Cookie Run Ovenbreak: Encrypted MIDI - What I found so far (and need help)

Bang1338, posted Wed Jan 25, 2023 8:00 am (75159)


Hello, this is my first time here, sorry for my bad English.
This is the follow-up to:
- viewtopic.php?f=6&t=16080
- viewtopic.php?f=6&t=16544

So... in the early days (before Season 6), Cookie Run's MIDI files were encrypted with Salsa20.
simontime, a Nintendo game reverse engineering guy who successfully decrypted the MIDI files, wrote the program in C.
The key and IV are:
Code:
#include <stdint.h>

/* Salsa20 key: 32 bytes (256-bit) */
const uint8_t key[] =
{
   0xF7, 0x9B, 0xF7, 0x33, 0xF2, 0x3F, 0x9D, 0x7A,
   0xF2, 0xA2, 0x91, 0xCB, 0x4D, 0xCB, 0x5E, 0x49,
   0x63, 0xE6, 0xA8, 0x71, 0xE0, 0x51, 0x2C, 0xE1,
   0x46, 0xBD, 0x03, 0x67, 0x93, 0x56, 0xA4, 0x73
};

/* Salsa20 IV (nonce): 8 bytes (64-bit) */
const uint8_t iv[] =
{
   0xBC, 0x79, 0xCC, 0x75, 0x91, 0xB4, 0x8D, 0x70
};


However, not long after...
When the game stepped into Season 6, everything changed. New encryption stepped in.
There's a rumor that:
Quote:
-the midis are encrypted in a 24-byte cipher



So, what have I found:

A lot of the encrypted MIDI files have this header:
Code:
29 01 38 FD B3 29 45 5E E8
which means
Code:
)8y?)E^e

Thanks to asdf_#4749 on Discord for this discovery:
Quote:
the midi header MThd followed by 5 extra bytes (4D 54 68 64 00 00 00 06 00 in hex) seems to be the same in many midi files ive looked at (from various diff places not necessarily CROB) and these ones have )8y?)E^e / 29 01 38 FD B3 29 45 5E E8 in hex where the MThd header and the extra 5 bytes should be


I began using IDA Pro to decompile the .so file in the APK file, but... syrupyy (CRK but translated video creator) said:
Quote:
i tried before but it's obfuscated
it's less obfuscated on ios but ghidra doesn't understand it. id have to check ida pro

So yeah, I moved to iOS.

In this case, I'm using IDA Pro 7.5 with Hex-Rays (I don't use >=7.7 because it crashes)
Image
There's a function called *gb*, which you can see. I went into *gb::sound*

Today, I want to thank tungdo0602 for giving me an OpenGPT API token since I can't log in in Vietnam :(
I'm using a plugin called Gepetto
Sadly, *gb::sound* can't give me any information; a few of them are so long that the AI can't explain them.

So... I moved to *gb::crepe*
I found something, but not sound related...
They're called:
- gb::crepe::KeyStore::KeyStore
- gb::crepe::KeyStore::loadKey
- gb::crepe::KeyStore::loadMasterKey

The interesting ones are loadKey and loadMasterKey.
This is loadKey:
Image
So... is this a modified Salsa20?

And this is loadMasterKey:
Image

Another one is *gb::buildConfig::crepeKeystoreMasterIndex*
Image

A few unk_ things, I clicked on them...
Image

I scrolled down a bit and I found this:
Image

I think this is not a key for decrypting MIDI, so I ignored it.


So, did I find nothing, or did I just ignore a lot of it?
I've almost become an autism guy because no one is helping. So if you find something, please let me know!

Here are my questions:
- What kind of encryption is it? (I hope that this is not ECC)
- Is their code hidden?
- What are their key and IV?

Also, I'll give you IDA Pro if you want it for research. DM me on Discord: Bang1338#5701
Hope you guys can help me and us! Thank you!
This topic is now closed to further replies.
