Tutorial (Updated)

How to extract decryption key for Unreal Engine 4 *.pak files

Lately we have seen two games that use index encryption, which hides the file names, the compressed and decompressed sizes, and the offsets of every entry in the PAK. The assets themselves are not encrypted.

Here I will show a method to recover the 32-byte (64 hex character) decryption key from the game's main executable. This tutorial is based on Ninjala version 2.1.
Don't share keys here, as that is a violation of the rules. The key shown in this tutorial has been faked.

This method works only with v7 or newer PAKs. v3 and older don't support native PAK encryption.
For v4-v6, read this tutorial first and then look HERE.

The method was checked on these games:
Code:
- Ninjala 2.1
- Five Nights at Freddy's: Help Wanted 1.22
- FUSER
- Little Nightmares II 1.2
- Shin Megami Tensei V 1.0.1
- BassMaster 2022 1.0.2
- SD GUNDAM BATTLE ALLIANCE 1.3.1
- GetsuFumaDen: Undying Moon 1.1.1
- GHOSTRUNNER 1.8

Requirements:
- IDA or Ghidra (you don't need a decompiler) with ARM64/AArch64 support
- Knowing how to extract main from exefs (you can use nxdumptool) and how to use IDA or Ghidra (I won't explain how to load main into them properly)
- Some time


1. Load "main" from exefs into IDA or Ghidra.
2. Let it analyze until as much as possible is disassembled (we don't need types, demangled symbols, etc., only assembly).
3. The next steps depend on which tool you are using.

IDA

3.1. After the analysis finishes, go to Search -> sequence of bytes...
(screenshot)

3.2. In the window that appears, paste this:
Code:
00 04 00 AD C0 03 5F D6
Check "Find all occurrences" and press OK.
(screenshot)

3.3. After a short while we get a window with all results (in the case of Ninjala there are only 2).
(screenshot)

3.4. Jump to a result by clicking on it; we need to find a function that looks like this:
(screenshot)

By this I mean a short function containing three or four lines with the text "xmmword".
If the function looks different, it is the wrong function; check the other results.

3.5. Click on the first xmmword so IDA jumps to its address (in this case 7106753E30, which you can see after "xmmword_"). We are now at the first 16 bytes of our decryption key.
Go to the Hex View tab and copy 16 bytes starting from the address the xmmword points to (7106753E30).
(screenshot)

So in this case we are copying:
Code:
12 11 34 56 78 90 12 34  43 21 09 87 65 43 21 00
Paste it somewhere, for example into a text file, and save it.

Go back to the function where the xmmwords were. Now click on the second xmmword (in this case xmmword_710675B580).
Go to the Hex View tab and copy 16 bytes starting from the address it points to (710675B580).
(screenshot)

So in this case we are copying:
Code:
36 36 36 36 36 36 36 36  36 36 36 36 36 36 36 21

Paste it at the end of the file containing the previous 16 bytes, then delete all spaces in that file.

Now our decryption key is ready:
Code:
1211345678901234432109876543210036363636363636363636363636363621
Ghidra

3.1. After the analysis finishes, go to Search -> Memory
(screenshot)

3.2. Paste this into the "Search value" field:
Code:
00 04 00 AD C0 03 5F D6
Make sure the format is set to "Hex" and press "Search All".
(screenshot)

3.3. After a short while we get a window with all results (in the case of Ninjala there are only 2).
(screenshot)

3.4. Jump to a result by clicking on it; we need to find a function that looks like this:
(screenshot)

In Ghidra's case there is a small complication: depending on how thorough your analysis was, the disassembler window will show different output. Probably the best approach is to check whether the function you landed in has 5 or 6 instructions. If not, it is the wrong one and you should check the other results.

DAT_ can be named differently depending on the quality of the analysis. Keep that in mind.

3.5. Click on the first "offset DAT_" (in this case "offset DAT_7106753e30") so Ghidra jumps to that offset. You are now at the beginning of the first 16 bytes of the decryption key. Go to the "Bytes:" window and copy 16 bytes starting from the offset DAT_ pointed to (in this case 7106753e30).
(screenshot)

So in this case we are copying:
Code:
12 11 34 56 78 90 12 34 43 21 09 87 65 43 21 00
Paste it somewhere, for example into a text file, and save it.

Go back to the function where the "offset DAT_" references were. Now click on the second "offset DAT_" (in this case DAT_710675b580); we are now at the last 16 bytes of the decryption key.
Again go to the "Bytes:" window and copy 16 bytes starting from the offset DAT_ pointed to (in this case 710675b580).

(screenshot)

So in this case we are copying:
Code:
36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 21

Paste it at the end of the file containing the previous 16 bytes, then delete all spaces in that file.

Now our decryption key is ready:
Code:
1211345678901234432109876543210036363636363636363636363636363621
 
Last edited by masagrator,
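A check worth running before step 1, added here as an example and not part of masagrator's tutorial: read the .pak footer to confirm the format version and whether the index is actually flagged as encrypted. Several replies in this thread end with "the pak is not encrypted", and the footer answers that question in seconds, before any time is spent in IDA or Ghidra. The field layout is my reading of UE4's FPakInfo serialization (version constants, the 16-byte EncryptionKeyGuid prepended from v7, the compression-name table appended from v8, the extra bool in v9) and is an assumption; that an all-zero GUID selects the default key is also my assumption. The footers the test builds are constructed fixtures, not bytes from any game.

```python
"""Footer check for an Unreal Engine 4 .pak: format version and whether the
index is flagged as encrypted.  The field layout is my reading of UE4's
FPakInfo::Serialize / GetSerializedSize and is an assumption, not something
taken from the thread."""
import struct

PAK_MAGIC = 0x5A6F12E1
# PakFileVersion values (assumed from UE4's enum)
V_INDEX_ENCRYPTION = 4      # bEncryptedIndex becomes meaningful
V_ENCRYPTION_KEY_GUID = 7   # 16-byte EncryptionKeyGuid prepended to the footer
V_FNAME_COMPRESSION = 8     # table of compression method names appended
V_FROZEN_INDEX = 9          # one extra bool, dropped again in v10
V_PATH_HASH_INDEX = 10
V_LATEST = 11
COMPRESSION_NAME_LEN = 32


def footer_size(version, method_slots):
    """Serialized size of FPakInfo; method_slots is 4 or 5 for v8+, 0 below."""
    size = 1 + 4 + 4 + 8 + 8 + 20  # bEncryptedIndex, Magic, Version, IndexOffset, IndexSize, IndexHash
    if version >= V_ENCRYPTION_KEY_GUID:
        size += 16                 # EncryptionKeyGuid
    if V_FROZEN_INDEX <= version < V_PATH_HASH_INDEX:
        size += 1                  # bIndexIsFrozen
    if version >= V_FNAME_COMPRESSION:
        size += COMPRESSION_NAME_LEN * method_slots
    return size


def parse_footer(tail):
    """Probe footer layouts from newest to oldest, as the engine does.

    tail: the last bytes of the .pak (a few hundred are enough).  Returns a
    dict, or raises ValueError when no valid FPakInfo is found."""
    for version in range(V_LATEST, 0, -1):
        if version > V_FNAME_COMPRESSION:
            slot_options = [5]
        elif version == V_FNAME_COMPRESSION:
            slot_options = [5, 4]  # v8 first shipped 4 slots, later builds 5 (assumed)
        else:
            slot_options = [0]
        for slots in slot_options:
            size = footer_size(version, slots)
            if len(tail) < size:
                continue
            foot = tail[-size:]
            pos = 16 if version >= V_ENCRYPTION_KEY_GUID else 0
            encrypted, magic, stored, index_offset, index_size = struct.unpack_from("<BIiqq", foot, pos)
            if magic != PAK_MAGIC or stored != version:
                continue
            if version < V_INDEX_ENCRYPTION:
                encrypted = 0      # the flag did not exist yet; the engine forces it to false
            guid = foot[:16] if pos else bytes(16)
            return {
                "version": version,
                "index_encrypted": bool(encrypted),
                "default_key": guid == bytes(16),  # all-zero GUID = main key (assumption)
                "index_offset": index_offset,
                "index_size": index_size,
                "footer_size": size,
            }
    raise ValueError("no FPakInfo footer found: not a .pak, or a custom/modified format")


def describe(info):
    """One-line verdict on whether the key hunt in the tutorial even applies."""
    if not info["index_encrypted"]:
        return "index not encrypted: there is no key to look for"
    if not info["default_key"]:
        return "index encrypted with a non-default key GUID: the main embedded key may not be the one used"
    return "index encrypted with the default key: the tutorial applies"


def build_footer(version, encrypted, index_offset=0x1000, index_size=0x200, slots=5):
    """Constructed test fixture: a synthetic footer, not bytes from any real game."""
    body = struct.pack("<BIiqq", int(encrypted), PAK_MAGIC, version, index_offset, index_size) + bytes(20)
    if version >= V_ENCRYPTION_KEY_GUID:
        body = bytes(16) + body
    if V_FROZEN_INDEX <= version < V_PATH_HASH_INDEX:
        body += b"\x00"
    if version >= V_FNAME_COMPRESSION:
        body += b"Zlib".ljust(COMPRESSION_NAME_LEN, b"\x00") + bytes(COMPRESSION_NAME_LEN * (slots - 1))
    return body


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        fh.seek(0, 2)
        fh.seek(max(0, fh.tell() - 512))
        info = parse_footer(fh.read())
    print(info)
    print(describe(info))
```

Run it as `python pakfooter.py Game.pak`. A ValueError means the footer does not match any layout the engine itself knows, which is the "custom/modified PAK" case the thread mentions for some games; a clean parse with index_encrypted False means there is nothing to extract.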

maztz

Quote:
On top of encrypting stuff, the game is also using a modified PAK. So my tutorial won't work in your case. On PC there is a custom QuickBMS script for Friday the 13th that you can find on zenhax, but it seems it's not compatible with the Switch pak.

Yeah, I've tried it. I guess there is no prevail for the version. I'm better off buying the game on Steam. Thanks for helping though.
 

masagrator (OP)

Quote:
Very nice tutorial, but it seems the v9 games don't work.
Any method for the v9 games?

Bassmaster is a v11.27 game and the method worked for it. So this tutorial works for every UE4 game. If you can't find the key in it and you're 100% sure you are doing everything right, it usually means your PAK is not encrypted.
 

monoiris

Quote (masagrator):
Bassmaster is a v11.27 game and the method worked for it. So this tutorial works for every UE4 game. If you can't find the key in it and you're 100% sure you are doing everything right, it usually means your PAK is not encrypted.

Thanks for the reply. It turns out that the game is not encrypted. Sorry for the bother.
 

desf

What if the code you said to put in the search, once you have clicked on "Memory", doesn't find anything?
Is there a criterion or something to find this stuff and start searching for the key?
Post automatically merged:

But what if the code you said to put into the search doesn't work?
Is there a criterion for finding the right code, or is there another way to start finding the key?
I kind of want to know so I can mod a game.
 

masagrator (OP)

Quote (desf):
What if the code you said to put in the search, once you have clicked on "Memory", doesn't find anything?
Is there a criterion or something to find this stuff and start searching for the key?
Post automatically merged:

But what if the code you said to put into the search doesn't work?
Is there a criterion for finding the right code, or is there another way to start finding the key?
I kind of want to know so I can mod a game.

Then either the pak is not encrypted or it's using custom encryption.
 

masagrator (OP)

Recently I found that this method doesn't work for games made with Unreal Engine 4 versions older than 4.21.

Example of how the function looks in Borderlands 3, which uses 4.20.3:

(screenshot)

At unk_7109AC1640 the key is stored as 32 contiguous bytes instead of being split into 2 x 16-byte parts as in v7 and later.

The easiest way to find the function is by searching for the bytes
Code:
20 69 E8 3C 00 68 A8 3C
which correspond to
Code:
LDR             Q0, [X9,X8]
STR             Q0, [X0,X8]

Sadly, this is still not the end of the issues with Borderlands 3, because it uses custom index parsing, so it's not possible to unpack its PAK with unrealpak. But the key extracted this way definitely works, as we get properly decrypted file names.
 
Last edited by masagrator,
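To see why these byte patterns land on the key-copy stub, here is a small decoder, added as an example and not code from the thread, that turns both 8-byte patterns quoted in this topic (the v7+ pattern 00 04 00 AD C0 03 5F D6 from the first post and the pre-4.21 pattern 20 69 E8 3C 00 68 A8 3C above) into AArch64 instructions. The first decodes to STP Q0, Q1, [X0] followed by RET: a function that stores two 16-byte Q registers into the buffer X0 points to and returns, which is exactly a stub handing out a 32-byte key it loaded from two constants. The second is one step of a 16-byte-at-a-time copy loop. In both cases the secret is a compile-time constant next to a trivially recognisable copy routine, which is why a key embedded in the client binary provides no real confidentiality. Only the instruction forms needed to read such stubs are covered (STP/LDP of Q registers with signed offset, LDR/STR of a Q register with register or unsigned offset, ADRP, RET); the encodings are taken from the Arm A64 reference and the register spelling mimics IDA.

```python
"""Decode the two 8-byte AArch64 search patterns quoted in this thread.

Each pattern is two little-endian 32-bit instruction words.  Only the
encodings needed to read a key-copy stub are handled: STP/LDP of two Q
registers (signed offset), LDR/STR of one Q register (register offset or
unsigned immediate offset), ADRP and RET.  Anything else is left as .inst.
Encodings follow the Arm A64 reference; output mimics IDA's spelling."""
import struct

# Patterns quoted in the thread: the v7+ tutorial pattern and the pre-4.21 one
TUTORIAL_PATTERN = "00 04 00 AD C0 03 5F D6"
BORDERLANDS_PATTERN = "20 69 E8 3C 00 68 A8 3C"


def _signed(value, bits):
    """Sign-extend the low `bits` bits of value."""
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


def decode_insn(word):
    """Return a textual disassembly of one 32-bit AArch64 instruction word."""
    rt, rn, rt2 = word & 31, (word >> 5) & 31, (word >> 10) & 31
    # RET {Xn}: fixed bits 1101 0110 0101 1111 0000 00, Rn in bits 9:5
    if (word & 0xFFFFFC1F) == 0xD65F0000:
        return "RET" if rn == 30 else f"RET X{rn}"
    # STP/LDP Qt, Qt2, [Xn{,#imm}]: opc=10, V=1, signed-offset form; imm7 scaled by 16
    if (word & 0xFFC00000) in (0xAD000000, 0xAD400000):
        mnemonic = "LDP" if word & (1 << 22) else "STP"
        imm = _signed((word >> 15) & 0x7F, 7) * 16
        addr = f"[X{rn}]" if imm == 0 else f"[X{rn},#{imm:#x}]"
        return f"{mnemonic} Q{rt}, Q{rt2}, {addr}"
    # LDR/STR Qt, [Xn,Xm{,ext}]: size=00, V=1, opc=11 (load) / 10 (store), register offset
    if (word & 0xFFE00C00) in (0x3CE00800, 0x3CA00800):
        mnemonic = "LDR" if word & (1 << 22) else "STR"
        rm, option, s = (word >> 16) & 31, (word >> 13) & 7, (word >> 12) & 1
        ext = {2: "UXTW", 3: "LSL", 6: "SXTW", 7: "SXTX"}.get(option)
        if ext is None:
            return f".inst {word:#010x}  ; reserved extend option"
        reg = f"W{rm}" if ext in ("UXTW", "SXTW") else f"X{rm}"
        if s:
            suffix = f",{ext} #4"  # shift/extend by the 16-byte access size
        else:
            suffix = "" if ext == "LSL" else f",{ext}"
        return f"{mnemonic} Q{rt}, [X{rn},{reg}{suffix}]"
    # LDR/STR Qt, [Xn{,#imm}]: unsigned-offset form; imm12 scaled by 16
    if (word & 0xFFC00000) in (0x3DC00000, 0x3D800000):
        mnemonic = "LDR" if word & (1 << 22) else "STR"
        imm = ((word >> 10) & 0xFFF) * 16
        addr = f"[X{rn}]" if imm == 0 else f"[X{rn},#{imm:#x}]"
        return f"{mnemonic} Q{rt}, {addr}"
    # ADRP Xd, #page: op=1, immlo in bits 30:29, 10000, immhi in bits 23:5
    if (word & 0x9F000000) == 0x90000000:
        immlo, immhi = (word >> 29) & 3, (word >> 5) & 0x7FFFF
        page = _signed((immhi << 2) | immlo, 21) << 12
        return f"ADRP X{rt}, #{page:#x}"
    return f".inst {word:#010x}  ; not decoded by this example"


def decode_pattern(pattern_hex):
    """Split a spaced hex pattern into little-endian words and decode each."""
    raw = bytes.fromhex(pattern_hex)
    if len(raw) % 4:
        raise ValueError("AArch64 patterns must be a multiple of 4 bytes")
    return [decode_insn(w) for w in struct.unpack("<%dI" % (len(raw) // 4), raw)]


if __name__ == "__main__":
    for name, pattern in (("v7+ key stub", TUTORIAL_PATTERN), ("pre-4.21 copy loop", BORDERLANDS_PATTERN)):
        print(name)
        for line in decode_pattern(pattern):
            print("   ", line)
```

The decoder also handles ADRP and the unsigned-offset LDR Q form so that the remaining lines of the 5 or 6 instruction function the Ghidra notes describe (address the constant, load it into Q0/Q1, store both, return) can be read the same way if you paste their bytes.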
