PKO online Pak password (????)


Shine, posted Wed Feb 18, 2015 3:52 pm (3260)


I am trying to find the password of this game following Luigi's tutorial.
web: http://pko.91play.com.tw/

Here is my step by step walk-through:
1. run ollydbg.exe
2. run loader.exe
3. in cmd "signsrch -P loader.exe"
4. found the address handling the crypto at 0x47fadd
5. in ollydbg debugger, attach loader.exe process
6. in cmd "quickbms -p -a 0x47fadd int3.bms process://loader.exe"
7. when it breaks, I can't find any ASCII string or anything similar?

PS: I am sure the package is a modified zip with a "UZ" signature.
CRC, csize and usize are removed from the 0304 header but they are in the 0708 block.
Filenames are simply XORed with 0xB2.

samples: http://www.mediafire.com/download/kvv47 ... O_Mini.rar

Help, please!

aluigi, posted Wed Feb 18, 2015 4:55 pm (3263)


Put the int3 breakpoint at address 0x47fafd and check the string pointed by the EDX register.

Shine, posted Thu Feb 19, 2015 8:45 am (3273)


Sorry Luigi!
Now my ollydbg won't even break!?
Here is a video I recorded of what I did. Please help again!
http://youtu.be/RjZdX56IYDQ

Thank you very much.

Shine, posted Fri Feb 20, 2015 7:50 am (3284)


Can anyone help to find the password, please!

aluigi, posted Fri Feb 20, 2015 12:02 pm (3287)


In the first post you said that olly breaks at the first address (0x47fadd instead of 0x47fafd), are you sure?
You can set breakpoints also from olly.

Ekey, posted Fri Feb 20, 2015 3:58 pm (3293)


The breakpoint fails because this part of the code has already passed by the time you attach.

1) Run Olly
2) Open Loader.exe
3) Go to offset 0x47fadd (CTRL G)
4) Set breakpoint (F3)
5) Run target (F9)
6) Wait until olly stops on the breakpoint

Shine, posted Sat Feb 21, 2015 8:54 am (3313)


Thanks Luigi and Ekey.
I am a n00b!

I tried it from the first post again, and it does not break either!
I must have been doing something wrong the first time! Sorry.
But that time I got something like this: 0368F250 029F5D18 ASCII "hTemp/exe/game/cpkl\"
but the password was not right.

So what can I do now?
Thank you for reading.

aluigi, posted Sat Feb 21, 2015 11:18 am (3318)


Have you tried to run the game?
That one is just a loader, which should have no reason to read the content of the files, only to patch them.

Shine, posted Wed Feb 25, 2015 8:17 am (3455)


Today I am trying to run the game and find the pw.

I run loader.exe and wait for the update to complete, and it goes into the game.
From task manager, I found the process is pko.exe.
I run "signsrch -P pko.exe" and get the address 0xb6a62d of the function where the ZipCrypto password is handled.
I run ollydbg and attach pko.exe, press Ctrl-G and go to offset 0xb6a62d, then press F2 to set a breakpoint.

Now ollydbg keeps breaking at that point and only "d!" is shown.
I tested the pw "d!" and it is wrong!?

please help!

The client can be downloaded from here: http://download.pko.91play.com.tw/91pla ... 150112.zip

aluigi, posted Wed Feb 25, 2015 10:54 am (3459)


You are very close to the solution.
Now press F8 various times and the debugger will go to the next instructions.
After the address 0x0b6a64a take a look at the EDX register because the password should be there.

Shine, posted Thu Feb 26, 2015 7:57 pm (3483)


Sorry for my n00bness, I still can't find the password!
After the address 0x0b6a64a, the EDX value changed.
It shows 0x04a22828. But no ASCII?

aluigi, posted Thu Feb 26, 2015 8:47 pm (3485)


Ok, right-click on EDX and select "Follow in Dump".
The data pointed to by the register will be visible in the Dump window (the bottom-left one).

Shine, posted Fri Feb 27, 2015 9:59 am (3494)


Still no luck getting the password!? :evil:
I can only see the filename in ASCII. :cry:

Here is what I did!
http://youtu.be/ln5pz_aqS-A

aluigi, posted Fri Feb 27, 2015 11:21 am (3496)


The password is the one you see in the Dump window: "\x26\x3a\x4a\x52\x56\x52\x4a\x05\x5e\xaa\xba\x26\xe0\x24"

You can test it in quickbms using the following code:
Code:
get SIZE asize

encryption zipcrypto "\x26\x3a\x4a\x52\x56\x52\x4a\x05\x5e\xaa\xba\x26\xe0\x24"
log dump0.dat 0 SIZE

encryption zipcrypto "\x26\x3a\x4a\x52\x56\x52\x4a\x05\x5e\xaa\xba\x26\xe0\x24" 1
log dump1.dat 0 SIZE


Open the results with a hex editor and run offzip on them to check if they have been correctly decrypted.

It's not the first time that a game uses a non-textual key (like Virtual RC Racing).

In my opinion it probably uses a different key for each archived file, probably generated at runtime or taken from a field of the archive.
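The non-textual key above, as an added example that is not from the thread, from quickbms or from the game: a minimal implementation of the traditional PKWARE ZipCrypto scheme in Python that takes the password as raw bytes, which is why a textual guess like "d!" fails and why the 14-byte key has to be fed in byte for byte. The plaintext and the eleven-byte header prefix are constructed values; the only value taken from the page is the key.

```python
import zlib

# Added example, not from the thread: a minimal PKWARE "traditional" ZipCrypto
# (APPNOTE 6.1) that takes the password as raw bytes, so the non-textual key
# quoted above can be tried exactly as the game uses it.
PKO_KEY = b"\x26\x3a\x4a\x52\x56\x52\x4a\x05\x5e\xaa\xba\x26\xe0\x24"

def _crc32_step(crc, byte):
    # APPNOTE's crc32(oldcrc, c) is one raw table step; undo zlib's pre/post inversion.
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

def _update_keys(keys, byte):
    k0, k1, k2 = keys
    k0 = _crc32_step(k0, byte)
    k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
    k2 = _crc32_step(k2, k1 >> 24)
    return [k0, k1, k2]

def _init_keys(password):
    keys = [0x12345678, 0x23456789, 0x34567890]
    for b in password:  # each key byte is consumed as-is, 0x05 and 0xAA included
        keys = _update_keys(keys, b)
    return keys

def _keystream_byte(keys):
    t = (keys[2] | 2) & 0xFFFF
    return ((t * (t ^ 1)) >> 8) & 0xFF

def zipcrypto_encrypt(plain, password, prefix=b"\x00" * 11):
    # 12-byte encryption header = 11 arbitrary bytes + check byte (CRC32 high byte).
    keys = _init_keys(password)
    out = bytearray()
    for c in prefix + bytes([zlib.crc32(plain) >> 24]) + plain:
        out.append(c ^ _keystream_byte(keys))
        keys = _update_keys(keys, c)  # the keys advance on the plaintext byte
    return bytes(out)

def zipcrypto_decrypt(data, password):
    # Returns the plaintext, or None when the header check byte disagrees with the
    # CRC32 of what was recovered (wrong key, with a 1/256 chance of a false pass).
    keys = _init_keys(password)
    out = bytearray()
    for c in data:
        p = c ^ _keystream_byte(keys)
        keys = _update_keys(keys, p)
        out.append(p)
    check, plain = out[11], bytes(out[12:])
    return plain if check == zlib.crc32(plain) >> 24 else None
```

The check byte screens a candidate key cheaply before running offzip on the output; since it passes a wrong key once in 256 tries, a successful decompression remains the final confirmation.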