I've tried to Hex Edit my Multiplayer SaveFile for Crysis 2 but couldn't find my XP Value in the SaveFile. I'm pretty sure all my Multiplayer Stats are saved on the SaveFile because i've deleted it off my Harddrive and made a new SaveFile and had to Re-earn everything again.

If you Guys need anymore Info on the SaveFile then just let me know.

SaveFile:
http://www.mediafire.com/?28npd2g467ajp1j

http://i53.tinypic.com/24bvh2e.jpg

Did you compare with many gamesaves?

It Could Be In Gpd?

Did you compare with many gamesaves?

Only with a New Save Game that i've made and a Save File my friend had.


It Could Be In Gpd?

I Don't think so, it seems more linked with the Save File like for an example... My Old Save File i've got has everything Maxed out as you can see in the Picture and i've deleted that Save File and created a new one and was back to Level 1 and had to redo everything. I've also asked a friend to give me his Save File and it loaded up on my Game with his Level and Stats.

I've decompressed Crysis2 and it gave me 89 Extracted files and i've tried searching for my XP and couldn't find a thing even reversing it. (0001527A>7A520100) Then i've decided to open up Crysis2 with Le Fluffie and Extract what Data i can from it, which ended up me with profil.xml and ~~xenon~filemap~~.

I'm going to toy around with the SaveFile a little bit more later but thanks for trying to help out. :)

Lol, kinda figurs that this would be a pain to hex since it's an EA Game.

i posted this weeks ago --> http://www.360haven.com/forums/showthread.php?t=1212

i posted this weeks ago --> http://www.360haven.com/forums/showthread.php?t=1212

Sorry, i didn't even knew you Posted something related to this.

Hopefully this game can be modded, I took a look at that save you posted Raven, but couldn't find any value :(

Hopefully this game can be modded, I took a look at that save you posted Raven, but couldn't find any value :(

thats because the xml file in encrypted.

did he ever send you the encryption method dualla? if so are you going to make a public tool?

did he ever send you the encryption method dualla? if so are you going to make a public tool?

yes :)

that would be awesome. this game is pretty fun. liking the demo already.

pics ^^ -->

http://img194.imageshack.us/img194/9694/screenshot0903201116111.th.jpg (http://img194.imageshack.us/i/screenshot0903201116111.jpg/)

http://img851.imageshack.us/img851/9813/screenshot0903201116141.th.jpg (http://img851.imageshack.us/i/screenshot0903201116141.jpg/)

pics ^^ -->

http://img194.imageshack.us/img194/9694/screenshot0903201116111.th.jpg (http://img194.imageshack.us/i/screenshot0903201116111.jpg/)

http://img851.imageshack.us/img851/9813/screenshot0903201116141.th.jpg (http://img851.imageshack.us/i/screenshot0903201116141.jpg/)

looks great. Can't wait to see this in action. great work.

lol i hate aes >_<

When a savegame has been properly decrypted and unpacked it's a normal xml document..

example:


<SaveGame>
<Timer curTime="1421886927" ticksPerSecond="1948261"/>
<TerrainState m_bOcean="1" m_moonRotationLatitude="240" m_moonRotationLongitude="45" time="10.5" AdvInfoStart="10.5" AdvInfoEnd="10.5">
<TerrainState>
<TerrainMods />
</TerrainState>
<StaticDecals />
<ParticleEmitters />
<VariableValues>
<HDR_dynamic_power_factor Val0="1.5" Val1="-4" Val2="4"/>
<HDR_contrast Val0="1.5" Val1="1" Val2="2"/>
<HDR_blueshift Val0="0.79691702" Val1="0.907547" Val2="1"/>
<Sky_brightening__terrain_occlusion_ Val0="1" Val2="1"/>
<SSAO_amount_multiplier Val0="1.5" Val2="2.5"/>
<SSAO_contrast_multiplier Val0="1.5" Val1="1" Val2="2"/>
<Global_illumination_multiplier Val0="1" Val2="100"/>
...

@ fairchild you mean the key works for you ?

I got that from the memory right before encryption...

So far this is how i think the save process goes:

GameData -> XML -> ?Encryption? -> Compressed + MD5 checksum

This might be wrong but i have been watching the data in the memory today and At first the data is saved in a buffert as XML document, this is then (Maybe) encrypted or Serialized. After this the data is being Compressed (Maybe ZLib or custom) and a MD5 checksum is added.

mhh might be harder then we think :( one thing i know is that crysis 2 use a custom zlib version and x.509.

