Retrieving ZIP passwords from games - the debugger way

aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Retrieving ZIP passwords from games - the debugger way

Post by aluigi »

In the other thread we have seen the easiest method to get the password from the ZIP archives used by various games.

The following method is instead a bit more advanced and can be used not only for ZIP archives but also for other types of passwords, like those used for encryption algorithms such as AES and Blowfish.
Like all my tutorials, I will try to make everything as easy as I can.

Tools:
Signsrch http://aluigi.org/mytoolz.htm#signsrch
Ollydbg or Windbg or any other debugger
http://ollydbg.de/
http://www.microsoft.com/click/services ... =300135395

Optional tools:
QuickBMS http://quickbms.aluigi.org


The example game for this tutorial is Mini Robot Wars:
http://www.bigfishgames.com/download-ga ... index.html



First step - check the files in the folder of the game and start it.
Image


Start signsrch on the process of the game, in this case mrw.exe, but you can also specify the PID in case of conflicts.
If the game runs on two processes, you must specify the PID of the second one.
Image


Output of signsrch:
Image


Attach a debugger to the game; the following example uses Windbg.
Windbg is faster than Ollydbg and more compatible with "some" games, but it's not as easy to use as Ollydbg and other visual debuggers.
Image


Now it's necessary to put a breakpoint or find another way to interrupt the debugger when the zipcrypto function is called.
The simplest way obviously is going with the debugger to the beginning of the instruction pointed to by the offset shown by signsrch.

But if you want something easier you can use the following script for quickbms:

Code:

# Go back 3 bytes from the address passed with -a (quickbms_arg1) and
# overwrite 5 bytes with 0xCC (int3), so the debugger stops there.
math quickbms_arg1 -= 3
goto quickbms_arg1
for i = 0 < 5
    put 0xcc byte
next i

With the following command:

Code:

quickbms -p -a 0x40426e int3.bms process://mrw.exe

*edit* Type the command "g" in Windbg to continue the execution of the game.


The following is an example of that command with Ollydbg in the background:
Image


*edit* Press F9 or click on the PLAY-like button > of Ollydbg to continue the execution of the game.

Now play the game and wait for the debugger.
Ollydbg:
Image
Windbg:
Image


It's quite easy and doesn't need much knowledge of debugging, especially if you use Ollydbg, where you must do absolutely nothing.

I don't know if easier ways to explain this exist, but if you know one... tell me :)
Ekey
Posts: 1383
Joined: Sat Aug 09, 2014 2:34 pm

Re: Retrieving ZIP passwords from games - the debugger way

Post by Ekey »

My method >

1) Load target in Olly
2) Right Click -> Search for -> All Constant
3) In Hexadecimal enter -> 012345678 -> Push Ok
4) Set Breakpoint on found constant
5) Run target and you can see password in FPU Registers

:)
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Retrieving ZIP passwords from games - the debugger way

Post by aluigi »

I forgot to add a tip: if the password is not immediately visible in the registers and in the stack, go step-by-step through the next instructions till you see something like "MOV *, BYTE PTR [*]".
You can do that with F8 in Ollydbg or F10 in Windbg.
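The three posts above (the signsrch hit on the zipcrypto function, Ekey's search for the constant 0x12345678, and the tip about stepping until a "MOV *, BYTE PTR [*]" instruction) all rest on the same piece of the ZIP format: the traditional PKWARE "zipcrypto" key schedule from APPNOTE.TXT section 6.1. The following is an added example, not code from this thread, signsrch, Ollydbg or QuickBMS. It writes that schedule out in Python so the reader can see why those three constants are present in any binary that embeds zipcrypto, and why the password is consumed one byte at a time (each byte goes through update_keys() in order). The password b"secret" used in the demo is a constructed sample, not one from the thread.

```python
"""Traditional PKWARE zipcrypto key schedule (APPNOTE.TXT section 6.1).

Added example; not code from this thread, signsrch, Ollydbg or QuickBMS.
"""
import zlib

# The three fixed initial keys. Any binary that embeds a traditional zipcrypto
# implementation carries these literals, which is what a constant search finds.
ZIPCRYPTO_INIT_KEYS = (0x12345678, 0x23456789, 0x34567890)


def _make_crc_table():
    """Standard CRC-32 table (reflected polynomial 0xEDB88320)."""
    table = []
    for i in range(256):
        crc = i
        for _ in range(8):
            crc = (crc >> 1) ^ 0xEDB88320 if crc & 1 else crc >> 1
        table.append(crc)
    return table


CRC_TABLE = _make_crc_table()


def crc32_byte(crc, byte):
    """One CRC-32 table step on a single byte, exactly as the zipcrypto spec uses it."""
    return CRC_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)


def crc32_matches_zlib(data):
    """Self-check: the per-byte step above agrees with zlib.crc32 over `data`."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = crc32_byte(crc, b)
    return (crc ^ 0xFFFFFFFF) == zlib.crc32(data)


def update_keys(keys, byte):
    """Mix one password (or plaintext) byte into the three 32-bit keys."""
    k0, k1, k2 = keys
    k0 = crc32_byte(k0, byte)
    k1 = (k1 + (k0 & 0xFF)) & 0xFFFFFFFF
    k1 = (k1 * 134775813 + 1) & 0xFFFFFFFF
    k2 = crc32_byte(k2, k1 >> 24)
    return (k0, k1, k2)


def key_trace(password):
    """Key state before any byte and after each password byte, in order.

    Entry i is what the three key registers hold once the first i password
    bytes have been consumed: the sequence you watch while single-stepping
    past the breakpoint on the zipcrypto function.
    """
    trace = [ZIPCRYPTO_INIT_KEYS]
    for b in password:
        trace.append(update_keys(trace[-1], b))
    return trace


def init_keys(password):
    """Final key state for `password` (what is then used on the 12-byte header)."""
    return key_trace(password)[-1]


if __name__ == "__main__":
    # Constructed sample password, not one from the thread.
    for i, keys in enumerate(key_trace(b"secret")):
        print(f"after {i} byte(s): " + " ".join(f"{k:08x}" for k in keys))
```

Because the first step of the trace depends only on the first password byte, two passwords sharing a prefix produce identical key states until they diverge; that is the property that makes the byte-by-byte view in the debugger so readable.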
devilkkw
Posts: 14
Joined: Mon Oct 13, 2014 10:58 am

Re: Retrieving ZIP passwords from games - the debugger way

Post by devilkkw »

Is it valid for self-extracting ZIPs?
On my try, I found only the password I've input.
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Retrieving ZIP passwords from games - the debugger way

Post by aluigi »

If the self-extracting executable contains the password (and so you are not prompted to insert it), obviously you can get it.
devilkkw
Posts: 14
Joined: Mon Oct 13, 2014 10:58 am

Re: Retrieving ZIP passwords from games - the debugger way

Post by devilkkw »

Thank you.
And if it asks for a password? No way?
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Retrieving ZIP passwords from games - the debugger way

Post by aluigi »

In that case you have to crack it with specific software. Anyway this is OT so don't ask about this stuff in this thread.
devilkkw
Posts: 14
Joined: Mon Oct 13, 2014 10:58 am

Re: Retrieving ZIP passwords from games - the debugger way

Post by devilkkw »

Sorry for the OT and many thanks for the answer.
Indeed, you speak about Ollydbg; in this tutorial you retrieve the password for a 32-bit application, but what is your suggestion for 64-bit applications? Because we are still waiting for olly64 :(
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Retrieving ZIP passwords from games - the debugger way

Post by aluigi »

Windbg and other 64-bit debuggers work perfectly.

Considering that, currently, there is almost always a 32-bit version of a software/game and 64-bit-only games are still rare (only the big games based on big engines, Cry and Unreal), the lack of a 64-bit version of Olly is not a problem.
I agree that this situation will change in the future, but the big engines used for 64-bit-only games don't use ZIP archives.
devilkkw
Posts: 14
Joined: Mon Oct 13, 2014 10:58 am

Re: Retrieving ZIP passwords from games - the debugger way

Post by devilkkw »

Nice clarification.
Thank you more :)
eriger777
Posts: 13
Joined: Thu May 14, 2015 8:09 pm

Re: Retrieving ZIP passwords from games - the debugger way

Post by eriger777 »

What if signsrch doesn't show the password encryption address? It's a .pkg file; you can view the contents, but when you try to extract it asks for a password.
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Retrieving ZIP passwords from games - the debugger way

Post by aluigi »

@eriger777
What game?
eriger777
Posts: 13
Joined: Thu May 14, 2015 8:09 pm

Re: Retrieving ZIP passwords from games - the debugger way

Post by eriger777 »

aluigi wrote:@eriger777
What game?


Black Prophecy. I can provide sample files if needed. The game isn't around anymore; http://www.gamershell.com/download_70492.shtml is the download. The files are in I:\Program Files (x86)\Gamigo\Black Prophecy Client\GFX
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Retrieving ZIP passwords from games - the debugger way

Post by aluigi »

One of the first results on Google:
http://www.ownedcore.com/forums/mmo/gen ... -help.html

Download zip.bms, open it with a text editor and use the following at line 25:

Code:

set ZIP_PASSWORD binary "\xB7\x27\x4A\x3B\xCB\xDD\x4B\xD8\xB4\xCD\x8D\xD8\x2D\x8F\x00\xDB"

and at line 84 use this:

Code:

encryption zipcrypto ZIP_PASSWORD 1 0 16
eriger777
Posts: 13
Joined: Thu May 14, 2015 8:09 pm

Re: Retrieving ZIP passwords from games - the debugger way

Post by eriger777 »

aluigi wrote:One of the first results on Google:
http://www.ownedcore.com/forums/mmo/gen ... -help.html

Download zip.bms, open it with a text editor and use the following at line 25:

Code:

set ZIP_PASSWORD binary "\xB7\x27\x4A\x3B\xCB\xDD\x4B\xD8\xB4\xCD\x8D\xD8\x2D\x8F\x00\xDB"

and at line 84 use this:

Code:

encryption zipcrypto ZIP_PASSWORD 1 0 16


This is what I get.

Image
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Retrieving ZIP passwords from games - the debugger way

Post by aluigi »

Unfortunately the script doesn't support the AES encryption so I guess you have to use other solutions.
eriger777
Posts: 13
Joined: Thu May 14, 2015 8:09 pm

Re: Retrieving ZIP passwords from games - the debugger way

Post by eriger777 »

aluigi wrote:Unfortunately the script doesn't support the AES encryption so I guess you have to use other solutions.


And how would I go about doing that?
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Retrieving ZIP passwords from games - the debugger way

Post by aluigi »

I don't know if there are libraries that allow using passwords containing NULL bytes; minizip wants a string.
I may even suspect that the password provided in that forum is in reality directly the AES encryption key, but probably I'm wrong.

In the next version of quickbms I will add support for the function used to derive the key from the ZIP password and salt, to be able to use the AES encryption in zip.bms.
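The derivation step mentioned in the reply above is specified by WinZip for its AE-1/AE-2 entries: PBKDF2-HMAC-SHA1 with 1000 iterations over the password and the per-entry salt, producing the AES key, the HMAC-SHA1 key and a 2-byte password verifier. The following is an added example, not code from QuickBMS or zip.bms. It works on the password as bytes, so the 0x00 byte inside the 16-byte value quoted earlier in this thread (reused here as the sample password) is preserved, and it makes the minizip problem visible: the same password passed through a C string is cut at the first NUL and derives entirely different keys. The salt is a constructed sample; in a real entry it is read from the start of the entry's data.

```python
"""WinZip AES (AE-1/AE-2) key derivation from a ZIP password and salt.

Added example; not code from QuickBMS or zip.bms.
"""
import hashlib

PBKDF2_ITERATIONS = 1000

# AES strength byte from the AE-x extra field -> (salt length, key length).
STRENGTH = {1: (8, 16), 2: (12, 24), 3: (16, 32)}

# Password quoted in this thread for the Black Prophecy .pkg files.
# Note the 0x00 byte at offset 14.
THREAD_PASSWORD = b"\xB7\x27\x4A\x3B\xCB\xDD\x4B\xD8\xB4\xCD\x8D\xD8\x2D\x8F\x00\xDB"

# Constructed sample salt for AES-256 (16 bytes); a real one comes from the entry.
SAMPLE_SALT_256 = bytes(range(16))


def derive_keys(password, salt, strength):
    """Return (aes_key, hmac_key, verifier) for a WinZip AE-x entry."""
    salt_len, key_len = STRENGTH[strength]
    if len(salt) != salt_len:
        raise ValueError(f"strength {strength} needs a {salt_len}-byte salt")
    # Key material layout: AES key | HMAC-SHA1 key | 2-byte password verifier.
    material = hashlib.pbkdf2_hmac("sha1", password, salt,
                                   PBKDF2_ITERATIONS, 2 * key_len + 2)
    return (material[:key_len],
            material[key_len:2 * key_len],
            material[2 * key_len:])


def verifier_matches(password, salt, strength, stored_verifier):
    """The cheap pre-check done before decrypting: compare the 2-byte verifier."""
    return derive_keys(password, salt, strength)[2] == stored_verifier


def as_c_string(password):
    """What a char*-based API actually sees: everything up to the first NUL."""
    return password.split(b"\x00", 1)[0]


def nul_truncation_changes_keys(password, salt, strength):
    """True when passing the password as a C string would derive different keys."""
    full = derive_keys(password, salt, strength)[0]
    truncated = derive_keys(as_c_string(password), salt, strength)[0]
    return full != truncated


if __name__ == "__main__":
    aes_key, hmac_key, verifier = derive_keys(THREAD_PASSWORD, SAMPLE_SALT_256, 3)
    print("AES-256 key :", aes_key.hex())
    print("HMAC key    :", hmac_key.hex())
    print("verifier    :", verifier.hex())
    print("C-string truncation changes the key:",
          nul_truncation_changes_keys(THREAD_PASSWORD, SAMPLE_SALT_256, 3))
```

Any tool that implements this derivation needs a length-delimited password argument rather than a NUL-terminated one; that is the whole difference between "the script doesn't support it" and a working AES extraction in this thread.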
eriger777
Posts: 13
Joined: Thu May 14, 2015 8:09 pm

Re: Retrieving ZIP passwords from games - the debugger way

Post by eriger777 »

Hey! Did you ever add that option to quickbms?
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Retrieving ZIP passwords from games - the debugger way

Post by aluigi »

Sure, zip.bms has already implemented AES passwords for many months.