Wolf Rpg File Decrypter

Rita Seliba

Aug 3, 2024, 4:54:11 PM
to verbstearulhot

All DX archives follow the same format; what differs is that each may carry its own 12-byte encryption key. The purpose of this program is to let users maintain a keystore that the program works through automatically, trying each key in turn until one decrypts the archive.

Hi, thanks for the tutorial.
I just want to ask how to encrypt back all of those Wolf RPG picture files that were decrypted from .wolf into a folder of .png files.
I tried DXA encode, but the output becomes .dxa instead of .wolf.

The problem is, even if you add the keys to key.ini and DXExtract clearly finds the key, it is still unable to decrypt these files.
I guess it is because of the way the decode function is programmed.

Thanks for sharing. I wasn't aware the author of DXLib already provided stand-alone tools for unpacking. Feels kind of silly for me to have put together this tool that doesn't even do repacking and also doesn't support new versions beyond v4.

Attach the running process in OllyDbg, then go to View -> Handles and find an open file such as \Moekuri\Data\Dat.dxa or \Moekuri\Data\etc.dxa. Right-click to view the hex dump; if it shows readable hex, dump the file to your desktop as a .bin file.

After dumping the file or files, open them in a hex editor such as MadEdit or HxD, add the 12-byte hex string from the dump to keys.ini, save, and repeat until you find the correct key. Always start from offset 00000000.

My tool requires users to supply the decryption key (stored in keys.ini).
The new Mad Father game may be using a different decryption key, a different encryption algorithm, or a completely different archive format.

Because the format moved to uint64 fields, the key can be reconstructed from known plaintext: the header has enough null bytes (in a XOR cipher, a byte that is 0x00 in the clear encrypts to the key byte itself), and the last 12 bytes of the file are all 0 except one 0x40 byte.
All files are encrypted with the same key, rotated bytewise per file; the method of rotation can be found in the exe linked above.

C705CA7D8DE3DEF1D90C85F4 (Wolf RPG Editor v2.20 beta)
This is the base key used to decrypt the header (the first 48 bytes of a DXv6 archive). All files and the table of contents at the end of the archive are encrypted using variations of this base key, 12 in total (including the key itself), one per file and one for the TOC. I forgot to add it to the previous message.
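Why the null bytes give the key away, as an added worked example (code written for this page, not the DXA tools or the posts above): the recovery trick described above only works if the archive cipher is a repeating 12-byte XOR keystream, because then a byte known to be 0x00 in the clear encrypts to the key byte for its position. The program below constructs a toy 96-byte archive (the header layout, the position of the 0x40 trailer byte and the per-file rotation offset are assumptions for illustration, not the real DXA v6 layout), encrypts it with the key quoted above, recovers the key from the header's zero bytes, detects contradictions that would mean the period-12 XOR model is wrong, and brute-forces the per-file rotation from the trailer. It generalises the manual "dump from offset 0 and paste into keys.ini" search described earlier.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define KEY_LEN     12
#define ARCHIVE_LEN 96
#define HEADER_LEN  48

/* The 12-byte key quoted in the post, used here only as sample input. */
static const uint8_t sample_key[KEY_LEN] = {
    0xC7, 0x05, 0xCA, 0x7D, 0x8D, 0xE3, 0xDE, 0xF1, 0xD9, 0x0C, 0x85, 0xF4
};

/* Cipher model for this example (assumption): byte at offset i is XORed
 * with key[(i + rot) % 12]. `rot` stands in for the per-file rotation. */
static void xor_stream(uint8_t *buf, size_t len,
                       const uint8_t key[KEY_LEN], size_t rot)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key[(i + rot) % KEY_LEN];
}

/* Known-plaintext attack: ct[first .. first+count) are known to be 0x00
 * in the clear, so each ciphertext byte IS the key byte for its position.
 * Returns how many of the 12 key positions were recovered, or -1 when two
 * known zeros with the same position mod 12 disagree, i.e. the data is not
 * a period-12 XOR stream and this model does not apply. */
static int recover_xor_key(const uint8_t *ct, size_t first, size_t count,
                           uint8_t key[KEY_LEN])
{
    int seen[KEY_LEN] = {0};
    int recovered = 0;
    for (size_t off = first; off < first + count; off++) {
        size_t k = off % KEY_LEN;
        if (seen[k]) {
            if (key[k] != ct[off])
                return -1;
            continue;
        }
        key[k] = ct[off];
        seen[k] = 1;
        recovered++;
    }
    return recovered;
}

/* Constructed sample "archive": 48-byte header whose only non-zero bytes are
 * a 2-byte magic, a version byte and a little-endian uint64 total size
 * (high 7 bytes zero); 36 bytes of payload; 12-byte trailer that is all
 * zero except one 0x40, as the post describes for the end of the file. */
static void build_sample(uint8_t out[ARCHIVE_LEN])
{
    memset(out, 0, ARCHIVE_LEN);
    out[0] = 'D'; out[1] = 'X'; out[2] = 0x06;
    out[8] = ARCHIVE_LEN;
    memcpy(out + HEADER_LEN, "payload bytes that the key protects ", 36);
    out[ARCHIVE_LEN - 12 + 4] = 0x40;
}

/* Encrypt the sample, recover the key from header offsets 16..47 (32 known
 * zeros, covering every position mod 12), decrypt with the recovered key
 * and confirm the archive came back intact. Returns 1 on success. */
int demo_recover(uint8_t recovered[KEY_LEN])
{
    uint8_t plain[ARCHIVE_LEN], ct[ARCHIVE_LEN];
    build_sample(plain);
    memcpy(ct, plain, ARCHIVE_LEN);
    xor_stream(ct, ARCHIVE_LEN, sample_key, 0);        /* "encrypt" */
    if (recover_xor_key(ct, 16, 32, recovered) != KEY_LEN)
        return 0;
    xor_stream(ct, ARCHIVE_LEN, recovered, 0);          /* decrypt */
    return memcmp(ct, plain, ARCHIVE_LEN) == 0;
}

/* Per-file case: the key is known but its rotation is not. Try all 12
 * rotations and keep the one under which the trailer decrypts to the
 * expected zeros-plus-0x40 pattern. Returns the rotation or -1. */
int find_rotation(const uint8_t *ct, size_t len, const uint8_t key[KEY_LEN])
{
    static const uint8_t trailer[12] = {0, 0, 0, 0, 0x40, 0, 0, 0, 0, 0, 0, 0};
    for (size_t rot = 0; rot < KEY_LEN; rot++) {
        uint8_t tail[12];
        memcpy(tail, ct + len - 12, 12);
        for (size_t i = 0; i < 12; i++)
            tail[i] ^= key[(len - 12 + i + rot) % KEY_LEN];
        if (memcmp(tail, trailer, 12) == 0)
            return (int)rot;
    }
    return -1;
}

/* Sample file encrypted with rotation 5; find_rotation must return 5. */
int demo_rotation(void)
{
    uint8_t ct[ARCHIVE_LEN];
    build_sample(ct);
    xor_stream(ct, ARCHIVE_LEN, sample_key, 5);
    return find_rotation(ct, ARCHIVE_LEN, sample_key);
}

int main(void)
{
    uint8_t key[KEY_LEN];
    if (!demo_recover(key)) { puts("recovery failed"); return 1; }
    printf("recovered key: ");
    for (int i = 0; i < KEY_LEN; i++) printf("%02X", key[i]);
    printf("\nrotation of sample file: %d\n", demo_rotation());
    return 0;
}
```

The contradiction check in recover_xor_key() is the practitioner's sanity test: if DXExtract "finds the key" but cannot decrypt, as reported above, running the same known-zero comparison over a real dump will either confirm a rotated key (handled by find_rotation) or return -1, which means the game is not using a plain repeating-key XOR at all.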

To use SHA, include the header wolfssl/wolfcrypt/sha.h. The structure to use is Sha, which is a typedef. Before use, initialize the hash with wc_InitSha(); call wc_ShaUpdate() to feed data and wc_ShaFinal() to retrieve the final hash. Note that Sha here is SHA-1, which is no longer collision resistant; use it only where legacy compatibility demands it and prefer SHA-256 or stronger (wolfssl/wolfcrypt/sha256.h) for new designs.

To use RIPEMD-160, include the header wolfssl/wolfcrypt/ripemd.h. The structure to use is RipeMd, which is a typedef. Before use, initialize the hash with wc_InitRipeMd(); call wc_RipeMdUpdate() to feed data and wc_RipeMdFinal() to retrieve the final hash.

wolfCrypt also provides GMAC for message authentication. The structure Gmac is found in the header wolfssl/wolfcrypt/aes.h, as GMAC is an application of AES-GCM (GCM with no encrypted payload, only authenticated data). GMAC initialization is done with wc_GmacSetKey().

CBC mode is supported for both encryption and decryption through the wc_AesSetKey(), wc_AesCbcEncrypt() and wc_AesCbcDecrypt() functions. Include the header wolfssl/wolfcrypt/aes.h to use AES. AES has a block size of 16 bytes, so the input length must be a multiple of 16 (pad it, for example with PKCS#7, before encrypting), and the IV must be 16 bytes and unpredictable (fresh random) for every message. CBC provides confidentiality only; pair it with a MAC, or use an authenticated mode such as GCM, so that tampered ciphertext is rejected before anything acts on the decrypted data.

CTR mode is available for both encryption and decryption through the wc_AesCtrEncrypt() function; encryption and decryption are the same operation, so one function serves both. The counter block (IV) must never be reused under the same key, since reuse leaks the XOR of the two plaintexts. For a usage example, see the function aes_test() in the file wolfcrypt/test/test.c.

wolfCrypt provides support for the Camellia block cipher. To use Camellia, include the header wolfssl/wolfcrypt/camellia.h. The structure to use is called Camellia. Initialization is done through wc_CamelliaSetKey(). CBC encryption/decryption is provided through wc_CamelliaCbcEncrypt() and wc_CamelliaCbcDecrypt(), while direct (single-block) encryption/decryption is provided through wc_CamelliaEncryptDirect() and wc_CamelliaDecryptDirect().

ARC4 (RC4) was for years the most widely used stream cipher on the Internet, but it is now deprecated: RFC 7465 prohibits it in TLS because of biases in its keystream, so treat wolfCrypt's implementation as a legacy-compatibility option only. It is supported through the header wolfssl/wolfcrypt/arc4.h. Usage is simpler than for block ciphers because there is no block size, and the key can be any length from 1 to 256 bytes.

ChaCha with 20 rounds is slightly faster than ARC4 while maintaining a high level of security. To use it with wolfCrypt, please include the header wolfssl/wolfcrypt/chacha.h. ChaCha typically uses 32 byte keys (256 bit) but can also use 16 byte keys (128 bits).

wc_Chacha_SetKey() only needs to be called once, but wc_Chacha_SetIV() must be called with a fresh IV (nonce) for every packet sent; reusing a nonce under the same key reuses the keystream. The counter argument allows starting at a different block for partial encryption/decryption, but in most cases it is set to 0. ChaCha must not be used without a MAC (e.g. Poly1305 or HMAC): a stream cipher only XORs a keystream over the data, so without authentication an attacker can flip chosen plaintext bits by flipping the same ciphertext bits.

wolfCrypt provides support for RSA through the header wolfssl/wolfcrypt/rsa.h. An RSA key pair has a public half and a private half. With the public key, anyone can encrypt data that only the holder of the private key can decrypt; the private key holder can also sign data, and anyone with the public key can verify that only the private key holder could have produced the signature. Usage is usually like the following.

Now out holds the ciphertext of the plaintext in. wc_RsaPublicEncrypt() returns the number of bytes written to out, or a negative number in case of an error. It needs an RNG (Random Number Generator) for the padding, and the RNG must be initialized before it can be used. To make sure the output buffer is large enough, first call wc_RsaEncryptSize(), which returns the number of bytes a successful call to wc_RsaPublicEncrypt() will write.

Now plain holds the decrypted data and the return value is plainSz, the number of bytes written, or an error code. For complete examples of each type in wolfCrypt, see the file wolfcrypt/test/test.c. Note that wc_RsaPrivateKeyDecode() only accepts keys in raw DER format.

wolfCrypt provides support for Diffie-Hellman through the header wolfssl/wolfcrypt/dh.h. The Diffie-Hellman key exchange algorithm allows two parties to establish a shared secret key over an untrusted channel. Usage is usually similar to the following example, where sideA and sideB designate the two parties.

In the following example, dhPublicKey contains the Diffie-Hellman public parameters signed by a Certificate Authority (or self-signed). privA holds the generated private key for sideA, pubA holds the generated public key for sideA, and agreeA holds the mutual key that both sides have agreed on.

A wolfSSL server can do Ephemeral Diffie-Hellman (EDH). No build changes are needed for this, but the application has to register the ephemeral group parameters on the server side to enable the EDH cipher suites; a dedicated API is provided for this.

To remove the wolf-rbac Plugin, delete the corresponding JSON configuration from the Plugin configuration. APISIX reloads the configuration automatically; no restart is needed for the change to take effect.

WOLF is part of the Dharma ransomware family. It blocks access to files by encrypting them until a sum of money is paid, renames the encrypted files, and generates two ransom notes: a pop-up window and a file named "info.txt".

WOLF's ransom notes instruct victims to email sea...@onionmail.org or sea...@msgsafe.io and wait for further instructions. They also warn victims not to rename encrypted files or try to decrypt them with third-party software, claiming this may cause permanent data loss.

Ransomware victims generally cannot decrypt their files for free unless a working third-party decryptor exists, which happens only when the ransomware's cryptography or key handling is flawed. Usually, the cybercriminals behind the attack are the only ones holding the keys. Recovery without paying is possible only when victims have a copy of their data (a backup) that the ransomware could not reach.

Cybercriminals should not be paid. Victims who pay are often scammed and never receive a decryption tool. It is also recommended to eliminate the ransomware from the infected system before it encrypts more files or spreads to other computers on the local network.

Ransomware is a type of malware that encrypts files so that victims cannot access them without a decryption tool sold by the attackers. Most ransomware variants behave similarly: they encrypt files, modify their filenames and generate ransom notes. Other ransomware examples are RTX, Gyjeb, and MOON.

Cybercriminals use Trojans, emails, unreliable download sources, unofficial software updaters, and software cracking tools to distribute malware. A Trojan is a type of malware that can serve different purposes, for example stealing information or delivering further malware.

It is common for Trojans to be used to distribute ransomware. Another popular way to deliver malware is to send emails containing malicious links or attachments; recipients infect their computers by opening the malicious files.

Unreliable download sources (third-party sites, peer-to-peer networks, free file hosts) are used to distribute malware by disguising malicious files as legitimate ones; users infect their computers by downloading and opening those files. Fake software updaters infect computers by installing malware instead of updates, or by exploiting bugs and flaws in outdated software.

Software cracking tools (or installers for cracked software) are often bundled with malware or have malicious code injected into them. Users infect their computers with those tools when they try to activate licensed software without paying for it.

Installed software should be updated and activated only with tools provided by its official developer; third-party tools for that are never safe. Links and attachments in irrelevant emails from unknown or suspicious senders should not be opened, as they can be malicious.
