03-29-2016, 03:00
n00b
[C#] EADRM Encryptions & Few notes...

Well, first off - there are 2 major "encryptions" used in EADRM;
.PAR - the parameter file which contains the parameters the DRM itself reads, and uses together with the cipher-key found in the .DLF (the decryption information key file)...

.PAR is "encrypted" with a simple Xor encryption w/key:

Code:
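        // Repeating-key XOR. The same call encrypts and decrypts.
        // Note: orgBytes is modified in place and also returned.
        private static byte[] Xor(byte[] orgBytes, byte[] keyBytes)
        {
            for (var i = 0; i < orgBytes.Length; i++)
            {
                orgBytes[i] = (byte)(orgBytes[i] ^ keyBytes[i % keyBytes.Length]);
            }
            return orgBytes;
        }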
Key is static and ALWAYS: q@pO3o#5jNA6$sjP3qwe1


.DLF is encrypted (yes, really encrypted) with AES-CBC w/zero padded IV:
(also static Key by the way...)

Code:
        // Needs: using System.IO; using System.Security.Cryptography; using System.Text;
        // Extension method, so it must be declared in a static class.
        // CleanInput() is a string helper that is not shown in this post.
        private static string AesDecrypt(this byte[] cryptText)
        {
            using (var aes = new RijndaelManaged
            {
                BlockSize = 128,
                KeySize = 128,
                Padding = PaddingMode.Zeros,
                Mode = CipherMode.CBC,
                Key = new byte[] { 0x41, 0x32, 0x72, 0x2D, 0xD0, 0x82, 0xEF, 0xB0, 0xDC, 0x64, 0x57, 0xC5, 0x76, 0x68, 0xCA, 0x09 },
                IV = new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
            })
            using (var decryptor = aes.CreateDecryptor())
            using (var memoryStream = new MemoryStream(cryptText))
            using (var cryptStream = new CryptoStream(memoryStream, decryptor, CryptoStreamMode.Read))
            {
                var plainText = new byte[cryptText.Length];
                // A single Read() may return fewer bytes than requested, so loop until the stream ends.
                int total = 0, read;
                while (total < plainText.Length &&
                       (read = cryptStream.Read(plainText, total, plainText.Length - total)) > 0)
                {
                    total += read;
                }
                return Encoding.ASCII.GetString(plainText, 0, total).CleanInput();
            }
        }
NOTES:

During my research towards making an unpacker for EADRM/OriginStub (without the need to patch any APIs), I also discovered that there are currently 3 variations of the DRM/Stub:

Quote:
V1 OriginStub/EADRM:
--------------------
Signature: IREW
Special : Encrypted Code
Visible : OEP & IAT

V2 OriginStub/EADRM:
--------------------
Signature: AE64/XE34
Special : Encrypted Code + Fake .NET entrypoint + Calls Directly to Activation.dll
Also exists on 64bit compiled games!
Visible : OEP & IAT

V3 OriginStub/EADRM:
--------------------
Signature: Code is found inside .ooa section
Special : This variant is mostly used in combination with Denuvo!
Also, most Denuvo games are 64bit compiled!
Visible : Nothing

Oh, and no tools will be given for this - just enjoy these few findings and write your own tools.

Last edited by n00b; 04-01-2016 at 03:52. Reason: Seems Command & Conquer has a slightly different V2...
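Added example, not part of the original post and not the poster's code: a design-review sketch of why the two schemes described above (repeating-key XOR with a shared key, AES-CBC with a static key and all-zero IV) leak structure, next to a per-message random IV. The keys, the sample records and the `StaticKeyDemo` class are constructed for illustration; it assumes .NET Core 3.0 or later.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class StaticKeyDemo
{
    // Constructed demo keys (assumptions), NOT the keys quoted in the post.
    static readonly byte[] AesKey = Enumerable.Range(0, 16).Select(i => (byte)i).ToArray();
    static readonly byte[] XorKey = Encoding.ASCII.GetBytes("demo-xor-key");

    // Repeating-key XOR that returns a new array instead of mutating its input.
    static byte[] Xor(byte[] data, byte[] key) =>
        data.Select((b, i) => (byte)(b ^ key[i % key.Length])).ToArray();

    static byte[] EncryptCbc(byte[] plain, byte[] iv)
    {
        using var aes = Aes.Create();
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.Zeros;   // same padding mode as the post's snippet
        aes.Key = AesKey;
        aes.IV = iv;
        using var enc = aes.CreateEncryptor();
        return enc.TransformFinalBlock(plain, 0, plain.Length);
    }

    static byte[] RandomIv() { var iv = new byte[16]; RandomNumberGenerator.Fill(iv); return iv; }

    static void Main()
    {
        // Constructed sample records; their first 16 bytes ("ContentId=100001") are identical.
        var a = Encoding.ASCII.GetBytes("ContentId=100001;License=AAAA");
        var b = Encoding.ASCII.GetBytes("ContentId=100001;License=BBBB");

        // 1) Shared XOR key: the key cancels out, so two ciphertexts reveal where the plaintexts differ.
        var leak = Xor(Xor(a, XorKey), Xor(b, XorKey)).SequenceEqual(Xor(a, b));
        Console.WriteLine("xor(c1,c2) == xor(p1,p2): " + leak);

        // 2) Static key + zero IV: equal leading plaintext blocks give equal ciphertext blocks.
        var z1 = EncryptCbc(a, new byte[16]); var z2 = EncryptCbc(b, new byte[16]);
        Console.WriteLine("zero IV, block 0 equal:   " + z1.Take(16).SequenceEqual(z2.Take(16)));

        // 3) A fresh random IV per message (stored beside the ciphertext) removes that equality.
        var r1 = EncryptCbc(a, RandomIv()); var r2 = EncryptCbc(b, RandomIv());
        Console.WriteLine("random IV, block 0 equal: " + r1.Take(16).SequenceEqual(r2.Take(16)));
    }
}
```

A random IV only removes the determinism; a key that ships inside every client binary stays readable to anyone who holds that binary, and CBC without a MAC gives no integrity protection.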