infosec/2021/03/01/obtaining-unreal-pak-decryption-key/ #8

Open
utterances-bot opened this issue May 3, 2021 · 25 comments

@utterances-bot

How I Extracted an Unreal Engine Game’s WWise Audio - Just Still

When you really want a game’s soundtrack, but the publisher hasn’t released them yet.

https://stillu.cc/infosec/2021/03/01/obtaining-unreal-pak-decryption-key/

Copy link

Super useful, thanks!
Just want to note: The first image following "After we’ve found the address, we can set a breakpoint on its parent routine and watch it run" contains CPU instructions which show the name of the game!

@Still34
Owner

Still34 commented May 4, 2021

Damn it! I knew I'd miss something. Ah well, I'll fix that later.

@Still34
Owner

Still34 commented May 8, 2021

Semi-fixed, can't be bothered to remove the cache in the git timeline though.

Copy link

Thanks for sharing this; it was really useful!

@Still34
Owner

Still34 commented Nov 1, 2021

Thanks for sharing this; it was really useful!

Glad that it helped! Figured the resource was a bit scarce when I wrote the article.


ImWayden commented Feb 8, 2022

Hi, I'm stuck at the debugging. I don't know how I can launch UnrealPak while it's trying to unpack my encrypted .pak; I mean, I need cmd to do the unrealpak.exe -Test *.pak. I tried to use the command directly in x64dbg (initdbg UnrealPak.exe -Test *.pak) using the "change command line" option; it launches UnrealPak but doesn't seem to do anything else :/


ImWayden commented Feb 8, 2022

Oh OK, I just needed to debug the application directly instead of trying to debug UnrealPak.exe. Damn, I feel so dumb.

@Cont0rt

Cont0rt commented Jun 22, 2022

Before I begin I'd like to mention that I have no knowledge on this stuff. I just want to figure out what some songs used in Layers of Fear 2 are since they seem to me modified tracks from the 1930s or something. Point is, I can't seem to figure out what I'm supposed to do since I can't understand 90% of it. If someone could explain in stupid that would be great thanks!

@Still34
Owner

Still34 commented Jun 23, 2022

Before I begin I'd like to mention that I have no knowledge on this stuff. I just want to figure out what some songs used in Layers of Fear 2 are since they seem to me modified tracks from the 1930s or something. Point is, I can't seem to figure out what I'm supposed to do since I can't understand 90% of it. If someone could explain in stupid that would be great thanks!

I'd look into it if I had a copy of the game, which I don't unfortunately.

Copy link

Hey there, Still! I have some questions about this process and was wondering, if you're free, would you be able to help me understand it? This is my Discord (Base64): ZnVzZGVjaHVzIzg3MDA=

In any case, thank you so much for this post! It's helped me get to where I'm at now :)

Copy link

I'm struggling to figure out what I'm doing wrong. I keep on getting the same error despite making sure the key is right: Assertion failed: Key.Num() == sizeof(FAES::FAESKey::Key)

Could anyone help me out?

Copy link

Hi Still, I am very new to game development and there is so much I do not know but I am trying to learn every day. I have recently found a game that I like and I am just trying to extract the audio from it because of the music and some voice audio. I have unpacked the .pak file with Unreal Pak editor, because quick bms did not work, and even though I have all the files now they are all encrypted. Umodel is able to open the texture uasset files but not the audio files which I need. I tried to export them with Umodel as well but nothing happened. Do you have any advice on how I can open and listen to them? I also found one .bnk file but it looks to be encrypted as well. Any help will be greatly appreciated, thank you!


PolicyChanges commented Feb 13, 2023

so this was the birth of shrekmidion? Thanks for the detailed write up!

@mortalis13
Contributor

I'm struggling to figure out what I'm doing wrong. I keep on getting the same error despite making sure the key is right: Assertion failed: Key.Num() == sizeof(FAES::FAESKey::Key)

Could anyone help me out?

Recently I've encountered this problem too.
In my case I discovered I was converting an incorrect string to base64: I took the key like 0x1234ABCD... and directly converted it as a string (with and without the 0x part). But in the end, what needs to be passed to base64 is the bytes that represent that key.
So it would be a sequence like [0x12, 0x34, 0xAB, ...] in C++, for example.

So maybe it was something similar in your case. I'll explain my case details if it helps.

I discovered it thanks to the UE source code. The error Assertion failed... tells you the file where that error happened.
For example, it was KeyChainUtilities.h line 81.
So I checked that file in their official GitHub repo (for the corresponding engine version) and from that I found that FAESKey::Key is an array of size 32, and Key.Num() is the length of the decoded encryption key.

And as it was decoding my string key, which had 64 characters (32 x 2-digit hex), it compared 64 == 32, which results in false.
So I separated that string into real bytes and encoded them to base64 (with a couple of Python commands).
Then the UE tool worked fine.
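
The length mismatch described in the comment above, as an added example that is not part of the original thread or of the UE tooling: it converts a hex key to base64 of its raw bytes and reports what byte count a given base64 string decodes to. The function names and the sample key are constructed for illustration.

```python
import base64
import binascii

AES_KEY_BYTES = 32  # size of FAESKey::Key, as reported in the comment above

# Constructed sample key (not from any game): "0x" followed by 64 hex digits.
CONSTRUCTED_HEX_KEY = "0x" + "0123456789ABCDEF" * 4


def hex_key_to_base64(hex_key: str) -> str:
    """Base64-encode the raw bytes that a hex key string represents."""
    text = hex_key.strip()
    if text[:2].lower() == "0x":
        text = text[2:]
    raw = bytes.fromhex(text)  # raises ValueError on non-hex or odd-length input
    if len(raw) != AES_KEY_BYTES:
        raise ValueError(f"key is {len(raw)} bytes, expected {AES_KEY_BYTES}")
    return base64.b64encode(raw).decode("ascii")


def decoded_key_length(b64_key: str) -> int:
    """Byte count after base64 decoding, i.e. what Key.Num() is compared on."""
    return len(base64.b64decode(b64_key, validate=True))


def diagnose(b64_key: str) -> str:
    """Explain why a base64 key would or would not pass the 32-byte length check."""
    try:
        n = decoded_key_length(b64_key)
    except binascii.Error:
        return "not valid base64"
    if n == AES_KEY_BYTES:
        return "ok: 32 raw key bytes"
    if n in (2 * AES_KEY_BYTES, 2 * AES_KEY_BYTES + 2):
        return f"{n} bytes: the hex text was encoded, not the bytes it represents"
    return f"{n} bytes: wrong key length"


if __name__ == "__main__":
    wrong = base64.b64encode(CONSTRUCTED_HEX_KEY.encode("ascii")).decode("ascii")
    right = hex_key_to_base64(CONSTRUCTED_HEX_KEY)
    print("text encoded :", diagnose(wrong))
    print("bytes encoded:", diagnose(right))
```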

@Still34
Owner

Still34 commented Jul 25, 2023

so this was the birth of shrekmidion? Thanks for the detailed write up!

Yup - shame I haven't really done much with it haha

Hi Still, I am very new to game development and there is so much I do not know but I am trying to learn every day. I have recently found a game that I like and I am just trying to extract the audio from it because of the music and some voice audio. I have unpacked the .pak file with Unreal Pak editor, because quick bms did not work, and even though I have all the files now they are all encrypted. Umodel is able to open the texture uasset files but not the audio files which I need. I tried to export them with Umodel as well but nothing happened. Do you have any advice on how I can open and listen to them? I also found one .bnk file but it looks to be encrypted as well. Any help will be greatly appreciated, thank you!

You're usually not able to do much with the .u* files as they're typically Unreal files that are not actually cooked into the output as far as I know.

I'm struggling to figure out what I'm doing wrong. I keep on getting the same error despite making sure the key is right: Assertion failed: Key.Num() == sizeof(FAES::FAESKey::Key)
Could anyone help me out?

Recently I've encountered this problem too. In my case I discovered I was converting an incorrect string to base64: I took the key like 0x1234ABCD... and directly converted it as a string (with and without the 0x part). But in the end, what needs to be passed to base64 is the bytes that represent that key. So it would be a sequence like [0x12, 0x34, 0xAB, ...] in C++, for example.

So maybe it was something similar in your case. I'll explain my case details if it helps.

I discovered it thanks to the UE source code. The error Assertion failed... tells you the file where that error happened. For example, it was KeyChainUtilities.h line 81. So I checked that file in their official GitHub repo (for the corresponding engine version) and from that I found that FAESKey::Key is an array of size 32, and Key.Num() is the length of the decoded encryption key.

And as it was decoding my string key, which had 64 characters (32 x 2-digit hex), it compared 64 == 32, which results in false. So I separated that string into real bytes and encoded them to base64 (with a couple of Python commands). Then the UE tool worked fine.

For those who are struggling to identify which code is which, you can usually tell by looking around for the string references in the debugger and comparing them to the original source code.

Copy link

Hello, I am trying to get a texture from a game. I have found the key (at least I think so) and tried to convert it to base64.

However, it does not work and I am unsure about many things. For one, I don't know if I am inputting the key correctly into the UnrealPak command. In your post you show the command: . "$env:programfiles\Epic Games\UE_4.25\Engine\Binaries\Win64\UnrealPak.exe" "$env:userprofile\Desktop\DUMP\<REDACTED>\Content\Paks\<REDACTED>-WinGDK.pak" -Extract "$env:userprofile\Desktop\DUMP_PAK" -CryptoKeys="Crypto.json" but I am unaware where Crypto.json is. Since there was no file path, I assumed it was in the same folder as unrealpak.exe, but I did not find it and made a .json file there with the same name. I then input the .json data shown under the command. I replaced the <redacted> part with my key and it didn't work; I got the key.num() == sizeof(FAES::FAESKey::Key) error and tried to make sense of that guy's solution. I tried separating my string and turning each byte into its value before encoding, but I kept getting the same error.

The game uses UE5 and I have UE5 downloaded.

My Discord: dGhlZ29kY29kZXI=

Copy link

Nvm, I found the correct key somehow, and I realized how crypto.json is set up. But now I am getting a new error and I don't understand why:

Assertion failed: SerializeNum >= 0 [File:D:\build\++UE5\Sync\Engine\Source\Runtime\Core\Public\Containers\Array.h] [Line: 3494] 

0x00007ff92748f039 UnrealPak-PakFileUtilities.dll!TArrayPrivateFriend::Serialize<FPakCompressedBlock,TSizedDefaultAllocator<32> >() []
0x00007ff9274c2732 UnrealPak-PakFileUtilities.dll!FPakEntry::Serialize() []
0x00007ff9274a8f3f UnrealPak-PakFileUtilities.dll!ExtractFilesFromPak() []
0x00007ff9274a475d UnrealPak-PakFileUtilities.dll!ExecuteUnrealPak() []
0x00007ff77d96e6ed UnrealPak.exe!wmain() []
0x00007ff77d96f7fc UnrealPak.exe!__scrt_common_main_seh() []
0x00007ff9d2397614 KERNEL32.DLL!UnknownFunction []
0x00007ff9d3ee26b1 ntdll.dll!UnknownFunction []



I read the lines of code in the file and something about serialization (I'm going to be honest, I don't understand exactly what that is), and now I need help with that.

@mortalis13
Contributor

mortalis13 commented Aug 10, 2023

With this tool it's much easier to encode in base64 )
https://base64.guru/converter/encode/hex

Check that you paste the key without the leading 0x if the key has it.

Not sure what SerializeNum means; you'd need to investigate the source code and where it leads from Array.h.
Maybe try with another UE version; I think there are multiple 5.X versions.
I only tested this method with UE 4.X; maybe the 5th version has some other requirements...

Have you downloaded the source code?


TheG0dC0der commented Aug 10, 2023

With this tool it's much easier to encode in base64 )
https://base64.guru/converter/encode/hex

Check that you paste the key without the leading 0x if the key has it.

Not sure what SerializeNum means; you'd need to investigate the source code and where it leads from Array.h.
Maybe try with another UE version; I think there are multiple 5.X versions.

Have you downloaded the source code?

Thank you for the encoder. The problem was that I encoded the key without changing them to what they represent, aka you have to type the key into a hex editor in a text document to get the correct stuff to base64 encode.

How would I try with a different version of UE5? Do I download 5.1 and such from the Epic launcher (that is where I got my UE5)?

And what source code are you talking about that I download? If you're talking about Array.h, I looked at the file on my computer and not the public repository. So yes, downloaded.

Edit: I tried again with 5.1.1 instead of 5.2.1; same error, different line.

Assertion failed: SerializeNum >= 0 [File:D:\build\++UE5\Sync\Engine\Source\Runtime\Core\Public\Containers\Array.h] [Line: 1253] 

0x00007ff9924702a9 UnrealPak-PakFileUtilities.dll!operator<<() []
0x00007ff9924a2239 UnrealPak-PakFileUtilities.dll!FPakEntry::Serialize() []
0x00007ff9924883ed UnrealPak-PakFileUtilities.dll!ExtractFilesFromPak() []
0x00007ff992483bce UnrealPak-PakFileUtilities.dll!ExecuteUnrealPak() []
0x00007ff6a281be27 UnrealPak.exe!wmain() []
0x00007ff6a281ce2c UnrealPak.exe!__scrt_common_main_seh() []
0x00007ff9d2397614 KERNEL32.DLL!UnknownFunction []
0x00007ff9d3ee26b1 ntdll.dll!UnknownFunction []



@TheG0dC0der

Now that I look at what it's saying, I think I have the wrong key. Now I am trying to follow the tutorial with x64dbg this time; the problem is I don't know how to use it. I am confused about what I open in x64dbg as well. An explanation would be great.

@mortalis13
Contributor

mortalis13 commented Aug 11, 2023

The source code can be accessed from GitHub when UE adds you to their organization, because it's a private repository. Check these instructions to get access: https://www.unrealengine.com/en-US/ue-on-github

Also, I tried to decode with an incorrect key (but with the correct key length) and I don't receive the SerializeNum error; it says something about a corrupt .pak file.

So one way to get more info on that is investigating their code from GitHub. You'd need to find that file, Array.h, and check what it does on line 1253.

Copy link

Also, I tried to decode with an incorrect key (but with the correct key length) and I don't receive the SerializeNum error; it says something about a corrupt .pak file.

So it is the correct key? I still think it's wrong because the key I got had /'s in it, which I think is what caused the SerializeNum problem considering it is not a number. I tried replacing them with 0's and got the corrupt pak index error.

So once again, I need help with more detail on how to use x64dbg. Thanks.

Copy link

Successfully unpacked a game that ceased operation with this guide. It was using 4.27.1, but the latest tool available on GitHub, 4.27.0, also worked for it. And its key was exported onto the stack (lea rdx, qword ptr [rsp+40] before call qword ptr [rax+48]) and has no register change after obtaining the key, so it took some time for me to figure out. Much thanks for sharing!

@mortalis13
Contributor

I checked version 4.26 and the key is set inside the call qword ptr ds:[rax+48], on ss in some cases, and on ds in others. Like here, the line I stopped at was before the block containing the error message "Failed to find...":
[Image: 000167]

Though after the call, the next line lea r8, ss... sets the key addr to R8.

Anyway, I found that on entering the mentioned call, the key can be spotted much more easily than by checking what register changed.
After some steps, there's a block setting the key by 4 literal bytes, in 8 consecutive lines:
[Image: aes3]

@mortalis13
Contributor

Also, I found that in one game, the audio files weren't in the WwiseAudio folder, and weren't Wwise at all.
Took me some effort, and I found them in the 3rd / 4th level folder, \SONS\Musique, supposedly named in French )
So it's a matter of searching through the folders or through the list of assets, which can be retrieved with the UnrealPak tool.

And also the folder contained only .uasset, .uexp files, the same as for textures or other asset types.
Anyway, I was able to export the audio from them with Unreal Editor, only enabling the cooked content support.
