Decompression & Extraction of Current .kom Files
Discussion on Decompression & Extraction of Current .kom Files within the Elsword forum part of the MMORPGs category.
07/07/2024, 13:21
|
#1
|
elite*gold: 0
Join Date: May 2012
Posts: 221
Received Thanks: 132
|
Decompression & Extraction of Current .kom Files
Hello everyone,
I am currently in the process of extracting .kom files from Elrios. I had success with the 001.kom file because the header is readable, but the data, especially .lua files, are encrypted (Kom Version 0.3). With the 036.kom file (Version 0.6), the header is likely encrypted as well. My analysis has revealed the following:
The entropy of the first entry (115783 bytes) is 7.94, and all 1MB chunks consistently have an entropy of about 7.999. These high values suggest encryption or strong compression, with encryption being more likely since some patterns would typically be visible in compressed data. There are also recurring 8-byte structures, which could indicate an internal structure of the encrypted data. These structures might be headers or metadata for individual files or data blocks within the KOM file.
The encryption appears to operate in blocks, possibly with its own header for each block. It could be symmetric encryption such as AES in CBC mode, where each block uses an initialization vector.
Does anyone have experience with the exact encryption method used for these .kom files? Any information would be helpful so I know what to look for.
|
|
|
07/07/2024, 18:16
|
#2
|
elite*gold: 0
Join Date: Apr 2011
Posts: 895
Received Thanks: 558
|
Quote:
Originally Posted by Zykres
Hello everyone,
I am currently in the process of extracting .kom files from Elrios. I had success with the 001.kom file because the header is readable, but the data, especially .lua files, are encrypted (Kom Version 0.3). With the 036.kom file (Version 0.6), the header is likely encrypted as well. My analysis has revealed the following:
The entropy of the first entry (115783 bytes) is 7.94, and all 1MB chunks consistently have an entropy of about 7.999. These high values suggest encryption or strong compression, with encryption being more likely since some patterns would typically be visible in compressed data. There are also recurring 8-byte structures, which could indicate an internal structure of the encrypted data. These structures might be headers or metadata for individual files or data blocks within the KOM file.
The encryption appears to operate in blocks, possibly with its own header for each block. It could be symmetric encryption such as AES in CBC mode, where each block uses an initialization vector.
Does anyone have experience with the exact encryption method used for these .kom files? Any information would be helpful so I know what to look for.
|
There is not one single encryption method used. If you can read the XML header, you can see that there are various algorithm numbers (0, 2, 3) that are all very different from each other; the algorithms may also change between KOM versions.
Since you are currently using a KOM V3 file, I can tell you that the file in question is not using AES.
|
|
|
07/08/2024, 06:30
|
#3
|
elite*gold: 0
Join Date: May 2012
Posts: 221
Received Thanks: 132
|
Quote:
Originally Posted by MuffinMario
There is not one single encryption method used. If you can read the XML header, you can see that there are various algorithm numbers (0, 2, 3) that are all very different from each other; the algorithms may also change between KOM versions.
Since you are currently using a KOM V3 file, I can tell you that the file in question is not using AES.
|
Thanks!
Then I must have decompressed it incorrectly. I suspect it is compressed with zlib. Is this approach at least correct? I will try again later and revise my code.
What about the more interesting .kom files? These have version 0.6, but the rest of the header is unreadable. For example, the 036.kom file seems to be encrypted. Or am I wrong about that as well?
|
|
|
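Added example, not code from any poster in this thread: it shows why the entropy figures from post #1 cannot by themselves separate compression from encryption, and how the zlib guess from post #3 can be checked with the RFC 1950 header rule plus a trial inflate. All function names, the 7.5 threshold and the sample data are assumptions constructed for illustration; a SHA-256 counter stream stands in for ciphertext.

```python
import hashlib
import math
import zlib
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chunk_entropies(data: bytes, chunk_size: int = 1 << 20) -> list:
    """Entropy of each fixed-size chunk, as in the per-chunk analysis."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]

def looks_like_zlib(data: bytes) -> bool:
    """RFC 1950 header: CM == 8, CINFO <= 7, (CMF*256 + FLG) % 31 == 0."""
    if len(data) < 2:
        return False
    cmf, flg = data[0], data[1]
    return (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and ((cmf << 8) | flg) % 31 == 0

def classify(data: bytes, threshold: float = 7.5) -> str:
    """Return 'zlib', 'high-entropy-unknown' or 'low-entropy'."""
    if looks_like_zlib(data):
        try:
            stream = zlib.decompressobj()
            stream.decompress(data)
            if stream.eof:  # a complete, valid zlib stream was consumed
                return "zlib"
        except zlib.error:
            pass  # header matched by chance; fall through to the entropy test
    return "high-entropy-unknown" if shannon_entropy(data) > threshold else "low-entropy"

# Constructed sample inputs (not taken from any .kom file).
PLAINTEXT = "".join(
    f"item_{i} = {{ id = {i * 7919 % 100003}, name = 'n{i}' }}\n" for i in range(5000)
).encode()
COMPRESSED = zlib.compress(PLAINTEXT, 9)
PSEUDO_CIPHER = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(2048))

if __name__ == "__main__":
    for name, blob in [("plaintext", PLAINTEXT), ("zlib", COMPRESSED), ("cipher-like", PSEUDO_CIPHER)]:
        print(f"{name:12s} entropy={shannon_entropy(blob):.3f} -> {classify(blob)}")
```

Both the zlib stream and the cipher-like stream score close to 8 bits per byte; only the header check and trial inflate tell them apart.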
07/08/2024, 15:11
|
#4
|
elite*gold: 0
Join Date: Apr 2011
Posts: 895
Received Thanks: 558
|
Quote:
Originally Posted by Zykres
Thanks!
Then I must have decompressed it incorrectly. I suspect it is compressed with zlib. Is this approach at least correct? I will try again later and revise my code.
What about the more interesting .kom files? These have version 0.6, but the rest of the header is unreadable. For example, the 036.kom file seems to be encrypted. Or am I wrong about that as well?
|
XML has been encrypted since V4, and V5 updated the XML encryption algorithm as well. Algorithms have changed in V4 and V6.
|
|
|
07/08/2024, 15:58
|
#5
|
elite*gold: 0
Join Date: May 2012
Posts: 221
Received Thanks: 132
|
Quote:
Originally Posted by MuffinMario
XML has been encrypted since V4, and V5 updated the XML encryption algorithm as well. Algorithms have changed in V4 and V6.
|
Thank you, I appreciate your help. Do you mind sharing which exact encryption methods are used? That would save me a lot of work.
|
|
|
07/08/2024, 16:15
|
#6
|
elite*gold: 0
Join Date: Apr 2011
Posts: 895
Received Thanks: 558
|
Quote:
Originally Posted by Zykres
Thank you, I appreciate your help. Do you mind sharing which exact encryption methods are used? That would save me a lot of work.
|
That is indeed the majority of the work. All I'm going to disclose is that the encryption algorithms are very simple or commonplace. Especially through the ability to straight up attach a debugger to rift, you can relatively easily reverse the algorithms in question, given enough patience.
|
|
|
07/08/2024, 16:17
|
#7
|
elite*gold: 0
Join Date: May 2012
Posts: 221
Received Thanks: 132
|
Quote:
Originally Posted by MuffinMario
That is indeed the majority of the work. All I'm going to disclose is that the encryption algorithms are very simple or commonplace. Especially through the ability to straight up attach a debugger to rift, you can relatively easily reverse the algorithms in question, given enough patience.
|
Yeah, I thought you would say that. Thank you for your help so far!
|
|
|
All times are GMT +1.