
Decode the values sent in Ubisoft's dmx.upc.ubisoft.com API. Part of my work to reverse engineer Ubisoft Connect's APIs.

Primary language: TypeScript. License: MIT.

ubisoft-dmx-decode

How to capture requests from Ubisoft Connect

1. Keydumping Setup

  1. Prerequisites:

    • Windows 10 or Windows 11
    • Python 3.9 (I used pyenv)
    • Wireshark
  2. If you're on Windows 11: (source)

    • Search for "Exploit protection" and open
    • Click "Program settings"
    • Click "Add program to customize"
    • Click "Add program by name"
    • Enter lsass.exe and continue
    • Scroll to "Hardware-enforced Stack Protection", turn it Off, and click Apply (this is only needed so frida can attach to lsass.exe; turn it back On once you're done capturing keys)
    • Restart your computer
  3. Install frida and ensure it works

    > pip install frida-tools
    > frida --version
    15.1.15
  4. Save keylog.js somewhere you'll remember

2. Capturing Keys

  1. Close Ubisoft Connect

  2. Search for "Windows PowerShell", right-click it and Run as administrator

  3. Start capturing keys with

    frida --no-pause lsass.exe -l \path\to\keylog.js
    • If frida can't find lsass.exe, get its process ID from the Task Manager Details tab, or by running Get-Process -Name lsass, and use that PID instead of lsass.exe in the frida command
  4. You should see C:\keylog.log beginning to populate. Keep frida running until you're done capturing packets. The file contains live TLS session secrets, so delete it when you're finished.

3. Capturing Packets

  1. Open Wireshark
  2. Go to Edit > Preferences > Protocols > TLS > (Pre)-Master-Secret log filename > Browse... > navigate to C:\keylog.log, then click OK
  3. View > Name Resolution > Check "Resolve Network Addresses"
  4. Click your adapter in the "Capture" list to begin capturing (I use "Ethernet")
  5. Open Ubisoft Connect and do some things
  6. Click the 🟥 button to stop capture
  7. In the filter bar, enter (ip.dst_host == dmx.upc.ubisoft.com) || (ip.src_host == dmx.upc.ubisoft.com)
  8. Press CTRL+R to reload the packets to ensure decryption applies
  9. Right-click a TLSv1.2 packet > Follow > TLS Stream. A window containing some readable text should appear, which means the decryption is working.
  10. Set "Show data as" to YAML, click "Save as...", and save as tls-stream.yml.
  11. Once saved, click the "Filter out this stream" button. Typically there are multiple demux TLS streams in one capture, and you'll need to repeat the above step for each one. Keep saving and filtering until none remain.

4. Decoding the requests

  1. Clone this project
  2. npm i
  3. Move tls-stream.yml to the root of the project
  4. npm start. The output will be written to decodes.json
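
The decoding step above relies on the .proto files checked into this project. As an added example that is not part of ubisoft-dmx-decode, the TypeScript below shows how the same wire format can be inspected without any schema, the way protoc --decode_raw does: it walks the tags, varints and length-delimited fields of a protobuf message and guesses whether each byte string is a nested message, printable text or opaque bytes. The function names and the SAMPLE bytes are constructed for this example; they are not taken from Ubisoft's API.

```typescript
// Added example, not part of ubisoft-dmx-decode: a schema-less protobuf
// wire-format decoder in the spirit of `protoc --decode_raw`, for looking at a
// captured message before the matching .proto exists. SAMPLE is constructed
// for this example and is not a real dmx.upc.ubisoft.com payload.

export interface RawField {
  field: number;    // field number taken from the tag
  wireType: number; // 0 varint, 1 fixed64, 2 length-delimited, 5 fixed32
  value: number | string | Uint8Array | RawField[];
}

// Read one base-128 varint at pos; returns [value, next position]. Values are
// plain JS numbers, so anything above 2^53 loses precision.
export function readVarint(buf: Uint8Array, pos: number): [number, number] {
  let result = 0, shift = 0;
  for (;;) {
    if (pos >= buf.length) throw new Error("truncated varint at offset " + pos);
    const b = buf[pos++];
    result += (b & 0x7f) * Math.pow(2, shift);
    if ((b & 0x80) === 0) return [result, pos];
    shift += 7;
    if (shift > 63) throw new Error("varint longer than 10 bytes");
  }
}

// Little-endian fixed32 / fixed64, width in bytes.
function readFixed(buf: Uint8Array, pos: number, width: number): number {
  if (pos + width > buf.length) throw new Error("truncated fixed field at offset " + pos);
  let v = 0;
  for (let i = width - 1; i >= 0; i--) v = v * 256 + buf[pos + i];
  return v;
}

// Decode every field in buf. Malformed input throws, which is what lets
// interpretBytes tell a nested message apart from opaque bytes.
export function decodeRaw(buf: Uint8Array, depth: number = 0): RawField[] {
  const fields: RawField[] = [];
  let pos = 0;
  while (pos < buf.length) {
    const [tag, afterTag] = readVarint(buf, pos);
    pos = afterTag;
    const field = Math.floor(tag / 8), wireType = tag % 8;
    if (field === 0) throw new Error("field number 0 is not allowed");
    if (wireType === 0) {
      const [v, next] = readVarint(buf, pos);
      fields.push({ field, wireType, value: v });
      pos = next;
    } else if (wireType === 1 || wireType === 5) {
      const width = wireType === 1 ? 8 : 4;
      fields.push({ field, wireType, value: readFixed(buf, pos, width) });
      pos += width;
    } else if (wireType === 2) {
      const [len, next] = readVarint(buf, pos);
      if (next + len > buf.length) throw new Error("length-delimited field runs past the buffer");
      fields.push({ field, wireType, value: interpretBytes(buf.subarray(next, next + len), depth) });
      pos = next + len;
    } else {
      // 3 and 4 are the obsolete group markers, 6 and 7 are invalid
      throw new Error("unsupported wire type " + wireType + " at offset " + pos);
    }
  }
  return fields;
}

// Same guess order as decode_raw: nested message if the bytes parse as one,
// else printable ASCII, else raw bytes. The guess can be wrong (short text can
// parse as a valid message), so treat nested output as a hint. depth caps
// recursion on hostile input.
function interpretBytes(bytes: Uint8Array, depth: number): string | Uint8Array | RawField[] {
  if (bytes.length > 0 && depth < 16) {
    try { return decodeRaw(bytes, depth + 1); } catch { /* not a message */ }
  }
  let text = "";
  for (let i = 0; i < bytes.length; i++) {
    if (bytes[i] < 0x20 || bytes[i] > 0x7e) return bytes;
    text += String.fromCharCode(bytes[i]);
  }
  return text;
}

// Render fields in the indented style decode_raw prints.
export function render(fields: RawField[], indent: string = ""): string {
  let out = "";
  for (let i = 0; i < fields.length; i++) {
    const f = fields[i], v = f.value;
    if (Array.isArray(v)) out += indent + f.field + " {\n" + render(v, indent + "  ") + indent + "}\n";
    else if (typeof v === "string") out += indent + f.field + ': "' + v + '"\n';
    else if (typeof v === "number") out += indent + f.field + ": " + v + "\n";
    else out += indent + f.field + ": <" + v.length + " bytes>\n";
  }
  return out;
}

// Constructed sample: 1 = 150, 2 = "dmx", 3 = { 1 = 1, 2 = "ok" }, 4 = fixed32 1
export const SAMPLE = new Uint8Array([
  0x08, 0x96, 0x01, 0x12, 0x03, 0x64, 0x6d, 0x78,
  0x1a, 0x06, 0x08, 0x01, 0x12, 0x02, 0x6f, 0x6b,
  0x25, 0x01, 0x00, 0x00, 0x00,
]);

console.log(render(decodeRaw(SAMPLE)));
```

Run it with ts-node, or compile with tsc and run the output with node. The nested-message-first guess is the same one protoc --decode_raw makes, and it has the same blind spot: a short ASCII string whose bytes happen to form valid tags will be shown as a message, so use the raw view to discover field numbers and types, then confirm them against the real .proto once you have it. Every malformed input path throws rather than reading out of bounds, and the recursion depth is capped, which matters when the bytes come from a network capture rather than from code you control.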

How to get the .proto files

Only needed if you have to update the protos.

  1. Follow steps 1-3 of this guide.
  2. Copy the upc_protos folder here and rename it to proto