This is the follow-up to:
- https://zenhax.com/viewtopic.php?f=6&t=16080
- https://zenhax.com/viewtopic.php?f=6&t=16544
So... in the early days (before Season 6), Cookie Run's MIDI files were encrypted with Salsa20.
simontime, a Nintendo game reverse-engineering guy who successfully decrypted the MIDI files, wrote the program in C.
Key and IV are:
#include <stdint.h>

/* 256-bit Salsa20 key (32 bytes) */
const uint8_t key[] =
{
0xF7, 0x9B, 0xF7, 0x33, 0xF2, 0x3F, 0x9D, 0x7A,
0xF2, 0xA2, 0x91, 0xCB, 0x4D, 0xCB, 0x5E, 0x49,
0x63, 0xE6, 0xA8, 0x71, 0xE0, 0x51, 0x2C, 0xE1,
0x46, 0xBD, 0x03, 0x67, 0x93, 0x56, 0xA4, 0x73
};
/* 64-bit Salsa20 nonce / IV (8 bytes) */
const uint8_t iv[] =
{
0xBC, 0x79, 0xCC, 0x75, 0x91, 0xB4, 0x8D, 0x70
};
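To make the pre-Season-6 scheme concrete, here is a minimal Salsa20/20 implementation using the key and IV posted above. This is an added example written for this thread, not simontime's program; the names (CRK_KEY, CRK_IV, salsa20_xor, looks_like_midi) and the sample MIDI header in the self-check are my own constructions. Because Salsa20 is a stream cipher, decrypting is the same XOR as encrypting, and the only sanity check you get is whether the output starts with a valid MThd header.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Key and IV exactly as posted for the pre-Season-6 files. */
static const uint8_t CRK_KEY[32] = {
    0xF7, 0x9B, 0xF7, 0x33, 0xF2, 0x3F, 0x9D, 0x7A,
    0xF2, 0xA2, 0x91, 0xCB, 0x4D, 0xCB, 0x5E, 0x49,
    0x63, 0xE6, 0xA8, 0x71, 0xE0, 0x51, 0x2C, 0xE1,
    0x46, 0xBD, 0x03, 0x67, 0x93, 0x56, 0xA4, 0x73
};
static const uint8_t CRK_IV[8] = { 0xBC, 0x79, 0xCC, 0x75, 0x91, 0xB4, 0x8D, 0x70 };

#define ROTL32(v, n) (((v) << (n)) | ((v) >> (32 - (n))))

/* Salsa20 quarter-round (Bernstein's spec, section 3). */
static void quarterround(uint32_t *y0, uint32_t *y1, uint32_t *y2, uint32_t *y3)
{
    *y1 ^= ROTL32(*y0 + *y3, 7);
    *y2 ^= ROTL32(*y1 + *y0, 9);
    *y3 ^= ROTL32(*y2 + *y1, 13);
    *y0 ^= ROTL32(*y3 + *y2, 18);
}

static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* One Salsa20/20 block: 64 keystream bytes for block number `counter`. */
static void salsa20_block(const uint8_t key[32], const uint8_t nonce[8], uint64_t counter, uint8_t out[64])
{
    static const uint8_t sigma[16] = "expand 32-byte k";   /* 256-bit key constant */
    uint32_t in[16], x[16];
    int i;
    in[0] = load_le32(sigma);      in[5] = load_le32(sigma + 4);
    in[10] = load_le32(sigma + 8); in[15] = load_le32(sigma + 12);
    for (i = 0; i < 4; i++) {
        in[1 + i] = load_le32(key + 4 * i);          /* key words 0..3  */
        in[11 + i] = load_le32(key + 16 + 4 * i);    /* key words 4..7  */
    }
    in[6] = load_le32(nonce); in[7] = load_le32(nonce + 4);
    in[8] = (uint32_t)counter; in[9] = (uint32_t)(counter >> 32);
    memcpy(x, in, sizeof x);
    for (i = 0; i < 10; i++) {                       /* 10 double rounds = 20 rounds */
        quarterround(&x[0], &x[4], &x[8], &x[12]);   /* column round */
        quarterround(&x[5], &x[9], &x[13], &x[1]);
        quarterround(&x[10], &x[14], &x[2], &x[6]);
        quarterround(&x[15], &x[3], &x[7], &x[11]);
        quarterround(&x[0], &x[1], &x[2], &x[3]);    /* row round */
        quarterround(&x[5], &x[6], &x[7], &x[4]);
        quarterround(&x[10], &x[11], &x[8], &x[9]);
        quarterround(&x[15], &x[12], &x[13], &x[14]);
    }
    for (i = 0; i < 16; i++) {                       /* feed-forward, little-endian output */
        uint32_t v = x[i] + in[i];
        out[4 * i] = (uint8_t)v;             out[4 * i + 1] = (uint8_t)(v >> 8);
        out[4 * i + 2] = (uint8_t)(v >> 16); out[4 * i + 3] = (uint8_t)(v >> 24);
    }
}

/* XOR buf with the keystream; Salsa20 encryption and decryption are the same operation. */
static void salsa20_xor(const uint8_t key[32], const uint8_t nonce[8], uint8_t *buf, size_t len)
{
    uint8_t ks[64];
    uint64_t counter = 0;
    size_t off, i, n;
    for (off = 0; off < len; off += 64, counter++) {
        salsa20_block(key, nonce, counter, ks);
        n = len - off < 64 ? len - off : 64;
        for (i = 0; i < n; i++) buf[off + i] ^= ks[i];
    }
}

/* A Standard MIDI File starts with "MThd" followed by the 4-byte header length 6. */
static int looks_like_midi(const uint8_t *buf, size_t len)
{
    static const uint8_t magic[8] = { 'M', 'T', 'h', 'd', 0, 0, 0, 6 };
    return len >= 8 && memcmp(buf, magic, 8) == 0;
}

/* Self-check 1: the quarter-round example printed in the Salsa20 spec. */
static int quarterround_matches_spec(void)
{
    uint32_t a = 1, b = 0, c = 0, d = 0;
    quarterround(&a, &b, &c, &d);
    return a == 0x08008145 && b == 0x00000080 && c == 0x00010200 && d == 0x20500000;
}

/* Self-check 2: a constructed MIDI header survives encrypt -> decrypt under the posted key/IV. */
static int roundtrip_ok(void)
{
    uint8_t buf[] = { 'M', 'T', 'h', 'd', 0, 0, 0, 6, 0, 0, 0, 1, 0, 0x60 };  /* constructed header */
    salsa20_xor(CRK_KEY, CRK_IV, buf, sizeof buf);
    if (looks_like_midi(buf, sizeof buf)) return 0;   /* ciphertext must not still read as MThd */
    salsa20_xor(CRK_KEY, CRK_IV, buf, sizeof buf);
    return looks_like_midi(buf, sizeof buf);
}

/* Usage: ./salsa20_midi <encrypted.mid> <out.mid>; with no arguments only the self-checks run. */
int main(int argc, char **argv)
{
    FILE *f; uint8_t *buf; long len;
    printf("quarterround spec check: %s\n", quarterround_matches_spec() ? "ok" : "FAIL");
    printf("round-trip check: %s\n", roundtrip_ok() ? "ok" : "FAIL");
    if (argc != 3 || !(f = fopen(argv[1], "rb"))) return 0;
    fseek(f, 0, SEEK_END); len = ftell(f); rewind(f);
    buf = malloc((size_t)len);
    if (!buf || fread(buf, 1, (size_t)len, f) != (size_t)len) { fclose(f); free(buf); return 1; }
    fclose(f);
    salsa20_xor(CRK_KEY, CRK_IV, buf, (size_t)len);
    printf("%s: %s\n", argv[1], looks_like_midi(buf, (size_t)len)
           ? "decrypted header is MThd" : "header mismatch (different key, IV or cipher?)");
    if ((f = fopen(argv[2], "wb"))) { fwrite(buf, 1, (size_t)len, f); fclose(f); }
    free(buf);
    return 0;
}
```

The "header mismatch" branch is the useful part for the Season 6 files: if the posted key/IV no longer produce MThd, either the key material changed or the cipher did, and a plain XOR with a Salsa20 keystream tells you nothing more.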
When the game stepped into Season 6, everything changed. A new encryption stepped in.
There's a rumor that:
- the MIDIs are encrypted with a 24-byte cipher
So, here is what I have found:
A lot of encrypted MIDIs have this header:
29 01 38 FD B3 29 45 5E E8
(as text: )8ý³)E^è)
I began using IDA Pro to decompile the .so file in the APK, but... syrupyy (CRK but translated video creator) said: "the MIDI header MThd followed by 5 extra bytes (4D 54 68 64 00 00 00 06 00 in hex) seems to be the same in many MIDI files I've looked at (from various different places, not necessarily CROB), and these ones have )8ý³)E^è / 29 01 38 FD B3 29 45 5E E8 in hex where the MThd header and the extra 5 bytes should be"
So yeah, I moved to iOS. I tried before, but it's obfuscated.
It's less obfuscated on iOS, but Ghidra doesn't understand it. I'd have to check IDA Pro.
In this case, I'm using IDA Pro 7.5 with Hex-Rays (I don't use >=7.7 because it crashes).
There's a function called *gb* which you can see. I got into *gb::sound*.
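The observation above (a fixed 9-byte blob where "MThd 00 00 00 06 00" should be) is itself a measurement. Under any XOR-style stream cipher, plaintext XOR ciphertext is the keystream, so the known MIDI header gives you the first 9 keystream bytes for free; and if many files carry the identical 9 bytes, the scheme is deterministic at the start of every file, i.e. there is no per-file nonce, which is exactly the weakness the pre-Season-6 Salsa20 setup with a fixed key and IV also had. This is an added example written for this thread, not code from the game or from anyone quoted here; the two byte arrays are the values from the post, and the function names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bytes from the post: how a MIDI file starts, and what the Season-6 files start with instead. */
static const uint8_t MIDI_HEADER[9] = { 0x4D, 0x54, 0x68, 0x64, 0x00, 0x00, 0x00, 0x06, 0x00 };
static const uint8_t OBSERVED[9]    = { 0x29, 0x01, 0x38, 0xFD, 0xB3, 0x29, 0x45, 0x5E, 0xE8 };

/* For a stream cipher, plaintext ^ ciphertext recovers the keystream bytes at those positions. */
static void recover_keystream_prefix(const uint8_t *plain, const uint8_t *cipher, size_t n, uint8_t *out)
{
    size_t i;
    for (i = 0; i < n; i++) out[i] = plain[i] ^ cipher[i];
}

/* Two files whose first n ciphertext bytes match were encrypted with identical state at offset 0:
   no per-file nonce. (True for a block cipher with a fixed IV as well, so this alone does not
   prove a stream cipher; it proves the absence of per-file randomisation.) */
static int same_prefix(const uint8_t *hdr_a, const uint8_t *hdr_b, size_t n)
{
    return memcmp(hdr_a, hdr_b, n) == 0;
}

/* Keystream byte i implied by the posted header pair (used by the checks below). */
static uint8_t implied_keystream_byte(size_t i)
{
    uint8_t ks[9];
    recover_keystream_prefix(MIDI_HEADER, OBSERVED, sizeof ks, ks);
    return i < sizeof ks ? ks[i] : 0;
}

int main(void)
{
    /* Constructed second sample: the post says many files share the same 9 bytes. */
    uint8_t second_file[9];
    uint8_t ks[9];
    size_t i;
    memcpy(second_file, OBSERVED, sizeof second_file);
    recover_keystream_prefix(MIDI_HEADER, OBSERVED, sizeof ks, ks);
    printf("keystream prefix if XOR stream cipher:");
    for (i = 0; i < sizeof ks; i++) printf(" %02X", ks[i]);
    printf("\nsame prefix in both files (no per-file nonce): %s\n",
           same_prefix(OBSERVED, second_file, sizeof second_file) ? "yes" : "no");
    return 0;
}
```

The recovered prefix is only meaningful if the cipher really is XOR-based; the point a defender should take from it is that a fixed key and nonce turn every known-format header into free keystream, which is why per-file nonces exist.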
Today, I want to thank tungdo0602 for giving me an OpenGPT API token, since I can't log in from Vietnam.
I'm using a plugin called Gepetto.
Sadly, *gb::sound* can't give me any information, and a few of the functions are too long for the AI to explain.
So... I moved to *gb::crepe*.
I found something, but not sound related...
It's called:
- gb::crepe::KeyStore::KeyStore
- gb::crepe::KeyStore::loadKey
- gb::crepe::KeyStore::loadMasterKey
The interesting ones are loadKey and loadMasterKey.
This is loadKey:
So... is this a modified Salsa20?
And this is loadMasterKey:
Another one is *gb::buildConfig::crepeKeystoreMasterIndex*.
A few unk_ things; I clicked on them...
I scrolled down a bit and found this:
I think this is not a key for decrypting MIDI, so I ignored it.
So, did I find nothing, or did I just ignore a lot of it?
I almost became an autism guy because no one helps with it. So if you find something, please let me know!
Here are my questions:
- What kind of encryption is it? (hope that this is not ECC)
- Is their code hidden?
- What are their key and IV?
Also, I'll give you IDA Pro if you want it for research. DM me on Discord: Bang1338#5701
Hope you guys can help me and us! Thank you!