EXETOOLS FORUM  

Go Back   EXETOOLS FORUM > General > Source Code

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 03-29-2016, 03:00
n00b n00b is offline
Friend
 
Join Date: Mar 2009
Posts: 41
Rept. Given: 18
Rept. Rcvd 25 Times in 14 Posts
Thanks Given: 8
Thanks Rcvd at 42 Times in 10 Posts
n00b Reputation: 25
[C#] EADRM Encryptions & Few notes...

Well, first off - there are 2 major "encryptions" used in EADRM;
.PAR - the parameter file which contains the parameters the DRM itself reads, and uses together with the cipher-key found in the .DLF (the decryption information key file)...

.PAR is "encrypted" with a simple Xor encryption w/key:

Code:
        private static byte[] Xor(byte[] orgBytes, byte[] keyBytes)
        {
            for (var i = 0; i < orgBytes.Length; i++)
            {
                orgBytes[i] = (byte)(orgBytes[i] ^ keyBytes[i % keyBytes.Length]);
            }
            return orgBytes;
        }
Key is static and ALWAYS: q@pO3o#5jNA6$sjP3qwe1


.DLF is encrypted (yes, really encrypted) with AES-CBC w/zero padded IV:
(also static Key by the way...)

Code:
        private static string AesDecrypt(this byte[] cryptText)
        {
            using (var aes = new RijndaelManaged
            {
                BlockSize = 128,
                KeySize = 128,
                Padding = PaddingMode.Zeros,
                Mode = CipherMode.CBC,
                Key = new byte[] { 0x41, 0x32, 0x72, 0x2D, 0xD0, 0x82, 0xEF, 0xB0, 0xDC, 0x64, 0x57, 0xC5, 0x76, 0x68, 0xCA, 0x09 },
                IV = new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
            })
            {
                var decryptor = aes.CreateDecryptor();
                var encrypted = cryptText;
                var planeText = new byte[encrypted.Length];
                using (var memoryStream = new MemoryStream(encrypted))
                {
                    using (var cryptStream = new CryptoStream(memoryStream, decryptor, CryptoStreamMode.Read))
                    {
                        cryptStream.Read(planeText, 0, planeText.Length);
                        return Encoding.ASCII.GetString(planeText).CleanInput();
                    }
                }
            }
        }
NOTES:

During my research towards making an unpacker for EADRM/OriginStub (without the need to patch any API's), I also discovered that there is currently 3 variations of the DRM/Stub:

Quote:
V1 OriginStub/EADRM:
--------------------
Signature: IREW
Special : Encrypted Code
Visible : OEP & IAT

V2 OriginStub/EADRM:
--------------------
Signature: AE64/XE34
Special : Encrypted Code + Fake .NET entrypoint + Calls Directly to Activation.dll
Also exists on 64bit compiled games!
Visible : OEP & IAT

V3 OriginStub/EADRM:
--------------------
Signature: Code is found inside .ooa section
Special : This variant is mostly used in combination with Denuvo!
Also, most Denuvo games are 64bit compiled!
Visible : Nothing

Oh, and no tools will be given for this - just enjoy these few findings and write your own tools

Last edited by n00b; 04-01-2016 at 03:52. Reason: Seems Command & Conquer has a slight different V2...
Reply With Quote
The Following User Gave Reputation+1 to n00b For This Useful Post:
niculaita (03-29-2016)
The Following 6 Users Say Thank You to n00b For This Useful Post:
chessgod101 (03-29-2016), e0qs (05-22-2016), gsaralji (12-10-2016), Seth333 (06-02-2016), tonyweb (12-17-2016), zeytunak (03-31-2016)
  #2  
Old 12-09-2016, 00:16
evlncrn8 evlncrn8 is offline
VIP
 
Join Date: Sep 2005
Posts: 139
Rept. Given: 26
Rept. Rcvd 53 Times in 23 Posts
Thanks Given: 20
Thanks Rcvd at 29 Times in 17 Posts
evlncrn8 Reputation: 53
.ooa section is just origin, no denuvo implied and are you just assuming .net entrypoint cos of the ff 25 jmp to activation.dll (its not .net at all)
Reply With Quote
The Following User Says Thank You to evlncrn8 For This Useful Post:
tonyweb (12-17-2016)
  #3  
Old 12-17-2016, 17:59
n00b n00b is offline
Friend
 
