Encrypted values - how does it work exactly

kandinsky · September 24, 2016

Hey,

GameGuardian is a great software and I appreciate that you provide it for free. I'd like to understand how the encrypted value search works exactly internally.

Using encrypted search I find the value I am interested in but how did GG got these search results? I think the value is rol and xored, does GG read the assembly code to find out which XOR keys are applied? Does it XOR the value by the memory addresss?

Thanks,

Kandinsky

Edited September 24, 2016 by kandinsky
added internally

Enyby · September 24, 2016

Stefan, we do not know how that worked. It is pure magic from Hogwarts School of Witchcraft and Wizardry.

kandinsky · September 24, 2016

31 minutes ago, Enyby said:

Stefan, we do not know how that worked. It is pure magic from Hogwarts School of Witchcraft and Wizardry.

Does GG read the assembly code? I´d like to understand the logic to be able to calculate the encrypted value myself.

Enyby · September 24, 2016

Here video with full explanation how it worked: https://www.youtube.com/watch?v=gqqm9CMKrA4

kandinsky · September 24, 2016

Ok, it was for a gameloft game. I can find the coin value with GG and also loaded the game in IDA. It seems the coins are xored and roled a few times but I wasn't able to understand how GG correctly found the encrypted value. I need to freeze a few values as it seems the coins are in several variables xored. If I select the wrong ones the game crashes immediately.

I wanted to understand the encrypted algo to be able to calculate the value myself directly and freeze some addresses above/below instead of narrowing the search a few times each time.

Edited September 24, 2016 by kandinsky

Enyby · September 24, 2016

Gameloft use random keys for XOR. It generated every run of game. You can not do anything with it.

If be exact they use ROR and XOR. Offset for ROR and key for XOR is random. It set on calls near lrand48.

Newer games use double storage, older - one storage.

Double storage have same algorithm but implemented two times. Of course double storage use different params for each.

_______________________________________________

added 1 minute later

Most easy way - mod so for prevent init keys for storage. It lead to ROR and XOR with zero params.

It cause to leaved only XOR with address. It is simple and can be found in GG in one search with data type XOR.

Enyby · September 24, 2016

protectedStorageKey = randomValue1;
protectedStorageRotateBits = randomValue2;

x' = ((x << protectedStorageRotateBits) | (x >> (0x20 - protectedStorageRotateBits))) ^ protectedStorageKey ^ memoryAddrOf(x);

If set random values to zero then all goes to:

x' = x ^ memoryAddrOf(x);

kandinsky · September 24, 2016

Thanks for the explanation Enyby. I'll take a look if I can mod the so in IDA.

Edited September 26, 2016 by kandinsky

Enyby · September 24, 2016

7 minutes ago, kandinsky said:

If this doesn't work I'll try to set the irand48 argument to 0.

Not argument. Need replace return value. And not entire calls. Only in needed places. It must be 4 calls for double storage or 2 for one storage.

Usually placed on init class storage.

_______________________________________________

added 1 minute later

I simple NOP'ed STR instruction for saving result of calls in class fields. By default field zero filled. May be because placed in .bss, may be because use memset with zero fill after malloc.

kandinsky · September 26, 2016

Hey,

the exports are missing for this game as the so library apparently was stripped during compilation. I am a stuck now as there are too many lrand48 calls and I do not know which one is responsible for the init keys.

Can a feature be added to GG to show the base address of the library in order to be able to rebase IDA? This way I could find the value in GG and jump to the offset in IDA.

I looked in /proc/PID/smaps for the SO but couldn't find the base address.

Thanks,

Kandi

Edited September 26, 2016 by kandinsky

Enyby · September 26, 2016

8 minutes ago, kandinsky said:

Can a feature be added to GG to show the base address of the library in order to be able to rebase IDA?

Use

cat /proc/pid/maps

From root shell. Pid must be pid of needed process. Showed in square brackets in GG before process name.

In output this command you get all regions in memory include rebased so.

It is more condensed output from smaps.

kandinsky · September 26, 2016

Many thanks Enyby, I'll take a look

Enyby · September 26, 2016

You can use Minion rush as example because this game does not strip debug info from libs.

Junirobert · March 8, 2019

@Enyby I am playing a game in which I suspect there is a double storage system. 1 st value is without encryption and second one is encrypted somewhere. Can you explain how to find the second encrypted value so I could edit it.

Sign In

Encrypted values - how does it work exactly

Question

kandinsky

13 answers to this question

Recommended Posts

Enyby

kandinsky

Enyby

kandinsky

Enyby

Enyby

kandinsky

Enyby

kandinsky

Enyby

kandinsky

Enyby

Junirobert

Create an account or sign in to comment

Create an account

Sign in

Similar Content

Changing the found value does not work

How to know the real value from XOR key and encrypted value?

Arm64 patch does not quite work

Why the same function with different values does not work on 32 bit systems

How to change encrypted value to my desired value and not just randomly increase/decrease it

Downloads

Activity

My Activity Streams

Important Information