Thanks in advance!P. S. Here's the game on the Play Store (https://play.google.com/store/apps/deta ... ordondashx) if it helps. The game is part of the classic time management game franchise Diner Dash which first started in 2003.
Need help decrypting Gordon Ramsay DASH savegame save.json file
-
doantuankhoi
- Posts: 12
- Joined: Fri Mar 06, 2020 4:44 am
Need help decrypting Gordon Ramsay DASH savegame save.json file
Hi, I really need help decrypting the savegame file (link: https://drive.google.com/open?id=1ZJuzq ... rNhps1ItSb) since I can't mod the lootboxes to acquire unobtainable outfits (the game has stopped receiving new content and they can't be bought even with real money) in the game as it is server-sided, so editing player's data is the only way to do so. I have tried scripts on https://aluigi.altervista.org/quickbms.htm but none of them could help. If anyone could really help me decrypt the file to edit it and encrypt the edited file again to replace, it would be a really great help to me since I want to archive this game real bad. There's no way to get all the outfits now so it's my only option to do this Thanks in advance!
P. S. Here's the game on the Play Store (https://play.google.com/store/apps/deta ... ordondashx) if it helps. The game is part of the classic time management game franchise Diner Dash which first started in 2003.
Thanks in advance!P. S. Here's the game on the Play Store (https://play.google.com/store/apps/deta ... ordondashx) if it helps. The game is part of the classic time management game franchise Diner Dash which first started in 2003.
-
doantuankhoi
- Posts: 12
- Joined: Fri Mar 06, 2020 4:44 am
Need help decrypting Gordon Ramsay DASH savegame file
Hi, I need some scripts to decode the game's save.json savegame file (https://drive.google.com/open?id=1HZ1ww ... yYBb8fpTEa , there are 2 instances of my game progress at 2 different time), since there are many unobtainable items in the game (they can't even be bought with real money), and the game's loot box data is server-sided so it's out of question to even find data for that. Also if the algorithm used to encode the savegame file is found, is it possible to edit the game file and then encrypt it again to make a new save game? Thanks!
-
aluigi
- Site Admin
- Posts: 12984
- Joined: Wed Jul 30, 2014 9:32 pm
Re: Need help decrypting Gordon Ramsay DASH savegame save.json file
I just tried to check if it used deflate compression, didn't scan all the algorithms. No luck with deflate.
It's possible that it may be encrypted.
Both the files have the 0xb0 bytes at the beginning.
It may be an block-cipher encryption like AES.
No key, no decryption.
It's possible that it may be encrypted.
Both the files have the 0xb0 bytes at the beginning.
It may be an block-cipher encryption like AES.
No key, no decryption.
-
doantuankhoi
- Posts: 12
- Joined: Fri Mar 06, 2020 4:44 am
Re: Need help decrypting Gordon Ramsay DASH savegame save.json file
aluigi wrote:I just tried to check if it used deflate compression, didn't scan all the algorithms. No luck with deflate.
It's possible that it may be encrypted.
Both the files have the 0xb0 bytes at the beginning.
It may be an block-cipher encryption like AES.
No key, no decryption.
