[Guide] Finding the PK2 Blowfish Key in 5 Easy Steps

pushedx · 06/17/2010, 10:55

This guide will show how to find the PK2 Blowfish key required for reading and writing to PK2 files. This key stays the same for official Silkroad versions, but private servers modify the key to break tools. By using this guide, you will learn how to easily find the key to make PK2 tools work again (but, I am not covering updating those tools). I've posted this information before and explained the process to people, but I wanted to have a single resource that can be referred to that easily shows it all.

Step 1: Find the initial PK2 loading code in the client. This is easiest done if you simply "search for all referenced text strings" and look for "169841" followed by the name of a PK2 file. Set a breakpoint as shown on the function call. When you step into the function call proceed to Step 2.

Step 2: Locate GFXFileManager’s PK2 loading function. After you stepped into the function call from Step 1, you will need to locate the call to the GFXFileManager DLL. Luckily, this seems to always be shown as CALL EDX, so you should be able to track it down. Set a breakpoint as shown on the function call. When you step into the function call proceed to Step 3.

Step 3: Trace into the higher level function call. Now that we are inside the GFXFileManager DLL, we have to find the top level function that eventually causes the Blowfish key to be generated and used to setup encryption. Carefully refer to the screenshot to locate the function. Set a breakpoint as shown on the function call. When you step into the function call proceed to Step 4. NOTE: Before you step into the function call, the PK2 base key is at the top of the stack. This value is important for non-official versions for my old PK2 writing tools.

Step 4: Trace into the lower level function call. This step might take the longest due to how far down you have to scroll. However, since the format of the GFXFileManager is pretty much the same, it's not hard to find at all. Carefully refer to the screenshot to locate the function. Set a breakpoint as shown on the function call. When you step into the function call proceed to Step 5.

Step 5: "Borrow" the key! Once we step into the final function, we need to set a breakpoint as shown to trace the creation of the Blowfish key. After the breakpoint is hit, we should follow the address in the dump that is written to on the line marked "Blowfish Key" the first time through. The key is always 6 bytes, so as soon as the JL will not execute, you will know the key is complete. From there, you can simply copy it from the dump.

Now, you have the Blowfish Key (Step 5) and the Base PK2 Key (Step 3) required for working with the PK2 files. I'm not going to refer back to my old PK2 tools (which contain some serious flaws) and using these keys because I am in the process of updating them again. However, I still wanted to have a guide to reference about how I go about getting the PK2 keys for different Silkroad versions.

omegalugia · 06/21/2010, 09:22

Olly for the win

Thanks man and nice guide. Really helpful to me, you have no idea.

.1337 · 06/21/2010, 10:46

yes great tutorial , the first one from yours i understood ^^

~~jack11111~~ · 07/11/2010, 13:38

Nice Guide.

~~Bl0wFish~~ · 08/04/2010, 20:11

Nice TuT. Thank You!

peppe27 · 07/08/2011, 02:47

So before step 1 im suppose to open sro_client ? with what program should i do that ?

Ehab almsry · 07/08/2011, 08:06

where we can find all referenced text i dont understand anythig x(

inv123 · 07/08/2011, 08:22

The only prob that the number "169841" is not exist in elite client

Dunno synx did sg. to it

teto_max15 · 07/08/2011, 09:02

what is the name of this Pro ???

walus32 · 07/08/2011, 13:57

i can`t get blowfish esro ;p any one can give me? ;p

Kazuya¹ · 07/08/2011, 16:24

Quote:

Originally Posted by inv123

The only prob that the number "169841" is not exist in elite client Dunno synx did sg. to it

obviously lol. 169841 IS the normal key. and if it doesnt work, then the
key has been changed. so obviously 169841 wouldnt be in there lol.

inv123 · 07/08/2011, 18:32

E lol, but we only need those string than

walus32 · 07/08/2011, 18:54

i found string but cant read key ;p

teto_max15 · 07/08/2011, 20:22

what is Program name ???

~~lorveth~~ · 07/08/2011, 20:58

Search in ollydbg for ".pk2", till you find the latest one, then click on it and follow the guide.