[Help] Forza Horizon 4 zip archives

[Doliman100]

It seems that the RAGE engine on which the GTA and RDR series are based also uses Arxan's TransformIT. I found two projects for decrypt their resources.
https://github.com/Neodymium146/gta-too ... ryption.cs
https://github.com/0x1F9F1/Swage/blob/m ... /tfit2.cpp

There is an open source messenger that uses TransformIT. The developer has also uploaded the TransformIT 8.0 evaluation kit headers. By the way, the game uses GuardIT 10.5.2.154616 x64.
https://github.com/EOSIO/mojey/blob/mai ... FIT/TFIT.h

The file structure of encrypted files is described here https://github.com/Nenkai/010GameTempla ... za/TFIT.bt. Here are my notes:

Code: Select all

Header {
  u8[16] IV?
  u32 padding -- amount of zeros at the end of the last block
  u8[16] unknown
}
Block {
  u8[200 or 20000] encrypted_data
  u8[16] MAC?
}

The header is used by class Crypto::DecryptionStream constructor.

Code: Select all

00000001408E01BB: the call for sfsdata
0000000141D8E4A0: public: __fastcall Crypto::DecryptionStream::DecryptionStream(class TReference<class IOSys::CBinaryStream, struct ReferencePolicy<class IOSys::CBinaryStream>, struct NonThreadSafeReferencePolicy> const &, class TReference<class Crypto::ICryptoProvider, struct ReferencePolicy<class Crypto::ICryptoProvider>, struct NonThreadSafeReferencePolicy> const &, bool, unsigned long)
  rcx: Crypto::DecryptionStream *
  rdx: IOSys::CAutoMemoryStream::CAutoMemoryStream *
  r8: Crypto::TransformITCryptoProvider<class nullkeywrapper, class keywrapper_sfs_decryptionkey, class keywrapper_sfs_mackey> * -- stores 16-byte fields from the header.
  [rsp+20]: data_block_size -- 0x20000

The data is used by some method of that class. Looks like Crypto::DecryptionStream::ReadFile(...) except for rdx argument.

Code: Select all

00000001408E025C: the call for sfsdata
0000000141D8FAF0: public: virtual class Core::ErrInfo __fastcall Crypto::DecryptionStream::ReadData(void *, long, long &) -- maybe
  rcx: Crypto::DecryptionStream *
  rdx: Crypto::DecryptionStream ** -- null after return
  r8: void *destination
  r9: u32 data_size -- 0x4F80000
  [rsp+20]: u32 *data_size_out -- 0x4F80000

The values are given for the media/sfsdata file, because it is the very first file loaded.

• file size: 0x4F827E4
• data size: 0x4F80000
• block size: 0x20000
• padding: 0x6797
• decrypted file size: 0x4F79869

[smurf100]

I'm not sure if it will help much, because this is way out of my scope, but i did some look into the 2 unknown vars

BaseIV might refer to Initialization Vector,

which according to google is:

"is an arbitrary number that can be used with a secret key for data encryption to foil cyber attacks. This number, also called a nonce (number used once), is employed only one time in any session to prevent unauthorized decryption of the message by a suspicious or malicious actor."

As for the MAC i could think of mac address but that wouldn't make any sense

[Doliman100]

I am working on a standalone application that decrypts such files. Demo console utility in attachment. It only supports non-archived files that use the "file" decryption key from Forza Horizon 5, such as .xml and .ini. FH5 and FH4 use the same table, some other keys for them are included in keys.h file.
I want to package it as a 7-Zip plugin, but feel free to suggest your ideas. After that I'll add the following:

• keys to all other games since FM6Apex
• archive support
• gamedb deobfuscator
• MAC (Message Authentication Code) support
• trimming padding zeroes at the end

There are several problems.

1. Encrypted files don't have any information other than the file size. So there is no way to determine which game version or decryption key to use. It has to brute force over all known keys and tables, which is currently 5 * 6 = 30 attempts. MAC can be used for verification.
2. Same for the block size. It can be either 0x200 or 0x20000 bytes. Although it may depend on a key. I've only seen 0x20000 for sfsdata and gamedbRC.slt.
3. The decryption algorithm uses a table of 278528 bytes supposedly unique for each game and several keys of 272 bytes each.

Here are some related functions.

