vn-tools / arc_unpacker

CLI tool for extracting images and sounds from visual novels.
GNU General Public License v3.0

Question. find encryption key #89

Closed EAxp3 closed 7 years ago

EAxp3 commented 7 years ago

❓ Is there some form or manual for finding the encryption key, especially for Kirikiri .xp3 based games? 🔍 What happens is that I have many games and would like to help find the keys.

I'm tired of game requests; I also want to help. 🔨 I can not help with the code, and I don't understand C / C++, only C#. 👍

marconii2002 commented 7 years ago

For Kirikiri .xp3 games with tpm files, use crass with the tpm1 or tpm2 parameter, or xp3viewer.

rr- commented 7 years ago

(...I want to support as many games as possible though.)

rr- commented 7 years ago

Provided you have basic knowledge of how machine code and disassemblers work, the easiest way to locate the decryption routine is:

  1. Locate the call to zlib uncompress (there are about 3 calls per game).
  2. Inspect each call and its call hierarchy. Locate the function that processes the segm chunk - it should look roughly like this (arc_unpacker's code), or even more to the letter, like this (open source Kirikiri Z's code). The call hierarchy I referred to is the Read() → EnsureSegment() → SetData() → uncompress() call chain.
  3. The decryption function is called right after reading the data, as you can see in tTVPXP3ArchiveStream::Read: TVPXP3ArchiveExtractionFilter ( (tTVPXP3ExtractionFilterInfo*) &info );, so you just need to step into it while hooked.
  4. Done.

Some Kirikiri games use basic decryption like the famous Fate/Stay Night, which xors all the bytes with one number and then xors 2 bytes at certain places. But most of the games I know of use CXDEC decryption, which is a bit crazy:

  1. It's loaded from a DLL at runtime, so you can't approach it with static analysis. You need to dissect the game as it runs. (Technically this DLL is named cxdec.tpm - despite its extension, yes, it's a DLL.)
  2. (After it's loaded) the DLL, rather than decrypting the data, proceeds to... assemble machine code in a certain memory region in a convoluted way. This machine code will be used to decrypt the data.
  3. Each game uses basically the same CXDEC code, but the way the code is assembled slightly differs.
  4. This is achieved by 3 parameters: 2 permutations that map certain switch statement cases differently, and two small integers used as seed/key in a certain place.

I suggest you try to reverse a game that's already supported by arc_unpacker to see how it works. It's easier this way because you already know what to look for, thanks to having the sources available. A good start would be 「Fate/Stay Night」 to learn how to locate the decryption routine and how this routine works, and 「Fate/Hollow Ataraxia」 to understand where to locate the CXDEC parameters.
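The Fate/Stay Night-style filter rr- describes above (xor every byte with one value, then xor two fixed offsets), as an added C++ example that is not arc_unpacker's code and not from this thread; the key, the two offsets and the PNG-like sample buffer are constructed values, not any game's real parameters. It also shows why such a scheme is obfuscation rather than encryption: one byte of known plaintext, here the PNG signature, hands the key straight back.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Parameters of the "xor everything, then xor two fixed offsets" scheme.
// All values used below are constructed for this example (hypothetical).
struct XorFilterParams {
    uint8_t key;                   // byte xored into every position
    size_t  pos_a; uint8_t fix_a;  // first extra single-byte tweak
    size_t  pos_b; uint8_t fix_b;  // second extra single-byte tweak
};

// Decrypt in place. Every step is an XOR, so the same call also encrypts.
void apply_xor_filter(std::vector<uint8_t> &data, const XorFilterParams &p) {
    for (auto &b : data) b ^= p.key;
    if (data.size() > p.pos_a) data[p.pos_a] ^= p.fix_a;
    if (data.size() > p.pos_b) data[p.pos_b] ^= p.fix_b;
}

// Known-plaintext check: a file that must start with the PNG signature leaks
// the whole-buffer key from its first byte. Returns -1 when that candidate key
// does not reproduce the rest of the signature (not a PNG, a different scheme,
// or one of the extra tweaks landing inside the header).
int recover_key_from_png_header(const std::vector<uint8_t> &data) {
    static const uint8_t png_sig[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    if (data.size() < 8) return -1;
    uint8_t key = data[0] ^ png_sig[0];
    for (size_t i = 1; i < 8; ++i)
        if ((data[i] ^ key) != png_sig[i]) return -1;
    return key;
}

// Constructed sample: a 64-byte PNG-like plaintext run through the filter.
std::vector<uint8_t> make_sample(const XorFilterParams &p) {
    std::vector<uint8_t> plain = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    plain.resize(64, 0x00);
    plain[0x0C] = 'I'; plain[0x0D] = 'H'; plain[0x0E] = 'D'; plain[0x0F] = 'R';
    apply_xor_filter(plain, p);  // same routine encrypts
    return plain;
}

// Round trip with constructed parameters: key leaks from the header, and the
// filter restores the two tweaked offsets to their plaintext value.
bool self_check() {
    const XorFilterParams p{0x5A, 0x13, 0x01, 0x2A, 0x03};  // constructed
    std::vector<uint8_t> enc = make_sample(p);
    if (recover_key_from_png_header(enc) != 0x5A) return false;
    apply_xor_filter(enc, p);  // decrypt
    return enc[0] == 0x89 && enc[0x13] == 0x00 && enc[0x2A] == 0x00;
}
```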

EAxp3 commented 7 years ago

That is somewhat complicated. I'll try. Thank you very much for your help. 🎃 Which debugger to use? --> OllyDbg?

rr- commented 7 years ago

IDA, ideally with the C decompiler. The trial should be good too, although the C decompiler tremendously accelerates the work.

sunho commented 3 years ago

For those having difficulty with the first step:

In the IDA string view, search for "V2Link". If you follow the cross reference, you will find a subroutine corresponding to this.

Follow TVPGetFunctionExporter() -> TVPInitExportFuncs() -> TVPExportFunctions() (source)

TVPExportFunctions calls the uncompress function.