New tool to extract .pak or .npk files

Does anyone have experience with reverse engineering? Or do they understand how .pak files work in Icarus?

In the CrySystem DLL, the CCryPak::CCryPak function is located at: sub_365119C0


.text:000000003651204E mov rax, [r12]
.text:0000000036512052 lea rdx, [rsp+78h+arg_0]
.text:000000003651205A mov rcx, r12
.text:000000003651205D call qword ptr [rax+40h]
This is the call obtaining the encryption key.
You would need to debug the game to get the actual key since this is virtualized.

Old RSA key; I believe it is still the same. It is located in CryGame.dll:
30 81 89 02 81 81 00 C9 ED 52 CF 94 9C EA DE E1 A7 03 EE 25 C0 71 B9 DC 51 57 81 5B 36 89 E7 FC 04 64 E6 CB FB 99 DC FB 13 24 C3 E0 85 D3 50 FE 9F A3 81 CF 43 D8 30 47 EB C2 61 6F BD 91 BD 5B EE 4B DC 9A 04 E1 25 FA 38 8F A0 B5 F1 A9 1D 76 73 55 AA 11 EA A0 0A 27 BC 84 5C EC 56 DF CA 64 DA DC 01 31 CE 91 3D 90 94 BC D6 3E 71 C6 8E B0 34 AB 5E 5E EB 75 BD 6D EE 57 04 98 D8 DC F4 80 A7 98 C3 20 D7 8E 0B 02 03 01 00 01

What I could see is that the RSA key is the same as before; what changed was the format of the packages. The zip header no longer exists and has been obfuscated in some way, but the end of the zip still exists in the file:

If you open the new .pak files, they have the final code of the .zip, but I couldn't find the beginning, which should be: 50 4B 03 04. What do you think? Has anyone made any progress?

I started looking into it, too. If the zip footer exists at the end but the zip header isn't there and the rest is encrypted, they probably modified their packer.

There is a lot of source code for PakDecrypt.cpp on GitHub to study how it works. You have probably seen it.

This weekend I am going to test a few approaches: 1) find repeating patterns in a hex editor, 2) manually edit the beginning of the pak file and see what happens, 3) write C# programs to decrypt, and so on.
 
I found this NPK extractor on the forums; it looks like it is from Crysis 3 and should be used for Icarus.
 


I think that's what Tahoma used to make the PakDecrypt.exe for Icarus, but he didn't include the source code. Have you compiled this source code with the old RSA key and tested an old pak file?

Notice the central directory (50 4B 01 02) is missing. So far we know the header and central directory are missing, but the end of central directory is still there.
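
The signature checks discussed in the posts above (50 4B 03 04, 50 4B 01 02 and the end of central directory record) can be done in one pass. The following is an added example, not code from any poster or from the game; the sample archive and the XOR scrambling are constructed stand-ins, and the function names are hypothetical.

```python
import io
import struct
import zipfile

LOCAL_HEADER = b"PK\x03\x04"  # 50 4B 03 04, start of each stored file
CENTRAL_DIR = b"PK\x01\x02"   # 50 4B 01 02, central directory entry
EOCD = b"PK\x05\x06"          # 50 4B 05 06, end of central directory
EOCD_LEN = 22                 # fixed part; a comment of up to 65535 bytes may follow


def triage(data: bytes) -> dict:
    """Report which ZIP structures survive in a container."""
    report = {"local_header_at_0": data[:4] == LOCAL_HEADER, "eocd_offset": None}
    # The EOCD sits in the last 22 + 65535 bytes, so search backwards from the end.
    pos = data.rfind(EOCD, max(0, len(data) - EOCD_LEN - 0xFFFF))
    if pos < 0 or pos + EOCD_LEN > len(data):
        return report
    _sig, _disk, _cd_disk, _n_here, entries, cd_size, cd_offset, _comment_len = \
        struct.unpack_from("<4sHHHHIIH", data, pos)
    report.update(
        eocd_offset=pos,
        entries=entries,
        cd_offset=cd_offset,
        cd_size=cd_size,
        # Does the offset recorded in the EOCD still point at 50 4B 01 02?
        cd_signature_ok=data[cd_offset:cd_offset + 4] == CENTRAL_DIR,
        # In an unmodified ZIP the directory ends exactly where the EOCD begins.
        layout_consistent=cd_offset + cd_size == pos,
    )
    return report


def sample_zip() -> bytes:
    """Constructed input: a one-file ZIP built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a.txt", "hello")
    return buf.getvalue()


def scramble(plain: bytes) -> bytes:
    """Constructed stand-in for an altered container: XOR everything before the
    EOCD with 0x5A. This is an assumption for the demo, not the game's scheme."""
    cut = plain.rfind(EOCD)
    return bytes(b ^ 0x5A for b in plain[:cut]) + plain[cut:]


if __name__ == "__main__":
    for name, blob in (("plain", sample_zip()), ("scrambled", scramble(sample_zip()))):
        print(name, triage(blob))
```

When `layout_consistent` is true but `cd_signature_ok` is false, the size and offset fields in the EOCD still describe the file even though the signature bytes at that offset no longer read 50 4B 01 02.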

 
In the CrySystem DLL, the CCryPak::CCryPak function is located at: sub_365119C0

Also, I noticed there are CryptEncrypt and CryptDecrypt functions in the new client. The old client doesn't have those functions. It seems the new client calls the decrypt function first, before the Pak functions.
 
What a nice analysis, I'll take a look at the client code.
It seems the CryptDecrypt function is coming from Microsoft's advapi32.dll


and here's an example program in code.


So the CryptDecrypt function needs a key.
 