Decompression & Extraction of Current .kom Files

07/07/2024 13:21 Zykres#1
Hello everyone,

I am currently in the process of extracting .kom files from Elrios. I had success with the 001.kom file because the header is readable, but the data, especially .lua files, are encrypted (Kom Version 0.3). With the 036.kom file (Version 0.6), the header is likely encrypted as well. My analysis has revealed the following:

The entropy of the first entry (115783 bytes) is 7.94, and all 1MB chunks consistently have an entropy of about 7.999. These high values suggest encryption or strong compression, with encryption being more likely since some patterns would typically be visible in compressed data. There are also recurring 8-byte structures, which could indicate an internal structure of the encrypted data. These structures might be headers or metadata for individual files or data blocks within the KOM file.

The encryption appears to operate in blocks, possibly with its own header for each block. It could be symmetric encryption such as AES in CBC mode, where each block uses an initialization vector.

Does anyone have experience with the exact encryption method used for these .kom files? Any information would be helpful so I know what to look for.
07/07/2024 18:16 MuffinMario#2
There is not one single encryption method used. If you can read the XML header, you can see that there are various algorithm numbers (0, 2, 3) that are all very different from each other; the algorithms may also change between KOM versions.

Since you are currently using a KOM V3 file, I can tell you that the file in question is not using AES.
07/08/2024 06:30 Zykres#3
Thanks!

Then I must have decompressed it incorrectly. I suspect it is compressed with zlib. Is this approach at least correct? I will try again later and revise my code.

What about the more interesting .kom files? These have version 0.6, but the rest of the header is unreadable. For example, the 036.kom file seems to be encrypted. Or am I wrong about that as well?
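Added example, not part of the thread: a Python sketch of the triage discussed in posts #1 and #3, measuring per-chunk Shannon entropy and then testing the zlib hypothesis directly with the RFC 1950 header check and a trial inflate. The samples are constructed in the script; no KOM data or KOM layout is assumed, and zlib is only the poster's suspicion.

```python
import math
import random
import zlib
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chunk_entropies(data: bytes, chunk_size: int = 1 << 20) -> list:
    """Entropy per chunk_size slice; a short trailing slice is dropped."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    if len(chunks) > 1 and len(chunks[-1]) < chunk_size:
        chunks.pop()  # a short tail cannot reach 8 bits and skews the minimum
    return [shannon_entropy(c) for c in chunks]

def has_zlib_header(data: bytes) -> bool:
    """RFC 1950: CM == 8, CINFO <= 7, and (CMF << 8 | FLG) divisible by 31."""
    if len(data) < 2:
        return False
    cmf, flg = data[0], data[1]
    return (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and ((cmf << 8) | flg) % 31 == 0

def try_inflate(data: bytes):
    """Return the inflated bytes if data is a complete zlib stream, else None."""
    try:
        return zlib.decompress(data)
    except zlib.error:
        return None

def make_samples() -> dict:
    """Constructed inputs: script-like text, its zlib form, and opaque bytes."""
    rng = random.Random(0)
    plain = "".join(
        f"item_{i} = {{ id = {rng.randrange(10**6)}, hp = {rng.randrange(10**6)} }}\n"
        for i in range(40000)).encode()
    packed = zlib.compress(plain, 9)
    opaque = rng.randbytes(len(packed))  # constructed stand-in for ciphertext
    return {"plain": plain, "zlib": packed, "opaque": opaque}

if __name__ == "__main__":
    for name, blob in make_samples().items():
        ents = chunk_entropies(blob, 64 * 1024)
        print(f"{name:7s} size={len(blob):8d} min_H={min(ents):.3f} "
              f"zlib_header={has_zlib_header(blob)} "
              f"inflates={try_inflate(blob) is not None}")
```

The compressed and the opaque sample both score far above the plain text on entropy; only the header check and the trial inflate tell them apart.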
07/08/2024 15:11 MuffinMario#4
XML has been encrypted since V4; V5 updated the XML encryption algorithm as well. Algorithms have changed in V4 and V6.
07/08/2024 15:58 Zykres#5
Thank you, I appreciate your help. Do you mind sharing which exact encryption methods are used? That would save me a lot of work.
07/08/2024 16:15 MuffinMario#6
That is indeed the majority of the work :) All I'm going to disclose is that the encryption algorithms are very simple or commonplace. Especially through the ability to straight up attach a debugger to rift, you can relatively easily reverse the algorithms in question, given enough patience.
07/08/2024 16:17 Zykres#7
Yeah, I thought you would say that. Thank you for your help so far!