Crack Crack Crack/Hack Hack Hack Quake 3 Arena Demo !!!!???
Skybuck Flying
2009-01-29 16:04:06 UTC
Hello,

I made a Quake 3 Arena Demo Demo/Recording. (A recording of me playing Quake
3 Arena Demo playing against bots and kicking their asses ;) it was a cool
match ! yeah ! (I even got telefragged (Hahaha) but still won on nightmare
skill!).

I want to play this recording so I can see myself do it again and of course
to show off on youtube ! =D and see if it becomes a slightly popular video
or maybe not... but the choice should be mine !? ;) :)

Now I have a problem:

Quake 3 Arena Demo cannot play the recording ?!

The recording is stored in a file called: SkybuckPlaying!.dm3

I searched the internet for reasons, ideas and hacks and cracks, so far
unsuccessful.

This is what I learned:

1. Quake 3 Arena Demo can probably only play recordings which are located
inside the Pak0.PK3 file.

(It has two demos inside which can be played !)

2. Pak0.PK3 file can be opened with WinRar.

The idea was to add my demo file into the PK3 and then play it which leads
to problem 3:

3. Quake 3 Arena Demo complains the (modified) PK3 file is corrupted.

"Corrupted pak0.pk3: 401698992"

4. I built new executables and DLLs with the Quake 3 Arena Source Code.

It doesn't seem to work.. the newly built executables just crash.

5. I also tried to enable "PRE_RELEASE_DEMO" define to maybe see if that
does something. (I am not sure if I added the define correctly but I will
assume I did for now... maybe later I should verify this) (Also the checksum
code is not affected by this define (which is only for productid.txt (and
maybe other stuff?) ) so it won't matter if the define is present or not...
the code should/will be compiled in)

This also did not help, the newly built executables keep crashing and such.

6. Assuming the quake 3 source code is the same source code used for the
demo I tried to search for the checksum values inside source code, even
executables a little bit, and definitely inside the pk3 file... xor-ed, byte
swapped, and such... nothing found in pk3 ?!

(Assuming the same source code was used for the demo as the full version,
maybe they forgot to update the correct checksum value inside the source
code (?))

7. I did some more googling and someone wrote that the demo PK3 has a
different file format compared with the full version ? (I am not sure if
that is true so far it seems to be readable by winrar, so that leaves only
the possibility of extra added secret information to the file?)

I did some file comparisons of unmodified and modified pk3 and the first 45
MB seems to be the same which could indicate any secret information/keys
could be located in the last part of the file.

Alternatively maybe Quake 3 Arena Demo simply calculates a CRC32 over the
PK3 file itself which would seem more logical. (So this would mean no secret
information in the PK3 file itself)

This could mean the displayed value: 401698992 could be a CRC32 value.

However these programmers also used encryption for the productid.txt and
they also xor-ed the checksum in the code with the following value:

DEMO_PAK_CHECKSUM 437558517u (decimal?)
DEMO_PAK_CHECKSUM ^ 0x02261994u (hexadecimal)

Doing this gives:

405964129 (decimal)

Maybe later I will try the crc32 hypothesis ;) to see what that gives ;)

Maybe they applied an xor to it as well so I will try that later on too.

8. This could also mean any extra code in the full source code is a "hoax"
when it comes to "demo protection" to mislead hackers/crackers trying to
crack the demo ! ;)

So the values and techniques reported in the source code and now in this
post at point 7 could be hoax therefore care must be taken not to be put on
a dead-end-trail ;)

Which leads me to the following recommendations to hackers/crackers trying
to crack Quake 3 Arena Demo so that it will start up with modified pak files
and so that it can play demos inside pak files or alternatively maybe get
rid of the crc32 check:

Recommendations:

1. Don't trust the published source code.

2. Instead reverse engineer the executable, look at the asm and hack/crack
it.

3. Rip out any crc32's, checksums.

4. Search for xor instructions these could be used for encryption purposes.

5. CRC32 has a distinctive access pattern and instruction stream: many
memory loads and xor's.

However zip uses CRC32 too for its files so this would still prove nothing.

Finally a hack/crack could simply be to get rid of the call to "Com_Error(
ERR_FATAL," assuming the demo was built from similar sources ;)

This could maybe let the demo simply continue running happily ! ;) :)

A final note:

I do not want to download the full game... because that would be piracy ! ;)
:)

Also I do not want to be virus infected !

Also I do not want the full game ?!

I am perfectly happy with the demo !

I want the demo to do my bidding ! It should just play the god damn
recording/demo ! ;)

Who can help me in my conquest to crack this mothafocka ! ;) :) =D

Well I did my "job" ;) for today !...

Can't spend too much time on it you know...

Hoping to get some help from somebody.. but hey... at least thanks for
reading this ! =D

And have a nice day !

And may you always rape (the bot) daemia in the *ss ! ;) :)

Bye,
Skybuck ;) =D
Skybuck Flying
2009-01-29 16:37:27 UTC
CRC32 hypothesis explored/tested/examined:

According to my CRC32 routines the CRC32 for pak0.pk3 is:

1811190257 (in decimals)
6BF491F1 (in hexadecimals)

xor-ing with 02261994 gives:

69D28865

Not even close to the reported checksum by the quake3 executable.

The value 401698992 cannot be a file offset, because that would mean file
offset 401 million... the file is only 45 million bytes.

(Maybe it's a simple checksum ?) I shall try that next.

Bye,
Skybuck.
David Eather
2009-01-29 16:44:15 UTC
Post by Skybuck Flying
1811190257 (in decimals)
6BF491F1 (in hexadecimals)
69D28865
Not even close to the reported checksum by the quake3 executable.
The value 401698992 cannot be a file offset, because that would mean file
offset 401 million... the file is only 45 million bytes.
(Maybe it's a simple checksum ?) I shall try that next.
Bye,
Skybuck.
Is a "!" a valid symbol in the file-name for the demo program?
Skybuck Flying
2009-01-29 17:05:54 UTC
Post by David Eather
Is a "!" a valid symbol in the file-name for the demo program?
Yes I think so...

I have other demo files with other names (just letters and numbers) and they
are also not working.

Bye,
Skybuck.
Skybuck Flying
2009-01-29 17:26:52 UTC
I just discovered something slightly funny:

Apparently it is possible to add empty files to the zip file.

I added a file called "b"

And it worked... Quake 3 started.. as long as no other pk3 files present.

I also tried truncating larger modified pk3 files but that didn't work.

Maybe quake 3 arena demo only checks for correct file size ?

Who knows ;)

But my bet for now is on some kind of crc32 check...

Maybe just the crc32 from the zipfile itself (though the sources indicate
otherwise... some kind of special structure ? source code:
"pack->checksum" ).

I tried looking at the pk3 file with a hex editor maybe I should take a
closer look sometime ;)

Bye,
Skybuck.
Skybuck Flying
2009-01-29 17:32:00 UTC
Ok,

Little update on the truncating idea (matching file size):

As long as no other modified pk3 files then it says:

"Can't load default.cfg".

So it no longer says corrupted...

So truncating might get it a step further or maybe vice versa me not sure ?

So maybe this could work:

Stuff demos into it.. make pk3 smaller somehow... maybe use compression ?

Or maybe remove some unnecessary file... and then simply pad it with bytes
to make filesize large/the same...

Maybe that will work... since maybe then the zip is complete...

now is partial/sections missing... which could explain this new message...
or maybe not ;)

Bye,
Skybuck.
Skybuck Flying
2009-01-29 17:35:37 UTC
Some more experiments:

When I delete atari.cfg from the pk3 which is 41 bytes

It says this:

Corrupted pak0.pk3: 2760330299

Then when I add test.txt which has 41 bytes:

Corrupted pak0.pk3: 1449115608

So it does seem to change somewhat.

Bye,
Skybuck.
Skybuck Flying
2009-01-29 16:54:27 UTC
Checksum hypothesis tried:

Constrained to 32 bits.

Checksum would be: 1677152593 (assuming extra bytes would be padded)

Otherwise if ignoring last few bytes:

Checksum would be: 1388822617

This indicates what the last bytes could have been:

1677152593 - 1388822617 = 288329976

File size is:

46,853,694

46853694 mod 4 = 2

Last two bytes appear to be zero so they don't add to checksum.

So doesn't matter anyway.

Let's see what happens when these checksums are inverted like internet
checksum

xor FFFFFFFF if I am not mistaken ;)

First method: 2617814702
Second method: 2906144678

Still totally different ?! ;)

So this is probably not it ?! ;)

Bye,
Skybuck... :( :)
Skybuck Flying
2009-01-29 17:38:57 UTC
Another little strange thingy happened... my graphics resolution was
lowered/changed... don't know why...

Almost seems as if it stored settings inside pk3 but probably not...

It probably reset it because of the bad stuff etc ?!

Hmm...

Bye,
Skybuck.
Skybuck Flying
2009-01-29 17:47:19 UTC
Something else weird happened as well.

My hud is now gone ?!?

Like the health indicator ammo indicator ?!

Checked everywhere in menus, nowhere are options.

Very strange !

Bye,
Skybuck.
Skybuck Flying
2009-01-29 17:50:27 UTC
Even the score display is not working anymore ?!?!?

Totally strange.

For now I will assume it's some kind of wacky driver bug or something.

I hope not a date/time check or so... since I copied the original pk3...

I will try to use original pk3 and see if it returns to normal.

Nope... totally strange.

Fucking game.

Bye,
Skybuck.
Skybuck Flying
2009-01-29 18:00:36 UTC
Ok,

The setting responsible for the hud is in the q3config.cfg:

seta cg_draw2d "1"

Apparently quake3 reset itself and forgot to re-enable this setting
or maybe it put it off for safety or so ?

Weird anyway ;)

Glad it's back on ! ;) :)

Bye,
Skybuck.
sittingduck
2009-01-29 17:27:18 UTC
Post by Skybuck Flying
I made a Quake 3 Arena Demo Demo/Recording.
Weak trolling attempt.
You overplayed the stupid part.
--
http://improve-usenet.org
No passion so effectually robs the mind of all its powers of acting and
reasoning as fear. - Edmund Burke
Rod Pemberton
2009-01-30 10:14:15 UTC
"Skybuck Flying" <***@hotmail.com> wrote in message news:45a77$4981d382$d5337e4d$***@cache6.tilbu1.nb.home.nl...
I'm not sure why you keep posting to NG's that are unrelated to your
questions...
Post by Skybuck Flying
I made a Quake 3 Arena Demo Demo/Recording
...
Post by Skybuck Flying
I want to play this recording
Go to "DEMOS" in the main menu. Your demo should be listed there. Select
it.
Post by Skybuck Flying
...playing against bots... ...see if it becomes a slightly popular
video...
Against bots? Um, I'm sorry to say, that's not going to happen... unless
you manage to impress non-Q3A players.
Post by Skybuck Flying
Quake 3 Arena Demo cannot play the recording ?!
Did you install onto a legitimate copy of Q3A?... Did you apply the final
Q3A update version?... q3pointrelease_132.exe
Post by Skybuck Flying
The recording is stored in a file called: SkybuckPlaying!.dm3
The extension should be something like: .dm_68

That's dm underscore two_digit_number. Look under "DEMOS" in the main menu.
Your demo should be in the "Quake III Arena\baseq3\demos" or maybe it's just
"demo" singular directory. If you set g_synchronousClients "1" and used
"record <demoname>" and "stopdemo", I don't understand why your demo was
incorrectly named and/or misplaced.
Post by Skybuck Flying
I searched the internet for reasons, ideas and hacks and cracks, so far
unsuccessful.
I don't think you need any...
Post by Skybuck Flying
1. Quake 3 Arena Demo can probably only play recordings which are located
inside the Pak0.PK3 file.
I've got no problems recording and replaying, but I updated from a legal
version of Q3A. Is that the difference?
Post by Skybuck Flying
2. Pak0.PK3 file can be opened with WinRar.
That's because .PK3s are just PKZIPs with the .ZIP extension changed to
.PK3. (Hint: Does this clarify your CRC32 issue any?...)

[overkill removed...]
Post by Skybuck Flying
Which leads me to the following recommendations to hackers/crackers trying
to crack Quake 3 Arena Demo so that it will start up with modified pak
file and so that it can play demos inside pak files or alternatively maybe
These settings are to allow modified DLLs. I'm not sure about modified
.pk3's. They should be entered into the console or q3config.cfg file (in
baseq3 directory):

com_blindlyLoadDLLs "1"
seta vm_ui "0"
seta vm_cgame "0"
seta vm_game "0"


I'm not sure why you're having problems. It might be they restricted the
demo. Or, it might be that you've got a bad install.


Rod Pemberton
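
An added example (not part of any post in this thread): the per-member CRC-32 that the ZIP container behind a .pk3 records, shown next to a CRC-32 taken over the whole file, plus a member-level comparison against a known-good copy. Member names and contents are constructed samples, and nothing here reproduces the game's own checksum routine.

```python
import io
import zipfile
import zlib

def build_archive(members):
    """Build an in-memory ZIP (the container a .pk3 uses) from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            # Fixed timestamp so two builds of the same members are byte-identical.
            info = zipfile.ZipInfo(name, date_time=(2009, 1, 29, 16, 4, 6))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()

def member_crcs(archive):
    """Return {name: (crc32, uncompressed_size)} from the central directory."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {i.filename: (i.CRC, i.file_size) for i in zf.infolist()}

def whole_file_crc(archive):
    """CRC-32 over the raw archive bytes, container metadata included."""
    return zlib.crc32(archive) & 0xFFFFFFFF

def diff_members(known_good, candidate):
    """Name the members added, removed or changed relative to a known-good copy."""
    a, b = member_crcs(known_good), member_crcs(candidate)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "changed": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }

# Constructed sample data, not the contents of any real pak0.pk3.
BASE = {"default.cfg": b"bind w +forward\n", "atari.cfg": b"x" * 41}
ORIGINAL = build_archive(BASE)
WITH_EMPTY = build_archive({**BASE, "b": b""})  # an empty member records CRC 0
SWAPPED = build_archive({"default.cfg": BASE["default.cfg"],
                         "test.txt": b"y" * 41})  # same size, different member

if __name__ == "__main__":
    for label, arc in (("original", ORIGINAL), ("empty member", WITH_EMPTY),
                       ("41-byte swap", SWAPPED)):
        print(f"{label:13} whole-file CRC32 {whole_file_crc(arc):08X}")
        for name, (crc, size) in member_crcs(arc).items():
            print(f"    {name:12} crc={crc:08X} size={size}")
        print("    vs original:", diff_members(ORIGINAL, arc))
```

A whole-file CRC only says that something in the container changed; the central-directory values say which member did.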
Rudy Velthuis
2009-01-30 12:15:32 UTC
Post by Rod Pemberton
I'm not sure why you keep posting to NG's that are unrelated to your
questions...
Because this is Usenet, and some people, er... "think" they better have
a few groups too many than one too few.
--
Rudy Velthuis http://rvelthuis.de

"Ever notice that anyone going slower than you is an idiot, but
anyone going faster is a maniac?" -- George Carlin
Skybuck Flying
2009-01-30 14:34:11 UTC
Yeah Demo is too restricted it needs to be cracked so it can play externally
stored demos and not just the demos stored in the pk3 file ! ;)

Bye,
Skybuck.
Paul
2009-01-31 06:00:24 UTC
What you do is set up your Phone Movie camera, (You'll need good
memory though,) and record it to your phone. Then Bluetooth it over or
serial cable or infra red it to computer. As a 3gp or mpg or mov file,
you can download it to U-Tube that way. I'm not sure if it will accept
3gp file though so check what formats it can do B4 going down that
path and if a converter is available if it doesn't.

I took a movie from U-Tube on my phone which turned out pretty good so
is same but in reverse. Hope this helps as may be a way to do easily
if nothing else works ok?
Paul.
Post by Skybuck Flying
Yeah Demo is too restricted it needs to be cracked so it can play externally
stored demos and not just the demos stored in the pk3 file ! ;)
Bye,
Skybuck.
Skybuck Flying
2009-01-31 08:11:54 UTC
Not ok lol,

Thanks for tip, but I want this demo to be played lol :)

It's ok... if it's not cracked then I could get quake full... and convert
the demo.

But it's more fun/interesting to crack the demo.

Bye,
Skybuck.
