Game Hacking
by Tom Temple
19 November 2005
Game makers these days have got to realize that the first thing people are going to do is look at the whole thing with HexEdit. In some cases, like Quake 3, that was welcome. All the data was stored in a .zip archive as individual, recognizable files. If you wanted to add bots that looked like, say, girls on the ski team, or put writing on the walls in some level, it took very little effort to figure out how to do that.
The first game that I hacked on Xbox was Leisure Suit Larry: Magna Cum Laude (nothing motivates a man like sex). There were censor bars on the private parts, so I grepped the disk for the ASCII representation of "nudity". It appeared a couple of times. There was a file \data\jamfiles\xbox\AppInit.jam containing the following gem:
// Nudity Setting—set this value to 1 to remove censor bars (for european version)
DataLink { Name "NudityMode" Type Boolean Data 1 }
Except it used to say "Data 0". After that, I always looked at my new games to see if there was easily unlockable stuff. It's nice being rewarded with unlocks, but if I'm just renting a game for the week and I'm not really into it, I definitely don't feel like putting in the time to beat it on kill-your-friends hard just to see the alternate ending. But if the game itself doesn't have something obvious, like the ASCII string "unlock" somewhere decipherable (i.e. not the executable) or "hard_mode_finished" in the save game memory, I don't put more effort into it.
But the buzz surrounding GTA:SA was so great that I had to investigate. If I were the sort who grepped for "sex", I would have found many, many appearances, most of them either innocuous, like "sex_appeal" or "sexywoman.mdl", or non-obvious, like "SEX" without anything decipherable nearby. But then there is this one, in the file \data\scripts\scripts.img:
gf_date.scm00AC00AD00AE00AF00B000B1008800000004000000
gf_meeting.scm000000AE00AF00B000B1008C00000007000000
gf_sex.scm0000AC00AD00AE00AF00B000B1009300000005000000
Here is where I lose the trail. This looks to me like padding, a base address and an offset, but I can't find what it references.
The same three things, "GF_DATE… GF_MEETING… GF_SEX", appear in the file \data\scripts\main.scm, which suggests to me those files are in there, except it is not clear to me how to find them. But it is also not surprising that someone else figured it out.
Finally I get to my whole motivation for posting. I just got Karaoke Revolution Party. It is pretty sweet. They didn't screw anything up from Karaoke Revolution, and they added 1) more songs, 2) duets and 3) DDR and singing at the same time.
I wanted to just drop it in and have all the songs. I don't want to have to gradually earn them. I was also hoping that I could play the songs from the first one without changing disks or anything. With the first one, it wasn't a problem. It wasn't hard to find this in config\db.dta:
;; initial unlocked songs are these, plus all showtime songs
(kUnlockSong believe bornto...
But now I'm looking at the second one and there is no such file. Well, there is, it's just in an .ark file somewhere. All of the important game data (except, it seems, the dance steps) is in these archive files, sort of like Quake 3 except these don't appear to be standard files. They are compressed and have the file info obfuscated (though I think still present). There is a separate file that gives the filenames and structure for what is clearly in there. We know (some of) what is in there because people have already found playable .ogg files in contiguous blocks (I guess because .ogg doesn't compress further?). But the key is to figure out the compression scheme and dig out the file "unlock.dta" that is surely in there.
Now there is a separate tack to take. When you unlock a song and then save your game, the song stays unlocked. Clearly, then, there is an unlock record in the save data. But it isn't obvious how that data is organized. I'm going to start over and play and save and check a few times to see what changes. I'll let you know.
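The two low-tech techniques the post relies on, written out as a script. This is an added example, not code from the post: find_keyword() greps a disk dump for an ASCII keyword and prints the bytes around each hit, the way "NudityMode" turns up in AppInit.jam, and candidate_unlock_offsets() diffs a series of save-game snapshots, one more song unlocked in each, and keeps only the offsets whose byte grows like a bit mask, which is the play-save-diff experiment the post proposes for the save data. DISC and SAVES are constructed stand-ins, not real game files, and the save layout they imply is an assumption.

```python
"""Added example: keyword grep over a disk dump, and diffing save snapshots
to find the unlock record. Sample data is constructed, not from a real game."""
import re


def printable(chunk: bytes) -> str:
    """Render bytes the way `strings` would: keep printable ASCII, dot the rest."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)


def find_keyword(blob: bytes, keyword: str, context: int = 24) -> list[tuple[int, str]]:
    """Return (offset, surrounding text) for every case-insensitive ASCII hit."""
    hits = []
    for m in re.finditer(re.escape(keyword.encode("ascii")), blob, re.IGNORECASE):
        start = max(0, m.start() - context)
        end = min(len(blob), m.end() + context)
        hits.append((m.start(), printable(blob[start:end])))
    return hits


def diff_snapshots(snapshots: list[bytes]) -> dict[int, list[int]]:
    """Offsets whose byte differs between any two consecutive snapshots,
    mapped to the value seen at that offset in each snapshot."""
    if len({len(s) for s in snapshots}) != 1:
        raise ValueError("snapshots differ in size; compare same-size saves")
    changed = {}
    for i in range(len(snapshots[0])):
        values = [s[i] for s in snapshots]
        if any(a != b for a, b in zip(values, values[1:])):
            changed[i] = values
    return changed


def grows_like_bitmask(values: list[int]) -> bool:
    """True if every later value keeps all earlier bits and adds at least one:
    what an unlock flag set looks like when extended one song per save.
    A save counter (1, 2, 3) or a timestamp byte fails this test."""
    return all(
        (prev & cur) == prev and bin(cur).count("1") > bin(prev).count("1")
        for prev, cur in zip(values, values[1:])
    )


def candidate_unlock_offsets(snapshots: list[bytes]) -> list[int]:
    """Offsets that change between saves and look like a growing flag set."""
    return [off for off, vals in diff_snapshots(snapshots).items()
            if grows_like_bitmask(vals)]


# Constructed stand-in for a few bytes of a disk dump around AppInit.jam.
DISC = (
    b"\x00" * 16
    + b'// Nudity Setting\nDataLink { Name "NudityMode" Type Boolean Data 0 }\n'
    + b"\x00" * 16
)

# Constructed stand-in for three successive saves (assumed layout): a header,
# a save counter at offset 4, an unlock flag byte at offset 6 gaining one bit
# per save, a constant byte at offset 8 and a timestamp-like byte at offset 10.
SAVES = [
    bytes([0x4B, 0x52, 0x50, 0x01, 0x01, 0x00, 0x01, 0x00, 0xFF, 0x00, 0x2A]),
    bytes([0x4B, 0x52, 0x50, 0x01, 0x02, 0x00, 0x03, 0x00, 0xFF, 0x00, 0x13]),
    bytes([0x4B, 0x52, 0x50, 0x01, 0x03, 0x00, 0x07, 0x00, 0xFF, 0x00, 0x55]),
]

if __name__ == "__main__":
    for off, text in find_keyword(DISC, "nudity"):
        print(f"0x{off:06x}: {text}")
    print("changed offsets:", diff_snapshots(SAVES))
    print("unlock record candidates:", candidate_unlock_offsets(SAVES))
```

On the constructed saves, three offsets change between snapshots, but only offset 6 survives the bit-mask test: the save counter goes 1, 2, 3 (bit 0 is dropped on the second save) and the timestamp byte is noise. With real saves the same filter is what separates the unlock record from everything else the game rewrites on every save.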

Nov 19, 11:44 PM
Hmm. That Karaoke Revolution Party db.dta file looks a lot like Lisp code. Semicolons for comments and data in fully-parenthesized lists? Mmm, tasty s-expressions. Makes me wonder if maybe they used a Lisp-like extension language internally. Some games do, and it would be an exciting way to hack your own add-ons.
Nov 20, 12:26 AM
Tom, are you going to be able to unlock a song for this little experiment?
I wouldn’t.
Nov 20, 10:56 AM
Yeah, I had no problem. In fact, in the amount of time I spent looking at the stuff, I could have unlocked all the unlockable songs. But then there are characters you can unlock too. But the big question is about importing from Karaoke Revolution 1. There is another question too about the premium content that you can buy on Xbox live. In KR1 it turns out that the premium songs were already in the game and all the purchase accomplished was unlocking them. If that is the case again, people are going to be very interested in figuring out the unlocking process.
Very interested only in the academic sense of course, w.r.t. safeguarding that mode of media distribution in the future. Everyone knows that unlocking stuff that came on the disk that you bought is just as bad as sharing music.
Dec 4, 12:30 PM
It turns out that people had a much easier time disabling the signature check on downloaded content than decoding unlock.dta. As it happens, changing the string
c0 f3 a7 74 04 6a 05 eb af
to
c0 f3 a7 eb 04 6a 05 eb af
in the executable accomplishes this.
This doesn't unlock anything; in fact, it doesn't do anything at all unless you have the downloaded content. W.r.t. whether they were already on there, it looks like yes, but maybe not entirely. Some of those playable ogg files on the disk are "downloadable" songs. The downloads themselves seem to be about 200-300KB per song—not enough to be the whole song but too much to not be content.
BTW, I think I figured out how to change the words that appear on the screen. I'm going to have a blast with that.
Dec 4, 12:42 PM
And if the file location is interesting to you, that string I gave is at 0x46b0 and the byte of interest is 0x47b3.
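An added example of applying the one-byte patch from the comment above in a way that checks its work; this is not code from the commenter. The two offsets quoted above do not differ by the three bytes that separate the start of the string from the byte of interest, so rather than seeking to a hard-coded offset the script locates the nine-byte signature, insists that it occur exactly once, confirms that the byte at +3 is the expected 0x74 (x86 JE rel8) and only then rewrites it to 0xEB (JMP rel8), writing the result to a copy. IMAGE is a constructed stand-in for the executable, and describe_rel8() is a helper added for the example.

```python
"""Added example: signature-anchored one-byte patch (JE rel8 -> JMP rel8)
with uniqueness and expected-byte checks. IMAGE is constructed, not the real file."""

SIGNATURE = bytes.fromhex("c0 f3 a7 74 04 6a 05 eb af")   # bytes quoted in the comment
PATCHED   = bytes.fromhex("c0 f3 a7 eb 04 6a 05 eb af")   # what they become
PATCH_AT = 3                      # the byte of interest is 3 bytes into the signature
JE_REL8, JNE_REL8, JMP_REL8 = 0x74, 0x75, 0xEB


def describe_rel8(opcode: int, disp: int) -> str:
    """Human-readable form of a two-byte x86 short branch: opcode, then a signed rel8."""
    mnemonic = {JE_REL8: "je", JNE_REL8: "jne", JMP_REL8: "jmp"}.get(opcode)
    if mnemonic is None:
        raise ValueError(f"not a short branch this helper knows: {opcode:#04x}")
    signed = disp - 0x100 if disp >= 0x80 else disp
    return f"{mnemonic} short {signed:+d}"


def locate_unique(image: bytes, sig: bytes) -> int:
    """Offset of sig in image; refuse to guess if it is missing or ambiguous."""
    first = image.find(sig)
    if first < 0:
        raise ValueError("signature not found: different build, or already patched?")
    if image.find(sig, first + 1) >= 0:
        raise ValueError("signature occurs more than once: refusing to pick one")
    return first


def patch_image(image: bytes) -> tuple[bytes, int]:
    """Return (patched copy, absolute offset of the rewritten byte)."""
    target = locate_unique(image, SIGNATURE) + PATCH_AT
    if image[target] != JE_REL8:
        raise ValueError(f"expected {JE_REL8:#04x} at {target:#x}, got {image[target]:#04x}")
    out = bytearray(image)            # never modify the original in place
    out[target] = JMP_REL8
    return bytes(out), target


def is_patchable(image: bytes) -> bool:
    """True if patch_image() would accept this image."""
    try:
        patch_image(image)
        return True
    except ValueError:
        return False


def patch_file(src: str, dst: str) -> int:
    """Read src, write the patched copy to dst, return the patched offset."""
    with open(src, "rb") as f:
        patched, target = patch_image(f.read())
    with open(dst, "wb") as f:
        f.write(patched)
    return target


# Constructed stand-in for the executable: filler either side of the signature.
IMAGE = b"\x90" * 0x20 + SIGNATURE + b"\xcc" * 0x20

if __name__ == "__main__":
    patched, target = patch_image(IMAGE)
    print(f"{target:#x} before: {describe_rel8(IMAGE[target], IMAGE[target + 1])}")
    print(f"{target:#x} after:  {describe_rel8(patched[target], patched[target + 1])}")
```

The bytes after the branch decode to `6a 05` (push 5) and `eb af` (jmp short -81), so the original `74 04` skips that push-and-jump only when the zero flag is set; the patch makes the skip unconditional. Running the patcher a second time fails the signature search, which is the intended behaviour: an already-patched or differently-built binary should never be patched blind.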
Dec 5, 09:53 AM
The dilemma for the developers is this: If you distribute the content on the original disc, there’s the very real possibility that somebody will decode it and rip it into a nice friendly format for everyone to hear. So long to so-called “premium content.” On the other hand, if you don’t do it that way, then when somebody buys a license, you have to send them not only an access code, but also the content. That makes the distribution harder to get right, especially in the face of crashed hard disks, lost keys, stupid customers, etc.
What you're describing is a hybrid solution similar to the one the folks at Sassafras Software used in the Keyserver: Clip out some smallish-but-essential piece of data from the content, and when you send them their license, send them the content. Of course, nothing prevents you from grabbing it and reassembling, but it at least raises the bar a little bit.
This is why all the DRM proponents are pushing so hard for TPM type solutions. They want a piece of hardware you can’t control that lives in your machine and handles the decoding. You can’t make it impervious, but you can make it so that all but the most determined efforts to crack it will result in your license codes getting shredded.
Me, I hate the idea of somebody else owning a piece of my computer. But at this point I think it’s probably more a question of “when”, rather than “whether”.