notamuted
Newbie
- May 12, 2018
- 81
- 77
Dude, patreon links! Those are not free, need an account, and patreon site doesn't even work with spyware disabled...
This is how patreon looks like when its telemetry is blocked (throws JS errors of course, and no links working, you can't click anywhere, not even the search box nor the "Log in" works):
So no, I do not consider this a proper download link, sorry.
notamuted
Newbie
- May 12, 2018
- 81
- 77
Its free and you don't need an account.
Well, okay, nvm. So I see 3 choices for you: 1) Search the game in other places (it should be somewhere in itch.io if that site works for you) 2) Use a different browser\device 3) Find an another game that does not use the default key (I dont think there are many out there)
uneasy_speedy
Newbie
- Feb 22, 2021
- 70
- 133
Just asking, you're looking for any game with a non-default key? If you tell me how to encrypt the game, I have srpg studio so I can just make a shitty default project and encrypt it.
Wow, that would be really awesome!
If you could create 4 variants of the default project game that would be invaluable help for reverse engineering how the custom key is stored!
1. one without encryption (for a baseline)
2. one with the default key
3. one with an "abcde" key
4. and finally one with "bcdef" key
The first is needed to establish a baseline (get the plain text version of encryption for that particular SRPG version). The second is needed to rule out false positives, and finally comparing the third and fourth would allow me to locate where and how is the custom key stored in the exported game. For this I would need two known custom keys encrypting the same data.
If you could really create these 4 and upload it on meganz, gofile, pixeldrain (or just attach it here if possible), that would help me a lot and I would be extremely grateful!
About encrypting the game, there's a checkbox on the "Release Project" window. About specifying the key, I have no clue, I couldn't find that in the SRPG manual.
You must be registered to see the links
uneasy_speedy
Newbie
- Feb 22, 2021
- 70
- 133
I only figured out the first two, I couldn't find any way to set a custom key. I don't think there is a native way to do it. That said, I can always send more projects for testing as needed.
You must be registered to see the links
Thank you very much! Yeah, I couldn't find the custom key input either.
Anyway, I've implemented what I could, from now on GAME RIPPER can rip SRPG Studio games too!
notamuted
Newbie
- May 12, 2018
- 81
- 77
I've checked these...
1) Can you next time add into the projects some images? It seems these projects contain only *.js script files and 'Project.srpg' file. From which only the latter is encrypted.
2) Assuming 'unencrypt' is indeed not encrypted and for both these projects 'Project.srpg' files are identical - I conclude that 'encrypt' project is encrypted using non-default key.
I suspect it has something to do with srpg studio version. They might have changed the encryption key from known "key", to another one (possibly randomly generated)
uneasy_speedy
Newbie
- Feb 22, 2021
- 70
- 133
I assume it would be possible via plugin similar to rpg maker. I dont know much about scripting I just have SRPG studio. Thanks to the thingie you linked I was actually able to open and edit Heelfall and Loyal Demise, though the latter is only in Chinese for some reason? (even if I load the English translated version)
If you're more specific I can do that, justaplayer asked me to do it with the default project.
Again, thank you guys so much for all your help!
Your how to only extracts the keystream (required by the java app), and not the 16 bytes long key itself (required by GR), would be great to have that too.
So I second noamuted, It would be great if you could add one asset file to the project, so that data.dts would surely contain an encrypted file. It doesn't matter if it's a mapchip PNG or a charachip PNG or a UI window PNG or a sound effect OGG or whatever.
I have also run into a data.dts file in which the "encrypted flag" is set, yet "Project.srpg" seems to be clear text (same as in an unencrypted data.dts). The file version is 0x4DE, so relatively new.
That's quite possible. Could you please change your C++ code so that in section "3. Getting the key/bitstream" it would save not just the keystream but the original key (the 16 bytes long, an MD5 of something) as well? The thing is, I've already implemented this in GR, you could rip a game with a custom key "gameripper.exe -k (arc4 key)" where that arc4 key is 16 bytes of hex values.
Your how to only extracts the keystream (required by the java app), and not the 16 bytes long key itself (required by GR), would be great to have that too.
Not sure about Chinese, but it seems that newer SRPG has some sort of localization support. I guess this is buggy? FYI, only the texts are localized, so if you extract a game with GR, the filenames and the comments in scripts won't change, no matter the locale.
Yes, because I did not know then that Project.srpg isn't always encrypted.
So I second noamuted, It would be great if you could add one asset file to the project, so that data.dts would surely contain an encrypted file. It doesn't matter if it's a mapchip PNG or a charachip PNG or a UI window PNG or a sound effect OGG or whatever.
notamuted
Newbie
- May 12, 2018
- 81
- 77
Okay, I think I cracked the code!
The 'Project.srpgs' file stored in data.dts is encrypted using the key "_dyn" (the first half from "_dynamic"). And the actual resources are encrypted using a different key. That key is the first 16 bytes of decrypted/unencrypted "Project.srpgs" file. These bytes are directly fed to MD5 algorithm like this:
I tested this approach on oathbreaker game and it seems to be working. But I want test it on more srpgs games to be 100% sure.
