Counter-Strike Online 2 (.PKG) Archive

[cra0]

Counter-Strike Online2
I'm not sure if anyone has looked at this at all.


Game: Counter-Strike Online2
Publisher: Nexon


EXE seems packed however you can dump it.



PKG files seem encrypted has a MD5 filename hash at the top i think



Only PKG reference I've found has one of the filenames hardcoded



Which has some decrypt function linked to it.
Not sure if it's related
http://www.openssl.org/docs/crypto/EVP_EncryptInit.html


EXE(PACKED)/(UNPACKED) plus pkg archives
https://www.dropbox.com/sh/dfs4mae81hi26mi/FLswZF_hvZ


Hope someone can help

[Ekey]

Well 1b87c6b551e518d11114ee21b7645a47.pkg - Encrypted main file contained list of avaible PKGs.

Structure only for this file:

Code: Select all

struct PKGHeader
{
	WORD	dwVersion;  // 0x01 0x00
	BYTE	bEncryption;  // ID of encrypt algorithm ( 1 - AES-128-CBC , 0 - BlowFish-CBC )
	BYTE	bFlag;  // 6
	DWORD  dwDataSize;
};

Key generating automaticly

Code: Select all

const char * pPKGName = "1b87c6b551e518d11114ee21b7645a47.pkg";

int __cdecl FileSystem_Init(int bFlag, int bEncryption, const char *pPKGName, int pScrBuffer, int dwSize, int pDstBuffer)
{
  int result;
  char pKey[16] = { 0 };

  if ( FileSystem_MakeKey((signed int)&bEncryption, (int)&pKey, pPKGName) == 1 )
  {
    result = FileSystem_Decrypt((int)&bFlag, pScrBuffer, dwSize, (int)&pKey, pDstBuffer);
  }
  else
  {
    printf("Error: Unable generate key!\n");
    result = 0;
  }
  return result;
}

Default algorithm is AES-128 in CBC mode.

Code: Select all

FileSystem_Decrypt

	static unsigned char pKey[16] = {0x51, 0xFE, 0xAA, 0x02, 0x43, 0x0A, 0xFE, 0xC6, 0xC2, 0x9E, 0x24, 0x24, 0x2B, 0x99, 0xFF, 0x77};
	EVP_CIPHER_CTX ctx;
	EVP_CIPHER_CTX_init(&ctx);
	cipher = EVP_aes_128_cbc();

	EVP_DecryptInit(&ctx, cipher, pKey, 0);
	EVP_DecryptUpdate(&ctx, pBuffer, (int*)&PKGHeader.dwSize, pBuffer, PKGHeader.dwSize);
	EVP_DecryptFinal(&ctx, pBuffer, (int*)&PKGHeader.dwSize);
	EVP_CIPHER_CTX_cleanup(&ctx);

And we get decrypted variant > here

Other PKGs also encrypted with AES, Key and IV generated by other functions > it's MD5 + custom passwords > kbuj37shgh&@4n!2; and [wospo-02i after generating key and iv they converted to string and using as key and iv.

[cra0]

Great work ekey

[Ekey]

Okay, what's next!..... We need generate key and iv for decrypt PKG data's. How it work:

1 ) Get any PKG
2 ) Get name from full path
3 ) Set Password 1
4 ) Calculate MD5 hash for Password 1
5 ) Set Password 2
6 ) Calculate MD5 hash for Password 2
7 ) Convert Password 1 Hash to string
8 ) Convert Password 2 Hash to string
9 ) Set KEY and IV
10 ) Decrypt with AES
11 ) Profit

Example:

Code: Select all

p_PKG_Path = "e:\Games\Counter-Strike Online 2\Data\006c2458c2c24beb0b08e45e1ea3874e.pkg";
char* p_PKG_Name = "006c2458c2c24beb0b08e45e1ea3874e.pkg"
char* p_PKG_Password_1 = "kbuj37shgh&@4n!2;";
char* p_PKG_Password_2 = "[wospo-02i";
char* p_PKG_Set_Password_1 = p_PKG_Password_1 + p_PKG_Name;
char* p_PKG_Set_Password_2 = p_PKG_Password_2 + p_PKG_Name;
char* p_PKG_Hash_Password_1[16]; // 6f24769ebe7c9acc6328ad7d3be1ebc3
char* p_PKG_Hash_Password_2[16]; // 4422261f9839d54f7fece6448b062522
string p_PKG_Key;
string p_PKG_Iv;

