x1nixmzeng / z3ResEx

Extracts the filesystem from RaiderZ or GunZ: The Second Duel clients

Non-Code Issue | Raiderz_Intl_20110531 #7

Closed GAFO closed 4 years ago

GAFO commented 5 years ago

It sadly doesn't support the keys for Raiderz_Intl_20110531 (yet).

Trying to reverse it myself. Just one question: how do I convert the keys (format: "r35337 8E405793A58A8A25EC45D1FFC0F860E1") into the big byte array? (keys in comments -> big byte arrays in code)

Greetings ~

x1nixmzeng commented 5 years ago

Hey, that file is ancient (8 years old)!

The format string you posted is the revision number (changelist) and an MD5 hash of the file, and the byte array is the decryption key.

GAFO commented 5 years ago

Hey, by "that file" do you mean "Raiderz_Intl_20110531"? Well, I need the most recent data files to be dumped to reconstruct a client, since I want to open my own pserver for private nostalgic reasons :)

Oh, it's just the changelist and MD5. I assumed the byte array itself is a bit big to be one key, so I was thinking way too complicated about it haha. Thanks for the info and your work!

x1nixmzeng commented 5 years ago

If I've missed an old client, post a link to the installer and I'll update this tool.

GAFO commented 5 years ago

Well, here would be the Raiderz_Intl_20110531 one: https://mega.nz/#!W94EhKiQ!Pg6-yAFDjGRViS0MelpFFE0StKotgnerSYuf4B6vnEs

Here would be a Revolution one: https://www.mediafire.com/file/p64anl6bs3sx8b9/RevolutionInstall.zip/file

Can't find the one of Wild Raiderz anymore, sadly. They shut down and all the work went to waste (according to their FB page). But they would have had the correct textures, I think, like the second one.

I personally would like to know how you actually find the key. By my theory, a breakpoint on the function CreateFile which opens the fileindex, and then it should already be loaded in memory, but no luck finding it sadly xD

I mean, if you want to get a driver's license and your teacher drives you from A to B it's nice, but in the end you want to know how to drive, if you get what I mean by this analogy :)

Either way, thanks for your time :D

x1nixmzeng commented 5 years ago

I don't have any of my old tools handy either, so let's figure this out bit by bit.

If your CreateFile breakpoint didn't hit, did you figure out you need to pass in the 'launcher' arguments to Raiderz.exe?

00D5143A . 68 98EBE900 PUSH Raiderz_.00E9EB98 ; ASCII "Raiderz.exe login %s"

If you pass that in as the command line you can begin debugging.

CreateFile is a good place to start. The open call to fileindex.msf is here:

0062FB64  |. 68 E0698F00    PUSH Raiderz.008F69E0                    ; /Arg1 = 008F69E0 ASCII "fileindex.msf"
0062FB69  |. 8B0D 2057DE00  MOV ECX,DWORD PTR DS:[DE5720]            ; |Raiderz.009CE348
0062FB6F  |. E8 CC430000    CALL Raiderz.00633F40                    ; \Raiderz.00633F40

There's quite a bit happening before the data is read.

Can you figure out what this function is doing?

00630E60 >/$ 56             PUSH ESI

Hint:

00630E81  |> 8A4C10 FF      /MOV CL,BYTE PTR DS:[EAX+EDX-1]          ;  last but one
00630E85  |. 8B6E 04        |MOV EBP,DWORD PTR DS:[ESI+4]
00630E88  |. 8BD8           |MOV EBX,EAX
00630E8A  |. D0E9           |SHR CL,1
00630E8C  |. 81E3 FFFF0000  |AND EBX,0FFFF
00630E92  |. 320C2B         |XOR CL,BYTE PTR DS:[EBX+EBP]
00630E95  |. 300C10         |XOR BYTE PTR DS:[EAX+EDX],CL
00630E98  |. 83E8 01        |SUB EAX,1
00630E9B  |.^75 E4          \JNZ SHORT Raiderz.00630E81

x1nixmzeng commented 5 years ago

I just spotted how old this client is.... and it predates the methods in this tool.

Instead, use my tool (which supports repacking) here: https://github.com/x1nixmzeng/rzfswizard

GAFO commented 5 years ago

I think I found it: https://i.gyazo.com/eff3225613d7fc00f5e3b063a482d343.png

Thanks for the explanation; since I'm bad with asm, I'd rather use the IDA function which converts it to readable code :)

Alright, I will check out that wizard as well and give it a try, thanks a lot :D

EDIT: that wizard works for that version, but it only lets me replace files, not extract them :o

x1nixmzeng commented 5 years ago

Yup, that looks right. The wizard is written in Pascal but contains the source code you need to port it to something else.

That section of code basically XORs the file with a generated table (of 65,535 bytes) then decompresses it.
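As an added example (not code from this thread, from z3ResEx or from rzfswizard), here is the loop at 00630E81 from the earlier comment transcribed instruction by instruction into Python, together with the forward-running inverse so the round trip can be checked. The disassembly shows only the per-byte masking: the index is masked with AND 0xFFFF, so the table must cover 0x10000 indices; the previous byte is read with SHR CL,1 and XORed with a table byte before being XORed into the current byte; and because EAX counts down and the loop exits at 0, byte 0 is not touched inside the loop. Everything else is an assumption and is labelled as such in the code: `make_demo_table` is a placeholder LCG, since the thread does not show how the client generates its table; whatever happens to byte 0 outside the loop is not visible, so it is left unchanged; and the decompression step that follows decryption is not included.

```python
"""Python transcription of the Raiderz fileindex.msf XOR loop at 00630E81.

Added example, not code from the issue thread, z3ResEx or rzfswizard. The
table contents, the treatment of byte 0 outside the loop and the
decompression that follows are NOT shown on the page; the parts that stand
in for them below are assumptions and are marked as such.
"""

TABLE_SIZE = 0x10000  # AND EBX,0FFFF: the table index is 16 bits wide


def make_demo_table(seed: int = 0x5EED) -> bytes:
    """ASSUMPTION: a stand-in table.

    The client generates its own table by a method the thread does not show.
    Any 0x10000-byte table makes the loop below round-trip, which is all
    this demonstration needs; this one is a plain LCG so it is reproducible.
    """
    state = seed & 0xFFFFFFFF
    table = bytearray(TABLE_SIZE)
    for i in range(TABLE_SIZE):
        state = (state * 1103515245 + 12345) & 0xFFFFFFFF
        table[i] = (state >> 16) & 0xFF
    return bytes(table)


def xor_decrypt(buf: bytes, table: bytes) -> bytes:
    """Mirror of the disassembled loop.

    Register mapping: EAX = byte index, EDX = buffer base, [ESI+4] = table
    pointer. EAX starts at len-1 and the loop exits when SUB EAX,1 reaches
    zero, so i runs len-1 .. 1. Byte 0 is not modified here (ASSUMPTION:
    whatever the client does with it outside this loop is not on the page).
    Running backwards means data[i-1] is still ciphertext when it is read.
    """
    if len(table) < TABLE_SIZE:
        raise ValueError("table must cover every 16-bit index (0x10000 bytes)")
    data = bytearray(buf)
    for i in range(len(data) - 1, 0, -1):
        cl = data[i - 1]            # MOV CL, BYTE PTR [EAX+EDX-1]  ("last but one")
        cl >>= 1                    # SHR CL, 1
        cl ^= table[i & 0xFFFF]     # AND EBX,0FFFF ; XOR CL, BYTE PTR [EBX+EBP]
        data[i] ^= cl               # XOR BYTE PTR [EAX+EDX], CL
    return bytes(data)


def xor_encrypt(buf: bytes, table: bytes) -> bytes:
    """Inverse of xor_decrypt (derived here, not taken from the page).

    Going forward makes data[i-1] already be ciphertext when data[i] is
    masked, which is exactly what the backward-running decryptor reads.
    """
    if len(table) < TABLE_SIZE:
        raise ValueError("table must cover every 16-bit index (0x10000 bytes)")
    data = bytearray(buf)
    for i in range(1, len(data)):
        data[i] ^= (data[i - 1] >> 1) ^ table[i & 0xFFFF]
    return bytes(data)


if __name__ == "__main__":
    demo_table = make_demo_table()
    # Constructed sample payload; a real fileindex.msf would then be
    # decompressed, which this example does not do.
    plain = b"constructed sample payload " * 4
    cipher = xor_encrypt(plain, demo_table)
    assert xor_decrypt(cipher, demo_table) == plain
    print(cipher.hex())
```

The chaining term is the only reason the direction matters: each byte is masked with a shifted copy of its predecessor's ciphertext, so decrypting in the forward direction would feed plaintext into the mask and corrupt every byte after the first. Swap `make_demo_table` for a table dumped from the running client (or from a port of the wizard's generator) and the loop is unchanged.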

GAFO commented 5 years ago

Alright, well, so the key is basically the table, meaning the bytes in it. Seems to be a bit big for a key, but as long as it works xD

By the way, we always talk about one key. On RageZone I saw an unpacker which had a private and a public key, so it confused me a bit. I think it was this one: https://github.com/toptaran/rzpacker

But there is normally only one key per client, or am I missing something?

x1nixmzeng commented 5 years ago

This client doesn't use keys. It's using a large XOR table (which can be generated) and a standard compression algo.

And that link is a port of my tool in this repo to Java :)

GAFO commented 5 years ago

Ah okay, so there are clients which use a key and clients which use the XOR table. Now I somehow get a feeling of understanding :)

By the way, since you are an expert at reversing (I'm just a programmer, a noob in RE .. xD), do you think you could have a look into the other client I linked, or would it be too much trouble or unethical? Because WildZ, as an example, closed down and now their work is lost; it would be good to have the fixed textures etc. of the other newer client before it eventually closes too. No one has a magic glass ball to see the future, if you know what I mean :o

edit: By the way, in the Pascal wizard I can only find one big byte array, and that's in the UI.dfm, which is most likely not the key since it says Picture.Data and is in the UI O.o Since I don't know anything about Pascal, I just opened all the files with Notepad++ and didn't see another array; maybe I was blind, though.

edit2: nvm, found all I think :)