This topic was archived here:

https://web.archive.org/web/20230000000000fw_/https://www.zenhax.com/viewtopic.php?t=13623

3fb6601e-f154, posted Wed May 13, 2020 10:50 pm (56724)

---

Hello.

This is more of a an education type question. 888 Poker (old client) uses a few files for client operation (.cxm and .cqs). QuickBMS has a script to decrypt this here:

https://aluigi.altervista.org/bms/888.bms

I have written an open source script using this Xor Byte Key and I am able to get the contents of the files to match both an executable that does the same thing, and the output of quickbms. However, my question becomes, how was this key discovered? Here are links to two files that are decrypted with the xor byte key:

Theme files:
https://1drv.ms/u/s!AjR_Gb6uQ7I9gmAHuFv ... G?e=jFHwMy
https://1drv.ms/u/s!AjR_Gb6uQ7I9gmEylWc ... a?e=FaOZft

If we need the executable, I can upload as well. Since the XOR Byte key is known, I'm more interested in the process, as there are numerous other poker clients I'd like to try and mod. Thanks!

aluigi, posted Thu May 14, 2020 12:37 pm (56738)

---

I guess I already replied by email.
It was found by debugging the software, when the program tries to read the file it first decrypt it and it's easy to intercept the decryption function.
Even statical analysis work, moreover with simple encryptions like this.

3fb6601e-f154, posted Thu May 14, 2020 1:27 pm (56748)

---

aluigi,

Correct. I just wanted to make a public post that details this in case anyone else was curious and so we wouldn't go back and forth in email. I cracked open the software in IDA Pro but I was very confused following the program logic, especially when it starts to thread. Should I attach the disassembler to the actual PID? do I even need to run the software to see this in action?

I attempted to crack open cxmConverter.exe (a program written by the author of 888caption), and I set a breakpoint on readfile/writeFile functions. however, all I see is assembly commands, the file descriptor opening, and then the file is written. This is my first attempt at reverse engineering a binary so please bear with me. Are there any other tips you can recommend?

aluigi, posted Thu May 14, 2020 1:39 pm (56749)

---

Just a note is that maybe now the software use anti debugging protections, obfuscation and so on, so doing the job years ago is definitely more easy.

Usually the procedure is the one you mention with a breakpoint on the memory read via ReadFile and then following the operations performed on it.

For this work may also be useful to use a tool of mine called offbreak that automatize most of the work and it does a good job even with software adopting anti debugging techniques.

gisselletdean, posted Mon Mar 06, 2023 1:25 pm (75713)

---

That's an interesting question. It's possible that the XOR byte key was discovered through reverse engineering or other hacking techniques. However, I'm not an expert in this area, so I'm not sure. Have you tried contacting the creators of QuickBMS or the executable you mentioned to see if they have any insights? Also, have you checked online forums or communities dedicated to modding or hacking poker clients? They might have more information on this topic. Good luck with your modding endeavors, and remember to take breaks and enjoy some free casino games occasionally. It should work out for you.

julietlock, posted Tue Apr 04, 2023 9:00 pm (76223)

---

Any update?

CaslRock, posted Tue Apr 04, 2023 9:01 pm (76225)

---

It's interesting to see a file conversion project going on for old poker files from 888. It's always nice to access old files and data that may have otherwise been lost or forgotten.
I'm not very familiar with file conversion on this site, as I gamble at w88, but I appreciate the efforts of the ZenHAX community to work on this project and make the process more accessible to others. Thanks for sharing!