Extracting 3D models / ANIMATIONS / CUTSCENES from PS4 games

Hi, I'm very interested in extracting 3D models and animations from PS4 games.

https://forum.xentax.com/viewforum.php? ... b4f1172188
https://zenhax.com/viewtopic.php?f=5&t=14010
https://forum.xentax.com/viewtopic.php?f=16&t=22580

As you can see here, ID daemon has managed to extract animations from TLOU2, so he must surely have a kernel exploit to decrypt the game's PKG.



THE LAST OF US 2: https://forum.xentax.com/viewtopic.php?f=16&t=22580
THE LAST OF US: https://forum.xentax.com/viewtopic.php? ... &hilit=PS4
RDR2: https://zenhax.com/viewtopic.php?f=5&t= ... t=red+dead

SPIDERMAN: https://www.psxhax.com/threads/marvels- ... emon.6885/
GOD OF WAR: https://forum.xentax.com/viewtopic.php? ... &hilit=PS4

UNCHARTED 4: https://forum.xentax.com/viewtopic.php?p=140595#p140595
BLOODBORNE: https://forum.xentax.com/viewtopic.php? ... &hilit=PS4

DEATH STRANDING: https://forum.xentax.com/viewtopic.php? ... &hilit=PS4
Extracting cutscenes: https://forum.xentax.com/viewtopic.php? ... S4#p165310
Espio wrote: ↑Sun Jul 26, 2020 1:14 am
Any progress on extracting videos from movies.mpk file?
The decryption used on the mpk files is the same for the header and info, the salt is different this time { 0x833237C3, 0xBA5CD4B6, 0x3371A06B, 0xAEA7EDB2 }; 0x04 of header is the 4 bytes which replace the first 4 bytes of the salt this time round with 1 pass for decryption. 0x08, 0x0C are both used to replace the first 4 bytes of the salt for each pass respectively. Haven't found the subroutine for where the decryption of the rest of the data is done yet.

Edit: Ok, quite close to figuring out the movie decryption, it's mostly similar to the main file decryption, the differences being that there is an xmm blend this time before the xor salt, which blends against a value from EBP. It was 0 in the example I was debugging the first time it hit the function, 2 the second, 1 the third. So I'll have to see what it actually resolves to to say this is figured out completely (at a guess it could be the current iteration). The xor salt this time is { 0xCE857276, 0x9ACC40E8, 0x8242DBD6, 0xCF703987 } after the md5 hash it xors a fixed number of times (0x10000 as it's 0x10 bytes a time that's 0x100000 bytes). Not sure how it handles alignment considering this loop is rigid, may just pad bytes up to that in the last few passes. I'd probably have to step out of this function a bit to resolve the last few unknowns, I'll add it to my source once it's done.

Edit2: EBP did turn out to be the current iteration of the function so that it is what gets blended with the result of the murmurhash func, the rest is pretty much the same and that's all there is to the movie decryption. I've added an implementation of it to the tool I posted above.


Does anyone know where to find these tools? Are they copyrighted?