Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
 Post subject: Race wtcc research
PostPosted: 03 Oct 2007 10:57 

Joined: 03 Oct 2007 10:31
Posts: 4
In the research section I found a zip about Race WTCC. What is it?


 
 
 Post subject:
PostPosted: 03 Oct 2007 11:15 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
wtcced is a program which decrypts and encrypts the files used in the Race WTCC and Race 07 games, useful in case you want to modify them, like the .plr file containing information and settings of your player or the various data files like .gmt, .trk and so on.

Using it is very simple since it automatically decrypts the file if it's encrypted and vice versa, like in the following examples:

decrypt:
wtcced username.plr plain.txt

encrypt:
wtcced plain.txt username.plr

Note that when you use the encryption sometimes it is needed to specify the encryption type, which is 1 by default (all the information about the type of the original encrypted file is shown during the decryption process), so if you are working on the .plr file of Race 07 you need to use:

wtcced -v 2 plain.txt username.plr

or

wtcced -v 3 plain.gmt sr4_hood_a.gmt


 
 Post subject:
PostPosted: 03 Oct 2007 13:25 

Joined: 03 Oct 2007 10:31
Posts: 4
Thanks a lot, but how do you know the encryption algorithm?


 
 Post subject:
PostPosted: 03 Oct 2007 14:51 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
The algorithm is blowfish so it's easy to find due to its tables.
Then for the key it's enough to set a breakpoint at the initialization of the blowfish algorithm and it's done.

For example this is what signsrch finds in the Race 07 demo executable:

offset num description [bits.endian.size]
--------------------------------------------
00353340 83 CRC-32-IEEE 802.3 poly 0x04C11DB7 [32.le rev.1024]
0055d270 190 Blowfish bfp table [32.le.72]
0055d2b8 192 Blowfish ks0 table [32.le.1024]
0055d6b8 194 Blowfish ks1 table [32.le.1024]
0055dab8 196 Blowfish ks2 table [32.le.1024]
0055deb8 198 Blowfish ks3 table [32.le.1024]
002e103e 289 MD5 digest [32.le.272&]
0056f0e8 309 padding used in hashing algorithms (0x80 0 ... 0) [..64]
0055d290 325 Haval hash pass2 [32.le.128&]
00353df8 357 Zlib dist_code [..512]
00353ff8 358 Zlib length_code [..256]
003540f8 359 Zlib base_length [32.le.116]
00354170 361 Zlib base_dist [32.le.120]
002bb12f 567 classical random incrementer 0x343FD 0x269EC3 [32.le.8&]
003540f8 1085 Rar29 LDecode [32.le.112]
002e103e 1287 RIPEMD-128 InitState [32.le.16&]
0055d270 1299 Haval init [32.le.32&]
0055d310 1301 Haval mc3 [32.le.128]
0055d390 1303 Haval mc4 [32.le.128]
0055d410 1305 Haval mc5 [32.le.128]
0055d3f0 1451 HAVAL1_DS [32.le.32]
0055d370 1453 HAVAL2_DS [32.le.32]
00354310 1523 zinflate_lengthStarts [32.le.116]
003537b0 1525 zinflate_lengthExtraBits [32.le.116]
0035438d 1526 zinflate_lengthExtraBits [32.be.116]
00354410 1527 zinflate_distanceStarts [32.le.120]
00353828 1529 zinflate_distanceExtraBits [32.le.120]
00353825 1530 zinflate_distanceExtraBits [32.be.120]
0055d2b8 1561 Blowfish_s_init [32.le.4096]


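The post above identifies Blowfish from its constant tables. The following is an added example (not signsrch, nor any code from this thread) showing the idea behind that kind of scan: search a binary for the leading words of well-known tables in both byte orders and report offsets the way signsrch does. The constants are the published ones (Blowfish's P-array is initialised from the hex digits of pi, its first S-box starts 0xD1310BA6, and zlib's reflected CRC-32 table starts 0x00000000, 0x77073096); the sample "executable" is constructed inline, and the command-line file argument is an assumption.

```python
import struct
import sys

# Leading words of well-known algorithm tables (taken from the published
# constants, not from signsrch's own database). Blowfish initialises its
# P-array from the hexadecimal digits of pi, so P[0..3] are 0x243F6A88,
# 0x85A308D3, 0x13198A2E, 0x03707344; its first S-box starts 0xD1310BA6 ...
# The CRC-32 entry is the first four words of the reflected-polynomial
# (0xEDB88320) lookup table used by zlib.
SIGNATURES = {
    "Blowfish P-array (pi digits)": (0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344),
    "Blowfish S-box 0": (0xD1310BA6, 0x98DFB5AC, 0x2FFD72DB, 0xD01ADFB7),
    "CRC-32 reflected table": (0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA),
}


def signature_bytes(words, endian):
    """Pack 32-bit words as they would be laid out in a binary of the given endianness."""
    fmt = ("<" if endian == "le" else ">") + "I" * len(words)
    return struct.pack(fmt, *words)


def scan(data):
    """Return a sorted list of (offset, table name, endianness) for every
    known table prefix found in `data`, trying both byte orders like signsrch."""
    hits = []
    for name, words in SIGNATURES.items():
        for endian in ("le", "be"):
            needle = signature_bytes(words, endian)
            pos = data.find(needle)
            while pos >= 0:
                hits.append((pos, name, endian))
                pos = data.find(needle, pos + 1)
    return sorted(hits)


def format_report(hits):
    """Render hits in a signsrch-like 'offset description [bits.endian]' layout."""
    return [f"{off:08x} {name} [32.{endian}]" for off, name, endian in hits]


def build_sample():
    """Constructed stand-in for an executable: zero filler with the Blowfish
    P-array at 0x40 (little-endian) and S-box 0 at 0x100 (big-endian)."""
    buf = bytearray(0x200)
    buf[0x40:0x50] = signature_bytes(SIGNATURES["Blowfish P-array (pi digits)"], "le")
    buf[0x100:0x110] = signature_bytes(SIGNATURES["Blowfish S-box 0"], "be")
    return bytes(buf)


if __name__ == "__main__":
    # With a path argument (assumed usage), scan that file; otherwise scan the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for line in format_report(scan(data)):
        print(line)
```

Matching only the first few words keeps the scan fast while still distinguishing Blowfish from, say, Haval, whose tables overlap the same pi digits (signsrch reports both, as the listing above shows); the offset of a hit is the address you cross-reference in the disassembler to reach the key-setup routine the post mentions.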
 
 Post subject:
PostPosted: 03 Oct 2007 15:34 

Joined: 03 Oct 2007 10:31
Posts: 4
Mmm ok, I'm not an expert... I understand a little.... sorry for my English... I'm Italian


 
 Post subject:
PostPosted: 03 Oct 2007 16:29 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Oh heck, an Italian living in the Netherlands?
Anyway, if you like we can also talk in Italian heh heh heh


 
 Post subject:
PostPosted: 04 Oct 2007 10:58 

Joined: 03 Oct 2007 10:31
Posts: 4
The Netherlands?

Yes, Italian is better!

I understood that you saw in the code of the demo's exe that there is the blowfish init string and so you figured out it used that algorithm to encrypt.
But I haven't understood how to recover the key :-(


 
 Post subject:
PostPosted: 04 Oct 2007 12:18 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
ah no, I think it was me who got confused about the Netherlands... damned overlapping thoughts heh heh heh

Anyway, once you know where the blowfish functions are located you have to follow the program with a debugger to understand when the key is passed (init) and of course what it is.
Let's say this is the slightly longer and sometimes boring part


 
 Post subject:
PostPosted: 04 Oct 2007 15:22 
But first I have to decompile the exe, what do you use?
Could SoftIce do the job for me?


 
 Post subject:
PostPosted: 04 Oct 2007 16:14 
ollydbg (http://www.ollydbg.de) or immudbg (http://www.immunitysec.com/products-immdbg.shtml) to debug the process.
They're free so throw SoftIce away heh heh heh

But why are you interested in debugging wtcc?
the algorithm and the keys are public anyway


 
 Post subject:
PostPosted: 22 Oct 2007 09:57 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
How to extract multiple files in one shot?

Download the find.exe tool from here:

http://gnuwin32.sourceforge.net/downlin ... in-zip.php

and use it as in the following example:

c:
cd "\program files\Race - The WTCC Game\gamedata"
find -exec c:\wtcced.exe "{}" "c:\decrypt\{}" ;
or
find -iname "*.dds" -exec c:\wtcced.exe "{}" "c:\decrypt\{}" ;

the first step allows us to enter the WTCC gamedata folder,
then we find all the files and execute c:\wtcced.exe on each of them,
or we do it only for the dds files.

Note that on Linux you must use \; instead of ; at the end of the find command.


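The post above batches wtcced over a whole folder with find -exec. As an added example (not the wtcced_all.bat attached later in the thread, nor any code by the thread's author), the script below does the same job in Python: it walks the GameData tree, recreates the layout under a decrypt folder, and runs wtcced on every file, or only on files with a chosen extension (the -iname "*.dds" case). The wtcced.exe location is an assumption, and the `runner` parameter lets the self-check exercise the walk offline with a constructed tree and a copy in place of the real tool.

```python
import shutil
import subprocess
import tempfile
from pathlib import Path

# Assumed location of the tool (the thread later keeps everything in c:\wtcced).
WTCCED = r"c:\wtcced\wtcced.exe"


def run_wtcced(src: Path, dst: Path) -> int:
    """Invoke wtcced exactly as in the thread: wtcced <input> <output>.
    The tool auto-detects whether the input is encrypted, so every file can
    be fed through it. Returns the process exit code."""
    return subprocess.call([WTCCED, str(src), str(dst)])


def decrypt_tree(src_root, dst_root, suffix=None, runner=run_wtcced):
    """Mirror the layout of src_root under dst_root and run `runner` on each
    file, optionally only those whose extension equals `suffix` (e.g. '.dds').
    Unlike the one-line find command, the destination folder is created
    first. Returns a sorted list of (relative path, exit code)."""
    src_root, dst_root = Path(src_root), Path(dst_root)
    results = []
    for src in src_root.rglob("*"):
        if not src.is_file():
            continue
        if suffix and src.suffix.lower() != suffix.lower():
            continue
        rel = src.relative_to(src_root)
        dst = dst_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        results.append((rel.as_posix(), runner(src, dst)))
    return sorted(results)


def self_check():
    """Offline exercise on a constructed GameData tree, using a runner that
    copies the file in place of wtcced. Returns (all_files, dds_only, bytes_match)."""
    def copy_runner(src, dst):
        shutil.copyfile(src, dst)
        return 0

    with tempfile.TemporaryDirectory() as tmp:
        game = Path(tmp) / "GameData"
        (game / "Locations").mkdir(parents=True)
        # Constructed placeholder contents, not real game data.
        (game / "Locations" / "track.trk").write_bytes(b"constructed-enc-1")
        (game / "car.dds").write_bytes(b"constructed-enc-2")
        (game / "notes.txt").write_bytes(b"constructed-enc-3")
        out_all = Path(tmp) / "decrypt" / "GameData"
        out_dds = Path(tmp) / "decrypt_dds" / "GameData"
        all_files = decrypt_tree(game, out_all, runner=copy_runner)
        dds_only = decrypt_tree(game, out_dds, suffix=".dds", runner=copy_runner)
        bytes_match = (out_all / "Locations" / "track.trk").read_bytes() == b"constructed-enc-1"
    return all_files, dds_only, bytes_match


if __name__ == "__main__":
    print(self_check())
```

For real use, call decrypt_tree(r"c:\wtcced\GameData", r"c:\wtcced\decrypt\GameData") with the default runner; a non-zero exit code in the returned list marks a file wtcced rejected (for example an unsupported file version), which the find -exec one-liner would only show as scrolling output.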
 
 
 Post subject:
PostPosted: 21 Nov 2007 12:30 

Joined: 21 Nov 2007 12:15
Posts: 3
hi, I have a problem using that command, it says something like a missing libintl3.dll, can you make a batch file to make a noob user's life a bit easier :)

thanks


 
 Post subject:
PostPosted: 21 Nov 2007 13:39 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
The DLL required by find.exe is available here:

http://gnuwin32.sourceforge.net/downlin ... in-zip.php

about the .bat file, check the attached one I have created just now and follow these steps:

- rename the attached file as wtcced_all.bat
- create a new folder in C: called wtcced (c:\wtcced\)
- copy your GameData folder in C:\wtcced
- copy wtcced_all.bat, wtcced.exe, find.exe and libintl3.dll in c:\wtcced
- execute wtcced_all.bat
- at the end of the process you will see a new folder called decrypt (c:\wtcced\decrypt) containing a new GameData folder with ALL the decrypted files


Attachments:
wtcced_all.bat.txt [482 Bytes]
 
 Post subject:
PostPosted: 21 Nov 2007 14:31 

Joined: 21 Nov 2007 12:15
Posts: 3
wow... that was fast, I've tried that but now it says it misses the libiconv2.dll, I'm trying to search for that dll on google but no success till now :(


 
 Post subject:
PostPosted: 21 Nov 2007 15:02 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
libiconv is here:
http://gnuwin32.sourceforge.net/downlin ... in-zip.php

If you need other files take them from the gnuwin32 website:

http://gnuwin32.sourceforge.net/packages.html


 
 Post subject:
PostPosted: 21 Nov 2007 16:07 

Joined: 21 Nov 2007 12:15
Posts: 3
It worked fine Luigi, thanks a lot, and thanks again for answering so fast.


 
 Post subject: GTL
PostPosted: 17 Dec 2007 18:39 

Joined: 17 Dec 2007 18:37
Posts: 5
Did you try to decrypt GT Legends files? Should be a similar algorithm, but hasn't been cracked yet.


 
 Post subject:
PostPosted: 18 Dec 2007 09:51 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
The algorithm is probably just the same (GTR2 too) but the key is different and I don't know it


 
 Post subject:
PostPosted: 19 Dec 2007 05:17 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
well I didn't read every post here, but are the car ''setting'' files there too? .. so I can change vehicle specs? (top speed, number of gears ..etc)... I don't have the game installed right now, so I can't look.


 
 Post subject:
PostPosted: 20 Dec 2007 13:10 

Joined: 17 Dec 2007 18:37
Posts: 5
aluigi wrote:
The algorithm is probably just the same (GTR2 too) but the key is different and I don't know it


Is this because Starforce is blocking debuggers? Or do you just not own the game?


 
 Post subject:
PostPosted: 20 Dec 2007 13:15 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
the first one


 
 Post subject:
PostPosted: 21 Dec 2007 08:45 

Joined: 17 Dec 2007 18:37
Posts: 5
There is always the possibility to try a brute force attack on the key. How much of a help would be the fact that we know part of the clear text, like for instance, all .trk files start with the sequence "CUBEASF", and all .gdb start with the track name?


 
 Post subject:
PostPosted: 21 Dec 2007 11:23 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I don't think it's possible (and I don't have the needed knowledge either)


 
 Post subject:
PostPosted: 23 Dec 2007 05:18 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
isn't it possible to get the game's source code from somewhere?


 
 Post subject: rFactor
PostPosted: 30 Jan 2008 21:19 

Joined: 17 Dec 2007 18:37
Posts: 5
Recently I found out that some rFactor files are also encrypted, for example the F1 BMW Sauber model. Do you know the key ?


 
 Post subject:
PostPosted: 30 Jan 2008 22:53 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I know the keys only for the Race WTCC games


 
 Post subject:
PostPosted: 22 Aug 2008 15:42 

Joined: 22 Aug 2008 15:38
Posts: 1
can't decrypt the new GTR addon for Race WTCC, it says "- file version 5" "Error: unsupported file version".
can you add support for the new file version?


 
 Post subject:
PostPosted: 22 Aug 2008 20:31 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I have just released version 0.2.2


 
 Post subject:
PostPosted: 23 Aug 2008 00:14 

Joined: 21 Aug 2008 19:45
Posts: 1
THX Luigi :)


 