BattleBlock Theater WMA files
-
- Posts: 161
- Joined: Sat Dec 13, 2014 1:01 am
BattleBlock Theater WMA files
This game's got some pretty weird audio files. They've all got the .wma extension, but only some of them actually have a header and work. Here's one that works and here's one that doesn't. An automatic assumption is that it's the same format and simply missing a header, but if that's the case I don't know how to build the header.
Any help would be appreciated
-
- Posts: 161
- Joined: Sat Dec 13, 2014 1:01 am
Re: BattleBlock Theater WMA files
OK, after looking at some RAM dumps and managing to extract a working version of the menu music, I've come to the conclusion that the files that don't work are probably compressed or obfuscated in some way. I would be really, really grateful if somebody was able to figure out what sort of compression is used!!
I've attached a zip containing the compressed file and the uncompressed file I extracted.
-
- Site Admin
- Posts: 12984
- Joined: Wed Jul 30, 2014 9:32 pm
Re: BattleBlock Theater WMA files
It's encryption with a 64-bit block cipher without using ivec, probably blowfish or *tea.
You can see that at offset 0x1300 of both files, where there is a long sequence of zeroes in the RIFF file and 5 identical 8-byte patterns in the other file.
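The comparison described in the post above, as an added example that is not part of the original thread: it looks for runs of identical 8-byte aligned blocks and checks whether a run in the known plaintext lines up with a run in the encrypted data. `toy_ecb`, `toy_chained` and `_f` are hypothetical stand-ins built from SHA-256 so the constructed sample runs offline; they are not Blowfish and not the game's scheme.

```python
import hashlib

BLOCK = 8  # 64-bit block size, as suggested in the post above

def runs(data: bytes, size: int = BLOCK, min_run: int = 3):
    """Runs of identical size-aligned blocks, as [(offset, block_count), ...]."""
    out, i, end = [], 0, len(data) - len(data) % size
    while i < end:
        j = i + size
        while j < end and data[j:j + size] == data[i:i + size]:
            j += size
        if (j - i) // size >= min_run:
            out.append((i, (j - i) // size))
        i = j
    return out

def looks_like_ecb(plain: bytes, cipher: bytes, size: int = BLOCK) -> bool:
    """True when a run of repeated plaintext blocks shows up as an equally
    long run of repeated ciphertext blocks at the same offset (no IV/chaining)."""
    cipher_runs = set(runs(cipher, size))
    return any(r in cipher_runs for r in runs(plain, size))

# Constructed sample data below. _f is a hypothetical keyed stand-in built
# from SHA-256; it is NOT Blowfish and not the game's scheme.
def _f(key: bytes, block: bytes) -> bytes:
    return hashlib.sha256(key + block).digest()[:BLOCK]

def toy_ecb(key: bytes, data: bytes) -> bytes:
    # every block is transformed independently: equal input, equal output
    return b"".join(_f(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def toy_chained(key: bytes, data: bytes, iv: bytes = bytes(BLOCK)) -> bytes:
    # CBC-style chaining: each block is mixed with the previous output first
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = _f(key, bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)

def sample_plain() -> bytes:
    # 0x1400 pseudo-random bytes with 40 zero bytes placed at offset 0x1300
    body = b"".join(hashlib.sha256(n.to_bytes(4, "little")).digest() for n in range(160))
    return body[:0x1300] + bytes(40) + body[0x1300 + 40:]

if __name__ == "__main__":
    p = sample_plain()
    for name, enc in (("ecb", toy_ecb), ("chained", toy_chained)):
        c = enc(b"constructed-key", p)
        print(name, [(hex(o), n) for o, n in runs(c)], looks_like_ecb(p, c))
```

On real files, read both as bytes and pass them to `runs` and `looks_like_ecb`; a run that survives encryption at the same offset is what points to a block cipher used without an IV or chaining.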
-
- Posts: 161
- Joined: Sat Dec 13, 2014 1:01 am
Re: BattleBlock Theater WMA files
Thank you! However in that case it seems I would need a key, do you have any ideas on how I could find it?
-
- Site Admin
- Posts: 12984
- Joined: Wed Jul 30, 2014 9:32 pm
Re: BattleBlock Theater WMA files
Yes you need the key.
You can check with signsrch if there are known encryption algorithms in the executable, it's useful if you want to debug/analyze the executable because it tells you where to search.
If the game uses OpenSSL you will see tons of encryption algorithms... very confusing
Consider that sometimes it's also possible that the game uses a custom obfuscation but I don't think this is the case, other times games use customized encryption algorithms (like xtea with different constants and so on).
-
- Posts: 161
- Joined: Sat Dec 13, 2014 1:01 am
Re: BattleBlock Theater WMA files
Thanks, I checked the executable with signsrch and got this:
Code:
Signsrch 0.2.3
by Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
optimized search function by Andrew http://www.team5150.com/~andrew/
disassembler engine by Oleh Yuschuk
- open file "BattleBlockTheater.exe"
- 4026880 bytes allocated
- load signatures
- open file E:\Resource Ripping\Tools\Signsrch\signsrch.sig
- 3069 signatures in the database
- start 2 threads
- start signatures scanning:
offset num description [bits.endian.size]
--------------------------------------------
00000497 1016 MD4 digest [32.le.24&]
00000497 1036 SHA1 / SHA0 / RIPEMD-160 initialization [32.le.20&]
000004ac 2053 RIPEMD-128 InitState [32.le.16&]
0001366d 3048 DMC compression [32.le.16&]
001c4d30 2291 zinflate_lengthStarts [32.le.116]
001c4dc5 2295 zinflate_lengthExtraBits [32.be.116]
001c4dc8 2294 zinflate_lengthExtraBits [32.le.116]
001c4e40 2298 zinflate_distanceStarts [32.le.120]
001c4eb8 2303 zinflate_distanceExtraBits [32.le.120]
001c9208 648 CRC-32-IEEE 802.3 [crc32.0xedb88320 lenorev 1.1024]
001c9208 641 CRC-32-IEEE 802.3 [crc32.0x04c11db7 le rev int_min.1024]
001c9608 129 Adler CRC32 (0x191b3141) [32.le.1024]
001c9a08 131 Adler CRC32 (0x01c26a37) [32.le.1024]
001c9e08 133 Adler CRC32 (0xb8bc6765) [32.le.1024]
001ca208 652 CRC-32-IEEE 802.3 [crc32.0xedb88320 benorev 1.1024]
001ca208 645 CRC-32-IEEE 802.3 [crc32.0x04c11db7 be rev int_min.1024]
001ca608 130 Adler CRC32 (0x191b3141) [32.be.1024]
001caa08 132 Adler CRC32 (0x01c26a37) [32.be.1024]
001cae08 134 Adler CRC32 (0xb8bc6765) [32.be.1024]
001cc640 2289 zinflate_lengthStarts [16.le.58]
001cc6c0 2296 zinflate_distanceStarts [16.le.60]
001cc740 1087 Zlib length_code [..256]
001cc840 1086 Zlib dist_code [..512]
001cd088 1089 Zlib base_length [32.le.116]
001cd100 1091 Zlib base_dist [32.le.120]
002d52ea 2545 anti-debug: IsDebuggerPresent [..17]
002d5800 1563 libavcodec ff_zigzag_direct [..64]
002d5978 2875 libavcodec ff_mjpeg_val_ac_luminance [..162]
002d5ab0 2876 libavcodec ff_mjpeg_val_ac_chrominance [..162]
002f2070 2065 Haval init [32.le.32&]
002f2070 919 Blowfish bfp table [32.le.72]
002f2090 1054 Haval hash pass2 [32.le.128&]
002f20b8 921 Blowfish ks0 table [32.le.1024]
002f20b8 2335 Blowfish_s_init [32.le.4096]
002f2110 2067 Haval mc3 [32.le.128]
002f2170 2219 HAVAL2_DS [32.le.32]
002f2190 2069 Haval mc4 [32.le.128]
002f21f0 2217 HAVAL1_DS [32.le.32]
002f2210 2071 Haval mc5 [32.le.128]
002f24b8 923 Blowfish ks1 table [32.le.1024]
002f28b8 925 Blowfish ks2 table [32.le.1024]
002f2cb8 927 Blowfish ks3 table [32.le.1024]
002fd904 2417 MBC2 [32.le.248&]
0032a1fb 1038 padding used in hashing algorithms (0x80 0 ... 0) [..64]
0033fed5 3050 compression algorithm seen in the game DreamKiller [32.le.12&]
- 45 signatures found in the file in 8 seconds
- done
Unfortunately I can't really make heads or tails of this, not sure what to do now. However it does look like we can conclude that the encryption is indeed Blowfish. It also seems to mention zlib, which is used for the BAF animation files.
-
- Posts: 161
- Joined: Sat Dec 13, 2014 1:01 am
Re: BattleBlock Theater WMA files
I'm not sure exactly what to do now, how would I go about finding the key? And can you confirm whether this is Blowfish or not?
If you need the .exe I can upload it.
-
- Site Admin
- Posts: 12984
- Joined: Wed Jul 30, 2014 9:32 pm
Re: BattleBlock Theater WMA files
Basically now it's a job for the debugger or the disassembler, but I guess you have no experience with this type of analysis.
If you can upload the executable, Ekey or I may take a look at it.
-
- Posts: 161
- Joined: Sat Dec 13, 2014 1:01 am
Re: BattleBlock Theater WMA files
Thank you, I have attached the executable
I would like to know how to do these things myself, if you do figure it out then I would appreciate an explanation of how you did it. However if that is too complex then I understand
-
- Site Admin
- Posts: 12984
- Joined: Wed Jul 30, 2014 9:32 pm
Re: BattleBlock Theater WMA files
I tried the key "\x61\xf4\x4d\x75\x89\x4b\xbb\x2c\x71\x0f\x3b\xa4\xa9\x38\x56\x74\x12\x74\xa9\x99\xd2\xab\x0f\xc8\x99\x3a\x02\xd3" with both blowfish and bf_ecb (the endianness is changed automatically so no need of generating 2 keys) but without good results.
Anyway it was just a quick check.
-
- Posts: 1383
- Joined: Sat Aug 09, 2014 2:34 pm
Re: BattleBlock Theater WMA files
Because it's not BlowFish, check > 004100BA -> SHA + Mersenne Twister and > 0046AFB0
-
- Posts: 161
- Joined: Sat Dec 13, 2014 1:01 am
Re: BattleBlock Theater WMA files
What does that mean? I've looked it up and I know that SHA is a hash algorithm and Mersenne Twister is a PRNG, but I don't understand what you mean by "check > 004100BA ->" or "> 0046AFB0"?
I would really like to decrypt these files if it's possible.
-
- Posts: 1383
- Joined: Sat Aug 09, 2014 2:34 pm
Re: BattleBlock Theater WMA files
SHA + Mersenne Twister are used to generate the key and decrypt
-
- Posts: 161
- Joined: Sat Dec 13, 2014 1:01 am
Re: BattleBlock Theater WMA files
What does that mean? Is there any way to decrypt them? Sorry but I'm not very experienced with decrypting files.
-
- Posts: 161
- Joined: Sat Dec 13, 2014 1:01 am
Re: BattleBlock Theater WMA files
https://github.com/magcius/bbtucrypt/
Someone figured it out and made a program to decrypt the files. Apparently it uses Mersenne Twister to generate a key, and then Blowfish for the decryption, or something along those lines. That's just the code, I have a compiled version here.
Usage is pretty simple:
Code:
decrypt infile outfile
One important thing to note is that the encryption relies on the filename, and the program doesn't remove parent directories from the input path, so you need to use the program in the same folder as the file(s) you're converting. So for example this doesn't work:
Code:
decrypt sounds\gameplay_1.wma gameplay_1.dec
Because the input needs to be "gameplay_1.wma" not "sounds\gameplay_1.wma". That said, the extension is ignored and it's case insensitive.
By the way, if somebody would be able to reverse this to make an encryption program, that would also be very cool
-
- Posts: 1
- Joined: Tue Jun 16, 2015 4:16 am
Re: BattleBlock Theater WMA files
Thanks for that compiled version. I've spent too much on compiling it lol
-
- Posts: 1
- Joined: Sun Jul 19, 2015 3:12 am
Re: BattleBlock Theater WMA files
puggsoy wrote:
https://github.com/magcius/bbtucrypt/
Someone figured it out and made a program to decrypt the files. Apparently it uses Mersenne Twister to generate a key, and then Blowfish for the decryption, or something along those lines. That's just the code, I have a compiled version here.
Usage is pretty simple:
Code:
decrypt infile outfile
One important thing to note is that the encryption relies on the filename, and the program doesn't remove parent directories from the input path, so you need to use the program in the same folder as the file(s) you're converting. So for example this doesn't work:
Code:
decrypt sounds\gameplay_1.wma gameplay_1.dec
Because the input needs to be "gameplay_1.wma" not "sounds\gameplay_1.wma". That said, the extension is ignored and it's case insensitive.
By the way, if somebody would be able to reverse this to make an encryption program, that would also be very cool
If it's not much asking... Can you give me a hand with this?
So far I tried using the .exe like this:
decrypt.exe gameplay_1.wma test.wma
But somehow, I still can't listen to the music at all... Am I doing something wrong?
I tried as well with .dec but... I have no idea what else I need for that file
-
- Posts: 161
- Joined: Sat Dec 13, 2014 1:01 am
Re: BattleBlock Theater WMA files
Ah right, sorry about that. They are actually listenable in Audacity, but yeah most players have issues with them. I forgot to mention that you need to convert them using xWMAEncode, which you can download here. You can use it to convert files to .wav (this is also needed for any other .wma files from the game, even those that weren't initially encrypted). Here's the syntax:
Code:
xWMAEncode gameplay_1.wma gameplay_1.wav
This will convert to uncompressed .wav. You can also use the batch script I've included to convert all the .wma files in the same directory as the .exe, and put them in a subfolder.
-
- Posts: 3
- Joined: Thu Dec 15, 2022 7:12 am
Re: BattleBlock Theater WMA files
I don't know what I did wrong, I renamed gameplay_1.wma to 1.wma, then used PowerShell to type .\decrypt 1.wma 2.wma
I found that the generated 2.wma was 16 bytes smaller than 1.wma. Finally, I used PowerShell to input .\xWMAEncode 2.wma 3.wav, but no file was generated
Just prompt in the PowerShell window:
ERROR: Input file type is neither PCM nor xWMA
Converting 2.wma to 3.wav failed with error E_INVALIDARG (Invalid arguments)
And when I import 2.wma into Audacity, it prompts that the copyright issue cannot be played
If anyone else sees this post I'd like some help, thanks a lot!
puggsoy wrote:
Ah right, sorry about that. They are actually listenable in Audacity, but yeah most players have issues with them. I forgot to mention that you need to convert them using xWMAEncode, which you can download here. You can use it to convert files to .wav (this is also needed for any other .wma files from the game, even those that weren't initially encrypted). Here's the syntax:
Code:
xWMAEncode gameplay_1.wma gameplay_1.wav
This will convert to uncompressed .wav. You can also use the batch script I've included to convert all the .wma files in the same directory as the .exe, and put them in a subfolder.
-
- Posts: 3
- Joined: Thu Dec 15, 2022 7:12 am
Re: BattleBlock Theater WMA files
Don't know if you solved this problem, sorry to bother you after all these years
SirRouzel wrote:
puggsoy wrote:
https://github.com/magcius/bbtucrypt/
Someone figured it out and made a program to decrypt the files. Apparently it uses Mersenne Twister to generate a key, and then Blowfish for the decryption, or something along those lines. That's just the code, I have a compiled version here.
Usage is pretty simple:
Code:
decrypt infile outfile
One important thing to note is that the encryption relies on the filename, and the program doesn't remove parent directories from the input path, so you need to use the program in the same folder as the file(s) you're converting. So for example this doesn't work:
Code:
decrypt sounds\gameplay_1.wma gameplay_1.dec
Because the input needs to be "gameplay_1.wma" not "sounds\gameplay_1.wma". That said, the extension is ignored and it's case insensitive.
By the way, if somebody would be able to reverse this to make an encryption program, that would also be very cool
If it's not much asking... Can you give me a hand with this?
So far I tried using the .exe like this:
decrypt.exe gameplay_1.wma test.wma
But somehow, I still can't listen to the music at all... Am I doing something wrong?
I tried as well with .dec but... I have no idea what else I need for that file