FGO Waltz

Extraction and unpacking of game archives and compression, encryption, obfuscation, decoding of unknown files
mikoamoy
Posts: 14
Joined: Thu Jun 15, 2017 5:12 am

FGO Waltz

Post by mikoamoy »

I found the files within the hash json
the file should be unity but it was .bundles
and it's encrypted and this bundle should contain model files
samples
https://mega.nz/folder/00wj2ZwZ#vz_jIhCcJAQY-BPLyAOrAQ

aluigi could u help me?
chrrox
Posts: 388
Joined: Thu Aug 07, 2014 10:28 pm

Re: FGO Waltz

Post by chrrox »

Here is The main exe and metadata.
https://transferxl.com/00j3fNs9tCwsHg
I believe the decryption function is

Code: Select all

void Athena.Asset.Loader.AthenaAssetBundleCachingResource$$LoadFromFileStream

in here it calls
uVar3 = Dress.Core.DressEnv$$GetEncryptKey(0);
plVar4 = (longlong *)System.Text.Encoding$$get_UTF8(0);
uVar5 = Dress.Core.DressEnv$$GetEncryptSalt(0);


then it calls

Code: Select all

void Athena.Utility.SeekableAesStream$$.ctor


I believe this generates the static xor key

Code: Select all

  System.IO.Stream$$.ctor(param_1,0);
  *(undefined8 *)(param_1 + 0x28) = param_2;
  plVar3 = (longlong *)
           thunk_FUN_100cbcb9c(System.Security.Cryptography.PasswordDeriveBytes_TypeInfo);
  System.Security.Cryptography.PasswordDeriveBytes$$.ctor(plVar3,param_3,param_4,0);
  plVar6 = (longlong *)thunk_FUN_100cbcb9c(System.Security.Cryptography.AesManaged_TypeInfo);
  System.Security.Cryptography.AesManaged$$.ctor(plVar6,0);


sample encrypted file
Ekey
Posts: 1383
Joined: Sat Aug 09, 2014 2:34 pm

Re: FGO Waltz

Post by Ekey »

Upload to another filesharing, on this site I get an error.

Code: Select all

<Error>
<Code>NoSuchKey</Code>
<Message>The specified key does not exist.</Message>
<Key>a556f6b73cd43dec27d345e6a677c06b-0.zip</Key>
<BucketName>m-use1-09</BucketName>
<Resource>/m-use1-09/a556f6b73cd43dec27d345e6a677c06b-0.zip</Resource>
<Region>us-east-1</Region>
<RequestId>162CC748D03081C3</RequestId>
<HostId>c355d7fb-3390-4b20-b108-c9331f9103a5</HostId>
</Error>


As I see by your snippet of code, here is a very similar encryption scheme as in "Prison Princess"
chrrox
Posts: 388
Joined: Thu Aug 07, 2014 10:28 pm

Re: FGO Waltz

Post by chrrox »

Ekey
Posts: 1383
Joined: Sat Aug 09, 2014 2:34 pm

Re: FGO Waltz

Post by Ekey »

chrrox wrote:https://file.io/YpEuA0jdwfo9

Where do you find such filesharing services? :D

Upload to Mediafire, GoogleDrive, Mega or Zippyshare :)

Edited: Full game name is "Fate/Grand Order Waltz in the MOONLIGHT/LOSTROOM" ?
chrrox
Posts: 388
Joined: Thu Aug 07, 2014 10:28 pm

Re: FGO Waltz

Post by chrrox »

Yes that is the game.
https://www17.zippyshare.com/v/0LSWU4aD/file.html

it will run in nox emulator if you change model information to huawei in all 3 fields and use android 7.
Ekey
Posts: 1383
Joined: Sat Aug 09, 2014 2:34 pm

Re: FGO Waltz

Post by Ekey »

Do you have a cache of files like obb or something like this?
chrrox
Posts: 388
Joined: Thu Aug 07, 2014 10:28 pm

Re: FGO Waltz

Post by chrrox »

Yes this is complete game directory
https://www64.zippyshare.com/v/LoKDgSXY/file.html

android cs generation.
chrrox
Posts: 388
Joined: Thu Aug 07, 2014 10:28 pm

Re: FGO Waltz

Post by chrrox »

The b64 encoded keys are here

void __cdecl Dress_Core_DressEnv___cctor(const MethodInfo *method)

Code: Select all

m_Items[0] = PqW6CKKXvwBZA1KJfzDRafWGzWcNFQIYLblOUintwbaXPtLHdarvX4XzWvXAyLIccfqfpxHv946OpukGTNNku7q4Z7WzKlhJ2GCfSsVC2a90rgP9qsc2sMYdlDguDL0W
m_Items[1] = OjNsqG9RpXxY3kwjl9f4XkyplPffbSMZolFgCxX1xchxTbIVJxV6zFpt0QALdT6LMSjOljgOLjEQSJtKs01Y1edWaCPi3H9UchktItWcBXusjhsuyH9GHjmx3HhAL8YZ
m_Items[2] = rOCRMGuSqwTsXmGcjQH4qNqSDoi6rzvZ4c1BSNBekGFG0lLkR3PxNPozhgOQbQGQpVBS4YAZ3Cr6MavKCEeuxw3Vqnwuktqk9uP7OigAV2qAaegdibkOMovUFIQO4Ol0
m_Items[3] = hiwA5RDasdzt7RKJyZnSE3bnY6P82NIPMdqwVPT1IL9bTjVgVH3qUhPzRAYJuLBZCSdPiaeRBraghAqiDWF2bqU9rY2Mpr5oBvfsZyZFv8tHEH0wt46sX3AWV6aZScaf
m_Items[4] = LKBnipPpd2DNJWX9bjYTBly2OPqtcDTQuT5eFI38dGV3AC5tK32qUh9bMcQB4csAaAIuxCwHw44DEuO7Hm7VZnfjAoUyr8pjQuXIdgwn5lCkNrxcvOPhxlcCloPSDVZl
m_Items[5] = 2mToFoinYnrkSTBvTpKWyZQR3bgIDTF1414ti8Xobz36Ha4PcNjMh6QlkxSTX2gIPcV5qJ65mVIaBosgMuBwozLtxd2p6ky0h1HZ2dnqvIsLKZu3SFXrZJtvmMHZK59m



referenced
Dress_Core_DressEnv_TypeInfo->static_fields->encryptKeys;

m_Items are encryptKeys
chrrox
Posts: 388
Joined: Thu Aug 07, 2014 10:28 pm

Re: FGO Waltz

Post by chrrox »

These are the 2 functions called for generating the password.
https://pastebin.com/nqJmw1Bs
https://pastebin.com/5y0y3EHR

I also see this in memory that lines up with the array it is building

Code: Select all

Dress_Core_DressEnv__GetEncryptKey

OjNsqG9RpXxY3kwjl9f4XkyplPffbSMZolFgCxX1xchxTbIVJxV6zFpt0QALdT6LMSjOljgOLjEQSJtKs01Y1edWaCPi3H9UchktItWcBXusjhsuyH9GHjmx3HhAL8YZ - 1

LKBnipPpd2DNJWX9bjYTBly2OPqtcDTQuT5eFI38dGV3AC5tK32qUh9bMcQB4csAaAIuxCwHw44DEuO7Hm7VZnfjAoUyr8pjQuXIdgwn5lCkNrxcvOPhxlcCloPSDVZl - 4

hiwA5RDasdzt7RKJyZnSE3bnY6P82NIPMdqwVPT1IL9bTjVgVH3qUhPzRAYJuLBZCSdPiaeRBraghAqiDWF2bqU9rY2Mpr5oBvfsZyZFv8tHEH0wt46sX3AWV6aZScaf - 3

PqW6CKKXvwBZA1KJfzDRafWGzWcNFQIYLblOUintwbaXPtLHdarvX4XzWvXAyLIccfqfpxHv946OpukGTNNku7q4Z7WzKlhJ2GCfSsVC2a90rgP9qsc2sMYdlDguDL0W - 0


Dress_Core_DressEnv__GetEncryptSalt

hiwA5RDasdzt7RKJyZnSE3bnY6P82NIPMdqwVPT1IL9bTjVgVH3qUhPzRAYJuLBZCSdPiaeRBraghAqiDWF2bqU9rY2Mpr5oBvfsZyZFv8tHEH0wt46sX3AWV6aZScafg - 3

OjNsqG9RpXxY3kwjl9f4XkyplPffbSMZolFgCxX1xchxTbIVJxV6zFpt0QALdT6LMSjOljgOLjEQSJtKs01Y1edWaCPi3H9UchktItWcBXusjhsuyH9GHjmx3HhAL8YZa - 1

rOCRMGuSqwTsXmGcjQH4qNqSDoi6rzvZ4c1BSNBekGFG0lLkR3PxNPozhgOQbQGQpVBS4YAZ3Cr6MavKCEeuxw3Vqnwuktqk9uP7OigAV2qAaegdibkOMovUFIQO4Ol0  - 2

2mToFoinYnrkSTBvTpKWyZQR3bgIDTF1414ti8Xobz36Ha4PcNjMh6QlkxSTX2gIPcV5qJ65mVIaBosgMuBwozLtxd2p6ky0h1HZ2dnqvIsLKZu3SFXrZJtvmMHZK59m  - 5



*SPAM* - ?
chrrox
Posts: 388
Joined: Thu Aug 07, 2014 10:28 pm

Re: FGO Waltz

Post by chrrox »

Here is the solution to fgo waltz decryption.

Code: Select all

#script for quickbms by chrrox
#special thanks to aluigi for xorpad fast function.
set MEMORY_FILE10 string "
void decrypt(unsigned char *data, int size) {
    int i, c;
    for(i = 0; i < size; i++) {
        c = i >> 4;
        switch(i & 15) {
            case 0:            break;
            case 1:  c >>= 8;  break;
            case 2:  c >>= 16; break;
            case 3:  c >>= 24; break;
            default: c = 0;
        }
        data[i] ^= c;
    }
}
"

get NAME basename
string NAME + .dec
get SIZE asize
math SIZE + 16
putvarchr MEMORY_FILE SIZE 0
calldll MEMORY_FILE10 decrypt tcc RET MEMORY_FILE SIZE
encryption mcrypt_rijndael-128_ecb "\x43\x20\x68\x9B\x21\x9A\x85\xBF\x9F\x66\x5D\xFB\xEF\x90\xBF\x49"  "" 1 16
math SIZE - 16
log MEMORY_FILE2 16 SIZE MEMORY_FILE
encryption "" ""
getdstring KEY SIZE MEMORY_FILE2
encryption xor KEY
log NAME 0 SIZE
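
Added example, not part of the original post or of QuickBMS: the script above amounts to a counter-mode keystream (block cipher run in ECB over counter blocks, first 16 pad bytes skipped), so the pad depends only on the key and the file offset and is identical for every file. The Python sketch below reproduces the counter layout and the seekable XOR; `standin_block` is a constructed stand-in for the AES-128-ECB step so the code runs with the standard library only, and all function names are hypothetical.

```python
import hashlib
import struct

BLOCK = 16

def counter_block(index):
    """One 16-byte counter block: 32-bit little-endian index, then 12 zero bytes."""
    return struct.pack("<I", index & 0xFFFFFFFF) + bytes(12)

def c_style_pad(size):
    """Byte-for-byte port of the script's decrypt() applied to a zeroed buffer."""
    out = bytearray(size)
    for i in range(size):
        c, pos = i >> 4, i & 15
        out[i] ^= ((c >> (8 * pos)) & 0xFF) if pos < 4 else 0
    return bytes(out)

def keystream(encrypt_block, offset, length):
    """Keystream for file bytes [offset, offset + length).

    The script encrypts SIZE+16 pad bytes and logs from pad offset 16, so
    file block n is covered by encrypt_block(counter_block(n + 1)).
    """
    first = offset // BLOCK
    last = (offset + length + BLOCK - 1) // BLOCK
    pad = b"".join(encrypt_block(counter_block(n + 1)) for n in range(first, last))
    start = offset - first * BLOCK
    return pad[start:start + length]

def xor_at(encrypt_block, data, offset=0):
    """XOR data with the keystream at a given file offset (same call both ways)."""
    ks = keystream(encrypt_block, offset, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def standin_block(block):
    """Constructed stand-in for the AES-128-ECB block encryption (assumption)."""
    return hashlib.sha256(b"constructed-demo-key" + block).digest()[:BLOCK]

def demo():
    plain = b"UnityFS\x00" + bytes(range(40))  # constructed sample, not a real bundle
    enc = xor_at(standin_block, plain)
    whole = xor_at(standin_block, enc)
    tail = xor_at(standin_block, enc[21:], offset=21)  # seek into the middle
    return whole == plain, tail == plain[21:]

if __name__ == "__main__":
    print(demo())
```

To process real data, pass a function that AES-128-ECB-encrypts one 16-byte block with the key from the script in place of `standin_block`.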
mikoamoy
Posts: 14
Joined: Thu Jun 15, 2017 5:12 am

Re: FGO Waltz

Post by mikoamoy »

After years it finally worked!

Thanks Chrox :mrgreen:
Yuzu
Posts: 1
Joined: Wed Jan 19, 2022 2:58 am

Re: FGO Waltz

Post by Yuzu »

Hey, does anyone still have the OBB? I need the file to continue playing offline
breakdown64
Posts: 1
Joined: Wed Dec 07, 2022 7:13 am

Re: FGO Waltz

Post by breakdown64 »

Yuzu wrote:Hey, does anyone still have the OBB? I need the file to continue playing offline
Yo. I happened to stumble upon this forum so hello.

Android 10 has broken this app (I think) and I have got it to work on an emulator running android 7, but a fresh apk needs to be downloaded since it is no longer on the play store. The app just shows an "Unable to contact servers" error message and kicks you out of the app.

Either I am not doing the correct method of importing this data on a fresh apk or the code needs to be modified so it does not need to attempt to contact the servers? I just copy pasted the data into the Android>Obb file. Would love to know more. Cheers.


https://file.io/S1Y6NCjzvZc0