Retrieving ZIP passwords from games - the zero skills way

[aluigi]

The following is probably the easiest way to retrieve the password used for the archives of some games, in fact it's quite common to find ZIP archives (sometimes with non-zip extensions like pak, dat) and protected by password using the ZipCrypto algorithm.

In this method I will use no debuggers, no breakpoints, no signsrch... nothing that makes you feel a pro

Necessary tools:
QuickBMS http://aluigi.org/quickbms.htm
ZIP password scanner (script) http://aluigi.org/papers/bms/zip_pwd_scan.bms
exestringz http://aluigi.org/mytoolz.htm#exestringz
dumproc http://aluigi.org/mytoolz.htm#dumproc

Alternatively you can use:
exestringz -> strings http://technet.microsoft.com/en-us/sysi ... 97439.aspx
dumproc -> procdump http://technet.microsoft.com/en-us/sysi ... 96900.aspx


The example game for this tutorial is Mini Robot Wars:
http://www.bigfishgames.com/download-ga ... index.html


Locate the ZIP archive:



This step is not ever necessary but it's a good way to avoid problems with packed/protected executables and games that built the password at runtime.
So, launch the game:



Launch dumproc specifying the name of the executable:

Code: Select all

dumproc mrw.exe dump.dat

Please note that sometimes you may have two processes of the same game, remember to specify the PID of the second one, like in the following case:

In that specific case you had to specify the exact pid of the game, so:

Code: Select all

dumproc 3692 dump.dat

Now use exestringz on the dumped process with the -b option:

Code: Select all

exestringz -b -q 1 dump.dat passwords_list.txt

The alternative command for the "strings" tool is:

Code: Select all

strings dump.dat > passwords_list.txt

Launch the ZIP scanner script against the ZIP archive:

Code: Select all

z:\>quickbms zip_pwd_scanner.bms "C:\Program Files (x86)\Mini Robot Wars\DATA"

QuickBMS generic files extractor and reimporter 0.5.32
by Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org
        (Jul 19 2014 - 10:03:02)

                  http://quickbms.aluigi.org
               http://twitter.com/luigi_auriemma

- open input file C:\Program Files (x86)\Mini Robot Wars\DATA
- open script zip_pwd_scanner.bms
- set output folder .

  offset   filesize   filename
--------------------------------------
- enter in folder C:\Program Files (x86)\Mini Robot Wars
- open input file C:\Program Files (x86)\Mini Robot Wars\passwords_list.txt
- enter in folder .
- open input file z:\\passwords_list.txt
- SCRIPT's MESSAGE:
  the error "incomplete input file number 1" means that no password was found

- SCRIPT's MESSAGE:
  FILE: Resource/

- SCRIPT's MESSAGE:
  FILE: Resource/Button/

- SCRIPT's MESSAGE:
  FILE: Resource/Button/Btn_Adv_Lab_Disable.png

- SCRIPT's MESSAGE:
  scanning in progress, please wait patiently...

- SCRIPT's MESSAGE:
  Password found:

  EC?^!98$$%ab17

- SCRIPT's MESSAGE:
  (hex visualization for debugging)
  45433f5e21393824242561623137


- 0 files found in 1 seconds
  coverage file 0     0%   10982      123799172
  coverage file 1    45%   97303      213932
  coverage file -1  366600%   39534144   10784
  coverage file -2  366600%   39578136   10796

The password has been found: EC?^!98$$%ab17


This is the final recap of the steps:
- launch the game
- dump the process
- dumps the strings in a wordlist file
- crack the zip using the wordlist


That's all.
It's super easy, it requires no skills and works most of the times.

[raykingnihong]

Hi aluigi my friend very good tutorial I am learning

[CriticalError]

Hello luigi many thanks for the great tutorial, I download this game for understand that, and really all be ok to the last step, and I stuck there, after run zip password script I got no password, all scanning going well but no found nothing so whats wrong?

[aluigi]

There is something really very strange in that message, it looks like your script is corrupted.
The reason is simple, your messages are truncated so the password was found but you cannot see it.

Example:
the -> the error "incomplete input file number 1" means that no password was found
FILE -> FILE: name of the file
Password -> Password found: followed by the textual password on the next line
hex -> (hex visualization for debugging)

[CriticalError]

ok so now all be working fine, I redownload script and work very well, now my question is, I try it in another game, I got all files but in the end I got it, thats mean the password is not stored in .exe?

PS: about the dump.dat the only way to dump this one to convert to txt password dump is via strings, because exestringz for some reason when try dump it it only stuck there in console like dumping, but it never ends.

[aluigi]

If you don't receive the "Password found" message, it means that it's not in the exe. It may happen sometimes so don't be surprised

strings is ok too.

