RC4 encryption glee games.

Extraction and unpacking of game archives and compression, encryption, obfuscation, decoding of unknown files
chrrox
Posts: 388
Joined: Thu Aug 07, 2014 10:28 pm

RC4 encryption glee games.

Post by chrrox »

Anyone know how RC4 encryption works?

https://pastebin.com/hLHixwxS

https://ffmpeg.org/doxygen/0.6/rc4_8c-source.html

I dumped the decrypted file from memory and it's standard zlib with a 78 9C header.

The first 5 bytes of the file are magic.
Ekey
Posts: 1383
Joined: Sat Aug 09, 2014 2:34 pm

Re: RC4 encryption glee games.

Post by Ekey »

chrrox wrote:The first 5 bytes of the file are magic.

Are you sure about that? As I see it, it's a check on the first 3 bytes:

Code:

if ( *srcbuffer == 0xEF && srcbuffer[1] == 0xFE )

and second check here

Code:

v20 = srcbuffer[2];
if ( v20 == 0x80 )
{
   v21 = rc4TextureBuffer(*dstbuffer, srcbuffer, (unsigned __int64 *)dstbuffer);
}
if ( v20 == 0xFF )
{
   v21 = rc4DocumentBuffer(*dstbuffer, srcbuffer, (unsigned __int64 *)dstbuffer);
}


also in functions rc4TextureBuffer and rc4DocumentBuffer you can see that 3 is subtracted from the size:

rc4TextureBuffer

Code:

av_rc4_crypt((__int64)&v9, v7, v3 + 3, v4 - 3);


rc4DocumentBuffer

Code:

av_rc4_crypt((__int64)&v10, (__int64)v7, v3 + 3, v4 - 3);
if ( (unsigned int)uncompress(v6, &v9, v7, v4 - 3) )


Arguments

Code:

v9/v10 - AVRC4 context
v7 - DstBuffer
v3 - SrcBuffer
v4 - Size


so it should be like this

Code:

AVRC4 ctx;
av_rc4_init(&ctx, lpStrKey, 0x48);
av_rc4_crypt(&ctx, lpDstBuffer, lpSrcBuffer + 3, dwSize - 3);


Can you upload the decrypted file? BTW, what's the app?
chrrox
Posts: 388
Joined: Thu Aug 07, 2014 10:28 pm

Re: RC4 encryption glee games.

Post by chrrox »

Here are a few samples with the decrypted files.
When the header starts with EF FE BE AD 02, I remove those bytes.
Then I can use a static XOR key of 0x80 bytes to decrypt the file.
Only the first 0x80 bytes are encrypted in that case.

https://m.apkpure.com/jp/%E6%94%BE%E7%B ... .glee.girl
Ekey
Posts: 1383
Joined: Sat Aug 09, 2014 2:34 pm

Re: RC4 encryption glee games.

Post by Ekey »

I found 1 more key in decBufferV3 -> https://pastebin.com/uisFCSbF

Code:

uint8_t byte_AA108C [] = {
  0xEF, 0xFE, 0xBE, 0xAD};


Code:

if ( v3 <= 4 || memcmp(&byte_AA108C, lpBuffer, 4u) )


Code:

  v5 = lpBuffer[4];
  if ( (v5 & 1) == 0 )
  {
    v12 = 5;
    v8 = 0;
    goto LABEL_23;
  }


So in this case 2 & 1 = 0.

Code:

LABEL_23:

uint8_t unk_AA1090[] = {
    0xDD, 0xAB, 0x91, 0x32, 0x23, 0x81, 0x78, 0x05, 0x34, 0x15};

av_rc4_init((int)v27, (int)&unk_AA1090, 0x50);
  if ( (v5 & 2) != 0 && v13 >= 128 )
    v15 = 128;
av_rc4_crypt((int)v27, v14, v14, v15);
.....
uncompress


This is probably what you are looking for.
chrrox
Posts: 388
Joined: Thu Aug 07, 2014 10:28 pm

Re: RC4 encryption glee games.

Post by chrrox »

This works for type 2, not type 1.

Code:

append
get NAME basename
string NAME + .png
get SIZE asize
math SIZE - 0x85
encryption rc4 "\xDD\xAB\x91\x32\x23\x81\x78\x05\x34\x15"
log MEMORY_FILE 5 0x80
encryption xor ""
log MEMORY_FILE 0x85 SIZE
get SIZE asize MEMORY_FILE
log NAME 0 SIZE MEMORY_FILE


**edit**

The data for type 1 starts at offset 8.
If I take a large file and XOR it, I can use that key for any smaller file.
RC4 seems to just generate an XOR pad.
chrrox
Posts: 388
Joined: Thu Aug 07, 2014 10:28 pm

Re: RC4 encryption glee games.

Post by chrrox »

Found one that starts at 9 for zlib data
https://transferxl.com/00jKqh0JKrpW1L
Ekey
Posts: 1383
Joined: Sat Aug 09, 2014 2:34 pm

Re: RC4 encryption glee games.

Post by Ekey »

chrrox wrote:Found one that starts at 9 for zlib data
https://transferxl.com/00jKqh0JKrpW1L

Yep, it works with the cfac38f25204c6.bak file.

Code:

   AVRC4 ctx;
   av_rc4_init(&ctx, lpStrKeyV3, 0x50);
   av_rc4_crypt(&ctx, lpDstBuffer, lpSrcBuffer + 8, dwSize - 8);


Image
chrrox
Posts: 388
Joined: Thu Aug 07, 2014 10:28 pm

Re: RC4 encryption glee games.

Post by chrrox »

Yup, it works. Cool.

Code:

idstring "\xEF\xFE\xBE\xAD"
get NAME basename
get TYPE byte
get SIZE asize
if SIZE < 0x80
cleanexit
endif
if TYPE == 1
   comtype zlib_dynamic
   do
      get TMP byte
   while TMP & 0x80
   savepos POS
   string NAME + .dat
   math SIZE - POS
   encryption rc4 "\xDD\xAB\x91\x32\x23\x81\x78\x05\x34\x15"
   log MEMORY_FILE POS SIZE
   encryption xor ""
   get SIZE asize MEMORY_FILE
   clog NAME 0 SIZE SIZE MEMORY_FILE

elif TYPE == 2
   append
   string NAME + .png
   math SIZE - 0x85
   encryption rc4 "\xDD\xAB\x91\x32\x23\x81\x78\x05\x34\x15"
   log MEMORY_FILE 5 0x80
   encryption xor ""
   log MEMORY_FILE 0x85 SIZE
   get SIZE asize MEMORY_FILE
   log NAME 0 SIZE MEMORY_FILE
endif
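Added example (not code from the thread or from the game): a stand-alone Python decryptor for the container format worked out above, covering both the decBufferV3 logic Ekey posted and chrrox's final QuickBMS script. It uses the 10-byte key from unk_AA1090; ffmpeg's av_rc4_init() takes the key length in bits, so the 0x50 in the decompilation is 80 bits, i.e. exactly those 10 bytes. The flag reading is an assumption taken from the decompiled branches (bit 0 of the type byte: varint prefix then RC4 then zlib; bit 1: only the first 0x80 bytes are RC4-encrypted when at least 0x80 remain), which generalizes the two types seen in the thread; what the varint actually holds is not established, so the code only skips it. The sample "files" are constructed inside the block, and recover_pad() is the XOR-pad trick chrrox described.

```python
import zlib

# Constants from the thread: the 4-byte magic and the RC4 key Ekey found in
# decBufferV3 (unk_AA1090). av_rc4_init() takes key_bits, so 0x50 = 80 bits = 10 bytes.
MAGIC = b"\xEF\xFE\xBE\xAD"
KEY_V3 = bytes([0xDD, 0xAB, 0x91, 0x32, 0x23, 0x81, 0x78, 0x05, 0x34, 0x15])
PARTIAL_LEN = 0x80  # bytes encrypted when flag bit 1 is set (v15 = 128 in the decomp)


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (KSA + PRGA), first n keystream bytes. There is no nonce, so the
    pad depends on the key alone: a pad XORed out of one large file decrypts any
    shorter file, which is what chrrox observed."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray(n)
    i = j = 0
    for k in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out[k] = S[(S[i] + S[j]) & 0xFF]
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same XOR against the keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def recover_pad(ciphertext: bytes, plaintext: bytes) -> bytes:
    """Ciphertext XOR known plaintext (e.g. a memory dump) gives the keystream."""
    return bytes(c ^ p for c, p in zip(ciphertext, plaintext))


def read_varint(buf: bytes, pos: int):
    """Skip the 7-bits-per-byte prefix of type-1 files (the `do get TMP byte
    while TMP & 0x80` loop). Meaning of the value is not known; only pos is used."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def decrypt_container(blob: bytes, key: bytes = KEY_V3):
    """Return (type_byte, payload). Flag bits are an assumption read off the
    decompilation: bit 0 -> varint + zlib after RC4, bit 1 -> partial encryption."""
    if len(blob) <= 5 or blob[:4] != MAGIC:
        raise ValueError("not an EF FE BE AD container")
    ftype = blob[4]
    pos = 5
    if ftype & 1:
        _hdr, pos = read_varint(blob, pos)
    body = blob[pos:]
    enc_len = PARTIAL_LEN if (ftype & 2) and len(body) >= PARTIAL_LEN else len(body)
    plain = rc4_crypt(key, body[:enc_len]) + body[enc_len:]
    if ftype & 1:
        plain = zlib.decompress(plain)  # a wrong key fails loudly here
    return ftype, plain


def encode_varint(n: int) -> bytes:
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        out.append((b | 0x80) if n else b)
        if not n:
            return bytes(out)


def build_container(ftype: int, payload: bytes, key: bytes = KEY_V3) -> bytes:
    """Constructed sample files (inverse of decrypt_container); NOT real game
    files. The varint slot gets the plaintext length just to hold something."""
    if ftype & 1:
        body = zlib.compress(payload)
        header = MAGIC + bytes([ftype]) + encode_varint(len(payload))
    else:
        body = payload
        header = MAGIC + bytes([ftype])
    enc_len = PARTIAL_LEN if (ftype & 2) and len(body) >= PARTIAL_LEN else len(body)
    return header + rc4_crypt(key, body[:enc_len]) + body[enc_len:]


# Constructed inputs: a fake PNG (signature + filler) and a JSON-ish blob.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 2
SAMPLE_TXT = b'{"model":"live2d","motions":[1,2,3]}' * 20

if __name__ == "__main__":
    for t, data in ((2, SAMPLE_PNG), (1, SAMPLE_TXT)):
        kind, out = decrypt_container(build_container(t, data))
        print(t, kind, len(out), out[:8])
```

Two things to note from running it: the decrypted type-1 body starts with 78 9C before inflation, matching the memory dump, and a pad recovered from one type-2 file decrypts any type-2 file whose body is no longer, because RC4 here is a pure key-only stream.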
Ekey
Posts: 1383
Joined: Sat Aug 09, 2014 2:34 pm

Re: RC4 encryption glee games.

Post by Ekey »

nice :)
melon7plus
Posts: 1
Joined: Thu May 20, 2021 6:39 am

Re: RC4 encryption glee games.

Post by melon7plus »

chrrox wrote:Yup it works cool.

Code:

idstring "\xEF\xFE\xBE\xAD"
get NAME basename
get TYPE byte
get SIZE asize
if SIZE < 0x80
cleanexit
endif
if TYPE == 1
   comtype zlib_dynamic
   do
      get TMP byte
   while TMP & 0x80
   savepos POS
   string NAME + .dat
   math SIZE - POS
   encryption rc4 "\xDD\xAB\x91\x32\x23\x81\x78\x05\x34\x15"
   log MEMORY_FILE POS SIZE
   encryption xor ""
   get SIZE asize MEMORY_FILE
   clog NAME 0 SIZE SIZE MEMORY_FILE

elif TYPE == 2
   append
   string NAME + .png
   math SIZE - 0x85
   encryption rc4 "\xDD\xAB\x91\x32\x23\x81\x78\x05\x34\x15"
   log MEMORY_FILE 5 0x80
   encryption xor ""
   log MEMORY_FILE 0x85 SIZE
   get SIZE asize MEMORY_FILE
   log NAME 0 SIZE MEMORY_FILE
endif


I'm trying to decrypt Live2D model files using your script, but it didn't work. Could you please tell me how to decrypt those files? Thanks a lot.
gef48
Posts: 3
Joined: Tue Jun 21, 2022 1:43 pm

Re: RC4 encryption glee games.

Post by gef48 »

Could someone send me the final script?
gef48
Posts: 3
Joined: Tue Jun 21, 2022 1:43 pm

Re: RC4 encryption glee games.

Post by gef48 »

Ekey wrote:
chrrox wrote:Found one that starts at 9 for zlib data
https://transferxl.com/00jKqh0JKrpW1L

yep, it works with cfac38f25204c6.bak file.

Code:

   AVRC4 ctx;
   av_rc4_init(&ctx, lpStrKeyV3, 0x50);
   av_rc4_crypt(&ctx, lpDstBuffer, lpSrcBuffer + 8, dwSize - 8);


Image