Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Breaking EA Desktop's pathetic Encryption- 1066

erri120, posted 3 years ago
  • The author of this post is the developer of GameFinder, a .NET library for finding games installed via different stores. EA recently deprecated Origin and moved to EA Desktop. While trying to add support for it, the author learned that EA had added some level of encryption to the install data. This post is about breaking that encryption.
  • The author found an IS file and ran it through a hex dump. The beginning of it appears to be a hash and the rest looks like junk. They fed the rest of the file into CyberChef with the Shannon Entropy operation to determine whether it was encrypted: the entropy is high, so the data is probably encrypted (high entropy alone does not distinguish encrypted from compressed data, but here the later steps confirm it).
  • How is it encrypted? The author noticed that the file changed whenever a download was stopped or started, so they queued a huge Apex Legends download, throttled it to 512 kb/s, and ran Process Monitor with a path filter on the file of interest to see what was accessing it.
  • The only executable that turned up was EABackgroundService.exe. Even better, Process Monitor records the call stack for each event, which points at the region of code that performs the file I/O and therefore at where to break in a debugger to see the data before it is encrypted. Pretty neat!
  • By following the code paths in x64dbg and Ghidra, they identified the functions that process the data - hurray for debug strings! In particular, the error string "AES256 CBC encryption failed" was a useful landmark. Next to it is a call to EVP_aes_256_cbc(), an OpenSSL function, so we now know the cipher and mode being used.
  • By stepping through this area in x64dbg, they could read the AES key and IV being passed in. At this point the key looked hardcoded (the next steps show it is actually derived per machine, and it is the IV that is the constant). They include a CyberChef recipe with the encrypted data, key and IV so readers can reproduce the decryption themselves.
  • How are the key and IV generated? Just before the encryption function, which takes the key and IV as arguments, the author found the function that produces them. The IV is always the same: SHA3_256("allUsersGenericId" + "IS"). A fixed IV throws away the reason to use CBC at all, since two files that begin with the same plaintext then produce the same leading ciphertext blocks under the same key.
  • The key derivation is more involved. The string hashed was "allUsersGenericId" + "IS" + "a2a0ad25aa3556c035b34ea63863794e54ad5b53". The first two pieces are constants, but the last looks odd: 40 hex characters is 160 bits, the size of a SHA-1 digest. Looking for the code that calls the SHA-1 routine (evp_SHA1) turned up a single function, which computes a SHA-1 hash of hardware information.
  • Quite a bit of data goes into that hash: baseboard manufacturer, baseboard serial number, BIOS serial number, processor ID and several more fields. The author reads the same information through the WMI API, so GameFinder can rebuild the key and decrypt the file on whatever machine it runs on.
  • The author closes with a number of complaints about how useless this encryption is. If you control the machine and the data has to be decrypted for the software to use it, any such scheme can be broken; it is obfuscation rather than encryption in any meaningful sense. It still took the author four days, which is further than most people would bother to go.
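As an added example (my own code, not erri120's post and not GameFinder's source), here is the scheme the notes above describe re-created end to end in Python: the entropy triage from the start of the post, the constant IV, the hardware-derived key, and the decrypt step that tooling on the victim machine has to perform, plus a small function showing what the fixed IV leaks. The following are assumptions, not facts from the post: which WMI fields are concatenated and in what order, that the leading hash occupies 64 bytes and is skipped, that the 32-byte SHA3-256 output is truncated to the 16-byte IV, that the key hash is SHA3-256 like the IV, and that OpenSSL's default PKCS#7 padding is in use. The machine profile and plaintext are constructed. AES itself comes from pycryptodome or cryptography, whichever is installed; everything else is standard library.

```python
import hashlib
from collections import Counter
from math import log2

SALT = b"allUsersGenericId"   # constant string from the post
FILE_ID = b"IS"               # name of the protected file
BLOCK = 16                    # AES block size
HEADER_LEN = 64               # assumption: the leading "hash" occupies 64 bytes

# Assumption: which hardware fields feed SHA-1 and in what order. The post
# names these four plus "several more"; the values below are constructed.
HW_FIELDS = ("BaseBoard.Manufacturer", "BaseBoard.SerialNumber",
             "BIOS.SerialNumber", "Processor.ProcessorId")
SAMPLE_MACHINE = {
    "BaseBoard.Manufacturer": "Example Board Co.",
    "BaseBoard.SerialNumber": "BB-0001-CONSTRUCTED",
    "BIOS.SerialNumber": "BIOS-0001-CONSTRUCTED",
    "Processor.ProcessorId": "BFEBFBFF000906EA",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the figure CyberChef's Shannon Entropy operation reports."""
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values()) if n else 0.0


def hardware_hash(machine: dict) -> str:
    """SHA-1 over the concatenated hardware fields, as 40 hex characters."""
    return hashlib.sha1("".join(machine[f] for f in HW_FIELDS).encode()).hexdigest()


def derive_iv() -> bytes:
    """IV = SHA3-256("allUsersGenericId" + "IS"): identical on every machine.
    Assumption: the 32-byte digest is truncated to the 16-byte block size."""
    return hashlib.sha3_256(SALT + FILE_ID).digest()[:BLOCK]


def derive_key(hw_hash_hex: str) -> bytes:
    """Key = SHA3-256("allUsersGenericId" + "IS" + sha1hex(hardware info)).
    Assumption: the key hash is SHA3-256 like the IV; the post is summarised without naming it."""
    return hashlib.sha3_256(SALT + FILE_ID + hw_hash_hex.encode()).digest()


def _pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding (wrong key?)")
    return data[:-n]


def aes_cbc(key: bytes, iv: bytes, data: bytes, decrypt: bool) -> bytes:
    """Raw AES-256-CBC via pycryptodome or cryptography, whichever is installed."""
    try:
        from Crypto.Cipher import AES
        c = AES.new(key, AES.MODE_CBC, iv)
        return c.decrypt(data) if decrypt else c.encrypt(data)
    except ImportError:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        op = Cipher(algorithms.AES(key), modes.CBC(iv))
        op = op.decryptor() if decrypt else op.encryptor()
        return op.update(data) + op.finalize()


def aes_available() -> bool:
    """True when one of the two AES back-ends can be imported."""
    try:
        aes_cbc(bytes(32), bytes(BLOCK), bytes(BLOCK), decrypt=False)
        return True
    except ImportError:
        return False


def encrypt_is_file(plaintext: bytes, machine: dict) -> bytes:
    """Build a constructed IS-style blob: 64-char hex header + AES-256-CBC body."""
    header = hashlib.sha256(plaintext).hexdigest().encode()  # assumption about the header
    key = derive_key(hardware_hash(machine))
    return header + aes_cbc(key, derive_iv(), _pkcs7_pad(plaintext), decrypt=False)


def decrypt_is_file(blob: bytes, machine: dict) -> bytes:
    """What a GameFinder-style tool must do: rebuild the key from the machine's
    hardware fields, skip the header, decrypt with the constant IV."""
    body = blob[HEADER_LEN:]
    if len(body) % BLOCK:
        raise ValueError("ciphertext length is not a multiple of the block size")
    key = derive_key(hardware_hash(machine))
    return _pkcs7_unpad(aes_cbc(key, derive_iv(), body, decrypt=True))


def shared_leading_blocks(a: bytes, b: bytes, machine: dict) -> int:
    """With a fixed key and IV, two files share ciphertext for every leading
    plaintext block they have in common; a fresh IV per file would prevent this."""
    ca = encrypt_is_file(a, machine)[HEADER_LEN:]
    cb = encrypt_is_file(b, machine)[HEADER_LEN:]
    n = 0
    for i in range(0, min(len(ca), len(cb)), BLOCK):
        if ca[i:i + BLOCK] != cb[i:i + BLOCK]:
            break
        n += 1
    return n


if __name__ == "__main__":
    pt = b'{"sample":"constructed plaintext, not real IS content"}'
    blob = encrypt_is_file(pt, SAMPLE_MACHINE)
    print("header entropy %.2f, body entropy %.2f" % (
        shannon_entropy(blob[:HEADER_LEN]), shannon_entropy(blob[HEADER_LEN:])))
    print(decrypt_is_file(blob, SAMPLE_MACHINE))
    print(shared_leading_blocks(b"A" * 32 + b"x", b"A" * 32 + b"y", SAMPLE_MACHINE))
```

The hex header can never exceed 4 bits of entropy per byte (16 symbols), which is why the author's hexdump-then-entropy triage separates it from the ciphertext body so cleanly. On a real machine you would replace SAMPLE_MACHINE with values read through WMI; the point of the example is that nothing in the derivation is secret, so anyone who can read those fields can decrypt the file.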