VRChat added VRCA (?maybe VRCW too) protection
-
so I went out of my way and memory dumped vrchat, so if anyone wants to look through it go for it https://drive.google.com/file/d/1VsTPjzQY9LgPkNshV0nZHF6O3mmfIHsF/view
-
@crystaldustie can this be used to rip models again?
-
Since VRC is a DX11 game, would it be possible to use gpu buffer rippers like NinjaRipper to extract at least the mesh & textures? Or would anticheat cause problems here?
-
AES-GCM and breaking it on nonce reuse
In this post, we will look at how the security of the AES-GCM mode of operation can be completely compromised when a nonce is reused.
frereit's blog (frereit.de)
@crystaldustie vrchat is encrypted in aes gcm
-
@crystaldustie how do you do a memory dump? there is a part I want to check
-
and use process hacker
-
@crystaldustie pretty cool, lotta data to sift through and sort. Put that bad boy in a hex editor and type "avtr" lmao. Or throw it into WinDbg.
Oh yea thought I'd share this, VRChat creates a __data file in C:\Users\username\AppData\LocalLow\Unity\Temp\
It's an avatar data file. VRChat creates it and instantly deletes it. I set permissions to not allow VRChat to delete files in that folder in hopes it might be some sorta briefly made unencrypted data file, I genuinely believe the VRChat devs would be that lazy to do something like this lol. Unfortunately the file is still encrypted, though it's essential to loading the avatar.
Disable VRChat's access to the folder and the avatar throws an error bot.
-
@Reym run vrchat without eac
@crystaldustie sounds risky, do i just task kill eac as the game starts?
-
@Reym u need to just go to vrchat main exe that is in a steam folder and launch that
@crystaldustie That version of the game isn't very useful because from a server side perspective it doesn't even give the ok to download models that aren't yours, I guess it's ok if you need to rip models that are yours, but I checked the network traffic for this and it doesn't actually send data that isn't yours
-
@Reym @crystaldustie @Dr.beep not sure if it is useful but you can still kill the EAC process post launch. still download models, go to public worlds and such. though I'm sure there's some background service running, however I tried poking around with Process Explorer and didn't see anything related to EAC running.
But I don't think this is useful as injections need to happen pre-launch unless someone has anything they can go off of with this?
-
Did anyone else see this? Lmao
https://youtu.be/QTq0nKzni5s?si=m4G_-t5paDo_eJtI
-
@StinkerGuy115 lmao what is that
-
@DeepDishBussy No idea some dude ig showing that they can still rip models post encryption patch. Was poking around google and came across it.
-
I think the video may have been satirical based on the description
-
@DeepDishBussy Honestly I agree, like some edgelord posting their clips of them using a client.
Been really interested in this whole thing myself. I ran Wireshark with Procmon and compared them to the Output log txt file in the LocalLow folder for VRChat so I can get time stamps of what happens.
There are several servers VRChat communicates with for like authentication. From what it looks like, it seems it just kinda is reading and confirming with a server as it's downloading the files. You find that it repeatedly is checking with a server while it is reading from the __data file.
I did a TCP stream follow of one of the addresses it was communicating with and I saw it initializes by communicating with a "photonengine.io" then it goes to a site called "http://www.digicert.com" and another one by the domain of rapidssl.com
VRChat also around this phase is repeatedly interacting with the PhotoEncryptorPlugin.dll while reading from the __data files in the cache folder. I don't know if any of this is user authentication or actual encryption of the files themselves. Can reverse engineer the dll with Ghidra, or just pop it into a hex editor lol.