michalss Posted September 10

The following is probably the easiest way to retrieve the password used for the archives of some games. In fact it's quite common to find ZIP archives (sometimes with non-zip extensions like pak, dat) protected by a password using the ZipCrypto algorithm. In this method I will use no debuggers, no breakpoints, no signsrch... nothing that makes you feel a pro.

Necessary tools:

QuickBMS
https://web.archive.org/web/20220309115557/http://aluigi.org/quickbms.htm

ZIP password scanner (script)
https://web.archive.org/web/20220309115557/http://aluigi.org/papers/bms/zip_pwd_scan.bms

exestringz
https://web.archive.org/web/20220309115557/http://aluigi.org/mytoolz.htm#exestringz

dumproc
https://web.archive.org/web/20220309115557/http://aluigi.org/mytoolz.htm#dumproc

Alternatively you can use:

exestringz -> strings
https://web.archive.org/web/20220309115557/http://technet.microsoft.com/en-us/sysinternals/bb897439.aspx

dumproc -> procdump
https://web.archive.org/web/20220309115557/http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx

The example game for this tutorial is Mini Robot Wars:
https://web.archive.org/web/20220309115557/http://www.bigfishgames.com/download-games/13244/mini-robot-wars/index.html

Locate the ZIP archive:

This step is not always necessary, but it's a good way to avoid problems with packed/protected executables and games that build the password at runtime.
So, launch the game:

Launch dumproc specifying the name of the executable:

    dumproc mrw.exe dump.dat

Please note that sometimes you may have two processes of the same game; remember to specify the PID of the second one, like in the following case:

In that specific case you had to specify the exact PID of the game, so:

    dumproc 3692 dump.dat

Now use exestringz on the dumped process with the -b option:

    exestringz -b -q 1 dump.dat passwords_list.txt

The alternative command for the "strings" tool is:

    strings dump.dat > passwords_list.txt

Launch the ZIP scanner script against the ZIP archive:

    z:\>quickbms zip_pwd_scanner.bms "C:\Program Files (x86)\Mini Robot Wars\DATA"

      QuickBMS generic files extractor and reimporter 0.5.32
      by Luigi Auriemma
      e-mail: [email protected]
      web:    aluigi.org
              (Jul 19 2014 - 10:03:02)

      http://quickbms.aluigi.org
      http://twitter.com/luigi_auriemma

    - open input file C:\Program Files (x86)\Mini Robot Wars\DATA
    - open script zip_pwd_scanner.bms
    - set output folder .

      offset   filesize   filename
    --------------------------------------
    - enter in folder C:\Program Files (x86)\Mini Robot Wars
    - open input file C:\Program Files (x86)\Mini Robot Wars\passwords_list.txt
    - enter in folder .
    - open input file z:\\passwords_list.txt
    - SCRIPT's MESSAGE: the error "incomplete input file number 1" means that no password was found
    - SCRIPT's MESSAGE: FILE: Resource/
    - SCRIPT's MESSAGE: FILE: Resource/Button/
    - SCRIPT's MESSAGE: FILE: Resource/Button/Btn_Adv_Lab_Disable.png
    - SCRIPT's MESSAGE: scanning in progress, please wait patiently...
    - SCRIPT's MESSAGE: Password found: EC?^!98$$%ab17
    - SCRIPT's MESSAGE: (hex visualization for debugging) 45433f5e21393824242561623137

    - 0 files found in 1 seconds
      coverage file 0       0%   10982      123799172
      coverage file 1      45%   97303      213932
      coverage file -1 366600%   39534144   10784
      coverage file -2 366600%   39578136   10796

The password has been found: EC?^!98$$%ab17

This is the final recap of the steps:
- launch the game
- dump the process
- dump the strings in a wordlist file
- crack the zip using the wordlist

That's all. It's super easy, it requires no skills and works most of the time.

Original post by Aluigi from zenhax.
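An added illustration, not part of the original post and not Aluigi's scanner script: a small Python model of why a strings dump can be tried against a ZipCrypto archive so quickly. Each entry's 12-byte encryption header ends in a check byte (the high byte of the entry's CRC-32 when no data descriptor is used), so a candidate costs only the key schedule over the password plus 12 byte decryptions, and the 1-in-256 wrong passwords that slip through the check byte are discarded by a full decrypt and CRC comparison. The entry, its filler bytes and the candidate strings are constructed here; the password is the one found in the post.

```python
import os
import zlib

def _crc32_step(crc, byte):
    # One raw CRC-32 table step (poly 0xEDB88320); zlib's pre/post inversion is cancelled out.
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

class ZipCrypto:
    """Traditional PKWARE stream cipher ("ZipCrypto") as specified in APPNOTE.TXT."""
    def __init__(self, password: bytes):
        self.keys = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    def _update(self, plain):
        k = self.keys
        k[0] = _crc32_step(k[0], plain)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc32_step(k[2], k[1] >> 24)

    def _keystream_byte(self):
        t = (self.keys[2] | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def crypt(self, data: bytes, decrypt: bool) -> bytes:
        out = bytearray()
        for b in data:
            x = b ^ self._keystream_byte()
            self._update(x if decrypt else b)  # the key schedule always advances on the plaintext byte
            out.append(x)
        return bytes(out)

def encrypt_entry(password: bytes, plaintext: bytes, filler=None):
    """Constructed entry: 11 filler bytes + high byte of the CRC-32, then the data (no data descriptor)."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    header = (filler if filler is not None else os.urandom(11)) + bytes([crc >> 24])
    return ZipCrypto(password).crypt(header + plaintext, decrypt=False), crc

def scan_wordlist(candidates, entry: bytes, crc: int):
    """Cheap check-byte test on the 12-byte header (1 in 256 wrong passwords pass it), then a full
    decrypt plus CRC-32 comparison. Entries with flag bit 3 set use the DOS time's high byte instead."""
    hits = []
    for pwd in candidates:
        if ZipCrypto(pwd).crypt(entry[:12], decrypt=True)[11] != crc >> 24:
            continue
        if zlib.crc32(ZipCrypto(pwd).crypt(entry, decrypt=True)[12:]) & 0xFFFFFFFF == crc:
            hits.append(pwd)
    return hits
```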