1 ) Open -> p_PKG_Path
2 ) Get Name -> p_PKG_Name
3 ) Set Password 1 -> p_PKG_Set_Password_1
4 ) Get MD5 hash from Password 1 =
    
    MD5Init(&ctx);
    MD5Update(&ctx, p_PKG_Set_Password_1, strlen(p_PKG_Set_Password_1));
    MD5Final(p_PKG_Hash_Password_1, &ctx);
   
5 ) Set Password 2 -> p_PKG_Set_Password_2
6 ) Get MD5 hash from Password 2 =

    MD5Init(&ctx);
    MD5Update(&ctx, p_PKG_Set_Password_2, strlen(p_PKG_Set_Password_2));
    MD5Final(p_PKG_Hash_Password_2, &ctx);

7 ) p_PKG_Key = 6f24769ebe7c9acc6328ad7d3be1ebc3
8 ) p_PKG_Iv = 4422261f9839d54f7fece6448b062522
9 ) Set Key / Iv and Decrypt data =

    p_PKG_Iv = 4422261f9839d54f7fece6448b062522 -> 7fece6448b062522 - also need reverse
    p_PKG_Key  = 6f24769ebe7c9acc6328ad7d3be1ebc3 -> 6f24769ebe7c9acc

    >>> pkg_aes_decrypt(int ctx, int pKey, int*pIV, int dwKeySize, int dwBlockSize) <<<

    pkg_aes_init(&context, pKey, pIv, 16, 16);

10 ) Lalalala ...... Done :)

Result

[oamio]

Omg, very good Elky, cra0

[aluigi]

@ekey can you take a look at the following script?
Unfortunately your examples don't match the steps you provide.

Code: Select all

get wVersion short
get bEncryption byte
get bFlag byte
get dwDataSize long

get p_PKG_Name filename
set p_PKG_Password_1 binary "hs2kbuj37shgh&@4n!2;"
set p_PKG_Password_2 binary "[wospo-02i"

string p_PKG_Set_Password_1 p= "%s%s" p_PKG_Password_1 p_PKG_Name
string p_PKG_Set_Password_2 p= "%s%s" p_PKG_Password_2 p_PKG_Name

encryption md5 p_PKG_Set_Password_1
print "%QUICKBMS_HEXHASH%"
string KEY l QUICKBMS_HEXHASH
string KEY >>= 16
print "key  %KEY% %p_PKG_Set_Password_1%"

encryption md5 p_PKG_Set_Password_2
print "%QUICKBMS_HEXHASH%"
string IVEC l QUICKBMS_HEXHASH
string IVEC << 16
#string IVEC r IVEC # reverse?
print "ivec %IVEC% %p_PKG_Set_Password_2%"

if bEncryption == 0
    encryption blowfish KEY IVEC
else
    encryption aes_128_cbc KEY IVEC
endif

savepos OFFSET
log "dump.dat" OFFSET dwDataSize

[Ekey]

Well this part not needed because it's only for 1b87c6b551e518d11114ee21b7645a47.pkg

Code: Select all

get wVersion short
get bEncryption byte
get bFlag byte
get dwDataSize long

In other PKGs with datas > Header is 32 bytes - just md5 hash null terminated string of full file.

