03-29-2016, 03:00
n00b
[C#] EADRM Encryptions & Few notes...

Well, first off - there are 2 major "encryptions" used in EADRM;
.PAR - the parameter file which contains the parameters the DRM itself reads, and uses together with the cipher-key found in the .DLF (the decryption information key file)...

.PAR is "encrypted" with a simple Xor encryption w/key:

Code:
        // Repeating-key XOR, applied in place to orgBytes; the same call encrypts and decrypts.
        private static byte[] Xor(byte[] orgBytes, byte[] keyBytes)
        {
            for (var i = 0; i < orgBytes.Length; i++)
            {
                orgBytes[i] = (byte)(orgBytes[i] ^ keyBytes[i % keyBytes.Length]);
            }
            return orgBytes;
        }
Key is static and ALWAYS: q@pO3o#5jNA6$sjP3qwe1


.DLF is encrypted (yes, really encrypted) with AES-CBC w/zero padded IV:
(also static Key by the way...)

Code:
        // Requires: using System.IO; using System.Security.Cryptography; using System.Text;
        // Extension method, so it must be declared inside a static class.
        private static string AesDecrypt(this byte[] cryptText)
        {
            using (var aes = new RijndaelManaged
            {
                BlockSize = 128,
                KeySize = 128,
                Padding = PaddingMode.Zeros,
                Mode = CipherMode.CBC,
                Key = new byte[] { 0x41, 0x32, 0x72, 0x2D, 0xD0, 0x82, 0xEF, 0xB0, 0xDC, 0x64, 0x57, 0xC5, 0x76, 0x68, 0xCA, 0x09 },
                IV = new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
            })
            {
                var decryptor = aes.CreateDecryptor();
                var encrypted = cryptText;
                var plainText = new byte[encrypted.Length];
                using (var memoryStream = new MemoryStream(encrypted))
                {
                    using (var cryptStream = new CryptoStream(memoryStream, decryptor, CryptoStreamMode.Read))
                    {
                        // Read() may return fewer bytes than requested, so loop until the stream ends.
                        int total = 0, read;
                        while ((read = cryptStream.Read(plainText, total, plainText.Length - total)) > 0)
                        {
                            total += read;
                        }
                        // CleanInput() is not a framework method; its definition is not shown in the post.
                        return Encoding.ASCII.GetString(plainText).CleanInput();
                    }
                }
            }
        }
NOTES:

During my research towards making an unpacker for EADRM/OriginStub (without the need to patch any APIs), I also discovered that there are currently 3 variations of the DRM/Stub:

Quote:
V1 OriginStub/EADRM:
--------------------
Signature: IREW
Special : Encrypted Code
Visible : OEP & IAT

V2 OriginStub/EADRM:
--------------------
Signature: AE64/XE34
Special : Encrypted Code + Fake .NET entrypoint + Calls Directly to Activation.dll
Also exists on 64bit compiled games!
Visible : OEP & IAT

V3 OriginStub/EADRM:
--------------------
Signature: Code is found inside .ooa section
Special : This variant is mostly used in combination with Denuvo!
Also, most Denuvo games are 64bit compiled!
Visible : Nothing

Oh, and no tools will be given for this - just enjoy these few findings and write your own tools

Last edited by n00b; 04-01-2016 at 03:52. Reason: Seems Command & Conquer has a slightly different V2...
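
Added example, not part of n00b's post and not EADRM code: it shows what the configuration described above (one fixed key, an all-zero IV, `PaddingMode.Zeros`) costs a designer, next to the usual corrections (a fresh random IV per message, PKCS7 padding). The key, the record strings and all names in it are constructed for the demonstration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class FixedIvDemo
{
    // Constructed demo key; deliberately not the key quoted in the post.
    static readonly byte[] DemoKey = Enumerable.Range(0, 16).Select(i => (byte)i).ToArray();

    static byte[] Encrypt(byte[] plain, byte[] iv, PaddingMode padding)
    {
        using (var aes = Aes.Create())
        {
            aes.Mode = CipherMode.CBC;
            aes.Padding = padding;
            aes.Key = DemoKey;
            aes.IV = iv;
            using (var enc = aes.CreateEncryptor())
                return enc.TransformFinalBlock(plain, 0, plain.Length);
        }
    }

    static byte[] RandomIv()
    {
        var iv = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(iv);
        return iv;
    }

    static bool SameFirstBlock(byte[] x, byte[] y) => x.Take(16).SequenceEqual(y.Take(16));

    static void Main()
    {
        // Constructed records that share their first 16-byte block.
        var a = Encoding.ASCII.GetBytes("ContentId=000001;Cipher=AAAAAAAA");
        var b = Encoding.ASCII.GetBytes("ContentId=000001;Cipher=BBBBBBBB");
        var zeroIv = new byte[16];
        // Fixed key + all-zero IV: equal plaintext prefixes give equal ciphertext prefixes.
        Console.WriteLine("zero IV, first block equal:   " +
            SameFirstBlock(Encrypt(a, zeroIv, PaddingMode.PKCS7), Encrypt(b, zeroIv, PaddingMode.PKCS7)));
        // Fresh random IV per message: the shared prefix is no longer visible.
        Console.WriteLine("random IV, first block equal: " +
            SameFirstBlock(Encrypt(a, RandomIv(), PaddingMode.PKCS7), Encrypt(b, RandomIv(), PaddingMode.PKCS7)));
        // Zero padding is ambiguous: "abc" and "abc\0" encrypt to the same bytes.
        var p1 = Encrypt(new byte[] { 0x61, 0x62, 0x63 }, zeroIv, PaddingMode.Zeros);
        var p2 = Encrypt(new byte[] { 0x61, 0x62, 0x63, 0x00 }, zeroIv, PaddingMode.Zeros);
        Console.WriteLine("Zeros padding collision:      " + p1.SequenceEqual(p2));
    }
}
```

Neither correction helps against a key that ships inside the client, and CBC on its own gives no integrity; an authenticated mode such as AES-GCM covers the latter.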
All times are GMT +8.

