Hidden Expedition - The Crown of Solomon Collector's Edition

Extraction and unpacking of game archives and compression, encryption, obfuscation, decoding of unknown files
meeshu
Posts: 13
Joined: Sat May 18, 2019 1:19 pm

Hidden Expedition - The Crown of Solomon Collector's Edition

Post by meeshu »

Trying to extract/unpack the password protected Data.pak file from Hidden Expedition - The Crown of Solomon Collector's Edition.

I've successfully extracted/unpacked a similar password protected Data.pak file from another game (Hidden Expedition - Smithsonian Hope Diamond Collector's Edition) using the password finding procedure tutorial here in these forums (run game, dumproc, exestringz, and quickbms).

These data.pak files are just renamed zip files with password protection.

I can't seem to find the zip (pak) password for the Data.pak file for Hidden Expedition - The Crown of Solomon Collector's Edition!? I've tried the password finding procedure (run game, dumproc, exestringz, quickbms) several times, but no password is found!?

What is wrong here?

Screenshot of command line -

Image

And here is passwords list (per exestringz) -

passwords_list.txt



EDIT: I've also tried using two different ZIP password recovery programs, but the software terminates suddenly when starting to run the zip password recovery process! It is suspected that there is some "protection" (somewhere) that intercepts and terminates any password recovery software!?

Here is the Hex view of data.pak -

Image
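Added example, not part of the original thread: a way to check the claim that Data.pak is a renamed ZIP and to see which entries carry the encryption flag and which scheme they declare, by reading the central directory directly. The function names and the sample archive are constructed for illustration; the sample only has the flag bit set by hand and its data is not actually encrypted.

```python
import io
import struct
import zipfile

EOCD_SIG, CDIR_SIG = b"PK\x05\x06", b"PK\x01\x02"

def list_entries(data: bytes):
    """Return [(name, encrypted, scheme)] read from a ZIP central directory."""
    # Deliberately strict: a renamed ZIP starts with a local file header.
    if not data.startswith(b"PK\x03\x04"):
        raise ValueError("no ZIP local-file-header magic at offset 0")
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("end-of-central-directory record not found")
    _, _, _, _, total, _, cd_off, _ = struct.unpack_from("<4s4H2LH", data, eocd)
    entries, pos = [], cd_off
    for _ in range(total):
        (sig, _, _, flags, method, _, _, _, _, _,
         nlen, xlen, clen, _, _, _, _) = struct.unpack_from("<4s6H3L5H2L", data, pos)
        if sig != CDIR_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        encrypted = bool(flags & 0x0001)      # general-purpose flag bit 0
        if not encrypted:
            scheme = "none"
        elif method == 99:                    # WinZip AES marker method
            scheme = "AES (WinZip AE-x)"
        elif flags & 0x0040:                  # bit 6: PKWARE strong encryption
            scheme = "PKWARE strong encryption"
        else:
            scheme = "ZipCrypto (traditional PKWARE)"
        entries.append((name, encrypted, scheme))
        pos += 46 + nlen + xlen + clen        # fixed part + variable fields
    return entries

def build_sample_pak() -> bytes:
    """Constructed sample: plain ZIP, second entry then flagged as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("readme.txt", b"plain")
        z.writestr("scenes/intro.xml", b"<scene/>")
    raw = bytearray(buf.getvalue())
    cd = raw.rfind(CDIR_SIG)                  # last central record = second entry
    raw[cd + 8] |= 0x01                       # flags field sits at offset 8
    return bytes(raw)

if __name__ == "__main__":
    for name, encrypted, scheme in list_entries(build_sample_pak()):
        print(f"{name:20} encrypted={encrypted} scheme={scheme}")
```
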
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Hidden Expedition - The Crown of Solomon Collector's Edition

Post by aluigi »

It's the same password used by all the games developed by Eipix Games:

Code:

7VtaFesmATpMwtiL7Q79nzOyx2mNzypYmwPR39LY55AuhGxrOcLvCy2SnQje


You can find the whole list of passwords here:
http://aluigi.altervista.org/papers.htm#info
meeshu
Posts: 13
Joined: Sat May 18, 2019 1:19 pm

Re: Hidden Expedition - The Crown of Solomon Collector's Edition

Post by meeshu »

Thank you very much!

That password does work!!

But if Quickbms didn't find the password (using normal procedure of - running game, dumproc, exestringz, then Quickbms with zip password script), then how is/was the password found/verified for the data.pak file in Hidden Expedition - The Crown of Solomon Collector's Edition game?

Thank you.
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Hidden Expedition - The Crown of Solomon Collector's Edition

Post by aluigi »

The password may be generated at runtime with an algorithm or by concatenating strings; in that case you can't find it with the memory dump.
meeshu
Posts: 13
Joined: Sat May 18, 2019 1:19 pm

Re: Hidden Expedition - The Crown of Solomon Collector's Edition

Post by meeshu »

Thanks.

So, presumably for this particular game, the password was assumed to be the same password as per other Eipix games? Is that right?

But, if the password happened to be different for this particular game, how would you find it?
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Hidden Expedition - The Crown of Solomon Collector's Edition

Post by aluigi »

Via debugging
meeshu
Posts: 13
Joined: Sat May 18, 2019 1:19 pm

Re: Hidden Expedition - The Crown of Solomon Collector's Edition

Post by meeshu »

Thanks.

But, I've tried to follow your tutorial here, but this procedure doesn't seem to work when trying to find the password for Hidden Expedition - The Crown of Solomon Collector's Edition!?

Used OllyDbg version 1.10 for the debugger.

Followed the steps as precisely as possible as per your tutorial. But after running the Quickbms int3.bms script, I can no longer select the game to continue. The game icon is shown in the "taskbar" at the bottom of the screen, but clicking on the game icon doesn't open/resume the game !?

I've also tried to hide OllyDbg by using the "Hidedebugger.dll" plugin, but this made no difference; the game will no longer resume!?

Noticed that the game has an "IsDebuggerPresent" routine, as shown by signsrch. Maybe this routine is causing the problem??

What is wrong here? What can be done to successfully find the password for this game (as a password finding exercise for using similar procedures on other similar games)?

Thank you.
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Hidden Expedition - The Crown of Solomon Collector's Edition

Post by aluigi »

All bigfishgames are protected with Armadillo; they must be unprotected first.
ArmaG3ddon by ARTEAM has always worked perfectly.
meeshu
Posts: 13
Joined: Sat May 18, 2019 1:19 pm

Re: Hidden Expedition - The Crown of Solomon Collector's Edition

Post by meeshu »

Thanks again!

Ran ArmaGeddon V2.2, and it states that the game executable is NOT an armadillo protected file!?

What to do now?

EDIT: Ran Exeinfo PE version 0.0.5.4 on the game executable and it reported that the header had been tampered with.

Here is Exeinfo PE log -

Exeinfo.log


Here is hex screenshot of game executable header -

Image

Note that this game is the "Lee-GT" version of the game, and it appears to have modified the executable and its header. So there might be some custom protection/encryption used on the game executable(?)
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Hidden Expedition - The Crown of Solomon Collector's Edition

Post by aluigi »

Does that mean BigFishGames has changed packer after all these years? Didn't test so, maybe.
meeshu
Posts: 13
Joined: Sat May 18, 2019 1:19 pm

Re: Hidden Expedition - The Crown of Solomon Collector's Edition

Post by meeshu »

So, how do I find the password for this game then (as an exercise)?
meeshu
Posts: 13
Joined: Sat May 18, 2019 1:19 pm

Re: Hidden Expedition - The Crown of Solomon Collector's Edition

Post by meeshu »

I tried using Windbg instead of OllyDbg, but that didn't work either! There might be some game protection preventing easy determination of this game's password(?)

Has anyone been able to determine the password for this game's data.pak file successfully (using various reverse engineering tools), please?

If so, how was the password found, please?

Thank you.

EDIT: Download links added (~ 1 GB download) -

Code:

http://www.filefactory.com/file/3lpilyapxosj/HiddenExp7SolomonCE.zip

https://rapidgator.net/file/4ff10ed2d8ee82320f95fa6506e5237c/HiddenExp7SolomonCE.zip.html
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Hidden Expedition - The Crown of Solomon Collector's Edition

Post by aluigi »

aluigi wrote: Does that mean BigFishGames has changed packer after all these years? Didn't test so, maybe.

Just tested and everything is still the same.
ArmaG3ddon worked perfectly and dumped the decrypted executables.
meeshu
Posts: 13
Joined: Sat May 18, 2019 1:19 pm

Re: Hidden Expedition - The Crown of Solomon Collector's Edition

Post by meeshu »

Thanks for your time!

With a slightly better understanding of the debugging process, I tried again to find the password for this game. But despite playing the game for a while, OllyDbg failed to find the password!?

Note that I did NOT use Armageddon first on the game executable, as Armageddon and Exeinfo PE both do not detect Armadillo protection(!?)

So this game might still be protected with Armadillo?

How do you know this (since Armageddon and Exeinfo PE didn't find it)?

So in order to find this game password requires that the game executable has to be processed using Armageddon first to remove Armadillo protection!?

How do you know what settings to use in Armageddon to decrypt the (apparent) Armadillo protected game executable?

And how do you actually use Armageddon to decrypt executables? I have no idea at all on how to use Armageddon!

Thank you.
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Hidden Expedition - The Crown of Solomon Collector's Edition

Post by aluigi »

Many questions and no time to dedicate to the forum :)