ZenHAX


All times are UTC




PostPosted: Wed May 08, 2019 6:26 pm 

Joined: Wed May 08, 2019 3:51 pm
Posts: 3
Does anyone in here know how to obtain the RSA Modulus, Public Exponent, Private Exponent from an Unreal Engine 4 game binary executable when it has "pak" signing enabled?

My question is because I wanted to do a modification for a game called "KurtzPel" but it has this enabled.
So just "repaking" with encryption only doesn't work because it won't match the "sig" signature file.

I originally posted about this at Gildor's Forums https://www.gildor.org/smf/index.php/to ... l#msg32543

Does anyone in here know how to obtain the following values for "repaking"?

Code:
EncryptionKey=
SigningPublicExponent=
SigningModulus=
SigningPrivateExponent=


So far I know "EncryptionKey" is AES-256 (32 bytes) which once converted from HEX to Base64 is 44 characters long and can be used directly in UE 4.19 Editor.

(KurtzPel EncryptionKey)

HEX:
Code:
0x38D519D3867059256FFEAA9C7F575787EF2C048D38BF5C33CD1798A445570EE3

Base64:
Code:
ONUZ04ZwWSVv/qqcf1dXh+8sBI04v1wzzReYpEVXDuM=

Tested and working, you can encrypt your own paks with the same encryption used by the game.

But there is a problem: additionally, the game needs the paks to be signed with an RSA key, so it cannot read modified paks by just encrypting them (Store encrypted CRCs of each 128kb chunk of the pak file in a separate sig file alongside the pak file.).

So as the UE4 documentation says,

"SigningPublicExponent" is the RSA key public exponent used for signing a pak file.
"SigningModulus" is the RSA key modulus used for signing a pak file.
"SigningPrivateExponent" is the RSA key private exponent used for signing a pak file.

Here is a randomly generated signing key by UE 4.19,

Base64:
Code:
SigningPublicExponent=/XDcMShioGFM4oCec6JvT/G0TOC95biIJC7+sydYzRkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
SigningModulus=V/SAydLKBE4r5ix7Bi/7FdUe5qA5sSqabYr6G3cIaE0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
SigningPrivateExponent=9VKVlXgm4STlpoLbWudO7tMe5qA5sSqabYr6G3cIaE0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

HEX:
Code:
SigningPublicExponent=0xFD70DC312862A0614CE2809E73A26F4FF1B44CE0BDE5B888242EFEB32758CD190000000000000000000000000000000000000000000000000000000000000000
SigningModulus=0x57F480C9D2CA044E2BE62C7B062FFB15D51EE6A039B12A9A6D8AFA1B7708684D0000000000000000000000000000000000000000000000000000000000000000
SigningPrivateExponent=0xF55295957826E124E5A682DB5AE74EEED31EE6A039B12A9A6D8AFA1B7708684D0000000000000000000000000000000000000000000000000000000000000000


By the way instead of using the Unreal Editor you can also generate them with UnrealPak.exe by using parameters.

Code:
GenerateKeys= P= Q= [-NoVerifyPrimes]


Quote:
An RSA public-key / private-key pair can be generated by the following steps:
1. Generate a pair of large, random primes p and q.
2. Compute the modulus n as n = pq.
3. Select an odd public exponent e between 3 and n-1 that is relatively prime to p-1 and q-1.
4. Compute the private exponent d from e, p and q. (See below.)
5. Output (n, e) as the public key and (n, d) as the private key.


So technically those can be obtained, but here I only have the theory, with no idea how to approach this.
Help on how to obtain this would be really appreciated.


PostPosted: Sat May 11, 2019 4:45 pm 

Joined: Thu Aug 28, 2014 8:57 pm
Posts: 3
No way to go from public key to private without brute force, and that is too much work for the used key sizes. A way for that would break almost all certificate-based stuff (HTTPS included). Google pointers: RSA & factorisation


PostPosted: Mon May 13, 2019 1:34 pm 

Joined: Wed May 08, 2019 3:51 pm
Posts: 3
masterx244 wrote:
No way to go from public key to private without brute force, and that is too much work for the used key sizes. A way for that would break almost all certificate-based stuff (HTTPS included). Google pointers: RSA & factorisation


The game executable is supposed to have the private key, otherwise it couldn't decrypt the game files.


PostPosted: Tue May 14, 2019 4:30 am 

Joined: Tue May 08, 2018 7:48 pm
Posts: 69
JM69 wrote:
The game executable is supposed to have the private key, otherwise it couldn't decrypt the game files.


No, the game exe does not need to have the private key to check the signature. You only need the RSA public key to do it.

The AES key (for encrypting the pak index) and the RSA private key (for generating the pak signature) are different. The game executable only contains the AES key and the RSA public key.
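
The point of the last reply, combined with the key-generation steps quoted in the first post, as an added example that is not part of the thread and is not Unreal Engine code: signing per-chunk CRCs needs the private exponent d, while checking them needs only (n, e). The primes are constructed toy values, the RSA is textbook (no padding), the function names are hypothetical, and the real .sig file layout is not reproduced.

```python
import zlib
from math import gcd

CHUNK = 128 * 1024  # chunk size the first post gives for the .sig file

def make_keypair(p, q, e=65537):
    """Quoted steps 2-5: n = p*q, then d = e^-1 mod lcm(p-1, q-1)."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    if gcd(e, lam) != 1:
        raise ValueError("e must be relatively prime to p-1 and q-1")
    return (n, e), (n, pow(e, -1, lam))  # (public key, private key)

def chunk_crcs(data):
    """CRC32 of each 128 KiB chunk of the archive."""
    return [zlib.crc32(data[i:i + CHUNK]) for i in range(0, len(data), CHUNK)]

def sign_chunks(data, private_key):
    """Build side: the only step that needs d."""
    n, d = private_key
    return [pow(crc, d, n) for crc in chunk_crcs(data)]

def verify_chunks(data, sigs, public_key):
    """Runtime side: recovers each CRC with (n, e) alone, no d involved."""
    n, e = public_key
    crcs = chunk_crcs(data)
    return len(crcs) == len(sigs) and all(
        pow(s, e, n) == c for s, c in zip(sigs, crcs))

# Constructed toy inputs: two small Mersenne primes and a fake archive.
P, Q = 2**31 - 1, 2**61 - 1
SAMPLE = bytes(range(256)) * 1200  # 300 KiB -> 3 chunks

if __name__ == "__main__":
    public, private = make_keypair(P, Q)
    sigs = sign_chunks(SAMPLE, private)
    print("original verifies:", verify_chunks(SAMPLE, sigs, public))
    modified = b"X" + SAMPLE[1:]
    print("modified verifies:", verify_chunks(modified, sigs, public))
```

With real key sizes, computing d from (n, e) requires factoring n, which is the cost the second reply refers to.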

