And we have bones ;)

Posted on January 10, 2015 by admin

Chico says hi!

Bones

Kojima productions seems to store bone data like so

        [DebuggerDisplay("idx = {idx} name = {name}")]
        public class foxBone
        {
            public int16  idx; //name of string also
            public int16 parent;

            public Vector4 bonePos;
            public Quaternion boneRot;
        };

[DebuggerDisplay("idx = {idx} name = {name}")]

public class foxBone

{

public int16 idx; //name of string also

public int16 parent;

public Vector4 bonePos;

public Quaternion boneRot;

};

Now I don’t exactly know whats going on here because my first attempt didn’t work using that quaternion so I re-wrote my matrix class in C# which was originally written in VB.NET and ancient as hell.

I ended up zeroing out the bone rotations (for now) since I have no clue what format they are storing the quat in.

After messing around with bones with the help of chrrox and jayk I was able to get skinning working and exported to SMD.

Posted in Main | Tagged bone, mgs, skin | Leave a comment

Fox Engine (Metal Gear Solid 5 GZ)

Posted on January 3, 2015 by admin

Fox Engine

There has been many advancements from last time I posted both by Sergeanur and the others making it possible to extract assets from Kojima Production’s Metal Gear Solid Ground Zeros. The Foxengine’s superb image quality is made possible by physically-Based Rendering (PBR). It can make a low polygon model look photo-realistic and it can do it well, researching the file format along with JayK, Chrrox and Volfin I’ve discovered that in fact most the models used in game are pretty standard and have a low poly count.

Modding

Anyhow there has been many people in the modding scene playing around with the engine. Mostly its been model swapping which surprisingly works without breaking the game.

Here are some to check out if you haven’t seen them already.

There has even been texture modding

Fox Engine Model Studio

So you may be wondering why I’m talking about all this? Well I’d like to personally contribute to this by making it possible to import/replace actual geometry, thats where my new tool comes into play. The Fox Engine Model Studio I’m dubbing will allow the extraction of the game models and also (yet to be implemented) the ability to replace models in the game.

What is left to do??

The FMDL format by Kojima Productions isn’t overly complex however there are still unknown structures and data in there we have yet to reverse engineer and understand what they exactly do. If model importing is going to be a reality then those structures need to be parsed and understood to a degree. I will post more about that as more research is done.

Thanks to JayK, Chrrox and Volfin with their format research help heres some WIP shots of whats to come.

Posted in Main | Tagged 3d, engine, fox, geom, mod, snake, tool | Leave a comment

Metal Gear Solid 5 GZ (Fox Engine)

Posted on December 26, 2014 by admin

I played this game briefly before leaving for my Christmas holidays, when I got back I saw that someone had already managed to figure out the package format they use. “g0s” Extracting the files it seems they have used zlib chunks on textures .ftex. Heres something funny, on top of the encryption the package archives use they xor encrypt their shader files… It’s a dead giveaway when you open the shader binary up in a hex editor.

For example GrModelShaders_dx11.fsop you notice the 0x9c repeated and repeated.

Lets Xor that selection of bytes by 0x9C see what happens.

Easy right?

Heres an overview of what their model format looks like (FMDL). Pretty straight forward..

Posted in Main | Tagged decrypt, engine, fox, gz, mgs | Leave a comment

Circumvent (Themida/Hackshield/Etc..) Ultimate Memory Dump Tutorial

Posted on December 2, 2014 by admin

Backstory & Information

This tutorial was made possible by Nexon’s Counter-Strike Online 2 that nasty piece of shit left me no choice but to resort to this brutal nasty method.

