Hacking Zip Passwords (C9)

Post by chrrox »

Here is a simple-to-follow guide that involves 0 knowledge of debugging.
You will need the following tools.
1. HxD or a hex editor that can open a program in RAM.
2. Cheat Engine or another program that can pause a process.
3. The game C9

Step 1

Launch the game update program.
[Image]

Step 2

Launch Cheat Engine.
[Image]

Step 3

Set up the hotkey to pause the process in Cheat Engine.
[Image]

Step 4

Set the hotkey to your choice (I chose 7).
[Image]

Step 5

Click on the process list button (magnifying glass) in Cheat Engine until you see our process (Exlauncher.exe).
Do not attach to the process yet.

[Image]

Step 6

This is what it will look like if you attach to the process in Cheat Engine and pause it.

[Image]

Step 7

Log into C9, and after you are logged in, attach to the process and pause it by hitting the key you assigned to that; it should look like this.

[Image]

Step 8

Take note of the file name and the progress bar. When you see the file finish and the text change, pause the process so it looks close to this.

[Image]

Step 9

Now that you have the process paused while it is extracting a file, open up HxD and choose open RAM.

[Image]

Step 10

In the process list you will notice a new process that was created while the game was extracting the files (Launcher.exe),
so this must be what handles extracting the files, so let's attach to it.

[Image]

Step 11

Now let's do a search for our file.

[Image]

Step 12

We end up here. Take a look and see if anything looks odd.

[Image]

Step 13

Take note of the long string that looks like it could be a password; it repeats 2x in this view.

[Image]

Step 14

If I scroll a little further down it is still repeating, so this seems like we have our number.

[Image]

Step 15

Try our password on the zip file and it works.
I will post some more advanced tutorials if there is a demand for it; let me know.

66b4427013838ceb5b275d5ba884b0ed9df353e0dc6220955e008d9d

Re: Hacking Zip Passwords (C9)

Post by Mr.Mouse »

This could come in handy for some users. Thanks for posting your method!

Re: Hacking Zip Passwords (C9)

Post by shekofte »

I have a question, please.
I considered that data in RAM is usually kept in fragmented form!
When we open the memory that is assigned to a process in a hex editor, does it defragment it and show it to us in its integrated form?
Very many thanks, Master.

Re: Hacking Zip Passwords (C9)

Post by evilpie »

Data in RAM is normally not fragmented.

For example, if you alloc 200 bytes of memory for a password, the whole memory is one block.
But when you alloc memory again it could be directly behind the other block or somewhere else entirely; you just don't know.

Re: Hacking Zip Passwords (C9)

Post by GenericRipper »

There's a game that also uses a password-protected ZIP, Metal Drift. I tried your method and found some repeating text but it doesn't work as a password! To be honest, "game.zip" wasn't actually written inside the launcher.exe, but I decided to check it out because of its periodicity.

Re: Hacking Zip Passwords (C9)

Post by aluigi »

because this method is not universal.
for example in Metal Drift Demo the key is 37493752032567301837 and I used the classical method to find it:

- signsrch -e MetalDriftDemo.exe
  0042b6f8 2273 function where is handled the ZipCrypto password [32.le.12&]
- launched the game with ollydbg and set breakpoint at offset 0042B6F0 (that is the starting of the function)
- olly breaks and the password is clearly visible
if the game can't be debugged easily you can even place a byte 0xcc at 3 bytes before the offset reported by signsrch; the debugger will pop up immediately when the game crashes.

if the game executable is encrypted you can launch signsrch while the game is running:
signsrch -P MetalDriftDemo.exe
and then attach olly to the process or write a simple WriteProcessMemory tool for placing the 0xcc byte in the process

let us know if the key for the full game differs from the one of the demo.

oh I forgot the link to signsrch:
http://aluigi.org/mytoolz.htm#signsrch

Re: Hacking Zip Passwords (C9)

Post by GenericRipper »

Thanks for a quick response, at least one of my problems is solved now. And the key you gave me fits the full version ZIP too.

Re: Hacking Zip Passwords (C9)

Post by Klaster »

Can someone help me with another ZIP password protected game? It's called Beat Hazard.

I already found this in hge.dll (beforehand unpacked with UPX):
000042ac 2273 function where is handled the ZipCrypto password [32.le.12&]
But no idea what is next.
Last edited by Klaster on Sun Apr 25, 2010 11:09 am, edited 2 times in total.

Re: Hacking Zip Passwords (C9)

Post by aluigi »

  • be sure to have ollydbg installed and that it's set as "Just-in-time debugger":
    select "Options->Just-in-time debugging"
    click on "Make Ollydbg just-in-time debugger"
  • open hge.dll with a hex editor (make a backup before)
  • go to offset 0x42a9
  • place the byte 0xcc there
  • save the file and start the game
  • Windows will show an error dialog, press CANCEL
  • when ollydbg starts, watch the bottom-right window (aka "stack window")
  • the password should be one of the first text strings visible in that list
keep us updated if everything worked as expected... and naturally let us know the password :)
Last edited by aluigi on Sun Apr 25, 2010 4:17 pm, edited 2 times in total.

Re: Hacking Zip Passwords (C9)

Post by Klaster »

So, the password is lippylippy, lol. aluigi, thanks for the help!
Packing the whole resources back into the ZIP also works fine, see the attachment.

Re: Hacking Zip Passwords (C9)

Post by Mr.Mouse »

Excellent everyone! :)

Re: Hacking Zip Passwords (C9)

Post by aluigi »

example of how to get the password of Metal Drift using only signsrch 0.1.6 (yeah a fresh new release) and partially ollydbg (partially because it's set only as JIT debugger so it has only the "display" purpose, you don't need to "touch" it):
http://aluigi.org/video/zipcrypto_example.avi

Re: Hacking Zip Passwords (C9)

Post by merlinsvk »

Hey guys,
What to do in this case:

signsrch -F hge.dll
10009f09 2273 function where is handled the ZipCrypto password [32.le.12&]
- subtracted 3 bytes => 10009F06
- opened hge.dll in HxD, Ctrl+G, 10009F06, HxD wrote that the file doesn't contain that offset (it ends at 0x4BFFFF)

It's from the game Akhra The Treasures and I would like to find the password for its data.zip

Thanks in advance

Re: Hacking Zip Passwords (C9)

Post by aluigi »

10009f09 is the memory address assigned to that instruction in hge.dll when it's loaded by Windows.
if you are lucky you should find the relative file offset at 0x9f09 of the file.
otherwise use an rva2file offset tool like my quickrva:
http://aluigi.org/mytoolz.htm#quickrva
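
The address-to-file-offset conversion described in the reply above, as an added example that is not part of the original thread and is not quickrva's code: it walks the PE section table to map the address signsrch printed to an offset in the file. The two header samples are constructed, the names va_to_file_offset and make_sample are hypothetical, and the code assumes the module is loaded at its preferred ImageBase.

```python
import struct

def va_to_file_offset(pe: bytes, va: int) -> int:
    """Map an address in the loaded image to its offset in the file on disk."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    nt, = struct.unpack_from("<I", pe, 0x3C)            # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = nt + 4
    n_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:                                   # PE32
        image_base, = struct.unpack_from("<I", pe, opt + 28)
    elif magic == 0x20B:                                 # PE32+
        image_base, = struct.unpack_from("<Q", pe, opt + 24)
    else:
        raise ValueError("unknown optional header magic")
    rva = va - image_base   # assumption: module sits at its preferred base
    table = opt + opt_size
    for i in range(n_sections):
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<4I", pe, table + 40 * i + 8)
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            delta = rva - vaddr
            if delta >= raw_size:
                raise ValueError("address has no bytes on disk")
            return raw_ptr + delta
    raise ValueError("address is outside every section")

def make_sample(raw_ptr: int) -> bytes:
    """Constructed PE32 headers: ImageBase 0x10000000, .text at RVA 0x1000."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x84, 0x14C, 1)         # machine, 1 section
    struct.pack_into("<H", hdr, 0x94, 0xE0)              # SizeOfOptionalHeader
    struct.pack_into("<H", hdr, 0x98, 0x10B)             # PE32 magic
    struct.pack_into("<I", hdr, 0xB4, 0x10000000)        # ImageBase
    hdr[0x178:0x180] = b".text\0\0\0"
    struct.pack_into("<4I", hdr, 0x180, 0xA000, 0x1000, 0xA000, raw_ptr)
    return bytes(hdr)

if __name__ == "__main__":
    for raw_ptr in (0x1000, 0x400):   # raw data at 0x1000 vs. at 0x400
        print(hex(va_to_file_offset(make_sample(raw_ptr), 0x10009F09)))
```

With the section's raw data at 0x1000 the result equals 0x9f09, the "lucky" case in the reply; with raw data at 0x400 the same address maps to 0x9309, which is why guessing the low bytes of the address does not always work.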

Re: Hacking Zip Passwords (C9)

Post by aluigi »

the password of the data.zip in "Akhra - The Treasures" is 2yKJ6KhRJKJ/18J5
found in less than one minute :)