ZenHAX

All times are UTC




 Post subject: Destiny 2 PKG
PostPosted: Fri Aug 25, 2017 9:14 pm 

Joined: Tue Jan 26, 2016 12:45 pm
Posts: 51
Files are in PKG format; uploaded samples. The biggest file is ~2 GB and can go up to 4, I assume.

http://www19.zippyshare.com/v/QZoYkOFu/file.html
http://www19.zippyshare.com/v/1aP4I9aF/file.html


 Post subject: Re: Destiny 2 PKG
PostPosted: Fri Aug 25, 2017 9:38 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 9051
The data is encrypted probably with blowfish or xtea, so there is not much to do without the algorithm and the key.
This is the work-in-progress script, which means that you CANNOT use it but it's useful to me or other people when the problem with the encryption is solved:
Code:
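comtype oodle   # ???
goto 0xd0               # header fields for the entry table
get FILES long          # number of entries
get INFO_OFF long       # offset of the entry table
goto INFO_OFF
for i = 0 < FILES
    get OFFSET long
    get ZSIZE long      # size as stored in the package
    get SIZE long       # 0 means the entry is dumped without decompression
    get SOME_CRC long
    getdstring ZHASH 16
    getdstring HASH 16
    encryption ??? ???  # algorithm and key still unknown
    if SIZE == 0
        log "" OFFSET ZSIZE
    else
        clog "" OFFSET ZSIZE SIZE
    endif
next i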

Just for the record, there was a topic for Destiny 1 but I don't know if the format (and encryption) is the same... anyway there was no solution so it's useless:
viewtopic.php?t=134
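
The entry table that the work-in-progress script above walks, as an added Python example that is not part of the original post or of QuickBMS: it reads the same fields with bounds checks on every offset and count, and does no decryption or decompression. The field layout is taken from that unverified script; little-endian 32-bit fields, the names `parse_table`, `Entry` and `build_sample`, and the sample bytes are assumptions made here.

```python
import struct
from typing import NamedTuple

HEADER_OFF = 0xD0                    # "goto 0xd0" in the script
ENTRY = struct.Struct("<4I16s16s")   # OFFSET ZSIZE SIZE SOME_CRC ZHASH HASH (48 bytes)

class Entry(NamedTuple):
    offset: int
    zsize: int
    size: int
    some_crc: int
    zhash: bytes
    hash_: bytes

    @property
    def stored(self) -> bool:
        # The script uses "log" (no decompression) when SIZE == 0.
        return self.size == 0

def parse_table(pkg: bytes) -> list:
    """Return the entry table, rejecting offsets and counts outside the file."""
    if len(pkg) < HEADER_OFF + 8:
        raise ValueError("file too short for the header fields at 0xd0")
    files, info_off = struct.unpack_from("<2I", pkg, HEADER_OFF)
    if info_off + files * ENTRY.size > len(pkg):
        raise ValueError("entry table runs past end of file")
    entries = []
    for i in range(files):
        e = Entry(*ENTRY.unpack_from(pkg, info_off + i * ENTRY.size))
        if e.offset + e.zsize > len(pkg):
            raise ValueError(f"entry {i}: data range outside file")
        entries.append(e)
    return entries

def build_sample() -> bytes:
    """Constructed test input, not a real package: two entries, zero-filled data."""
    table_off = 0x100
    data_off = table_off + 2 * ENTRY.size
    blob = bytearray(data_off + 0x30)
    struct.pack_into("<2I", blob, HEADER_OFF, 2, table_off)
    ENTRY.pack_into(blob, table_off, data_off, 0x10, 0, 0x11111111, b"A" * 16, b"B" * 16)
    ENTRY.pack_into(blob, table_off + ENTRY.size, data_off + 0x10, 0x20, 0x80,
                    0x22222222, b"C" * 16, b"D" * 16)
    return bytes(blob)

if __name__ == "__main__":
    for n, e in enumerate(parse_table(build_sample())):
        print(n, hex(e.offset), hex(e.zsize), hex(e.size), "stored" if e.stored else "compressed")
```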


 Post subject: Re: Destiny 2 PKG
PostPosted: Sat Aug 26, 2017 12:48 am 

Joined: Tue Jan 26, 2016 12:45 pm
Posts: 51
Destiny 2 has got super crazy protection, so it might not be easy to get the key from the client; also, binary files are not shipped yet. So I assume we have to wait for the beta to start to dig around for the key.


 Post subject: Re: Destiny 2 PKG
PostPosted: Sat Aug 26, 2017 5:06 am 

Joined: Sat Aug 26, 2017 5:02 am
Posts: 1
Feel free to borrow against my research ;) We'll probably have to wait for the game's exe to drop in order to harvest the decryption information unfortunately.

https://github.com/Ernegien/Destiny2ool ... 2ools.Core


 Post subject: Re: Destiny 2 PKG
PostPosted: Sat Aug 26, 2017 6:12 am 

Joined: Tue Jan 26, 2016 12:45 pm
Posts: 51
I'm currently working to get the Take Home Client :) which contains the full game. I had someone at Blizzard who can share the key, but I'm not sure if they can do so on DST2 as well.


 Post subject: Re: Destiny 2 PKG
PostPosted: Tue Aug 29, 2017 7:34 am 

Joined: Tue Jan 26, 2016 12:45 pm
Posts: 51
Ernegien wrote:
Feel free to borrow against my research ;) We'll probably have to wait for the game's exe to drop in order to harvest the decryption information unfortunately.

https://github.com/Ernegien/Destiny2ool ... 2ools.Core



Binaries are up. You got hands on?


 Post subject: Re: Destiny 2 PKG
PostPosted: Tue Aug 29, 2017 6:24 pm 

Joined: Sun Mar 20, 2016 10:25 pm
Posts: 26
So far:

Game has AES and 3DES encryption, the only two found so far.
Several hash algorithms: SHA1, SHA256, MD5, MurMur3, CRC32, Tiger192.
Game still uses Oodle, specifically the LZ variant.
Edit: In addition to Oodle, ZLib is also statically linked to the application.

The following is the only AES key present: "5e5b3fcccc60c298c3266226de660799505f9475fc1ba4c1be68f6864c0a0356"

There are at least two separate chunk flags besides uncompressed, most likely encryption, and encryption + compression (values 3 and 7) in the 3rd byte of chunk flags.
When the third flag is set, there is an additional 16 bytes after the chunk hash. Also to note, each encrypted chunk in the same package starts with the same bytes.


 Post subject: Re: Destiny 2 PKG
PostPosted: Tue Aug 29, 2017 10:16 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 9051
Do you have a confirmation of that AES key?
It still gives garbage data when used with AES on the bytes at offset 0x800.


 Post subject: Re: Destiny 2 PKG
PostPosted: Tue Aug 29, 2017 10:39 pm 

Joined: Sun Mar 20, 2016 10:25 pm
Posts: 26
aluigi wrote:
Do you have a confirmation of that aes key?
It still gives garbage data when used with aes on the bytes at offset 0x800


I'm pretty sure the bytes at 0x800 are an RSA signature verification block.

Edit: Looks like Oodle in D2 is using a hardcoded max block size of 0x40000.

Main package routine: sub_7FF700E7F020, SHA1 verification: sub_7FF700E7FFA0


 Post subject: Re: Destiny 2 PKG
PostPosted: Tue Aug 29, 2017 11:16 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 9051
Can you provide an example with the samples provided in the previous posts?
Here I used the following with w64_pvp_0159_0.pkg but still no luck:
Code:
encryption aes "\x5e\x5b\x3f\xcc\xcc\x60\xc2\x98\xc3\x26\x62\x26\xde\x66\x07\x99\x50\x5f\x94\x75\xfc\x1b\xa4\xc1\xbe\x68\xf6\x86\x4c\x0a\x03\x56"
log "dump.dat" 0x2800 0xd30


 Post subject: Re: Destiny 2 PKG
PostPosted: Tue Aug 29, 2017 11:31 pm 

Joined: Sun Mar 20, 2016 10:25 pm
Posts: 26
aluigi wrote:
Can you provide an example with the samples provided in the previous posts?
Here I used the following with w64_pvp_0159_0.pkg but still no luck:
Code:
encryption aes "\x5e\x5b\x3f\xcc\xcc\x60\xc2\x98\xc3\x26\x62\x26\xde\x66\x07\x99\x50\x5f\x94\x75\xfc\x1b\xa4\xc1\xbe\x68\xf6\x86\x4c\x0a\x03\x56"
log "dump.dat" 0x2800 0xd30


I never got the AES key to work; it was just found when debugging the game. I'm not sure what it's used for yet. However, as I said previously, all enc blocks start with the same bytes, *in each package itself*, so it's possible it's a single key per package.

Edit: Just the first two bytes of each encrypted block, in each package, are the same.
Edit2: Scratch that, variable length bytes at the start of each enc block are the same, found some with two and some with three so far.


 Post subject: Re: Destiny 2 PKG
PostPosted: Wed Aug 30, 2017 9:35 am 

Joined: Fri Mar 17, 2017 9:41 pm
Posts: 14
The download OpenBeta is available for all on Blizzard App. :mrgreen:


 Post subject: Re: Destiny 2 PKG
PostPosted: Wed Aug 30, 2017 9:41 am 

Joined: Fri Mar 17, 2017 9:41 pm
Posts: 14
aluigi wrote:
Can you provide an example with the samples provided in the previous posts?
Here I used the following with w64_pvp_0159_0.pkg but still no luck:
Code:
encryption aes "\x5e\x5b\x3f\xcc\xcc\x60\xc2\x98\xc3\x26\x62\x26\xde\x66\x07\x99\x50\x5f\x94\x75\xfc\x1b\xa4\xc1\xbe\x68\xf6\x86\x4c\x0a\x03\x56"
log "dump.dat" 0x2800 0xd30



Decryptable with Hashcat?


 Post subject: Re: Destiny 2 PKG
PostPosted: Wed Aug 30, 2017 3:42 pm 

Joined: Sun Mar 20, 2016 10:25 pm
Posts: 26
Looks like the encryption is called "fang". Ever heard of it?

https://paste.md-5.net/wexomefaxo.cpp

This is run per block entry, and it always checks for fang first; if not, it just copies to the buffer (v52), which is then used for decompression (Oodle).


 Post subject: Re: Destiny 2 PKG
PostPosted: Thu Aug 31, 2017 6:01 pm 

Joined: Thu Sep 01, 2016 9:55 pm
Posts: 5
Little FYI: move your Destiny 2 folder to a safe location before opening Blizzard Launcher since it will delete ALL the game files (because the beta ended)


 Post subject: Re: Destiny 2 PKG
PostPosted: Thu Aug 31, 2017 7:08 pm 

Joined: Thu Aug 31, 2017 7:03 pm
Posts: 6
Hello!

I've been doing some digging into the unpacking method used.

destiny2.exe decrypts and opens the \packages\w64_client_bootstrap_unp1_0.pkg
The decryption is being handled by the \bin\x64\oo2core_3_win64.dll

The decrypting thread callstack:
Code:
 # Child-SP          RetAddr           : Args to Child                                                           : Call Site
00 000000c2`9c3ff858 00007fff`fd73988f : 00000000`00000008 00000000`00000004 00000004`fbee05c6 000005c6`00000013 : ntdll!NtWaitForSingleObject+0x14
01 000000c2`9c3ff860 00007ff7`b81bbfd2 : 000001db`843406f0 000001db`85792e48 00000013`00000000 00000000`00000548 : KERNELBASE!WaitForSingleObjectEx+0x9f
02 000000c2`9c3ff900 00007ff7`b8170b36 : ffffffff`20c00006 000001db`00000001 000001db`85792cf0 000001db`857921a0 : destiny2!opus_get_version_string+0x3388e2
03 000000c2`9c3ff930 00007ff7`b8170b8a : 000001db`8578d800 ffffffff`00000004 0000ffff`00000001 00007ff7`b99c7898 : destiny2!opus_get_version_string+0x2ed446
04 000000c2`9c3ff960 00007ff7`b81a3413 : 000001db`8573d780 000001db`00000004 000000c2`9c3ff9c0 00000000`0000000a : destiny2!opus_get_version_string+0x2ed49a
05 000000c2`9c3ff990 00007ff7`b816b762 : 000001db`85792e40 00000000`00000004 00000000`00000000 00007ff7`b8153f04 : destiny2!opus_get_version_string+0x31fd23
06 000000c2`9c3ffab0 00007ff7`b816ec89 : 000001db`8573d780 00000000`00000004 00000000`00000010 00000000`00000012 : destiny2!opus_get_version_string+0x2e8072
07 000000c2`9c3ffb30 00007ff7`b81a3758 : 00000000`00010004 00007ff7`b81bd525 000001dc`5eca7fb0 00007ff7`b99c78bc : destiny2!opus_get_version_string+0x2eb599
08 000000c2`9c3ffb60 00007ff7`b81a380f : 00007ff7`b99c7898 00007ff7`b99c7898 00000000`00000000 00007ff7`b81a3780 : destiny2!opus_get_version_string+0x320068
09 000000c2`9c3ffba0 00007fff`ffcf2774 : 00007ff7`b99c7898 00000000`00000000 00000000`00000000 00000000`00000000 : destiny2!opus_get_version_string+0x32011f
0a 000000c2`9c3ffbe0 00007ff8`00610d51 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14
0b 000000c2`9c3ffc10 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


oo2core_3_win64.dll relative functions:
Code:
Name    Address    Ordinal
OodleLZ_Decompress 000000018005F8B0 18
OodleLZDecoder_DecodeSome 000000018005E180 2


Still a WIP, but the key has to be stored here somewhere :)


 Post subject: Re: Destiny 2 PKG
PostPosted: Thu Aug 31, 2017 8:20 pm 

Joined: Tue Jan 26, 2016 12:45 pm
Posts: 51
Did you also record the launch process, maybe?

I know it is:

destiny2.exe -uid Destiny2
"C:\Program Files (x86)\Blizzard App\Battle.net.9262\Loader64.exe" 11048 "C:\Program Files (x86)\Blizzard App\Battle.net.9262\bzrclient64.dll"

Where 11048 is the process ID. However, it seems not to work, so I'm missing one step.


 Post subject: Re: Destiny 2 PKG
PostPosted: Thu Aug 31, 2017 9:25 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 9051
@marn
oodle is only for decompression, the data you have there has been already decrypted somewhere else


 Post subject: Re: Destiny 2 PKG
PostPosted: Thu Aug 31, 2017 9:26 pm 

Joined: Thu Aug 31, 2017 7:03 pm
Posts: 6
aluigi wrote:
@marn
oodle is only for decompression, the data you have there has been already decrypted somewhere else


Yup :(

Trying to further debug the .exe but they have pretty good anti-debugging checking in the GFSDK_Aftermath_lib.dll


 Post subject: Re: Destiny 2 PKG
PostPosted: Fri Sep 01, 2017 12:07 pm 

Joined: Thu Aug 28, 2014 8:57 pm
Posts: 2
marn wrote:
aluigi wrote:
@marn
oodle is only for decompression, the data you have there has been already decrypted somewhere else


Yup :(

Trying to further debug the .exe but they have pretty good anti-debugging checking in the GFSDK_Aftermath_lib.dll

Send a bunch of thanks to NVidia for that file

