Here is some information for reference in terms of “decrypting” the profile files. This is not a complete method (yet), but it does get rid of one of the layers of ‘security’ that are added to the files.

Please note: The information shared in this post is for educational purposes only. Any information regarding this topic, the game (Grim Dawn) or any other material is not for the purpose of harm or exploitation of the game, its content, or any other related entity. It is simply a hobby of mine to do things like this.

I just bought Grim Dawn yesterday and saw this topic while it was downloading. I enjoy reverse engineering things and modding games further than what they allow by default toolsets or addon systems. So seeing that there was a challenge in decrypting the profile files intrigued me. (Don’t get me wrong, I did buy Grim Dawn before seeing this topic. I love ARPG style games and was a huge TitanQuest fan. So I am very excited to play Grim Dawn itself as well.)

Phase 1 of looking into the save game files is static analysis. By that I mean opening the raw file in a text editor / hex editor and seeing how the content looks. In some cases, the file may be fully unprotected, or use an encryption/encoding method that looks familiar due to using a similar character set and so on. Looking at the files for Grim Dawn, that is not the case though: there is no readable data or anything that looks familiar off-hand.

Next, I moved on to looking at how the game is accessing the file. First, we know the file name is ‘player.gdc’. So we can use Cheat Engine to scan the game’s memory for the file name. Taking a look at each result, we see that there is a slash at the front of the names of the files, so we need to alter the result by -1 for the addresses. Next, we need to use Cheat Engine’s debugger to set breakpoints on each of the entries to see which is accessed while reading the profiles. Luckily in this case, the first one is used and we are saved the hassle of doing all that work.

Now we can use Cheat Engine’s debugger to see how the file name is used. In this case, we land up in the first instruction result here: Setting a breakpoint inside of this function yields a ton of breaks. This seems to be a common function used for a lot of different strings. However, we do know that when ECX = 0x01580064 it is referencing our string, so we can set a conditional breakpoint here for when ECX is our value. Next, we allow the game to run and read the file again.

Next we follow the function base to its base call that invoked the use of this string. So we follow the returns of each call until we land up in a function that looks more like a base. (This is a bit of guesswork to decide which function is that one. However, Grim Dawn does have debug info in it, so it makes that job a bit easier too.) We land up inside of a function within the game’s executable. This function calls things in the following order:

- (fastcall) DecryptBuffer (Guessed name; what it does is also a guess.)
- Afterward, multiple other calls are made to localization objects and such. I have not analyzed that far yet as of this first post.

The call that is currently interesting to us is the ‘DecryptBuffer’ call, which looks like this currently in the client:

```
Grim dawn.exe+176B8F - 33 D2 - xor edx,edx
```
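The “Phase 1” static look at an unknown save file can be scripted rather than eyeballed in a hex editor. The script below is an added example and is not the author’s code or anything from Grim Dawn; it triages a blob the way a first hex-editor look does: hex dump, known container magic numbers, printable-character ratio, `strings`-style extraction and Shannon entropy. The two sample inputs are constructed for the example (a fake key=value save and a deterministic pseudo-random blob standing in for an encrypted one); the thresholds (0.9 printable, 7.5 bits/byte) are heuristic choices, not values from the post. The practical point it demonstrates is the one the post runs into: compressed and encrypted data both read as noise, so a missing magic number plus near-8-bit entropy tells you static analysis alone will not get further.

```python
import hashlib
import math
import re
from collections import Counter
from typing import Dict, List, Optional

# Known container signatures. A match means "compressed/packaged", which matters
# because compressed and encrypted data are otherwise indistinguishable by eye.
MAGIC_SIGNATURES = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x78\x01": "zlib",
    b"\x78\x9c": "zlib",
    b"\x78\xda": "zlib",
    b"\x89PNG": "png",
}

# Constructed sample inputs (not real Grim Dawn save data).
PLAINTEXT_SAMPLE = b"name=Hero\nlevel=12\nclass=Soldier\n" * 8
# Deterministic pseudo-random bytes standing in for an encrypted blob.
RANDOM_SAMPLE = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant blob, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def find_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def match_magic(data: bytes) -> Optional[str]:
    """Name of the container format whose signature the blob starts with, if any."""
    for sig, name in MAGIC_SIGNATURES.items():
        if data.startswith(sig):
            return name
    return None


def hexdump(data: bytes, length: int = 64) -> str:
    """Classic offset / hex / ASCII dump of the first `length` bytes."""
    lines = []
    for off in range(0, min(len(data), length), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<47}  {asc}")
    return "\n".join(lines)


def triage(data: bytes) -> Dict:
    """Classify an unknown file blob the way a first hex-editor look would."""
    magic = match_magic(data)
    ent = shannon_entropy(data)
    ratio = printable_ratio(data)
    if magic:
        verdict = f"container:{magic}"
    elif ratio >= 0.9:
        verdict = "text"
    elif ent >= 7.5:
        verdict = "high-entropy"  # compressed without a header, or encrypted
    else:
        verdict = "structured-binary"  # e.g. plainly serialized fields
    return {
        "magic": magic,
        "entropy": round(ent, 3),
        "printable_ratio": round(ratio, 3),
        "strings": find_strings(data)[:10],
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, blob in (("plaintext", PLAINTEXT_SAMPLE), ("random", RANDOM_SAMPLE)):
        print(label, triage(blob))
        print(hexdump(blob, 32))
```

Run it on a real file with `triage(open(path, "rb").read())`. A verdict of `high-entropy` with no magic is the situation the post describes for Grim Dawn, and it is the signal to move on to watching the game read the file rather than staring at the bytes.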
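The memory scan for ‘player.gdc’ and the “alter the result by -1 because of the slash” step can also be done offline against a process memory dump. The following is an added example, not the author’s code and not a Cheat Engine script: it scans a byte image for every occurrence of a file name, and it goes a little beyond the post by looking for both the ASCII form and the UTF-16LE form (the encoding Win32 wide-string APIs use), and by reporting the start of the enclosing NUL-terminated string instead of assuming a fixed offset, so a `/` or a full drive path in front of the bare name is handled the same way. The memory image and its base address `0x01580000` are constructed for the example; they are not a real dump of the game.

```python
from typing import Dict, List, Tuple

# Constructed process-memory image (not a real Grim Dawn dump). The file name
# appears twice: as an ASCII C string preceded by a path separator, and inside
# a UTF-16LE full path.
FILENAME = "player.gdc"
BASE = 0x01580000  # constructed base address for the image
MEMORY = (
    b"\x00" * 0x60
    + b"\x00/player.gdc\x00"
    + b"\x00" * 0x20
    + "C:\\Saves\\player.gdc".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 0x10
)


def _ascii_bounds(mem: bytes, hit: int) -> Tuple[int, int]:
    """Start/end offsets of the NUL-terminated ASCII string containing `hit`."""
    start = hit
    while start > 0 and mem[start - 1] != 0:
        start -= 1
    end = mem.find(b"\x00", hit)
    return start, (len(mem) if end < 0 else end)


def _utf16_bounds(mem: bytes, hit: int) -> Tuple[int, int]:
    """Start/end offsets of the double-NUL-terminated UTF-16LE string containing `hit`."""
    start = hit
    while start >= 2 and mem[start - 2:start] != b"\x00\x00":
        start -= 2
    end = hit
    while end + 2 <= len(mem) and mem[end:end + 2] != b"\x00\x00":
        end += 2
    return start, end


def scan_for_string(mem: bytes, needle: str, base: int) -> List[Dict]:
    """Every ASCII and UTF-16LE occurrence of `needle` in `mem`, sorted by address.

    Each hit records the address of the match itself and the address where the
    enclosing string starts, which is the value a pointer in the program will
    actually hold when a path prefix sits in front of the bare file name.
    """
    hits = []
    for encoding, bounds in (("ascii", _ascii_bounds), ("utf-16-le", _utf16_bounds)):
        pattern = needle.encode(encoding)
        pos = mem.find(pattern)
        while pos != -1:
            start, end = bounds(mem, pos)
            hits.append({
                "encoding": encoding,
                "address": base + pos,
                "string_start": base + start,
                "context": mem[start:end].decode(encoding, errors="replace"),
            })
            pos = mem.find(pattern, pos + 1)
    return sorted(hits, key=lambda h: h["address"])


if __name__ == "__main__":
    for h in scan_for_string(MEMORY, FILENAME, BASE):
        print(f"{h['address']:08X} {h['encoding']:9} "
              f"string starts at {h['string_start']:08X}: {h['context']!r}")
```

The `string_start` value is what to put the access breakpoint on: a pointer passed in a register such as ECX points at the beginning of the string, not at the first byte of the file name inside it.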