Join Date: Mar 2009
Posts: 41
Rept. Given: 18
Rept. Rcvd 25 Times in 14 Posts
Thanks Given: 8
Thanks Rcvd at 42 Times in 10 Posts
n00b Reputation: 25
Quote:
Originally Posted by evlncrn8 View Post
.ooa section is just origin, no denuvo implied and are you just assuming .net entrypoint cos of the ff 25 jmp to activation.dll (its not .net at all)
Thats because I haven't analyzed that many newer EA targets - however, my research still stands and is accurate except for that last variation which may or may not be in combination of Denuvo protected games. However, the 0xFF25 EP, is standard EP for almost all .NET compiled assemblies - thus, it -may- resemble the .NET PE EP...
As I also said earlier, I don't claim its actually .NET assembly at all
Reply With Quote
The Following User Says Thank You to n00b For This Useful Post:
tonyweb (12-17-2016)
  #4  
Old 12-17-2016, 20:54
evlncrn8 evlncrn8 is offline
VIP
 
Join Date: Sep 2005
Posts: 139
Rept. Given: 26
Rept. Rcvd 53 Times in 23 Posts
Thanks Given: 20
Thanks Rcvd at 29 Times in 17 Posts
evlncrn8 Reputation: 53
the funny thing too is that the actual license check boils down to a strcmp call (it was a real strcmp api call in the initial versions, which then became inline over the times, and i think the latest is a qt one.. same concept though), so with any valid license from any machine, patching the compare to return 0 (for success) works and has done for every single version of ea access ... amazing how all that digital signing, checking etc all boils down to one string compare heh.. slow clap @ ea, course denuvo (and securom) also have this license check in their code too so that needs found and smacked as well but for ea access, its a piece of piss
Reply With Quote
  #5  
Old 12-18-2016, 14:11
n00b n00b is offline
Friend
 
Join Date: Mar 2009
Posts: 41
Rept. Given: 18
Rept. Rcvd 25 Times in 14 Posts
Thanks Given: 8
Thanks Rcvd at 42 Times in 10 Posts
n00b Reputation: 25
Thats true, but doing a simple patch is always too easy - and thus, not that fun (can be said with most protections really, if you really dig deep enough)... Take for example the infamous Armadillo, they had an amazing protection against cracking - but since they solely relied on big crypto, it had to fail badly anyways; because it all boils down to one single compare in the end no matter what anyone thinks...
Its actually true, you can dig deep enough in absolutely every protection scheme that exists - and in the very end (most developers doesn't even realize this either, thats the worst part) you will find that tiny little compare function one way or another which more or less controls wether your key/serial/whatever is valid or not - its a simple fact of today's computing technology really...

If our current computer technology had been based upon quantum tech already, we would have been seeing TRUE protection schemes that actually has lots tricks to stop us - but we won't see that in our current tech, cuz one bit/byte cannot and never will be able to reflect two different states at the same time
Thus, the very end will always rely on 1 single fucking compare - and yes, this doesn't matter if it has 1 billion layers above to "protect" that 1 little compare :P
Reply With Quote
The Following 2 Users Say Thank You to n00b For This Useful Post:
evlncrn8 (12-18-2016), Hypnz (12-18-2016)
  #6  
Old 02-19-2017, 01:45
n00b n00b is offline
Friend
 
Join Date: Mar 2009
Posts: 41
Rept. Given: 18
Rept. Rcvd 25 Times in 14 Posts
Thanks Given: 8
Thanks Rcvd at 42 Times in 10 Posts
n00b Reputation: 25
Some code that may aid you in creating an actual unpacker or unwrapper:

Yes, this is actual working sources (only partial!!) - and I've chosen to release this publically since EADRM/OriginDRM is more or less dead nowadays anyways...

(The code is crude, and not optimized at all!)

