VRChat added VRCA (?maybe VRCW too) protection
-
i've reversed the dll myself, and it's in fact not related to the avatar encryption, but it's known that everything happens on memory.
If you know about reverse engineering we could create a discord group to help each other, if you are interested dm me.
-
Touching the client is resource intensive. I believe that going around it by bumping TLS or getting bundles from the CDN is our best bet yet.
-
I may be wrong (I don't think so though) but I just ripped an avatar just fine I know that with the newest sdk 3.8 or something they have detections for ripped avis so if you import an avatar it's got to be renamed and all folders need to be moved and renamed to trick it into thinking it's normal. It really pissed me off but it doesn't seem to be impossible, took me a bit but def. doable.
I wasn't able to rip with UTiny like the old days but I have an old bit of software that for my continued use will not be naming but FYI I believe you can. -
Can I ask where you heard about the ripping detections for sdk 3.8? If this is true, that is very frustrating
-
I don't know much about the ripping detection, but recently I ran into a public avatar that in their radial wheel they had a toggle which stated "I know when you rip this avatar" and in the description it outed 2-3 people that have before. But that's as far as I've heard about it
-
I don't know much about the ripping detection, but recently I ran into a public avatar that in their radial wheel they had a toggle which stated "I know when you rip this avatar" and in the description it outed 2-3 people that have before. But that's as far as I've heard about it
@mrblueskelly That sounds more like the original creator found the ripped versions, could be a user thats part of a small community/fandom that got told about their model getting ripped or the people who ripped the model making their versions public since thats what i generally see happen
-
Yeah that sounds more likely honestly, the only "ripping detection" I've heard about is Gonzo which in my opinion the weirdest shit, on the creator side of things I wouldn't touch it with a 10ft pole
-
If anyone knows/finds a way to decrypt encrypted vrcw/world __data files, or a workaround to download/extract the unencrypted files before they're encrypted, please let me know (preferably without requiring a modified VRChat client). Or if someone doesn't want to share how to do it but is willing to provide at least 1 specific unencrypted world file (I have ~40 that I saved from before the update, but not of some worlds that I'm interested in).
-
V vrchat_account referenced this topic
-
V vrchat_account referenced this topic
-
Thread for sharing unencrypted cached world files from before the update:
https://forum.ripper.store/topic/56387/share-any-unencrypted-before-vrchat-update-world-cache-files-__data-vrcw-here -
So few things I discovered from my analysis.
-
For now encryption is client side and assets are encrypted only after they are downloaded
-
Seems they are using AES which is very strong BUT the game has to have a key to decrypt it so just like with Unreal Engine PAK files it should be possible to eventually find where the key is and get it, there are three possibilities, one is that key is hardcoded into the game and is same for all users, second is that key is derived from some sort of unique ID like HWID so that every user has different key (I have yet to test it by transfering cache to another PC) third option is that the decrpytion key isnt even in the game at all and that its sent by the server upon loading into the world.
-
Using Fiddler doesnt work as game seems to use SSL Pinning so when running network sniffing asset related connections are rejected, Fiddler used to work few years ago for getting VRCA and VRCW files from CDN but looks like thats now fixed and VRCX JSON asset URL field is empty and even if you get the URL to asset on CDN connection is rejected because its expecting VRC user agent and auth key, it should be possible to spoof VRC user agent and somehow get users auth key but I havent tried that
I think SARS already does that but I havent tested it for now. -
Even tho encryption is currently done client side its possible that in the future any new uploads of bundles might be encrypted upon upload either in SDK or on server after upload.
Whats already unencrypted on CDN will probably stay that way because it would be very hard on servers CPUs to go and encrypt all the old content but future content is uncertian.
I still gotta check if there is some sort of temp file during encryption process but Im gonna have to do that on old laptop since my main desktop is done with encryption in less than a second while old laptop I dug up freezes for a few seconds during encryption after download is done so I might try killing the game during that process
-
-
Okay, so some more testing.
I set my cache location to secondary drive and proceeded to download quite large in file size worlds and watched SSDs activity.
I found that D drive that cache was set to was idle during download and only shows large activity spike after download is complete so files arent being put into the cache folder until they are done downloading meanwhile C the system drive was showing write speed that match my download speed during download and was showing less and less disk space during large world downloads only for that space to come back seconds after download was done.So what I did was change my router settings to severly limit my download speed and then join the largest possible world I found to allow me some time to check where the game is writing temporary file during the download.
The game stores temporary _data file in C:\Users\username\AppData\LocalLow\Unity\Temp during the download before moving it to cache folder after download is done.
I tried to copy the file to another location just as ingame download hits 100% in hopes to get it before its encrypted but it ended up still being encrypted no matter how many times I tried so either its already encrypted on server or my Core i9 is too fast and gets encryption done before file gets copied or its simply being encrypted in realtime as its written even sa temp file.
I just hope decryption key is somewhere in the game and not sent by the server to the client as getting key from the game itself is gonna be easier because game has SSL pinning which make traffic sniffing harder.
-
So few things I discovered from my analysis.
-
For now encryption is client side and assets are encrypted only after they are downloaded
-
Seems they are using AES which is very strong BUT the game has to have a key to decrypt it so just like with Unreal Engine PAK files it should be possible to eventually find where the key is and get it, there are three possibilities, one is that key is hardcoded into the game and is same for all users, second is that key is derived from some sort of unique ID like HWID so that every user has different key (I have yet to test it by transfering cache to another PC) third option is that the decrpytion key isnt even in the game at all and that its sent by the server upon loading into the world.