Now to give a little info first in case anyone reading this has no idea what I’m talking about or doesn’t understand the concept of memory. Games & Applications that run on your system all use RAM. Sometimes they store sensitive information or valuable data there that shouldn’t be accessed by the end-user, for example an AES encryption key or maybe game assets like models/textures/scripts. This data isn’t usually protected as you can force a dump of an application’s memory, however some software/game developers like to restrict user access to this data usually to stop cheaters or people exploiting their software (like myself ). Now I won’t go into detail on what the kernel is nor what userland means but I will say that these developers use methods of protecting memory data which can be circumvented with a simple trick. The example case I will be using in this tutorial is the game Counter-Strike Online 2. Nexon the developers of this game are utilizing a technique to elevate the game process into kernel level. This means trying to access the game process or memory isn’t possible by the user anymore, normally achieved via a driver installed on the system. In CS Online2’s case Hackshields EagleNT.SYS elevates the process CounterStrikeOnline2.exe and access is not possible anymore.

So how do we circumvent this?

Since the user can’t access the process and process memory there are two ways around this. The first won’t be covered in this tutorial but requires you to write a driver of your own which has kernel level access. The Second will be to force the system into a BSOD (Blue Screen Of Death), normally this occurring would be a bad thing (faulty hardware/bad drivers) but we are using it to our advantage as you can force the system to dump all of it’s memory to a single file before rebooting.

Prepare for the BSOD memory dump

The first thing that needs to be done and you can read more about this over at this Microsoft site is to configure the system to capture a “complete dump”. A complete dump as stated by MS is:

A memory dump that records all the contents of the system memory when your computer stops unexpectedly.
A complete memory dump may contain data from processes that were running when the memory dump was collected.

This is what we want, a full capture of the system’s memory. The steps are below:

1. Open the Control Panel and double-click on System (alternate method: right-click on My Computer)

2. Select the Advanced tab

3. Under “Startup and Recovery” click the Settings button

4. Under “Write debugging information” select “Complete memory dump” from the drop down list box.

5. Check the box “Overwrite any existing file“

6. Click OK

7. A message about pagefile requirements may be displayed — if so, click Yes

8. Click OK

If there is no option for Complete memory dump you can manually enable it through the registry. Firstly exit the Startup and Recovery window then:

1. Open up the Registry Editor regedit (click start & type “regedit” hit enter)

2. Navigate to HKLM\System\CurrentControlSet\Control\CrashControl

3. Change CrashDumpEnabled to 1

4. This should now enable the complete memory dump option

A word of warning, if you own a Solid State Drive (SSD) I would recommend you set the dump location to another disk drive as this will degrade your SSDs life if it was to dump a whole 16GB file onto the disk. Make sure you have enough disk space!

save_dmp_ex

Registry key method didn’t work?

You can try using the html application I have packed here to do it in case the above method didn’t work

http://cra0kalo.com/public/BSOD_MemoryDumpTools.zip

Causing the BSOD

Now there are many ways to trigger a BSOD but the “safest” would be to use a manual interrupt which can be done by pressing a few keyboard shortcuts. Once again you need to enable this feature in the registry. More on that here: http://support.microsoft.com/kb/244139

I have packed up a zip file with the required registry keys to enable this here. Now depending on your keyboard (PS/2 or USB) Run the required key files. Some times you will need to run both the PS/2 one and the USB one

Once you have activated the keyboard shortcut for manual interrupt which is defaulted to:

CTRL+SCROLL LOCK+SCROLL LOCK

Prepare your computer by exiting all other applications that you wish not to capture from, for example your antivirus protection and your Internet browser. Exit as many applications as you can except of course the application you wish to capture from. Once this is done hit those keys and your system should now BSOD, here is a picture from when I did it on my Asus laptop.

The dump process

You will now need to wait a while (depending on the size of your RAM) for the dump to take place. Once this has completed your system should reboot.

Analysis and Gold panning!

Alright now navigate to the folder you had set for the dump file

Have fun digging through it with a hex editor

Reference & Sources

http://blogs.technet.com/b/askperf/archive/2008/01/08/understanding-crash-dump-files.aspx

http://support.microsoft.com/kb/244139

Alternative way

Visit the following Microsoft Web site to download the NotMyFault tool:
http://download.sysinternals.com/files/NotMyFault.zip
Click Start, and then click Command Prompt.
At the command line, type NotMyfault.exe /crash, and then press ENTER.