The 'Project.srpgs' file stored in data.dts is encrypted using the key "_dyn" (the first half from "_dynamic"). And the actual resources are encrypted using a different key. That key is the first 16 bytes of decrypted/unencrypted "Project.srpgs" file. These bytes are directly fed to MD5 algorithm like this:
Python:
def decrypt_asset(input_buf:bytes,_:str)->bytes:
h = MD5.new()
pwd= bytes([0x90, 0x51, 0xCA, 0xE7, 0x42, 0xF3, 0x95, 0xFC, 0x5C, 0x5A, 0xAE, 0x6F, 0xAF, 0x83, 0x01, 0xF8])
h.update(pwd)
key = h.digest()
cipher = ARC4.new(key)
decrypted_data = cipher.decrypt(input_buf)
return decrypted_dataAlso I tested it with your tool and it seems to work as well. I took `hashlib.md5(pwd).hexdigest()` and inserted it into the custom key field (F2 button).
So, I too kindly ask you to provide a srpg project with stored assets (images, etc).
View attachment advpro32_dumps_md5input.zip I've attached "advpro32_dumps_md5input.zip" to this comment. It dumps the data passed to 'CryptHashData' call with 2x length as `dumphashinput_31.bin`. (i.e. it will dump fill "keyset" instead of the actually used "key").
Nice!
The first 16 bytes of Project.srpg are 100% the same as the last 16 bytes of system.dat, and I've also tried these without luck (I couldn't test Oathbraker sadly). This was my first though too btw.
Could you please confirm that Oathbreaker's system.dat file is indeed contains 0x53, 0x44, 0x41, 0x54, 0x00, 0x00, 0x00, 0x00, 0x90, 0x51, 0xCA, 0xE7, 0x42, 0xF3, 0x95, 0xFC, 0x5C, 0x5A, 0xAE, 0x6F, 0xAF, 0x83, 0x01, 0xF8? (That's 4 bytes "SDAT" magic, 4 bytes zeros, and 16 bytes same as the decrypted Project.srpg's first 16 bytes).
I have also tried this, but didn't work for me. Admittedly I couldn't get my hands on any custom key games at all, so this is promising!
Thank you for your feedback! I'm glad it worked! So you are certain that the custom key is MD5(creator uuid)? Awesome!
I don't understand, this seems pointless. It should output the hKey (or maybe the hHash?) argument to ARC4 function CryptDecrypt (so the same that you've tried with GR's F2 and worked). We are interested in the ARC4's key, regardless of how it is constructed (MD5 of "key", "_dyn", creator uuid or whatever). We need the key as it is passed to CryptDecrypt, because knowing that we can generate the entire keystream.
notamuted
Newbie
- May 12, 2018
- 81
- 77
I confirm. These are exactly the same bytes
I am not sure about creator uuid (I don't know what these bytes are), but the custom key is indeed is md5 from these 16 bytes.
It outputs pbData passed to CryptHashData (md5 input - i.e. these 16 bytes, the default 'key' key, etc...).
hKey and hHash are handles of uknown type, so they can't be dumped. I believe the thing you want is stored inside wincrypt and cannot be accessed by regular means.
uneasy_speedy
Newbie
- Feb 22, 2021
- 70
- 133
notamuted
Newbie
- May 12, 2018
- 81
- 77
Thanks. I succesfully decrypted and extracted all 8 stored images.
Now we can with certainty say that everything said above is true.
Well, that's what the SRPG manual says (
You must be registered to see the links
)system.dat
This file contains a value that uniquely identifies the creator of the project.
And because it's 16 bytes long, it's safe to call it UUID (Universally Unique IDentifier, but MS likes to call it GUID, Globally Unique IDentifier).
Not sure about that, I think the "handle" is just a simple struct pointer. But okay.
Anyway, I've implemented your method in GR, it should work work with Oathbreaker too. Could you give it a spin and report back? I double checked the code, but I couldn't test it myself.
notamuted
Newbie
- May 12, 2018
- 81
- 77
Yup. It works
But, I have a bug to report...
I compared the outputs of Gameripper and
You must be registered to see the links
(with manually provided key) - and there is a difference. It seems Gameripper misses some images and can't properly process foldered(?) images (extracts only the first file). I've attached `tree` outputs for both results.View attachment GameRipper_datadts_list.txt
View attachment HNIdesu_datadts_list.txt
Last edited:
Unfortunately I can't see anything on those outputs because they use some weird codepage. Multiple subfolders shouldn't be a problem, I've tested that and it works.
Could you please run it as "gameripper.exe -vvv" and attach the generated gameripper.log file here?
notamuted
Newbie
- May 12, 2018
- 81
- 77
The files appear broken if opened in browser. If you download them and open in notepad or other text editor they'll look normal.
Sure
View attachment gameripper.log.zip
Thank you very much for your feedback and the provided logs! Thanks to that, I was able to figure out what's going on.
It seems this wasn't a folder issue per se, rather some images might have color variations (for charachips this means different cloth colors; for backgrounds a variant at day, at night, at afternoon etc.). So far only the first variation was saved, but I was able to implement this and now these are saved in a folder as XXXX.png (where XXXX is a number) just like how the java app does.
I've updated the attachments in the GR post and the binaries in the gitlab repo as well! Thanks again!