Halo 3 Retail Game Research

Discussion about modding Halo 3.

Posts: 2160
Joined: Mon Dec 27, 2004 6:19 pm
Location: New Lenox, Illinois

Post by xbox7887 »

Digital Marine wrote: Hrm...I was thinking. Does the game really read the build information? If it doesn't, that means we SHOULD be able to change it, correct?

What would be the point of trying this and burning it?
Well, this could be useful to see if there is indeed a hash that is 256 (Dec) length over offsets 0-876. Because, technically, if you changed the build info you wouldn't break the CRC checksum since that's generated after the header (or footer if you want to call it). So, if the map doesn't load then there IS a hash that runs over offsets 0-876. I've checked SHA256 and it doesn't seem to work.

I'd hate to waste a disk on this to try it though :(
Halo 2 checked a few things in the header like the version number or an incorrect map type enum. If you were to change certain things, the map would fail to load...so don't necessarily confuse this with a failed hash. I would suggest just changing the map name instead, to see if the header is included in the hash's scope, although I'm not entirely sure how that would work...having a hash of itself :X

Posts: 42
Joined: Wed Feb 07, 2007 7:38 am

Post by Ion »

xbox7887 wrote: ...to see if the header is included in the hash's scope, although I'm not entirely sure how that would work...having a hash of itself :X
It would not be possible to include the hash in the hashed data.

Posts: 1026
Joined: Wed Dec 27, 2006 6:49 am
Location: UK

Post by Prey »

Could just be skipping the hash's location in the header. And nice work Lux on the JFIF stuff, I'll update the first post later when I have more time.

Also to whoever tested those patches shade put up, did you test offline? Just wondering if it was maybe a server-side check.
Halo 2 Prophet - Skin with ease with the simple 3D point and click interface.
Halo 3 Research Thread - Contribute to the research into Halo 3.
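
The "skipping the hash's location" idea from the post above, worked through as an added example (this is not code from the thread or from any Halo tool): a verifier cannot hash the signature bytes themselves, so it hashes the header with the signature field masked out. The 0x3000-byte header size and the 0x36C-0x46C field are taken from later posts in this thread as hypotheses about the file layout, not as verified facts; the header contents and the stand-in signature bytes are constructed here.

```python
"""Added example: digest a map header while excluding the region the
thread suspects holds the signature.  HEADER_SIZE and the 0x36C..0x46C
field are the thread's hypotheses, not verified Halo 3 layout."""
import hashlib

HEADER_SIZE = 0x3000            # header extent claimed in the thread (hypothesis)
SIG_OFFSET = 0x36C              # start of the suspected hash/signature field
SIG_LENGTH = 0x46C - 0x36C      # 0x100 bytes == 256 bytes == 2048 bits


def digest_excluding(header: bytes, start: int = SIG_OFFSET,
                     length: int = SIG_LENGTH) -> str:
    """SHA-256 over `header` with [start, start+length) zero-filled.

    The region is masked rather than cut out so every other byte keeps its
    position; a verifier and a signer must agree on exactly this rule."""
    if start < 0 or length < 0 or start + length > len(header):
        raise ValueError("signature region does not fit in header")
    masked = bytes(header[:start]) + bytes(length) + bytes(header[start + length:])
    return hashlib.sha256(masked).hexdigest()


def make_header() -> bytearray:
    """Constructed sample header: a recognisable pattern, not real map data."""
    h = bytearray(HEADER_SIZE)
    h[0:4] = b"head"                                           # constructed tag at offset 0
    h[0x120:0x124] = b"halo"                                   # constructed build-info string
    h[SIG_OFFSET:SIG_OFFSET + SIG_LENGTH] = bytes(range(256))  # stand-in signature bytes
    return h


def region_is_skipped(header: bytes) -> bool:
    """True if a change inside the signature field leaves the digest unchanged
    while a one-byte change elsewhere (the build-info string) does change it."""
    base = digest_excluding(header)
    inside = bytearray(header)
    inside[SIG_OFFSET] ^= 0xFF            # flip a byte of the stand-in signature
    outside = bytearray(header)
    outside[0x120] = ord("H")             # "halo" -> "Halo"
    return digest_excluding(inside) == base and digest_excluding(outside) != base


if __name__ == "__main__":
    hdr = make_header()
    print("signature field length:", SIG_LENGTH, "bytes =", SIG_LENGTH * 8, "bits")
    print("digest with signature masked:", digest_excluding(hdr))
    print("signature region skipped by digest:", region_is_skipped(hdr))
```

`region_is_skipped` is the check a researcher would run against a real file: if two maps that differ only inside the suspected field produce the same masked digest but a one-byte edit to the build string changes it, the masking rule is consistent with "hash everything except the hash field". It says nothing about which algorithm or key the game uses.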

Posts: 226
Joined: Wed Mar 10, 2004 10:37 am

Post by pokecancer »

yeah it seems like it is probably 2048-bit RSA signed, which requires a keypair. The keypair consists of a public key and a private key. If this is the case, we probably won't be able to sign these things properly because no one has the private key, which you need to sign. The public key is in the 360 keyvault, but yeah, like prey said, someone should try this on systemlink. Also, make sure the 32-bit checksum is correct before testing.

Posts: 65
Joined: Wed Sep 13, 2006 4:26 pm

Post by Madman340 »

Just finished reading through this thread, and I have a couple questions...

What is the 'Magic' stuff?

What is the 'Header' and what role does it play in protection from modding?

Posts: 298
Joined: Sat Jan 01, 2005 7:15 pm

Post by Tanasoo »

To put it simply:

The magic is a "magic number" that is used a bunch and you need to have it...

The header is... Well the header of the map file =\ You pretty much need to be able to read that first.

Posts: 50
Joined: Mon Dec 27, 2004 7:02 am

Post by Digital Marine »

To explain more: (:p)

The "Magic" is, to my understanding, a number that you subtract from reflexives that gives you an offset. So say you have a reflexive of like B12345 (hex), but the map is only 150 MB big. Well, that reflexive won't fit. So there is this "magic" that you subtract; let's say the magic is B122AF (hex). So if you were to subtract the magic from the reflexive you would have 96 (hex) or 150 (dec). That output would be the offset of the meta or whatever it refers to. Well...at least that's my understanding of it.

The header ranges from offset 0x0-0x3000. Inside the header so far it seems like there are things such as the map type (multiplayer, single, etc), the version type (like Halo 2, Halo 3, Halo 3 Beta), offsets to things like the "string table" and "file table"...of course you need the "magic" to find them correctly (or a "header magic" as Anthony said??). There is also the "internal name", build info, scenario path, CRC checksum, and a lot of other unknown stuff. Also maybe a possibility of a SHA checksum or RSA.

Xbox7887:
I was thinking of just changing the build info from like "halo" to "hal0" or something to see what would happen. Most likely the "hash", if there IS one, would either stop right before the location of the hash, or it'd "pretend" the hash isn't there maybe by just completely skipping the section or nulling the section. If that is indeed a hash I'd suspect it to stop before the hash offset.

Prey:
I tried my own little mods OFFLINE, without the HDD. The "map failed to load". I had my friend try the same too...but he tried the Engineer program made by Shade. I did my mods just through hex, and resigned the CRC by my own program....and we both failed to load our mods. OFFLINE, custom game, by ourselves. :(

Pokecancer:
I'd doubt it's RSA2048 because it isn't big enough in the map. If you look at the shared map it's quite short. I don't know what the info behind the "hash" could be?? But that's just what I see...not stating anything. :p

To me it looks like this "hash" is from 0x36C-0x46C. That means this is 100 (hex) or 256 (dec).
Last edited by Digital Marine on Wed Oct 10, 2007 2:25 pm, edited 1 time in total.
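
The magic-subtraction arithmetic from the post above, as an added example that is not part of the thread or of any Halo modding tool: the pointer 0xB12345 and magic 0xB122AF are Digital Marine's figures, and the 150 MB size is his too. What the example adds is the bounds check: a pointer read from a file is untrusted input, so a parser must reject results that fall below the magic or run past the end of the file before using them as a read position. The in-memory "map" built here is constructed data, not a real map.

```python
"""Added example: translate a "reflexive" pointer into a file offset by
subtracting the magic, refusing pointers that would land outside the file.
Numbers are the thread's illustration; the map contents are constructed."""

MAP_SIZE = 150 * 1024 * 1024     # 150 MB, as in the post
MAGIC = 0xB122AF                 # example magic from the post


def pointer_to_offset(pointer: int, magic: int = MAGIC,
                      file_size: int = MAP_SIZE, size: int = 0) -> int:
    """offset = pointer - magic, checked against the file.

    `size` is how many bytes the caller intends to read at the offset, so a
    block that starts inside the file but runs past its end is also rejected."""
    offset = pointer - magic
    if offset < 0:
        raise ValueError(f"pointer {pointer:#x} is below magic {magic:#x}")
    if offset + size > file_size:
        raise ValueError(f"offset {offset:#x}+{size:#x} exceeds file size {file_size:#x}")
    return offset


def safe_offset(pointer: int, magic: int = MAGIC,
                file_size: int = MAP_SIZE, size: int = 0):
    """Same as pointer_to_offset but returns None for a rejected pointer."""
    try:
        return pointer_to_offset(pointer, magic, file_size, size)
    except ValueError:
        return None


def read_block(data: bytes, pointer: int, size: int, magic: int = MAGIC) -> bytes:
    """Read `size` bytes at the pointer's translated offset from an in-memory file."""
    off = pointer_to_offset(pointer, magic, len(data), size)
    return data[off:off + size]


if __name__ == "__main__":
    # Constructed stand-in for a map: 0x200 bytes with a 4-byte tag name at 0x96.
    sample = bytearray(0x200)
    sample[0x96:0x9A] = b"scnr"
    print(hex(pointer_to_offset(0xB12345)))               # 0x96, i.e. 150 decimal
    print(read_block(bytes(sample), 0xB12345, 4))         # b'scnr'
    print(safe_offset(0xB122A0))                          # None: pointer below magic
    print(safe_offset(0xB12345, file_size=0x80))          # None: offset past end of file
```

The two rejection cases are the ones that matter for anyone writing a map reader: a pointer smaller than the magic wraps to a negative offset, and a pointer whose block extends past the file length would read beyond the buffer in a native parser. Both are plain input-validation failures, independent of whatever the game itself checks.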

Posts: 226
Joined: Wed Mar 10, 2004 10:37 am

Post by pokecancer »

digital, it's 256 bytes (2048 bits) long i believe. i just looked in shared and it seems to confirm that (at offset 876). that means there is enough room.

i can't find any other cryptographic hashes that are this long and xbox 360 uses RSA for other stuff also. i guess it's possible it could be a custom algorithm written by bungie but i doubt it.

Posts: 50
Joined: Mon Dec 27, 2004 7:02 am

Post by Digital Marine »

Oh I see...for some reason I had 2048 bytes, not bits, in my head. If it is RSA2048 then I would have to agree...we will most likely not be able to do anything since it'd be very difficult to get the keys. But I don't think it'd be in the "360 key vault", would it? I would assume that Bungie would make its own keys for their game...

Posts: 226
Joined: Wed Mar 10, 2004 10:37 am

Post by pokecancer »

if in fact bungie did create their own keys, they would be in the xex, and there are xex decompilers available. it would be difficult to find the keys but they would be in there.

xbox 360 does indeed have a public key in the keyvault that it uses for RSA. it also has the xex keys in there too.

Posts: 676
Joined: Sat Apr 02, 2005 5:47 pm

Post by Shadow LAG »

I'm going to have to agree with you on this one poke. I have a hunch the XEX would have a security of checks and balances; however, I was not aware of this XEX decompiler. Point me in the direction of where to find one? I could check in the usual places but I need to know the specific name of this program.
Long live Detox
Long live leo
Long live the trust.

Sticking it to the man since 16 Jun 2005

Posts: 226
Joined: Wed Mar 10, 2004 10:37 am

Post by pokecancer »

mods: not sure if i can post this link, if not just edit it out.
http://www.xboxhacker.net
i think you have to sign up to get access to xex stuff.
also for people who don't know how to make backups go here.

also you will need a compromised xbox to get the key(which is possible with any xbox now)

btw please don't post questions about that site, just search their forums and only post things pertaining to halo 3 technical discussions on here.

Posts: 1040
Joined: Tue Sep 20, 2005 5:51 pm
Location: Costa Rica

Post by latinomodder »

pokecancer wrote: mods: not sure if i can post this link, if not just edit it out.
http://www.xboxhacker.net
i think you have to sign up to get access to xex stuff.
also for people who don't know how to make backups go here.

also you will need a compromised xbox to get the key(which is possible with any xbox now)

btw please don't post questions about that site, just search their forums and only post things pertaining to halo 3 technical discussions on here.
Actually please don't go there for your noob qs, go to xboxscene for that...

As for the xex keys, go there and you could even ask for someone else's

Posts: 676
Joined: Sat Apr 02, 2005 5:47 pm

Post by Shadow LAG »

Did you just call me a noob leo >_>


Anyway I'm waiting for the 30 wire piece of shit Infectus so I can get my UB3R L337 K3Y. :roll:
Long live Detox
Long live leo
Long live the trust.

Sticking it to the man since 16 Jun 2005

Posts: 1001
Joined: Thu Jul 06, 2006 10:19 pm
Location: Whittier, CA

Post by Anthony »

Shadow LAG wrote: Did you just call me a noob leo >_>


Anyway I'm waiting for the 30 wire piece of **** Infectus so I can get my UB3R L337 K3Y. :roll:
well good luck figuring out how to get to your keyvault, then after that decrypting the xex... then after that! figure out how it's signed while looking through a shitload of unnamed functions in ppc (powerpc), all to find that it may be RSA :lol:

Posts: 2160
Joined: Mon Dec 27, 2004 6:19 pm
Location: New Lenox, Illinois

Post by xbox7887 »

Digital Marine wrote: To explain more: (:p) Xbox7887:
I was thinking of just changing the build info from like "halo" to "hal0" or something to see what would happen. Most likely the "hash", if there IS one, would either stop right before the location of the hash, or it'd "pretend" the hash isn't there maybe by just completely skipping the section or nulling the section. If that is indeed a hash I'd suspect it to stop before the hash offset.
Yes, but don't assume a map failing to load is caused by an outdated hash, as it could just be a simple header check performed by the engine ;)

Posts: 50
Joined: Mon Dec 27, 2004 7:02 am

Post by Digital Marine »

What if you just delete the hash? o_O

I doubt it'd load...but what if they forgot to program something for an empty hash, ahaha. That'd be funny :)

Posts: 42
Joined: Wed Feb 07, 2007 7:38 am

Post by Ion »

If we had a debugger on the 360, this world would be ours now... to play with.. :!:

Posts: 1026
Joined: Wed Dec 27, 2006 6:49 am
Location: UK

Post by Prey »

k first post updated..
Digital Marine wrote: What if you just delete the hash? o_O

I doubt it'd load...but what if they forgot to program something for an empty hash, ahaha. That'd be funny :)
? How could you 'delete' the hash? If you removed it from the file completely, then the bytes that fall into its place would instead be read :\ ..not to mention everything else would be messed up from the shift. Or, if you were to instead just insert a load of nulls (0x0), then they would be read as the hash... so there really isn't a way to just del it >_>

Anyway, thanks for verifying that you tried modifications offline, even though they didn't work =P
Halo 2 Prophet - Skin with ease with the simple 3D point and click interface.
Halo 3 Research Thread - Contribute to the research into Halo 3.

Posts: 50
Joined: Mon Dec 27, 2004 7:02 am

Post by Digital Marine »

Prey, I meant by nulling it out. I know that if you delete the chunk then all the offsets would be read wrong. I doubt it'd work if you were to null it out, but it would be interesting to see what happens :)