Encrypted values - how does it work exactly


kandinsky

Question

Hey,


GameGuardian is a great software and I appreciate that you provide it for free. I'd like to understand how the encrypted value search works exactly internally.

 

Using encrypted search I find the value I am interested in, but how did GG get these search results? I think the value is ROL'ed and XORed; does GG read the assembly code to find out which XOR keys are applied? Does it XOR the value by the memory address?

 

Thanks,

Kandinsky

Edited by kandinsky
added internally

13 answers to this question


  • Administrators
7 minutes ago, kandinsky said:

If this doesn't work I'll try to set the irand48 argument to 0.

Not the argument. You need to replace the return value. And not of all the calls, only in the needed places. It must be 4 calls for double storage or 2 for one storage.

They are usually placed in the init of the storage class.

_______________________________________________
added 1 minute later

I simply NOP'ed the STR instruction that saves the result of the calls into the class fields. By default the fields are zero-filled, maybe because they are placed in .bss, maybe because memset with zero fill is used after malloc.

31 minutes ago, Enyby said:

Stefan, we do not know how that worked. It is pure magic from Hogwarts School of Witchcraft and Wizardry.

 

:D

 

Does GG read the assembly code? I'd like to understand the logic to be able to calculate the encrypted value myself.


Ok, it was for a Gameloft game. I can find the coin value with GG and also loaded the game in IDA. It seems the coins are XORed and ROL'ed a few times, but I wasn't able to understand how GG correctly found the encrypted value. I need to freeze a few values, as it seems the coins are in several variables, XORed. If I select the wrong ones the game crashes immediately.

 

I wanted to understand the encryption algorithm to be able to calculate the value myself directly and freeze some addresses above/below, instead of narrowing the search a few times each time.

Edited by kandinsky
  • Administrators

Gameloft uses random keys for XOR. They are generated on every run of the game. You can not do anything with it.

To be exact, they use ROR and XOR. The offset for ROR and the key for XOR are random. They are set in calls near lrand48.

Newer games use double storage, older ones a single storage.

Double storage has the same algorithm, but implemented two times. Of course double storage uses different params for each.

_______________________________________________
added 1 minute later

The easiest way: mod the .so to prevent the init of the keys for the storage. It leads to ROR and XOR with zero params.

That leaves only the XOR with the address. It is simple and can be found in GG in one search with data type XOR.

  • Administrators
uint32_t protectedStorageKey = randomValue1;        // XOR key, random on every run
uint32_t protectedStorageRotateBits = randomValue2; // rotate amount (0..31), random on every run

// stored form: rotate x, XOR with the key, XOR with the variable's own address
x' = ((x << protectedStorageRotateBits) | (x >> (0x20 - protectedStorageRotateBits))) ^ protectedStorageKey ^ memoryAddrOf(x);

If the random values are set to zero, then it all reduces to:

x' = x ^ memoryAddrOf(x);

 

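The transform in the post above, written out as an added, compilable example (my code, not GameGuardian's or Gameloft's; the parameter names follow the post, the key, rotate and coin values are constructed). It implements the protect/unprotect pair, shows that zero parameters reduce the scheme to `x ^ addr`, and models the "double storage" case as two independently parameterised copies that must decode to the same value, which is why a change to only one copy is detectable by the program. One caveat on the posted formula: `(x << r) | (x >> (0x20 - r))` is an undefined shift in C when r is 0, so the rotate helpers below guard that case.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Parameters of one storage, named as in the post. Both are random per run. */
typedef struct {
    uint32_t key;          /* protectedStorageKey */
    unsigned rotate_bits;  /* protectedStorageRotateBits */
} storage_params;

/* 32-bit rotates; r is masked and r == 0 is special-cased to avoid a shift by 32. */
static uint32_t rotl32(uint32_t x, unsigned r) {
    r &= 31;
    return r ? (x << r) | (x >> (32 - r)) : x;
}
static uint32_t rotr32(uint32_t x, unsigned r) {
    r &= 31;
    return r ? (x >> r) | (x << (32 - r)) : x;
}

/* x' = rotl(x, bits) ^ key ^ addr, the post's formula with a safe rotate. */
uint32_t protect_value(uint32_t x, uintptr_t addr, storage_params p) {
    return rotl32(x, p.rotate_bits) ^ p.key ^ (uint32_t)addr;
}

/* Inverse: undo both XORs, then rotate back the other way. */
uint32_t unprotect_value(uint32_t stored, uintptr_t addr, storage_params p) {
    return rotr32(stored ^ p.key ^ (uint32_t)addr, p.rotate_bits);
}

/* "Double storage": the same scheme applied twice with independent params.
   Each slot is bound to its own address, so the two stored words differ
   even though they encode the same plaintext. */
typedef struct {
    uint32_t slot[2];
    storage_params params[2];
} double_storage;

void ds_store(double_storage *ds, uint32_t x) {
    for (int i = 0; i < 2; i++)
        ds->slot[i] = protect_value(x, (uintptr_t)&ds->slot[i], ds->params[i]);
}

/* Returns true and writes *out when both copies decode to the same value;
   false when they disagree (one copy changed without the other). */
bool ds_load(const double_storage *ds, uint32_t *out) {
    uint32_t a = unprotect_value(ds->slot[0], (uintptr_t)&ds->slot[0], ds->params[0]);
    uint32_t b = unprotect_value(ds->slot[1], (uintptr_t)&ds->slot[1], ds->params[1]);
    if (a != b) return false;
    *out = a;
    return true;
}

int main(void) {
    /* constructed values: a per-run key/rotate pair and a coin count */
    storage_params p = { .key = 0xA5C3F00Du, .rotate_bits = 13 };
    uint32_t coins = 1500;
    uint32_t stored = protect_value(coins, (uintptr_t)&coins, p);
    printf("plain %" PRIu32 " -> stored 0x%08" PRIx32 " -> back %" PRIu32 "\n",
           coins, stored, unprotect_value(stored, (uintptr_t)&coins, p));

    /* with key = 0 and rotate = 0 the stored form is just x ^ addr */
    storage_params zero = { 0, 0 };
    printf("zero params: stored == x ^ addr: %d\n",
           protect_value(coins, 0x1000, zero) == (coins ^ 0x1000u));

    /* two copies with different params must stay consistent */
    double_storage ds = { .params = { p, { .key = 0x13572468u, .rotate_bits = 7 } } };
    ds_store(&ds, coins);
    uint32_t v = 0;
    printf("double storage consistent: %d (value %" PRIu32 ")\n", ds_load(&ds, &v), v);
    ds.slot[0] ^= 1;  /* one copy now out of step with the other */
    printf("after one copy changed: consistent = %d\n", ds_load(&ds, &v));
    return 0;
}
```

The address term is what makes the same plaintext look different at every location, so a plain value search cannot match it; the key and rotate are what prevent computing the stored form by hand without first reading them out of the process.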

Hey,

 

the exports are missing for this game, as the .so library apparently was stripped during compilation. I am stuck now, as there are too many lrand48 calls and I do not know which one is responsible for the init of the keys.


Can a feature be added to GG to show the base address of the library, in order to be able to rebase IDA? This way I could find the value in GG and jump to the offset in IDA.

I looked in /proc/PID/smaps for the .so but couldn't find the base address.

 

Thanks,

Kandi

Edited by kandinsky
  • Administrators
8 minutes ago, kandinsky said:

Can a feature be added to GG to show the base address of the library in order to be able to rebase IDA?

Use

cat /proc/pid/maps

from a root shell. Pid must be the pid of the needed process. It is shown in square brackets in GG before the process name.

In the output of this command you get all regions in memory, including the rebased .so.

It is a more condensed output than smaps.

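A small added example (my code, not GameGuardian's) of how the maps output answers the rebasing question: parse `/proc/<pid>/maps` lines, take the start address of the library's first mapping with file offset 0 as its load base, and add the IDA offset (IDA's default image base is 0 for a shared object) to get the runtime address. The maps lines, library name and addresses below are constructed for the sample, not taken from a real device.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of /proc/<pid>/maps output (library name and addresses made up). */
static const char sample_maps[] =
    "12c00000-12d00000 rw-p 00000000 00:00 0          [anon:dalvik-main space]\n"
    "7a1b2c3000-7a1b2c4000 r--p 00000000 fd:00 1234   /data/app/example/lib/arm64/libexample.so\n"
    "7a1b2c4000-7a1b3c4000 r-xp 00001000 fd:00 1234   /data/app/example/lib/arm64/libexample.so\n"
    "7a1b3c4000-7a1b3c8000 rw-p 00101000 fd:00 1234   /data/app/example/lib/arm64/libexample.so\n"
    "7ffd0000-7ffe0000 rw-p 00000000 00:00 0          [stack]\n";

/* Load base of `libname`: the start of its first mapping whose file offset is 0
   (a stripped .so still has one, since the ELF header is at file offset 0).
   Returns 0 if the library is not mapped. */
uint64_t find_library_base(const char *maps, const char *libname) {
    const char *line = maps;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len < sizeof buf) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            /* fields: start-end perms offset dev inode path */
            unsigned long long start, end, offset;
            unsigned dev_major, dev_minor;
            unsigned long inode;
            char perms[5], path[256] = "";
            int n = sscanf(buf, "%llx-%llx %4s %llx %x:%x %lu %255s",
                           &start, &end, perms, &offset, &dev_major, &dev_minor, &inode, path);
            if (n == 8 && offset == 0) {
                const char *base = strrchr(path, '/');   /* compare on the file name only */
                base = base ? base + 1 : path;
                if (strcmp(base, libname) == 0) return (uint64_t)start;
            }
        }
        if (!nl) break;
        line = nl + 1;
    }
    return 0;
}

/* Runtime address of an offset taken from IDA when the .so was loaded at image base 0. */
uint64_t rebase(uint64_t base, uint64_t ida_offset) {
    return base + ida_offset;
}

int main(void) {
    uint64_t base = find_library_base(sample_maps, "libexample.so");
    if (!base) {
        puts("libexample.so not mapped");
        return 1;
    }
    printf("libexample.so base: 0x%llx\n", (unsigned long long)base);
    printf("IDA offset 0x1234 -> runtime 0x%llx\n", (unsigned long long)rebase(base, 0x1234));
    return 0;
}
```

To go the other way (from an address GG shows to an IDA offset), subtract the same base. If the maps output shows the executable segment at a non-zero file offset, as in the sample's `r-xp` line, the base is still the offset-0 mapping, not the executable one.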

@Enyby I am playing a game in which I suspect there is a double storage system. The 1st value is without encryption and the second one is encrypted somewhere. Can you explain how to find the second encrypted value so I could edit it?

 