Code:
    /// 
    /// Struct for OEP & IAT + Version of OriginStub + Par file...
    /// 
    public struct OriginParameters
    {
        public OriginVersion VersionDetected;
        public OepIatSet OEPnIAT;
        public string ParamFileString;
    }

    /// 
    /// Struct for .par file...
    /// 
    public struct Parameters
    {
        public string ContentId;

        public string InstalledDistro;

        public string SupportedDistros;
    }

    /// 
    /// Struct for Version of OriginStub...
    /// 
    public enum OriginVersion
    {
        Error = -1,
        V1 = 0, //IREW
        V2 = 1  //AE64
    }

    /// 
    /// Struct for OEP & IAT...
    /// 
    public struct OepIatSet
    {
        public string OEP;
        public string IAT;
    }

    /// 
    /// Struct for OEP & IAT + Version of OriginStub + Par file...
    /// 
    public struct OriginParameters
    {
        public OriginVersion VersionDetected;
        public OepIatSet OEPnIAT;
        public string ParamFileString;
    }

        internal static OriginVersion DetectOriginVersion()
        {
            Debug.WriteLine(DateTime.Now.ToShortTimeString() + " clsDetections::DetectOriginVersion]");
            var sOldBytes = Encoding.ASCII.GetBytes("IREW");
            var sNewBytes = Encoding.ASCII.GetBytes("AE64");
            sFileBytes = File.ReadAllBytes(szFileName);

            var fSearch1 = SearchBytes(sFileBytes, sOldBytes, 0L);
            if (fSearch1 == -1)
            {
                fSearch1 = SearchBytes(sFileBytes, sNewBytes, 0L);
                if (fSearch1 == -1)
                {
                    Debug.WriteLine(DateTime.Now.ToShortTimeString() + " clsDetections::DetectOriginVersion] Returned: " + OriginVersion.Error);
                    return OriginVersion.Error;
                }
                else
                {
                    sAddr = fSearch1;
                    Debug.WriteLine(DateTime.Now.ToShortTimeString() + " clsDetections::DetectOriginVersion] Returned: " + OriginVersion.V2);
                    return OriginVersion.V2;
                }
            }
            sAddr = fSearch1;
            Debug.WriteLine(DateTime.Now.ToShortTimeString() + " clsDetections::DetectOriginVersion] Returned: " + OriginVersion.V1);
            return OriginVersion.V1;
        }

        internal static OriginParameters LoadExePar()
        {
            Debug.WriteLine(DateTime.Now.ToShortTimeString() + " clsAnalyse::LoadExePar]");
            var myParams = new OriginParameters();
            var myOepIat = new OepIatSet();

            myParams.VersionDetected = clsDetections.DetectOriginVersion();
            var outOEP = "";
            var outIAT = "";
            clsDetections.GrabOEPnIAT(out outOEP, out outIAT);
            myOepIat.IAT = outIAT;
            myOepIat.OEP = outOEP;
            myParams.OEPnIAT = myOepIat;
            myParams.ParamFileString = clsDetections.GetParFile();

            myParameters = clsDetections.ReadParameters(myParams.ParamFileString);
            myPrvt = myParams;

            return myParams;
        }

        public static bool PatchChecks()
        {
            Debug.WriteLine(DateTime.Now.ToShortTimeString() + " clsAnalyse::PatchChecks]");
            //var parCrcCheckBytes = "56 57 E8 ?? ?? ?? ?? 83 C4 08 39 ?? ??"; //Generic to both EXE & DLL
            //var requiredToPlayV1Bytes = "83 C4 08 85 C0 0F 94 C3"; //Generic to both EXE & DLL
            //var actExe = DetectEACoreExe();
            //var actDll = DetectEACoreDll();
            //var mFileBytesExe = new byte[1];
            //var mFileBytesDll = new byte[1];
            clsXor.xorList = clsXor.CreateNewCheckSumTable();

            var xorKey = Encoding.ASCII.GetBytes("q@pO3o#5jNA6$sjP3qwe1");
            var szParFileName = clsDetections.DetectParFile();

