Skybuck Flying
2009-01-29 16:04:06 UTC
Hello,
I made a Quake 3 Arena Demo Demo/Recording. (A recording of me playing Quake
3 Arena Demo playing against bots and kicking their asses ;) it was a cool
match ! yeah ! (I even got telefragged (Hahaha) but still won on nightmare
skill!).
I want to play this recording so I can see myself do it again and of course
to show off on youtube ! =D and see if it becomes a slightly popular video
or maybe not... but the choice should be mine !? ;) :)
Now I have a problem:
Quake 3 Arena Demo cannot play the recording ?!
The recording is stored in a file called: SkybuckPlaying!.dm3
I searched the internet for reasons, ideas and hacks and cracks, so far
unsuccessful.
This is what I learned:
1. Quake 3 Arena Demo can probably only play recordings which are located
inside the Pak0.PK3 file.
(It has two demos inside which can be played !)
2. Pak0.PK3 file can be opened with WinRar.
The idea was to add my demo file into the PK3 and then play it which leads
to problem 3:
3. Quake 3 Arena Demo complains the (modified) PK3 file is corrupted.
"Corrupted pak0.pk3: 401698992"
4. I built new executables and dlls with the Quake 3 Arena Source Code.
It doesn't seem to work.. the newly built executables just crash.
5. I also tried to enable "PRE_RELEASE_DEMO" define to maybe see if that
does something. (I am not sure if I added the define correctly but I will
assume I did for now... maybe later I should verify this) (Also the checksum
code is not affected by this define (which is only for productid.txt (and
maybe other stuff?) ) so it won't matter if the define is present or not...
the code should/will be compiled in)
This also did not help, the newly built executables keep crashing and such.
6. Assuming the quake 3 source code is the same source code used for the
demo I tried to search for the checksum values inside source code, even
executables a little bit, and definitely inside the pk3 file... xor-ed, byte
swapped, and such... nothing found in pk3 ?!
(Assuming the same source code was used for the demo as the full version,
maybe they forgot to update the correct checksum value inside the source
code (?))
7. I did some more googling and someone wrote that the demo PK3 has a
different file format compared with the full version ? (I am not sure if
that is true so far it seems to be readable by winrar, so that leaves only
the possibility of extra added secret information to the file?)
I did some file comparisons of unmodified and modified pk3 and the first 45
MB seems to be the same which could indicate any secret information/keys
could be located in the last part of the file.
Alternatively maybe Quake 3 Arena Demo simply calculates a CRC32 over the
PK3 file itself which would seem more logical. (So this would mean no secret
information in the PK3 file itself)
This could mean the displayed value: 401698992 could be a CRC32 value.
However these programmers also used encryption for the productid.txt and
they also xor-ed the checksum in the code with the following value:
DEMO_PAK_CHECKSUM 437558517u (decimal?)
DEMO_PAK_CHECKSUM ^ 0x02261994u (hexadecimal)
Doing this gives:
405964129 (decimal)
Maybe later I will try the crc32 hypothesis ;) to see what that gives ;)
Maybe they applied an xor to it as well so I will try that later on too.
8. This could also mean any extra code in the full source code is a "hoax"
when it comes to "demo protection" to mislead hackers/crackers trying to
crack the demo ! ;)
So the values and techniques reported in the source code and now in this
post at point 7 could be hoax therefore care must be taken not to be put on
a dead-end-trail ;)
Which leads me to the following recommendations to hackers/crackers trying
to crack Quake 3 Arena Demo so that it will start up with modified pak files
and so that it can play demos inside pak files or alternatively maybe get
rid of the crc32 check:
Recommendations:
1. Don't trust the published source code.
2. Instead reverse engineer the executable, look at the asm and hack/crack
it.
3. Rip out any crc32s, checksums.
4. Search for xor instructions, these could be used for encryption purposes.
5. CRC32 has a distinctive access pattern and instruction stream: many
memory loads and xors.
However zip uses CRC32 too for its files so this would still prove nothing.
Finally a hack/crack could simply be to get rid of the call to "Com_Error(
ERR_FATAL," assuming the demo was built from similar sources ;)
This could maybe let the demo simply continue running happily ! ;) :)
A final note:
I do not want to download the full game... because that would be piracy ! ;)
:)
Also I do not want to be virus infected !
Also I do not want the full game ?!
I am perfectly happy with the demo !
I want the demo to do my bidding ! It should just play the god damn
recording/demo ! ;)
Who can help me in my conquest to crack this mothafocka ! ;) :) =D
Well I did my "job" ;) for today !...
Can't spend too much time on it you know...
Hoping to get some help from somebody.. but hey... at least thanks for
reading this ! =D
And have a nice day !
And may you always rape (the bot) daemia in the *ss ! ;) :)
Bye,
Skybuck ;) =D
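The file comparison in point 7 and the CRC32 hypothesis, as an added example that is not part of the original post: it builds two small ZIP archives in memory and shows that adding an entry leaves the leading bytes identical and changes only the tail, where the ZIP central directory lives, so any checksum over the file or over its entry CRCs changes. The archive contents and the names `sample1.dm3` and `sample.bsp` are constructed placeholders; the three numeric constants are the ones quoted in the post, and nothing here asserts how the demo itself computes its checksum.

```python
import io
import struct
import zipfile
import zlib

# Values quoted in the post.
DEMO_PAK_CHECKSUM = 437558517
XOR_KEY = 0x02261994
REPORTED = 401698992  # number shown in the "Corrupted pak0.pk3" message

def build_pak(entries):
    """Build a stored (uncompressed) ZIP in memory from constructed sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries:
            # Fixed timestamp so two builds are byte-for-byte comparable.
            zf.writestr(zipfile.ZipInfo(name, date_time=(2000, 1, 1, 0, 0, 0)), data)
    return buf.getvalue()

def central_dir_offset(pak):
    """Offset of the central directory, read from the end-of-central-directory record."""
    eocd = pak.rfind(b"PK\x05\x06")
    return struct.unpack_from("<I", pak, eocd + 16)[0]

def first_difference(a, b):
    """Offset of the first differing byte, or None if a and b are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))

def entry_crcs(pak):
    """Per-entry CRC32 values as stored in the central directory."""
    with zipfile.ZipFile(io.BytesIO(pak)) as zf:
        return [info.CRC for info in zf.infolist()]

def whole_file_crc32(pak):
    return zlib.crc32(pak) & 0xFFFFFFFF

BASE = [("demos/sample1.dm3", b"A" * 4096), ("maps/sample.bsp", b"B" * 8192)]
ORIGINAL = build_pak(BASE)
MODIFIED = build_pak(BASE + [("demos/SkybuckPlaying!.dm3", b"C" * 2048)])

if __name__ == "__main__":
    print("first differing offset:", first_difference(ORIGINAL, MODIFIED))
    print("original central directory at:", central_dir_offset(ORIGINAL))
    print("whole-file CRC32:", whole_file_crc32(ORIGINAL), "->", whole_file_crc32(MODIFIED))
    print("entry CRCs:", entry_crcs(ORIGINAL), "->", entry_crcs(MODIFIED))
    print("constant ^ key:", DEMO_PAK_CHECKSUM ^ XOR_KEY, "reported:", REPORTED)
```
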