Skip to content
View in the app

A better way to browse. Learn more.
ResHax

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.
Help us keep the site running.

Echo of Soul File Encryption Information

ZenHAX
in Zenhax

Featured Replies

  • Author
  • Localization

atom0s, posted Sun Dec 06, 2015 6:54 am (10338)

Echo of Soul is an online MMORPG that makes use of some custom encryption mixed with Microsoft's Cryptography library.
Code:
http://echoofsoul.aeriagames.com/


Protected files can be seen having a header like this:
Image

The first four bytes are used as a signature to determine if the file is protected or not. Inside of the game, we can see a check for this like this:
Code:
  v2 = (const CHAR *)sub_E2DF80(lpFileName);
  v3 = CreateFileA(v2, 0x80000000, 1u, 0, 3u, 0x80u, 0);
  if ( v3 == (HANDLE)-1
    || (NumberOfBytesRead = 0,
        v9 = 0xD0B7A0CC,
        ReadFile(v3, Buffer, 4u, &NumberOfBytesRead, 0),
        CloseHandle(v3),
        NumberOfBytesRead != 4) )
  {
LABEL_8:
    result = 0;
  }
  else
  {
    for ( i = 0; ;   i )
    {
      v7 = i;
      if ( i >= 4 )
        break;
      if ( Buffer[i] != *((_BYTE *)&v9   i) )
        goto LABEL_8;
    }
    result = 1;
  }
  return result;


Here the file is loaded and the first 4 bytes are read. Afterward, the code checks byte by byte against the value of v9 (or 0xD0B7A0CC). If it matches its considered protected; otherwise it is not.

Next the game makes use of the Crypto library functions provided by Microsoft. The game creates an MD5 hash object by using the following:
Code:
  if ( !CryptAcquireContextW((HCRYPTPROV *)(a2   1140), L"SBENCRYPTIONKEYCONTAINER10", L"Microsoft Enhanced Cryptographic Provider v1.0", 1u, 0) && GetLastError() == -2146893802 )
    CryptAcquireContextW((HCRYPTPROV *)(a2   1140), L"SBENCRYPTIONKEYCONTAINER10", 0, 1u, 8u);
  if ( !*(_DWORD *)(a2   1140) )
  {
    v6 = GetLastError();
    sub_E4B130(L"CryptAcquireContext failed. (%d)(0xx)", v6);
  }
  v7 = (HCRYPTHASH *)(a2   1148);
  if ( CryptCreateHash(*(_DWORD *)(a2   1140), 0x8003u, 0, 0, (HCRYPTHASH *)(a2   1148))
    && CryptHashData(*v7, &pbData, 8u, 0)
    && CryptDeriveKey(*(_DWORD *)(a2   1140), 0x6801u, *v7, (DWORD)&loc_800000, (HCRYPTKEY *)(a2   1144)) )
    v11 = 0;
  else
    LOBYTE(v11) = 0;


Here the game is creating a hash provider context to use an MD5 crypto object. The pbData is added to the has object as a key for the encryption / decryption which in this case is:
Image

Once initialized, the game makes use of the crypto provider with its encryption and decryption by the following two functions:
Code:
int __usercall sub_409810@(HCRYPTKEY hKey@, int a2@)
{
  signed int v2; // ecx@1
  int v3; // eax@2
  int result; // eax@3
  int v5; // [sp 0h] [bp-4h]@1
 
  v5 = 8;
  CryptDecrypt(hKey, 0, 1, 0, (BYTE *)a2, (DWORD *)&v5);
  v2 = 0;
  do
  {
    LOBYTE(v3) = *(_BYTE *)(v2   a2);
    if ( (_BYTE)v3 == 127 )
    {
      result = 0;
    }
    else if ( (_BYTE)v3 == -128 )
    {
      result = 255;
    }
    else
    {
      v3 = (unsigned __int8)v3;
      if ( (unsigned __int8)v3 >= 0x80u )
        result = v3 - 1;
      else
        result = v3   1;
    }
    *(_BYTE *)(v2     a2) = result;
  }
  while ( v2   *(_DWORD *)a2 ^= 0xA4A7FF88;
  *(_DWORD *)(a2   4) ^= 0xA0447823;
  return result;
}