Posted in Main | Tagged Circumvent, DMP, Dump, hack, Hackshield, Kernel, Memory, Memory Dump Tutorial, Ram, Themida | Leave a comment

Alien Isolation (Omodel) WIP (Vertex Format)

Posted on December 1, 2014 by admin

We have figured out the pak tree currently working on each vertex format structure the game throws at us! Up next rigged models

Posted in Main | Tagged alien, geom, isolation, omodel, pak | Leave a comment

Alien Isolation (Omodel) Progress (Vertices/UVs/Textures)

Posted on November 26, 2014 by admin

General Progress Info

Progress has been slow for Alien Isolation since I’ve been busy with other things however a friend of mine volfin has been helping out with this project. We have been working on the model pak files which store the level geometry props and characters. The devs seem to love storing data in separate files as the paks themselves only contain the vertices and faces for each model. Omodels as I like to call them store a piece of a model mesh though sometimes they just contain the entire model itself like in the example mesh I’m about to talk about below.

Vertices/UVs/Textures

As evident from the ninjaripper mesh rips the vertices seem to be at a very small scale which could only mean one thing, they are packing them. Turns out this was in fact what was happening, same goes for the UVs. The only problem right now that needs to be fixed to automate the extraction process is to figure out where they are storing the information that determines the size for the dynamic vertex buffers. Since DX11 doesnt have a FVF (Flexible Vertex Format) structure there must be something else denoting this which is what we are working on..

Example Mesh (Sumo.obj) Omodel4874

AlienIsolation\DATA\ENV\PRODUCTION\BSP_TORRENS\RENDERABLE\LEVEL_MODELS.PAK

1	AlienIsolation\DATA\ENV\PRODUCTION\BSP_TORRENS\RENDERABLE\LEVEL_MODELS.PAK

3DS Max

In-game

Posted in Main | Tagged 3d, alien, cgi, extract, isolation, models, omodel, pak | Leave a comment

Tutorial: Intel GPA – Ripping geometry from 3D applications

Posted on November 20, 2014 by admin

Background Information

Intel GPA wasn’t initially designed to be used to rip assets from 3D applications but basically what we are doing here is hooking into the GPA application and dumping the vertex buffer and index buffer for the (ergs/drawcalls) it captured.

Lets start by gathering our ingredients

What you will need:

Setup and Capture

Once you have setup Intel GPA begin by running the gpamonitor. Browse to your desired 3D application and hit Run. (In this example I have TitanFall)

Oh, it crashed

Thats fine Intel GPA 2014 doesn’t work well with 3rd party 3D applications so disabling tracing remedies this issue. Right-click the tray icon and hit preferences. Then tick the box to disable tracing and hit OK.

Once you re-launch the 3D application it should show the Intel GPA overlay. Now if you don’t see all these graphs and options hit CTRL+F1 and it should toggle through all the modes. Now find yourself a nice place and hit the Frame Capture hotkeys that should be CTRL+SHIFT+C (you can change these in the graphic monitor settings if you wish)

The game will now hang or freeze give it a moment to capture the current frame. Once it has captured the frame it should notify you. Alt-tab out and fire up the patched FrameAnalyzer selecting your captured frame from the capture list.

Open it and you should be presented with the main window of the Frame Analyzer. From here sort the Erg list by the primitive count and select one of the groups or all its entirely up to you.

Ok now click over to the geometry tab and you will be presented with all the drawcalls/ergs rendered for this frame.

Find the mesh piece you desire to rip, rightclick the 3D viewport and click Save Geometry. You should be now presented with a popup window displaying the export formats supported for export. (along with master131’s mpgh avatar Roxas looking at the Intel logo ) Select an export format and hit save!

