Help with some encrypted files... by bxaimc at 10:57 PM EDT on April 26, 2017
So, I need some help if anyone is up to the challenge.
Here I have 2 files, one decrypted and one encrypted. They're the same file (I assume). So, if anyone is familiar with encryption, I'd appreciate the pointers. Note, it looks like xor to me but I don't know where to start with that....
At every 0x60 it starts with this xor key:
A3DD5146 7C495B1C 81258155 9A6BAFD5
Then the xor seems to change based on the previous -0x10 decoded value?
ex.
dec at 0x03 is AF, xor at 0x13 is 91
dec at 0xC3 is AD, xor at 0xD3 is 93
dec at 0x08 is 25, xor at 0x18 is 0A
dec at 0xC8 is 25, xor at 0xD8 is 0A
(values near 0x08 and 0xC8 change, while 25 is fixed)
Do you have a reason to believe that audio is encrypted with a fundamentally different algorithm? My purpose is to give bnnm and others something to look at from the same game, that decode() function might be the same. Hopefully it isn't an unrelated distraction.
If you do know for sure that audio uses a different algorithm, please elaborate.
@hcs - I'm just pointing out the exact purpose of the tool you have kept from a long time ago. The moment I used that tool on my copy of that game is the moment I knew exactly the purpose of its tool.
As bnnm said, it seems to use an XOR algorithm for its "audio" files.
I'm sorry to keep dragging out this discussion, I guess I'm not being clear.
I know what this program (docdec) is for, for decrypting archives of video in DoC.
The audio in DoC is also encrypted, as far as I know no one knows yet how this encryption works. I propose that the audio and video encryption might be similar.
docdec clearly won't work without modification as it is expecting an archive with an index table, but the central decode() function might well be identical. And as things seem to repeat over the frame size, it may be encrypted one frame at a time. The key will need to be found (if it isn't in the at3 header it might be in an index somewhere). The codes table might also be different, but it should be possible to determine it with a before and after pair like bxaimc posted, or find it in the game based on figuring out the first few values.
There will be a lot of looking at data and guessing still, but it's easier to guess if you know possibilities that you can recognize.
I could be entirely wrong about this, but it seems like a good lead to me. I'll be looking into it myself from this angle, though I don't have a whole lot of hope.
For what it's worth, every ^ in that source code is an XOR operation.
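A known-plaintext check for the two observations in the first post (a fixed XOR key at every 0x60, and later key bytes tracking the decoded byte 0x10 earlier), as an added example that is not part of the thread or of docdec. `toy_encrypt` and the sample pair are constructed stand-ins, not the game's algorithm; with a real before/after pair, the two files' bytes would take the place of `SAMPLE_ENC` and `SAMPLE_DEC`.

```python
FRAME, LAG = 0x60, 0x10   # frame size and feedback distance quoted in the thread
START_KEY = bytes.fromhex("A3DD51467C495B1C812581559A6BAFD5")  # key quoted in the thread

def keystream(enc: bytes, dec: bytes) -> bytes:
    """XOR of ciphertext and plaintext: the byte each position was masked with."""
    if len(enc) != len(dec):
        raise ValueError("pair must be the same length")
    return bytes(e ^ d for e, d in zip(enc, dec))

def frame_start_keys(ks: bytes) -> set:
    """Distinct 16-byte keystream prefixes seen at the start of each frame."""
    return {ks[o:o + LAG] for o in range(0, len(ks) - LAG + 1, FRAME)}

def feedback_conflicts(ks: bytes, dec: bytes) -> dict:
    """Map (offset in frame, dec[i-LAG]) -> keystream bytes seen there; return
    only entries with more than one value, which contradict the hypothesis."""
    seen = {}
    for i in range(len(ks)):
        pos = i % FRAME
        if pos >= LAG:  # the first LAG bytes of a frame use the start key
            seen.setdefault((pos, dec[i - LAG]), set()).add(ks[i])
    return {k: v for k, v in seen.items() if len(v) > 1}

def toy_encrypt(dec: bytes) -> bytes:
    """Constructed stand-in cipher (NOT the game's algorithm) with the shape
    described in the thread, used only to generate a sample pair."""
    out = bytearray()
    for i, p in enumerate(dec):
        pos = i % FRAME
        k = START_KEY[pos] if pos < LAG else (dec[i - LAG] * 7 + 3) & 0xFF
        out.append(p ^ k)
    return bytes(out)

# Constructed sample pair: four frames of arbitrary bytes.
SAMPLE_DEC = bytes((i * 37 + 11) & 0xFF for i in range(4 * FRAME))
SAMPLE_ENC = toy_encrypt(SAMPLE_DEC)

if __name__ == "__main__":
    ks = keystream(SAMPLE_ENC, SAMPLE_DEC)
    print("start keys:", [k.hex() for k in frame_start_keys(ks)])
    print("conflicts:", feedback_conflicts(ks, SAMPLE_DEC))
```

A single start key and an empty conflict table mean the pair is consistent with both observations; any conflict entry shows an offset where the same earlier decoded byte produced different key bytes, so the dependence must involve something else.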