            if (szParFileName != String.Empty)
            {
                var parFileBytes = File.ReadAllBytes(szParFileName);
                var bytes4 = new byte[4];
                Array.Copy(parFileBytes, 0, bytes4, 0, 4);
                if (clsDetections.FirstBytes(bytes4, xorKey))
                {
                    //OLD NO CRC
                    bwWorker.ReportProgress(0, "[PatchChecks] Returned: PATCHED_PAR_FILE_COMPLETED");
                    File.WriteAllBytes(szParFileName, AddNoOrigin(Encoding.ASCII.GetString(clsXor.Xor(parFileBytes, xorKey)), false));
                    return true;
                }
                else
                {
                    Array.Copy(parFileBytes, 4, bytes4, 0, 4);
                    if (clsDetections.FirstBytes(bytes4, xorKey))
                    {
                        //CRC
                        var parFileBytes2 = new byte[parFileBytes.Length - 4];
                        Array.Copy(parFileBytes, 4, parFileBytes2, 0, parFileBytes2.Length);

                        bwWorker.ReportProgress(0, "[PatchChecks] Returned: PATCHED_PAR_FILE_COMPLETED_CRC_VER");
                        File.WriteAllBytes(szParFileName, AddNoOrigin(Encoding.ASCII.GetString(clsXor.Xor(parFileBytes, xorKey)), true));
                        return true;
                    }
                    else
                    {
                        bwWorker.ReportProgress(0, "[PatchChecks] Returned: FAILED_TO_FIND_XOR_CRC");
                        return false;
                    }
                }
            }
            else
            {
                bwWorker.ReportProgress(0, "[PatchChecks] Returned: FAILED_TO_FIND_PARAMETER_FILE");
                return false;
            }


            //var patchOffsets = new EACorePatch
            //{
            //    crcOffset = -1,
            //    reqToPlayOffset = -1,
            //    szActivationFName = String.Empty
            //};

            //if (actExe != String.Empty) mFileBytesExe = File.ReadAllBytes(actExe);
            //else
            //{
            //    bwWorker.ReportProgress(0, "[PatchChecks] Returned: FAILED_TO_READ_EXE_FILE");
            //    return false;
            //}
            //if (actDll != String.Empty) mFileBytesDll = File.ReadAllBytes(actDll);
            //else
            //{
            //    bwWorker.ReportProgress(0, "[PatchChecks] Returned: FAILED_TO_READ_DLL_FILE");
            //    return false;
            //}

            //long fOffset = 0;

            //if (Pattern.Find(mFileBytesExe, Pattern.Transform(parCrcCheckBytes), out fOffset))
            //{
            //    for (int i = 0; i < 20; i++)
            //    {
            //        if (mFileBytesExe[fOffset + Pattern.Transform(parCrcCheckBytes).Length + i] == 0x74)
            //        {
            //            bwWorker.ReportProgress(0, "[PatchChecks] Returned: CRC_JE_FOUND_EXE");
            //            patchOffsets.crcOffset = fOffset + Pattern.Transform(parCrcCheckBytes).Length + i;
            //        }
            //    }

            //    if (Pattern.Find(mFileBytesExe, Pattern.Transform(requiredToPlayV1Bytes), out fOffset))
            //    {
            //        for (int i = 0; i < 20; i++)
            //        {
            //            if (mFileBytesExe[fOffset + Pattern.Transform(requiredToPlayV1Bytes).Length + i] == 0x72)
            //            {
            //                bwWorker.ReportProgress(0, "[PatchChecks] Returned: REQUIRETOPLAYV1_JB_FOUND_EXE");
            //                patchOffsets.reqToPlayOffset = fOffset + Pattern.Transform(requiredToPlayV1Bytes).Length + i;
            //                patchOffsets.szActivationFName = actExe;
            //                return PatchActivation(patchOffsets, bwWorker);
            //            }
            //        }
            //    }
            //}
            //else if (Pattern.Find(mFileBytesDll, Pattern.Transform(parCrcCheckBytes), out fOffset))
            //{
            //    for (int i = 0; i < 20; i++)
            //    {
            //        if (mFileBytesDll[fOffset + Pattern.Transform(parCrcCheckBytes).Length + i] == 0x74)
            //        {
            //            bwWorker.ReportProgress(0, "[PatchChecks] Returned: CRC_JE_FOUND_DLL");
            //            patchOffsets.crcOffset = fOffset + Pattern.Transform(parCrcCheckBytes).Length + i;
            //        }
            //    }