Code: Select all

0000000145509FD0: fun DecryptBigBlock
  rcx: decryption keys
  rdx: source encrypted
  r8: size 0x200 or 0x20000
  r9: 0x10
  [rsp+20]: destination decrypted
0000000145511A60: fun DecryptBlock
  rcx: decryption keys
  rdx: source encrypted
  r8: destination decrypted
0000000145505770: fun CalculateMAC
  rcx: keys
  r8: u32 0x18
  r9: destination calculated MAC

By the way, here is a list of keys from Forza Horiozn 5. They are stored in memory in an encrypted form and decrypted for short periods of time as needed. So, in order to automatically extract them from the executable dump, reverse engineering of their decryption algorithm is required.

Code: Select all

keywrapper_profile_encryptionkey
keywrapper_profile_decryptionkey
keywrapper_profile_mackey -- User_69C2EF99.ProfileData, User_69C2EF99.VersionFlags

keywrapper_gamedb_decryptionkey
keywrapper_gamedb_mackey -- gamedbRC.slt

keywrapper_file_decryptionkey
keywrapper_file_mackey -- .zip, .xml, .ini

keywrapper_sfs_decryptionkey
keywrapper_sfs_mackey -- sfsdata

keywrapper_photo_encryptionkey
keywrapper_photo_decryptionkey
keywrapper_photo_mackey -- Photo_0000_20211112155819.header, Photo_0000_20211112155819.image, Photo_0000_20211112155819.metadata, Photo_0000_20211112155819.thumb

keywrapper_dynamic_encryptionkey
keywrapper_dynamic_decryptionkey
keywrapper_dynamic_mackey -- CustomRoute_0000_20211112181230.header, CustomRoute_0000_20211112181230.RouteData

keywrapper_telemetry_encryptionkey

As you can see, there is a profile encryption key, so the executable also has the encryption part of this asymmetric algorithm. It also seems possible to make a "save editor".

[smurf100]

that is very nice, we appreaciate alot what you're doing!

[toab776]

Will there be a method 22 .zip decryptor made? Would love to get the .wav from fh4 and fh5 finally after so many years.

[Doliman100]

Here is the decryptor for any file (.ProfileData, .LevelRewardCache, .RouteData, .image, sfsdata, .ini, .xml, ...) from any game sice FM6Apex up to FH5 but .zip, second stage of gamedb.slt and sfsdata of FM7. By calculating the MAC, it automatically tries all existing keys until it finds the right one. Since the Forza Motorsport file format doesn't have a padding size, it just trims trailing zeros, which may be incorrect if they are part of a file.
I'm currently working on gamedb.slt deobfuscation. After that, I'll move to .zip support.
This is a command line utility that accepts two arguments: input and output file paths.

Code: Select all

D:\downloads\TransformIT\TransformIT.exe "C:\Program Files (x86)\DODI-Repacks\Forza Horizon 5\media\Physics\PI.xml" "PI.xml"

Please, post here if it can't decrypt some file.
https://mega.nz/file/K9JClBLT#U95oWc7Yk ... K6y7oCqDVE

[toab776]

Here is the decryptor for any file (.ProfileData, .LevelRewardCache, .RouteData, .image, sfsdata, .ini, .xml, ...) from any game sice FM6Apex up to FH5 but .zip, second stage of gamedb.slt and sfsdata of FM7. By calculating the MAC, it automatically tries all existing keys until it finds the right one. Since the Forza Motorsport file format doesn't have a padding size, it just trims trailing zeros, which may be incorrect if they are part of a file.
I'm currently working on gamedb.slt deobfuscation. After that, I'll move to .zip support.
This is a command line utility that accepts two arguments: input and output file paths.

Code: Select all

D:\downloads\TransformIT\TransformIT.exe "C:\Program Files (x86)\DODI-Repacks\Forza Horizon 5\media\Physics\PI.xml" "PI.xml"

Please, post here if it can't decrypt some file.
https://mega.nz/file/K9JClBLT#U95oWc7Yk ... K6y7oCqDVE

This is simply genius.....

Can you post how i run it from command line step by step?

For those that are only interested in the engine, exhaust and intake audio it would be very handy to have a program that extracts all files from the .zip and makes a new folder and puts them in there. For example all the contents of "G_V10NM_European_Supercar_2_Exh.zip". Because many people who want the audio files are not that good on computers.

[smurf100]

you can already extract audio files using x64 dbg, it is extremely easy, just read the previous posts

[Doliman100]

I tried to figure out how to build it as 7-Zip plugin or quickbms script but it's too complicated due to lack of documentation. For 7-Zip, I don't know how to make it open alone files that aren't part of an archive and detect that file needs to be decrypted without trying all keys on every file that you extract, which will affect performance.
As for quickms, I couldn't figure out how to make it to support non-hardcoded keys.
So if anyone can make something more convenient, you are welcome. Sources are available inside the archive.

