linuslin0 / ACST

Public releases for ACSaveTool
267 stars 42 forks source link

Having trouble with the manual four steps from the FAQ (May be it's me) #147

Closed MisteRibi closed 8 months ago

MisteRibi commented 10 months ago

Hello and Happy New Year.

Sorry in advance for my not perfect English.

I'm following the four steps from the FAQ to do it manually (since the tool can't do what I want) but it doesn't work as expected.

I mean that the decryption part doesn't really (seem to) decrypt since there are no "readable string" at all.

The four steps from the FAQ I'm talking about are the following:

  1. Calculate the MD5 hash of your account ID.
  2. Generate the encryption key using the 16-byte MD5 hash: take the first and last bytes and followed by the rest 14 bytes in reverse order.
  3. Get the rotation offset based on the save data size: size % 16 and do a right rotation on the key.
  4. XOR the key with the save data.

My Ubisoft account ID is 2e21f104-6c21-47e2-add8-90f551b20aa4 Doing the first step give me 4897bd7fec5c95faaa0c961de61db83e Doing the second give me 483eb81de61d960caafa955cec7fbd97

Then the third step is where I'm not sure. I do understand how to get the offset, I get 3 for the options save and 9 for my actual save.

What I'm not sure is the right rotation, so I move the number 3 and 9 times to the right (and also tried left just in case), that give me: For the offset 3 d97483eb81de61d960caafa955cec7fb (left eb81de61d960caafa955cec7fbd97483) For the offset 9 cec7fbd97483eb81de61d960caafa955 (left 61d960caafa955cec7fbd97483eb81de)

And then the fourth step, the XOR the key with the save data, I'm doing it with the bytes on python:

def xor(input: str, output: str, key: bytes) -> bytes:
    with open(input, "rb") as inp:
        data = inp.read()
    l = len(key)
    decoded = bytearray()
    for i in range(len(data)):
        decoded.append(data[i] ^ ord(key[i % l]))
    with open(output, 'ab+') as outp:
        outp.write(decoded)

I could be wrong in any step, can you help me?

What I want is to decrypt the save to see how it is structured to manipulate my old save that I want to transfer that is not compatible since it is the Stadia non-encrypted version.

I can see my ID in the stadia save, I tried changed to my Ubisoft connect ID but it isn't not so simple and the ID in stadia is a little far away while the PC one seem to have the Ubisoft account ID on the top, starting at the fifth byte (if I'm counting correctly).

Thanks in advance and happy new year.

linuslin0 commented 10 months ago

Happy new year. The right rotation is based on bytes of the hash data, not character. In your case, 483eb81de61d960caafa955cec7fbd97 with offset 3 would be 1de61d960caafa955cec7fbd97483eb8. Btw you can use this tool to decrypt your save by giving the right account id or use the detect checkbox. The Encryption ID field can be left as empty.

MisteRibi commented 10 months ago

Thank you very much for your response. I understand my error for the offset.

I tried this new key and your tool to decrypt only and compare it with my script and the pwntools and I don't the same between the decypted and my script/pwntools and I don't know why.

I will troubleshoot this again on my free time.

Thanks again for your response :)

linuslin0 commented 8 months ago

Closing this due to lack of activities, feel free to reopen if you still have questions.