            //    if (Pattern.Find(mFileBytesDll, Pattern.Transform(requiredToPlayV1Bytes), out fOffset))
            //    {
            //        for (int i = 0; i < 20; i++)
            //        {
            //            if (mFileBytesDll[fOffset + Pattern.Transform(requiredToPlayV1Bytes).Length + i] == 0x72)
            //            {
            //                bwWorker.ReportProgress(0, "[PatchChecks] Returned: REQUIRETOPLAYV1_JB_FOUND_DLL");
            //                patchOffsets.reqToPlayOffset = fOffset + Pattern.Transform(requiredToPlayV1Bytes).Length + i;
            //                patchOffsets.szActivationFName = actDll;
            //                return PatchActivation(patchOffsets, bwWorker);
            //            }
            //        }
            //    }
            //}

            //bwWorker.ReportProgress(0, "[PatchChecks] Returned: FAILED_TO_FIND_PATCH_PATTERNS");
            //return false;
        }

        internal static string GetLicense()
        {
            Debug.WriteLine(DateTime.Now.ToShortTimeString() + " clsAnalyse::GetLicense]");
            var licPath = Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData)
                          + "\\Electronic Arts\\EA Services\\License";

            if (myParameters.ContentId.Trim().Contains(","))
            {
                var a = myParameters.ContentId.Trim().Split(new char[] { ',' });
                foreach (var VARIABLE in a)
                {
                    if (File.Exists(licPath + "\\" + VARIABLE.Trim() + ".dlf"))
                    {
                        var tmpBytes = File.ReadAllBytes(licPath + "\\" + VARIABLE.Trim() + ".dlf");
                        var bMore = new BoyerMoore(new byte[] { 0xC0, 0x1E, 0x0F, 0x86, 0xDA, 0xF1, 0xF8, 0x5F }, tmpBytes);
                        if (bMore.Match() > -1)
                        {
                            bwWorker.ReportProgress(0, "[GetLicense] BOYERMOORE_MATCH_FOUND_SIG");
                            var myArray = new byte[tmpBytes.Length - bMore.Match()];
                            Array.Copy(tmpBytes, bMore.Match(), myArray, 0, tmpBytes.Length - bMore.Match());
                            var tmpXml = clsHelpers.ParseXml(clsAes.AesDecrypt(myArray));

                            bwWorker.ReportProgress(0, "[GetLicense] XML_CIPHERKEY_FOUND");
                            Debug.WriteLine(DateTime.Now.ToShortTimeString() + " clsAnalyse::GetLicense] Returned: " + tmpXml.CipherKey);
                            return tmpXml.CipherKey;
                        }
                    }
                }
            }
            else if (File.Exists(licPath + "\\" + myParameters.ContentId.Trim() + ".dlf"))
            {
                    var tmpBytes = File.ReadAllBytes(licPath + "\\" + myParameters.ContentId.Trim() + ".dlf");
                    var bMore = new BoyerMoore(new byte[] { 0xC0, 0x1E, 0x0F, 0x86, 0xDA, 0xF1, 0xF8, 0x5F }, tmpBytes);
                    if (bMore.Match() > -1)
                    {
                        bwWorker.ReportProgress(0, "[GetLicense] BOYERMOORE_MATCH_FOUND_SIG");
                        var myArray = new byte[tmpBytes.Length - bMore.Match()];
                        Array.Copy(tmpBytes, bMore.Match(), myArray, 0, tmpBytes.Length - bMore.Match());
                        var tmpXml = clsHelpers.ParseXml(clsAes.AesDecrypt(myArray));