-
Using Fiddler doesnt work as game seems to use SSL Pinning so when running network sniffing asset related connections are rejected, Fiddler used to work few years ago for getting VRCA and VRCW files from CDN but looks like thats now fixed and VRCX JSON asset URL field is empty and even if you get the URL to asset on CDN connection is rejected because its expecting VRC user agent and auth key, it should be possible to spoof VRC user agent and somehow get users auth key but I havent tried that
I think SARS already does that but I havent tested it for now. -
Even tho encryption is currently done client side its possible that in the future any new uploads of bundles might be encrypted upon upload either in SDK or on server after upload.
Whats already unencrypted on CDN will probably stay that way because it would be very hard on servers CPUs to go and encrypt all the old content but future content is uncertian.
I still gotta check if there is some sort of temp file during encryption process but Im gonna have to do that on old laptop since my main desktop is done with encryption in less than a second while old laptop I dug up freezes for a few seconds during encryption after download is done so I might try killing the game during that process
@stetamatea On what are you basing your assumption that it's fully client-side?
Avatars are being processed server-side already.. When you switch to an avatar that hasn't been used for a while it says "Server Processing" for quite a bit before sending it to the players, I see 0 reason for them not to encrypt them at that moment.
As someone who's dealt with AES, it's not that bad (performance wise) to encrypt avatars/worlds server-side. -
-
@stetamatea On what are you basing your assumption that it's fully client-side?
Avatars are being processed server-side already.. When you switch to an avatar that hasn't been used for a while it says "Server Processing" for quite a bit before sending it to the players, I see 0 reason for them not to encrypt them at that moment.
As someone who's dealt with AES, it's not that bad (performance wise) to encrypt avatars/worlds server-side.@devonda745 said in VRChat added VRCA (?maybe VRCW too) protection:
@stetamatea On what are you basing your assumption that it's fully client-side?
Avatars are being processed server-side already.. When you switch to an avatar that hasn't been used for a while it says "Server Processing" for quite a bit before sending it to the players, I see 0 reason for them not to encrypt them at that moment.
As someone who's dealt with AES, it's not that bad (performance wise) to encrypt avatars/worlds server-side.On the fact that you can use modified client and it will simply download avatar as usual without any encryption which can then be extracted like usual with assetripper.
Another option that works is by bypassing EAC (there are some non public methods) on vanilla client you can inject cert to avoid SSL pinning and use MITM proxy to get direct URL to assetbundle game downloads and manually download it which again results in unencrypted assetbundle, its only when client processes it that its encrypted.
Same was confirmed in SARS discord server, downloading directly from CDN using VRCHAT client headers and user auth key results in unencrypted assetbundle and same with using modded client, the assets are unencrypted.
Some were able to run older client version before they patched that (now that its patched it checks and forces update) and old client resulted in unencrypted patch.
They are literally serving raw assetbundles from server and client applies encryption when it gets put into cache folder.
I wouldnt be suprised if they start serving encrypted content from server in the future but for now its fully client side.
-
Can someone please help me download only a single avatar from the servers before this situation gets any worse?
-
You don’t really need to go through all that trouble—
wouldn’t it be easier to just use Windows’ built-in features to make the files read-only and then grab them?
Even then, the files were already encrypted, so doesn’t that mean they’re encrypted at the time of download? -
@devonda745 said in VRChat added VRCA (?maybe VRCW too) protection:
@stetamatea On what are you basing your assumption that it's fully client-side?
Avatars are being processed server-side already.. When you switch to an avatar that hasn't been used for a while it says "Server Processing" for quite a bit before sending it to the players, I see 0 reason for them not to encrypt them at that moment.
As someone who's dealt with AES, it's not that bad (performance wise) to encrypt avatars/worlds server-side.On the fact that you can use modified client and it will simply download avatar as usual without any encryption which can then be extracted like usual with assetripper.
Another option that works is by bypassing EAC (there are some non public methods) on vanilla client you can inject cert to avoid SSL pinning and use MITM proxy to get direct URL to assetbundle game downloads and manually download it which again results in unencrypted assetbundle, its only when client processes it that its encrypted.
Same was confirmed in SARS discord server, downloading directly from CDN using VRCHAT client headers and user auth key results in unencrypted assetbundle and same with using modded client, the assets are unencrypted.
Some were able to run older client version before they patched that (now that its patched it checks and forces update) and old client resulted in unencrypted patch.
They are literally serving raw assetbundles from server and client applies encryption when it gets put into cache folder.
I wouldnt be suprised if they start serving encrypted content from server in the future but for now its fully client side.
@stetamatea said in VRChat added VRCA (?maybe VRCW too) protection:
you can use modified client and it will simply download avatar as usual without any encryption which can then be extracted like usual with assetripper.
Another option that works is by bypassing EAC (there are some non public methods) on vanilla client you can inject cert to avoid SSL pinning and use MITM proxy to get direct URL to assetbundle game downloads and manually download it which again results in unencrypted assetbundle, its only when client processes it that its encrypted.
Same was confirmed in SARS discord server, downloading directly from CDN using VRCHAT client headers and user auth key results in unencrypted assetbundle and same with using modded client, the assets are unencrypted.
Do those workaround methods function for worlds too? Is there anyone who uses any of them, willing to provide me a specific world AssetBundle unencrypted?