Hi, thanks for the quick reply. I'm still working on where to look for the key to decrypt, so I'm going to list some of my deductions on where the key might be (and potential code dump in the game's lib on how it encrypt and decrypt data) and the full list of all the files in some folders most related to game data. I'm still new to this so if there's some script for my to put the key in for trial-and-error decrypting, please tell me where to do so since I want avoid inconveniencing you as much as possible:
1. cookieFile.txt in the game's files folder in the internal memory (https://drive.google.com/open?id=1jXgBt ... xKiK5kQ-Xx):
Code: Select all
endpoint1.collection.us2.sumologic.com FALSE / FALSE null AWSALB EHto3xdm69GYvXqEAv41qjpOuBMh3NYuqe5yHsDrwm4N9G8wYJJbnb5B9lT/rf/pzUdlyov3yHX56DOOp6hYms44bn7OqlNHTvst4JrXoKWG6QTiALOeU8qBf7H6
endpoint1.collection.us2.sumologic.com FALSE / FALSE null SameSite None
2. INSTALLATION file in the game's file folder in the internal memory (https://drive.google.com/open?id=1uuXdW ... 1YACPdFlvV):
Code: Select all
466c56eb-beae-42c6-8944-4c3d43259a6bFull list of the game's files folder:
3. __hs__db_key_values in the game's databases folder in the internal memory, which contains these 2 values only (https://drive.google.com/open?id=1UyAWS ... ZhgnMc3kJJ):
screenOrientation in binary:
Code: Select all
aced0005737200116a6176612e6c616e
672e496e746567657212e2a0a4f78187
3802000149000576616c756578720010
6a6176612e6c616e672e4e756d626572
86ac951d0b94e08b0200007870ffffff
ffdisableAnimations in binary:
Code: Select all
aced0005737200116a6176612e6c616e
672e426f6f6c65616ecd207280d59cfa
ee0200015a000576616c7565787000Full list of the game's databases folder (all of the -journal files are encrypted too):
4. .hptc_kache_glu.gordondashx in the game's code_cache folder (only file in the folder) is in encryption as well: https://drive.google.com/open?id=1m3zur ... 43ACnZqi8T - still don't know what it does
5. The game's lib files (https://drive.google.com/open?id=1DJX3X ... cXUjr_0hsA), which I only uploaded 2 of them here since they are my main point of investigation that has the libpfgame.so file with 2 suspicious strings, Aes_Setkey_Dec and Aes_Setkey_Enc. For convenience, I will upload its code here from IDA and I can't really understand ARM codes so it will take me sometime to learn it after I posted this:
Aes_SetKey_Dec
Code: Select all
.text:00A32A48 EXPORT Aes_SetKey_Dec
.text:00A32A48 Aes_SetKey_Dec ; DATA XREF: LOAD:0000221C↑o
.text:00A32A48 ; __unwind {
.text:00A32A48 PUSH {R4-R6,LR}
.text:00A32A4A MOV R4, R2
.text:00A32A4C MOV R5, R0
.text:00A32A4E BLX j_Aes_SetKey_Enc
.text:00A32A52 CMN.W R4, #0x14
.text:00A32A56 IT EQ
.text:00A32A58 POPEQ {R4-R6,PC}
.text:00A32A5A LDR R3, =(_GLOBAL_OFFSET_TABLE_ - 0xA32A6C)
.text:00A32A5C ADD.W R1, R5, #0x20
.text:00A32A60 LDR R2, =(unk_15636B8 - 0x18E9058)
.text:00A32A62 ADD.W R0, R4, #0x14
.text:00A32A66 LDR R5, =(unk_192E168 - 0x18E9058)
.text:00A32A68 ADD R3, PC
.text:00A32A6A ADD.W LR, R2, R3
.text:00A32A6E ADD R3, R5
.text:00A32A70
.text:00A32A70 loc_A32A70 ; CODE XREF: Aes_SetKey_Dec+76↓j
.text:00A32A70 LDR R5, [R1]
.text:00A32A72 SUBS R0, #1
.text:00A32A74 UBFX.W R2, R5, #8, #8
.text:00A32A78 MOV.W R4, R5,LSR#24
.text:00A32A7C LDRB.W R12, [LR,R4]
.text:00A32A80 UXTB R4, R5
.text:00A32A82 UBFX.W R5, R5, #0x10, #8
.text:00A32A86 LDRB.W R2, [LR,R2]
.text:00A32A8A LDRB.W R5, [LR,R5]
.text:00A32A8E LDRB.W R4, [LR,R4]
.text:00A32A92 ORR.W R2, R2, #0x100
.text:00A32A96 ORR.W R5, R5, #0x200
.text:00A32A9A LDR.W R6, [R3,R4,LSL#2]
.text:00A32A9E ORR.W R4, R12, #0x300
.text:00A32AA2 LDR.W R2, [R3,R2,LSL#2]
.text:00A32AA6 LDR.W R5, [R3,R5,LSL#2]
.text:00A32AAA EOR.W R2, R2, R6
.text:00A32AAE LDR.W R4, [R3,R4,LSL#2]
.text:00A32AB2 EOR.W R2, R2, R5
.text:00A32AB6 EOR.W R2, R2, R4
.text:00A32ABA STR.W R2, [R1],#4
.text:00A32ABE BNE loc_A32A70
.text:00A32AC0 POP {R4-R6,PC}
.text:00A32AC0 ; End of function Aes_SetKey_DecAes_SetKey_Enc
Code: Select all
.text:00A3291C EXPORT Aes_SetKey_Enc
.text:00A3291C Aes_SetKey_Enc ; CODE XREF: j_Aes_SetKey_Enc+8↑j
.text:00A3291C ; DATA XREF: LOAD:0000222C↑o
.text:00A3291C
.text:00A3291C var_34 = -0x34
.text:00A3291C var_30 = -0x30
.text:00A3291C var_2C = -0x2C
.text:00A3291C var_28 = -0x28
.text:00A3291C
.text:00A3291C ; __unwind {
.text:00A3291C PUSH.W {R4-R11,LR}
.text:00A32920 SUB SP, SP, #0x14
.text:00A32922 ADD.W R12, R2, #0x1C
.text:00A32926 MOVS R3, #3
.text:00A32928 MOVS R7, #0
.text:00A3292A MOV.W R11, R2,LSR#2
.text:00A3292E MOV LR, R2
.text:00A32930 ADD.W R3, R3, R2,LSR#3
.text:00A32934 STR R3, [R0]
.text:00A32936 CMP.W R7, R2,LSR#2
.text:00A3293A BEQ loc_A32964
.text:00A3293C ADD.W R3, R0, #0x10
.text:00A32940 MOV R7, R11
.text:00A32942
.text:00A32942 loc_A32942 ; CODE XREF: Aes_SetKey_Enc+44↓j
.text:00A32942 LDRB R5, [R1,#1]
.text:00A32944 SUBS R7, #1
.text:00A32946 LDRB R6, [R1]
.text:00A32948 LDRB R4, [R1,#2]
.text:00A3294A LDRB R2, [R1,#3]
.text:00A3294C ORR.W R6, R6, R5,LSL#8
.text:00A32950 ADD.W R1, R1, #4
.text:00A32954 ORR.W R6, R6, R4,LSL#16
.text:00A32958 ORR.W R2, R6, R2,LSL#24
.text:00A3295C STR.W R2, [R3],#4
.text:00A32960 BNE loc_A32942
.text:00A32962 MOV R7, R11
.text:00A32964
.text:00A32964 loc_A32964 ; CODE XREF: Aes_SetKey_Enc+1E↑j
.text:00A32964 CMP R7, R12
.text:00A32966 BCS loc_A32A34
.text:00A32968 ADD.W R1, R0, R7,LSL#2
.text:00A3296C STR R1, [SP,#0x38+var_28]
.text:00A3296E MOV R1, #0xFFFFFFE4
.text:00A32972 MOVS R5, #0
.text:00A32974 SUB.W R1, R1, LR
.text:00A32978 STR.W LR, [SP,#0x38+var_30]
.text:00A3297C ADD R1, R7
.text:00A3297E STR R1, [SP,#0x38+var_2C]
.text:00A32980 ADDS R1, R7, #4
.text:00A32982 SUB.W R1, R1, LR,LSR#2
.text:00A32986 ADD.W R4, R0, R1,LSL#2
.text:00A3298A LDR R0, =(_GLOBAL_OFFSET_TABLE_ - 0xA32992)
.text:00A3298C LDR R1, =(unk_15636B8 - 0x18E9058)
.text:00A3298E ADD R0, PC ; _GLOBAL_OFFSET_TABLE_
.text:00A32990 ADD.W R8, R1, R0 ; unk_15636B8
