Tutorial How to extract decryption key for Unreal Engine 4 *.pak files

masagrator

So lately we got two games that use index encryption, which hides information about file names, compressed and decompressed sizes, and the offsets where they are. Assets are not encrypted.

Here I will provide a method for getting the 32-byte hex decryption key from the main file. This tutorial is based on Ninjala version 2.1.
Don't share keys here, as this is a violation of the rules. The key provided in this tutorial has been faked.

The method was checked on these games:
Code:
- Ninjala 2.1
- Five Nights at Freddy's: Help Wanted 1.22
- FUSER
- Little Nightmares II 1.2

All of them use Unreal Engine 4.24.x. Other versions may use a different function for this, so if this tutorial doesn't work for some game, write a comment in this thread.

Requirements:
- IDA or Ghidra (you don't need decompilers) with support for ARM64/AArch64
- Knowledge of how to extract main from exefs (you can use nxdumptool) and how to use IDA or Ghidra (I won't explain how to properly load main into them)
- Some time


1. Load "main" from exefs into IDA or Ghidra
2. Analyze it so that as much as possible is disassembled (we don't need any types, demangled symbols, etc., only assembly)
3. The next steps depend on which tool you are using

IDA

    3.1. After the analysis finishes, go to Search -> sequence of bytes...

    3.2. In the window that appears, paste this:
    Code:
    00 04 00 AD C0 03 5F D6
    check "Find all occurrences" and press OK


    3.3. After a short while we will get a window with all results (in the case of Ninjala we have only 2 results)

    3.4. Jump to a result by clicking on it. We need to find a short function that includes three or four lines with the text "xmmword".
    If the function looks different, it is the wrong function; check the other results.

    3.5. Click on the first xmmword to jump to its address (in this case 7106753E30, which you can see after "xmmword_"). We are now at the first 16 bytes of our decryption key.
    Go to the Hex View tab and copy 16 bytes starting from the address the xmmword points to (that is, 7106753E30).


    So in this case we are copying:
    Code:
    12 11 34 56 78 90 12 34  43 21 09 87 65 43 21 00
    Paste it somewhere, for example into a text file, and save it.

    Go back to the function where the xmmwords were. Now go to the second xmmword (in this case xmmword_710675B580).
    Go to the Hex View tab and copy 16 bytes starting from the address the xmmword points to (that is, 710675B580).

    So in this case we are copying:
    Code:
    36 36 36 36 36 36 36 36  36 36 36 36 36 36 36 21

    and paste it at the end of the file where you pasted the previous 16 bytes. Delete all spaces in this file.

    Now our decryption key is ready:
    Code:
    1211345678901234432109876543210036363636363636363636363636363621

Ghidra

    3.1. After the analysis finishes, go to Search -> Memory


    3.2. Paste this code into the "Search value" window:
    Code:
    00 04 00 AD C0 03 5F D6
    Make sure the format is set to "Hex" and press "Search All".


    3.3. After a short while we will get a window with all results (in the case of Ninjala we have only 2 results)

    3.4. Jump to a result by clicking on it. We need to find the right function.

    With Ghidra there is a small complication: depending on how thorough your analysis was, you will get different output in the disassembler window. Maybe the best solution is to check whether the function you have has 5 or 6 instructions. If not, it's the wrong one and you should check the other results.

    DAT_ may be named differently depending on the quality of the analysis. Keep that in mind.

    3.5. Click on the first "offset DAT_" (in this case "offset DAT_7106753e30") to jump to that offset. You are now at the beginning of the first 16 bytes of the decryption key. Go to the "Bytes: " window and copy 16 bytes starting from the offset DAT pointed us to (in this case 7106753e30).


    So in this case we are copying:
    Code:
    12 11 34 56 78 90 12 34 43 21 09 87 65 43 21 00
    Paste it somewhere, for example into a text file, and save it.

    Go back to the function where the "offset DAT_" references were. Now go to the second "offset DAT_" (in this case DAT_710675b580); we are now at the last 16 bytes of the decryption key.
    Again go to the "Bytes: " window and copy 16 bytes starting from the offset DAT pointed us to (in this case 710675b580).


    So in this case we are copying:
    Code:
    36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 21

    and paste it at the end of the file where you pasted the previous 16 bytes. Delete all spaces in this file.

    Now our decryption key is ready:
    Code:
    1211345678901234432109876543210036363636363636363636363636363621
 
Last edited by masagrator,
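
What the searched byte pattern means, as an added example that is not part of the original post: decoded as little-endian A64 instructions, `00 04 00 AD C0 03 5F D6` is `stp q0, q1, [x0]` followed by `ret`, i.e. the end of a function that writes two 16-byte registers (32 bytes) through the pointer in x0, which is why the matching function is short and references two 16-byte constants. The function names `decode_a64`, `decode_signature` and `join_key_halves` are hypothetical, and the sample bytes are the faked values from the post.

```python
import struct

# Byte pattern from the tutorial's search step: two little-endian A64 words.
SIGNATURE = bytes.fromhex("00 04 00 AD C0 03 5F D6")


def decode_a64(word):
    """Decode the two A64 instruction classes that appear in the pattern."""
    # RET Xn: fixed bits 0xD65F0000 with Rn in bits 9..5 (x30 is the default).
    if word & 0xFFFFFC1F == 0xD65F0000:
        rn = (word >> 5) & 0x1F
        return "ret" if rn == 30 else f"ret x{rn}"
    # LDP/STP (SIMD&FP, signed offset): bits 29..23 are 1011010.
    opc = word >> 30
    if (word >> 23) & 0x7F == 0b1011010 and opc < 3:
        imm7 = (word >> 15) & 0x7F
        if imm7 & 0x40:  # sign-extend the 7-bit immediate
            imm7 -= 0x80
        rt2, rn, rt = (word >> 10) & 0x1F, (word >> 5) & 0x1F, word & 0x1F
        reg = "sdq"[opc]            # 32-, 64- or 128-bit register
        offset = imm7 * (4 << opc)  # immediate is scaled by register size
        base = "sp" if rn == 31 else f"x{rn}"
        addr = f"[{base}]" if offset == 0 else f"[{base}, #{offset}]"
        op = "ldp" if word & (1 << 22) else "stp"
        return f"{op} {reg}{rt}, {reg}{rt2}, {addr}"
    return None  # some other instruction; not needed for this pattern


def decode_signature(sig=SIGNATURE):
    """Return the disassembly of each 4-byte word in the pattern."""
    return [decode_a64(w) for (w,) in struct.iter_unpack("<I", sig)]


def join_key_halves(first, second):
    """Join two 16-byte hex dumps (spaces allowed) into one 64-char hex key."""
    halves = [bytes.fromhex(h) for h in (first, second)]
    if any(len(h) != 16 for h in halves):
        raise ValueError("each half must be exactly 16 bytes")
    return b"".join(halves).hex().upper()


if __name__ == "__main__":
    print(decode_signature())
    # Faked sample halves copied from the post, not a real key.
    print(join_key_halves("12 11 34 56 78 90 12 34  43 21 09 87 65 43 21 00",
                          "36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 21"))
```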