lfnetwork.com mark read register faq members calendar

Thread: Bone: The great cow race
Thread Tools Display Modes
Post a new thread. Add a reply to this thread. Indicate all threads in this forum as read. Subscribe to this forum. RSS feed: this forum RSS feed: all forums
Old 04-15-2006, 11:30 AM   #1
bgbennyboy
Festively Plump
 
bgbennyboy's Avatar
 
Status: Super Moderator
Join Date: Feb 2002
Location: England
Posts: 1,985
LFN Staff Member 
Bone: The great cow race

This time the .ttarch archive isnt so easily readable. Has anyone had a look at it yet? I've been using Filemon to at least give me some info on how bone2 is reading the file.

Using it, I've worked out that the 'ttg_splash1.d3dtx' file is at offset 192876178 (perhaps slightly before or after that). I've been trying to glean some information by comparing it to its equivalent in bone1.
The beginning of the file has repeating patterns of 5679 255A 9CC7 101E - the same pattern that forms the 'corruption' in the Bone1 file (when the bone1 file has been xor'ed with FF). The rest of the file is pretty much the same.

So really I havent got anything yet. My guess is that the .ttarch format hasnt changed significantly for Bone2 - its just been encrypted - probably with the same algorithm used on individual files in the first game.

Any ideas anyone?

bgbennyboy is offline   you may: quote & reply,
Old 04-15-2006, 03:52 PM   #2
john_doe
 
john_doe's Avatar
 
Join Date: Feb 2002
Location: The pit
Posts: 137
I had a look on it. Phew
The index seems to be compressed somehow as imo the "patterns" look different than in the (patially) encrypted files.
And the Dll is encrypted, too, so REing is not that easy...
john_doe is offline   you may: quote & reply,
Old 04-16-2006, 07:19 PM   #3
counting_pine
Rookie
 
counting_pine's Avatar
 
Join Date: Apr 2005
Posts: 157
Some of the file seems to be XORed with FF, while some of it doesn't. If you go to the offset in the DWORD at the beginning of the file (plus 4), you find yourself at some unXORed plain text, while other parts of the file have a suspicious amount of FFs in them.

By the way, has anyone noticed a "!patch_99.ttarch" file in the same folder? It might use the same format. It's also a lot smaller, so it's easier to explore.


Soli Deo Gloria
Jesu Juva
counting_pine is offline   you may: quote & reply,
Old 04-16-2006, 08:06 PM   #4
bgbennyboy
Festively Plump
 
bgbennyboy's Avatar
 
Status: Super Moderator
Join Date: Feb 2002
Location: England
Posts: 1,985
LFN Staff Member 
Well spotted - that text references Activemark which is probably what they use to control the licensing and demo/full version activation.
I noticed the patch_99 file. I dont know if its a proper ttarch though, most of the file is xor'ed with FF - so it could just be a normal file.

I've also attached a txt file with all the visible text from the ttarch (recognised by 10 successive characters) - you can see that there are also compiler logs in there too.
Attached Files
File Type: txt Text data.ttarch.txt (370.3 KB, 184 views)


Last edited by bgbennyboy; 04-16-2006 at 08:25 PM.
bgbennyboy is offline   you may: quote & reply,
Old 04-18-2006, 04:15 PM   #5
john_doe
 
john_doe's Avatar
 
Join Date: Feb 2002
Location: The pit
Posts: 137
The !patch_99.ttarch seems to be a valid ttarch. If you take the first DWORD, seek to that offset within the file, you get another DWORD with the size of the archive data. So imo these first bytes are the compressed index, other than that it's probably the same structure like the non-encrypted ttarchs.

Oh, Bg, and with "compiler logs", do you mean the "class xxx" text? That's probably their serialization stuff. If you look at the CSI files you can see that there's a list with "class D3DMesh" and similar text depending on the type of file. Imo they open a file and according to the next entry in this list more data is read from the file.


Long Live Akatosh
And All The Divines
john_doe is offline   you may: quote & reply,
Old 04-18-2006, 07:37 PM   #6
bgbennyboy
Festively Plump
 
bgbennyboy's Avatar
 
Status: Super Moderator
Join Date: Feb 2002
Location: England
Posts: 1,985
LFN Staff Member 
Yeah I meant the stuff starting on line 3645.
You're absolutely right about !patch_99.ttarch, I completely missed that. So its now a matter of figuring out how the index is compressed, which...isn't easy.

They've really gone to a lot of trouble to protect the resource files this time

bgbennyboy is offline   you may: quote & reply,
Old 04-18-2006, 08:11 PM   #7
john_doe
 
john_doe's Avatar
 
Join Date: Feb 2002
Location: The pit
Posts: 137
Yeah, but it's understandable since the demo also contains the full version. That's also probably why the CSI game's resources aren't encrypted in any way.


Long Live Akatosh
And All The Divines
john_doe is offline   you may: quote & reply,
Old 04-18-2006, 09:49 PM   #8
Dangerzone
Rookie
 
Dangerzone's Avatar
 
Join Date: Apr 2006
Posts: 12
telltale has made a demo of the csi game and placed it on their homepage..............it is only the partial game (the second case)

i do not know if it is encrypted or not..............but it may be worth taking a look at
Dangerzone is offline   you may: quote & reply,
Old 07-30-2006, 06:04 AM   #9
bgbennyboy
Festively Plump
 
bgbennyboy's Avatar
 
Status: Super Moderator
Join Date: Feb 2002
Location: England
Posts: 1,985
LFN Staff Member 
Rather than start yet another telltale thread:
I've just released two more Telltale-related programs - see here for more info.

While I was making Telltale Explorer, I suddenly remembered Telltale's first game - Texas Hold'em. Sure enough it also uses a .ttarch archive, in Texas Hold'em though - nothing is encrypted. The prefs.prop file in the root folder doesnt have an encrypted header (as it does in other versions) and none of the files in the .ttarch are obscured. Its even got the original lua scripts in there in plain text format.

In the absence of a decrypter for the annoying 'pattern' and header encryption, the files in Texas Hold'em are probably the best starting point for anyone looking at the various file formats.

[Edit] Texas Hold'em also confirms what I suspected - that the voice files are encoded with the speex codec. Unfortunately it seems that the only way to play these back is to embed them into an ogg container - does anyone know of another way of playing speex stuff back?


Last edited by bgbennyboy; 08-01-2006 at 07:21 PM.
bgbennyboy is offline   you may: quote & reply,
Old 08-01-2006, 05:47 PM   #10
john_doe
 
john_doe's Avatar
 
Join Date: Feb 2002
Location: The pit
Posts: 137
Older versions of Speex didn't use Ogg as container, iirc I had a DLL somewhere of that old version I used in some of my tools.

I found that "colors.lua" and "colors.lenc" (the lua one from Hold'em, the lenc one from CSI 3) are the same size. But it seems to be something more advanced than a simple xor-based algorithm. Also, I poked around in the disassembly of the mll file and it really seems to be more than xor.

The header of Bone GCR is probably encrypted with the same method.

I'm really excited how Sam 'n Max's format will have changed


Long Live Akatosh
And All The Divines
john_doe is offline   you may: quote & reply,
Post a new thread. Add a reply to this thread. Indicate all threads in this forum as read. Subscribe to this forum. RSS feed: this forum RSS feed: all forums
Go Back   LucasForums > Network > Mixnmojo.com > Community Discussion Forums > SCUMM > Bone: The great cow race

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -4. The time now is 11:37 AM.


LFNetwork, LLC ©2002-2011 - All rights reserved.
Powered by vBulletin®
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.