# Hacking 'I Wanna Be The Boshy' Game Saves

### *A cursory glance at reversing Multimedia Fusion framework components*

Original Post: 2014-10-03

![Boshy Logo](https://3700770608-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ld5rUxSncVR1sxGtsic%2F-Ld5rl3PJzv3euHTPTwc%2F-Ld5rmoY_6D7tpf1qjB_%2F01.png?generation=1555967202996485\&alt=media)

## Background

'I Wanna Be The Boshy' runs on Multimedia Fusion 2 (MMF2), an engine that helped expedite game development in the days before modern frameworks like Unity or XNA.

During a playthrough, I wondered about how the game saves progress, unlocks, and potential secrets.

By default, data is passed around in MMF2 via *ini* files - IWBTB is no different:

![Boshy INI Files](https://3700770608-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ld5rUxSncVR1sxGtsic%2F-Ld5rl3PJzv3euHTPTwc%2F-Ld5rmo_rY4TjrOoNvcw%2F03.png?generation=1555967202443033\&alt=media)

Unlike normal ini files, however, these are encrypted:

![Boshy INI Encrypted](https://3700770608-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ld5rUxSncVR1sxGtsic%2F-Ld5rl3PJzv3euHTPTwc%2F-Ld5rmobMGfVooqQLdNS%2F04.png?generation=1555967203513353\&alt=media)

## Initial Analysis

After some runtime analysis via procmon, we can see that it unpacks itself and operates out of a directory:

![Boshy Procmon](https://3700770608-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ld5rUxSncVR1sxGtsic%2F-Ld5rl3PJzv3euHTPTwc%2F-Ld5rmod4u9dFGcIJaMa%2F02.png?generation=1555967203271702\&alt=media)

In the directory, we see a whole bunch of mfx modules, which are basically renamed .dll files. The most interesting of these is INI++:

![MFX Files](https://3700770608-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ld5rUxSncVR1sxGtsic%2F-Ld5rl3PJzv3euHTPTwc%2F-Ld5rmofkjfpnj7igiIE%2F05.png?generation=1555967203730882\&alt=media)

## INI++

From a cursory glance, it looks like this *"INI++"* MMF2 module supports some type of basic encryption:

![INIPP Page](https://3700770608-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ld5rUxSncVR1sxGtsic%2F-Ld5rl3PJzv3euHTPTwc%2F-Ld5rmohkK5hn1XBZl9r%2F06.png?generation=1555967202543671\&alt=media)

This module acts like a read/write wrapper for ini files; it takes a password and encrypts the data. It also supports MD5 hashing without changing the size of the output file (from the site). Hrmmm... password based, no padding...

Throwing the INIPP dll in IDA will get you something like this with IDAScope (I used it to see what crypto modules they were using):

![IDAScope Output](https://3700770608-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ld5rUxSncVR1sxGtsic%2F-Ld5rl3PJzv3euHTPTwc%2F-Ld5rmojLBUm4i7Ip-TV%2F07.png?generation=1555967201193526\&alt=media)

As we don't see any AES constants or algorithms, the encryption is probably more like obfuscation, with a basic cipher like RC4 or similar...

Well, guess it's time to start digging for "crypto" functions in the binary (Hint: just look for a bunch of bitwise operations and/or array shaking).

![RC4 Function](https://3700770608-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ld5rUxSncVR1sxGtsic%2F-Ld5rl3PJzv3euHTPTwc%2F-Ld5rmol9T3E1H1vHvZn%2F08.png?generation=1555967201824889\&alt=media)

Bingo! This is classic unoptimized RC4...

*note*: Alternatively, we could have also looked at an open source Python implementation of MMF2 called anaconda, which has ported this extension module...

![RC4 Function Anaconda](https://3700770608-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ld5rUxSncVR1sxGtsic%2F-Ld5rl3PJzv3euHTPTwc%2F-Ld5rmondr3Y5BQDxEJG%2F09.png?generation=1555967200650574\&alt=media)

## ARCFOUR? What's an ARCFOUR? Weak Crypto!

**"ba dum tss"**

Well, now we know that it's using RC4... time to figure out where the key is coming from. But first, let's build a POC for converting the data...

[Conversion Python Script](https://github.com/batteryshark/writeups/tree/54a5494093e50ac24845c5b420969ddb586fe802/20141003/code/converter.py)
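For reference, a minimal RC4 transform of the kind described above, written as an added example (it is not the linked converter script or the INI++ code). It assumes INI++ applies textbook RC4 keyed directly with the ASCII password; the password and INI content are constructed samples, and `looks_like_ini` is a hypothetical helper for checking a decrypted result.

```python
def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes for `key` (KSA followed by PRGA)."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm: permute S under control of the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm: one keystream byte per step.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_transform(data: bytes, password: str) -> bytes:
    """XOR `data` with the keystream; the same call encrypts and decrypts."""
    ks = rc4_keystream(password.encode("ascii"))
    return bytes(b ^ next(ks) for b in data)


# Constructed sample: not a real Boshy save and not the game's password.
SAMPLE_PASSWORD = "examplepassword"
SAMPLE_INI = b"[Progress]\r\nworld=3\r\ndeaths=1204\r\n"


def looks_like_ini(blob: bytes) -> bool:
    """Sanity check for a decrypted file: printable ASCII with a [section]."""
    try:
        text = blob.decode("ascii")
    except UnicodeDecodeError:
        return False
    printable = all(c.isprintable() or c in "\r\n\t" for c in text)
    has_section = any(ln.strip().startswith("[") for ln in text.splitlines())
    return printable and has_section


if __name__ == "__main__":
    enc = rc4_transform(SAMPLE_INI, SAMPLE_PASSWORD)
    # Stream cipher, no padding: ciphertext length equals plaintext length.
    print(len(SAMPLE_INI), len(enc), enc.hex())
    print(looks_like_ini(rc4_transform(enc, SAMPLE_PASSWORD)))
```

Because the output is the input XORed with a password-derived keystream, the file size never changes and there is no integrity check, which is why this behaves as obfuscation rather than protection for save data.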

So now we know the algorithm and have a POC... but we still don't know the damn password! Fortunately, MMF2 is publicly available and so is this plugin.

## Getting the Password

After making a small test project that simply starts and writes an ini file with some data into an encrypted file, I find that the password allows no special characters and only one line.

![Test Password](https://3700770608-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ld5rUxSncVR1sxGtsic%2F-Ld5rl3PJzv3euHTPTwc%2F-Ld5rmopFJhq9iEx0sTu%2F10.png?generation=1555967201769745\&alt=media)

I compiled my project and set out in its running memory to find my password in plaintext because... #YOLO I guess...

![Test Password](https://3700770608-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ld5rUxSncVR1sxGtsic%2F-Ld5rl3PJzv3euHTPTwc%2F-Ld5rmorLEWKwYPCSpia%2F11.png?generation=1555967199917735\&alt=media)

Doing the same thing on IWBTB will net you a lot more text, but looking near the areas in memory where I found my password, theirs stuck out as well.

![Boshy Password](https://3700770608-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ld5rUxSncVR1sxGtsic%2F-Ld5rl3PJzv3euHTPTwc%2F-Ld5rmotfi4xgVIDHJoI%2F12.png?generation=1555967199435732\&alt=media)

The result:

![Boshy Save Decrypted](https://3700770608-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ld5rUxSncVR1sxGtsic%2F-Ld5rl3PJzv3euHTPTwc%2F-Ld5rmovleNUNhlZkzFF%2F13.png?generation=1555967203841619\&alt=media)

The src below will decrypt/encrypt any of Boshy's INI files - the algorithm is reversible... just run again to re-encrypt. Decrypt a fully unlocked save available online if you want :)

[Boshy Python Script](https://github.com/batteryshark/writeups/tree/54a5494093e50ac24845c5b420969ddb586fe802/20141003/code/boshy.py)


