March 29, 2024, 15:36
Gildor's Forums

Author Topic: How to find Fortnite AES encryption key  (Read 23340 times)
Gildor
« on: April 12, 2018, 23:55 »

I'd like to provide a few hints which might be useful for those who have programming and assembly-level debugging skills.

  • Only the pak file index is encrypted. It is read during game startup, so putting any breakpoint after that is useless.
  • Having a good C++ code reference is good. Pak file index loading code is in FPakFile::LoadIndex() - Engine/Source/Runtime/PakFile/Private/IPlatformFilePak.cpp.
  • Decryption is done with the following code:
Code:
    // Decrypt if necessary
    if (Info.bEncryptedIndex)
    {
        DecryptData(IndexData.GetData(), Info.IndexSize);
    }
  • It calls this:
Code:
    void DecryptData(uint8* InData, uint32 InDataSize)
    {
        SCOPE_SECONDS_ACCUMULATOR(STAT_PakCache_DecryptTime);
        FAES::FAESKey Key;
        FPakPlatformFile::GetPakEncryptionKey(Key);
        FAES::DecryptData(InData, InDataSize, Key);
    }
  • So, you may see that the key is requested by calling FPakPlatformFile::GetPakEncryptionKey() and passed to FAES object's constructor.
  • The key is requested with the following function:
Code:
    void FPakPlatformFile::GetPakEncryptionKey(FAES::FAESKey& OutKey)
    {
        FCoreDelegates::FPakEncryptionKeyDelegate& Delegate = FCoreDelegates::GetPakEncryptionKeyDelegate();
        if (Delegate.IsBound())
        {
            Delegate.Execute(OutKey.Key);
        }
        else
        {
            FMemory::Memset(OutKey.Key, 0, sizeof(OutKey.Key));
        }
    }
It calls a delegate, so locating this place is not very easy.
  • So, the best location for a breakpoint is the FAES::FAESKey class (Engine/Source/Runtime/Core/Public/Misc/AES.h). Of course, you can't see where this function is located - you don't have any information in assembly mode. However FAES::DecryptData() does the following:
Code:
    void FAES::DecryptData(uint8* Contents, uint32 NumBytes, const FAESKey& Key)
    {
        checkf(Key.IsValid(), TEXT("No valid decryption key specified"));
        DecryptData(Contents, NumBytes, Key.Key, sizeof(Key.Key));
    }
It receives the key as the 3rd parameter. It performs some check, and throws an error "No valid decryption key specified". It is possible to find this message, and find places which have a reference to it. If this message is missing (for example, if the engine was compiled with error messages switched off), then you should look for the FAES::DecryptData() function. It has the following line in its body:
Code:
    nrounds = rijndaelSetupDecrypt(rk, KeyBytes, AES_KEYBITS);
This function prepares decryption tables according to key contents, and it uses large data tables. These tables are all in that cpp file, and they are good patterns to find. Even more, I think it is possible to place a hardware breakpoint which will be executed when the data is read - you should just analyze rijndaelSetupEncrypt() C++ code and find which tables are used for decryption.

Hope this helps.
« Last Edit: October 13, 2020, 09:41 by Gildor » Logged
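
Added example, not part of the original post and not Epic's or UModel's code: the "tables are good patterns" idea above generalises to identifying an embedded AES implementation in any binary under audit. It assumes the common reference-implementation layout (byte S-boxes, and Td0 stored as 256 32-bit words); `find_aes_tables` and the sample buffer are constructed for illustration.

```python
import struct

def gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial 0x11b."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def build_sbox():
    """Derive the AES S-box: field inverse followed by the affine transform."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        s = inv ^ 0x63
        for shift in range(1, 5):
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox.append(s)
    return sbox

SBOX = build_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]
# Decryption T-table: Td0[x] = InvSbox[x] * (0e, 09, 0d, 0b) packed in one word.
TD0 = [gmul(s, 14) << 24 | gmul(s, 9) << 16 | gmul(s, 13) << 8 | gmul(s, 11)
       for s in INV_SBOX]

SIGNATURES = {  # a 64-byte prefix of each table is distinctive enough to match on
    "sbox": bytes(SBOX[:64]),
    "inv_sbox": bytes(INV_SBOX[:64]),
    "Td0 little-endian": struct.pack("<16I", *TD0[:16]),
    "Td0 big-endian": struct.pack(">16I", *TD0[:16]),
}

def find_aes_tables(blob):
    """Return sorted (offset, table name) pairs for each AES table in blob."""
    hits = []
    for name, sig in SIGNATURES.items():
        pos = blob.find(sig)
        while pos != -1:
            hits.append((pos, name))
            pos = blob.find(sig, pos + 1)
    return sorted(hits)

if __name__ == "__main__":
    # Constructed sample: filler bytes, then Td0 and the inverse S-box back to back.
    sample = b"\x90" * 100 + struct.pack("<256I", *TD0) + bytes(INV_SBOX)
    print(find_aes_tables(sample))
```

The tables are derived from the AES definition rather than pasted in, so the same script can be extended to Te0 or rotated table variants by adding entries to `SIGNATURES`.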
Gildor
« Reply #1 on: April 13, 2018, 23:34 »

Quote:
-the creator of the forum and his friend know how to get this key, probably have this key already, but won't share it because "epic games will make it more difficult to find"

I am the creator, and I don't have a key. If I'll have it from this thread - nice, I'd be able to check how UModel works with new Fortnite. If not - not a problem for me at all. If I'd need it - I'd dig for it - I would waste probably a few hours, then get it. But I'm absolutely indifferent to this game.

Regarding "his friend" ... Well, I have a couple of friends who registered on this forum, but they're not involved in the Fortnite discussion at all, so I don't understand who you're talking about.

I do not understand people who are so "hungry" to get a pair of new meshes from the new game, it looks like they can't eat, can't sleep, can't do anything else. I see that it was the right decision to separate this thread from the main Fortnite discussion. I left home a few hours ago, and when I returned - there are 3 new pages in this thread filled with childish talk. There's absolutely nothing useful here at the moment (probably except a few posts), nothing that could be considered "information".

Gildor
« Reply #2 on: April 15, 2018, 23:51 »

"Taking out stuff" is not the main purpose of this program. It is most useful for people who want to LEARN stuff.

Also, Epic knows about my program very well. Not all of them, but at least several people from the top of the programming department. Nobody from Epic or any other game company has told me that I'm bad and doing illegal stuff. I've got a "thank you" from a few gaming companies over 10 years. There were just a few strange people on youtube etc - not game developers at all, who blamed me that I AM STEALING STUFF (cool - I'm almost not using UModel, and even if using - only for viewing content, and for testing new umodel functionality).

The Fortnite game has protection, but it is not against extraction. You can't use extracted assets for anything public anyway. But it is because this is an ONLINE game, where people cheat. Cheaters are the primary and maybe the only reason for the protected game executable and data files.

Gildor
« Reply #3 on: April 16, 2018, 01:28 »

Quote:
You're right Gildor, but do you 'blame' us just because you think we want the aes key for cheating??
and how could we just extract the files

I'm absolutely not blaming anyone. In short, I've just said that Epic is okay with UModel, that the protection is just against cheaters, and that there are not so many people who are against umodel (and probably against me) - and they're not related to the game development process at all.

stairwave
« Reply #4 on: June 11, 2018, 19:33 »

I think we should close this thread now, this is not going anywhere.

All you need to know is:
 AES key: 0x81c42e03b21760a5c457c8db7d52ba066f0633d0891fd9e37cf118f27687924a

Change the value from 06 to 05 like in my screenshot (it's always 27 bytes from the end) in every pak.
 

And please, for the future: think, check if it wasn't answered a few replies before, google, try out... and then ask, don't immediately type down a question the moment it comes up because most of the time you can answer them by thinking about it. Otherwise this cool Post gets filled with repeated questions and things found on google.


Juso3D
« Reply #5 on: June 11, 2018, 19:38 »

The post stairwave made is all you need, simply open each pak file up with a hex editor, I used HxD, search for

12 6F 5A 06

then change it to

12 6F 5A 05

and save the file, then use umodel with same recent aes key.

Did a major clean up this thread to make it easier to find the key, left a few key posts for 0x41 post count (Deserves it) and Gildor's key finding tip, thread is still locked until new key or workaround is needed, and to stop the post flooding, for now everything is here that you need.
« Last Edit: June 13, 2018, 07:46 by Blenux » Logged

Blender + Linux User Here.
XchickenXslayerX
« Reply #6 on: June 19, 2018, 10:28 »

In which program and on which files do you have to run the codes to get the aes key?

Gildor
« Reply #7 on: June 19, 2018, 10:48 »

There's no "getting codes" process. This is reverse engineering. Are you a programmer? Do you know assembly language? Did you ever disassemble any program?

XchickenXslayerX
« Reply #8 on: June 19, 2018, 15:40 »

Quote:
There's no "getting codes" process. This is reverse engineering. Are you a programmer? Do you know assembly language? Did you ever disassemble any program?

No not really, but I want to learn disassembling and reverse engineering. Do you know how to start with it?

Gildor
« Reply #9 on: June 19, 2018, 16:45 »

No. I started 25 years ago, on 8-bit platform.

HunteriX
« Reply #10 on: June 19, 2018, 19:35 »

I'm new here.

What about this :


38 encrypted?

Juso3D
« Reply #11 on: June 19, 2018, 21:51 »

Quote:
I'm new here.

What about this :


38 encrypted?

They are files that ain't important.
Logged

Blender + Linux User Here.
HunteriX
« Reply #12 on: June 19, 2018, 22:17 »

Quote:
They are files that ain't important.

Thanks for the reply.
It's strange because now I see the difference. Example on the latest patch missing the folder PWB ( Packages / PWB ).
I think the latest patch has clouded this folder.

Gildor
« Reply #13 on: June 19, 2018, 23:17 »

Encrypted files are ini.

FabianFG
« Reply #14 on: June 25, 2018, 09:40 »

I really started working on the topic a few days ago and I found a really easy solution without any AES Key.
I wrote a Pak Extractor which works without the Key.
For those who wanna learn it. Look in the Pak files and compare them with files you have in UModel Saved. And then just try to find similarities