[toab776]

you can already extract audio files using x64 dbg, it is extremely easy, just read the previous posts

If i wanted to extract the .wav only from the method 22 zip i can do this how using that?

[smurf100]

read this

[Doliman100]

I've added support for gamedb deobfuscation and .zip. It just takes off the encryption from .zip without extracting files. All flags and fields are untouched, so I think you can decrypt files from the latest version of FH3 and use them in OpusDev. I also removed zero trimming from FM files as it is too inaccurate. The next step is to support encryption for .ProfileData and others that have an encryption key.

I also added boost::program_options so it's more user friendly now.

Code: Select all

.\TransformIT.exe --yes --input='C:\Program Files (x86)\DODI-Repacks\Forza Horizon 5\media\ProfileSchema.zip' --output='out.zip'

Here is a list of encrypted .zip files from FH5 and FH3.

Code: Select all

-- FH5
media\Audio\EngineSynth\*.zip
media\Stripped\TIDETables.zip
media\Camera.zip
media\EntityModel.zip
media\GameTunableSettings.zip
media\ProfileSchema.zip
media\Rendering.zip
media\RenderScenarios.zip
media\Rules.zip
media\stateflow.zip

-- FH3
media\audio\enginesynth\pc\*.zip
media\camera.zip
media\entitymodel.zip
media\gametunablesettings.zip
media\matchmakingstateflow.zip
media\profileschema.zip
media\rules.zip
media\stateflow.zip

Upd 1. Fixed an unexpected end of data error.
Upd 2. Fixed zero file size error and added support for offset recalculation for extra field 0x1123.
Upd 3. Fixed zero file skipping caused by previous fix.
https://mega.nz/folder/T5IkFIbB#obP-SfTD2Y2MyaqXPAuwlg

[Skajdrovski]

Thank you for the tool. I've successfully decrypted 'GameTunableSettings.zip', but when I try 'Rules.zip' file, program returns this:

Code: Select all

PS C:\Users\Skajdrovski\Downloads\TransformIT_v3.1> ./TransformIT.exe --yes --input='C:\XboxGames\Forza Horizon 5\Content\media\Rules.zip' --output='Rules.zip'
File name: ANNAVO.rulebot.bin
Game: Forza Horizon 5
Key: File
Data block size: 0x200
Padding size: 430
Data size: 0x200
IV: BB 03 0E CC 4C F1 95 56 91 58 85 4B F7 44 44 40

File name: ANNAVO.rulebot.xml
Game: Forza Horizon 5
Key: File
Data block size: 0x200
Padding size: 414
Data size: 0x400
IV: C1 84 5E 65 25 2E 9C 2E C8 CF 2F 46 CC 0B 81 FD

File name: AnnouncerVO.rulebot.bin
Game: Forza Horizon 5
Key: File
Data block size: 0x200
Padding size: 408
Data size: 0x200
IV: D5 1B 7B 41 36 C2 8E 69 46 DC 84 DF E8 41 5C 11

File name: AnnouncerVO.rulebot.xml
Game: Forza Horizon 5
Key: File
Data block size: 0x200
Padding size: 477
Data size: 0x400
IV: 98 9F 05 DC 8A 1D AD 6B D9 BE 87 A2 CA 64 2E 17

File name: Asphalt_Expedition.rulebot.bin
Game: Forza Horizon 5
Key: File
Data block size: 0x200
Padding size: 248
Data size: 0x200
IV: 23 D9 8F EA 5D C6 0D 6D C1 D8 E1 00 5B 21 F5 FA

File name: Asphalt_Expedition.rulebot.xml
Game: Forza Horizon 5
Key: File
Data block size: 0x200
Padding size: 474
Data size: 0x600
IV: FF 91 FA D7 F1 3D 9C 21 A0 05 95 BB BC F2 8A EF

File name: AstraFreeroam.rulebot.bin/
Error: None of the keys matched.

Code: Select all

-- FH5
media\Rules.zip

[Doliman100]

Send me the original zip file and which game version do you use? The file from 1.405.2.0 (Steam) [EMPRESS] decrypts well.

[Skajdrovski]

I'm using the latest version (3.604.481.0) from Microsoft Store.
https://drive.google.com/file/d/1_ESQU3 ... sp=sharing