are these unity files encrypted? [blazblue alternative dark war]

[omegali]

im trying to check these asset unity files from a mobile game but i cant seem to find out how to open them.(i chose files at random since i cant really know what they are.).

[omegali]

i just realized im in the wrong topic. how do i move my post if anyone knows.

[aluigi]

I moved your topic to the Game Archive section.

[Ekey]

Yep, they are encrypted. What the game name?

[chrrox]

yeah need the games name files look xored.

[omegali]

Yep, they are encrypted. What the game name?

blazblue alternative dark war.



since i cant seem to find my reply i said earlier ill just resend it.

oh abit of looking around i realized i sent my reply as a private message.

[Ekey]

Can you upload APK / IPA ?

[omegali]

Can you upload APK / IPA ?

sorry for being late. i tried to upload but it said limit size is 5 mib does a link to an apk store work i guess?

https://m.apkpure.com/blazblue-alternat ... works.bbdw

also the game got updated recently not sure if that matters.

[omegali]

i was playing around with the functions using frida from the tutorial section. i tried looking for the xor key i found a vtable that could possibly have them during the function(at least from what the names say create_decryptor and some stuff like that. any idea how to access such table?(and if not any idea on where to look inside the function) thanks!

[omegali]

here is the function that does the decryption.

Code: Select all

System_Byte_array *__fastcall LCFAPLDGGLP__NFJIFEEICOA(System_Byte_array *PJEAFCNEPKL, const MethodInfo *method)
{
  LCFAPLDGGLP_c *v3; // x0
  System_Security_Cryptography_AesCryptoServiceProvider_o *v4; // x0
  System_Security_Cryptography_AesCryptoServiceProvider_o *v5; // x19
  _QWORD *v6; // x0
  _QWORD *v7; // x21
  __int64 v8; // x8
  unsigned int v9; // w22
  unsigned __int64 v10; // x10
  System_Security_Cryptography_ICryptoTransform_c **v11; // x11
  __int64 v12; // x0
  System_Byte_array *v13; // x20
  System_Security_Cryptography_AesCryptoServiceProvider_c *v14; // x8
  unsigned __int64 v15; // x10
  unsigned int *v16; // x11
  __int64 v17; // x0
  int savedregs; // [xsp+30h] [xbp+0h]

  if ( (unk_906F846 & 1) == 0 )
  {
    sub_19DD368();
    unk_906F846 = 1;
  }
  v3 = LCFAPLDGGLP_TypeInfo;
  if ( (LCFAPLDGGLP_TypeInfo->_2.bitflags2 & 2) != 0 && !LCFAPLDGGLP_TypeInfo->_2.cctor_finished )
    j_il2cpp_runtime_class_init_0();
  v4 = LCFAPLDGGLP__NGMMBFBDEHB((const MethodInfo *)v3);
  v5 = v4;
  if ( !v4 )
    ((void (*)(void))sub_19DD438)();
  v6 = (_QWORD *)((__int64 (__fastcall *)(System_Security_Cryptography_AesCryptoServiceProvider_o *, const MethodInfo *))v4->klass->vtable._24_CreateDecryptor.methodPtr)(
                   v4,
                   v4->klass->vtable._24_CreateDecryptor.method);
  if ( !PJEAFCNEPKL )
    sub_19DD438(v6);
  v7 = v6;
  if ( !v6 )
    sub_19DD438(0LL);
  v8 = *v6;
  v9 = PJEAFCNEPKL->max_length;
  if ( *(_WORD *)(*v6 + 0x126LL) )
  {
    v10 = 0LL;
    v11 = (System_Security_Cryptography_ICryptoTransform_c **)(*(_QWORD *)(v8 + 176) + 8LL);
    while ( *(v11 - 1) != System_Security_Cryptography_ICryptoTransform_TypeInfo )
    {
      ++v10;
      v11 += 2;
      if ( v10 >= *(unsigned __int16 *)(*v6 + 0x126LL) )
        goto LABEL_13;
    }
    v12 = v8 + 16LL * (unsigned int)(*(_DWORD *)v11 + 5) + 304;
  }
  else
  {
LABEL_13:
    v12 = sub_1991060(v6, (__int64)System_Security_Cryptography_ICryptoTransform_TypeInfo, 5u);
  }
  v13 = (System_Byte_array *)(*(__int64 (__fastcall **)(_QWORD *, System_Byte_array *, _QWORD, _QWORD, _QWORD))v12)(
                               v7,
                               PJEAFCNEPKL,
                               0LL,
                               v9,
                               *(_QWORD *)(v12 + 8));
  savedregs = 61;
  if ( v5 )
  {
    v14 = v5->klass;
    if ( v5->klass->_2.interface_offsets_count )
    {
      v15 = 0LL;
      v16 = (unsigned int *)((char *)v14->_1.interfaceOffsets + 8);
      while ( *((System_IDisposable_c **)v16 - 1) != System_IDisposable_TypeInfo )
      {
        ++v15;
        v16 += 4;
        if ( v15 >= v5->klass->_2.interface_offsets_count )
          goto LABEL_20;
      }
      v17 = (__int64)&v14->vtable + 16 * *v16;
    }
    else
    {
LABEL_20:
      v17 = sub_1991060(v5, (__int64)System_IDisposable_TypeInfo, 0);
    }
    (*(void (__fastcall **)(System_Security_Cryptography_AesCryptoServiceProvider_o *, _QWORD))v17)(
      v5,
      *(_QWORD *)(v17 + 8));
  }
  return v13;
}

