Cryptography

From GTAModding
Jump to: navigation, search

This article explains the cryptography present in GTA SA & IV.

GTA San Andreas

Hashing Algorithms

CRC32

San Andreas only uses a kind of CRC32 as a hashing algorithm. It is mainly used for fast string comparison throughout the whole executable and also for GXT keys to speed up the binary search at runtime.

The original C++ implementation of GTA SA's CRC32 hashing algorithm class can be displayed as follows:

class CKeyGen
{
private:
    // Precalculated table of 256 CRC32 hash keys computed according to the polynomial 0xEDB88320.
    static const unsigned int keyTable[] = // 0x008CD068
    {
        0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA, 0x076DC419, 0x706AF48F, 0xE963A535, 0x9E6495A3,
        0x0EDB8832, 0x79DCB8A4, 0xE0D5E91E, 0x97D2D988, 0x09B64C2B, 0x7EB17CBD, 0xE7B82D07, 0x90BF1D91,
        0x1DB71064, 0x6AB020F2, 0xF3B97148, 0x84BE41DE, 0x1ADAD47D, 0x6DDDE4EB, 0xF4D4B551, 0x83D385C7,
        0x136C9856, 0x646BA8C0, 0xFD62F97A, 0x8A65C9EC, 0x14015C4F, 0x63066CD9, 0xFA0F3D63, 0x8D080DF5,
        0x3B6E20C8, 0x4C69105E, 0xD56041E4, 0xA2677172, 0x3C03E4D1, 0x4B04D447, 0xD20D85FD, 0xA50AB56B,
        0x35B5A8FA, 0x42B2986C, 0xDBBBC9D6, 0xACBCF940, 0x32D86CE3, 0x45DF5C75, 0xDCD60DCF, 0xABD13D59,
        0x26D930AC, 0x51DE003A, 0xC8D75180, 0xBFD06116, 0x21B4F4B5, 0x56B3C423, 0xCFBA9599, 0xB8BDA50F,
        0x2802B89E, 0x5F058808, 0xC60CD9B2, 0xB10BE924, 0x2F6F7C87, 0x58684C11, 0xC1611DAB, 0xB6662D3D,
        0x76DC4190, 0x01DB7106, 0x98D220BC, 0xEFD5102A, 0x71B18589, 0x06B6B51F, 0x9FBFE4A5, 0xE8B8D433,
        0x7807C9A2, 0x0F00F934, 0x9609A88E, 0xE10E9818, 0x7F6A0DBB, 0x086D3D2D, 0x91646C97, 0xE6635C01,
        0x6B6B51F4, 0x1C6C6162, 0x856530D8, 0xF262004E, 0x6C0695ED, 0x1B01A57B, 0x8208F4C1, 0xF50FC457,
        0x65B0D9C6, 0x12B7E950, 0x8BBEB8EA, 0xFCB9887C, 0x62DD1DDF, 0x15DA2D49, 0x8CD37CF3, 0xFBD44C65,
        0x4DB26158, 0x3AB551CE, 0xA3BC0074, 0xD4BB30E2, 0x4ADFA541, 0x3DD895D7, 0xA4D1C46D, 0xD3D6F4FB,
        0x4369E96A, 0x346ED9FC, 0xAD678846, 0xDA60B8D0, 0x44042D73, 0x33031DE5, 0xAA0A4C5F, 0xDD0D7CC9,
        0x5005713C, 0x270241AA, 0xBE0B1010, 0xC90C2086, 0x5768B525, 0x206F85B3, 0xB966D409, 0xCE61E49F,
        0x5EDEF90E, 0x29D9C998, 0xB0D09822, 0xC7D7A8B4, 0x59B33D17, 0x2EB40D81, 0xB7BD5C3B, 0xC0BA6CAD,
        0xEDB88320, 0x9ABFB3B6, 0x03B6E20C, 0x74B1D29A, 0xEAD54739, 0x9DD277AF, 0x04DB2615, 0x73DC1683,
        0xE3630B12, 0x94643B84, 0x0D6D6A3E, 0x7A6A5AA8, 0xE40ECF0B, 0x9309FF9D, 0x0A00AE27, 0x7D079EB1,
        0xF00F9344, 0x8708A3D2, 0x1E01F268, 0x6906C2FE, 0xF762575D, 0x806567CB, 0x196C3671, 0x6E6B06E7,
        0xFED41B76, 0x89D32BE0, 0x10DA7A5A, 0x67DD4ACC, 0xF9B9DF6F, 0x8EBEEFF9, 0x17B7BE43, 0x60B08ED5,
        0xD6D6A3E8, 0xA1D1937E, 0x38D8C2C4, 0x4FDFF252, 0xD1BB67F1, 0xA6BC5767, 0x3FB506DD, 0x48B2364B,
        0xD80D2BDA, 0xAF0A1B4C, 0x36034AF6, 0x41047A60, 0xDF60EFC3, 0xA867DF55, 0x316E8EEF, 0x4669BE79,
        0xCB61B38C, 0xBC66831A, 0x256FD2A0, 0x5268E236, 0xCC0C7795, 0xBB0B4703, 0x220216B9, 0x5505262F,
        0xC5BA3BBE, 0xB2BD0B28, 0x2BB45A92, 0x5CB36A04, 0xC2D7FFA7, 0xB5D0CF31, 0x2CD99E8B, 0x5BDEAE1D,
        0x9B64C2B0, 0xEC63F226, 0x756AA39C, 0x026D930A, 0x9C0906A9, 0xEB0E363F, 0x72076785, 0x05005713,
        0x95BF4A82, 0xE2B87A14, 0x7BB12BAE, 0x0CB61B38, 0x92D28E9B, 0xE5D5BE0D, 0x7CDCEFB7, 0x0BDBDF21,
        0x86D3D2D4, 0xF1D4E242, 0x68DDB3F8, 0x1FDA836E, 0x81BE16CD, 0xF6B9265B, 0x6FB077E1, 0x18B74777,
        0x88085AE6, 0xFF0F6A70, 0x66063BCA, 0x11010B5C, 0x8F659EFF, 0xF862AE69, 0x616BFFD3, 0x166CCF45,
        0xA00AE278, 0xD70DD2EE, 0x4E048354, 0x3903B3C2, 0xA7672661, 0xD06016F7, 0x4969474D, 0x3E6E77DB,
        0xAED16A4A, 0xD9D65ADC, 0x40DF0B66, 0x37D83BF0, 0xA9BCAE53, 0xDEBB9EC5, 0x47B2CF7F, 0x30B5FFE9,
        0xBDBDF21C, 0xCABAC28A, 0x53B39330, 0x24B4A3A6, 0xBAD03605, 0xCDD70693, 0x54DE5729, 0x23D967BF,
        0xB3667A2E, 0xC4614AB8, 0x5D681B02, 0x2A6F2B94, 0xB40BBE37, 0xC30C8EA1, 0x5A05DF1B, 0x2D02EF8D
    };

