Destiny 2 PKG

Ehnoah
Posts: 51
Joined: Tue Jan 26, 2016 12:45 pm

Destiny 2 PKG

Post by Ehnoah »

Files are in PKG format; I uploaded samples. The biggest file is ~2 GB and can go up to 4, I assume.

http://www19.zippyshare.com/v/QZoYkOFu/file.html
http://www19.zippyshare.com/v/1aP4I9aF/file.html
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Destiny 2 PKG

Post by aluigi »

The data is encrypted probably with blowfish or xtea, so there is not much to do without the algorithm and the key.
This is the work-in-progress script, which means that you CANNOT use it but it's useful to me or other people when the problem with the encryption is solved:

Code:

comtype oodle   # ???
goto 0xd0
get FILES long
get INFO_OFF long
goto INFO_OFF
for i = 0 < FILES
    get OFFSET long
    get ZSIZE long
    get SIZE long
    get SOME_CRC long
    getdstring ZHASH 16
    getdstring HASH 16
    encryption ??? ???
    if SIZE == 0
        log "" OFFSET ZSIZE
    else
        clog "" OFFSET ZSIZE SIZE
    endif
next i

Just for the record, there was a topic for Destiny 1 but I don't know if the format (and encryption) is the same... anyway there was no solution so it's useless:
viewtopic.php?t=134
Ehnoah
Posts: 51
Joined: Tue Jan 26, 2016 12:45 pm

Re: Destiny 2 PKG

Post by Ehnoah »

Destiny 2 has super crazy protection, so it might not be easy to get the key from the client; also, the binary files are not shipped yet. So I assume we have to wait for the beta to start to dig around for the key.
Ernegien
Posts: 1
Joined: Sat Aug 26, 2017 5:02 am

Re: Destiny 2 PKG

Post by Ernegien »

Feel free to borrow against my research ;) We'll probably have to wait for the game's exe to drop in order to harvest the decryption information unfortunately.

https://github.com/Ernegien/Destiny2ool ... 2ools.Core
Ehnoah
Posts: 51
Joined: Tue Jan 26, 2016 12:45 pm

Re: Destiny 2 PKG

Post by Ehnoah »

I am currently working to get the Take Home Client :) which contains the full game. I had someone at Blizzard who can share the key, but not sure if they can do so on DST2 as well?
Ehnoah
Posts: 51
Joined: Tue Jan 26, 2016 12:45 pm

Re: Destiny 2 PKG

Post by Ehnoah »

Ernegien wrote: Feel free to borrow against my research ;) We'll probably have to wait for the game's exe to drop in order to harvest the decryption information unfortunately.

https://github.com/Ernegien/Destiny2ool ... 2ools.Core



Binaries are up. You got hands on?
toxic72
Posts: 26
Joined: Sun Mar 20, 2016 10:25 pm

Re: Destiny 2 PKG

Post by toxic72 »

So far:

Game has AES and 3DES encryption, the only two found so far.
Several hash algorithms: SHA1, SHA256, MD5, MurMur3, CRC32, Tiger192.
Game still uses Oodle, specifically the LZ variant.
Edit: In addition to Oodle, ZLib is also statically linked to the application.

The following is the only AES key present "5e5b3fcccc60c298c3266226de660799505f9475fc1ba4c1be68f6864c0a0356"

There are at least two separate chunk flags besides uncompressed, most likely encryption, and encryption + compression (values 3 and 7) in the 3rd byte of chunk flags.
When the third flag is set, there are an additional 16 bytes after the chunk hash. Also to note: each encrypted chunk in the same package starts with the same bytes.
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Destiny 2 PKG

Post by aluigi »

Do you have a confirmation of that aes key?
It still gives garbage data when used with aes on the bytes at offset 0x800
toxic72
Posts: 26
Joined: Sun Mar 20, 2016 10:25 pm

Re: Destiny 2 PKG

Post by toxic72 »

aluigi wrote: Do you have a confirmation of that aes key?
It still gives garbage data when used with aes on the bytes at offset 0x800


I'm pretty sure the bytes at 0x800 are an RSA signature verification block.

Edit: Looks like Oodle in D2 is using a hardcoded max block size of 0x40000.

Main package routine: sub_7FF700E7F020, SHA1 verification: sub_7FF700E7FFA0
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Destiny 2 PKG

Post by aluigi »

Can you provide an example with the samples provided in the previous posts?
Here I used the following with w64_pvp_0159_0.pkg but still no luck:

Code:

encryption aes "\x5e\x5b\x3f\xcc\xcc\x60\xc2\x98\xc3\x26\x62\x26\xde\x66\x07\x99\x50\x5f\x94\x75\xfc\x1b\xa4\xc1\xbe\x68\xf6\x86\x4c\x0a\x03\x56"
log "dump.dat" 0x2800 0xd30
toxic72
Posts: 26
Joined: Sun Mar 20, 2016 10:25 pm

Re: Destiny 2 PKG

Post by toxic72 »

aluigi wrote: Can you provide an example with the samples provided in the previous posts?
Here I used the following with w64_pvp_0159_0.pkg but still no luck:

Code:

encryption aes "\x5e\x5b\x3f\xcc\xcc\x60\xc2\x98\xc3\x26\x62\x26\xde\x66\x07\x99\x50\x5f\x94\x75\xfc\x1b\xa4\xc1\xbe\x68\xf6\x86\x4c\x0a\x03\x56"
log "dump.dat" 0x2800 0xd30


I never got the AES key to work; it was just found when debugging the game. I'm not sure what it's used for yet. However, as I said previously, all enc blocks start with the same bytes, *in each package itself*, so it's possible it's a single key per package.

Edit: Just the first two bytes of each encrypted block, in each package, are the same.
Edit2: Scratch that, variable length bytes at the start of each enc block are the same, found some with two and some with three so far.
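
An added example, not part of toxic72's post or of any tool from this thread: it measures the byte prefix shared by a set of encrypted chunks and shows why a prefix shorter than one 16-byte block points to a keystream reused across chunks (or to an unencrypted header) rather than ECB/CBC, and why a per-chunk nonce removes the pattern. The SHA-256 counter keystream, the key, the nonces and the chunk bytes are constructed stand-ins (assumptions); the game's real cipher is not established here.

```python
import hashlib

BLOCK = 16  # AES block size in bytes

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (stand-in, not the game's cipher)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "little")).digest()
        counter += 1
    return out[:n]

def stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream, as any stream-like mode does."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def common_prefix_len(blobs) -> int:
    """Length of the longest byte prefix shared by every blob."""
    n = 0
    for column in zip(*blobs):
        if len(set(column)) != 1:
            break
        n += 1
    return n

def classify(prefix_len: int) -> str:
    """Interpret a shared ciphertext prefix length."""
    if prefix_len == 0:
        return "no shared prefix"
    if prefix_len % BLOCK == 0:
        return "block-aligned: consistent with ECB or CBC with a fixed IV"
    return "sub-block: keystream reused across chunks, or an unencrypted header"

# Constructed sample: four chunks with the same 3-byte start and different bodies.
KEY = bytes(range(32))
CHUNKS = [b"\xaa\xbb\xcc" + bytes([i]) * 40 for i in range(1, 5)]

def demo():
    """Return shared prefix lengths: plaintext, one nonce per package, one per chunk."""
    fixed = [stream_encrypt(KEY, b"pkg-nonce", c) for c in CHUNKS]
    unique = [stream_encrypt(KEY, b"pkg-nonce" + bytes([i]), c)
              for i, c in enumerate(CHUNKS)]
    return common_prefix_len(CHUNKS), common_prefix_len(fixed), common_prefix_len(unique)

if __name__ == "__main__":
    plain, fixed, unique = demo()
    print(plain, fixed, classify(fixed))
    print(unique, classify(unique))
```
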
apollon08170
Posts: 14
Joined: Fri Mar 17, 2017 9:41 pm

Re: Destiny 2 PKG

Post by apollon08170 »

The Open Beta download is available for all on the Blizzard App. :mrgreen:
apollon08170
Posts: 14
Joined: Fri Mar 17, 2017 9:41 pm

Re: Destiny 2 PKG

Post by apollon08170 »

aluigi wrote: Can you provide an example with the samples provided in the previous posts?
Here I used the following with w64_pvp_0159_0.pkg but still no luck:

Code:

encryption aes "\x5e\x5b\x3f\xcc\xcc\x60\xc2\x98\xc3\x26\x62\x26\xde\x66\x07\x99\x50\x5f\x94\x75\xfc\x1b\xa4\xc1\xbe\x68\xf6\x86\x4c\x0a\x03\x56"
log "dump.dat" 0x2800 0xd30



Decryptable with Hashcat?
toxic72
Posts: 26
Joined: Sun Mar 20, 2016 10:25 pm

Re: Destiny 2 PKG

Post by toxic72 »

Looks like the encryption is called "fang". Ever heard of it?

https://paste.md-5.net/wexomefaxo.cpp

This is run per block entry, and it always checks for fang first; if not, it just copies to the buffer (v52), which is then used for decompression (Oodle).
Fusion_
Posts: 5
Joined: Thu Sep 01, 2016 9:55 pm

Re: Destiny 2 PKG

Post by Fusion_ »

Little FYI: move your Destiny 2 folder to a safe location before opening the Blizzard Launcher, since it will delete ALL the game files (because the beta ended).
marn
Posts: 6
Joined: Thu Aug 31, 2017 7:03 pm

Re: Destiny 2 PKG

Post by marn »

Hello!

I've been doing some digging into the unpacking method used.

destiny2.exe decrypts and opens the \packages\w64_client_bootstrap_unp1_0.pkg
The decryption is being handled by the \bin\x64\oo2core_3_win64.dll

The decrypting thread callstack:

Code:

 # Child-SP          RetAddr           : Args to Child                                                           : Call Site
00 000000c2`9c3ff858 00007fff`fd73988f : 00000000`00000008 00000000`00000004 00000004`fbee05c6 000005c6`00000013 : ntdll!NtWaitForSingleObject+0x14
01 000000c2`9c3ff860 00007ff7`b81bbfd2 : 000001db`843406f0 000001db`85792e48 00000013`00000000 00000000`00000548 : KERNELBASE!WaitForSingleObjectEx+0x9f
02 000000c2`9c3ff900 00007ff7`b8170b36 : ffffffff`20c00006 000001db`00000001 000001db`85792cf0 000001db`857921a0 : destiny2!opus_get_version_string+0x3388e2
03 000000c2`9c3ff930 00007ff7`b8170b8a : 000001db`8578d800 ffffffff`00000004 0000ffff`00000001 00007ff7`b99c7898 : destiny2!opus_get_version_string+0x2ed446
04 000000c2`9c3ff960 00007ff7`b81a3413 : 000001db`8573d780 000001db`00000004 000000c2`9c3ff9c0 00000000`0000000a : destiny2!opus_get_version_string+0x2ed49a
05 000000c2`9c3ff990 00007ff7`b816b762 : 000001db`85792e40 00000000`00000004 00000000`00000000 00007ff7`b8153f04 : destiny2!opus_get_version_string+0x31fd23
06 000000c2`9c3ffab0 00007ff7`b816ec89 : 000001db`8573d780 00000000`00000004 00000000`00000010 00000000`00000012 : destiny2!opus_get_version_string+0x2e8072
07 000000c2`9c3ffb30 00007ff7`b81a3758 : 00000000`00010004 00007ff7`b81bd525 000001dc`5eca7fb0 00007ff7`b99c78bc : destiny2!opus_get_version_string+0x2eb599
08 000000c2`9c3ffb60 00007ff7`b81a380f : 00007ff7`b99c7898 00007ff7`b99c7898 00000000`00000000 00007ff7`b81a3780 : destiny2!opus_get_version_string+0x320068
09 000000c2`9c3ffba0 00007fff`ffcf2774 : 00007ff7`b99c7898 00000000`00000000 00000000`00000000 00000000`00000000 : destiny2!opus_get_version_string+0x32011f
0a 000000c2`9c3ffbe0 00007ff8`00610d51 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14
0b 000000c2`9c3ffc10 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


oo2core_3_win64.dll relative functions:

Code:

Name    Address    Ordinal
OodleLZ_Decompress 000000018005F8B0 18
OodleLZDecoder_DecodeSome 000000018005E180 2


Still a WIP, but the key has to be stored here somewhere :)
Ehnoah
Posts: 51
Joined: Tue Jan 26, 2016 12:45 pm

Re: Destiny 2 PKG

Post by Ehnoah »

Did you also record the launch process, maybe?

I know it is:

destiny2.exe -uid Destiny2
"C:\Program Files (x86)\Blizzard App\Battle.net.9262\Loader64.exe" 11048 "C:\Program Files (x86)\Blizzard App\Battle.net.9262\bzrclient64.dll"

Where 11048 is the process ID. However, it seems not to work, so I am missing one step.
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Destiny 2 PKG

Post by aluigi »

@marn
oodle is only for decompression, the data you have there has been already decrypted somewhere else
marn
Posts: 6
Joined: Thu Aug 31, 2017 7:03 pm

Re: Destiny 2 PKG

Post by marn »

aluigi wrote: @marn
oodle is only for decompression, the data you have there has been already decrypted somewhere else


Yup :(

Trying to further debug the .exe but they have pretty good anti-debugging checking in the GFSDK_Aftermath_lib.dll
masterx244
Posts: 5
Joined: Thu Aug 28, 2014 8:57 pm

Re: Destiny 2 PKG

Post by masterx244 »

marn wrote:
aluigi wrote: @marn
oodle is only for decompression, the data you have there has been already decrypted somewhere else


Yup :(

Trying to further debug the .exe but they have pretty good anti-debugging checking in the GFSDK_Aftermath_lib.dll

Send a bunch of thanks to NVidia for that file