PS: and yes my bad > password 1 -> kbuj37shgh&@4n!2;

Code: Select all

--------------------------------------
- SCRIPT's MESSAGE:
  6F24769EBE7C9ACC6328AD7D3BE1EBC3

- SCRIPT's MESSAGE:
  key  6f24769ebe7c9acc kbuj37shgh&@4n!2;006c2458c2c24beb0b08e45e1ea3874e.pkg

- SCRIPT's MESSAGE:
  4422261F9839D54F7FECE6448B062522

- SCRIPT's MESSAGE:
  ivec 7fece6448b062522 [wospo-02i006c2458c2c24beb0b08e45e1ea3874e.pkg

[Ekey]

Ok here correct one

Code: Select all

goto 0x21
savepos OFFSET
get SIZE asize
math SIZE -= 0x21

get p_PKG_Name filename
set p_PKG_Password_1 binary "kbuj37shgh&@4n!2;"
set p_PKG_Password_2 binary "[wospo-02i"
string p_PKG_Set_Password_1 p= "%s%s" p_PKG_Password_1 p_PKG_Name
string p_PKG_Set_Password_2 p= "%s%s" p_PKG_Password_2 p_PKG_Name

encryption md5 p_PKG_Set_Password_1
print "%QUICKBMS_HEXHASH%"
string KEY l QUICKBMS_HEXHASH
string KEY >>= 16
print "key  %KEY% %p_PKG_Set_Password_1%"

encryption md5 p_PKG_Set_Password_2
print "%QUICKBMS_HEXHASH%"
string IVEC l QUICKBMS_HEXHASH
string IVEC << 16
print "ivec %IVEC% %p_PKG_Set_Password_2%"

encryption aes_128_cbc KEY IVEC
log "dump.dat" OFFSET SIZE

After use script



Simple PKG in attach

[aluigi]

Thanks for the update Ekey.
But there are still a couple of things that don't work:

1)
how to decrypt 1b87c6b551e518d11114ee21b7645a47.pkg?
I tried the following but doesn't work:

Code: Select all

encryption aes_128_ecb "\x51\xFE\xAA\x02\x43\x0A\xFE\xC6\xC2\x9E\x24\x24\x2B\x99\xFF\x77"
log "dump.dat" 8 0x100

2)
the files in the archives (like those in 006c2458c2c24beb0b08e45e1ea3874e.pkg) are encrypted

[Ekey]

Thanks for the update Ekey.
But there are still a couple of things that don't work:

1)
how to decrypt 1b87c6b551e518d11114ee21b7645a47.pkg?
I tried the following but doesn't work:

Code: Select all

encryption aes_128_ecb "\x51\xFE\xAA\x02\x43\x0A\xFE\xC6\xC2\x9E\x24\x24\x2B\x99\xFF\x77"
log "dump.dat" 8 0x100

Hm i will check it later.

2)
the files in the archives (like those in 006c2458c2c24beb0b08e45e1ea3874e.pkg) are encrypted

Yeah files inside also encrypted. I guess it's AES but not sure.

PS: Also it is necessary while decrypt need align the blocks by 16 bytes each. I use XySSL and for correct decrypt need set XYSSL_PADLOCK_C and YSSL_HAVE_X86, otherwise the first and the last block will be in the form of trash like this >

[Ekey]

Thanks for the update Ekey.
But there are still a couple of things that don't work:

1)
how to decrypt 1b87c6b551e518d11114ee21b7645a47.pkg?
I tried the following but doesn't work:

Code: Select all

encryption aes_128_ecb "\x51\xFE\xAA\x02\x43\x0A\xFE\xC6\xC2\x9E\x24\x24\x2B\x99\xFF\x77"
log "dump.dat" 8 0x100

Strange because generated key is \x51\xFE\xAA\x02\x43\x0A\xFE\xC6\xC2\x9E\x24\x24\x2B\x99\xFF\x77
Try BlowFish

2)
the files in the archives (like those in 006c2458c2c24beb0b08e45e1ea3874e.pkg) are encrypted

Files data also encrypted with AES. As key using MD5 string from header

[Ekey]

[cra0]

11/10 Bravo

[Ekey]

Well final : how file data decrypting? it's easyyyyyyyyyy

Example:

FileName: cstrike/materials/dev/identitylightwarp.vtf
Extract Filename from full path: > identitylightwarp.vtf
Split with Password_3 > 37uh@!jsn;b
You get filename like > 37uh@!jsn;bidentitylightwarp.vtf
Now calculate md5 hash
Set output hash as key and iv
Read file data
Set Key/IV
Decrypt data
Save data
Profit! huh!

[Ekey]

Okay. Unpacker for tests > here

Enjoy!