Apple VGM Ripping from iOS/Android game's network-based audio files

vsr3y

Hi,

I'm trying to rip VGM from a game called Star Legends: The Blackstar Chronicles. It is available as an iOS and Android game. But digging through the .ipa and .apk files using WinRAR, there are no audio files to be found. Maybe that's because the game's assets are pulled from the developers' servers.

After downloading, launching it, and getting past the log-in screen, the game shows the following image and log:

Code:
Connecting to PatchServer...
Receiving ios002.pak
Receiving ios001.pak
Receiving pak.cfg

I suspect that the audio files are in those files, but I'm unable to obtain them because I don't know where they are stored, on both iOS and Android. I welcome any suggestions and appreciate your help!

Also, I tried screen recording as well but some tracks are cluttered with SFX that can't be disabled. It's not satisfactory this way.
Here's the .apk file to dig around; the .ipa's contents are identical to this one's.
bit.ly/3rI3HMU
 

Attachments

  • z055KiY.jpg

FAST6191

Hmm, while not a new concept I don't know that I had seen network delivered resources for AndrIOS before.

Three main approaches assuming they are in those files

1) You do a RAM dump and see if you can fish things out of that. Check the credits -- if the devs bought in a MOD/IT/S3M library to play back MOD music then they might well have credited the library makers. Might have to do multiple dumps to get each song as it is playing.

2) You find where the files are stored temporarily (don't know what options Android gives to devs to use but there are likely only a few of them, though a search for "temp and cache directories android" does say there might be a fair few possibilities). A full file system dump before launch (maybe even install) and after while it is running might give you some idea. There are means of running full blown versions of android in a virtual machine on a PC -- you don't need to be able to play the game, just boot it.

3) You kick it old school and take the audio out of a headphone jack, Bluetooth, HDMI or whatever and do a loop back recording. Hopefully there is a sound test, sfx volume control or options to start a level and get somewhere without sound effects in your ear as trying to get rid of such things in post can be tricky (though if it is repetitive enough you might get a clean section later you can copy-paste over one marred by sound effects)
Do also check they or the musicians that did them have not posted the songs to the internet somewhere such that you can fire youtube-dl at it. If you can find the musicians then you can also try asking them -- an email saying "I loved your songs in [game], do you have a clean copy so I can listen to them?" often getting you many places.

Devs that do network delivered resources might well be inclined to encrypt/protect things -- protection of things is one of the big three reasons to ever do that sort of thing (the other two being rapid turnaround without having to do a proper patching setup and trading bandwidth for long term storage capacity).

Such things are almost certain to go over SSL as well, and possibly have a handshake, so a simple session on wireshark to either grab the files or grab their urls to in turn grab on a PC will likely not do you much good, and if you are asking this then I doubt we will get too far trying to get you doing a man in the middle type hack. However this would be option 4). If you want to at least run your phone through your laptop's network to intercept (or drop security such that a simple person on the network can intercept) the traffic (let's not do ARP poisoning) to see then by all means give it a go -- usually only a few seconds to see.
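The before/after file system comparison from approach 2, as an added example that is not part of the original post: it hashes every file under a directory, then reports what a later snapshot added, changed or removed. The `demo()` run uses a constructed temporary directory as a stand-in for the app's data directory, and the `cache` and `settings.ini` names are assumptions; only the `.pak`/`pak.cfg` names come from the log in the first post.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each regular file's path (relative to root) to (size, sha256 hex)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks, sockets and device nodes
            digest, size = hashlib.sha256(), 0
            try:
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        digest.update(chunk)
                        size += len(chunk)
            except OSError:
                continue  # unreadable file: leave it out rather than abort
            snap[os.path.relpath(full, root)] = (size, digest.hexdigest())
    return snap

def diff_snapshots(before, after):
    """Return the files added, changed and removed between two snapshots."""
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    changed = sorted(p for p in after if p in before and after[p] != before[p])
    return {"added": added, "changed": changed, "removed": removed}

def demo():
    """Constructed run: a temp directory stands in for the app's data directory."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "cache"))
        with open(os.path.join(root, "settings.ini"), "wb") as fh:
            fh.write(b"volume=5")
        before = snapshot(root)
        # Simulate what the patch step in the first post's log would leave behind.
        for name in ("ios001.pak", "ios002.pak", "pak.cfg"):
            with open(os.path.join(root, "cache", name), "wb") as fh:
                fh.write(b"constructed placeholder " + name.encode())
        with open(os.path.join(root, "settings.ini"), "wb") as fh:
            fh.write(b"volume=7")
        return diff_snapshots(before, snapshot(root))
```

Taking the first snapshot before install and the second while the game is running narrows the search to the paths listed under `added`.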
 

vsr3y

Ok, I've been trying most of your suggestions so far. Here are the results:

1.1 I'm not knowledgeable in RAM Dumping. Despite googling how to do it, I still don't fully understand how to do it. Do you suggest any resources or URLs to get started on this? However, I tried reinstalling the game on my iOS device and get to the resource loading screen while looking at iOS real-time log with iOS probing software. In the loading screen, it lists 6 items:
ios005.pak-ios001.pak and pak.cfg.
I was able to find start and end points from entries that contain "Loading 6 products" and "Returning 6 products." I found the 6 labels which I assume correspond to the files in question. The relevant log and labels are included in the attached file.

1.2 Concerning using the MOD/IT/S3M library, the game is an MMORPG and has no end credits so I don't have access to the names of the composers. I also dug through their official website which, again, doesn't contain information about the names of the developers, let alone composers. I shot an email to their support twice praising the game and inquiring about the audio, to which they have yet to reply.

2.1 I've tried checking temp and cache files on Android without finding the relevant files. However, I'll try to look into it with software on PC while running the game.

2.2 Regarding full file system dump, I don't quite understand how to do this either despite my attempts to do so. Again, do you have any suggestions on where to get started on this? However, for Android virtual machine on PC, I have Bluestacks installed which I used to record from in 3.1. Not sure if this correlates to your suggestion of booting it though.

3.1 I tried loopback recording using Windows WASAPI and Microphone: Speaker (loopback) option in Audacity. Some tracks came out better than the audio in iOS screen recordings. Sadly, some tracks are still cluttered with SFX. The game is weird with Music option requiring SFX option to be turned on for it to be on, but not the other way around.

3.2 Concerning the musicians, like 1.2, I don't have access to the names of the composers so I can't contact them directly unless through developer's support email which hit a dead-end.

4. I don't have the slightest clue how to intercept my phone through laptop's network. Do you perhaps have any suggestions on resources I could get into?


Thank you so much for your quick reply. I appreciate your help. Also, if I'm doing anything wrong, don't hesitate to point it out.
Happy New Year, here's to a hopefully better year!
 

Attachments

  • log+names.txt

FAST6191

Afraid I have not had to properly tangle with andrIOS debugging/ROM hacking of random programs to get into serious specifics or suggestions. Most of the above was the general case really or how I would approach it for systems I know in earnest (most systems work the same really, and I have seen enough fun and games from andrIOS over the years to know tools of such potency do exist there). Sucks that there are no credits and their support is not being helpful, was mostly noted to just be complete (though most such things that skip credits tend to be Japanese or Korean games so that does raise the possibility of a CD or virtual download somewhere, one would have hoped the support or site would have mentioned it but hey).

Debug modes and virtual machines (emulators by any other name) then being what I seek, which may well mean root and unlocked modes required as apparently Google and Apple know better what you should be doing. Whether the more limited debug options available to mere mortals will do I don't know.
Virtual machines by virtue of running on a host system mean you can dump the whole thing from that. They are quite powerful for this and can dodge a lot of protections and hardware limitations too.
Debug modes will hopefully at least allow you to grab the memory associated with an application.
If there is a hibernate mode then that also by necessity means a memory dump happens, though this is less of a thing on mobile phones from what I have seen.

Bluestacks would be an example of a virtual machine, though a limited one compared to some others (if it works in the X86 version of android in virtualbox that offers quite a bit more to play with).
Booting it is probably the wrong term. I was thinking more that for most hacking purposes I don't care if the emulator looks like a mess with graphical glitches everywhere and takes 3 seconds to register a key press (give or take having to play to a certain point) -- if it gets in then I can poke at its memory to make cheats, as long as it plays in something like real time (even if it means looking at a blank wall) I can do the loop back audio, if I can use a debugger then I can do all that entails and I can see if my theories about the game files also work by changing things to see the results and so on and so on.

On MOD/IT/S3M (though you could extend this to various other audio formats -- they all tend to have fingerprints) then sucks that the thing is not given away nice and easy. Keep it in mind if you do eventually get a nice unencrypted RAM dump, asset dump or something.

Network intercept stuff is going to be harder. There are many things you can play with here.
Most will probably start out with a packet scanner:
https://www.wireshark.org/ being the most well known, though some still go for http://www.tcpdump.org/
This will grab all packets as they pass through your connection/adapter.

However modern network setups mean on wireless only the intended machine gets the data (older stuff would encrypt it but anybody with the encryption would get it, one of the reasons why you were told to check for SSL or use a VPN in coffee shops/libraries/public wifi a few years back as such things got very easy -- see "firesheep"), and it has been many many years since wired networks broadcast everything every which way. To that end on a PC doing it yourself for a PC program is not so bad, and if you set your PC as a wireless access point (or have it act as a gateway* whether by legit means or by doing an ARP poisoning hack**) then you can grab stuff as it passes through.
There are other tools that people might use for PC purposes http://www.nirsoft.net/utils/cports.html that might have less info but still good, and maybe easier to parse. Nirsoft have some wonderful tools as well (their password viewers are good stuff) and related to the filesystem thing (though obviously for Windows) is ofview -- https://www.nirsoft.net/utils/opened_files_view.html .

*most don't tend to do this in a home scenario, however businesses usually will as a site blocker and monitor for their staff.

**it was a suggested method for a pokemon related hack on the 3ds a few years back... even among the self selected users of this site the screw ups there were a sight to behold. As doing this would mean you probably then get to power off and restart every device on your network... Still an option however.

Modern non server versions of Windows also have very limited network abilities (see raw sockets, or indeed the lack thereof since an early service pack for Windows XP) but that should matter less if you are only doing packet grabbing.

Anyway for most then packet grabbing typically means they set their wireless card (or an extra one) as an access point for their device of choice, bridge the connection (presumably to a wired one unless you are using multiple wireless cards) and sit in the middle grabbing packets.

Encrypted data (there was a big push to put everything they can over SSL the other year, and it is not so hard on servers these days) then mainly being junk, other than noting where it is going and how much of it happened. You can try to do things like man in the middle attacks as you note the session keys and do things there but that is getting into more big boy hacker territory.

Sucks that sound effects come along for the ride to spoil the loop back option. For the sake of stating the obvious then I assume you tried to find a quiet corner of whatever map without any background waterfalls, enemies attacking you or the like. Depending upon how quick the looped/repeated sections happen you might be able to reconstruct the audio if you are bored enough (if you have a piano motif marred by swordplay then maybe wait until it returns and see if that part is cleaner before copy pasting that over the older version, you can also play with inversion*** if you can get a clean version of the background sound effects, which you might if the music slider means only sound effects get played).
For some games then sometimes people force other tracks to be played in quiet areas, though poking memory and program flow might set off a cheat alarm which might then cost you your account so be careful with that one (or you can try your hand at finding whatever cheat detection they have and disabling it, good luck on that one). Similarly you might (there are ways to code it that will make that harder) be able to force the audio uncoupled from the sound effects slider but again anti cheat will be a concern.

***opposite waves cancel each other out. Audacity then having a nice invert option (try it if you want -- make a track, even a sine tone will do, duplicate it and invert one of them). Not as useful in most game audio mixes as max volume tends to be the default leaving no room for other things to be recovered but has been used in the past.
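The format "fingerprints" mentioned in both replies (fishing music out of a RAM dump, and keeping MOD/IT/S3M in mind for an unencrypted dump), as an added example that is not part of the original posts: a scanner that looks for well-known audio magic values at their documented header offsets and reports where a file would start. The dump is constructed inline and is not game data; the signature table is a small selection, not a complete list.

```python
import struct

# (label, magic bytes, offset of the magic from the start of the file)
SIGNATURES = [
    ("IT module", b"IMPM", 0),
    ("S3M module", b"SCRM", 44),
    ("MOD module (M.K.)", b"M.K.", 1080),
    ("Ogg stream", b"OggS", 0),
    ("RIFF/WAVE", b"RIFF", 0),
]

def _plausible(blob, start, label):
    """Secondary header checks that cut false positives from 4-byte magics."""
    if label == "RIFF/WAVE":
        return blob[start + 8:start + 12] == b"WAVE"
    if label == "S3M module":
        # Byte 28 is an 0x1A marker and byte 29 the file type (16 = module).
        return blob[start + 28:start + 30] == b"\x1a\x10"
    if label == "Ogg stream":
        # Report only first pages: version 0 and the begin-of-stream flag set.
        return blob[start + 4:start + 6] == b"\x00\x02"
    return True

def scan_for_audio(blob):
    """Return sorted (start_offset, label) pairs for each candidate file start."""
    hits = []
    for label, magic, magic_off in SIGNATURES:
        pos = blob.find(magic)
        while pos != -1:
            start = pos - magic_off  # magic may sit deep inside the header
            if start >= 0 and _plausible(blob, start, label):
                hits.append((start, label))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)

def build_sample_dump():
    """Constructed stand-in for a memory or .pak dump; not real game data."""
    junk = b"\xaa" * 100
    it = b"IMPM" + b"song title".ljust(26, b"\0")
    wav = b"RIFF" + struct.pack("<I", 36) + b"WAVEfmt "
    s3m = b"title".ljust(28, b"\0") + b"\x1a\x10" + b"\0" * 14 + b"SCRM"
    ogg_first = b"OggS\x00\x02" + b"\0" * 21
    ogg_later = b"OggS\x00\x00" + b"\0" * 21  # continuation page, not reported
    return junk + it + junk + wav + junk + s3m + junk + ogg_first + ogg_later + b"RIFFnope"

if __name__ == "__main__":
    for offset, label in scan_for_audio(build_sample_dump()):
        print(f"0x{offset:06x}  {label}")
```

A hit only marks a candidate start offset; if the container is compressed or encrypted, as the reply warns it may be, none of these signatures will appear.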
 