The image you posted show that you selected passwords_list.txt as input file which is wrong, you must select the ZIP protected by password as input file (passwords_list.txt is loaded automatically by the script).

[romli1987]

Hi guys, I'am newbie in programming,
and i want to try edit some *.xml file on archive this game
https://www.awem.com/cradle-of-rome-2.html (Cradle Of Rome2)
and yes I can extract those archive (resources.pak) with this bms script
http://aluigi.altervista.org/bms/awem.bms
but when I re-importing (using awem.bms) always failed.
I try open that .pak file with peazip always ask for password.
may i ask to you guys to retrieve password for this game (resources.pak), or make a script for re-importing?
sorry for my bad English.

Many thanks.

[aluigi]

If it's really a ZIP archive then first check the "pak"-related passwords listed here:
http://aluigi.altervista.org/papers.htm#info

[romli1987]

If it's really a ZIP archive then first check the "pak"-related passwords listed here:
http://aluigi.altervista.org/papers.htm#info

thanks for a link, and i have check for Cradle Of Rome 2 [resources.pak] not found.
Ctrl+f and type "Cradle" [without Quotes] only found 1 result [to these link http://aluigi.altervista.org/papers/uniginex.zip]
help me please..
thanks for reply..

[aluigi]

You made a big mess and you are 100% OT.

resources.pak is a AWEM archive that you correctly extracted with my script.

If you extract the files in the same folder of the game, delete resources.pak and run the game, it may work.
"If" it doesn't work then you can try the reimport feature of quickbms.
If the reimport feature doesn't work correctly or you are not satisfied with it (it has some limits unfortunately) then there are no solutions ready to use.
In this case the script is not valid for reimporting.

Anyway this is TOTALLY unrelated to the ZIP files of this topic, so do NOT post here.

P.S.: I confirm that the game works perfectly with the files extracted in the game folder and resources.pak is deleted

[romli1987]

You made a big mess and you are 100% OT.

resources.pak is a AWEM archive that you correctly extracted with my script.

If you extract the files in the same folder of the game, delete resources.pak and run the game, it may work.
"If" it doesn't work then you can try the reimport feature of quickbms.
If the reimport feature doesn't work correctly or you are not satisfied with it (it has some limits unfortunately) then there are no solutions ready to use.
In this case the script is not valid for reimporting.

Anyway this is TOTALLY unrelated to the ZIP files of this topic, so do NOT post here.

P.S.: I confirm that the game works perfectly with the files extracted in the game folder and resources.pak is deleted

whaaaaaaaaa thanks you very much, I will try that trick..
and I am so SORRY for wrong post ...

note : you can delete my post in this topic

[okami29]

Hi I tried to dump Wolcen but I have this error message :
Is it because it's a 64 bit process (I think) :

[aluigi]

Yeah, you have to use alternatives for 64bit processes.
The Windows Task Manager (taskmgr) has a "Create Dump File" when you right-click on a process in the Processes tab, the dump is big but it's perfect for your needs.
Process Explorer has a similar feature with the additional possibility to create a smaller dump that probably doesn't contain the key you need, so you have to use the "Create Full Dump" option.
ProcDump is the same of the previous 2 suggestions: procdump -ma process_name
The full dump is useful if the key is generated at runtime instead of being hard-coded in the executable.
There are many tools that allow to dump only the main module of the process and not the whole memory without attaching debuggers, feel free to search on Google.

[Parody]

How to do this with an android game?

[okami29]

My dump file size is more than 3GB then when using exestringz I have an error Not enough space.
What can I do ?

[Donut duck]

How to do his for Mac? I need password for btd battles 4.8.2 for Mac!

[Changaa]

Please Help. I am loading the passwords_txt and everything, it scans, but it doesnt say it couldnt get a password or anything. It goes straight to the "files found". Thx!

[Trystar007]

Ok this is confusing me when i launch dumproc i cant specify the game because it closes immediately am i doing something wrong? and when i get a dump dat using windows task manager the file size is 0 bytes which makes no sense please help.

[aluigi]

The reasons behind dumproc may be two: process is "protected" (anticheat and so on) and/or is 64bit (dumproc is 32bit), probably both.
Try Process Explorer launched as Administrator, select the process, "Create Dump" and try Mini dump first, Full dump may be better in some situations.
dumproc should be no longer used.

You have not specified the name of the game so the other users can't help you much but your other posts are about Fortnite, please note that this topic is completely useless for finding the AES key of that game. Just trying to save your time

[Trystar007]

Thank you for replying and notifying me that this wont work for Fortnite, So that brings me to another question how are other people getting the fortnite keys? The key for the game is constantly changing so could you direct me to a post that could help me with getting the key? thanks again