I have managed to figure out the Crysis 3 PAK file decryption process

The reason I was absent from the blog was because I was working on decrypting the PAK files, I am more or less nearly done. Working on them taught me some things, the ZIP file format, working with Intel's PIN, working with libtomcrypt and slightly less about crypto.

Now, a little bit about the encrypted PAK files. They are essentially zip files, however their Central Directory is encrypted, while the End of central directory left intact in order to locate the CDR. The local file headers which also describe the files are broken, and some fields from ZIP file structure have been either reused or obfuscated on purpose, for instance the compression field in the Central Directory entry(one CDR means one structure describing a file) was set to either 13 or 14(which have specific meaning for the pak files), but they are not correct, the files are compressed with DEFLATE, this is method 8, not 13 or 14. The CDR also has a field, the relative offset to the Local File Header structure, this structure, or rather, after it, is where the compressed file resides, only that it too is encrypted, so it must be decrypted before decompressed.
The CDR is encrypted with a Blowfish cipher, the blowfish keys as well as the IVs(Initialization Vector) are encrypted with an RSA key available on the internet, but while I took advantage of this, I also found out where the key is stored, address 0x3B9ADFD4.

A member of the Xentax forum who had previously decrypted the files, has helped me with some snippets of code, however much of the decryption process I have figured out myself by digging into the ASM for days and then writing my (ugly) code. I just wanted to lay this out, I have taken what help he has offered, but this doesn't mean I did nothing.

Now, after writing the decryption code for the CDR, rebuilding the local file headers, appending the EOCD, I have a (mostly) working archive, all that is left to decrypt the compressed file.
And finished. I have officially written a decrypter for the Crysis 3 PAK files. Source code will be published once I clean it up.

Denuvo cracked?

According to this article http://www.dsogaming.com/news/report-denuvo-drm-system-has-been-cracked/, some part of Denuvo has been cracked.

Well done 3DM. However, there is still no official crack released, I expect fake torrents to be appearing pretending to be a crack from 3DM, they will likely not be, what they will be is malicious.

But while at it, I do want to mention that when it comes to 64-bit practical RE, the tools are just now being developed. It is only in IDA 6.6 that an x64 decompiler was added, but for us mortals, we can never buy this. Personally, I am a fan of Ollydbg, but I admit it has faults and limitations, one of them being no support for x64 RE, x64dbg is trying to fix that, but it will take a long time before it is truly useful for that.

More games to use the new Denuvo DRM

Dragon Age Inquisition.

Lords of the Fallen.

And as a reminder, no there is no crack yet for FIFA15, thus there will be no crack for either of these games, till Denuvo has been researched and defeated, if at all.

Also, I have no ETA on cracks, I am not affiliated with scene groups, I am just a guy that likes RE as a hobby, but I find this protection a pain in the ass already, even though I've never worked with it.

FIFA15 and the new DRM Denuvo

So at first I speculated it had SecuROM, just like FIFA14, but then we(when I say "we" I do mean the internet) find out it has a new DRM called Denuvo and this is why there is no crack yet, it's new and it will take time for it to be studied and bypassed, and maybe the rather low chance of there being no crack at all.
It took me 30 days just to run SecuROM under a debugger, so it's not unlikely the same thing to happen with a new DRM.

I've no idea what Denuvo employs, frankly I do not care, but if it gains traction and remains uncracked, things will get "interesting".

To say this in simple words, there is no crack yet, any crack you do find googling will likely turn out to be a virus.

Addendum: The upcoming GTA V game will also use this DRM. Seems like GTA V will not use Denuvo afterall, http://www.incgamers.com/2014/11/grand-theft-auto-v-will-not-use-denuvo-drm-says-company-co-owner

Sorry, could not think of a title for this post. You probably noticed it's been over a month since my last post, truth be told I took a break from RE to focus on some other things, and now doing very light reverse engineering.

My current goal is, and you've probably noticed I switch it quite often, is to decrypt the Crysis 3 PAK files, which are just Twofish encrypted ZIP files. Thankfully, I was provided with the RSA (private?)key and some code snippets to get me started, but by themselves they are not helpful, so I am stepping in and out of the crysis 3 code which decrypts and caches the pak files.