and here is LCFAPLDGGLP__NGMMBFBDEHB

Code: Select all

System_Security_Cryptography_AesCryptoServiceProvider_o *__fastcall LCFAPLDGGLP__NGMMBFBDEHB(const MethodInfo *method)
{
  System_Security_Cryptography_AesCryptoServiceProvider_o *v1; // x19
  struct System_Text_Encoding_o *v2; // x0
  LCFAPLDGGLP_c *v3; // x0
  __int64 v4; // x0
  __int64 v5; // x0

  if ( (unk_906F859 & 1) == 0 )
  {
    sub_19DD368();
    unk_906F859 = 1;
  }
  v1 = (System_Security_Cryptography_AesCryptoServiceProvider_o *)sub_19DD430(System_Security_Cryptography_AesCryptoServiceProvider_TypeInfo);
  System_Security_Cryptography_AesCryptoServiceProvider___ctor(v1, 0LL);
  if ( !v1 )
    goto LABEL_10;
  ((void (__fastcall *)(System_Security_Cryptography_AesCryptoServiceProvider_o *, __int64, const MethodInfo *))v1->klass->vtable._7_set_BlockSize.methodPtr)(
    v1,
    128LL,
    v1->klass->vtable._7_set_BlockSize.method);
  ((void (__fastcall *)(System_Security_Cryptography_AesCryptoServiceProvider_o *, __int64, const MethodInfo *))v1->klass->vtable._17_set_KeySize.methodPtr)(
    v1,
    128LL,
    v1->klass->vtable._17_set_KeySize.method);
  v3 = LCFAPLDGGLP_TypeInfo;
  if ( (LCFAPLDGGLP_TypeInfo->_2.bitflags2 & 2) != 0 && !LCFAPLDGGLP_TypeInfo->_2.cctor_finished )
  {
    j_il2cpp_runtime_class_init_0();
    v3 = LCFAPLDGGLP_TypeInfo;
  }
  v2 = v3->static_fields->GOOEIIOGBEF;
  if ( !v2
    || (v4 = ((__int64 (__fastcall *)(struct System_Text_Encoding_o *, _QWORD, const MethodInfo *))v2->klass->vtable._18_GetBytes.methodPtr)(
               v2,
               StringLiteral_8244,
               v2->klass->vtable._18_GetBytes.method),
        ((void (__fastcall *)(System_Security_Cryptography_AesCryptoServiceProvider_o *, __int64, const MethodInfo *))v1->klass->vtable._11_set_IV.methodPtr)(
          v1,
          v4,
          v1->klass->vtable._11_set_IV.method),
        (v2 = LCFAPLDGGLP_TypeInfo->static_fields->GOOEIIOGBEF) == 0LL) )
  {
LABEL_10:
    sub_19DD438(v2);
  }
  v5 = ((__int64 (__fastcall *)(struct System_Text_Encoding_o *, _QWORD, const MethodInfo *))v2->klass->vtable._18_GetBytes.methodPtr)(
         v2,
         StringLiteral_9220,
         v2->klass->vtable._18_GetBytes.method);
  ((void (__fastcall *)(System_Security_Cryptography_AesCryptoServiceProvider_o *, __int64, const MethodInfo *))v1->klass->vtable._13_set_Key.methodPtr)(
    v1,
    v5,
    v1->klass->vtable._13_set_Key.method);
  ((void (__fastcall *)(System_Security_Cryptography_AesCryptoServiceProvider_o *, __int64, const MethodInfo *))v1->klass->vtable._19_set_Mode.methodPtr)(
    v1,
    1LL,
    v1->klass->vtable._19_set_Mode.method);
  ((void (__fastcall *)(System_Security_Cryptography_AesCryptoServiceProvider_o *, __int64, const MethodInfo *))v1->klass->vtable._21_set_Padding.methodPtr)(
    v1,
    2LL,
    v1->klass->vtable._21_set_Padding.method);
  return v1;
}

i cant understand what is going in v13 in the main function.

[bnnm]

Should work for the latest data:

Code: Select all

# BlazBlue Alternative: Dark War

# "5TGB&YHN7UJM(IK<"
set MEMORY_FILE1 binary "\x35\x54\x47\x42\x26\x59\x48\x4e\x37\x55\x4a\x4d\x28\x49\x4b\x3c"
# "!QAZ2WSX#EDC4RFV"
set MEMORY_FILE2 binary "\x21\x51\x41\x5A\x32\x57\x53\x58\x23\x45\x44\x43\x34\x52\x46\x56"

get SIZE asize

get NAME basename
string NAME += ".unity3d"

encryption aes_128_cbc MEMORY_FILE1 MEMORY_FILE2 0 16

log NAME 0x0 SIZE