PKO online Pak password (火鳳三國)
-
- Posts: 32
- Joined: Fri Oct 17, 2014 4:56 pm
PKO online Pak password (火鳳三國)
I am trying to find the password of this game following Luigi's tutorial.
web: http://pko.91play.com.tw/
Here is my step by step walk-through:
1. run ollydbg.exe
2. run loader.exe
3. in cmd "signsrch -P loader.exe"
4. found the address where the crypto is handled, at 0x47fadd
5. in ollydbg debugger, attach loader.exe process
6. in cmd "quickbms -p -a 0x47fadd int3.bms process://loader.exe"
7. when it breaks, I can't find any ASCII string or anything similar?
PS: I am sure the package is a modified zip with a "UZ" signature.
CRC, csize and usize are removed from the 0304 block but they are in the 0708 block.
Filenames are simply XORed with 0xB2.
samples: http://www.mediafire.com/download/kvv47 ... O_Mini.rar
Help, please!
-
- Site Admin
- Posts: 12984
- Joined: Wed Jul 30, 2014 9:32 pm
Re: PKO online Pak password (火鳳三國)
Put the int3 breakpoint at address 0x47fafd and check the string pointed to by the EDX register.
-
- Posts: 32
- Joined: Fri Oct 17, 2014 4:56 pm
Re: PKO online Pak password (火鳳三國)
Sorry Luigi!
Now my ollydbg won't even break!?
Here is a video recording what I did. Please help again!
http://youtu.be/RjZdX56IYDQ
Thank you very much.
-
- Posts: 32
- Joined: Fri Oct 17, 2014 4:56 pm
Re: PKO online Pak password (火鳳三國)
Can anyone help to find the password, please!
-
- Site Admin
- Posts: 12984
- Joined: Wed Jul 30, 2014 9:32 pm
Re: PKO online Pak password (火鳳三國)
In the first post you said that olly breaks at the first address (0x47fadd instead of 0x47fafd), are you sure?
You can set breakpoints also from olly.
-
- Posts: 1383
- Joined: Sat Aug 09, 2014 2:34 pm
Re: PKO online Pak password (火鳳三國)
The breakpoint fails because this part of the code has already passed by the time you attach.
1) Run Olly
2) Open Loader.exe
3) Go to offset 0x47fadd (CTRL+G)
4) Set breakpoint (F3)
5) Run target (F9)
6) Wait until olly stops on the breakpoint
-
- Posts: 32
- Joined: Fri Oct 17, 2014 4:56 pm
Re: PKO online Pak password (火鳳三國)
Thanks Luigi and Ekey.
I am a n00b!
I tried it from the first post again, and it does not break either!
I must have been doing something wrong the first time! Sorry.
But that time I got something like this: 0368F250 029F5D18 ASCII "hTemp/exe/game/cpkl\"
but the password is not right.
So where do I start now?
Thank you for reading.
-
- Site Admin
- Posts: 12984
- Joined: Wed Jul 30, 2014 9:32 pm
Re: PKO online Pak password (火鳳三國)
Have you tried to run the game?
That one is just a loader that should have no reason to read the content of the files, just patching them.
-
- Posts: 32
- Joined: Fri Oct 17, 2014 4:56 pm
Re: PKO online Pak password (火鳳三國)
Today I am trying to run the game and find the pw.
I run loader.exe, wait for the update to complete, and it goes into the game.
From task manager, I found the process is pko.exe.
run "signsrch -P pko.exe" and get the address 0xb6a62d of the function where the Zipcrypto password is handled
run ollydbg and attach pko.exe. press ctrl-G and go to offset 0xb6a62d. press F2 to set a breakpoint
now ollydbg keeps breaking at that point and only "d!" is shown.
I tested the pw as "d!" and it is wrong!?
please help!
Client can be downloaded from here: http://download.pko.91play.com.tw/91pla ... 150112.zip
-
- Site Admin
- Posts: 12984
- Joined: Wed Jul 30, 2014 9:32 pm
Re: PKO online Pak password (火鳳三國)
You are very close to the solution.
Now press F8 various times and the debugger will step to the next instructions.
After the address 0x0b6a64a take a look at the EDX register because the password should be there.
-
- Posts: 32
- Joined: Fri Oct 17, 2014 4:56 pm
Re: PKO online Pak password (火鳳三國)
Sorry for being a n00b, I still can't find the password!
After the address 0x0b6a64a, the EDX value changed.
It shows 0x04a22828. But no ASCII?
-
- Site Admin
- Posts: 12984
- Joined: Wed Jul 30, 2014 9:32 pm
Re: PKO online Pak password (火鳳三國)
Ok, right-click on EDX and select "Follow in Dump".
The data pointed to by the register will be visible in the Dump window (the bottom-left one).
-
- Posts: 32
- Joined: Fri Oct 17, 2014 4:56 pm
Re: PKO online Pak password (火鳳三國)
Still no luck to get the password!?
I can only see the filename in ASCII.
Here is what I did!
http://youtu.be/ln5pz_aqS-A
-
- Site Admin
- Posts: 12984
- Joined: Wed Jul 30, 2014 9:32 pm
Re: PKO online Pak password (火鳳三國)
The password is the one you see in the Dump window: "\x26\x3a\x4a\x52\x56\x52\x4a\x05\x5e\xaa\xba\x26\xe0\x24"
You can test it in quickbms using the following code:
Code:
get SIZE asize
encryption zipcrypto "\x26\x3a\x4a\x52\x56\x52\x4a\x05\x5e\xaa\xba\x26\xe0\x24"
log dump0.dat 0 SIZE
encryption zipcrypto "\x26\x3a\x4a\x52\x56\x52\x4a\x05\x5e\xaa\xba\x26\xe0\x24" 1
log dump1.dat 0 SIZE
Open the results with a hex editor and run offzip on them to check if they have been correctly decrypted.
It's not the first time that a game uses a non-textual key (like Virtual RC Racing).
In my opinion it probably uses a different key for each archived file, probably generated at runtime or it's a field of the archive.
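Traditional PKWARE ZipCrypto, the cipher behind quickbms's "encryption zipcrypto" command, seeds its three key registers from raw key bytes, so a non-textual key like the 14 bytes above is handled exactly like a typed password. The following is an added example, not code from this thread or from quickbms: it implements the algorithm with that key, encrypts a constructed sample entry, and then verifies the check byte of the 12-byte encryption header, the same test an extractor applies before it rejects a wrong key. The names encrypt_entry, decrypt_entry and salt are this example's own.

```python
import zlib

# The 14-byte non-textual key reported in the thread above.
PKO_KEY = b"\x26\x3a\x4a\x52\x56\x52\x4a\x05\x5e\xaa\xba\x26\xe0\x24"


def _crc32_byte(crc: int, b: int) -> int:
    # ZipCrypto's crc_32_tab[(crc ^ b) & 0xff] ^ (crc >> 8), recovered from
    # zlib.crc32 by undoing the pre/post inversion zlib applies.
    return ~zlib.crc32(bytes([b]), ~crc & 0xFFFFFFFF) & 0xFFFFFFFF


class ZipCrypto:
    # Traditional PKWARE encryption (APPNOTE 6.1): three 32-bit keys seeded
    # from the raw key bytes, printable or not.
    def __init__(self, key: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in key:
            self._update(b)

    def _update(self, b: int) -> None:
        self.k0 = _crc32_byte(self.k0, b)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_byte(self.k2, self.k1 >> 24)

    def _stream_byte(self) -> int:
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def run(self, data: bytes, decrypt: bool) -> bytes:
        out = bytearray()
        for c in data:
            t = self._stream_byte()          # keystream byte for this position
            p = c ^ t if decrypt else c      # the plaintext byte
            out.append(p if decrypt else p ^ t)
            self._update(p)                  # state advances on plaintext only
        return bytes(out)


def encrypt_entry(key: bytes, plaintext: bytes, salt: bytes) -> bytes:
    # Entry body: 12-byte header whose last byte is the high byte of the CRC-32
    # (with flag bit 3 set, as the 0708 descriptors in the thread imply, real
    # writers use the mod-time high byte instead), followed by the data.
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    header = salt[:11].ljust(11, b"\0") + bytes([crc >> 24])
    return ZipCrypto(key).run(header + plaintext, decrypt=False)


def decrypt_entry(key: bytes, body: bytes):
    # Plaintext, or None when the check byte disagrees (wrong key); this is
    # the same test an extractor runs before it would even try to inflate.
    dec = ZipCrypto(key).run(body, decrypt=True)
    if len(dec) < 12 or dec[11] != (zlib.crc32(dec[12:]) & 0xFFFFFFFF) >> 24:
        return None
    return dec[12:]
```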