Destiny 2 PKG

aluigi, posted Fri Aug 25, 2017 9:38 pm (25878)


The data is encrypted probably with blowfish or xtea, so there is not much to do without the algorithm and the key.
This is the work-in-progress script, which means that you CANNOT use it but it's useful to me or other people when the problem with the encryption is solved:
Code:
comtype oodle   # ???
goto 0xd0
get FILES long
get INFO_OFF long
goto INFO_OFF
for i = 0 < FILES
    get OFFSET long
    get ZSIZE long
    get SIZE long
    get SOME_CRC long
    getdstring ZHASH 16
    getdstring HASH 16
    encryption ??? ???
    if SIZE == 0
        log "" OFFSET ZSIZE
    else
        clog "" OFFSET ZSIZE SIZE
    endif
next i

Just for the record, there was a topic for Destiny 1 but I don't know if the format (and encryption) is the same... anyway there was no solution so it's useless:
viewtopic.php?t=134

Ehnoah, posted Sat Aug 26, 2017 12:48 am (25883)


Destiny 2 got a super crazy protection, so it might not be easy to get the key from the client; also, binary files are not shipped yet. So I assume we have to wait for the beta to start to dig around for the key.

Ehnoah, posted Sat Aug 26, 2017 6:12 am (25888)


I'm currently working to get the Take Home Client :) which contains the full game. I had someone at Blizzard who can share the key, but not sure if they can do that on DST2 as well?

Ehnoah, posted Tue Aug 29, 2017 7:34 am (26017)


Ernegien wrote:
Feel free to borrow against my research ;) We'll probably have to wait for the game's exe to drop in order to harvest the decryption information unfortunately.

https://github.com/Ernegien/Destiny2ool ... 2ools.Core



Binaries are up. You got hands on?

toxic72, posted Tue Aug 29, 2017 6:24 pm (26026)


So far:

Game has AES and 3DES encryption, the only two found so far.
Several hash algorithms: SHA1, SHA256, MD5, MurMur3, CRC32, Tiger192.
Game still uses Oodle, specifically the LZ variant.
Edit: In addition to Oodle, ZLib is also statically linked to the application.

The following is the only AES key present "5e5b3fcccc60c298c3266226de660799505f9475fc1ba4c1be68f6864c0a0356"

There are at least two separate chunk flags besides uncompressed, most likely encryption, and encryption compression (values 3 and 7) in the 3rd byte of chunk flags.
When the third flag is set, there are an additional 16 bytes after the chunk hash. Also to note, each encrypted chunk in the same package starts with the same bytes.

aluigi, posted Tue Aug 29, 2017 10:16 pm (26030)


Do you have a confirmation of that aes key?
It still gives garbage data when used with aes on the bytes at offset 0x800

toxic72, posted Tue Aug 29, 2017 10:39 pm (26035)


aluigi wrote:
Do you have a confirmation of that aes key?
It still gives garbage data when used with aes on the bytes at offset 0x800


I'm pretty sure the bytes at 0x800 are an RSA signature verification block.

Edit: Looks like Oodle in D2 is using a hardcoded max block size of 0x40000.

Main package routine: sub_7FF700E7F020, SHA1 verification: sub_7FF700E7FFA0

aluigi, posted Tue Aug 29, 2017 11:16 pm (26036)


Can you provide an example with the samples provided in the previous posts?
Here I used the following with w64_pvp_0159_0.pkg but still no luck:
Code:
encryption aes "\x5e\x5b\x3f\xcc\xcc\x60\xc2\x98\xc3\x26\x62\x26\xde\x66\x07\x99\x50\x5f\x94\x75\xfc\x1b\xa4\xc1\xbe\x68\xf6\x86\x4c\x0a\x03\x56"
log "dump.dat" 0x2800 0xd30

toxic72, posted Tue Aug 29, 2017 11:31 pm (26037)


aluigi wrote:
Can you provide an example with the samples provided in the previous posts?
Here I used the following with w64_pvp_0159_0.pkg but still no luck:
Code:
encryption aes "\x5e\x5b\x3f\xcc\xcc\x60\xc2\x98\xc3\x26\x62\x26\xde\x66\x07\x99\x50\x5f\x94\x75\xfc\x1b\xa4\xc1\xbe\x68\xf6\x86\x4c\x0a\x03\x56"
log "dump.dat" 0x2800 0xd30


I never got the AES key to work, it was just found when debugging the game. I'm not sure what it's used for yet. However, as I said previously, all enc blocks start with the same bytes, *in each package itself*, so it's possible it's a single key per package.

Edit: Just the first two bytes of each encrypted block, in each package, are the same.
Edit2: Scratch that, variable length bytes at the start of each enc block are the same, found some with two and some with three so far.

apollon08170, posted Wed Aug 30, 2017 9:35 am (26050)


The download OpenBeta is available for all on Blizzard App. :mrgreen:

apollon08170, posted Wed Aug 30, 2017 9:41 am (26052)


aluigi wrote:
Can you provide an example with the samples provided in the previous posts?
Here I used the following with w64_pvp_0159_0.pkg but still no luck:
Code:
encryption aes "\x5e\x5b\x3f\xcc\xcc\x60\xc2\x98\xc3\x26\x62\x26\xde\x66\x07\x99\x50\x5f\x94\x75\xfc\x1b\xa4\xc1\xbe\x68\xf6\x86\x4c\x0a\x03\x56"
log "dump.dat" 0x2800 0xd30



Decryptable with Hashcat?

toxic72, posted Wed Aug 30, 2017 3:42 pm (26061)


Looks like the encryption is called "fang". Ever heard of it?

https://paste.md-5.net/wexomefaxo.cpp

This is run per block entry, and it always checks for fang first; if not, it just copies to the buffer (v52) which is then used for decompression. (Oodle)

Fusion_, posted Thu Aug 31, 2017 6:01 pm (26123)


Little FYI: move your Destiny 2 folder to a safe location before opening Blizzard Launcher since it will delete ALL the game files (because the beta ended)

marn, posted Thu Aug 31, 2017 7:08 pm (26126)


Hello!

I've been doing some digging into the unpacking method used.

destiny2.exe decrypts and opens the \packages\w64_client_bootstrap_unp1_0.pkg
The decryption is being handled by the \bin\x64\oo2core_3_win64.dll

The decrypting thread callstack:
Code:
 # Child-SP          RetAddr           : Args to Child                                                           : Call Site
00 000000c2`9c3ff858 00007fff`fd73988f : 00000000`00000008 00000000`00000004 00000004`fbee05c6 000005c6`00000013 : ntdll!NtWaitForSingleObject+0x14
01 000000c2`9c3ff860 00007ff7`b81bbfd2 : 000001db`843406f0 000001db`85792e48 00000013`00000000 00000000`00000548 : KERNELBASE!WaitForSingleObjectEx+0x9f
02 000000c2`9c3ff900 00007ff7`b8170b36 : ffffffff`20c00006 000001db`00000001 000001db`85792cf0 000001db`857921a0 : destiny2!opus_get_version_string+0x3388e2
03 000000c2`9c3ff930 00007ff7`b8170b8a : 000001db`8578d800 ffffffff`00000004 0000ffff`00000001 00007ff7`b99c7898 : destiny2!opus_get_version_string+0x2ed446
04 000000c2`9c3ff960 00007ff7`b81a3413 : 000001db`8573d780 000001db`00000004 000000c2`9c3ff9c0 00000000`0000000a : destiny2!opus_get_version_string+0x2ed49a
05 000000c2`9c3ff990 00007ff7`b816b762 : 000001db`85792e40 00000000`00000004 00000000`00000000 00007ff7`b8153f04 : destiny2!opus_get_version_string+0x31fd23
06 000000c2`9c3ffab0 00007ff7`b816ec89 : 000001db`8573d780 00000000`00000004 00000000`00000010 00000000`00000012 : destiny2!opus_get_version_string+0x2e8072
07 000000c2`9c3ffb30 00007ff7`b81a3758 : 00000000`00010004 00007ff7`b81bd525 000001dc`5eca7fb0 00007ff7`b99c78bc : destiny2!opus_get_version_string+0x2eb599
08 000000c2`9c3ffb60 00007ff7`b81a380f : 00007ff7`b99c7898 00007ff7`b99c7898 00000000`00000000 00007ff7`b81a3780 : destiny2!opus_get_version_string+0x320068
09 000000c2`9c3ffba0 00007fff`ffcf2774 : 00007ff7`b99c7898 00000000`00000000 00000000`00000000 00000000`00000000 : destiny2!opus_get_version_string+0x32011f
0a 000000c2`9c3ffbe0 00007ff8`00610d51 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14
0b 000000c2`9c3ffc10 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


oo2core_3_win64.dll relative functions:
Code:
Name    Address    Ordinal
OodleLZ_Decompress 000000018005F8B0 18
OodleLZDecoder_DecodeSome 000000018005E180 2


Still a WIP, but the key has to be stored here somewhere :)

Ehnoah, posted Thu Aug 31, 2017 8:20 pm (26127)


Did you also record the launch process maybe?

I know it is:

destiny2.exe -uid Destiny2
"C:\Program Files (x86)\Blizzard App\Battle.net.9262\Loader64.exe" 11048 "C:\Program Files (x86)\Blizzard App\Battle.net.9262\bzrclient64.dll"

Where 11048 is the process ID. However, it seems not to work, so I'm missing one step.

aluigi, posted Thu Aug 31, 2017 9:25 pm (26129)


@marn
oodle is only for decompression, the data you have there has been already decrypted somewhere else

marn, posted Thu Aug 31, 2017 9:26 pm (26130)


aluigi wrote:
@marn
oodle is only for decompression, the data you have there has been already decrypted somewhere else


Yup :(

Trying to further debug the .exe but they have pretty good anti-debugging checking in the GFSDK_Aftermath_lib.dll

masterx244, posted Fri Sep 01, 2017 12:07 pm (26144)


marn wrote:
aluigi wrote:
@marn
oodle is only for decompression, the data you have there has been already decrypted somewhere else


Yup :(

Trying to further debug the .exe but they have pretty good anti-debugging checking in the GFSDK_Aftermath_lib.dll

Send a bunch of thanks to NVidia for that file

Sir Kane, posted Fri Sep 01, 2017 2:14 pm (26146)


It's AES-GCM with one of two static 128 bit keys (a flag in the block table entry indicates which to use). The 12 byte nonce is initialized using some static data, then modified with package ID and a constant that matches the pkg version or whatever it is. The authentication tag is the last 16 bytes in the block table entry.

I've managed to decrypt and decompress some data earlier and just need to make a usable tool.

Attached the source for a simple extraction tool with the keys and nonce stripped.

SourcePublic_v2.cpp
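
An added illustration, not taken from SourcePublic_v2.cpp or from any poster's code: AES-128-GCM with a detached 16-byte tag and one nonce per package, as described in the post above, using only Go's standard library. The keys, base nonce, package IDs, block contents and the XOR mixing of the package ID are constructed assumptions; the example shows that a per-package nonce gives every block in a package the same keystream, which would produce the shared leading bytes reported earlier in the thread, and that the tag rejects a modified block or the wrong key flag.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed stand-ins, not the game's values. keyFlag mirrors the block-table flag picking a key.
var keys = [2][]byte{bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 16)}
var baseNonce = bytes.Repeat([]byte{0xA5}, 12)

// packageNonce mixes the package ID into the static 12 bytes (XOR is an assumption).
func packageNonce(pkgID uint16) []byte {
	n := append([]byte(nil), baseNonce...)
	n[0] ^= byte(pkgID)
	n[1] ^= byte(pkgID >> 8)
	return n
}

func gcmFor(keyFlag int) cipher.AEAD {
	blk, err := aes.NewCipher(keys[keyFlag])
	if err != nil {
		panic(fmt.Sprintf("key %d: %v", keyFlag, err))
	}
	g, err := cipher.NewGCM(blk)
	if err != nil {
		panic(err)
	}
	return g
}

// sealBlock returns the ciphertext and the detached 16-byte tag kept in the block table entry.
func sealBlock(keyFlag int, pkgID uint16, plain []byte) (ct, tag []byte) {
	out := gcmFor(keyFlag).Seal(nil, packageNonce(pkgID), plain, nil)
	return out[:len(plain)], out[len(plain):]
}

// openBlock re-attaches the tag; Open returns an error instead of plaintext on any mismatch.
func openBlock(keyFlag int, pkgID uint16, ct, tag []byte) ([]byte, error) {
	joined := append(append([]byte(nil), ct...), tag...)
	return gcmFor(keyFlag).Open(nil, packageNonce(pkgID), joined, nil)
}

func main() {
	a, _ := sealBlock(0, 0x0159, []byte("\x8c\x06\x00block one"))
	b, _ := sealBlock(0, 0x0159, []byte("\x8c\x06\x00block two"))
	fmt.Println("same-package ciphertext prefix equal:", bytes.Equal(a[:3], b[:3]))
}
```

With one nonce per package every block shares a keystream; a design that needs GCM's full guarantees derives a distinct nonce for each block.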


Ginsor, posted Mon Sep 04, 2017 1:51 pm (26238)


Sir Kane wrote:
It's AES-GCM with one of two static 128 bit keys (a flag in the block table entry indicates which to use). The 12 byte nonce is initialized using some static data, then modified with package ID and a constant that matches the pkg version or whatever it is. The authentication tag is the last 16 bytes in the block table entry.

I've managed to decrypt and decompress some data earlier and just need to make a usable tool.

Attached the source for a simple extraction tool with the keys and nonce stripped.


works like a charm! honestly, that is great work on how quick you managed to find out how the decryption works.
now i assume a specific amount of files will add up to one "real" file? like if i extracted 10 files with 1kb each they would have to be merged in order to be complete?

toxic72, posted Mon Sep 04, 2017 2:49 pm (26241)


Ginsor wrote:
Sir Kane wrote:
It's AES-GCM with one of two static 128 bit keys (a flag in the block table entry indicates which to use). The 12 byte nonce is initialized using some static data, then modified with package ID and a constant that matches the pkg version or whatever it is. The authentication tag is the last 16 bytes in the block table entry.

I've managed to decrypt and decompress some data earlier and just need to make a usable tool.

Attached the source for a simple extraction tool with the keys and nonce stripped.


works like a charm! honestly, that is great work on how quick you managed to find out how the decryption works.
now i assume a specific amount of files will add up to one "real" file? like if i extracted 10 files with 1kb each they would have to be merged in order to be complete?


No, the way the game works is all of the entry data is concatenated into blocks. Those blocks were encrypted / compressed (Encryption = AES, Decompress = Oodle). The entry table points to entries within the final decompressed block buffer, so, all of the entries you see are single file entries for each package file. Pretty simple format, pretty similar to Destiny 1's package format.

sanktanglia, posted Fri Sep 15, 2017 4:37 am (26516)


What sort of data is available in the decrypted chunks? is there anything like item/ability/etc data or is it all just assets? and any hints on where to look for the nonce?
This topic is now closed to further replies.