Tutorial End

Posted in Main | Tagged 3d, cg, cgi, cra0kalo, directx, dx, geom, GPA, intel, master131, openGL, rip, Titanfall | Leave a comment

TitanFall BSPInspect

Posted on November 10, 2014 by admin

Like I said months ago I would be looking into the BSP map format for titanfall. Well I’m calling the subtool BSPInspect. In the process of making some fancy UI for it currently and actually parsing the file format.

bspinspect02

Like ata4 described on the V alve Developers Wiki the BSP fileformat for Titanfall differs as the core lumps usually used in source engine titles are now unused and depreciated. This is made evident in the bsppack dll provided in titanfall.

Heres a list of all the current lumps I have discovered in titanfall

        public enum lumpType : int
        {
            LUMP_UNKNOWN            = -1,
            LUMP_ENTITIES           = 0,    //Deprecated
            LUMP_PLANES             = 1,
            LUMP_TEXDATA            = 2,
            LUMP_VERTEXES           = 3,
            LUMP_DEPRECATED_4       = 4,
            LUMP_DEPRECATED_5       = 5,
            LUMP_DEPRECATED_10      = 10,
            LUMP_MODELS             = 14,
            LUMP_DEPRECATED_16      = 16,
            LUMP_DEPRECATED_20      = 20,
            LUMP_DEPRECATED_21      = 21,
            LUMP_DEPRECATED_22      = 22,
            LUMP_DEPRECATED_23      = 23,
            LUMP_ENTITYPARTITIONS   = 24,
            LUMP_PHYSCOLLIDE        = 29,
            LUMP_VERTNORMALS        = 30,
            LUMP_GAME_LUMP          = 35,
            LUMP_LEAFWATERDATA      = 36,
            LUMP_PAKFILE            = 40,
            LUMP_DEPRECATED_41      = 41,
            LUMP_CUBEMAPS           = 42,
            LUMP_TEXDATA_STRING_DATA    = 43,
            LUMP_TEXDATA_STRING_TABLE   = 44,
            LUMP_DEPRECATED_46      = 45,
            LUMP_DEPRECATED_53      = 53,
            LUMP_WORLDLIGHTS_HDR    = 54,
            LUMP_DEPRECATED_59      = 59,
            LUMP_PHYSLEVEL          = 62,
            LUMP_TRICOLL_TRIS       = 66,
            LUMP_TRICOLL_NODES      = 68,
            LUMP_TRICOLL_HEADERS    = 69,
            LUMP_PHYSTRIS           = 70,
            LUMP_VERTS_UNLIT        = 71,
            LUMP_VERTS_LIT_FLAT     = 72,
            LUMP_VERTS_LIT_BUMP     = 73,
            LUMP_VERTS_UNLIT_TS     = 74,
            LUMP_VERTS_BLINN_PHONG  = 75,
            LUMP_VERTS_RESERVED_5   = 76,
            LUMP_VERTS_RESERVED_6   = 77,
            LUMP_VERTS_RESERVED_7   = 78,
            LUMP_MESH_INDICES       = 79,
            LUMP_MESHES             = 80,
            LUMP_MESH_BOUNDS        = 81,
            LUMP_MATERIAL_SORT      = 82,
            LUMP_LIGHTMAP_HEADERS   = 83,
            LUMP_LIGHTMAP_DATA_DXT5 = 84,
            LUMP_CM_GRID            = 85,
            LUMP_CM_GRIDCELLS       = 86,
            LUMP_CM_GEO_SETS        = 87,
            LUMP_CM_GEO_SET_BOUNDS  = 88,
            LUMP_CM_PRIMS           = 89,
            LUMP_CM_PRIM_BOUNDS     = 90,
            LUMP_CM_UNIQUE_CONTENTS = 91,
            LUMP_CM_BRUSHES         = 92,
            LUMP_CM_BRUSH_SIDE_PLANE_OFFSETS = 93,
            LUMP_CM_BRUSH_SIDE_PROPS         = 94,
            LUMP_CM_BRUSH_TEX_VECS           = 95,
            LUMP_TRICOLL_BEVEL_STARTS        = 96,
            LUMP_TRICOLL_BEVEL_INDEXES       = 97,
            LUMP_LIGHTMAP_DATA_SKY           =98,
            LUMP_CSM_AABB_NODES              =99,
            LUMP_CSM_OBJ_REFS                =100,
            LUMP_LIGHTPROBES                 =101,
            LUMP_STATIC_PROP_LIGHTPROBE_INDEX    =102,
            LUMP_LIGHTPROBETREE                  =103,
            LUMP_LIGHTPROBEREFS                  =104,
            LUMP_LIGHTMAP_DATA_REAL_TIME_LIGHTS  =105,
            LUMP_CELL_BSP_NODES                  =106,
            LUMP_CELLS                           =107,
            LUMP_PORTALS                         =108,
            LUMP_PORTAL_VERTS                    =109,
            LUMP_PORTAL_EDGES                    =110,
            LUMP_PORTAL_VERT_EDGES               =111,
            LUMP_PORTAL_VERT_REFS                =112,
            LUMP_PORTAL_EDGE_REFS                =113,
            LUMP_PORTAL_EDGE_ISECT_EDGE          =114,
            LUMP_PORTAL_EDGE_ISECT_AT_VERT       =115,
            LUMP_PORTAL_EDGE_ISECT_HEADER        =116,
            LUMP_OCCLUSIONMESH_VERTS             =117,
            LUMP_OCCLUSIONMESH_INDICES           =118,
            LUMP_CELL_AABB_NODES                 =119,
            LUMP_OBJ_REFS                        =120,
            LUMP_OBJ_REF_BOUNDS                  =121,
            LUMP_DEPRECATED_122                  =122,
            LUMP_LEVEL_INFO                      =123,
            LUMP_SHADOW_MESH_OPAQUE_VERTS        =124,
            LUMP_SHADOW_MESH_ALPHA_VERTS         =125,
            LUMP_SHADOW_MESH_INDICES             =126,
            LUMP_SHADOW_MESH_MESHES              =127
        }