public:
    // Hash a string till the specified number of characters.
    static unsigned int GetKey(const char *pString, int iSize) // 0x0053CED0
    {
        unsigned int uiHash = 0xFFFFFFFF;
        for(int i = 0; i < iSize; i++)
            uiHash = keyTable[(unsigned char)uiHash ^ *pString++] ^ (uiHash >> 8);
        return uiHash;
    }

    // Hash a string till a null-terminator is found.
    static unsigned int GetKey(const char *pString) // 0x0053CF00
    {
        unsigned int uiHash = 0xFFFFFFFF;
        while(*pString)
            uiHash = keyTable[(unsigned char)uiHash ^ *pString++] ^ (uiHash >> 8);
        return uiHash;
    }

    // Hash a string till a null-terminator is found by converting lowercase characters to uppercase.
    static unsigned int GetUppercaseKey(const char *pString) // 0x0053CF30
    {
        unsigned int uiHash = 0xFFFFFFFF;
        while(*pString)
            uiHash = keyTable[(unsigned char)uiHash ^ toupper(*pString++)] ^ (uiHash >> 8);
        return uiHash;
    }

    // Append a string to the hash key of a previously hashed string.
    static unsigned int AppendStringToKey(unsigned int uiHash, const char *pString) // 0x0053CF70
    {
        while(*pString)
            uiHash = keyTable[(unsigned char)uiHash ^ *pString++] ^ (uiHash >> 8);
        return uiHash;
    }
};

GTA IV

Hashing Algorithms

GTA IV relies on many different hash algorithms work its operation, each for a different purpose. GTA IV's new usage of hashing has allowed it to explore a more binary focused way of hiding data in files, and strings away from plain site.

SHA1

The SHA1 hashing algorithm is used when comparing the files in versions 1.0 and 1.0.1. This check was later removed in 1.0.2.

This section is incomplete. You can help by fixing and expanding it.