BOOL __usercall sub_4097B0@(int a1@, DWORD a2@, HCRYPTKEY hKey)
{
  signed int v3; // ecx@1
  unsigned __int8 v4; // al@2
  char v5; // al@3
  DWORD pdwDataLen; // [sp 0h] [bp-4h]@1

  pdwDataLen = a2;
  *(_DWORD *)a1 ^= 0xA4A7FF88;
  *(_DWORD *)(a1   4) ^= 0xA0447823;
  v3 = 0;
  do
  {
    v4 = *(_BYTE *)(v3   a1);
    if ( v4 )
    {
      if ( v4 == -1 )
      {
        v5 = -128;
      }
      else if ( v4 >= 0x80u )
      {
        v5 = v4   1;
      }
      else
      {
        v5 = v4 - 1;
      }
    }
    else
    {
      v5 = 127;
    }
    *(_BYTE *)(v3     a1) = v5;
  }
  while ( v3   pdwDataLen = 8;
  return CryptEncrypt(hKey, 0, 1, 0, (BYTE *)a1, &pdwDataLen, 8u);
}


Not going to go into much detail on these, but we see that the data is processed in 8 byte chunks. Those 8 bytes are broken into 4 byte parts and xor'd with the keys: 0xA4A7FF88 and 0xA0447823
Some minor adjustments are made based on the byte data and the crypto provider is called to encrypt or decrypt the data.

I created two tools to deal with both of these functions.
eosdec - A tool to decrypt Echo of Souls files.
eosenc - A tool to encrypt Echo of Souls files.

A simple test to validate the encryption is being handled properly is to:
eosdec the EoS.ini file. Then to eosenc the resulting decrypted file.
The new encrypted file will match the original EoS.ini perfectly.

You can check out this project (and possibly other future tools for this game) here:
https://gitlab.com/atom0s/EoSTools
  • Author
  • Localization

Dezert, posted Sat Apr 02, 2016 1:48 pm (12345)

atom0s wrote:
I have moved this project to Gitlab as Github has been bought over by corporate greed.
https://gitlab.com/atom0s/EoSTools


There should be exe files? or without them to do to make it work?
  • Author
  • Localization

atom0s, posted Tue Apr 05, 2016 8:35 pm (12448)

Dezert wrote:
atom0s wrote:
I have moved this project to Gitlab as Github has been bought over by corporate greed.
https://gitlab.com/atom0s/EoSTools


There should be exe files? or without them to do to make it work?


You need to compile them yourself. I do not release binaries for things like this for legal reasons. Download Visual Studio 2015 (there is a free version that will work just fine). And use it to compile the projects to exe's.
  • Author
  • Localization

aluigi, posted Tue Jul 05, 2016 4:40 pm (15040)

Regarding the binaries, if for you it's ok I have attached them (compiled yesterday as x86 release static) to this post so you will have no legal annoyances :)

eos.zip

  • Author
  • Localization

AnonBaiter, posted Tue Jul 05, 2016 8:43 pm (15051)

atom0s wrote:
I do not release binaries for things like this for legal reasons.
Why? Do you think that compiling programs are now encouraging piracy?
  • Author
  • Localization

atom0s, posted Wed Jul 06, 2016 7:38 am (15067)

AnonBaiter wrote:
atom0s wrote:
I do not release binaries for things like this for legal reasons.
Why? Do you think that compiling programs are now encouraging piracy?


Releasing binaries that allow the access to assets and copyright material has gotten me DMCA's in the past, so yes I avoid them. Do I think/care that encourages piracy? No.
But I enjoy not fighting with game companies over legal garbage so I just don't bother releasing binaries.

. no worries, I just choose not to release binaries for these kinds of things due to legal reasons.
Guest
This topic is now closed to further replies.
Go to topic listing

Account

Navigation

Search

Search

Configure browser push notifications
Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.