public enum lumpType : int

{

LUMP_UNKNOWN = -1,

LUMP_ENTITIES = 0, //Deprecated

LUMP_PLANES = 1,

LUMP_TEXDATA = 2,

LUMP_VERTEXES = 3,

LUMP_DEPRECATED_4 = 4,

LUMP_DEPRECATED_5 = 5,

LUMP_DEPRECATED_10 = 10,

LUMP_MODELS = 14,

LUMP_DEPRECATED_16 = 16,

LUMP_DEPRECATED_20 = 20,

LUMP_DEPRECATED_21 = 21,

LUMP_DEPRECATED_22 = 22,

LUMP_DEPRECATED_23 = 23,

LUMP_ENTITYPARTITIONS = 24,

LUMP_PHYSCOLLIDE = 29,

LUMP_VERTNORMALS = 30,

LUMP_GAME_LUMP = 35,

LUMP_LEAFWATERDATA = 36,

LUMP_PAKFILE = 40,

LUMP_DEPRECATED_41 = 41,

LUMP_CUBEMAPS = 42,

LUMP_TEXDATA_STRING_DATA = 43,

LUMP_TEXDATA_STRING_TABLE = 44,

LUMP_DEPRECATED_46 = 45,

LUMP_DEPRECATED_53 = 53,

LUMP_WORLDLIGHTS_HDR = 54,

LUMP_DEPRECATED_59 = 59,

LUMP_PHYSLEVEL = 62,

LUMP_TRICOLL_TRIS = 66,

LUMP_TRICOLL_NODES = 68,

LUMP_TRICOLL_HEADERS = 69,

LUMP_PHYSTRIS = 70,

LUMP_VERTS_UNLIT = 71,

LUMP_VERTS_LIT_FLAT = 72,

LUMP_VERTS_LIT_BUMP = 73,

LUMP_VERTS_UNLIT_TS = 74,

LUMP_VERTS_BLINN_PHONG = 75,

LUMP_VERTS_RESERVED_5 = 76,

LUMP_VERTS_RESERVED_6 = 77,

LUMP_VERTS_RESERVED_7 = 78,

LUMP_MESH_INDICES = 79,

LUMP_MESHES = 80,

LUMP_MESH_BOUNDS = 81,

LUMP_MATERIAL_SORT = 82,

LUMP_LIGHTMAP_HEADERS = 83,

LUMP_LIGHTMAP_DATA_DXT5 = 84,

LUMP_CM_GRID = 85,

LUMP_CM_GRIDCELLS = 86,

LUMP_CM_GEO_SETS = 87,

LUMP_CM_GEO_SET_BOUNDS = 88,

LUMP_CM_PRIMS = 89,

LUMP_CM_PRIM_BOUNDS = 90,

LUMP_CM_UNIQUE_CONTENTS = 91,

LUMP_CM_BRUSHES = 92,

LUMP_CM_BRUSH_SIDE_PLANE_OFFSETS = 93,

LUMP_CM_BRUSH_SIDE_PROPS = 94,

LUMP_CM_BRUSH_TEX_VECS = 95,

LUMP_TRICOLL_BEVEL_STARTS = 96,

LUMP_TRICOLL_BEVEL_INDEXES = 97,

LUMP_LIGHTMAP_DATA_SKY =98,

LUMP_CSM_AABB_NODES =99,

LUMP_CSM_OBJ_REFS =100,

LUMP_LIGHTPROBES =101,

LUMP_STATIC_PROP_LIGHTPROBE_INDEX =102,

LUMP_LIGHTPROBETREE =103,

LUMP_LIGHTPROBEREFS =104,

LUMP_LIGHTMAP_DATA_REAL_TIME_LIGHTS =105,

LUMP_CELL_BSP_NODES =106,

LUMP_CELLS =107,