CRC32

The Cyclic Redundancy Check 32 bit hashing algorithm is used in the GXT file to match text codes with their counterparts. A C++ implementation of GTA IV's CRC32 hashing algorithm can be displayed as follows:

unsigned int CRC32(char* text)
{
    size_t textLen = strlen(text);
    int i = 0;
    unsigned int retHash = 0;
    if(text[0] == '"')
        i = 1;
    for(i;i<textLen;i++)
    {
        char ctext = text[i];
        if(ctext == '"')
            break;
        if(ctext - 65 > 25)
        {
            if(ctext == '\\')
                ctext = '/';
        }
        else ctext += 32;
        retHash = (1025 * (retHash + ctext) >> 6) ^ 1025 * (retHash + ctext);
    }
    return 32769 * (9 * retHash ^ (9 * retHash >> 11));
}

As you can see it differs from most common hashing algorithms in the way it handles text (by not including " or \ characters). Also usually entry name strings in GXT text archives are stored in upper case, so it may be useful to convert them before creating the hash.

One At A Time Hash

The One At A Time hashing function was originally created by Bob Jenkins. A C++ implementation can be found here and at Wikipedia.

unsigned int oneAtATimeHash(char* inpStr)
{
    unsigned int value = 0,temp = 0;
    for(size_t i=0;i<strlen(inpStr);i++)
    {
        char ctext = tolower(inpStr[i]);
        temp = hashchr;
        temp += value;
        value = temp << 10;
        temp += value;
        value = temp >> 6;
        value ^= temp;
    }
    temp = value << 3;
    temp += value;
    unsigned int temp2 = temp >> 11;
    temp = temp2 ^ temp;
    temp2 = temp << 15;
    value = temp2 + temp;
    if(value < 2) value += 2;
    return value;
}

Encryption Algorithms

AES

The encryption algorithm used for RPF, IMG and SCO files is the Advanced Encryption Standard (AES) in the following configuration:

  • block size: 128 bit (16 byte)
  • key size: 256 bit (32 byte)
  • cypher mode: electronic code book (ECB)
  • repetitions: 16 times

That means all encrypted data (the cyphertext) can be split up into 16 byte blocks and decrypted independently. Decryption is done by executing the AES-128 decrypt routine 16x on each data block. If the last block is smaller than 16 byte, it is left unencrypted in Rockstar's archives.

Key

The 256 bit key necessary to decrypt the cyphertext can be retrieved from gtaiv.exe at the following file offsets:

Game Version Offset
1.0 US 0xA94204
1.0.1 US 0xB607C4
1.0.2 US 0xB56BC4
1.0.3 US 0xB75C9C
1.0.4 US 0xB7AEF4
1.0.6 US 0xBE6540
1.0.7 US 0xBE7540
1.0.0.1 RUS 0xB5B65C
1.0.1.1 RUS 0xB569F4

And from eflc.exe:

Game Version Offset
1.1.1 US 0xC705E0
1.1.2 US 0xBEF028

The key is the same for all game versions on all platforms (PC, XBOX 360, PS3). You may want to use the following SHA1 hash to verify the correctness of the retrieved key:

DE A3 75 EF 1E 6E F2 22 3A 12 21 C2 C5 75 C4 7B F1 7E FA 5E

NOTE: This is not the cypher key! ^

It is recommended to leave modified archives unencrypted.

Example

Program code to decrypt data from GTA IV could look like this:

AES_set_decrypt_key(key, 256, context);

for (int i = 0; i < (int) (data_size/16); i++) {
    void *p = (void *) (data_offset + i*16); // the pointer to the current block
    for (int j = 1; j <= 16; j++)            // 16 (pointless) repetitions
        AES_decrypt_block(p, p, context);
}

See also: Decryption routine in SparkIV (C#, GPL)

Legal Issues

[1] Since the United States complying with WIPO treaties, they created the Digital Millenium Copyright Act in order to bring their copyright laws up to date in the emerging digital world. A key point in this act is the Anti-cirumvention clauses which tell us that it is against the law to break copyright protection mechanisms (even if it is for legal purposes). The MPAA have used this power in the past to sue the makers of De-CSS (The copy protection scheme used in early DVD's). The AES Key that Rockstar used in GTA IV is technically an anti-circumvention measure and so cannot be posted here lest GTAModding be subject to legal ramifications. However since it is available in GTA IV's own binary a lot of people have just read it directly out of the actual executable (the offsets are posted in the section above). This doesn't only apply to people in the United States though, plenty of other countries have made their own legislation to the same effect, and many others have signed Free Trade Agreements with the United States that shoehorn the necessary DMCA provisions into the countries own legislation. Countries that have taken part in Free Trade Agreements include Australia, South Korea and The United Kingdom.

Although other laws contradict this. For example in most countries reverse engineering for the purpose of interoperability (what most people who use the key try to achieve) transcends the anti-circumvention measures proposed by the DMCA. Although the legal issue still remains unclear most modders and site owners choose to be on the side of caution.

External links

Links to detailed explanations of the several hash and encryption algorithms on wikipedia: