Chinese Game UPK

[sulcage]

I am trying to unpack these files, originally it came in a .pak file which I extracted fairly simply, inside was the Unreal Assets UPK etc. The game is fairly unknown outside of China I would say.

Initially when I opened it up I thought it was a simple XOR with 3C but it appears not to be as far as I can tell, I couldn't find much with IDA except a few routines and keys related to the pak file opening. Any ideas?

Attached one of the smaller UPK.

Pretty sure is UE3.

[sulcage]

I tried XOR

Code: Select all

22 26 60 63

On the first 4 bytes to give the correct values but feels like I just brute forced it.

Code: Select all

22 26 60 63 ?? ?? 3C 3C ?? ?? ?? ??

bytes [5][6] are version according to spec, which I am not sure the value, [7][8] license, which I think should be [0][0].

[sulcage]

Okay, I decided to try another file that I know is plain text, and that I know the values of. I xored plaint text file against the encrypted one then tested various key lengths but will on decrypt properly the bytes for the length of the key, any idea what other techniques to try?

Attached both encrypted and plain file, the xor keys on whole file are below, any help is much appreciated.

Code: Select all

115 31 142 31 161 142 141 45 81 224 239 141 170 159 224 221 31 18 141 142 86 96 
89 141 224 101 141 187 32 180 238 81 187 186 251 170 158 161 159 86 141 187 115 70 32 
147 230 81 187 186 251 170 147 81 56 81 255 31 142 31 161 142 141 56 86 224 86 96 192 
109 141 18 141 159 147 120 107 180 238 81 187 186 251 170 158 161 159 86 141 187 115 
35 32 147 230 81 187 186 251 170 147 81 56 81 255 81 224 239 141 192 109 141 18 141 
159 147 120 107 180 238 81 187 186 251 170 158 161 159 86 141 187 115 18 32 147 230 
81 187 186 251 170 147 81 56 81 255 58 141 224 239 192 109 141 18 141 159 147 120 107 
180 238 81 187 186 251 170 158 161 159 86 141 187 115 23 32 147 230 81 187 186 251 
170 147 81 56 81 255 94 159 224 221 141 187 192 109 141 18 141 159 147 120 107 180 
238 81 187 186 251 170 158 161 159 86 141 187 115 100 32 147 230 81 187 186 251 170 
147 81 56 81 255 35 141 224 170 186 142 192 109 141 18 141 159 147 120 107 180 238 81 
187 186 251 170 158 161 159 86 141 187 115 85 32 147 230 81 187 186 251 170 147 81 56 
81 255 177 224 239 224 31 141 192 109 141 18 141 159 147 120 107 180 238 81 187 186 251 
170 158 161 159 86 141 187 115 46 32 147 230 81 187 186 251 170 147 81 56 81 255 94 187 
186 184 141 9 86 161 159 141 192 109 141 18 141 159 147 120 107 180 238 81 187 186 251 
170 158 161 159 86 141 187 115 236 32 147 230 81 187 186 251 170 147 81 56 81 255 94 224 
103 142 192 109 141 18 141 159 147 120 107 180 238 81 187 186 251 170 158 161 159 86 141 
187 115 101 32 147 230 81 187 186 251 170 147 81 56 81 255 81 224 239 141 56 170 141 9 161 
106 161 9 192 109 141 18 141 159 147 120 107

[sulcage]

Keys for first part of one file, after xor against original.

In bold 56-56 when xored on original value = 'tt' in ASCII and 60-60 = 'ss', i checked whole encrypted file for these two and the encrypted values were the same always, I think i am a little closer or way off, again any insight is a great help, I am quite new to this type of stuff!

73-DF-8E-BB-8D-E0-9F-1F-65-2D-51-8D-8E-8D-BB-
E0-9F-38-8D-56-56-A1-8E-1F-60-20-B4-EE-25-A1-
8E-A1-EF-FB-EF-1F-65-A1-56-BA-BB-49-A1-8D-67-
AA-BA-BB-56-38-A1-44-8D-99-93-23-12-65-46-B4-
EE-25-A1-8E-A1-EF-FB-EF-1F-65-A1-56-BA-BB-49-
A1-8D-67-AA-BA-BB-56-38-A1-44-8D-93-93-23-46-
12-64-B4-EE-1F-8E-E0-6D-9F-8D-38-56-DD-9F-FB-
60-5E-BB-8D-60-60-FB-BB-8D-93-3A-BB-FB-8D-B4-
EE-B4-EE

Suppose I could just build a lookup table, as I really can't see any pattern

[sulcage]

Eventually built a lookup table and decrypts all the stuff fine, but still interested in any analysis, I feel like I missed something obvious and bruteforced it!