I'm trying to decrypt a save game via QuickBMS. Thankfully, it's a Unity game so it's easy to check how the game does it. Here's some disassembled code from it:
TripleDESCryptoServiceProvider tripleDESCryptoServiceProvider = new TripleDESCryptoServiceProvider();
tripleDESCryptoServiceProvider.Key = key;
tripleDESCryptoServiceProvider.IV = array;
tripleDESCryptoServiceProvider.Mode = CipherMode.CFB;
tripleDESCryptoServiceProvider.Padding = PaddingMode.PKCS7;
ICryptoTransform cryptoTransform = tripleDESCryptoServiceProvider.CreateDecryptor();
byte[] decrypted = cryptoTransform.TransformFinalBlock(data, 0, data.Length);
I know how to get the key and IV, but I can't seem to get valid output, no matter which Encryption command I use.
Here's a sample encrypted save game, base64 encoded: https://pastebin.com/hZrvK4Gu
And here's the sample save game decrypted, read from game memory during run-time: https://pastebin.com/X4h5cpXX
(keep in mind that THIS IS how it should look immediately after decryption; the game does base64 encode before encryption)
So this is what my script looks like so far to get the key and IV, but as I said, the final file doesn't match up:
string KEY = "=(*&^%$#@%^**^((*(())=bc=_-420@@#$#9-2@@#$#11_)00xyz2*(*(*((=)(&"
log MEMORY_FILE 0 0
get FILESIZE asize 0
clog MEMORY_FILE 0 FILESIZE FILESIZE 0 # decrypt base64
get MSIZE1 asize MEMORY_FILE
get KEYADD byte MEMORY_FILE # first byte gets added to key
string KEYADD = KEYADD
string KEY + KEYADD
print "New Key: %KEY%"
Encryption sha1 KEY
print "SHA-1 hash: %QUICKBMS_HEXHASH%"
print "SHA-1 hash binary: %QUICKBMS_HASH%"
set KEY string QUICKBMS_HASH
string KEY - 4 # 16 byte key from hash
xmath POS "MSIZE1 - 1"
goto POS MEMORY_FILE
get IVSIZE byte MEMORY_FILE # last byte is IV size
print "IV size: %IVSIZE%"
math POS - IVSIZE
goto POS MEMORY_FILE
getdstring IVECTOR IVSIZE MEMORY_FILE
xmath DATASIZE "MSIZE1 - IVSIZE - 2" # exclude the IV, IV size and key salt in data size
print "Data size: %DATASIZE%"
Encryption 3des-112 KEY IVECTOR 0 16
log "112key-decrypt.bin" 1 DATASIZE MEMORY_FILE
What's strange is that the actual encrypted data size is 440 bytes (without the first and last byte and the IV), but the properly decrypted file size ends up being 432 bytes. All the QuickBMS algorithms I've tried return 440 bytes.
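As an added example (not from the original post or the game), this Python script emulates the .NET decryption path quoted above with the "cryptography" library: the same SHA-1 key derivation and blob layout as the QuickBMS script, 8-bit CFB feedback (the default of TripleDESCryptoServiceProvider in CipherMode.CFB), and PKCS7 unpadding, which is why a 432-byte plaintext corresponds to 440 ciphertext bytes. It assumes the raw first byte is appended to the key string (the post does not say whether the byte or its decimal text is appended); the sample save is constructed inline.

```python
import hashlib
import os
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, modes
try:  # cryptography >= 43 moved TripleDES to the "decrepit" namespace
    from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
except ImportError:
    from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES

# Key string quoted in the post; 3DES block size is 8 bytes.
BASE_KEY = b"=(*&^%$#@%^**^((*(())=bc=_-420@@#$#9-2@@#$#11_)00xyz2*(*(*((=)(&"
BLOCK_BITS = 64

def derive_key(salt_byte: bytes) -> bytes:
    """SHA-1(base key + first blob byte), truncated to 16 bytes (2-key 3DES).
    Appending the raw byte (not its decimal text) is an assumption."""
    return hashlib.sha1(BASE_KEY + salt_byte).digest()[:16]

def _cipher(key: bytes, iv: bytes) -> Cipher:
    # .NET TripleDESCryptoServiceProvider uses FeedbackSize = 8 in CFB mode,
    # i.e. CFB8 (one byte per feedback step), not full 64-bit CFB.
    return Cipher(TripleDES(key), modes.CFB8(iv))

def decrypt_save(blob: bytes) -> bytes:
    """Parse [salt byte][ciphertext][IV][IV length] and return the plaintext."""
    iv_len = blob[-1]                      # last byte is the IV size
    iv = blob[-1 - iv_len:-1]              # IV sits just before it
    ciphertext = blob[1:-1 - iv_len]       # everything between salt and IV
    dec = _cipher(derive_key(blob[:1]), iv).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpadder = padding.PKCS7(BLOCK_BITS).unpadder()  # strips the 1..8 pad bytes
    return unpadder.update(padded) + unpadder.finalize()

def encrypt_save(plaintext: bytes, salt_byte: bytes, iv: bytes) -> bytes:
    """Inverse of decrypt_save; only used here to build a constructed sample."""
    padder = padding.PKCS7(BLOCK_BITS).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = _cipher(derive_key(salt_byte), iv).encryptor()
    return salt_byte + enc.update(padded) + enc.finalize() + iv + bytes([len(iv)])

if __name__ == "__main__":
    # Constructed sample: a block-aligned 432-byte plaintext gets a full
    # 8-byte PKCS7 pad, so the ciphertext portion is 440 bytes.
    blob = encrypt_save(b"x" * 432, b"\x07", os.urandom(8))
    print(len(blob) - 2 - 8, len(decrypt_save(blob)))
```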