Okey, i have spent quite some time with this now, and it turned out that i was looking at the wrong encryption all along....

Now i have turned around and just about now i have found the loading routine for the profile.xml file.

I will try to solve this before i go away for the weekend, else i will continue when i get back unless someone else figures this out.

ok then take your time^^

I thought i would give some heads up on this project.

As of now i can encrypt and decrypt files written by the PC version (Magic header: CRYePC1), although the Xbox 360 version uses a different key and different API than the PC version, i can attach encrypted and decrypted file if someone's interested.

As i don't have my XDK here with me where i live currently this might take a little longer for me to finish this, but as i got more and more into this i am facinated by the number of ciphers and protection this game has i will continue as much as i can. I already know the encryption scheme for extracting the data files from the demo and the online connection + storing online profiles.

So down to some technical information to drool on:

Savegames:

They are encrypted and has the magic header "CRYe<platform>", and when decrypted the savegame contains a number of zlib compressed blocks.

The decompressed blocks are XMLSerialized so no plain xml here, but values and so on should still be visible for editing.

The files are also protected by a MD5 checksum to prevent tampering.

Demo datafile

The demo data file named "Nigel" in the demo is a xxtea encrypted zip archive, and aluigi has done a quickbms script for unpacking this.


If someone is interested in what encryptions the different parts are using let me know and i can give you some insights.

me playing tomorrow --> Crysis 2 ( AT Uncut Promocopy thx to someone special ) ^^

@ fairchild do you want my source files ? :)

@ fairchild do you want my source files ? :)

Would be great :)

I've been playing Crysis 2 today for abit and gotta say the Graphic's on the Single-Player are beautiful and the Multiplayer seems to look abit better too compared to the Demo.

It's funny that i havn't playes the game yet once... But still i know much about the inside of the game :)

So would it be possible then to have a single player save editor?
I wont be playing the game till tomorrow.

lol they crypted all system files/savegames ( CryXml/CryeXB/PC ) >_> (game.pak,defaultprofile.xml,config files etc. )

http://www.youtube.com/watch?v=WuBOYoxxVRg&hd=1

I don't think the game looks all that good on the console, on PC yes :).
This game has a funky save files :S (xml)

I don't think the game looks all that good on the console, on PC yes :).
This game has a funky save files :S (xml)

True but for a Console Version it's pretty good looking and it's running without killing the Console itself.

added check boxes -->

http://img62.imageshack.us/img62/9435/cry2decryptencrypt.jpg (http://img62.imageshack.us/i/cry2decryptencrypt.jpg/)



the only thing that is missing is the decrypt/encrypt code ^^

added check boxes -->

http://img62.imageshack.us/img62/9435/cry2decryptencrypt.jpg (http://img62.imageshack.us/i/cry2decryptencrypt.jpg/)


the only thing that is missing is the decrypt/encrypt code ^^

Nice, can't wait for this Baby to be cracked. :)

look like it will be long time before we see editor for this game

added check boxes -->

http://img62.imageshack.us/img62/9435/cry2decryptencrypt.jpg (http://img62.imageshack.us/i/cry2decryptencrypt.jpg/)



the only thing that is missing is the decrypt/encrypt code ^^

Keep us updated ok?

Cant waite for this been looking all over for this type of program......Kep us updated

i dont have the code for de/encryption

Renegade made a SaveEditor for the Game, you could ask him if he knows/has the de/encrption.

nice april fool ^^

so where is tool? i need it to fix corrupted SP savefile. Stupid Crytek did stupid checkpoints... i hate them for this, i dont want to spend another hour replaying same level.

Crysis 2 is freakin awsum! Tho I do admit it'd be even better with Unlimited Ammo ;)

I don't know if you can edit the savegame to have unlimited ammo, this is how the shotgun entity looks like within a savegame:



<Entity id="2965">
<EntityProxies>
<RenderProxy />
<GameObject numExtensions="1">
<Extension name="Marshall" accAmmoAvail="1" m_serializeRigidPhysics="1" m_deferPhysicalization="3">
<ItemStats dropped="1" brandnew="1" first_selection="1" pickable="1"/>
<WeaponAmmo AmmoAmount="1" BonusAmmoAmount="1" minDropAmmoAvail="1">
<Ammo AmmoName="shotgunshell" Bullets="10"/>
<Ammo AmmoName="shotgunshell" Bullets="10"/>
</WeaponAmmo>
<WeaponStats />
</Extension>
</GameObject>
<PhysicsProxy pos="246.60635,90.448433,46.862675" rot="-0.18809304,0.68163115,-0.18809304,-0.68163115"/>
</EntityProxies>
</Entity>


