9[(v13 % v52) + 40] ^  v51[v13 % v50]


We need to figure out how to generate v9, if you can figure that out, or tell me the function name and I'll look at it.

In the older game v9 was generated with:
Code:
def generate_key(num):
    # Derive the per-file key bytes from num (older game).
    A = num + 0x3e7
    B = A * 8  # FIXME: missing sth here to catch the possible overflow
    B -= A
    C = B // 0xB + num % 0x11 + 0x1AC  # integer division, no float rounding
    key = []
    sh = 24
    while sh >= 0:
        # Walk C from the most significant byte down, dropping zero bytes.
        val = (C >> sh) & 0xff
        if val > 0:
            key.append(val)
        sh -= 8
    return bytes(key)


Anyway, how the encryption works is:
Take the secret XOR seed you posted
and the 4-byte secret per-file key and XOR them.
Then take that result and XOR the entire encrypted file with it, starting at offset 0x4 (after the file size),
and you skip XORing the byte if it is 0 or the same byte as the XOR.
That's it.


Top
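The transformation described in the post above, as an added example that is not part of the thread or of the tools attached to it. SEED and FILE_KEY are constructed placeholders, and counting the key index from the first transformed byte (offset 0x4) is an assumption.

```python
# Added illustration of the XOR scheme described in the post above.
# SEED and FILE_KEY are constructed placeholders, not keys from any game.
SEED = b"AB"
FILE_KEY = bytes([0x01, 0x02, 0x03, 0x04])
BODY_OFFSET = 0x4  # the post: the XOR starts after the 4-byte file size


def combined_key(seed: bytes, file_key: bytes, length: int) -> bytes:
    """Key byte i = file_key[i % len(file_key)] ^ seed[i % len(seed)],
    mirroring v9[(v13 % v52) + 40] ^ v51[v13 % v50] from the thread."""
    return bytes(file_key[i % len(file_key)] ^ seed[i % len(seed)]
                 for i in range(length))


def xor_body(data: bytes, seed: bytes, file_key: bytes,
             start: int = BODY_OFFSET) -> bytes:
    """Apply the keyed XOR to data[start:], leaving a byte untouched when it
    is 0 or equal to its key byte (the skip rule from the post).
    Assumption: the key index counts from the first transformed byte."""
    out = bytearray(data)
    key = combined_key(seed, file_key, max(len(data) - start, 0))
    for i, k in enumerate(key):
        b = out[start + i]
        if b != 0 and b != k:
            out[start + i] = b ^ k
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: 4-byte size field, then a body containing a zero
    # byte and a byte equal to the key at its position (both are skipped).
    sample = bytes([0x08, 0, 0, 0, 0x00, 0x40, 0x41, 0x47])
    once = xor_body(sample, SEED, FILE_KEY)
    print(once.hex(), xor_body(once, SEED, FILE_KEY) == sample)
```

Because a byte that is 0 or equal to its key byte is left alone, applying the routine twice returns the input, so the same function covers both directions.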
   
PostPosted: Thu Mar 28, 2019 5:11 pm 

Joined: Tue Feb 26, 2019 7:14 am
Posts: 11
chrrox wrote:
In your Dissidia code I know how it works; we just need to find how to generate the 4-byte key for the file.
In the example:

Code:
v57 = *(_BYTE *)(v13 % v50 + v51) ^ *((_BYTE *)v9 + v13 % v52 + 40);
v57 = v9[(v13 % v52) + 40] ^  v51[v13 % v50]


We need to figure out how to generate v9, if you can figure that out, or tell me the function name and I'll look at it.

In the older game v9 was generated with:
Code:
def generate_key(num):
    # Derive the per-file key bytes from num (older game).
    A = num + 0x3e7
    B = A * 8  # FIXME: missing sth here to catch the possible overflow
    B -= A
    C = B // 0xB + num % 0x11 + 0x1AC  # integer division, no float rounding
    key = []
    sh = 24
    while sh >= 0:
        # Walk C from the most significant byte down, dropping zero bytes.
        val = (C >> sh) & 0xff
        if val > 0:
            key.append(val)
        sh -= 8
    return bytes(key)


Anyway, how the encryption works is:
Take the secret XOR seed you posted
and the 4-byte secret per-file key and XOR them.
Then take that result and XOR the entire encrypted file with it, starting at offset 0x4 (after the file size),
and you skip XORing the byte if it is 0 or the same byte as the XOR.
That's it.


Thanks, by your hint I have successfully decrypted the TOC file :)

Other files do not have the first 4 bytes as the unzipped size; they are recorded in the TOC.

Also the zip structure:
int32[zlib_blob size+0x8000]
zlib_blob
align 0x10
int32[zlib_blob size+0x8000]
....

Some zips may have uncompressed ending data; see log.


Attachments:
File comment: algo updated
cryptfixed.rar [9.64 KiB]
Downloaded 102 times
ktcry_test.rar [534.52 KiB]
Downloaded 95 times
Top
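A reader for the chunk layout listed in the post above, as an added example that is not taken from the attached tools. Little-endian length fields, alignment measured from the start of the buffer, and treating whatever does not parse as a chunk as the uncompressed ending data are assumptions; the sample container is constructed.

```python
import struct
import zlib

CHUNK_BIAS = 0x8000          # from the post: length field = zlib_blob size + 0x8000
ALIGN = 0x10                 # from the post: align 0x10 after each blob
MAX_CHUNK_OUT = 16 << 20     # added safety cap per chunk (assumption)


def unpack_chunks(buf: bytes) -> tuple[bytes, bytes]:
    """Return (decompressed data, trailing raw bytes)."""
    out = bytearray()
    pos = 0
    while pos + 4 <= len(buf):
        (field,) = struct.unpack_from("<I", buf, pos)  # assumed little-endian
        size = field - CHUNK_BIAS
        end = pos + 4 + size
        if size <= 0 or end > len(buf):
            break  # not a chunk header: the rest is the raw tail (assumption)
        d = zlib.decompressobj()
        try:
            chunk = d.decompress(buf[pos + 4:end], MAX_CHUNK_OUT)
        except zlib.error:
            break  # not a zlib stream: also treated as the raw tail
        if d.unconsumed_tail:
            raise ValueError("chunk expands past MAX_CHUNK_OUT")
        out += chunk
        pos = -(-end // ALIGN) * ALIGN  # round up to the next 0x10 boundary
    return bytes(out), buf[pos:]


def pack_chunks(parts: list[bytes], tail: bytes = b"") -> bytes:
    """Build a constructed sample container in the same layout."""
    buf = bytearray()
    for part in parts:
        blob = zlib.compress(part)
        buf += struct.pack("<I", len(blob) + CHUNK_BIAS) + blob
        buf += b"\x00" * (-len(buf) % ALIGN)
    return bytes(buf + tail)


if __name__ == "__main__":
    sample = pack_chunks([b"A" * 100, b"hello world"], tail=b"RAW!")
    data, tail = unpack_chunks(sample)
    print(len(data), tail)
```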
   
PostPosted: Fri Mar 29, 2019 12:34 pm 

Joined: Thu Aug 07, 2014 10:28 pm
Posts: 227
Very nice going to try this on vv tonight


Top
   
PostPosted: Mon Apr 01, 2019 1:58 am 

Joined: Sun Aug 30, 2015 12:51 pm
Posts: 53
Tools generate errors about missing files on Q: drive. I think you have hard-coded those links by mistake.


Top
   
PostPosted: Mon Apr 01, 2019 2:27 am 

Joined: Tue Feb 26, 2019 7:14 am
Posts: 11
Panzerdroid wrote:
Tools generate errors about missing files on Q: drive. I think you have hard-coded those links by mistake.

The messy C# source is here: pastebin.com/ySWUFhai (not more readable than dnSpy etc. output, I think)

The purpose of deRest.exe is to decompress all the assets (which have already been moved to their real paths) and make them work with a patched TOC and dffnt.exe
I don't think anyone else needs that so...
I put that in the package in case someone wants a ktcry.dll usage example...


Top
   
PostPosted: Tue Apr 02, 2019 12:57 am 

Joined: Wed Mar 23, 2016 5:11 am
Posts: 58
moiennepe wrote:
The purpose of deRest.exe is to decompress all the assets (which have already been moved to their real paths) and make them work with a patched TOC and dffnt.exe

Unfortunately I can't make it work, any chance for an example on how to use this stuff?


Top
   
PostPosted: Wed Apr 17, 2019 5:18 am 

Joined: Fri Jul 20, 2018 2:27 pm
Posts: 6
It would be really nice if it could be properly explained how to use this to decrypt PC game files, I'd love to extract assets such as audio (character voices) and poke at the various message archive files.


Top
   
PostPosted: Mon May 13, 2019 9:35 am 

Joined: Sun Mar 31, 2019 7:14 am
Posts: 3
anything?


Top
   
PostPosted: Fri May 17, 2019 11:42 pm 

Joined: Sun May 31, 2015 2:23 am
Posts: 332
So any word on a method to extract Dissidia NT's files? It'd be really helpful for my projects.


Top
   