Halo 3 Retail Game Research

[Ion]

So you know WHERE the hash is located now?

[LuxuriousMeat]

Prey, I meant by nulling it out. I know that if you delete the chunk then all the offsets would be read wrong. I doubt it'd work if you were to null it out, but it would be interesting to see what happens

I imagine that it would be just like when the hash was wrong since, technically, your just writing a wrong hash...

[Prey]

So you know WHERE the hash is located now?

876 it seems, also just updated the first post with that so thanks for reminding me =)

Prey, I meant by nulling it out. I know that if you delete the chunk then all the offsets would be read wrong. I doubt it'd work if you were to null it out, but it would be interesting to see what happens

[...]Or, if you were to instead just insert a load of nulls (0x0), then they would be read as the hash... so there really isn't a way to just del it >_>[...]

[Crofty]

If its like previous ways bungie have done there encryptions (i.e. Patch_v3) then the bytes may have to be nulled out and then the file will be signed and the encryption written to the nulled bytes.

[Digital Marine]

Hrm, I'm stumped on the magic dynamic calculation. I've figured out the magics for every map except for mainmenu.map and shared.map. To me it looks like the magic's are calculated from the map size. Just I can't figure out how yet.

[Ion]

Why don't you guys just null out the part that reads the hash in the xex? However, I'm not sure how to find the memoryaddress to it without a debugger...

[Anthony]

Why don't you guys just null out the part that reads the hash in the xex? However, I'm not sure how to find the memoryaddress to it without a debugger...

thats a great idea.. but would you mind telling me the MS private key to resign the xex?

[Anthony]

Hrm, I'm stumped on the magic dynamic calculation. I've figured out the magics for every map except for mainmenu.map and shared.map. To me it looks like the magic's are calculated from the map size. Just I can't figure out how yet.

Well the way I use (yes its dynamic not this static function below) does not include using the map size...

Since I can't help you with the actual calculation as its not my research to share.. I can share a function that I wrote for shade for his magic.. this should do the trick because the map magics wont be changing anytime soon

hope this helps
just pass it the map internal name

Code: Select all

        private uint GetMagicFromInternalName(string Name)
        {
            switch (Name)
            {
                case "005_intro":
                    {
                        return 0xB724D000;
                    }
                case "010_jungle":
                    {
                        return 0xACEBC000;
                    }
                case "020_base":
                    {
                        return 0xA6D47000;
                    }
                case "030_outskirts":
                    {
                        return 0xAA39A000;
                    }
                case "040_voi":
                    {
                        return 0xA7BAE000;
                    }
                case "050_floodvoi":
                    {
                        return 0xA7E9B000;
                    }
                case "070_waste":
                    {
                        return 0xA6191000;
                    }
                case "100_citadel":
                    {
                        return 0xA19C9000;
                    }
                case "110_hc":
                    {
                        return 0xAE931000;
                    }
                case "120_halo":
                    {
                        return 0xA80D9000;
                    }
                case "130_epilogue":
                    {
                        return 0xB74A3000;
                    }
                case "chill":
                    {
                        return 0xBA060000;
                    }
                case "construct":
                    {
                        return 0xB9B9A000;
                    }
                case "salvation":
                    {
                        return 0xBADEE000;
                    }
                case "cyberdyne":
                    {
                        return 0xB9D20000;
                    }
                case "deadlock":
                    {
                        return 0xB94D3000;
                    }
                case "guardian":
                    {
                        return 0xB9BF8000;
                    }
                case "isolation":
                    {
                        return 0xB8D02000;
                    }
                case "mainmenu":
                    {
                        return 0xBC931000;
                    }
                case "riverworld":
                    {
                        return 0xB950F000;
                    }
                case "shrine":
                    {
                        return 0xB97CF000;
                    }
                case "snowbound":
                    {
                        return 0xBA84D000;
                    }
                case "zanzibar":
                    {
                        return 0xB81A0000;
                    }
            }
            return 0x0;
        }

[Digital Marine]

Yeah, Anthony, I was thinking of doing the same way. But I hate to hardcode things like that. :\ So there is a way to calculate the magics... I'll keep looking...but probably tomorrow.

