Free Game Research Forum | Official QuickBMS support | twitter @zenhax
It is currently Tue Mar 21, 2023 11:01 am

All times are UTC

Post new topic  Reply to topic  [ 1 post ] 
Author Message
PostPosted: Wed Jan 25, 2023 8:00 am 

Joined: Wed Jan 25, 2023 6:55 am
Posts: 1
Hello, this is my first time in here, sorry for bad English skill.
This is the follow up from:
- viewtopic.php?f=6&t=16080
- viewtopic.php?f=6&t=16544

So... in early time (before Season 6), Cookie Run's MIDI file is encrypted with Salsa20.
simontime, a Nintendo game reverse engineering guy, who successfully decrypted MIDI file, wrote the program in C
Key and IV are:
const uint8_t key[] =
   0xF7, 0x9B, 0xF7, 0x33, 0xF2, 0x3F, 0x9D, 0x7A,
   0xF2, 0xA2, 0x91, 0xCB, 0x4D, 0xCB, 0x5E, 0x49,
   0x63, 0xE6, 0xA8, 0x71, 0xE0, 0x51, 0x2C, 0xE1,
   0x46, 0xBD, 0x03, 0x67, 0x93, 0x56, 0xA4, 0x73

const uint8_t iv[] =
   0xBC, 0x79, 0xCC, 0x75, 0x91, 0xB4, 0x8D, 0x70

However not after long...
When game step into Season 6, everything changed. The new encryption step in.
There's a rumor that:
-the midis are encrypted in a 24-byte cipher

So, I what have I found:

A lot of encrypted MIDI have this header:
29 01 38 FD B3 29 45 5E E8
which mean

Thank to asdf_#4749 on Discord for this discover:
the midi header MThd followed by 5 extra bytes (4D 54 68 64 00 00 00 06 00 in hex) seems to be the same in many midi files ive looked at (from various diff places not necessarily CROB) and these ones have )8ý³)E^è / 29 01 38 FD B3 29 45 5E E8 in hex where the MThd header and the extra 5 bytes should be

I begin to use IDA Pro to decompile .so file in APK file, but... syrupyy (CRK but translated video creator) said:
i tried before but it's obfuscated
it's less obfuscated on ios but ghidra doesn't understand it. id have to check ida pro

so yeah, I moved to iOS.

In this case, I'm using IDA Pro 7.5 with Hex-Rays (I don't use >=7.7 because crash)
There's a function called *gb* which you can see. I get into *gb::sound*

Today, I want to thank tungdo0602 for giving me OpenGPT API token since I can't login in Vietnam :(
I'm using a plugin called Gepetto
Sadly, *gb::sound* can't giving me any infomation + few of them are too long that AI can't explain it.

So... I moved to *gb::crepe*
I found something, but not sound related...
It's called:
- gb::crepe::KeyStore::KeyStore
- gb::crepe::KeyStore::loadKey
- gb::crepe::KeyStore::loadMasterKey

The interesting one is loadKey and loadMasterKey
this is loadKey:
So... this is modified Salsa20?

and this is loadMasterKey:

Another one is *gb::buildConfig::crepeKeystoreMasterIndex*

A few unk_ thing, I clicked on it...

I scroll down a bit and I found this:

I think this is not a key for decrypting MIDI, so I ignore it.

So, I found nothing, or I just ignore a lot of it?
I almost become an autism guy because no one help with. So if you found something, please let me know!

There's my question:
- What kind of encryption it is? (hope that this is not ECC)
- Is their code hidden?
- What is their key and IV?

Also, I'll give you IDA Pro if you want it for research. DM me on Discord: Bang1338#5701
Hope you guy can helping me and us! Thank you!

Display posts from previous:  Sort by  
Post new topic  Reply to topic  [ 1 post ] 

All times are UTC

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Powered by phpBB® Forum Software © phpBB Limited