Well, first off - there are 2 major "encryptions" used in EADRM:
.PAR - the parameter file which contains the parameters the DRM itself reads, and uses together with the cipher-key found in the .DLF (the decryption information key file)...
.PAR is "encrypted" with a simple Xor encryption w/key:
Code:
// Repeating-key XOR, applied in place; the same call both "encrypts" and decrypts.
private static byte[] Xor(byte[] orgBytes, byte[] keyBytes)
{
    for (var i = 0; i < orgBytes.Length; i++)
    {
        // the key byte is recycled every keyBytes.Length positions
        orgBytes[i] = (byte)(orgBytes[i] ^ keyBytes[i % keyBytes.Length]);
    }
    return orgBytes;
}
Key is static and ALWAYS:
q@pO3o#5jNA6$sjP3qwe1
.DLF is encrypted (yes, really encrypted) with AES-CBC w/zero padded IV:
(also static Key by the way...)
Code:
// Requires: using System.IO; using System.Security.Cryptography; using System.Text;
// Extension method, so it must live in a static class. CleanInput() is the author's own
// helper (not shown in the post); it strips the trailing 0x00 bytes left by zero padding.
private static string AesDecrypt(this byte[] cryptText)
{
    using (var aes = new RijndaelManaged
    {
        BlockSize = 128,
        KeySize = 128,
        Padding = PaddingMode.Zeros,   // zero padding is NOT removed on decrypt
        Mode = CipherMode.CBC,
        Key = new byte[] { 0x41, 0x32, 0x72, 0x2D, 0xD0, 0x82, 0xEF, 0xB0, 0xDC, 0x64, 0x57, 0xC5, 0x76, 0x68, 0xCA, 0x09 },
        IV = new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
    })
    {
        var decryptor = aes.CreateDecryptor();
        var encrypted = cryptText;
        var planeText = new byte[encrypted.Length];
        using (var memoryStream = new MemoryStream(encrypted))
        {
            using (var cryptStream = new CryptoStream(memoryStream, decryptor, CryptoStreamMode.Read))
            {
                // read in a loop: a single Read() may return fewer bytes than requested
                int total = 0, read;
                while ((read = cryptStream.Read(planeText, total, planeText.Length - total)) > 0)
                {
                    total += read;
                }
                return Encoding.ASCII.GetString(planeText, 0, total).CleanInput();
            }
        }
    }
}
NOTES:
During my research towards making an unpacker for EADRM/OriginStub (without the need to patch any APIs), I also discovered that there are currently 3 variations of the DRM/Stub:
Quote:
V1 OriginStub/EADRM:
--------------------
Signature: IREW
Special : Encrypted Code
Visible : OEP & IAT
V2 OriginStub/EADRM:
--------------------
Signature: AE64/XE34
Special : Encrypted Code + Fake .NET entrypoint + Calls Directly to Activation.dll
Also exists on 64bit compiled games!
Visible : OEP & IAT
V3 OriginStub/EADRM:
--------------------
Signature: Code is found inside .ooa section
Special : This variant is mostly used in combination with Denuvo!
Also, most Denuvo games are 64bit compiled!
Visible : Nothing
Oh, and no tools will be given for this - just enjoy these few findings and write your own tools
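The two transforms above, exercised on constructed sample data as an added example (not the post's code): it uses the XOR key quoted in the post but an all-zero placeholder in place of the real AES key, and shows why a static XOR key, and a static AES key with an all-zero IV and zero padding, give no real confidentiality.

```csharp
// Added example, not from the original post. Sample .PAR contents and the AES key are constructed.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class EadrmCryptoDemo
{
    // Same repeating-key XOR as the post's Xor(), but returning a fresh array.
    static byte[] Xor(byte[] data, byte[] key)
    {
        var output = new byte[data.Length];
        for (var i = 0; i < data.Length; i++)
            output[i] = (byte)(data[i] ^ key[i % key.Length]);
        return output;
    }

    // AES-128-CBC with zero padding and an all-zero IV, the .DLF configuration from the post.
    static byte[] AesCbcZeros(byte[] input, byte[] key, bool encrypt)
    {
        using var aes = Aes.Create();
        aes.KeySize = 128;
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.Zeros;
        aes.Key = key;
        aes.IV = new byte[16];                       // all-zero IV, as in the post
        using var t = encrypt ? aes.CreateEncryptor() : aes.CreateDecryptor();
        return t.TransformFinalBlock(input, 0, input.Length);
    }

    static void Main()
    {
        var xorKey = Encoding.ASCII.GetBytes("q@pO3o#5jNA6$sjP3qwe1"); // key quoted in the post
        var aesKey = new byte[16];                                      // placeholder, NOT the real key
        var par1 = Encoding.ASCII.GetBytes("GameId=1234\r\nRegion=EU\r\n"); // constructed
        var par2 = Encoding.ASCII.GetBytes("GameId=1234\r\nRegion=US\r\n"); // constructed

        // 1) XOR: one call encrypts and decrypts, and the key cancels between two files,
        //    so c1 XOR c2 == par1 XOR par2: plaintext structure leaks even without the key.
        var c1 = Xor(par1, xorKey);
        var c2 = Xor(par2, xorKey);
        Console.WriteLine(Xor(c1, xorKey).SequenceEqual(par1));
        Console.WriteLine(Xor(c1, c2).SequenceEqual(Xor(par1, par2)));

        // 2) Fixed key + zero IV makes CBC deterministic: payloads sharing their first
        //    16 bytes share their first ciphertext block.
        var d1 = AesCbcZeros(par1, aesKey, true);
        var d2 = AesCbcZeros(par2, aesKey, true);
        Console.WriteLine(d1.Take(16).SequenceEqual(d2.Take(16)));

        // 3) Zero padding is not stripped on decrypt: the 24-byte input comes back as 32
        //    bytes ending in 0x00, which is why the post's CleanInput() is needed.
        var back = AesCbcZeros(d1, aesKey, false);
        Console.WriteLine(back.Length == 32 && back.Take(par1.Length).SequenceEqual(par1));
    }
}
```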