LUMP_PORTALS =108,

LUMP_PORTAL_VERTS =109,

LUMP_PORTAL_EDGES =110,

LUMP_PORTAL_VERT_EDGES =111,

LUMP_PORTAL_VERT_REFS =112,

LUMP_PORTAL_EDGE_REFS =113,

LUMP_PORTAL_EDGE_ISECT_EDGE =114,

LUMP_PORTAL_EDGE_ISECT_AT_VERT =115,

LUMP_PORTAL_EDGE_ISECT_HEADER =116,

LUMP_OCCLUSIONMESH_VERTS =117,

LUMP_OCCLUSIONMESH_INDICES =118,

LUMP_CELL_AABB_NODES =119,

LUMP_OBJ_REFS =120,

LUMP_OBJ_REF_BOUNDS =121,

LUMP_DEPRECATED_122 =122,

LUMP_LEVEL_INFO =123,

LUMP_SHADOW_MESH_OPAQUE_VERTS =124,

LUMP_SHADOW_MESH_ALPHA_VERTS =125,

LUMP_SHADOW_MESH_INDICES =126,

LUMP_SHADOW_MESH_MESHES =127

}

Posted in Main | Tagged BSP, bspinspect, map, QUAKE, Titanfall | Leave a comment

Call of Duty Advance Warfare Sound (.pak) FLAC dumper

Posted on November 6, 2014 by admin

Same as ghosts the sound pak files are just mushed flac audio.

CODAW_FlacDumper_x64_3.0.zip

CODAW_FlacDumper_2.0.zip (don’t use this)

Posted in Main | Tagged advance, AW, call of duty, pak, Sound, tool, warfare | Leave a comment

Alien Isolation Generic PAK Unpacker (.PAK)

Posted on October 19, 2014 by admin

Alien Isolation PAK files have slight variants, there was the texture ones which I previously made a tool on and now looking into the model I’ve figured out that they share a common structure. When they mean package they seem to store only the core data inside them. Lets take textures for example, you got your package file full of just compressed texture data then a linking header file containing the filenames and texture headers. Same sort of deal with the models packages except they store all sorts of strings in the accompanying file like bone names and such.

Anyway for now here is a generic unpacker that should work on most things (getting ready for 3D models )

AIPAKTool_0.1.zip

Posted in Main | Tagged alien, assets, data, isolation, pak | Leave a comment

Developments