Retrieving ZIP passwords from games - the debugger way
-
- Posts: 12
- Joined: Wed Apr 27, 2016 5:11 pm
Re: Retrieving ZIP passwords from games - the debugger way
Thank you a lot for this howto. Found a Text/clipboard Manager Files password.
-
- Posts: 13
- Joined: Sat May 18, 2019 1:19 pm
Re: Retrieving ZIP passwords from games - the debugger way
My comments are in relation to my thread here.
As I couldn't get the password for the game in my thread using the procedure shown in this tutorial here, I tried this tutorial using Mini Robot Wars game as an example/test to see what is going wrong.
>quickbms script imt3.bms was created using Notepad. The script being -
Code:
math quickbms_arg1 -= 3
goto quickbms_arg1
for i = 0 < 5
put 0xcc byte
next i
- the script being as per the tutorial in this thread here. Script located in quickbms directory where quickbms could find it.
>Started Mini Robot Wars game by clicking MRW.exe and running it as an Administrator.
>Before playing this game I pressed the keys ALT and TAB to get back to my desktop/system to allow me to do the following procedure.
>Opened a command window under Administrator Rights.
>In the command window, changed the directory to C:\quickbms. This is where the program Quickbms is on my system.
>In the command window, I typed in signsrch -P MRW.exe and pressed the enter key. This ran the program signsrch to find MRW sub processes and their memory addresses.
>signsrch found the ZipCrypto process at memory address 0040426e.
>Then ran OllyDbg V1.1 by clicking OLLYDBG.EXE and running it as an Administrator.
>In OllyDbg selected File, Attach, and then selected MRW.exe process.
>OllyDbg showed some message about Entry Point, and there might be some problem with setting breakpoints.
>I clicked OK on the message box.
>Note that I didn't get this (nor any other) message when attaching other games (in my other thread) using OllyDbg.
>In the command window (set at C:\quickbms directory), I typed
Code:
quickbms -p -a 0x40426e int3.bms process://MRW.exe
>Shortly some output message was shown in the command window which suggested everything was working fine so far.
>Note that in the command window the directory was set at C:\quickbms where the quickbms program is, and also where the script int3.bms is.
>But trying to ALT and TAB back into Mini Robot Wars didn't work when trying to run the game! This program couldn't be run anymore!? Also tried clicking on Mini Robot Wars icon in the task tray, but again the program would not open/run anymore!?
>Opened Windows Task Manager which showed that Mini Robot Wars was not responding!?
>And nothing had changed in OllyDbg either!
>I then closed OllyDbg which also closed the Mini Robot Wars icon (and MRW process) from the Task Tray.
So something is not working right here!?
What is wrong? Why isn't the debugging working?
Thank you.
Last edited by meeshu on Tue May 28, 2019 12:48 pm, edited 1 time in total.
-
- Site Admin
- Posts: 12984
- Joined: Wed Jul 30, 2014 9:32 pm
Re: Retrieving ZIP passwords from games - the debugger way
Have you continued the execution of the game with F9 from ollydbg?
It's that play-like > icon in the menu.
Maybe try to run the game in Window mode from its settings, that makes debugging easier.
-
- Posts: 13
- Joined: Sat May 18, 2019 1:19 pm
Re: Retrieving ZIP passwords from games - the debugger way
Thanks for the comments.
Game execution via the debugger was not done as there was no mention of that step in the tutorial.
But trying again, and this time running game from OllyDbg (F9 key) and then playing the game, soon the password was revealed in OllyDbg. So it now works!
Yes, running in windows mode makes it easier to see what is happening.
-
- Site Admin
- Posts: 12984
- Joined: Wed Jul 30, 2014 9:32 pm
Re: Retrieving ZIP passwords from games - the debugger way
Oops, I forgot the most important part of the step-by-step.
Now fixed.
-
- Posts: 104
- Joined: Wed Mar 23, 2016 5:11 am
Re: Retrieving ZIP passwords from games - the debugger way
OK, so I wanted to give this a try as well, and I have the following result on the original executable:
Code:
offset num description [bits.endian.size]
--------------------------------------------
41351b70 3048 DMC compression [32.le.16&]
413cca40 2005 B64EncodeTable [..64]
413cca40 1996 rfc3548 Base 64 Encoding with URL and Filename Safe Alphabet [..62]
41599a20 895 AES Rijndael Si / ARIA X1 [..256]
41599b20 894 AES Rijndael S / ARIA S1 [..256]
41599c20 874 SHA256 Hash constant words K (0x428a2f98) [32.le.256]
41606460 641 CRC-32-IEEE 802.3 [crc32.0x04c11db7 le rev int_min.1024]
41606460 648 CRC-32-IEEE 802.3 [crc32.0xedb88320 lenorev 1.1024]
41606860 129 Adler CRC32 (0x191b3141) [32.le.1024]
41606c60 131 Adler CRC32 (0x01c26a37) [32.le.1024]
41607060 133 Adler CRC32 (0xb8bc6765) [32.le.1024]
41607460 645 CRC-32-IEEE 802.3 [crc32.0x04c11db7 be rev int_min.1024]
41607460 652 CRC-32-IEEE 802.3 [crc32.0xedb88320 benorev 1.1024]
41607860 130 Adler CRC32 (0x191b3141) [32.be.1024]
41607c60 132 Adler CRC32 (0x01c26a37) [32.be.1024]
41608060 134 Adler CRC32 (0xb8bc6765) [32.be.1024]
41608490 2289 zinflate_lengthStarts [16.le.58]
41608510 2296 zinflate_distanceStarts [16.le.60]
4162c465 2417 MBC2 [32.le.248&]
4162d7a0 2418 MBC2 [32.be.248&]
4162ecf8 1299 classical random incrementer 0x343FD 0x269EC3 [32.le.8&]
41786600 639 CRC-32-IEEE 802.3 [crc32.0x04c11db7 lenorev int_min.1024]
41786600 650 CRC-32-IEEE 802.3 [crc32.0xedb88320 le rev 1.1024]
41786a70 3038 unlzx table_three [32.le.64]
41786a70 1605 Generic bitmask table [32.le.128]
41786a74 2588 bitmask [32.le.128]
41786ae4 3051 compression algorithm seen in the game DreamKiller [32.be.12&]
41786ae7 3050 compression algorithm seen in the game DreamKiller [32.le.12&]
41794780 1933 Vorbis FLOOR1_fromdB_LOOKUP [float.le.1024]
41796870 896 Rijndael Te0 (0xc66363a5U) [32.le.1024]
41796c70 898 Rijndael Te1 (0xa5c66363U) [32.le.1024]
41797070 900 Rijndael Te2 (0x63a5c663U) [32.le.1024]
41797470 902 Rijndael Te3 (0x6363a5c6U) [32.le.1024]
41797870 904 Rijndael Te4 (0x63636363U) [32.le.1024]
41797c70 905 Rijndael Td0 (0x51f4a750U) [32.le.1024]
41798070 907 Rijndael Td1 (0x5051f4a7U) [32.le.1024]
41798470 909 Rijndael Td2 (0xa75051f4U) [32.le.1024]
41798870 911 Rijndael Td3 (0xf4a75051U) [32.le.1024]
41798c70 913 Rijndael Td4 (0x52525252U) [32.le.1024]
41799070 914 Rijndael rcon [32.le.40]
4179a860 1087 Zlib length_code [..256]
4179a960 1086 Zlib dist_code [..512]
4179ab60 2294 zinflate_lengthExtraBits [32.le.116]
4179abdd 2304 zinflate_distanceExtraBits [32.be.120]
4179abe0 2303 zinflate_distanceExtraBits [32.le.120]
4179b1cd 1090 Zlib base_length [32.be.116]
4179b1d0 1089 Zlib base_length [32.le.116]
4179b250 1091 Zlib base_dist [32.le.120]
417a1068 3036 unlzx table_three [16.le.32]
4199cb4a 2545 anti-debug: IsDebuggerPresent [..17]
44432c4f 1038 padding used in hashing algorithms (0x80 0 ... 0) [..64]
4456938f 1295 TEA encryption/decryption (0xc6ef3720 0x9e3779b9) [32.le.8&]
4456941c 2249 TEA1_DS [32.le.4]
4298192a 917 SSH RSA id-sha1 OBJ.ID. oiw(14) secsig(3) algorithms(2) 26 [..15]
429831f6 2319 PKCS_DigestDecoration_SHA256 [..19]
- 55 signatures found in the file in 9 seconds
and the following result on the dumped/unpacked executable:
Code:
offset num description [bits.endian.size]
--------------------------------------------
404b54b2 3048 DMC compression [32.le.16&]
40b210ed 2249 TEA1_DS [32.le.4]
40c37b93 876 SHA256 Initial hash value H (0x6a09e667UL) [32.le.32&]
4106825a 1299 classical random incrementer 0x343FD 0x269EC3 [32.le.8&]
413cca40 1996 rfc3548 Base 64 Encoding with URL and Filename Safe Alphabet [..62]
413cca40 2005 B64EncodeTable [..64]
41599a20 895 AES Rijndael Si / ARIA X1 [..256]
41599b20 894 AES Rijndael S / ARIA S1 [..256]
41599c20 874 SHA256 Hash constant words K (0x428a2f98) [32.le.256]
41606460 648 CRC-32-IEEE 802.3 [crc32.0xedb88320 lenorev 1.1024]
41606460 641 CRC-32-IEEE 802.3 [crc32.0x04c11db7 le rev int_min.1024]
41606860 129 Adler CRC32 (0x191b3141) [32.le.1024]
41606c60 131 Adler CRC32 (0x01c26a37) [32.le.1024]
41607060 133 Adler CRC32 (0xb8bc6765) [32.le.1024]
41607460 652 CRC-32-IEEE 802.3 [crc32.0xedb88320 benorev 1.1024]
41607460 645 CRC-32-IEEE 802.3 [crc32.0x04c11db7 be rev int_min.1024]
41607860 130 Adler CRC32 (0x191b3141) [32.be.1024]
41607c60 132 Adler CRC32 (0x01c26a37) [32.be.1024]
41608060 134 Adler CRC32 (0xb8bc6765) [32.be.1024]
41608490 2289 zinflate_lengthStarts [16.le.58]
41608510 2296 zinflate_distanceStarts [16.le.60]
4162c465 2417 MBC2 [32.le.248&]
4162d7a0 2418 MBC2 [32.be.248&]
41786600 639 CRC-32-IEEE 802.3 [crc32.0x04c11db7 lenorev int_min.1024]
41786600 650 CRC-32-IEEE 802.3 [crc32.0xedb88320 le rev 1.1024]
41786a70 3038 unlzx table_three [32.le.64]
41786a70 1605 Generic bitmask table [32.le.128]
41786a74 2588 bitmask [32.le.128]
41786ae4 3051 compression algorithm seen in the game DreamKiller [32.be.12&]
41786ae7 3050 compression algorithm seen in the game DreamKiller [32.le.12&]
41794780 1933 Vorbis FLOOR1_fromdB_LOOKUP [float.le.1024]
41796870 896 Rijndael Te0 (0xc66363a5U) [32.le.1024]
41796c70 898 Rijndael Te1 (0xa5c66363U) [32.le.1024]
41797070 900 Rijndael Te2 (0x63a5c663U) [32.le.1024]
41797470 902 Rijndael Te3 (0x6363a5c6U) [32.le.1024]
41797870 904 Rijndael Te4 (0x63636363U) [32.le.1024]
41797c70 905 Rijndael Td0 (0x51f4a750U) [32.le.1024]
41798070 907 Rijndael Td1 (0x5051f4a7U) [32.le.1024]
41798470 909 Rijndael Td2 (0xa75051f4U) [32.le.1024]
41798870 911 Rijndael Td3 (0xf4a75051U) [32.le.1024]
41798c70 913 Rijndael Td4 (0x52525252U) [32.le.1024]
41799070 914 Rijndael rcon [32.le.40]
4179a860 1087 Zlib length_code [..256]
4179a960 1086 Zlib dist_code [..512]
4179ab60 2294 zinflate_lengthExtraBits [32.le.116]
4179abdd 2304 zinflate_distanceExtraBits [32.be.120]
4179abe0 2303 zinflate_distanceExtraBits [32.le.120]
4179b1cd 1090 Zlib base_length [32.be.116]
4179b1d0 1089 Zlib base_length [32.le.116]
4179b250 1091 Zlib base_dist [32.le.120]
417a1068 3036 unlzx table_three [16.le.32]
4199cb4a 2545 anti-debug: IsDebuggerPresent [..17]
43ff08bb 1038 padding used in hashing algorithms (0x80 0 ... 0) [..64]
4456938f 1295 TEA encryption/decryption (0xc6ef3720 0x9e3779b9) [32.le.8&]
- 54 signatures found in the file in 93 seconds
I have no clue how to progress from here on out, any help please?
What would I pick, and also, if it is a Steam 64-bit game, what would be the best debugger to set that breakpoint?
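The two listings above are plain text in signsrch's `offset num description [bits.endian.size]` format, so they can be parsed and compared rather than read by eye. The following is an added example (not code from this thread, from signsrch or from quickbms) that parses that format, keeps the hits a ZIP/Deflate code path typically touches (the keyword list is an assumption), flags anti-debug signatures, and lists which descriptions differ between the original and the dumped run; the sample lines are a constructed subset copied from the two listings in the post.

```python
import re

# Constructed sample input: a few lines in signsrch's output format, copied from the post.
ORIGINAL_EXE = """\
offset   num  description [bits.endian.size]
--------------------------------------------
41606460 641  CRC-32-IEEE 802.3 [crc32.0x04c11db7 le rev int_min.1024]
4199cb4a 2545 anti-debug: IsDebuggerPresent [..17]
4456938f 1295 TEA encryption/decryption (0xc6ef3720 0x9e3779b9) [32.le.8&]
4298192a 917  SSH RSA id-sha1 OBJ.ID. oiw(14) secsig(3) algorithms(2) 26 [..15]
- 4 signatures found in the file in 9 seconds
"""
DUMPED_EXE = """\
offset   num  description [bits.endian.size]
--------------------------------------------
41606460 641  CRC-32-IEEE 802.3 [crc32.0x04c11db7 le rev int_min.1024]
40c37b93 876  SHA256 Initial hash value H (0x6a09e667UL) [32.le.32&]
4199cb4a 2545 anti-debug: IsDebuggerPresent [..17]
4456938f 1295 TEA encryption/decryption (0xc6ef3720 0x9e3779b9) [32.le.8&]
- 4 signatures found in the file in 93 seconds
"""

# offset (hex), signature number, free-text description, "[layout]" tail
LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+(\d+)\s+(.*?)\s+\[([^\]]*)\]\s*$")

def parse_signsrch(text):
    """Return (offset, num, description, layout) tuples; header and summary lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits.append((int(m[1], 16), int(m[2]), m[3], m[4]))
    return hits

# Assumed keyword list: tables a ZipCrypto/Deflate code path typically touches.
ZIP_KEYWORDS = ("zipcrypto", "crc-32", "zlib", "zinflate")

def pick_candidates(hits, keywords=ZIP_KEYWORDS):
    """Hits worth a breakpoint first when the target is a password-protected ZIP."""
    return [h for h in hits if any(k in h[2].lower() for k in keywords)]

def anti_debug_hits(hits):
    """Signatures that warn the debugger may be detected once attached."""
    return [h for h in hits if h[2].lower().startswith("anti-debug")]

def compare_runs(a, b):
    """Descriptions found only in run a and only in run b (e.g. original vs dumped)."""
    da, db = {h[2] for h in a}, {h[2] for h in b}
    return sorted(da - db), sorted(db - da)
```

Running the same functions over the full listings in the post narrows 55 hits to the CRC-32 and zlib/zinflate tables, and shows that the dumped build differs from the original only in a few entries such as the SHA256 initial state and the SSH RSA object identifier.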
-
- Posts: 11
- Joined: Sat May 04, 2019 4:25 am
Re: Retrieving ZIP passwords from games - the debugger way
Is it possible to do the reverse of this? For example, I know the password of the zip (I can see it in memory and have tested it). And find exactly where it is used in the program using a debugger? I assume you might be able to log every step from the debugger maybe (and then search for that string in the log), or is there another way? Any help is appreciated
-
- Posts: 74
- Joined: Wed Mar 06, 2019 12:53 pm
Re: Retrieving ZIP passwords from games - the debugger way
Hello, I tried this method to get the password from Nyxlauncher.exe from Rakion Chaos Force from Steam, but had no success. Is there any other way to get the password? I need to open the Rakion.xfs with the SoIFS Explorer, but it requires a password.
-
- Site Admin
- Posts: 12984
- Joined: Wed Jul 30, 2014 9:32 pm
Re: Retrieving ZIP passwords from games - the debugger way
@moonpaladin
How do you expect that a method meant for ZIP passwords would magically work on something totally different?
Please don't go off-topic.
-
- Posts: 14
- Joined: Sun Mar 22, 2015 10:23 am
Re: Retrieving ZIP passwords from games - the debugger way
the game
https://www.bigfishgames.com/games/1409 ... ahjong/?pc
what tools to use to get the password for data.zip?
signsrch finds 30 offsets
all stops at the found offsets lead to
ESI 0012F31C ASCII "%s%s%s%s%s%...
maybe someone has a password ready?
-
- Site Admin
- Posts: 12984
- Joined: Wed Jul 30, 2014 9:32 pm
Re: Retrieving ZIP passwords from games - the debugger way
@ufo77
Code:
A30e41CZcGEFDH^2
-
- Posts: 14
- Joined: Sun Mar 22, 2015 10:23 am
Re: Retrieving ZIP passwords from games - the debugger way
aluigi wrote:
@ufo77
Code:
A30e41CZcGEFDH^2
aluigi, thank you.
Could you write a detailed sequence of steps for finding a password?
Is it possible to make a video? I have little experience. There are similar games from this developer.