Tutorial PoC: how to decrypt (and unpack) SRPGStudio data.dts if it is encrypted

notamuted

May 12, 2018
Note 1: What is described is just a proof of concept and is not intended to be a simple one-click solution.
Note 2: This "tutorial" covers the case where the game ships a genuinely encrypted data.dts. In other cases the SRPG-Studio-Extractor works as-is, without any of this.

1. Intro
To encrypt data.dts, SRPGStudio uses ARC4. In short: ARC4 generates a stream of bits (the keystream) and XORs it with the data to be encrypted. Decryption is performed the same way. So, to decrypt data.dts we need to either recover the key that seeds the bitstream generator or somehow obtain the bitstream itself.
Things to consider:
1) I was unable to restore the key (too lazy to dig that deep). But I believe it should be possible.
2) The extractor used in section 4 (SRPG-Studio-Extractor) can decrypt with the bitstream directly, so the key itself is not required.

2. DLL Proxy creator
For encryption and decryption SRPGStudio uses the Windows CryptoAPI (wincrypt), whose functions are exported from advapi32.dll.
There is a handy tool for this called DllProxyCreator. With it we can intercept any call into advapi32.dll. Since the DLL in question is a system DLL, only the tool's method 2 applies. The tool has its own tutorial, which I recommend reading.

2.1. Create the proxy
Download the tool, open it, select the CryptDecrypt function, select the vs2019 template, choose an output directory and click Generate. It will create a Visual Studio project for you. Open it (with Visual Studio, of course) and look at DllMain.cpp, which contains a skeleton of the CryptDecrypt function, and Forwarded.cpp.
Replace the skeleton with a CryptDecrypt hook along the lines described below:

To do the actual decryption (the XOR-ing part) SRPGStudio calls CryptDecrypt, and with this proxy we intercept that call. In that hook we allocate a buffer of 20000000 bytes (any other size can be used) filled with 0's and ask wincrypt to "decrypt" it. Because XOR with zero is the identity, what comes back is the bitstream (keystream) itself. We then write the bitstream to the filesystem and forward the call to the real CryptDecrypt function.
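As an added illustration (my own Python, not the hook code from the post), here is the XOR trick from sections 1 and 2.1 worked through with a toy ARC4: "decrypting" a zero-filled buffer returns the keystream, two dumps under the same key match (the check from section 3), and a dump long enough to cover the file decrypts it. The key and the sample "data.dts" contents are constructed.

```python
# Added example (my own code, not the hook from the post): a toy ARC4 that
# shows why "decrypting" an all-zero buffer returns the raw keystream and why
# one dump then unmasks everything encrypted under the same fixed key.
# The key and the sample "data.dts" contents below are constructed.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Produce `length` bytes of ARC4 keystream (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR against the keystream."""
    return xor_bytes(data, rc4_keystream(key, len(data)))

def dump_keystream_via_zeros(key: bytes, length: int) -> bytes:
    """What the hook does: have the cipher 'decrypt' zeros; 0 ^ k == k."""
    return rc4_crypt(key, bytes(length))

def dumps_agree(dumps) -> bool:
    """Sanity check from section 3: dumps under one fixed key are identical."""
    return len(set(dumps)) == 1

def decrypt_with_dump(keystream: bytes, ciphertext: bytes) -> bytes:
    """Apply a dumped keystream; refuse one too short to cover the file."""
    if len(keystream) < len(ciphertext):
        raise ValueError("dumped keystream is shorter than the ciphertext")
    return xor_bytes(ciphertext, keystream)

if __name__ == "__main__":
    key = b"Key"                                   # constructed demo key
    ct = rc4_crypt(key, b"Plaintext")              # constructed "data.dts"
    ks = dump_keystream_via_zeros(key, 64)         # stands in for dump_key*.bin
    assert dumps_agree([ks, dump_keystream_via_zeros(key, 64)])
    print(decrypt_with_dump(ks, ct))               # b'Plaintext'
```

Every file encrypted under one fixed ARC4 key with no per-file nonce shares this keystream, which is why a single dump is enough; a per-file key or an authenticated cipher would not leak this way.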

In Forwarded.cpp we must find the commented-out line #pragma comment(linker, "/export:CryptDecrypt=advapi32.CryptDecrypt,@1199") and replace it with #pragma comment(linker, "/export:CryptDecrypt=_CryptDecrypt@24"). This is needed because our function's symbol is decorated (_CryptDecrypt@24 is the __stdcall decoration for CryptDecrypt's six 4-byte arguments on Win32), unlike the original export. The added #pragma creates a properly named export that redirects the call to our function.

Now we can build the project. Be sure to select the Release configuration and the Win32 target (not x64): the game is a 32-bit process, which is why it loads advapi32.dll from SysWOW64.
After the build we have our own advapi32.dll, but we are not ready yet.

2.2. Patching the game.exe
The game will load the original advapi32.dll from C:\Windows\SysWOW64 no matter what we do, so we need to patch game.exe. How? Read the tool's tutorial. Tl;dr: in DllProxyCreator click the patch button, select game.exe, in "Original DLL File name" write advapi32.dll, in "Proxy DLL file Name" write advpro32.dll (or any other name of the same length, since the import name is overwritten in place), and then click Patch. Don't worry, the original game.exe will be backed up.
Now copy our advapi32.dll into the game folder and rename it to advpro32.dll. We are ready.

3. Getting the key/bitstream
Open the game, maybe load a save, view some images, etc. After that there will be a lot of "dump_key{number}.bin" files, and most of them will be identical to each other. These are our bitstreams, and they can be fed to SRPG-Studio-Extractor.

4. Using the key/bitstream to decrypt data.dts (finally!)
Now pick a few of these dump files (preferably later ones, and ones that differ from each other) and feed them to SRPG-Studio-Extractor. For example: java -jar ./srpgstudio-extractor-0.1.jar -K ./dump_key44.bin -T ./data.dts -U. It will decrypt data.dts (if you picked the correct dump file) and extract its contents.
NOTE: the extractor overwrites the data file when it decrypts it, i.e. if you used the wrong bitstream/key the data.dts file will be corrupted. So be sure to run the extractor on a copy of data.dts every time.

If everything went fine, you will get the decrypted contents (sounds/images/etc) of the data.dts. Finish. *clap* *clap*

------
I believe that not everyone has Visual Studio and wants to do all that programming stuff, so part 2.1 is actually skippable. Instead of building your own advapi32.dll/advpro32.dll, you can grab the one I built from the attachments.
------
I didn't test this thoroughly on multiple games, but I believe it works.
------
I believe that there are people out there who can automate all this stuff and make a proper decryption tool. I hope the reader is one of those people :)