Grand Chase Classic .lua encryption

potchy, posted Mon May 23, 2022 9:00 pm (71650)


Following the update on May 11, the developer started to encrypt their game's LUA files to prevent data mining and cheating.

The curious thing is that the encryption algorithm they're using is only applied every 2 bytes, leaving half of a file unchanged. It's hard to explain, so here's a side-by-side comparison of one of the files before and after the update:
Image

There are some instances where the 2 bytes rule doesn't apply, but maybe it's a coincidence? Anyway, at first I thought the game was performing a simple XOR cipher with a 4-byte key like XX XX 00 00, but I've tried to brute force it with no results. While I can find some keys that work for the first 4 bytes of a file, it doesn't work for the rest.
Image

Another thing I noticed is that identical files (prior to this update) are no longer identical. They are encrypted differently, which means the game doesn't use the same key for every file. It's unlikely that the developer is storing 1000 keys inside the game's executable, so I think they derive each key at runtime based on the file's name or some other factor.

The header of the file compression format the game uses (KOM) hasn't changed at all. I can unpack and repack a KOM file without touching the LUAs inside and the game still recognizes them perfectly. The game also doesn't crash if I change a single non-important byte of a file, like, say, part of a string, so I'm sure there's no checksum verification going on.

I would really appreciate some pointers on what to look out for next. Unfortunately, I don't know much about reverse engineering. I could probably work out a script to reverse the encryption if I knew what algorithm they're using, but that's about it.

---

Relevant links:
Files:

KOM utils (pick any):

Crypto stuff:
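
Added example (not part of the original posts, and not the game's algorithm): with a known before/after pair, XORing the two files gives the keystream, and two checks separate a repeating 4-byte key from a keystream that changes per block and per file, which is what the observations in the first post point to. Both toy ciphers, their constants, the seeds and the sample plaintext are constructed for illustration.

```python
from collections import Counter

# Constructed sample plaintext (not a real game file).
PLAIN = b"-- constructed sample\nItem = { id = 1001, name = 'Sword', price = 250 }\n"

def xor_delta(plain: bytes, cipher: bytes) -> bytes:
    """XOR known plaintext with ciphertext: the keystream, if the cipher is XOR-based."""
    if len(plain) != len(cipher):
        raise ValueError("files must have equal length")
    return bytes(p ^ c for p, c in zip(plain, cipher))

def changed_offsets(delta: bytes, modulus: int = 4) -> Counter:
    """Count modified bytes per offset modulo `modulus` (exposes an 'every 2 bytes' pattern)."""
    return Counter(i % modulus for i, d in enumerate(delta) if d)

def smallest_period(delta: bytes, max_period: int = 32):
    """Smallest p for which the keystream repeats every p bytes, or None if there is none."""
    for p in range(1, min(max_period, len(delta) // 2) + 1):
        if all(delta[i] == delta[i - p] for i in range(p, len(delta))):
            return p
    return None

def toy_repeating(data: bytes, key: bytes = b"\x5a\xc3\x00\x00") -> bytes:
    """Hypothetical cipher A: fixed 4-byte XOR key of the form XX XX 00 00."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))

def toy_rolling(data: bytes, seed: int) -> bytes:
    """Hypothetical cipher B: per-file seed, 16-bit LCG stepped once per 4-byte block;
    only the first two bytes of each block are XORed."""
    out, state = bytearray(data), seed & 0xFFFF
    for i in range(0, len(out), 4):
        state = (state * 25173 + 13849) & 0xFFFF
        out[i] ^= state & 0xFF
        if i + 1 < len(out):
            out[i + 1] ^= state >> 8
    return bytes(out)

def report(name: str, cipher: bytes) -> str:
    """One-line summary: which offsets change and whether the keystream repeats."""
    delta = xor_delta(PLAIN, cipher)
    return f"{name}: offsets={sorted(changed_offsets(delta))} period={smallest_period(delta)}"

if __name__ == "__main__":
    print(report("repeating key", toy_repeating(PLAIN)))          # keystream repeats every 4 bytes
    print(report("rolling, file A", toy_rolling(PLAIN, 0x1234)))  # same offsets, no short period
    print(report("rolling, file B", toy_rolling(PLAIN, 0x1235)))  # same plaintext, other seed
```

A key guessed from the first four bytes only decrypts the whole file in the repeating case; in the rolling case it fails from the second block on, and the same plaintext under two seeds yields different ciphertexts.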

Zerphyrum, posted Fri Jun 17, 2022 5:15 pm (72141)


Hey! Have you discovered anything since then? Add me on Discord so we can find out :geek:

lucas111213, posted Wed Aug 10, 2022 1:03 am (72947)


Hi! Did you manage to decrypt the .lua files?

potchy, posted Sat Aug 20, 2022 8:35 pm (73092)


ssh wrote:
GrandChase_kom_lua_stg_dec.bms

Thanks for sharing! The relevant part is the Decrypt function. The exact same algorithm can be used to encrypt back the file, in case anyone else is curious.

akenohime50, posted Fri Aug 26, 2022 3:34 am (73185)


potchy wrote:
ssh wrote:
GrandChase_kom_lua_stg_dec.bms

Thanks for sharing! The relevant part is the Decrypt function. The exact same algorithm can be used to encrypt back the file, in case anyone else is curious.

hi, how can i repack the files? using the same script file fails to repack even when i don't touch the files
Image

Noctis, posted Tue Sep 20, 2022 5:20 pm (73527)


It seems the encryption changed on September 14th. Also, lots of .stg files were converted to .lua.
Did anyone happen to get the new decryption yet?

potchy, posted Thu Sep 22, 2022 7:06 pm (73551)


The encryption method remains the same.
Lua scripts, regardless of extension, are now compiled to bytecode, not by using the standard Lua compiler (luac), but with a custom one built by KOG, or so I was told.
It's already hard enough to get something readable when decompiling a standard Lua script with luadec or unluac, so I think we've hit a dead end.

akenohime50 wrote:
hi, how can i repack the files? using the same script file fails to repack even when i don't touch the files

It cannot be done with QuickBMS. You would need to write your own KOM packer or implement the encryption algorithm on top of one of the Python scripts I shared in my original post.

Syntaxii, posted Sat Oct 01, 2022 11:03 pm (73654)


potchy wrote:
The encryption method remains the same.
Lua scripts, regardless of extension, are now compiled to bytecode, not by using the standard Lua compiler (luac), but with a custom one built by KOG, or so I was told.
It's already hard enough to get something readable when decompiling a standard Lua script with luadec or unluac, so I think we've hit a dead end.


Was this in reference to just repacking to kom or decryption as well? The STG files decrypt just fine with the bms file above but lua files are mostly broken. Messing around with the key in line 10 can result in some varying degrees of success but nothing functional. I'm fairly certain there's a method to this already though - from some BR private server folk.

potchy, posted Sun Oct 02, 2022 6:04 pm (73664)


For context, most .stg files have always been Lua scripts with a different extension for no reason whatsoever.
Following the update, all .stg files except for Sort.stg had their extension changed to .lua.
I'm confident the reason for this change is so that it's easier for the development team to write a batch tool to compile all files with .lua extension using their custom compiler, leaving .stg files intact.
Proof is that Sort.stg structure hasn't changed. It cannot be compiled, because it's not a Lua script, but a custom structure built specifically for Grand Chase items.
The new private server that's a 1-1 copy from Classic was released BEFORE the update. I'm sure they're stuck as well.

To sum up, all .lua and .stg are still encrypted.
Both can be decrypted with the .bms file @ssh provided above.
Now, for .lua files, in addition to the encryption, they are also compiled. It's not an encryption and it's very difficult to reverse it.
There are tools like luadec and unluac that can decompile normal .lua files (with a lot of limitations), but unfortunately, because KOG used a custom compiler, both these tools don't work with their files.

Zerphyrum, posted Mon Oct 03, 2022 4:50 pm (73671)


potchy wrote:
For context, most .stg files have always been Lua scripts with a different extension for no reason whatsoever.
Following the update, all .stg files except for Sort.stg had their extension changed to .lua.
I'm confident the reason for this change is so that it's easier for the development team to write a batch tool to compile all files with .lua extension using their custom compiler, leaving .stg files intact.
Proof is that Sort.stg structure hasn't changed. It cannot be compiled, because it's not a Lua script, but a custom structure built specifically for Grand Chase items.
The new private server that's a 1-1 copy from Classic was released BEFORE the update. I'm sure they're stuck as well.

To sum up, all .lua and .stg are still encrypted.
Both can be decrypted with the .bms file @ssh provided above.
Now, for .lua files, in addition to the encryption, they are also compiled. It's not an encryption and it's very difficult to reverse it.
There are tools like luadec and unluac that can decompile normal .lua files (with a lot of limitations), but unfortunately, because KOG used a custom compiler, both these tools don't work with their files.


It's not a dead end, I know some people on the GC Discord Server that already decompiled the files but don't reveal the method, only the files. I'm sure someone will post the method someday.

potchy, posted Wed Oct 26, 2022 1:11 pm (73680)


With today's update, KOM file format was changed for the first time in Classic.
The header now reads KOG GC TEAM MASSFILE V.1.0.
Previous extractors for formats 0.2, 0.3 and 0.4 do not work anymore.

Edit: I'm sorry! I clicked bump accidentally. lol

Zerphyrum, posted Tue Mar 28, 2023 8:20 pm (76092)


Any news about the .KOM files decrypt?
This topic is now closed to further replies.