Hacking Zip Passwords (C9)

Post by chrrox » Fri Aug 21, 2009 5:18 am

Here is a simple-to-follow guide that requires no knowledge of debugging.
You will need the following tools:
1. HxD or a hex editor that can open a program in RAM.
2. Cheat Engine or another program that can pause a process.
3. The game C9.

Step 1

Launch the game update program.

Step 2

Launch Cheat Engine.

Step 3

Set up the hot key to pause the process in Cheat Engine.

Step 4

Set the hot key to your choice (I chose 7).

Step 5

Click on the process list button (magnifying glass) in Cheat Engine until you see our process (Exlauncher.exe).
Do not attach to the process yet.

Step 6

This is what it will look like if you attach to the process in Cheat Engine and pause it.

Step 7

Log into C9 and, after you are logged in, attach to the process and pause it by hitting the key you assigned to that; it should look like this.

Step 8

Take note of the file name and the progress bar. When you see the file finish and the text change, pause the process so it looks close to this.

Step 9

Now that you have the process paused while it is extracting a file, open up HxD and choose open RAM.

Step 10

In the process list you will notice a new process that was created while the game was extracting the files (Launcher.exe),
so this must be what handles extracting the files, so let's attach to it.

Step 11

Now let's do a search for our file.

Step 12

We end up here. Take a look and see if anything looks odd.

Step 13

Take note of the long string that looks like it could be a password; it repeats 2x in this view.

Step 14

If I scroll a little further down it is still repeating, so it seems like we have our number.

Step 15

Try our password on the zip file and it works.
I will post some more advanced tutorials if there is a demand for it; let me know.

Code:

66b4427013838ceb5b275d5ba884b0ed9df353e0dc6220955e008d9d

Post by Mr.Mouse » Fri Aug 21, 2009 7:35 am

This could come in handy for some users. Thanks for posting your method!

Post by shekofte » Wed Aug 26, 2009 1:00 pm

I have a question, please.
I considered that data in RAM is usually kept in fragmented form!
When we open the memory assigned to a process in a hex editor, does it defragment it and show it to us in its integrated form?
Many thanks, Master

Post by evilpie » Sat Mar 06, 2010 2:27 pm

Data in RAM is normally not fragmented.

For example, if you alloc 200 bytes of memory for a password, the whole memory is one block.
But when you alloc memory again, it could be directly behind the other block or somewhere else entirely; you just don't know.

Post by GenericRipper » Wed Apr 21, 2010 1:33 pm

There's a game that also uses a password-protected ZIP, Metal Drift. I tried your method and found some repeating text, but it doesn't work as a password! To be honest, "game.zip" wasn't actually written inside the launcher.exe, but I decided to check it out because of its periodicity.

Post by aluigi » Wed Apr 21, 2010 2:42 pm

because this method is not universal.
for example in Metal Drift Demo the key is 37493752032567301837 and I used the classical method to find it:

Code:

- signsrch -e MetalDriftDemo.exe
  0042b6f8 2273 function where is handled the ZipCrypto password [32.le.12&]
- launched the game with ollydbg and set breakpoint at offset 0042B6F0 (that is the starting of the function)
- olly breaks and the password is clearly visible
if the game can't be debugged easily you can even place a byte 0xcc at 3 bytes before the offset reported by signsrch, the debugger will popup immediately when the game will crash.

while if the game executable is encrypted you can launch signsrch when the game is running:
signsrch -P MetalDriftDemo.exe
and then attach olly to the process or write a simple writeprocessmemory tool for placing the 0xcc byte in the process

let us know if the key for the full game differs from the one of the demo.

oh I forgot the link to signsrch:
http://aluigi.org/mytoolz.htm#signsrch

Post by GenericRipper » Wed Apr 21, 2010 6:24 pm

Thanks for a quick response, at least one of my problems is solved now. And the key you gave me fits the full version ZIP too.

Post by Klaster » Sun Apr 25, 2010 10:29 am

Can someone help me with another ZIP password protected game? It's called Beat Hazard.

I already found this in hge.dll (beforehand unpacked with UPX):
000042ac 2273 function where is handled the ZipCrypto password [32.le.12&]
But no idea what is next.

Post by aluigi » Sun Apr 25, 2010 10:50 am

  • be sure to have ollydbg installed and that it's set as "Just-in-time debugger":
    select "Options->Just-in-time debugging"
    click on "Make Ollydbg just-in-time debugger"
  • open hge.dll with a hex editor (make a backup before)
  • go to offset 0x42a9
  • place the byte 0xcc there
  • save the file and start the game
  • windows will show an error dialog, press CANCEL
  • when ollydbg starts watch in the right-down window (aka "stack window")
  • the password should be one of the first text strings visible in that list
keep us updated if everything worked as expected... and naturally let us know the password :)

Post by Klaster » Sun Apr 25, 2010 11:52 am

So, the password is lippylippy, lol. aluigi, thanks for help!
Packing whole resources back into ZIP also works fine, see the attachment.

Post by Mr.Mouse » Tue Apr 27, 2010 10:49 pm

Excellent everyone! :)

Post by aluigi » Fri May 14, 2010 12:36 pm

example of how to get the password of Metal Drift using only signsrch 0.1.6 (yeah a fresh new release) and partially ollydbg (partially because it's set only as JIT debugger so it has only the "display" purpose, you don't need to "touch" it):
http://aluigi.org/video/zipcrypto_example.avi

Post by merlinsvk » Mon Feb 28, 2011 10:28 pm

Hey guys,
What to do in this case:

Code:

signsrch -F hge.dll
10009f09 2273 function where is handled the ZipCrypto password [32.le.12&]
- subtracted 3 bytes => 10009F06
- open hge.dll in HxD, Ctrl+G, 10009F06, HxD wrote that the file doesn't contain that offset (it ends at 0x4BFFFF)

It's from game Akhra The Treasures and I would like to find password for its data.zip

Thanks in advance

Post by aluigi » Tue Mar 01, 2011 12:43 pm

10009f09 is the memory address assigned to that instruction in hge.dll when it's loaded by Windows.
if you are lucky you should find the relative file offset at 0x9f09 of the file.
otherwise use an rva2file offset tool like my quickrva:
http://aluigi.org/mytoolz.htm#quickrva
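
The address-to-offset conversion described in the post above, as an added example that is not part of the original thread and is not quickrva's code: it reads the PE section table and maps a loaded-image address to a file offset. The function names, the image base 0x10000000 and both section layouts are assumptions constructed for illustration; the real hge.dll layout is not shown in the thread.

```python
import struct

def va_to_file_offset(pe: bytes, va: int) -> int:
    """Map a virtual address in a loaded PE image to its offset in the file."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, pe_off + 6)
    opt = pe_off + 24                                         # optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                                        # PE32
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:                                      # PE32+
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic")
    rva = va - image_base                                     # address relative to load base
    for i in range(nsec):
        vsize, vaddr, rsize, rptr = struct.unpack_from(
            "<4I", pe, opt + opt_size + 40 * i + 8)
        if vaddr <= rva < vaddr + max(vsize, rsize):
            if rva - vaddr >= rsize:
                raise ValueError("address has no bytes on disk")
            return rptr + (rva - vaddr)
    raise ValueError("address is not inside any section")

def build_sample_pe(image_base, sections):
    """Constructed PE32 headers only (no real DLL content).
    sections: list of (name, vsize, vaddr, rawsize, rawptr)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, len(sections),
                       0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)
    table = b"".join(struct.pack("<8s4I16x", *s) for s in sections)
    return dos + coff + bytes(opt) + table

# Assumed values: image base 0x10000000 and both section layouts are constructed.
IMAGE_BASE = 0x10000000
ALIGNED = build_sample_pe(IMAGE_BASE, [(b".text", 0xF000, 0x1000, 0xF000, 0x1000)])
SHIFTED = build_sample_pe(IMAGE_BASE, [(b".text", 0xF000, 0x1000, 0xF000, 0x400)])

if __name__ == "__main__":
    print(hex(va_to_file_offset(ALIGNED, 0x10009F09)))  # raw data sits at the RVA
    print(hex(va_to_file_offset(SHIFTED, 0x10009F09)))  # raw data starts at 0x400
```

In the first layout the section's raw data starts at the same offset as its RVA, which is the "lucky" case where the file offset is simply 0x9f09; in the second the two differ and only the section table gives the right answer.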

Post by aluigi » Tue Mar 01, 2011 1:14 pm

the password of the data.zip in "Akhra - The Treasures" is 2yKJ6KhRJKJ/18J5
found in less than one minute :)
