
Mobius Final Fantasy [Unity]


Maki:
mobiusff_Data/mobius_data/Hash/...
Compressed Unity3D standalone files with MD5 hash names
Openable/decompressible with UnityEx 1.4.3
After decompressing, real package name is at: 0x40. Example name: CAB-b90836_android (terminated with /0)

About fileformats:
MUSIC:
example: music_saranotheme.txt is in an AKB2 container. To make it a working OGG, delete 320 bytes from the start so the file starts with the OggS header. Voila

Textures:
DXT

AES crypt
e.g. assetList_hash_win.dat is AES crypted
AES128
IV :
--- Code: ---$MEVIUS-PROJECT#
--- End code ---
Key:
--- Code: ---SQUARE-ENIX-BD1%
--- End code ---
CipherMode: CBC
PaddingMode: ISO10126


assetList_hash_win.dat
Offset  Size      Description
0x00    16 bytes  AES IV - Treat as UTF8 bytes
0x16    varies    Compressed data
Deciphered:
Offset  Size           Description
0x00    4 bytes        Probably entries count
0x04    EntryCount*48  Entry
ENTRY:
Offset  Size          Description
0x00    40 bytes      ANSI file relative path
0x28    unsigned int  File revision (uint)
0x2C    int           File size

Example MD5 file names:
Text/CutScene/ev_0000_010/ev_0000_010TxtRes__jp

Full JP filelist:
http://cache.jp.mobiusfinalfantasy.com/asset/20170127_0007/mobius_data_middle/win/assetList_hash_win_JP.bin (unknown format, probably AES with default IV and key, too lazy to test. UPDATE: Nope, doesn't work)
http://cache.jp.mobiusfinalfantasy.com/asset/20170217_1633/mobius_data_middle/win/managementList_hash_win_JP.txt
http://cache.jp.mobiusfinalfantasy.com/asset/20170217_1633/mobius_data_middle/win/datasheetList_hash_win_JP.txt
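
The asset-list layout from the post above as a Go parser (an added example, not part of the original post or the game's code). It assumes the ciphertext starts right after the 16-byte IV, that integers are little-endian and that the plaintext is the entry table as listed; `Entry`, `ParseAssetList` and `Sample` are names chosen here, and the sample file is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

type Entry struct { // one 48-byte record
	Path     string // 0x00: 40 bytes, NUL-padded
	Revision uint32 // 0x28
	Size     int32  // 0x2C
}

var key, iv = []byte("SQUARE-ENIX-BD1%"), []byte("$MEVIUS-PROJECT#") // as posted
var block, _ = aes.NewCipher(key)                                    // cannot fail: 16-byte key

// ParseAssetList decrypts IV||ciphertext and decodes the entry table.
func ParseAssetList(file []byte) ([]Entry, error) {
	if len(file) < 32 || len(file)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("truncated or misaligned file (%d bytes)", len(file))
	}
	pt := make([]byte, len(file)-16)
	cipher.NewCBCDecrypter(block, file[:16]).CryptBlocks(pt, file[16:])
	pad := int(pt[len(pt)-1]) // ISO 10126: only this last byte is defined, filler is random
	body := len(pt) - pad - 4 // bytes left for entries after the count field and padding
	n := int(binary.LittleEndian.Uint32(pt))
	if pad < 1 || pad > aes.BlockSize || body < 0 || n < 0 || n > body/48 {
		return nil, fmt.Errorf("bad padding or entry count: wrong key/IV or corrupt data")
	}
	var out []Entry
	for rec := pt[4 : 4+48*n]; len(rec) > 0; rec = rec[48:] {
		name, _, _ := bytes.Cut(rec[:40], []byte{0}) // stop at the first NUL
		out = append(out, Entry{string(name), binary.LittleEndian.Uint32(rec[40:]),
			int32(binary.LittleEndian.Uint32(rec[44:]))})
	}
	return out, nil
}

func Sample() []byte { // constructed one-entry file, not real game data
	pt := append(append(make([]byte, 52, 64), bytes.Repeat([]byte{0xAA}, 11)...), 12)
	pt[0], pt[4+40], pt[4+44] = 1, 7, 99 // count 1, revision 7, size 99
	copy(pt[4:], "Hash/a1/constructed_win.unity3d")
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(pt, pt)
	return append(iv[:16:16], pt...) // IV first, then ciphertext
}

func main() { fmt.Println(ParseAssetList(Sample())) }
```

The 0xAA filler in `Sample` is there to show that an unpadding routine which expects every pad byte to equal the pad length rejects ISO 10126 data; only the final byte can be checked.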

Albeoris:
Decrypted Assembly-CSharp.dll (PC):
https://yadi.sk/d/dI9_Cqw_3ECdtr

Maki:

--- Quote from: Albeoris on 2017-02-17 10:24:18 ---Decrypted Assembly-CSharp.dll (PC):
https://yadi.sk/d/dI9_Cqw_3ECdtr

--- End quote ---

Thanks! What was the obfuscation?

EDIT: Oh, there's a debug menu. :D

Albeoris:

--- Quote from: Maki on 2017-02-17 11:44:15 ---Thanks! What was the obfuscation?

EDIT: Oh, there's a debug menu. :D

--- End quote ---
Idk, just dump the game process and look at the dump via HEX-editor. (:

Maki:
Okay, the AssetList_hash_win.dat is AES secured

IV = is the first 16 characters, grab them as ASCII to string and convert by Encoding.UTF8 to bytes
Key = Key is calculated from 64-bit library of NativeLibrary.dll, function getCryKey2. Gets one uint argument, which in code is passed as MainLoop.key (which is null uint)

Code is:

--- Code: ---.text:0000000180001020 arg_0           = dword ptr  8
.text:0000000180001020
.text:0000000180001020                 mov     [rsp+arg_0], ecx
.text:0000000180001024                 xor     edx, edx
.text:0000000180001026                 mov     r8d, 0FFFFFFFEh
.text:000000018000102C                 lea     r10, byte_18005B090
.text:0000000180001033                 lea     r9, byte_18005C950
.text:000000018000103A                 nop     word ptr [rax+rax+00h]
.text:0000000180001040
.text:0000000180001040 loc_180001040:                          ; CODE XREF: getCryKey2+57j
.text:0000000180001040                 lea     eax, [r8-1]
.text:0000000180001044                 mov     rcx, r8
.text:0000000180001047                 add     rdx, 2
.text:000000018000104B                 and     eax, 3
.text:000000018000104E                 and     ecx, 3
.text:0000000180001051                 add     r8d, 2
.text:0000000180001055                 movzx   eax, byte ptr [rsp+rax+arg_0]
.text:000000018000105A                 movzx   ecx, byte ptr [rsp+rcx+arg_0]
.text:000000018000105F                 xor     al, [rdx+r10-2]
.text:0000000180001064                 xor     cl, [rdx+r10-1]
.text:0000000180001069                 mov     [rdx+r9-2], al
.text:000000018000106E                 mov     [rdx+r9-1], cl
.text:0000000180001073                 cmp     rdx, 22h
.text:0000000180001077                 jl      short loc_180001040
.text:0000000180001079                 mov     rax, r9
.text:000000018000107C                 retn

--- End code ---

EDIT: The file names are casual MD5, nothing much
I'll try to hack into process and grab the key from memory

UPDATE: There's some exception protection, as it's throwing them like crazy when started (may be related to the webview of news), so it kind of kills my IDA64. Attaching to the process later, after the web activity has finished loading, doesn't trigger getCryKey2 anymore (it's only called at the semi-beginning to set the AESIV and AESKEY and is not used anymore). I'm still digging. Anyway, I found this:

--- Code: ---$MEVIUS-PROJECT#,SQUARE-ENIX-BD1%

--- End code ---

It has 33 characters
The managed code gets IntPtr to result of the getCryKey2, treats it via Marshal as ANSI text and splits to IV and key via string.split based on ',' character.
meaning, that this may be the secret key:
$MEVIUS-PROJECT# - for default IV
SQUARE-ENIX-BD1% - for default key
both have 16 characters, so 128bit, looks fine. Let's see..
@UPDATE

Yep:
AES128
IV : $MEVIUS-PROJECT#
Key: SQUARE-ENIX-BD1%
CipherMode.CBC
PaddingMode.ISO10126

What if they have seen that extracting Final Fantasy IX code was easy so they obfuscated the IL assembly and hid the key in AMD64 (x86-64) DLL?  8)
Well, the key is not really hidden. Just let Mobius run and generate the keys, then attach to the process, find the NativePlugins DLL and the getCryKey2 function, and jump to the byte array at getCryKey2+C. They don't flush the buffer after saving the key to managed Mevius.App.Api.AesKey and Mevius.App.Api.IV

@UPDATE3:
Found the dictionary for fileList, the two unknowns in entries are: fileRevision and fileSize

Content categories. First character is first hash name (not the files, it's far more complicated xD)

--- Code: --- "pc",
"mon",
"npc",
"weapon",
"guardian",
"fa",
"summon",
"test",
"exte"

--- End code ---


Now the server:
Sample HTTP 1.1 GET request for asset file:

--- Code: ---cache.jp.mobiusfinalfantasy.com/asset/20170217_1633/mobius_data_middle/win/Hash/a1/092b86e0aa0970e80dbc9bc152fbe3_win.unity3d
--- End code ---


Info file:
http://web.jp.mobiusfinalfantasy.com/asset/mobius_info_JP.txt
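
The getCryKey2 loop from the post above rewritten in Go, followed by the split into IV and key that the post describes for the managed code (an added example, not part of the original post). The contents of byte_18005B090 are not shown in the thread; `table` assumes it holds the posted 33-character string plus a NUL, and the function names are chosen here.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// table stands in for byte_18005B090. Assumption: it holds the posted
// 33-character string plus a terminating NUL (0x22 bytes in total).
var table = append([]byte("$MEVIUS-PROJECT#,SQUARE-ENIX-BD1%"), 0)

// GetCryKey2 mirrors the disassembled loop: two bytes per pass until rdx
// reaches 0x22, so out[i] = table[i] XOR byte (i+1)&3 of the argument.
func GetCryKey2(arg uint32) []byte {
	// mov [rsp+arg_0], ecx stores the argument little-endian on the stack.
	argBytes := [4]byte{byte(arg), byte(arg >> 8), byte(arg >> 16), byte(arg >> 24)}
	out := make([]byte, 0x22) // stands in for byte_18005C950
	r8 := uint32(0xFFFFFFFE)
	for rdx := 0; rdx < 0x22; {
		a := argBytes[(r8-1)&3] // lea eax, [r8-1] / and eax, 3
		c := argBytes[r8&3]     // mov rcx, r8 / and ecx, 3
		rdx += 2
		r8 += 2 // add r8d, 2 wraps from 0xFFFFFFFE to 0
		out[rdx-2] = a ^ table[rdx-2]
		out[rdx-1] = c ^ table[rdx-1]
	}
	return out
}

// SplitIVKey follows the post's description of the managed side: read the
// buffer as a NUL-terminated ANSI string and split it on ','.
func SplitIVKey(buf []byte) (iv, key []byte, err error) {
	if i := bytes.IndexByte(buf, 0); i >= 0 {
		buf = buf[:i]
	}
	parts := bytes.Split(buf, []byte(","))
	if len(parts) != 2 || len(parts[0]) != 16 || len(parts[1]) != 16 {
		return nil, nil, errors.New("expected two 16-byte fields separated by ','")
	}
	return parts[0], parts[1], nil
}

func main() {
	iv, key, err := SplitIVKey(GetCryKey2(0))
	fmt.Printf("iv=%q key=%q err=%v\n", iv, key, err)
}
```

With a zero argument the XOR is the identity, so the output buffer equals the static table; a non-zero argument only applies a repeating 4-byte mask.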
