henriquekieckbusch / Chroma_squad_saveedit

Edit your save file from Chroma Squad Game
GNU General Public License v2.0

How did you reverse engineer this? #1

Closed kevzettler closed 8 years ago

kevzettler commented 8 years ago

Hi, I am wondering what steps you took to reverse engineer the .csqd file format and build this script. It works great

henriquekieckbusch commented 8 years ago

Hello! Opening the file we see that # and ! are used to separate (to split) the content. Then I just saved my game many times with different letters and I understood how it was decrypted. Thanks for the message 👍

kevzettler commented 8 years ago

@henriquekieckbusch thanks for the response! I'm studying binary data and working with binary formats and was reverse engineering the .csqd format as an exercise. If you could answer a few more questions it would be really helpful to me and I'd really appreciate it!

Are you saying that you just got lucky and noticed the # and ! characters were being used as delimiters? Did you use any tools to help spot these?

How did you find the cipher vOSnn95Lo8C1fDPMYKIUvrLcYZ8G699o here? https://github.com/henriquekieckbusch/Chroma_squad_saveedit/blob/master/chroma_saveedit.php#L23

How did you know it was rot13?

What is the i%32 calculation doing?

I've recreated your code in javascript as an exercise to understand it more. It works but makes no sense to me. It's like magic.

```javascript
var fs = require('fs');
var rot = require('rot');   // npm "rot" package: rot(string, n) rotates ASCII letters by n
var path = './CSQ-SaveGameFile-635968661423062140.csqd';
var cipher = 'vOSnn95Lo8C1fDPMYKIUvrLcYZ8G699o';   // 32-character key taken from chroma_saveedit.php

function readFileHandler(err, data){
  if(err){throw err;}
  var ret = {};

  // Records are separated by '#', and each record is a 'key!value' pair.
  data.split('#').forEach(function(tupple){
    var kvs = tupple.split('!');
    if(kvs.length > 1){
      ret[decrypt(kvs[0])] = decrypt(kvs[1]);
    }
  });

  console.log(ret);
};

function decrypt(string){
  var ret = "";
  string.split('').forEach(function(character, i){
    var charCode = character.charCodeAt(0);
    // rot13 of the key is the real key stream (recomputed per character here; it is a constant).
    var rotc = rot(cipher, 13);
    // i%32 wraps the position around the 32-character key stream.
    var rotSub = rotc.substring(i%32, (i%32)+1);
    // Subtract the key-stream character's code from the ciphertext character's code.
    var wtf = -1 * rotSub.charCodeAt(0);
    ret += String.fromCharCode(charCode + wtf);
  });

  return ret;
}

fs.readFile(path, {encoding: "utf8"}, readFileHandler);
```

henriquekieckbusch commented 8 years ago

Hi again! rot13 just reverses the letters.. I made it just to not show people the real characters (of course pretty easy to show, but it was one more step).. I made many hacks for many games.. but I just do "legal" and "good" things... Even for Chroma Squad, I changed many things in the game.. I put new game characters, infinite lives, I listed many hidden things and I posted in the chromasquad forums.. But since I thought it was not good for the game, I didn't make more things.. So I just do things in the "good side", and when the company that made the game like. The rot13 just changes a letter to letter+13 (alphabet places).

This game specifically was easy. If you see the file.. you see it just uses common letters and ! and # are very visible. I opened the saved game and I changed my "team name" in the game.. and just a small part of the saved game changed.. from that I started understanding.. First I called my team "aaaaa" then "bbbb".. and I got the table of characters.. changing the whole code with the first tests many things started becoming visible. so it was not that difficult to see the code the first time.

The final code was a strange table (an array, each letter representing another).. then I started searching for the maths to show the code in a simple way. It's here I found that letter sequence. just dividing the letter key code it is easy to get too.

There are many types of crypts.. some people use salts, many hash keywords with aes/des/etc... but this one specifically didn't do anything of this.. it was just a simple "table-character" crypt.

Your js code looks great 👍

thanks for your message!
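Putting the two answers together, here is a self-contained version of the scheme the thread describes (an added example, not code from the repository or from either commenter): a rot13-transformed 32-character key used as a repeating key stream, with each character decrypted by subtracting the key-stream character at position i mod 32. It shows why the known-plaintext trick with a team name like "aaaaa" works: ciphertext minus plaintext gives the key stream directly. The `encrypt` function is assumed to be the arithmetic inverse of the posted `decrypt`; the thread does not confirm that the game writes files exactly this way, and the sample record is constructed.

```javascript
// Key as it appears in chroma_saveedit.php; no npm `rot` package needed.
const KEY = 'vOSnn95Lo8C1fDPMYKIUvrLcYZ8G699o';

// rot13 touches only ASCII letters; the digits in the key pass through unchanged.
function rot13(s) {
  return s.replace(/[a-zA-Z]/g, (c) => {
    const base = c <= 'Z' ? 65 : 97;
    return String.fromCharCode(((c.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// The real key stream is rot13(KEY); it is a constant, so compute it once.
const KEYSTREAM = rot13(KEY);

// Shift every character by the key-stream character at i mod 32 (sign -1 decrypts, +1 encrypts).
function shift(s, sign) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const k = KEYSTREAM.charCodeAt(i % KEYSTREAM.length);
    out += String.fromCharCode(s.charCodeAt(i) + sign * k);
  }
  return out;
}
const decrypt = (s) => shift(s, -1);
const encrypt = (s) => shift(s, +1);   // assumed inverse of the posted decrypt

// Records are '#'-separated 'key!value' pairs, both halves encrypted.
function parseSave(data) {
  const ret = {};
  for (const tuple of data.split('#')) {
    const kv = tuple.split('!');
    if (kv.length > 1) ret[decrypt(kv[0])] = decrypt(kv[1]);
  }
  return ret;
}
function buildSave(obj) {
  return Object.entries(obj).map(([k, v]) => encrypt(k) + '!' + encrypt(v)).join('#');
}

// Known plaintext recovers the key stream: ciphertext code minus plaintext code, per position.
function recoverKeystream(plain, cipher) {
  let ks = '';
  for (let i = 0; i < plain.length; i++) {
    ks += String.fromCharCode(cipher.charCodeAt(i) - plain.charCodeAt(i));
  }
  return ks;
}

// Constructed sample record, round-tripped through the scheme.
const sample = buildSave({ teamName: 'aaaaa', gold: '1500' });
console.log(parseSave(sample));   // prints { teamName: 'aaaaa', gold: '1500' }
```

Because the key stream repeats every 32 characters and is simply added, any save field whose plaintext is known (a team name you chose yourself) leaks the key stream for those positions, which is the observation behind the "aaaaa" then "bbbb" experiments.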

kevzettler commented 8 years ago

Thanks for the in-depth response!