- game engine
- game's server API
- telemetry server API
- format of files, scripts used by the game
- interesting functions/snippets from CE or IDA
If you have info that meets any of the above, post it! I don't have all the answers and I'm pretty bad at reversing, so... the more the merrier!
For starters, links to previous discussions:
- SunBeam - engine goodies, includes in-game console info: viewtopic.php?f=19&t=5146
- seikur0 - CE table for modifying uruks, forcing new spawns as legendary + more. Includes code that handles reading gamedb (maybe stringdb is same way): fearlessrevolution.com/viewtopic.php?f=4&t=5132
- gregkwaste - .arch05 unpacker - used to understand .arch06 format: [Link]
Disclaimer: I'm not skilled at RE, so this may be a painful read/experience to people who actually know what they're doing.
--------------------------------
Section: game engine
Game seems to use a modified LithTech engine. I expected to find some references to certain things that older games have used. The only thing that seems common is GameClientShell. DeadlineHF did some reversing of one of the engines back in 2012: https://www.fearlessrevolution.com/forum/gene ... ersal.html
In the code (offline disassembly), I've found a bunch of functions that are from Apache Avro. I've also found references to Google's protobuf in memory while the game is running (but not found anywhere offline). I probably need to dump the EXE while it's running to get a better picture.
--------------------------------
Section: game's server API
This is where I've spent most of my time. Client (game) sends the server requests, gets responses. Simple enough.
The content-type of these requests is "x-ag-binary", which is fairly simple most of the time:
Code:
type_string = 0x30
type_date_uint32 = 0x40
type_date_uint64 = 0x17
type_map = 0x60
type_array = 0x50
type_unknown_int = 0x11 // single byte
type_unknown_int32 = 0x14 // probably uint32
type_unknown_int32_2 = 0x15 // probably uint32
type_unknown_2byte = 0x13
type_unknown_8byte = 0x21 // probably an in-game hash, can't remember where it's used
type_null = 0x01
type_bool_true = 0x02
type_bool_false = 0x03
The part where the game knows how many "items" to allocate from this response, dumped to be readable:
Code:
"server_data": {
    "contents": {
        "2": {
            "item": "con-depl",
            "amount": {
                00000000 01 |.|
            },
            "content_type": "item"
        },
        "1": {
            "content_type": "uruk",
            "level_relative": true,
            "rarity": "common",
            "builder_record": "None",
            "unique_id": "XXXX",
            "element": "undefined",
            "tribe": "undefined",
            "level": {
                00000000 ff |.|
            },
            "trait": "None",
            "advance_class": "undefined",
            "type": "undefined",
            "friend": true
        },
        "0": {
            "trait": "None",
            "unique_id": "XXXX",
            "type": "undefined",
            "friend": true,
            "level_relative": true,
            "tribe": "undefined",
            "advance_class": "undefined",
            "rarity": "epic",
            "builder_record": "None",
            "content_type": "uruk",
            "element": "undefined",
            "level": {
                00000000 fe |.|
            }
        }
    }
}
Note that there _are_ some responses that include, say, "tribe". I did a test buy of one of the specials, and as it was a terror-only box, that's what was in the field rather than undefined.
Decoding the requests/responses is easy enough: start at the beginning of the response, read a type byte, then read the value. You may need to recurse (in the case of MAP or ARRAY). My code is extremely ugly, so I haven't put it up yet. When encountering a single-byte type (e.g. null/bool), treat the type as the value and skip to the next.
There are an absolute ton of requests/responses to go through, but I have most of the useful ones mapped out.
One response in particular that is not understood is the one that comes back after an online invasion is complete. It does not match the spec above but still advertises x-ag-binary. I believe this is encrypted or encoded in a way that's not obvious, but seikur0 and I weren't able to figure this out yet.
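The decoding rule above (read a tag byte, read its value, recurse for MAP/ARRAY, treat null/bool tags as their own value), written out as a small decoder plus the matching encoder. This is an added example, not the author's unreleased tool and not the game's own code. The tag numbers are the ones from the table above; everything else about the wire layout is assumed here and needs checking against real captures: a one-byte count in front of strings, arrays and maps, little-endian integers, and map entries stored as key/value pairs with string keys. The sample message is constructed to mirror part of the "contents" dump above, with the hexdumped one-byte fields as 0x11 values.

```python
"""Tag/value decoder and encoder for the x-ag-binary layout described above.

Tags come from the post's table. Length prefixes, endianness and map entry
layout are ASSUMPTIONS for this example, not facts from the post.
"""
import struct

# Tag values copied from the post's table.
TYPE_NULL, TYPE_TRUE, TYPE_FALSE = 0x01, 0x02, 0x03
TYPE_INT8 = 0x11            # "single byte"
TYPE_2BYTE = 0x13
TYPE_INT32, TYPE_INT32_2 = 0x14, 0x15
TYPE_DATE_U64 = 0x17
TYPE_8BYTE = 0x21
TYPE_STRING = 0x30
TYPE_DATE_U32 = 0x40
TYPE_ARRAY = 0x50
TYPE_MAP = 0x60

# Single-byte types: the tag *is* the value and nothing follows it.
SINGLE_BYTE = {TYPE_NULL: None, TYPE_TRUE: True, TYPE_FALSE: False}


class Decoder:
    """Walks a buffer one tagged value at a time, recursing into MAP/ARRAY."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def _take(self, n: int) -> bytes:
        # Bounds-check every read so a short or hostile buffer fails loudly
        # instead of silently yielding garbage.
        if self.pos + n > len(self.data):
            raise ValueError(f"truncated: need {n} byte(s) at offset {self.pos}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def _count(self) -> int:
        # ASSUMPTION: strings, arrays and maps carry a one-byte count.
        return self._take(1)[0]

    def value(self):
        tag = self._take(1)[0]
        if tag in SINGLE_BYTE:
            return SINGLE_BYTE[tag]
        if tag == TYPE_INT8:
            return self._take(1)[0]
        if tag == TYPE_2BYTE:                       # ASSUMPTION: little-endian
            return struct.unpack("<H", self._take(2))[0]
        if tag in (TYPE_INT32, TYPE_INT32_2, TYPE_DATE_U32):
            return struct.unpack("<I", self._take(4))[0]
        if tag in (TYPE_DATE_U64, TYPE_8BYTE):
            return struct.unpack("<Q", self._take(8))[0]
        if tag == TYPE_STRING:
            return self._take(self._count()).decode("utf-8")
        if tag == TYPE_ARRAY:
            return [self.value() for _ in range(self._count())]
        if tag == TYPE_MAP:
            out = {}
            for _ in range(self._count()):
                key = self.value()      # ASSUMPTION: key then value, keys are strings
                out[key] = self.value()
            return out
        raise ValueError(f"unknown tag 0x{tag:02x} at offset {self.pos - 1}")


def decode(data: bytes):
    """Decode one complete message and reject trailing bytes."""
    d = Decoder(data)
    obj = d.value()
    if d.pos != len(data):
        raise ValueError(f"{len(data) - d.pos} trailing byte(s) after value")
    return obj


def _count_byte(n: int) -> bytes:
    if n > 0xFF:
        raise ValueError("one-byte count cannot hold %d items" % n)
    return bytes([n])


def encode(obj) -> bytes:
    """Inverse of decode() under the same assumptions; useful for replaying
    or mutating requests. Bools are checked before ints on purpose."""
    if obj is None:
        return bytes([TYPE_NULL])
    if obj is True or obj is False:
        return bytes([TYPE_TRUE if obj else TYPE_FALSE])
    if isinstance(obj, int):
        if 0 <= obj <= 0xFF:
            return bytes([TYPE_INT8, obj])
        if 0 <= obj <= 0xFFFFFFFF:
            return bytes([TYPE_INT32]) + struct.pack("<I", obj)
        raise ValueError("integer out of range for this example")
    if isinstance(obj, str):
        raw = obj.encode("utf-8")
        return bytes([TYPE_STRING]) + _count_byte(len(raw)) + raw
    if isinstance(obj, list):
        return bytes([TYPE_ARRAY]) + _count_byte(len(obj)) + b"".join(encode(v) for v in obj)
    if isinstance(obj, dict):
        body = b"".join(encode(k) + encode(v) for k, v in obj.items())
        return bytes([TYPE_MAP]) + _count_byte(len(obj)) + body
    raise TypeError(f"cannot encode {type(obj).__name__}")


# Constructed sample (not a real capture) shaped like the "contents" dump
# above; the hexdumped one-byte fields become TYPE_INT8 values.
SAMPLE_OBJ = {
    "server_data": {
        "contents": {
            "2": {"item": "con-depl", "amount": 1, "content_type": "item"},
            "1": {"content_type": "uruk", "rarity": "common", "level": 0xFF,
                  "tribe": "undefined", "builder_record": "None", "friend": True},
        }
    }
}
SAMPLE_BYTES = encode(SAMPLE_OBJ)

if __name__ == "__main__":
    import json
    print(json.dumps(decode(SAMPLE_BYTES), indent=2))
```

When pointing this at a real capture, the first things to confirm are the count width (a 255-byte ceiling would be unusual for a string or map) and the byte order of the 2/4/8-byte integers; the bounds check in `_take` and the trailing-bytes check in `decode` make a wrong guess show up as an exception rather than a plausible-looking but wrong tree. The unexplained post-invasion response mentioned above should fail in exactly that way, which is one cheap way to tell "different length encoding" from "not this format at all".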
---------------------
Section: game archives / format / script
I don't understand _all_ of this just yet, so bear with me. It _is_ possible to unpack .ARCH06 files, and I have a few unpacked. Within, you will find some subfolders with unpacked textures/materials/etc. Some files are still packed, with the extension ".embb". This is basically another archive.
Most of the time, the scripts I find are in .embb files.
The ".script" files you can find have a few bytes as a header, but they are plain text. Delete the bytes before the initial comment ("--") and save as a new file.
I will fill this section in more later when I have the files in front of me, but it appears that the game uses Lua with some custom modifications; I see references to, say, setmetatable, but also a weird keyword/func "hmake" that I am not familiar with.
It seems that these ".script" files have gone through some pre-processing step to concatenate them together, as well. There are references in comments to paths that don't seem to exist anywhere in the archives, right before code, so I'm guessing their preprocessor just inserts code where it's used.
-------------
Section: Random
This will take a while to piece everything together, but if you have found anything neat, post it here, and I'll keep this thread updated with stuff as I go along.
TODO: release decoder/encoder/file unpacker