My knowledge of cryptography is comparable to my knowledge of Chinese and C++, and even then I know C++ a lot better than crypto, and trust me, I don't know that much about C++ and literally nothing about Chinese.

Alice Madness Returns, disappointed...

Well, I am shocked, in all my time I have never seen such a sloppy job.

I downloaded the RELOADED release of the game, expecting the game to work, waited for a while for the game to install, only to be greeted by the message "Failed to find default engine .ini file" upon launching the game. I said to myself, its ok , it happens. I tried desperately to fix the issue for half an hour, to no avail.

Then I deemed the release of RELOADED just plain bad, but the madness returns!!
I downloaded the skidrow release, surprise surprise, all missing files were there, I launch the game, greeted by the skidrow logo, then...a crash in kernelbase.dll.

But the madness did not end there, I then started to search for a working crack, I tried a RELOADED crackfix, so far so good, until I actually try to launch it, this time the game did not crash, instead I am greeted with a box saying "The game has been modified or tampered with".
Ridiculous, simply madness, but hey it didn't end there, I downloaded the Theta crackfix, I launch it, bam, crash in kernelbase.DLL.

After wasting over an hour trying to make the game run, I finally gave up.
I have never ever seen such a sloppy attempt to crack a game. It isn't even a crack, but "crac", as its incomplete.

I have not posted in a few days. The reason is because I was preoccupied by SecuROM, for two days straight since my last post I had been working on my dumped exe, figuring out why it crashed beyond a certain point. It took me 2 days, almost sleepless and not eating at all to figure out the problem.

It was difficult as my trace was inconclusive, it showed the main thread simply continuing execution to some invalid address. After working on it for days, I found out that my trace was being b0rked by OllyExt, a plugin for Ollydbg 2.01, so I disabled that and found my problem.

The offending code was a huge jump table, I guess at some point execution jumped to that location, but the jump table itself had unfilled addresses to pointers to the FMOD Sound System.

From then on because of my poor pointer arithmetic skills and almost no knowledge of the PE format, it was a whole day before I wrote a small tool to identify the pointers in the original exe to those in the FMOD Sound system DLL(s). This was further delayed by some unknown bug where the index of an exported function did not match the index of the name array, if it was a C unmangled exported function. All C++ mangled/decorated functions's indexes into the name array were correct.

Then I generated my own table of GetProcAddress-es to include in my stub. After that execution of the exe continued, till I stumbled on another problematic area, of some address not being correct, one that is filled by the SecuROM VM before OEP is reached.

So thats going to take some more days.

RtlUserThreadStart modification.

And back to SecuROM folks. Two days ago I stumbled on some stuff by accident. Turns out, SecuROM modifies the IAT of some modules(predetermined I believe) during runtime, and replaces pointers to various kernel routines such as CreateThread,LoadLibraryExA,LoadlibraryExW,LoadLibraryW to its own obfuscated routines, this in several modules.
I wrote my own tool to repatch back to the old routines. It worked fine after I patched back the old pointers, with the exception of RtlUserThreadStart, securom gets the address of this routine(via GetProcAddress, not in IAT of any module), and modifies this jump at RtlUserThreadStart+0x8, to point to a trampoline jump in a codecave in ntdll.dll, and then another jump back into securom code. If this code is not executed, securom cannot continue, it just waits.

SecuROM v8.10 might pack more than I thought.

Once you bypass the anti-debug APIs, you realise that bypassing those is the easy part, now I feel a bit ashamed that it took me 30 days just to bypass them. Oh well.

I've identified a few threads that are started before OEP which are essential, I've only just started to analyse them, they are obfuscated so reading the assembly will be difficult.

A small sidenote unrelated to all of this. There is a method on the internet for finding out the version of securom, searching for the string 'AddD' will show a version number next to it, for Securom v8, this method no longer works, there is a version displayed, but it's not correct.

Everybody trying to discourage me.

I've noticed that lately a lot of people are trying to discourage me from trying to crack SecuROM. One of the securom developers himself told me to give up. And a bunch of other people.

It's definitely a confidence breaker, but I will get over it. Meanwhile, give up on trying to make me give up ;)