rfc2898 derive bytes

chrrox, posted Sun Aug 09, 2020 2:40 am (57970)


Does quickbms support this encryption?
https://docs.microsoft.com/en-us/dotnet ... etcore-3.1
I found a Unity game using this.

Code:
undefined8 AESCryption$$Decryption(longlong param_1)

{
  code *pcVar1;
  int iVar2;
  longlong *plVar3;
  longlong *plVar4;
  undefined8 uVar5;
  longlong lVar6;
 
  if (DAT_181b54bdf == '\0') {
                    /* WARNING: Subroutine does not return */
    FUN_1801e6140(3);
  }
  plVar3 = (longlong *)FUN_180225950(System.Security.Cryptography.RijndaelManaged_TypeInfo);
  System.Security.Cryptography.RijndaelManaged$$.ctor(plVar3,0);
  if (plVar3 != (longlong *)0x0) {
    (**(code **)(*plVar3 + 0x218))(plVar3,0x100,*(undefined8 *)(*plVar3 + 0x220));
    (**(code **)(*plVar3 + 0x198))(plVar3,0x100,*(undefined8 *)(*plVar3 + 0x1a0));
    plVar4 = (longlong *)System.Text.Encoding$$get_UTF8(0);
    if (plVar4 != (longlong *)0x0) {
      uVar5 = (**(code **)(*plVar4 + 0x238))
                        (plVar4,StringLiteral_7505,*(undefined8 *)(*plVar4 + 0x240));
      plVar4 = (longlong *)FUN_180225950(System.Security.Cryptography.Rfc2898DeriveBytes_TypeInfo);
      System.Security.Cryptography.Rfc2898DeriveBytes$$.ctor(plVar4,StringLiteral_7506,uVar5,0);
      if (plVar4 != (longlong *)0x0) {
        System.Security.Cryptography.Rfc2898DeriveBytes$$set_IterationCount(plVar4,1000,0);
        iVar2 = (**(code **)(*plVar3 + 0x208))(plVar3,*(undefined8 *)(*plVar3 + 0x210));
        uVar5 = (**(code **)(*plVar4 + 0x178))
                          (plVar4,(ulonglong)(uint)((int)((iVar2 >> 0x1f & 7U) + iVar2) >> 3),
                           *(undefined8 *)(*plVar4 + 0x180));
        (**(code **)(*plVar3 + 0x1e8))(plVar3,uVar5,*(undefined8 *)(*plVar3 + 0x1f0));
        iVar2 = (**(code **)(*plVar3 + 0x188))(plVar3,*(undefined8 *)(*plVar3 + 400));
        uVar5 = (**(code **)(*plVar4 + 0x178))
                          (plVar4,(ulonglong)(uint)((int)((iVar2 >> 0x1f & 7U) + iVar2) >> 3),
                           *(undefined8 *)(*plVar4 + 0x180));
        (**(code **)(*plVar3 + 0x1c8))(plVar3,uVar5,*(undefined8 *)(*plVar3 + 0x1d0));
        lVar6 = (**(code **)(*plVar3 + 0x288))(plVar3,*(undefined8 *)(*plVar3 + 0x290));
        if ((param_1 != 0) && (lVar6 != 0)) {
          uVar5 = FUN_1800d3b50(4,System.Security.Cryptography.ICryptoTransform_TypeInfo,lVar6,
                                param_1,0,*(undefined4 *)(param_1 + 0x18));
          FUN_1800a65e0(0,System.IDisposable_TypeInfo,lVar6);
          return uVar5;
        }
      }
    }
  }
  FUN_180214910(0);
  pcVar1 = (code *)swi(3);
  uVar5 = (*pcVar1)();
  return uVar5;
}



StringLiteral_7505 = UIPApbOu
StringLiteral_7506 = Zn2HpaJxv2x23zME

aluigi, posted Sun Aug 09, 2020 8:34 am (57975)


Honestly, no idea.
I have a PKCS5_PBKDF2_HMAC in quickbms but I guess it's used for hashing.
You can check if openssl or tomcrypt have something similar using different names.

chrrox, posted Sun Aug 09, 2020 12:08 pm (57979)


That might be it. Do you have an example of using PKCS5_PBKDF2_HMAC?

chrrox, posted Sun Aug 09, 2020 12:40 pm (57980)


This function is in the game's dll file.
Can I call this function in quickbms?
It is not in the export list. Can I tell quickbms to call the function at an offset?

chrrox, posted Sun Aug 09, 2020 4:41 pm (57987)


I found the original code used for encryption.
https://pastebin.com/raw/jzd3c8jC
If I use Zn2HpaJxv2x23zME as password with UIPApbOu as the salt it decrypts correctly.
It would be great to get this working in quickbms instead of in unity editor.
Here is a sample encrypted and decrypted file.
https://anonfiles.com/ndL1z1L6o2/item_k ... uniform_7z

aluigi, posted Fri Aug 21, 2020 9:17 am (58232)


chrrox wrote:
This function is in the game's dll file.
Can I call this function in quickbms?
It is not in the export list. Can I tell quickbms to call the function at an offset?

You can't call .NET functions.

chrrox, posted Fri Aug 21, 2020 3:56 pm (58250)


I generated the key and ivec outside of quickbms, just need to figure out how to generate them inside quickbms.

In Python:

Code:
import hashlib
hashlib.pbkdf2_hmac('sha1', b'Zn2HpaJxv2x23zME', b'UIPApbOu', 1000, dklen=64)  # 64 bytes: 32-byte key, then 32-byte IV (default is only 20)


Then this works fine inside quickbms.

Code:
set KEY binary "\x48\xBB\x42\xFC\xCA\xD8\x2F\x25\x00\x4E\xBD\x97\xDE\xD7\x4D\x6F\x80\xE0\xAB\x8C\x5A\x15\x29\x7C\xD6\xD4\xBF\xCC\xF0\xCF\x8E\x54"
set IV  binary "\x91\xDA\xF0\xD7\xA3\xA5\x8F\x3C\x49\xE2\x94\x38\xDD\x6B\xD9\x4A\x00\xA2\xF1\x7C\xA5\xF7\x16\x27\xEB\x0F\x61\x1B\xE0\xA3\xF7\xC8"

encryption mcrypt_rijndael-256_cbc KEY IV

get SIZE asize
log NAME 0 SIZE
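
An added example, not part of any post in this thread: a Python sketch of how the two successive derive calls in the decompiled function map onto one PBKDF2-HMAC-SHA1 output stream, so the key is bytes 0-31 and the IV is bytes 32-63. The names `Rfc2898Stream` and `derive_key_iv` are hypothetical, and the 256-bit key and block sizes are an assumption read from the two `0x100` arguments in the decompilation.

```python
import hashlib
import hmac
import struct


class Rfc2898Stream:
    """PBKDF2-HMAC-SHA1 exposed as a byte stream (hypothetical helper)."""

    def __init__(self, password: bytes, salt: bytes, iterations: int = 1000):
        self.password, self.salt, self.iterations = password, salt, iterations
        self.block_index = 1   # PBKDF2 block counter i, starts at 1
        self.buffer = b""      # derived bytes not yet handed out

    def _next_block(self) -> bytes:
        # T_i = U_1 xor U_2 xor ... xor U_c, with U_1 = HMAC(P, S || INT(i))
        u = hmac.new(self.password,
                     self.salt + struct.pack(">I", self.block_index),
                     hashlib.sha1).digest()
        t = int.from_bytes(u, "big")
        for _ in range(self.iterations - 1):
            u = hmac.new(self.password, u, hashlib.sha1).digest()
            t ^= int.from_bytes(u, "big")
        self.block_index += 1
        return t.to_bytes(20, "big")   # SHA-1 gives 20 bytes per block

    def get_bytes(self, count: int) -> bytes:
        # Each call continues where the previous one stopped.
        while len(self.buffer) < count:
            self.buffer += self._next_block()
        out, self.buffer = self.buffer[:count], self.buffer[count:]
        return out


def derive_key_iv(password: bytes, salt: bytes, iterations: int = 1000,
                  key_bits: int = 256, block_bits: int = 256):
    """Same order as the decompilation: KeySize/8 bytes, then BlockSize/8."""
    kdf = Rfc2898Stream(password, salt, iterations)
    key = kdf.get_bytes(key_bits // 8)
    iv = kdf.get_bytes(block_bits // 8)
    return key, iv


if __name__ == "__main__":
    key, iv = derive_key_iv(b"Zn2HpaJxv2x23zME", b"UIPApbOu")
    print("KEY", key.hex())
    print("IV ", iv.hex())
```

Because the password, salt and iteration count are all constants in the binary, the derived key and IV are identical on every run and for every copy of the game.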

aluigi, posted Fri Aug 21, 2020 4:22 pm (58252)


Great.
You just need the secret and salt field that is taken by that AESConfig resource.

*edit* ah ok I guess your python code is the generator, gotcha

aluigi, posted Fri Aug 21, 2020 4:26 pm (58253)


Here we go, both key and IV in the result:
Code:
encryption PKCS5_PBKDF2_HMAC_sha1 "Zn2HpaJxv2x23zME" "UIPApbOu" 1000
print "%QUICKBMS_HEXHASH%"

aluigi, posted Fri Aug 21, 2020 4:33 pm (58254)


I think this code is complete, you just need to specify the offset:
Code:
encryption PKCS5_PBKDF2_HMAC_sha1 "Zn2HpaJxv2x23zME" "UIPApbOu" 1000

log MEMORY_FILE 0 0
putdstring QUICKBMS_HASH 64 MEMORY_FILE
goto 0 MEMORY_FILE
getdstring KEY 32 MEMORY_FILE
getdstring IV 32 MEMORY_FILE

encryption mcrypt_rijndael-256_cbc KEY IV 0 32
math OFFSET = ???
get SIZE asize
math SIZE - OFFSET
log "dump.dat" OFFSET SIZE

Probably I will add Rfc2898DeriveBytes to next quickbms

chrrox, posted Fri Aug 21, 2020 10:17 pm (58265)


aluigi wrote:
Probably I will add Rfc2898DeriveBytes to next quickbms

Very cool.
Here is that sample extracted first.
Unity stores the file compressed then you decrypt the output.
https://anonfiles.com/Z4E2taObo2/item_k ... -enc_bytes
Works just as expected :)
This topic is now closed to further replies.

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.