                        bwWorker.ReportProgress(0, "[GetLicense] XML_CIPHERKEY_FOUND");
                        Debug.WriteLine(DateTime.Now.ToShortTimeString() + " clsAnalyse::GetLicense] Returned: " + tmpXml.CipherKey);
                        return tmpXml.CipherKey;
                    }
            }
            else
            {
                bwWorker.ReportProgress(0, "[GetLicense] GAME_NOT_RUN_FIRST");
                Debug.WriteLine(DateTime.Now.ToShortTimeString() + " GetLicense] Returned: Game Never Ran before!");
                return "ERROR: Run game once first!";
            }
            bwWorker.ReportProgress(0, "[GetLicense] XML_CIPHERKEY_NOT_FOUND");
            Debug.WriteLine(DateTime.Now.ToShortTimeString() + " clsAnalyse::GetLicense] Returned: NULL");
            return string.Empty;
        }


        internal static byte[] AddNoOrigin(string toFix, bool useChecksum)
        {
            Debug.WriteLine(DateTime.Now.ToShortTimeString() + " clsAnalyse::AddNoOrigin]");
            if (!toFix.Contains("RequiredToPlayV1"))
            {
                var a =
                    clsXor.Xor(
                        Encoding.ASCII.GetBytes(
                            toFix.Replace("InstalledDistro = ", "InstalledDistro = RequiredToPlayV1,")),
                        Encoding.ASCII.GetBytes("q@pO3o#5jNA6$sjP3qwe1"));
                var b = clsXor.Xor2(clsHelpers.CreateCorrectTable(a));
                var bitBugA = new byte[1];
                if (useChecksum)
                {
                    bitBugA = new byte[a.Length + b.Length];
                    Array.Copy(b, 0, bitBugA, 0, b.Length);
                    Array.Copy(a, 0, bitBugA, b.Length, a.Length);
                    return bitBugA;
                }
                else
                {
                    return a;
                }
            }
            else
            {
                var a = clsXor.Xor(Encoding.ASCII.GetBytes(toFix), Encoding.ASCII.GetBytes("q@pO3o#5jNA6$sjP3qwe1"));
                var b = clsXor.Xor2(clsHelpers.CreateCorrectTable(a));
                var bitBugA = new byte[1];

                if (useChecksum)
                {
                    bitBugA = new byte[a.Length + b.Length];
                    Array.Copy(b, 0, bitBugA, 0, b.Length);
                    Array.Copy(a, 0, bitBugA, b.Length, a.Length);
                    return bitBugA;
                }
                else
                {
                    return a;
                }
            }
        }

        internal static bool PatchActivation(EACorePatch patchDetails)
        {
            Debug.WriteLine(DateTime.Now.ToShortTimeString() + " clsAnalyse::PatchActivation]");
            if (patchDetails.crcOffset != -1 && patchDetails.reqToPlayOffset != -1
                && patchDetails.szActivationFName != String.Empty)
            {
                var mBytes = File.ReadAllBytes(patchDetails.szActivationFName);
                File.Copy(patchDetails.szActivationFName, patchDetails.szActivationFName + ".bak", true);
                mBytes[patchDetails.crcOffset] = 0xEB;
                mBytes[patchDetails.reqToPlayOffset] = 0xEB;
                try
                {
                    File.WriteAllBytes(patchDetails.szActivationFName, mBytes);
                    bwWorker.ReportProgress(0, "[PatchActivation] Returned: FILE_PATCHED_AND_SAVED");
                    return true;
                }
                catch (Exception ex)
                {
                    bwWorker.ReportProgress(0, "[PatchActivation] Returned: FILE_PATCH_FAILED (" + ex.Message + ")");
                    return false;
                }
            }
            bwWorker.ReportProgress(0, "[PatchActivation] Returned: FILE_PATCH_FAILED_MISSING_DETAILS");
            return false;
        }
As I said earlier in this reply; this code is far from complete, its just something that may or may not help an experienced coder create something they want with - and yes, the code is entirely mine and mine alone

Anywho; use this code as you wish, but credit me if you do
Reply With Quote
The Following 2 Users Say Thank You to n00b For This Useful Post:
chants (02-19-2017), tonyweb (02-19-2017)
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is On



All times are GMT +8. The time now is 23:54.


ICP05004977
vBulletin Security provided by vBSecurity v2.2.0 (Lite) - vBulletin Mods & Addons Copyright © 2017 DragonByte Technologies Ltd.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX