Exetools  

Go Back   Exetools > General > Source Code
Reload this Page [C#] EADRM Encryptions & Few notes...
Register Forum Rules FAQ Calendar

Notices

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1  
Old 03-29-2016, 03:00
n00b n00b is offline
Friend
  
Join Date: Mar 2009
Posts: 44
Rept. Given: 18
Rept. Rcvd 25 Times in 14 Posts
Thanks Given: 11
Thanks Rcvd at 61 Times in 20 Posts
n00b Reputation: 26
[C#] EADRM Encryptions & Few notes...
Well, first off - there are 2 major "encryptions" used in EADRM;
.PAR - the parameter file which contains the parameters the DRM itself reads, and uses together with the cipher-key found in the .DLF (the decryption information key file)...

.PAR is "encrypted" with a simple Xor encryption w/key:

Code:
        private static byte[] Xor(byte[] orgBytes, byte[] keyBytes)
        {
            for (var i = 0; i < orgBytes.Length; i++)
            {
                orgBytes[i] = (byte)(orgBytes[i] ^ keyBytes[i % keyBytes.Length]);
            }
            return orgBytes;
        }
Key is static and ALWAYS: q@pO3o#5jNA6$sjP3qwe1


.DLF is encrypted (yes, really encrypted) with AES-CBC w/zero padded IV:
(also static Key by the way...)

Code:
        private static string AesDecrypt(this byte[] cryptText)
        {
            using (var aes = new RijndaelManaged
            {
                BlockSize = 128,
                KeySize = 128,
                Padding = PaddingMode.Zeros,
                Mode = CipherMode.CBC,
                Key = new byte[] { 0x41, 0x32, 0x72, 0x2D, 0xD0, 0x82, 0xEF, 0xB0, 0xDC, 0x64, 0x57, 0xC5, 0x76, 0x68, 0xCA, 0x09 },
                IV = new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
            })
            {
                var decryptor = aes.CreateDecryptor();
                var encrypted = cryptText;
                var planeText = new byte[encrypted.Length];
                using (var memoryStream = new MemoryStream(encrypted))
                {
                    using (var cryptStream = new CryptoStream(memoryStream, decryptor, CryptoStreamMode.Read))
                    {
                        cryptStream.Read(planeText, 0, planeText.Length);
                        return Encoding.ASCII.GetString(planeText).CleanInput();
                    }
                }
            }
        }
NOTES:

During my research towards making an unpacker for EADRM/OriginStub (without the need to patch any API's), I also discovered that there is currently 3 variations of the DRM/Stub:

Quote:
V1 OriginStub/EADRM:
--------------------
Signature: IREW
Special : Encrypted Code
Visible : OEP & IAT

V2 OriginStub/EADRM:
--------------------
Signature: AE64/XE34
Special : Encrypted Code + Fake .NET entrypoint + Calls Directly to Activation.dll
Also exists on 64bit compiled games!
Visible : OEP & IAT

V3 OriginStub/EADRM:
--------------------
Signature: Code is found inside .ooa section
Special : This variant is mostly used in combination with Denuvo!
Also, most Denuvo games are 64bit compiled!
Visible : Nothing

Oh, and no tools will be given for this - just enjoy these few findings and write your own tools
Last edited by n00b; 04-01-2016 at 03:52. Reason: Seems Command & Conquer has a slight different V2...
Reply With Quote
The Following User Gave Reputation+1 to n00b For This Useful Post:
niculaita (03-29-2016)
The Following 6 Users Say Thank You to n00b For This Useful Post:
chessgod101 (03-29-2016), e0qs (05-22-2016), gsaralji (12-10-2016), tonyweb (12-17-2016), zeytunak (03-31-2016)
 

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is On


All times are GMT +8. The time now is 02:11.

Aaron's homepage - Top

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( Since 1998 )