.text:00A32994 LDR R1, =(unk_15637B8 - 0x18E9058)
.text:00A32996 ADD R0, R1 ; unk_15637B8
.text:00A32998 STR R0, [SP,#0x38+var_34]
.text:00A3299A
.text:00A3299A loc_A3299A ; CODE XREF: Aes_SetKey_Enc+116↓j
.text:00A3299A LDR R0, [SP,#0x38+var_28]
.text:00A3299C ADDS R6, R7, R5
.text:00A3299E MOV R1, R11
.text:00A329A0 ADD.W R9, R0, R5,LSL#2
.text:00A329A4 MOV R0, R6
.text:00A329A6 LDR.W R10, [R9,#0xC]
.text:00A329AA BLX __aeabi_uidivmod
.text:00A329AE CBZ R1, loc_A329E4
.text:00A329B0 LDR R0, [SP,#0x38+var_30]
.text:00A329B2 CMP R0, #0x1C
.text:00A329B4 BCC loc_A32A20
.text:00A329B6 CMP R1, #4
.text:00A329B8 BNE loc_A32A20
.text:00A329BA UBFX.W R0, R10, #8, #8
.text:00A329BE UBFX.W R1, R10, #0x10, #8
.text:00A329C2 UXTB.W R2, R10
.text:00A329C6 MOV.W R3, R10,LSR#24
.text:00A329CA LDRB.W R0, [R8,R0]
.text:00A329CE LDRB.W R2, [R8,R2]
.text:00A329D2 LDRB.W R1, [R8,R1]
.text:00A329D6 LDRB.W R3, [R8,R3]
.text:00A329DA ORR.W R0, R2, R0,LSL#8
.text:00A329DE ORR.W R0, R0, R1,LSL#16
.text:00A329E2 B loc_A32A1C
.text:00A329E4 ; ---------------------------------------------------------------------------
.text:00A329E4
.text:00A329E4 loc_A329E4 ; CODE XREF: Aes_SetKey_Enc+92↑j
.text:00A329E4 MOV R0, R6
.text:00A329E6 MOV R1, R11
.text:00A329E8 BLX __aeabi_uidivmod
.text:00A329EC LDR R1, [SP,#0x38+var_34]
.text:00A329EE MOV.W R6, R10,LSR#24
.text:00A329F2 LDRB.W R6, [R8,R6]
.text:00A329F6 UXTB.W R3, R10
.text:00A329FA LDRB.W R3, [R8,R3]
.text:00A329FE LDRB R0, [R1,R0]
.text:00A32A00 UBFX.W R1, R10, #0x10, #8
.text:00A32A04 UBFX.W R2, R10, #8, #8
.text:00A32A08 LDRB.W R1, [R8,R1]
.text:00A32A0C LDRB.W R2, [R8,R2]
.text:00A32A10 EORS R0, R2
.text:00A32A12 UXTB R0, R0
.text:00A32A14 ORR.W R0, R0, R1,LSL#8
.text:00A32A18 ORR.W R0, R0, R6,LSL#16
.text:00A32A1C
.text:00A32A1C loc_A32A1C ; CODE XREF: Aes_SetKey_Enc+C6↑j
.text:00A32A1C ORR.W R10, R0, R3,LSL#24
.text:00A32A20
.text:00A32A20 loc_A32A20 ; CODE XREF: Aes_SetKey_Enc+98↑j
.text:00A32A20 ; Aes_SetKey_Enc+9C↑j
.text:00A32A20 LDR.W R0, [R4,R5,LSL#2]
.text:00A32A24 ADDS R5, #1
.text:00A32A26 EOR.W R0, R0, R10
.text:00A32A2A STR.W R0, [R9,#0x10]
.text:00A32A2E LDR R0, [SP,#0x38+var_2C]
.text:00A32A30 ADDS R0, R0, R5
.text:00A32A32 BNE loc_A3299A
.text:00A32A34
.text:00A32A34 loc_A32A34 ; CODE XREF: Aes_SetKey_Enc+4A↑j
.text:00A32A34 ADD SP, SP, #0x14
.text:00A32A36 POP.W {R4-R11,PC}
.text:00A32A36 ; End of function Aes_SetKey_EncOther AES strings I found from searching libpfgame.so:
6. Strings I found in libjs.so:
Full list of the game's lib folder:
Full list of the game's internal memory folder, which includes all previous files:
Full list of the game's sdcard memory folder, which mostly contains sprites, assetlist, plist files so it might not be significant:
If there's no way to decrypt this using these data, should I risk modifying the game's lib file to not encode using AES anymore? Thanks!
Edit: Added one extra piece of info.