I will also attach all profile files (profile.xml, attributes.xml etc...) decrypted.
636

I don't know if you can edit the savegame to have unlimited ammo, this is how the shotgun entity looks like within a savegame:



<Entity id="2965">
<EntityProxies>
<RenderProxy />
<GameObject numExtensions="1">
<Extension name="Marshall" accAmmoAvail="1" m_serializeRigidPhysics="1" m_deferPhysicalization="3">
<ItemStats dropped="1" brandnew="1" first_selection="1" pickable="1"/>
<WeaponAmmo AmmoAmount="1" BonusAmmoAmount="1" minDropAmmoAvail="1">
<Ammo AmmoName="shotgunshell" Bullets="10"/>
<Ammo AmmoName="shotgunshell" Bullets="10"/>
</WeaponAmmo>
<WeaponStats />
</Extension>
</GameObject>
<PhysicsProxy pos="246.60635,90.448433,46.862675" rot="-0.18809304,0.68163115,-0.18809304,-0.68163115"/>
</EntityProxies>
</Entity>


I will also attach all profile files (profile.xml, attributes.xml etc...) decrypted.
636


WOW! Thats good progress, so basically its 0 or 1 value to mod the save file.

So can someone update me on what is going on?

i would only need the crypto code than hopefully i could finish the tool ( x360 ). or i send fairchild my source and he can finish it :)

i would only need the crypto code than hopefully i could finish the tool ( x360 ). or i send fairchild my source and he can finish it :)


Thank you great work

It's amazing how much Crytek has been working on making this game secure, i have spent quite some time on this but not only on the CRYe files but also on the .pak encryption and the online security.

If nobody else is releasing a tool to decrypt / encrypt CRYe packages i will, but as of now i still need to fix some bugs and make sure my routine is correct for creating the real key from the raw key (yes, the raw key is encrypted aswell using a nifty scheme).

I need to get the key for PS3 version, does anyone have the game excutables?

Update:

My tool is starting take shape, this is what has been done so far:

* Key generation routine has been 100% reversed, now i can generate decryption keys from the key found in the executables, still missing the key from the PS3 version (and if updates)
* Decryption routine is 90% complete, it can decrypt but sometimes spits out strange characters, easy to fix.
* Encryption routine is 0% complete, i need to decrypt before encrypt ;)
* Added the following keys to the application:
- CRYePC1
- CRYeXB1


Output from one of my tests, aaah, nice strange characters...


38, 2nd: (ecx): 2f, (204h): 2f (S), (ecx): 45, (20Ch): 3c (S), (bl): 45 (G), (cl): 3b (G), (key[3c]: 45 (S), (key[2f]: 3b (S), (return: 5f)

22, 2nd: (ecx): 30, (204h): 30 (S), (ecx): 26, (20Ch): 62 (S), (bl): 26 (G), (cl): 4d (G), (key[62]: 26 (S), (key[30]: 4d (S), (return: 85)

2f, 2nd: (ecx): 31, (204h): 31 (S), (ecx): ae, (20Ch): 10 (S), (bl): ae (G), (cl): c0 (G), (key[10]: ae (S), (key[31]: c0 (S), (return: 57)

3e, 2nd: (ecx): 32, (204h): 32 (S), (ecx): 95, (20Ch): a5 (S), (bl): 95 (G), (cl): c1 (G), (key[a5]: 95 (S), (key[32]: c1 (S), (return: a3)

a,

Decrypted: <Profile Name="default" LastPlayed="1298999688"/>
┬├─┼ãÃ╚╔╩╦╠═╬¤ðÐÊËÈıÍÎÉ☺


PoC for XB1 profiles:



Initializing crypto key... Done.

Decrypted length: 21163, 52ab
Decrypted: <Profile Name="Duellkiller">
<Attributes Version="23">
<Attr name="Brightness" value="0.65"/>
<Attr name="DialogueVolume" value="1"/>
<Attr name="Gamma" value="1"/>
<Attr name="MP/DogTagProgression/DogTagSkinId" value="20"/>
<Attr name="MP/DogTagProgression/DogTagSkinStyle" value="1"/>
<Attr name="MP/LastSubmitPermissions" value="47"/>

oh man everyone is wrong ...its in the profile. GPD. anyways i found a super cool editor...it does all teh unlock for attachments and weapons and level and suit level XP all of it.