This guide will show how to find the PK2 Blowfish key required for reading and writing PK2 files. This key stays the same for official Silkroad versions, but private servers modify the key to break tools. By using this guide, you will learn how to easily find the key to make PK2 tools work again (but I am not covering updating those tools). I've posted this information before and explained the process to people, but I wanted to have a single resource that can be referred to and that easily shows it all.
Step 1: Find the initial PK2 loading code in the client. This is easiest done if you simply "search for all referenced text strings" and look for "169841" followed by the name of a PK2 file. Set a breakpoint as shown on the function call. When you step into the function call proceed to Step 2.
Step 2: Locate GFXFileManager's PK2 loading function. After you have stepped into the function call from Step 1, you will need to locate the call into the GFXFileManager DLL. Luckily, this seems to always be shown as CALL EDX, so you should be able to track it down. Set a breakpoint as shown on the function call. When you step into the function call, proceed to Step 3.
Step 3: Trace into the higher-level function call. Now that we are inside the GFXFileManager DLL, we have to find the top-level function that eventually causes the Blowfish key to be generated and used to set up encryption. Carefully refer to the screenshot to locate the function. Set a breakpoint as shown on the function call. When you step into the function call, proceed to Step 4. NOTE: Before you step into the function call, the PK2 base key is at the top of the stack. This value is important for non-official versions when using my old PK2 writing tools.
Step 4: Trace into the lower-level function call. This step might take the longest due to how far down you have to scroll. However, since the layout of the GFXFileManager is pretty much the same across versions, it's not hard to find at all. Carefully refer to the screenshot to locate the function. Set a breakpoint as shown on the function call. When you step into the function call, proceed to Step 5.
Step 5: "Borrow" the key! Once we step into the final function, we need to set a breakpoint as shown to trace the creation of the Blowfish key. After the breakpoint is hit, we should follow the address in the dump that is written to on the line marked "Blowfish Key" the first time through. The key is always 6 bytes, so as soon as the JL no longer executes (the loop exits), you will know the key is complete. From there, you can simply copy it from the dump.
Now you have the Blowfish Key (Step 5) and the Base PK2 Key (Step 3) required for working with the PK2 files. I'm not going to refer back to my old PK2 tools (which contain some serious flaws) or to using these keys with them, because I am in the process of updating them again. However, I still wanted to have a guide to reference about how I go about getting the PK2 keys for different Silkroad versions.