Gears of War 3 XP and Trophies Checksum?



Philymaster
09-28-2011, 04:08 PM
Hey guys.
I've found all the values in PlayerStorage.dat.
I think there is a kind of checksum in that file. If I change anything, it always resets the stats.
I believe the checksum is 160 bits (20 bytes) long and at the start of the file.

Possibly it's SHA-1, RIPEMD or a variant checksum from Epic. I don't know.
I've tried both checksums, but without the known length it's a hopeless search.

It's possible to find the checksum in xex files or whatever. I don't know which options there are.

Can somebody help me out, or does anyone have an idea?

Thanks in advance.

pureIso
09-28-2011, 04:13 PM
Should it now show corrupt instead of resetting you? Resetting, I believe, usually means it didn't match up with a total value stored somewhere.

Philymaster
09-28-2011, 07:02 PM
No, it's definitely a checksum.
I searched the GPD of the game and there is no matching value. The values are only in the PlayerStorage.dat.

I've saved 3 times with and the first 20 bytes changed. If I change anything, the game ignores my modded save and creates a new one.
For example, my experience: I changed it from 230 to 231, started the game, and all stats were 0.

As I said, I think it's SHA-1 or RIPEMD, but without the exact length it's hopeless.
Is there no other option?

pureIso
09-28-2011, 08:06 PM
No, it's definitely a checksum.
I searched the GPD of the game and there is no matching value. The values are only in the PlayerStorage.dat.

I've saved 3 times with and the first 20 bytes changed. If I change anything, the game ignores my modded save and creates a new one.
For example, my experience: I changed it from 230 to 231, started the game, and all stats were 0.

As I said, I think it's SHA-1 or RIPEMD, but without the exact length it's hopeless.
Is there no other option?

Bruteforce it?

xxXENOPIRATExx
09-29-2011, 08:41 PM
If you mod the multiplayer of GoW 3, you will get banned.

godzcheater
09-29-2011, 08:51 PM
Just to add,
It does use the GPD, and I think it has the same 20 bytes at the beginning of each setting.
Don't think it's a SHA1, but I think it's more to do with the encryption.

Philymaster
09-29-2011, 09:59 PM
@xxXENOPIRATExx:
Not exactly. You can earn xp and all medals in private matches (offline). So there is no problem.

I've now bruteforced all files with ALL checksums, but have no match.
So I guess it's a custom check by Epic. Does anyone have another idea to discover the checksum?
I will try XOR and other things.

absurdlyobfuscated
04-22-2012, 10:03 PM
I've been looking into figuring this out myself. What I've found so far from the disassembly of the GoW3 default.xex is that it definitely implements/uses a standard-looking SHA-1 hashing algorithm at some point. So I'm 99% sure that's what it uses for the TitleSpecific and PlayerStorage.dat checksums. My guesses as to why it's different are that it either adds something onto the data before it hashes it, or it does some kind of transformation on the hash once it's calculated. Just speculating, though. I am not well versed in PPC assembly enough to understand everything that's going on :(

Constants used in the SHA-1 hashing algorithm are found at these offsets/subs (from disassembly in IDA):
.text:822E9018 sub_822E9018 (initial values - 0x67452301, etc.)
.text:822F9EB0 sub_822F9EB0 (values used in algorithm's main loop - 0x5A827999, etc.)
.text:822FB800 sub_822FB800 (initial values - branches to sub_822F9EB0 via sub_822FB590, probably the 'main' hash implementation)
.text:8231330C loc_8231330C (initial values)
.text:8297B5B8 (initial values)
.text:8297B5C8 (initial values)
.text:8297B70C (initial values)

.text:823FE558 sub_823FE558 looks like it could be processing the data to be stored, before it's hashed.

Anyone else want to take a crack at it?
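An added example, not code from any poster in this thread: a small scanner that looks for hash constants such as the 0x67452301 and 0x5A827999 values listed in the post above. SHA-1 and RIPEMD-160 share their initial values and three round constants, so only the last round constant separates them. It assumes the constants sit as contiguous 32-bit words (big-endian on PowerPC); code that builds a constant from two 16-bit immediates will not match. The sample blob is constructed.

```python
import struct

# SHA-1 and RIPEMD-160 share all five initial values and three round constants;
# MD5 shares the first four initial values. Only the remaining constants differ.
INIT4 = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
SHARED = INIT4 + (0xC3D2E1F0, 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC)
SIGNATURES = {
    "MD5": INIT4 + (0xD76AA478,),               # first MD5 sine-table entry
    "SHA-1": SHARED + (0xCA62C1D6,),            # last SHA-1 round constant
    "RIPEMD-160": SHARED + (0xA953FD4E, 0x50A28BE6),
}

def find_constants(blob, byteorder="big"):
    """Map each known constant to the offsets where it occurs as a 32-bit word."""
    fmt = ">I" if byteorder == "big" else "<I"
    hits = {}
    for value in {c for sig in SIGNATURES.values() for c in sig}:
        needle = struct.pack(fmt, value)
        pos = blob.find(needle)
        while pos != -1:
            hits.setdefault(value, []).append(pos)
            pos = blob.find(needle, pos + 1)
    return hits

def coverage(blob, byteorder="big"):
    """Per algorithm: (constants found, constants in its signature)."""
    found = set(find_constants(blob, byteorder))
    return {name: (len(found & set(sig)), len(sig))
            for name, sig in SIGNATURES.items()}

def classify(blob, byteorder="big"):
    """Algorithms whose whole signature is present; partial hits stay ambiguous."""
    return sorted(n for n, (hit, total) in coverage(blob, byteorder).items()
                  if hit == total)

def sample_blob():
    # Constructed sample: three PowerPC nops, then the SHA-1 constants as
    # big-endian words separated by two filler bytes each.
    words = b"".join(struct.pack(">I", w) + b"\x00\x00" for w in SIGNATURES["SHA-1"])
    return b"\x60\x00\x00\x00" * 3 + words

if __name__ == "__main__":
    blob = sample_blob()
    print(classify(blob), coverage(blob))
```

Finding only the initial values leaves all three algorithms as candidates, which is why the round constants matter for telling SHA-1 from RIPEMD-160.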

Buddah
04-22-2012, 10:21 PM
All games implement a SHA1, since that's what the hashes on the whole container are. Maybe that's what you are looking at. I always felt it was a SHA1 with a salt of some sort.

Philymaster
04-22-2012, 10:46 PM
I think the checksum is based on a few things from the gamer profile.
But I don't know.

If you mod the game with Horizon, it requires the profile.

I can't say more.

Good luck

absurdlyobfuscated
04-23-2012, 12:20 AM
Yeah, after tracing through a bit more it does look like at least a few places that call the SHA-1 functions are related to scripting or engine related stuff. So I probably got my hopes up for nothing -_-

And I haven't had any luck disassembling Horizon as an alternate way of finding how it's done, either. Short of getting a Horizon dev to divulge their secrets, I don't see an easy way of figuring this out D:

Edit: Another way might be to trace through the sub that saves PlayerStorage.dat - sub_82989AF8.

Buddah
04-23-2012, 10:01 PM
I think the checksum is based on a few things from the gamer profile.
But I don't know.

If you mod the game with Horizon, it requires the profile.

I can't say more.

Good luck

That's because the stats are stored in the gamesave file as well as the GPD.

Buddah
04-23-2012, 10:02 PM
Yeah, after tracing through a bit more it does look like at least a few places that call the SHA-1 functions are related to scripting or engine related stuff. So I probably got my hopes up for nothing -_-

And I haven't had any luck disassembling Horizon as an alternate way of finding how it's done, either. Short of getting a Horizon dev to divulge their secrets, I don't see an easy way of figuring this out D:

Edit: Another way might be to trace through the sub that saves PlayerStorage.dat - sub_82989AF8.

Follow the error message back. I don't know if there is a corrupt message, but it's worth a try.