Launchpad wrote: Sat Aug 03, 2019 7:08 am
Hey BruteForce,
Mind sharing? It appears things like numbers get treated like strings, swapped out with the same position in the key (or is there shifting?), and converted back to an INT from a string. Not sure if they are using the default KEY or a custom one I need to dig up. Anyways, if you're willing to share to save me the time, I'd appreciate it. Let me know if I can be of any help to you.
0.6.4.2
INVENTORY ITEMS
=================
Game-Win64-Shipping.exe+70D051 - 80 7D BC 00 - cmp byte ptr [rbp-44],00 { 0 }
Game-Win64-Shipping.exe+70D055 - 89 45 B7 - mov [rbp-49],eax
[RSP+CC] == OFFSET (0-0x1C), iteration, or identifier number (0 - 'x')
[RSI+20] or [RSI+30] == number of digits + 1
[RSI+18] or [RSI+28] == pointer to encrypted data, holding info where 0x3D is number 9, so:
this (below) is 999,999 (or 999999)
3D 00 3D 00 3D 00 3D 00 3D 00 3D 00
and use 7 as number of digits (999999 is 6 digits, + 1)
OFFSET at [RSP+CC] and what it holds
--------------------------------------
0 Credits
1 DNA
2 Ecos of the Plague
3 Unseen Trinket
4 Jade
5 and higher rest of inventory
Game-Win64-Shipping.exe+70D009 - 0F84 2B010000 - je Game-Win64-Shipping.exe+70D13A
Game-Win64-Shipping.exe+70D00F - 33 C0 - xor eax,eax
Game-Win64-Shipping.exe+70D011 - 48 8D 54 24 40 - lea rdx,[rsp+40]
Game-Win64-Shipping.exe+70D016 - 48 8B CB - mov rcx,rbx
Game-Win64-Shipping.exe+70D019 - 48 89 44 24 40 - mov [rsp+40],rax
Game-Win64-Shipping.exe+70D01E - 48 89 44 24 48 - mov [rsp+48],rax
Game-Win64-Shipping.exe+70D023 - 48 89 45 87 - mov [rbp-79],rax
Game-Win64-Shipping.exe+70D027 - 48 89 45 8F - mov [rbp-71],rax
Game-Win64-Shipping.exe+70D02B - 48 89 45 97 - mov [rbp-69],rax
Game-Win64-Shipping.exe+70D02F - 48 89 45 9F - mov [rbp-61],rax
Game-Win64-Shipping.exe+70D033 - 48 89 45 BF - mov [rbp-41],rax
Game-Win64-Shipping.exe+70D037 - 48 89 45 C7 - mov [rbp-39],rax
Game-Win64-Shipping.exe+70D03B - 48 89 45 CF - mov [rbp-31],rax
Game-Win64-Shipping.exe+70D03F - 48 89 45 D7 - mov [rbp-29],rax
Game-Win64-Shipping.exe+70D043 - E8 48E9FFFF - call Game-Win64-Shipping.exe+70B990
Game-Win64-Shipping.exe+70D048 - 48 8D 4E 08 - lea rcx,[rsi+08]
Game-Win64-Shipping.exe+70D04C - E8 4FB9CEFF - call Game-Win64-Shipping.exe+3F89A0
Game-Win64-Shipping.exe+70D051 - 80 7D BC 00 - cmp byte ptr [rbp-44],00 { 0 }
Game-Win64-Shipping.exe+70D055 - 89 45 B7 - mov [rbp-49],eax
Game-Win64-Shipping.exe+70D058 - 74 07 - je Game-Win64-Shipping.exe+70D061
Game-Win64-Shipping.exe+70D05A - 3B 45 DF - cmp eax,[rbp-21]
Game-Win64-Shipping.exe+70D05D - 0F9D 45 BC - setge byte ptr [rbp-44]
Game-Win64-Shipping.exe+70D061 - 48 63 5F 08 - movsxd rbx,dword ptr [rdi+08]
Game-Win64-Shipping.exe+70D065 - 8D 43 01 - lea eax,[rbx+01]
Game-Win64-Shipping.exe+70D068 - 89 47 08 - mov [rdi+08],eax
Game-Win64-Shipping.exe+70D06B - 3B 47 0C - cmp eax,[rdi+0C]
Game-Win64-Shipping.exe+70D06E - 7E 0A - jle Game-Win64-Shipping.exe+70D07A
Game-Win64-Shipping.exe+70D070 - 8B D3 - mov edx,ebx
Game-Win64-Shipping.exe+70D072 - 48 8B CF - mov rcx,rdi
Game-Win64-Shipping.exe+70D075 - E8 F6CBBCFF - call Game-Win64-Shipping.exe+2D9C70
Game-Win64-Shipping.exe+70D07A - 48 6B DB 70 - imul rbx,rbx,70
Game-Win64-Shipping.exe+70D07E - 48 8D 54 24 40 - lea rdx,[rsp+40]
Game-Win64-Shipping.exe+70D083 - 48 03 1F - add rbx,[rdi]
Game-Win64-Shipping.exe+70D086 - 48 8B CB - mov rcx,rbx
Game-Win64-Shipping.exe+70D089 - E8 325EB4FF - call Game-Win64-Shipping.exe+252EC0
Game-Win64-Shipping.exe+70D08E - 48 8D 4B 10 - lea rcx,[rbx+10]
Maybe there is a better spot to do this, but this seems to be the spot where you can divide out items.
As we discussed, yes, the values are stored as Unicode script text, and the script text then gets converted (each 2-byte 'letter') to an offset into a table of the actual numbers (i.e. the text of 0-9).
Each address holding the encrypted or 'stored' value is written over, read from, converted, then the value is extracted, then immediately converted back in reverse in a loop.
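A decoder and re-encoder for the stored-value layout the post describes (count field = digits + 1, 2-byte code units indexing a digit table, 0x3D standing for 9), as an added example that is not part of the original post or the game's code; it makes clear that this storage is a per-digit substitution rather than encryption. Only the 0x3D → 9 entry comes from the post; every other table entry below is a constructed placeholder, and the function names are my own.

```python
# Added example (not from the post): decode and re-encode the "stored value" layout
# described above. The post gives: a count field = number of digits + 1, a pointer to
# 2-byte (UTF-16) code units, and that the code unit 0x3D stands for the digit 9.
# Only the 0x3D -> 9 entry is confirmed; every other entry in CONSTRUCTED_TABLE is a
# made-up placeholder so the example runs, NOT the game's real table.
import struct

CONSTRUCTED_TABLE = {
    0x34: 0, 0x35: 1, 0x36: 2, 0x37: 3, 0x38: 4,   # placeholders (constructed)
    0x39: 5, 0x3A: 6, 0x3B: 7, 0x3C: 8,            # placeholders (constructed)
    0x3D: 9,                                       # confirmed by the post
}


def decode_stored(count, raw, table=CONSTRUCTED_TABLE):
    """Turn the stored bytes back into an int, checking the count field first."""
    ndigits = count - 1                       # count holds digits + 1
    if ndigits <= 0 or len(raw) != 2 * ndigits:
        raise ValueError("count field does not match the stored data length")
    units = struct.unpack("<%dH" % ndigits, raw)   # little-endian 16-bit code units
    value = 0
    for unit in units:
        if unit not in table:
            raise ValueError("code unit 0x%04X is not in the digit table" % unit)
        value = value * 10 + table[unit]      # most significant digit first
    return value


def encode_stored(value, table=CONSTRUCTED_TABLE):
    """Inverse of decode_stored: returns (count, raw) in the same layout."""
    if value < 0:
        raise ValueError("negative values are not representable")
    inverse = {digit: unit for unit, digit in table.items()}
    digits = [int(ch) for ch in str(value)]
    raw = struct.pack("<%dH" % len(digits), *(inverse[d] for d in digits))
    return len(digits) + 1, raw


def roundtrip_ok(value):
    """Check that encode followed by decode yields the original value."""
    count, raw = encode_stored(value)
    return decode_stored(count, raw) == value


if __name__ == "__main__":
    # The post's own sample: six 0x3D units with count 7 -> 999,999
    sample = bytes.fromhex("3D003D003D003D003D003D00")
    print(decode_stored(7, sample))
```

Because each digit always maps to the same code unit, a known quantity is recognisable in memory by its pattern alone, which is why the post can identify 999,999 from a run of 0x3D units.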