kandinsky

Encrypted values - how does it work exactly


Hey,


GameGuardian is a great software and I appreciate that you provide it for free. I'd like to understand how the encrypted value search works exactly internally.


Using the encrypted search I find the value I am interested in, but how did GG get these search results? I think the value is rol'ed and xored; does GG read the assembly code to find out which XOR keys are applied? Does it XOR the value by the memory address?


Thanks,

Kandinsky



Stefan, we do not know how that worked. It is pure magic from Hogwarts School of Witchcraft and Wizardry.

31 minutes ago, Enyby said:

Stefan, we do not know how that worked. It is pure magic from Hogwarts School of Witchcraft and Wizardry.


:D


Does GG read the assembly code? I'd like to understand the logic to be able to calculate the encrypted value myself.


Ok, it was for a Gameloft game. I can find the coin value with GG and also loaded the game in IDA. It seems the coins are xored and rolled a few times, but I wasn't able to understand how GG correctly found the encrypted value. I need to freeze a few values, as it seems the coins are xored across several variables. If I select the wrong ones, the game crashes immediately.


I wanted to understand the encryption algo to be able to calculate the value myself directly and freeze some addresses above/below, instead of narrowing down the search a few times each time.



Gameloft uses random keys for XOR. They are generated on every run of the game. You cannot do anything with it.

To be exact, they use ROR and XOR. The offset for ROR and the key for XOR are random. They are set by calls near lrand48.

Newer games use double storage, older ones a single storage.

Double storage has the same algorithm but implemented two times. Of course double storage uses different params for each.


The easiest way: mod the .so to prevent initializing the keys for the storage. That leads to ROR and XOR with zero params.

That leaves only the XOR with the address. It is simple and can be found in GG in one search with the XOR data type.

protectedStorageKey = randomValue1;
protectedStorageRotateBits = randomValue2;

x' = ((x << protectedStorageRotateBits) | (x >> (0x20 - protectedStorageRotateBits))) ^ protectedStorageKey ^ memoryAddrOf(x);

If the random values are set to zero, then it all reduces to:

x' = x ^ memoryAddrOf(x);


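Enyby's formula above, together with the earlier description of the random ROR/XOR params set near lrand48, single versus double storage, and the collapse to x ^ address when the params are zero, written out as runnable C. This is an added example and not Gameloft's code or anything from GameGuardian: the names protectedStorageKey, protectedStorageRotateBits and memoryAddrOf come from the post, while the ProtectedStorage struct, the DoubleStorage pair (and the idea that its two copies are compared on read), the helper functions and the sample key values are assumptions made for the example. The rotate is implemented exactly as the posted expression, which is a left rotate; on 32-bit words a left rotate by n equals a right rotate by 32 - n, so "ROR" and that expression describe the same transform family.

```c
#include <stdint.h>
#include <stdio.h>

/* Field names from the post; the struct itself is an assumption of this example. */
typedef struct {
    uint32_t protectedStorageKey;        /* random per run (lrand48 result) */
    uint32_t protectedStorageRotateBits; /* random per run (lrand48 result) */
    uint32_t stored;                     /* x' as it lies in game memory    */
} ProtectedStorage;

/* 32-bit rotates. n is reduced mod 32 and n == 0 returns x unchanged:
 * the zeroed-params case would otherwise shift by 32, which is undefined in C. */
static uint32_t rotl32(uint32_t x, uint32_t n) {
    n &= 31;
    return n ? (x << n) | (x >> (32 - n)) : x;
}
static uint32_t rotr32(uint32_t x, uint32_t n) {
    n &= 31;
    return n ? (x >> n) | (x << (32 - n)) : x;
}

/* The post's memoryAddrOf(x): address of the field as a 32-bit value.
 * Truncating the pointer to 32 bits on a 64-bit host is an assumption here. */
static uint32_t memoryAddrOf(const ProtectedStorage *s) {
    return (uint32_t)(uintptr_t)&s->stored;
}

/* x' = rotl(x, bits) ^ key ^ addr, exactly the expression from the post. */
uint32_t encode(uint32_t x, uint32_t bits, uint32_t key, uint32_t addr) {
    return rotl32(x, bits) ^ key ^ addr;
}

/* Inverse: strip the two XORs (XOR is its own inverse), then rotate back. */
uint32_t decode(uint32_t xenc, uint32_t bits, uint32_t key, uint32_t addr) {
    return rotr32(xenc ^ key ^ addr, bits);
}

void storage_set(ProtectedStorage *s, uint32_t x) {
    s->stored = encode(x, s->protectedStorageRotateBits, s->protectedStorageKey, memoryAddrOf(s));
}
uint32_t storage_get(const ProtectedStorage *s) {
    return decode(s->stored, s->protectedStorageRotateBits, s->protectedStorageKey, memoryAddrOf(s));
}

/* "Double storage": the same algorithm twice with different params per copy.
 * Comparing the two copies on read is an assumption of this example. */
typedef struct { ProtectedStorage a, b; } DoubleStorage;

void double_set(DoubleStorage *d, uint32_t x) { storage_set(&d->a, x); storage_set(&d->b, x); }

/* Returns 1 and the value if both copies agree, 0 if only one copy was changed. */
int double_get(const DoubleStorage *d, uint32_t *out) {
    uint32_t va = storage_get(&d->a), vb = storage_get(&d->b);
    if (va != vb) return 0;
    *out = va;
    return 1;
}

/* With key == 0 and rotateBits == 0 the formula collapses to x ^ addr,
 * which is what a GG search with the XOR data type looks for. */
int zero_params_is_addr_xor(uint32_t x) {
    ProtectedStorage s = {0, 0, 0};
    storage_set(&s, x);
    return s.stored == (x ^ memoryAddrOf(&s));
}

/* Round trip for arbitrary params, including the bits == 0 edge case. */
int roundtrip_ok(uint32_t x, uint32_t bits, uint32_t key) {
    ProtectedStorage s = {key, bits, 0};
    storage_set(&s, x);
    return storage_get(&s) == x;
}

int main(void) {
    /* Sample params stand in for the lrand48 results; constructed for this example. */
    DoubleStorage d = {{0x5EEDBEEF, 13, 0}, {0x0BADF00D, 7, 0}};
    uint32_t coins;
    double_set(&d, 1500);
    printf("copy A 0x%08x at %p, copy B 0x%08x at %p\n",
           d.a.stored, (void *)&d.a.stored, d.b.stored, (void *)&d.b.stored);
    if (double_get(&d, &coins)) printf("coins = %u\n", coins);
    /* Editing only one copy, i.e. freezing the wrong address. */
    storage_set(&d.a, 999999);
    printf("after editing copy A only: consistent = %d\n", double_get(&d, &coins));
    return 0;
}
```

Note that the stored word depends on the field's own address, so the same coin value encodes differently at every address; that is why the plain-XOR search needs the address and why the value cannot simply be searched as a constant.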

Thanks for the explanation Enyby. I'll take a look if I can mod the so in IDA.


7 minutes ago, kandinsky said:

If this doesn't work I'll try to set the lrand48 argument to 0.

Not the argument. You need to replace the return value. And not all calls, only in the needed places. It must be 4 calls for double storage or 2 for single storage.

Usually placed in the init of the storage class.

I simply NOP'ed the STR instruction that saves the result of the calls into the class fields. By default the fields are zero-filled. Maybe because they are placed in .bss, maybe because a memset with zero fill is used after malloc.


Hey,


the exports are missing for this game, as the .so library apparently was stripped during compilation. I am stuck now, as there are too many lrand48 calls and I do not know which one is responsible for the init keys.


Can a feature be added to GG to show the base address of the library, in order to be able to rebase IDA? This way I could find the value in GG and jump to the offset in IDA.

I looked in /proc/PID/smaps for the .so but couldn't find the base address.


Thanks,

Kandi


8 minutes ago, kandinsky said:

Can a feature be added to GG to show the base address of the library in order to be able to rebase IDA?

Use

cat /proc/pid/maps

from a root shell. pid must be the pid of the needed process. It is shown in square brackets in GG before the process name.

In the output of this command you get all regions in memory, including the rebased .so.

It is a more condensed output than smaps.

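The /proc/pid/maps step above, done as a small program instead of by eye: it scans the maps text for every region backed by the library, takes the lowest start address as the load base, and converts an address found in GG into the offset to jump to in IDA (and back). This is an added example, not part of the thread or of GameGuardian. The sample maps text, the library path /data/app/com.example.game-1/lib/arm/libgame.so and the addresses in it are constructed for the example, and the conversion assumes IDA loaded the .so at image base 0 (if you rebased IDA to another base, add that base to the offset).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of /proc/<pid>/maps output (not a real capture). */
const char *SAMPLE_MAPS =
    "12c00000-12e00000 rw-p 00000000 00:00 0          [anon:dalvik-main space]\n"
    "b3c00000-b3d20000 r-xp 00000000 b3:19 1234       /data/app/com.example.game-1/lib/arm/libgame.so\n"
    "b3d20000-b3d30000 r--p 0011f000 b3:19 1234       /data/app/com.example.game-1/lib/arm/libgame.so\n"
    "b3d30000-b3d40000 rw-p 0012f000 b3:19 1234       /data/app/com.example.game-1/lib/arm/libgame.so\n"
    "b3e00000-b3e10000 rw-p 00000000 00:00 0          [anon:libc_malloc]\n";

/* True if path is exactly libname or ends in "/" followed by libname. */
static int path_is_lib(const char *path, const char *libname) {
    size_t pl = strlen(path), ll = strlen(libname);
    if (pl < ll || strcmp(path + pl - ll, libname) != 0) return 0;
    return pl == ll || path[pl - ll - 1] == '/';
}

/* Lowest start address of any mapping backed by libname, i.e. the address the
 * .so was relocated to. Returns 1 on success, 0 if the library is not mapped. */
int find_lib_base(const char *maps, const char *libname, unsigned long long *base) {
    int found = 0;
    const char *p = maps;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + len;

        unsigned long long start, end, off, inode;
        char perms[8], dev[16], path[256];
        /* Anonymous regions have no pathname and yield fewer than 7 fields. */
        if (sscanf(line, "%llx-%llx %7s %llx %15s %llu %255s",
                   &start, &end, perms, &off, dev, &inode, path) != 7)
            continue;
        (void)end; (void)off;
        if (!path_is_lib(path, libname)) continue;
        if (!found || start < *base) { *base = start; found = 1; }
    }
    return found;
}

/* Runtime address seen in GG -> offset inside the .so (IDA image base 0 assumed). */
unsigned long long ida_offset(unsigned long long gg_addr, unsigned long long base) {
    return gg_addr - base;
}
/* Reverse direction: IDA offset -> address to look at in GG. */
unsigned long long runtime_addr(unsigned long long ida_off, unsigned long long base) {
    return base + ida_off;
}

/* Usage: ./maps2ida <pid> <libname> <hex address from GG>   (root needed to read maps)
 * With no arguments the constructed sample above is used. */
int main(int argc, char **argv) {
    const char *maps = SAMPLE_MAPS;
    char *buf = NULL;
    if (argc == 4) {
        char fn[64];
        snprintf(fn, sizeof fn, "/proc/%s/maps", argv[1]);
        FILE *f = fopen(fn, "r");
        if (!f) { perror(fn); return 1; }
        size_t cap = 1 << 20;
        buf = malloc(cap);
        if (!buf) { fclose(f); return 1; }
        size_t n = fread(buf, 1, cap - 1, f);
        buf[n] = '\0';
        fclose(f);
        maps = buf;
    }
    const char *lib = argc == 4 ? argv[2] : "libgame.so";
    unsigned long long addr = argc == 4 ? strtoull(argv[3], NULL, 16) : 0xb3d35a8cULL;
    unsigned long long base;
    if (!find_lib_base(maps, lib, &base)) { fprintf(stderr, "%s not mapped\n", lib); free(buf); return 1; }
    printf("%s base = 0x%llx; GG address 0x%llx -> IDA offset 0x%llx\n",
           lib, base, addr, ida_offset(addr, base));
    free(buf);
    return 0;
}
```

The base is taken as the lowest mapping with that path rather than the first line encountered, so it does not matter whether the loader mapped a read-only header segment before the executable one. An address that lies outside every mapping of the library is not in the .so at all (heap, .bss of another library), so check that the GG address falls inside one of the library's regions before trusting the offset.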

You can use Minion Rush as an example, because this game does not strip the debug info from its libs.


@Enyby I am playing a game in which I suspect there is a double storage system. The 1st value is without encryption and the second one is encrypted somewhere. Can you explain how to find the second, encrypted value so I could edit it?