[Anthony]

Yeah, Anthony, I was thinking of doing the same way. But I hate to hardcode things like that. :\ So there is a way to calculate the magics... I'll keep looking...but probably tomorrow.

yeah I know what you mean, I don't like hardcoding stuff like that either >_< good thing I dont have to

[Ion]

yeah I know what you mean, I don't like hardcoding stuff like that either >_< good thing I dont have to

What do you mean? Are you sitting on something you're not telling us?

[Anthony]

yeah I know what you mean, I don't like hardcoding stuff like that either >_< good thing I dont have to

What do you mean? Are you sitting on something you're not telling us?

yes... I know how to calculate the magic... properly...

[Shadow LAG]

[Tanasoo]

>_< Sooooooo... Anyone want to do RAW extraction so I can get to work? :0

[Shadow LAG]

.... Get to work on what? RAW extraction from a file, game ISO, what?

[kornman00]

>_< Sooooooo... Anyone want to do RAW extraction so I can get to work? :0

If people can't figure out how to properly calculate the "magic number", then I doubt they will at anytime soon figure out resource extraction, let alone the keys needed to sign the maps.

[Shadow LAG]

I assume then your speaking of halo 3 map file raw extraction. You cant just plant a seed in the ground and then have a tree without water and soil first.

[Digital Marine]

...as its not my research to share...

He did tell us he knows how, but he didn't research it.

Hrm, so you say it's not based on the filesize? Because I started noticing a pattern. This is what I started with:

If you were to take guardian.map and write down the filesize and the hex at offset 16.
Filesize: 101883904 (dec)
Offset16: BEE8BDDC (hex)

Now search for "tags", ASCII. You should get a result at offset 0x05293E00. Subtract 24 (hex) from that offset since that's where the Tag Index starts. So now you have 5293DDC.

So, at offset 16 (BEE8BDDC) should be translated to the tag index (5293DDC). So to find the magic you would subtract them. Offset 16 - Tag Index. BEE8BDDC - 5293DDC = B9BF8000. That is the magic for Guardian.

But now, take the magic and add the filesize to it. B9BF8000 + 101883904 (dec) = BFD22000. Okay, so what good is this number? Well, for multiplayer maps, about half the maps use this number...atleast from how I look at it. So take, for example, construct.map.

Filesize: 102268928 (dec)
Offset16: BEE1C020 (hex)

So now take the number from above, BFD22000, and subtract the filesize from that. BFD22000 (hex) - 102268928 (dec) = B9B9A000 (hex).

That SHOULD be the magic for construct now. To test take offset 16 and subtract the magic from it to see if it brings you to the tag index. BEE1C020 - B9B9A000 = 5282020 (hex). Go there and you're at the tag index.

Problem with that is with single player maps...the numbers vary a lot...

Tanasoo, I'm still working on RAW extracts. I looked through the zone stuff and it isn't the same. I've also tried to look for similar images that was used in the old deadlock. No luck.

Korn:
We can find the magic manually. So technically we should be able to extract models and bitmaps and stuff. As for the signing, I'm putting that aside until we can figure out more about the map I myself could care less about modding the maps, I just want to help figure out things about the maps

Anthony:
Are magics calculated from the help of offset 16? I noticed you didn't have campaign.map and shared.map. And both of those have 0x0 at offset 16...

[kornman00]

Anthony:
Are magics calculated from the help of offset 16? I noticed you didn't have campaign.map and shared.map. And both of those have 0x0 at offset 16...

No, and the shared caches were stripped of everything but the actual resource data which is shared across all the different maps. It didn't really matter in Halo 2, but keeping all that extra data (extra since the shared caches are never actually loaded) in the caches now isn't practicable (due to how large regular caches are now and the limits of the medium).

[Digital Marine]

Yeah, I know what the shared is for. But it doesn't need a magic for anything? I would assume there is something in there that needs a magic. Hrm, oh wells...

But, we should be able to at least extract local images from the maps...