ZenHAX


All times are UTC




Posted: Thu Apr 13, 2017 5:14 pm

Joined: Tue Apr 04, 2017 11:44 am
Posts: 236
michalss wrote:
Rick wrote:
Hook BCryptVerifySignature and make it return true. It's a proper RSA public+private key pair, can't forge signatures. So either replace RSA keys or break signature validation.

Hmm thx Rick is there any chance to find key for us pls ? It is above my knowledge to be honest..


thats mathematically impossible and replacing needs a way to inject code, its waaaay easier to hook the function he mentioned...

Rick wrote:
Hook BCryptVerifySignature and make it return true. It's a proper RSA public+private key pair, can't forge signatures. So either replace RSA keys or break signature validation.


I attached an empty project that contains a proxy dll, for anyone needing a start to inject code, just use the main function, for now it just shows a hello world message box. compile it and put the resulting AnselSDK64.dll together with AnselSDK64_org.dll into the rootfolder of mea. code gets executed after denuvo and before engine start :)

greetz WV

PS: in case someone wonders how I make those dlls, I made myself a tool for that: https://www.youtube.com/watch?v=lAY_ww8SNmM


Attachments:
AnselSDK64.rar [155.22 KiB]
Downloaded 78 times
Posted: Thu Apr 13, 2017 6:31 pm

Joined: Sun Aug 10, 2014 12:49 pm
Posts: 241
warrantyvoider wrote:
michalss wrote:
Rick wrote:
Hook BCryptVerifySignature and make it return true. It's a proper RSA public+private key pair, can't forge signatures. So either replace RSA keys or break signature validation.

Hmm thx Rick is there any chance to find key for us pls ? It is above my knowledge to be honest..


thats mathematically impossible and replacing needs a way to inject code, its waaaay easier to hook the function he mentioned...

Rick wrote:
Hook BCryptVerifySignature and make it return true. It's a proper RSA public+private key pair, can't forge signatures. So either replace RSA keys or break signature validation.


I attached an empty project that contains a proxy dll, for anyone needing a start to inject code, just use the main function, for now it just shows a hello world message box. compile it and put the resulting AnselSDK64.dll together with AnselSDK64_org.dll into the rootfolder of mea. code gets executed after denuvo and before engine start :)

greetz WV

PS: in case someone wonders how I make those dlls, I made myself a tool for that: https://www.youtube.com/watch?v=lAY_ww8SNmM


Very interesting method. Finding the key must be possible from the exe if there is no denuvo, I believe; however, I don't know exactly how to use these dlls yet :) never done it before, so I guess I need to learn something about it.. As far as I understand, all we need is to hook this function so that every call for header validation returns true, right?


Posted: Thu Apr 13, 2017 6:46 pm

Joined: Tue Apr 04, 2017 11:44 am
Posts: 236
I could print the key out, overwrite it, etc, but why? this works too...
Image

michalss wrote:
... however i dont know how exactly use this dlls yet :) ...

just copy this dll and the AnselSDK64_org.dll from previous post into the folder, where the game exe is (overwrite the existing one, back it up if you want), then start the game


Attachments:
AnselSDK64.rar [17.18 KiB]
Downloaded 78 times


Last edited by warrantyvoider on Thu Apr 13, 2017 6:54 pm, edited 2 times in total.
Posted: Thu Apr 13, 2017 6:50 pm

Joined: Sun Aug 10, 2014 12:49 pm
Posts: 241
warrantyvoider wrote:
I could print the key out, overwrite it, etc, but why? this works too...
Image


Sure, if this works there is no need to break the key. Is this a completely usable DLL? Can I try it with my modified files with original headers, or does it still need some modifications? It might be a strange question, but as I said I have zero experience with hooking and stuff... but I'm able to modify files for my needs..


Posted: Fri Apr 14, 2017 10:25 am

Joined: Sun Aug 10, 2014 12:49 pm
Posts: 241
Thank you a lot WV and Rick it works like charm :)..


Posted: Fri Apr 14, 2017 10:34 am

Joined: Tue Apr 04, 2017 11:44 am
Posts: 236
michalss wrote:
Thank you a lot WV and Rick it works like charm :)..

np, any screenshots? trying import today too...


Posted: Fri Apr 14, 2017 10:50 am

Joined: Sun Aug 10, 2014 12:49 pm
Posts: 241
warrantyvoider wrote:
michalss wrote:
Thank you a lot WV and Rick it works like charm :)..

np, any screenshots? trying import today too...



Yes very soon during today... :)


Posted: Fri Apr 14, 2017 11:29 am

Joined: Tue Apr 04, 2017 11:44 am
Posts: 236
here some quick tests ive tried: (all on layout.toc because its one of the first files to load, and Data\Win32\streaminginstall\ayainstallpackage\cas.cat)
-as expected, using the exported, unobfuscated preview of tocs from my browser loads fine if the footer is removed, so will have to fix my code for that
-without the dll a single change in the toc headers key will stall the exe on startup, with the dll I can see the verification access use, so works fine
-same goes for cat files

so I guess I can start writing an "SetDataBySha1(byte[] sha1, byte[] data);" function and later add it to my plugin interface for you to use

EDIT: first update was accepted^^


Posted: Fri Apr 14, 2017 4:13 pm

Joined: Tue Apr 04, 2017 11:44 am
Posts: 236
welcome to import/export business :D

Image

notes:
-this automatically edits cat file, finds a new cas file (from 99 downwards) and appends the chunk data to it
-automatically compresses with zstd and creates chunk blocks
-importing encrypted embargo content IS NOT yet implemented (comes soon, dear translators^^)
-if you can have a hexpreview (of something in VFS), then you can also import (chunks, ebx and res data)
-works with my dll, game loads this happily

now im going to add this to my plugin interface and make a demo plugin to display and edit data by sha1

PS: backup your data, redownloading/rescanning 42gb is no fun!


Attachments:
Release.rar [341.29 KiB]
Downloaded 95 times
Posted: Fri Apr 14, 2017 7:35 pm

Joined: Thu Aug 13, 2015 5:08 pm
Posts: 21
Can you extract models with this tool? If not, any plans for that?

Thanks for your work WarrantyVoider.


Posted: Fri Apr 14, 2017 8:36 pm

Joined: Sun Aug 10, 2014 12:49 pm
Posts: 241
warrantyvoider wrote:
michalss wrote:
Thank you a lot WV and Rick it works like charm :)..

np, any screenshots? trying import today too...



Here you go :)

Image


Last edited by michalss on Fri Apr 14, 2017 8:48 pm, edited 1 time in total.

Posted: Fri Apr 14, 2017 8:41 pm

Joined: Tue Apr 04, 2017 11:44 am
Posts: 236
Snowpiercer wrote:
Can you extract models with this tool? If not, any plans for that?

Thanks for your work WarrantyVoider.


now you can, if you have some external tool for it^^

added import for encrypted/embargoed content, like the talktables!

this means, if you already have a working talktable editor, you can already try it out ingame, I have to make one before I can test that, but I clearly see the game still loads, as does my tools :D

greetz

EDIT:
michalss wrote:
warrantyvoider wrote:
michalss wrote:
Thank you a lot WV and Rick it works like charm :)..

np, any screenshots? trying import today too...



Here you go :)
noice, ill get there too soon^^


Attachments:
Release.rar [339.83 KiB]
Downloaded 60 times


Last edited by warrantyvoider on Fri Apr 14, 2017 10:08 pm, edited 3 times in total.
Posted: Fri Apr 14, 2017 8:59 pm

Joined: Fri Apr 14, 2017 7:42 pm
Posts: 4
warrantyvoider wrote:
welcome to import/export business :D

Image

notes:
-this automatically edits cat file, finds a new cas file (from 99 downwards) and appends the chunk data to it
-automatically compresses with zstd and creates chunk blocks
-importing encrypted embargo content IS NOT yet implemented (comes soon, dear translators^^)
-if you can have a hexpreview (of something in VFS), then you can also import (chunks, ebx and res data)
-works with my dll, game loads this happily

now im going to add this to my plugin interface and make a demo plugin to display and edit data by sha1

PS: backup your data, redownloading/rescanning 42gb is no fun!



i'll be the noob here.

how do you launch the browser?
i just get a pop up then nothing. log is empty.


Posted: Fri Apr 14, 2017 9:41 pm

Joined: Tue Apr 04, 2017 11:44 am
Posts: 236
paulscottttt wrote:
i'll be the noob here.

how do you launch the browser?
i just get a pop up then nothing. log is empty.


how about you say what you did and what the popup said?


Posted: Fri Apr 14, 2017 9:44 pm

Joined: Fri Apr 14, 2017 7:42 pm
Posts: 4
warrantyvoider wrote:
paulscottttt wrote:
i'll be the noob here.

how do you launch the browser?
i just get a pop up then nothing. log is empty.


how about you say what you did and what the popup said?


just a standard run as ad'


Posted: Fri Apr 14, 2017 9:51 pm

Joined: Tue Apr 04, 2017 11:44 am
Posts: 236
paulscottttt wrote:
just a standard run as ad'


im honestly sorry, I dont know what happened, but the upload was indeed somehow corrupted, so thanks for testing and reporting! I reuploaded it now, and this should work. Please redownload and sry again

greetz


Posted: Fri Apr 14, 2017 10:01 pm

Joined: Fri Apr 14, 2017 7:42 pm
Posts: 4
warrantyvoider wrote:
paulscottttt wrote:
just a standard run as ad'


im honestly sorry, I dont know what happened, but the upload was indeed somehow corrupted, so thanks for testing and reporting! I reuploaded it now, and this should work. Please redownload and sry again

greetz


no worries. i'll await the reupload :)


Posted: Fri Apr 14, 2017 10:16 pm

Joined: Tue Apr 04, 2017 11:44 am
Posts: 236
so I added try/catch and log output for this problem, this way it always starts, but...

...the problem is the plugin system! the exact error is

Code:
Could Not Load Assembly: Operation not Supported (Exception from HRESULT: 0x80131515)


that means the file is not trusted! ive never seen this before, its byte exact the same files, but if you download them, windows marks them as unsecure! wtf!? so the solution is to go to the plugin folder and click on the plugins, open properties and "unblock" them

Image

http://www.chilkatforum.com/questions/8 ... 0x80131515

greetz

EDIT: to be sure, readded it here again
EDIT2:
a first test with data of different size shows that you also have to edit the toc/sb data to reflect the new size. for now this has to be done per hand, but I will automate it
Image


Attachments:
Release.rar [339.83 KiB]
Downloaded 61 times
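
The trust failure described in the post above comes from the Zone.Identifier alternate data stream that Windows attaches to downloaded files, which the Explorer "Unblock" button removes. As an added example (not part of the original post or the author's tool), this Python sketch parses that stream and lists plugin binaries in a folder that still carry the mark; the sample stream, its URLs, and treating ZoneId 3 or higher as blocked are assumptions of the example.

```python
import os

# Standard Windows URL security zone numbers.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

def parse_zone_identifier(text):
    """Parse the INI-style body of a Zone.Identifier stream; None if malformed."""
    fields, in_section = {}, False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")   # split on the first '=' only
            fields[key.strip().lower()] = value.strip()
    try:
        zone = int(fields["zoneid"])
    except (KeyError, ValueError):
        return None
    return {"zone_id": zone, "zone": ZONES.get(zone, "Unknown"),
            "host_url": fields.get("hosturl"),
            "blocked": zone >= 3}  # assumption of this example: Internet/Restricted

def read_mark(path):
    """Read the stream from an NTFS file; None when it is absent or unsupported."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8",
                  errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None

def audit_folder(folder, reader=read_mark):
    """Return (name, zone, host_url) for DLL/EXE files that are still marked."""
    hits = []
    for name in sorted(os.listdir(folder)):
        if name.lower().endswith((".dll", ".exe")):
            mark = reader(os.path.join(folder, name))
            if mark and mark["blocked"]:
                hits.append((name, mark["zone"], mark["host_url"]))
    return hits

# Constructed sample stream body (not taken from a real download).
SAMPLE = ("[ZoneTransfer]\r\nZoneId=3\r\n"
          "ReferrerUrl=https://forum.example/viewtopic\r\n"
          "HostUrl=https://forum.example/download/Release.rar\r\n")

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE))
```

Running `audit_folder` over a plugin directory before unblocking shows where each flagged binary was downloaded from, which is worth checking before clearing the mark.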
Posted: Sat Apr 15, 2017 3:35 am

Joined: Sat Apr 15, 2017 3:33 am
Posts: 1
i'm probably missing something completely obvious but how do i load the game files into the tool?


Posted: Sat Apr 15, 2017 5:44 am

Joined: Wed Apr 12, 2017 3:52 am
Posts: 3
coursepitch wrote:
i'm probably missing something completely obvious but how do i load the game files into the tool?


If it is like Voider's other Explorer when you open it you point to the game .exe file and the tool does the rest

