RC4 encryption glee games.


Ekey, posted Tue Mar 16, 2021 10:49 pm (62876)


chrrox wrote:
First 5 bytes of file are magic.

Are you sure about it? As I see it, it's a check for the first 3 bytes:

Code:
if ( *srcbuffer == 0xEF && srcbuffer[1] == 0xFE )

and second check here
Code:
v20 = srcbuffer[2];
if ( v20 == 0x80 )
{
   v21 = rc4TextureBuffer(*dstbuffer, srcbuffer, (unsigned __int64 *)dstbuffer);
}
if ( v20 == 0xFF )
{
   v21 = rc4DocumentBuffer(*dstbuffer, srcbuffer, (unsigned __int64 *)dstbuffer);
}


also in functions rc4TextureBuffer and rc4DocumentBuffer you can see that 3 is subtracted from the size:

rc4TextureBuffer
Code:
av_rc4_crypt((__int64)&v9, v7, v3 + 3, v4 - 3);


rc4DocumentBuffer
Code:
av_rc4_crypt((__int64)&v10, (__int64)v7, v3 + 3, v4 - 3);
if ( (unsigned int)uncompress(v6, &v9, v7, v4 - 3) )


Arguments
Code:
v9/v10 - AVRC4 context
v7 - DstBuffer
v3 - SrcBuffer
v4 - Size


so it should be like this

Code:
AVRC4 ctx;
av_rc4_init(&ctx, lpStrKey, 0x48);
av_rc4_crypt(&ctx, lpDstBuffer, lpSrcBuffer + 3, dwSize - 3);


Can you upload the decrypted file? btw: What's the app?

chrrox, posted Tue Mar 16, 2021 11:54 pm (62878)


Here are a few samples with the decrypted files.
When the header starts with EF FE BE AD 02
I remove those bytes then.
I can do a static xor key of 0x80 bytes to decrypt the file.
Only the first 0x80 bytes are encrypted in that case.

https://m.apkpure.com/jp/放 ... .glee.girl

Ekey, posted Wed Mar 17, 2021 12:31 pm (62892)


I found 1 more key in decBufferV3 -> https://pastebin.com/uisFCSbF

Code:
uint8_t byte_AA108C [] = {
  0xEF, 0xFE, 0xBE, 0xAD};


Code:
if ( v3 <= 4 || memcmp(&byte_AA108C, lpBuffer, 4u) )


Code:
  v5 = lpBuffer[4];
  if ( (v5 & 1) == 0 )
  {
    v12 = 5;
    v8 = 0;
    goto LABEL_23;
  }


so in this case 2 & 1 = 0

Code:
LABEL_23:

uint8_t unk_AA1090[] = {
    0xDD, 0xAB, 0x91, 0x32, 0x23, 0x81, 0x78, 0x05, 0x34, 0x15};

av_rc4_init((int)v27, (int)&unk_AA1090, 0x50);
  if ( (v5 & 2) != 0 && v13 >= 128 )
    v15 = 128;
av_rc4_crypt((int)v27, v14, v14, v15);
.....
uncompress


this is probably what you are looking for

chrrox, posted Wed Mar 17, 2021 2:36 pm (62894)


This works for type 2
not type 1

Code:
append
get NAME basename
string NAME .png
get SIZE asize
math SIZE - 0x85
encryption rc4 "\xDD\xAB\x91\x32\x23\x81\x78\x05\x34\x15"
log MEMORY_FILE 5 0x80
encryption xor ""
log MEMORY_FILE 0x85 SIZE
get SIZE asize MEMORY_FILE
log NAME 0 SIZE MEMORY_FILE


**edit**

The data for type 1 starts at offset 8
If I take a large file and xor it I can use that key for any file smaller.
RC4 seems to just generate a xor pad.

Ekey, posted Wed Mar 17, 2021 4:12 pm (62900)


chrrox wrote:
Found one that starts at 9 for zlib data
https://transferxl.com/00jKqh0JKrpW1L

yep, it works with cfac38f25204c6.bak file.

Code:
   AVRC4 ctx;
   av_rc4_init(&ctx, lpStrKeyV3, 0x50);
   av_rc4_crypt(&ctx, lpDstBuffer, lpSrcBuffer + 8, dwSize - 8);



chrrox, posted Wed Mar 17, 2021 4:28 pm (62901)


Yup it works cool.

Code:
idstring "\xEF\xFE\xBE\xAD"
get NAME basename
get TYPE byte
get SIZE asize
if SIZE < 0x80
cleanexit
endif
if TYPE == 1
   comtype zlib_dynamic
   do
      get TMP byte
   while TMP & 0x80
   savepos POS
   string NAME .dat
   math SIZE - POS
   encryption rc4 "\xDD\xAB\x91\x32\x23\x81\x78\x05\x34\x15"
   log MEMORY_FILE POS SIZE
   encryption xor ""
   get SIZE asize MEMORY_FILE
   clog NAME 0 SIZE SIZE MEMORY_FILE

elif TYPE == 2
   append
   string NAME .png
   math SIZE - 0x85
   encryption rc4 "\xDD\xAB\x91\x32\x23\x81\x78\x05\x34\x15"
   log MEMORY_FILE 5 0x80
   encryption xor ""
   log MEMORY_FILE 0x85 SIZE
   get SIZE asize MEMORY_FILE
   log NAME 0 SIZE MEMORY_FILE
endif
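
Added example, not part of the original posts or of the application's code: a Python rendering of the container layout that the script above handles (type 1 and type 2), together with the "RC4 seems to just generate a xor pad" observation made earlier in the thread. The function names `decode` and `recover_pad` and the `SAMPLE*`/`PLAIN*` inputs are constructed for illustration; treating a payload shorter than 0x80 bytes as fully encrypted follows the `v13 >= 128` check in the decompiled snippet.

```python
import zlib

MAGIC = bytes.fromhex("EFFEBEAD")
KEY = bytes.fromhex("DDAB9132238178053415")  # 10-byte (0x50-bit) key quoted in the thread

def rc4_stream(key: bytes, n: int) -> bytes:
    """First n bytes of RC4 keystream; depends only on the key, so every file shares it."""
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):  # output generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def decode(blob: bytes) -> bytes:
    """Decode one container using the type 1 / type 2 layout from the script above."""
    if len(blob) <= 4 or blob[:4] != MAGIC:
        raise ValueError("bad magic")
    kind, pos = blob[4], 5
    if kind == 1:
        # Skip the variable-length field: a byte with bit 0x80 set means "more follows".
        while pos < len(blob) and blob[pos] & 0x80:
            pos += 1
        pos += 1
        body = blob[pos:]
        return zlib.decompress(xor(body, rc4_stream(KEY, len(body))))
    if kind == 2:
        n = min(0x80, len(blob) - pos)  # only the first 0x80 payload bytes are encrypted
        return xor(blob[pos:pos + n], rc4_stream(KEY, n)) + blob[pos + n:]
    raise ValueError(f"unhandled type {kind}")

def recover_pad(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """With a fixed key and no IV, one known plaintext yields the pad for all files."""
    return xor(ciphertext, known_plaintext)

# Constructed samples (not game files): a type 2 and a type 1 container.
PLAIN2 = bytes(range(0x90))
SAMPLE2 = MAGIC + b"\x02" + xor(PLAIN2[:0x80], rc4_stream(KEY, 0x80)) + PLAIN2[0x80:]
PLAIN1 = b"constructed document " * 8
PACKED1 = zlib.compress(PLAIN1)
SAMPLE1 = MAGIC + b"\x01" + b"\xa8\x01" + xor(PACKED1, rc4_stream(KEY, len(PACKED1)))
```

Because the keystream is identical for every file, the pad recovered from one known plaintext also decrypts the start of any other file; a per-file nonce mixed into the key, or an authenticated cipher, is what prevents this.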

Ekey, posted Wed Mar 17, 2021 7:57 pm (62904)


nice :)

melon7plus, posted Thu May 20, 2021 7:24 am (64147)


chrrox wrote:
Yup it works cool.

Code:
idstring "\xEF\xFE\xBE\xAD"
get NAME basename
get TYPE byte
get SIZE asize
if SIZE < 0x80
cleanexit
endif
if TYPE == 1
   comtype zlib_dynamic
   do
      get TMP byte
   while TMP & 0x80
   savepos POS
   string NAME .dat
   math SIZE - POS
   encryption rc4 "\xDD\xAB\x91\x32\x23\x81\x78\x05\x34\x15"
   log MEMORY_FILE POS SIZE
   encryption xor ""
   get SIZE asize MEMORY_FILE
   clog NAME 0 SIZE SIZE MEMORY_FILE

elif TYPE == 2
   append
   string NAME .png
   math SIZE - 0x85
   encryption rc4 "\xDD\xAB\x91\x32\x23\x81\x78\x05\x34\x15"
   log MEMORY_FILE 5 0x80
   encryption xor ""
   log MEMORY_FILE 0x85 SIZE
   get SIZE asize MEMORY_FILE
   log NAME 0 SIZE MEMORY_FILE
endif


trying to decrypt live2d model files by using your script, but it didn't work, could you please tell me how to decrypt those files? thanks a lot.

gef48, posted Tue Jun 21, 2022 1:45 pm (72213)


could someone send me the final script

gef48, posted Tue Jun 21, 2022 1:54 pm (72214)


Ekey wrote:
chrrox wrote:
Found one that starts at 9 for zlib data
https://transferxl.com/00jKqh0JKrpW1L

yep, it works with cfac38f25204c6.bak file.

Code:
   AVRC4 ctx;
   av_rc4_init(&ctx, lpStrKeyV3, 0x50);
   av_rc4_crypt(&ctx, lpDstBuffer, lpSrcBuffer + 8, dwSize - 8);

