Path: news.tcd.ie!news.heanet.ie!server5.netnews.ja.net!nntp.news.xara.net!xara.net!gxn.net!news-lond.gip.net!news-peer.gip.net!news.gsl.net!gip.net!howland.erols.net!newshub2.home.com!news.home.com!news1.frmt1.sfba.home.com.POSTED!not-for-mail
From: Loren Petrich <petrich@netcom.com>
Newsgroups: alt.games.marathon
Subject: Pathways into Darkness Encryption?
Message-ID: <141220001926092035%petrich@netcom.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-transfer-encoding: 8bit
User-Agent: YA-NewsWatcher/4.2.6
Lines: 22
Date: Fri, 15 Dec 2000 03:26:08 GMT
NNTP-Posting-Host: 24.1.102.83
X-Complaints-To: abuse@home.net
X-Trace: news1.frmt1.sfba.home.com 976850768 24.1.102.83 (Thu, 14 Dec 2000 19:26:08 PST)
NNTP-Posting-Date: Thu, 14 Dec 2000 19:26:08 PST
Organization: Excite@Home - The Leader in Broadband http://home.com/faster
Xref: news.tcd.ie alt.games.marathon:63781

   In a TEXT resource in the M1 app, there is a little note to the
effect that the Bungie folx had not had the time to encrypt any of the
game's content, as had been done with earlier games.

   This means that there might be some encryption in Pathways into
Darkness, and I tried to test that hypothesis by doing a byte-frequency
test on some of its contents. In particular, I tried on all the 'scri'
resources, and came out with an even distribution, with all values
nearly equally probable.

   This rules out the simpler forms of encryption, such as xoring. I
note that the text contents of the Tomb Raider games have xor
encryption on them; that has been relatively easy to crack.

   It may not be possible to proceed much further without a fancy
debugger :-(

-- 
Loren Petrich
petrich@netcom.com
Happiness is a fast Macintosh
And a fast train



Path: news.tcd.ie!news.heanet.ie!server5.netnews.ja.net!nntp.news.xara.net!xara.net!gxn.net!dispose.news.demon.net!demon!newspeer.monmouth.com!cpk-news-hub1.bbnplanet.com!news.gtei.net!newsfeed.cs.utexas.edu!geraldo.cc.utexas.edu!santiago
From: Santiago <santiago@nastyPinkCannedMeat.cs.utexas.edu>
Newsgroups: alt.games.marathon
Subject: Re: Pathways into Darkness Encryption?
Date: Fri, 15 Dec 2000 16:46:52 -0600
Organization: The University of Texas at Austin; Austin, Texas
Message-ID: <santiago-4558B0.16465215122000@newshost.cc.utexas.edu>
References: <141220001926092035%petrich@netcom.com>
NNTP-Posting-Host: dial-83-9.ots.utexas.edu
X-Trace: geraldo.cc.utexas.edu 976920406 5568 128.83.219.57 (15 Dec 2000 22:46:46 GMT)
X-Complaints-To: abuse@cc.utexas.edu
NNTP-Posting-Date: 15 Dec 2000 22:46:46 GMT
User-Agent: MT-NewsWatcher/3.0 (PPC)
Lines: 25
Xref: news.tcd.ie alt.games.marathon:63786

In article <141220001926092035%petrich@netcom.com>, Loren Petrich 
<petrich@netcom.com> wrote:

>   This means that there might be some encryption in Pathways into
>Darkness, and I tried to test that hypothesis by doing a byte-frequency
>test on some of its contents. In particular, I tried on all the 'scri'
>resources, and came out with an even distribution, with all values
>nearly equally probable.
>
>   This rules out the simpler forms of encryption, such as xoring. I
>note that the text contents of the Tomb Raider games have xor
>encryption on them; that has been relatively easy to crack.

     I fail to see how that rules out xoring.  It would seem to rule out 
xoring with a short key that is repeated, but not one generated by a 
complex pseudorandom algorithm with a very long period.  (If your key is 
truly random, xoring it with anything that has no correlation to it will 
give a flat byte-frequency distribution.)  Of course, such an algorithm 
would be buried somewhere in the PiD code, and could be found...

---------------------------------------------------------------------
santiago@@cs..utexas..edu    http://www.cs.utexas.edu/users/santiago/
---------------------------------------------------------------------
If you think mathematics is the universal language, try using a 
differential equation to tell an Eskimo his pants are on fire...



Path: news.tcd.ie!news.heanet.ie!server5.netnews.ja.net!nntp.news.xara.net!xara.net!gxn.net!dispose.news.demon.net!demon!diablo.theplanet.net!europa.netcrusader.net!205.252.116.205!howland.erols.net!nntp.flash.net!news.flash.net!not-for-mail
From: hnsngr@sirius.com (Ron Hunsinger)
Newsgroups: alt.games.marathon
Subject: Re: Pathways into Darkness Encryption?
Message-ID: <hnsngr-ya023180001612000036060001@news.flash.net>
References: <141220001926092035%petrich@netcom.com> <santiago-4558B0.16465215122000@newshost.cc.utexas.edu>
Organization: ErsteSoft
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-transfer-encoding: 8bit
X-Newsreader: Yet Another NewsWatcher 2.3.1
Date: Sat, 16 Dec 2000 08:36:02 GMT
NNTP-Posting-Host: 216.103.86.8
X-Complaints-To: abuse@flash.net
X-Trace: news.flash.net 976955762 216.103.86.8 (Sat, 16 Dec 2000 02:36:02 CST)
NNTP-Posting-Date: Sat, 16 Dec 2000 02:36:02 CST
Lines: 46
Xref: news.tcd.ie alt.games.marathon:63791

In article <santiago-4558B0.16465215122000@newshost.cc.utexas.edu>,
Santiago <santiago@nastyPinkCannedMeat.cs.utexas.edu> wrote:

> In article <141220001926092035%petrich@netcom.com>, Loren Petrich 
> <petrich@netcom.com> wrote:
> 
> >   This means that there might be some encryption in Pathways into
> >Darkness, and I tried to test that hypothesis by doing a byte-frequency
> >test on some of its contents. In particular, I tried on all the 'scri'
> >resources, and came out with an even distribution, with all values
> >nearly equally probable.
> >
> >   This rules out the simpler forms of encryption, such as xoring. I
> >note that the text contents of the Tomb Raider games have xor
> >encryption on them; that has been relatively easy to crack.
> 
>      I fail to see how that rules out xoring.  It would seem to rule out 
> xoring with a short key that is repeated, but not one generated by a 
> complex pseudorandom algorithm with a very long period.  (If your key is 
> truly random, xoring it with anything that has no correlation to it will 
> give a flat byte-frequency distribution.)  Of course, such an algorithm 
> would be buried somewhere in the PiD code, and could be found...

It doesn't even have to be a very good pseudo-random generator. In fact, it
can be just about as bad as they come, as long as it has a long period. It
could, in fact, be as simple as an increment...

The code to encrypt/decrypt a scri resource is:

    void EncodeScript (Handle h) {
        int len = **(short**) h;
        Ptr p = *h + 2;
        for (int i = 0; i < len; ++i) {
            *p++ ^= i; }
        }

Of course, there's still a little more to it than that, since the decrypted
scri resource is not pure text. It contains a sequence of variable-length
instructions, each consisting of a 1-byte opcode followed by parameters
appropriate to that opcode. Some of those parameters are indexes into the
text part, which is a sequence of N c-style strings starting at offset X,
where N and X are the second and third short of the decrypted resource.
Some of the strings are words to listen for, and some are the responses to
those words.

-Ron Hunsinger
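
Added example, not part of the post above or of the game's code: a C check of the point made in the last two replies, that XOR with a plain incrementing counter is enough to flatten a byte-frequency test, while a single-byte or short repeated key is not. The phrase, the keys and the function names are constructed for illustration; the input is sized so that every phrase position meets every counter value exactly once.

```c
/* Added example, not code from the thread: byte histograms under three XOR schemes. */
#include <stdio.h>
#include <string.h>

enum scheme { PLAIN, SINGLE_BYTE, REPEAT4, COUNTER };

/* Constructed sample text and keys; nothing here comes from the game. */
static const char PHRASE[] = "They hide in the corners until they see light. ";
static const unsigned char KEY4[4] = { 0x5A, 0xC3, 0x17, 0x88 };

/* Histogram of PHRASE repeated to plen * 256 bytes, after XOR with the scheme. */
static void build_hist(enum scheme s, long hist[256])
{
    size_t plen = strlen(PHRASE);
    if (plen % 2 == 0) plen--;      /* odd period: coprime to the counter's 256 */
    memset(hist, 0, 256 * sizeof hist[0]);
    for (size_t i = 0; i < plen * 256; i++) {
        unsigned char b = (unsigned char)PHRASE[i % plen];
        if (s == SINGLE_BYTE) b ^= KEY4[0];
        if (s == REPEAT4)     b ^= KEY4[i % 4];
        if (s == COUNTER)     b ^= (unsigned char)i;   /* what "*p++ ^= i" does */
        hist[b]++;
    }
}

/* Number of byte values that occur at least once. */
int distinct_values(enum scheme s)
{
    long hist[256];
    int n = 0;
    build_hist(s, hist);
    for (int v = 0; v < 256; v++) n += hist[v] > 0;
    return n;
}

/* Most frequent minus least frequent byte count; 0 means perfectly flat. */
long spread(enum scheme s)
{
    long hist[256], lo, hi;
    build_hist(s, hist);
    lo = hi = hist[0];
    for (int v = 1; v < 256; v++) {
        if (hist[v] < lo) lo = hist[v];
        if (hist[v] > hi) hi = hist[v];
    }
    return hi - lo;
}

int main(void)
{
    static const char *name[] = { "plaintext", "1-byte key", "4-byte key", "counter" };
    for (int s = PLAIN; s <= COUNTER; s++)
        printf("%-11s distinct=%3d spread=%ld\n", name[s],
               distinct_values((enum scheme)s), spread((enum scheme)s));
    return 0;
}
```

A single-byte key only permutes the plaintext histogram, which is why that kind of XOR shows up in a frequency test and the counter does not.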



Path: news.tcd.ie!news.heanet.ie!server5.netnews.ja.net!server6.netnews.ja.net!nntp.news.xara.net!xara.net!gxn.net!blue.nl.gxn.net!transit.news.xs4all.nl!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!newshub2.home.com!news.home.com!news1.frmt1.sfba.home.com.POSTED!not-for-mail
From: Loren Petrich <petrich@netcom.com>
Newsgroups: alt.games.marathon
Subject: Re: Pathways into Darkness Encryption?
Message-ID: <161220001000247019%petrich@netcom.com>
References: <141220001926092035%petrich@netcom.com> <santiago-4558B0.16465215122000@newshost.cc.utexas.edu> <hnsngr-ya023180001612000036060001@news.flash.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-transfer-encoding: 8bit
User-Agent: YA-NewsWatcher/4.2.6
Lines: 22
Date: Sat, 16 Dec 2000 18:00:23 GMT
NNTP-Posting-Host: 24.1.102.83
X-Complaints-To: abuse@home.net
X-Trace: news1.frmt1.sfba.home.com 976989623 24.1.102.83 (Sat, 16 Dec 2000 10:00:23 PST)
NNTP-Posting-Date: Sat, 16 Dec 2000 10:00:23 PST
Organization: Excite@Home - The Leader in Broadband http://home.com/faster
Xref: news.tcd.ie alt.games.marathon:63797

In article <hnsngr-ya023180001612000036060001@news.flash.net>, Ron
Hunsinger <hnsngr@sirius.com> wrote:
> The code to encrypt/decrypt a scri resource is:
> 
>     void EncodeScript (Handle h) {
>         int len = **(short**) h;
>         Ptr p = *h + 2;
>         for (int i = 0; i < len; ++i) {
>             *p++ ^= i; }
>         }
> 
> Of course, there's still a little more to it than that, ...

   Thanx. I've gotten some intelligible text out of that, and I think I
have a clue as to those opcodes. My guess at the moment is that they
are 2-byte instead of 1-byte ones.

-- 
Loren Petrich
petrich@netcom.com
Happiness is a fast Macintosh
And a fast train




Path: news.tcd.ie!news.heanet.ie!server5.netnews.ja.net!nntp.news.xara.net!xara.net!gxn.net!news.lattis.xara.net!ayres.ftech.net!news.ftech.net!newspeer.clara.net!news.clara.net!news.algonet.se!algonet!newsfeed.rt.ru!newsfeed.mesh.ad.jp!sjc-peer.news.verio.net!ord-feed.news.verio.net!news.verio.net!newsmaster.cc.columbia.edu!aaron
From: aaron@avalon.eyep.net (Aaron Davies)
Newsgroups: alt.games.marathon
Subject: Re: Pathways into Darkness Encryption?
Date: Sat, 16 Dec 2000 17:34:17 -0500
Organization: Columbia University
Lines: 28
Message-ID: <1elqu0l.dbrmyr1tru46N%aaron@avalon.eyep.net>
References: <141220001926092035%petrich@netcom.com>
NNTP-Posting-Host: marathon.mcb.rhno.columbia.edu
X-Trace: newsmaster.cc.columbia.edu 977006130 5377 160.39.168.47 (16 Dec 2000 22:35:30 GMT)
X-Complaints-To: postmaster@columbia.edu
NNTP-Posting-Date: 16 Dec 2000 22:35:30 GMT
User-Agent: MacSOUP/2.4.6
Xref: news.tcd.ie alt.games.marathon:63800

Loren Petrich <petrich@netcom.com> wrote:

>    In a TEXT resource in the M1 app, there is a little note to the
> effect that the Bungie folx had not had the time to encrypt any of the
> game's content, as had been done with earlier games.
> 
>    This means that there might be some encryption in Pathways into
> Darkness, and I tried to test that hypothesis by doing a byte-frequency
> test on some of its contents. In particular, I tried on all the 'scri'
> resources, and came out with an even distribution, with all values
> nearly equally probable.
> 
>    This rules out the simpler forms of encryption, such as xoring. I
> note that the text contents of the Tomb Raider games have xor
> encryption on them; that has been relatively easy to crack.
> 
>    It may not be possible to proceed much further without a fancy
> debugger :-(

Before you put a lot of work into this, I suggest you talk to Hamish. He
knows someone who at least partially cracked the scri encryption,
producing the "Conversations with the Dead" pages available at
pid.bungie.org.
-- 
    __                        __
   /  )                      /  )
  /--/ __.  __  ________    /  / __. , __o  _  _
 /  (_(_/|_/ (_(_) / / <_  /__/_(_/|_\/ <__</_/_)_
 
 
 
 
Path: news.tcd.ie!news.heanet.ie!server5.netnews.ja.net!nntp.news.xara.net!xara.net!gxn.net!news.lattis.xara.net!ayres.ftech.net!news.ftech.net!peer.news.zetnet.net!newsfeed.icl.net!colt.net!news.maxwell.syr.edu!newshub2.home.com!news.home.com!news1.frmt1.sfba.home.com.POSTED!not-for-mail
From: Loren Petrich <petrich@netcom.com>
Newsgroups: alt.games.marathon
Subject: Re: Pathways into Darkness Encryption?
Message-ID: <161220001956074312%petrich@netcom.com>
References: <141220001926092035%petrich@netcom.com> <1elqu0l.dbrmyr1tru46N%aaron@avalon.eyep.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-transfer-encoding: 8bit
User-Agent: YA-NewsWatcher/4.2.6
Lines: 17
Date: Sun, 17 Dec 2000 03:56:07 GMT
NNTP-Posting-Host: 24.1.102.83
X-Complaints-To: abuse@home.net
X-Trace: news1.frmt1.sfba.home.com 977025367 24.1.102.83 (Sat, 16 Dec 2000 19:56:07 PST)
NNTP-Posting-Date: Sat, 16 Dec 2000 19:56:07 PST
Organization: Excite@Home - The Leader in Broadband http://home.com/faster
Xref: news.tcd.ie alt.games.marathon:63809

In article <1elqu0l.dbrmyr1tru46N%aaron@avalon.eyep.net>, Aaron Davies
<aaron@avalon.eyep.net> wrote:

> Before you put a lot of work into this, I suggest you talk to Hamish. He
> knows someone who at least partially cracked the scri encryption,
> producing the "Conversations with the Dead" pages available at
> pid.bungie.org.

   I checked, and what I found there represents about as far as I've
gotten in interpreting those resources -- I can get the text, but the
stuff before it is mostly unintelligible to me.

-- 
Loren Petrich
petrich@netcom.com
Happiness is a fast Macintosh
And a fast train



Path: news.tcd.ie!news.heanet.ie!server5.netnews.ja.net!server3.netnews.ja.net!newspeer.clara.net!news.clara.net!feed2.onemain.com!feed1.onemain.com!xfer13.netnews.com!netnews.com!howland.erols.net!nntp.flash.net!news.flash.net!not-for-mail
From: hnsngr@sirius.com (Ron Hunsinger)
Newsgroups: alt.games.marathon
Subject: Re: Pathways into Darkness Encryption?
Message-ID: <hnsngr-ya023180001712000227320001@news.flash.net>
References: <141220001926092035%petrich@netcom.com> <santiago-4558B0.16465215122000@newshost.cc.utexas.edu> <hnsngr-ya023180001612000036060001@news.flash.net> <161220001000247019%petrich@netcom.com>
Organization: ErsteSoft
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-transfer-encoding: 8bit
X-Newsreader: Yet Another NewsWatcher 2.3.1
Lines: 186
Date: Sun, 17 Dec 2000 10:27:26 GMT
NNTP-Posting-Host: 216.103.86.8
X-Complaints-To: abuse@flash.net
X-Trace: news.flash.net 977048846 216.103.86.8 (Sun, 17 Dec 2000 04:27:26 CST)
NNTP-Posting-Date: Sun, 17 Dec 2000 04:27:26 CST
Xref: news.tcd.ie alt.games.marathon:63816

In article <161220001000247019%petrich@netcom.com>, Loren Petrich
<petrich@netcom.com> wrote:

> In article <hnsngr-ya023180001612000036060001@news.flash.net>, Ron
> Hunsinger <hnsngr@sirius.com> wrote:
> > The code to encrypt/decrypt a scri resource is:
> > 
> >     void EncodeScript (Handle h) {
> >         int len = **(short**) h;
> >         Ptr p = *h + 2;
> >         for (int i = 0; i < len; ++i) {
> >             *p++ ^= i; }
> >         }
> > 
> > Of course, there's still a little more to it than that, ...
> 
>    Thanx. I've gotten some intelligible text out of that, and I think I
> have a clue as to those opcodes. My guess at the moment is that they
> are 2-byte instead of 1-byte ones.

I can give you some more information. First off, I want to correct an error
in the above code. The length word at the beginning of the resource counts
itself as part of the length. The above code assumes it doesn't, so it
translates two bytes beyond the end of the resource. To correct it, the
initial value for len should be:

    int len = **(short**) h - 2;
                            ^^^

Oddly, the code I posted is exactly the code I used to decrypt the
resources lo these many moons ago. I guess I was just lucky it didn't
crash.

You can partially DeRez the decrypted resource using this definition:

    type 'scri' {
        unsigned integer = StringEnd / 8;
        unsigned integer = $$Countof (StringArray);
        unsigned integer = StringStart / 8;
        unsigned integer = 1;   /* I don't know what this is */
        unsigned integer = 10;  /* I don't know what this is */
        literal longint;        /* Type of corpse */
    CodeStart:
        hex string [StringStart / 8 - CodeStart / 8];
    StringStart:
        array StringArray {
            cstring; };
    StringEnd:
        };

That hex string starting at CodeStart is the program. The instruction set
is the following. (I've made up the names, and I'm a little unclear on the
finer nuances of some of them. I think I knew the details at one time, but
my notes are incomplete in places.)

    a (byte) is 8 bits
    a (word) is 16 bits
    an (OSType) is 32 bits containing 4 printable characters

    branch instructions contain a 16-bit signed delta which, if added to
        the address of the *beginning* of the current instruction, gives
        the address of the beginning of the instruction being branched to
    a filler is always ignored, and usually contains garbage
    strings are referenced by index, not offset, starting at zero

    Test Environment
        opcode = 0      (byte)
        filler          (byte)
        what to check   (OSType)
        delta           (word)

        Tests the indicated condition in the environment, and branches
        if the condition is true. (For example, 'dark' is true if you
        do not have a turned-on flashlight. See scri#138.)

    Test Variable
        opcode = 1      (byte)
        filler          (byte)
        mask            (word)
        value           (word)
        delta           (word)
   
        There is a word-size variable associated with each corpse. The
        value is retained across uses of the yellow crystal. The condition
        being tested is ((variable & mask) == value).

        An unconditional branch is obtained by setting mask = value = 0.

    Speak
        opcode = 2      (byte)
        variations      (byte)
        first string    (word)

        Speaks a randomly selected string from among the <variations>
        strings starting with the indicated <first string>. For example,
        the instruction 02030007 randomly selects one of string #7,
        string #8, or string #9 for output.

    Listen
        opcode = 3      (byte)
        prompted        (byte)
        hidden          (byte)
        filler          (byte)
        first word      (word)
        deltas          (array of words)

        Waits for input from the user, then scans it looking for one
        of the known words. <prompted> is the number of words that are
        given to the user (in a popup menu, perhaps?). This is always
        zero in PiD. <hidden> is the number of words that the user has
        to stumble across by guesswork.

        The words themselves appear as strings, starting with string
        #<first word>. The array of deltas contains one element for
        each word; the instruction does a conditional branch using the
        delta from the best match found. If none of the words are found
        in the input, execution falls through to the next instruction.

    Set Variable
        opcode = 4      (byte)
        filler          (byte)
        mask            (word)
        value           (word)

        Sets the indicated portion of the variable associated with the
        current corpse. I believe the calculation is:

            variable = (variable & ~mask) | (value & mask);

        but that's one of the things I didn't put in my notes.

        The most common use of this is to remember if you've talked to
        this corpse before, so it can say something different when you
        come back. ("Hello again" instead of "Who are you?")

    Callback
        opcode = 5      (byte)
        filler          (byte)
        action          (OSType)

        Performs the indicated action. (Must be one built into the engine.)
        The only action I know of is 'STOP'. The program for each scri
        resource ends with a callback to this action. (That is, the final
        instruction is always 05xx53544F50, where the xx is garbage.)
        That final instruction is never reachable.

As an example, the program contained in scri#138 (for the corpse on "We Can
See In the Dark, Can You?") begins as follows:

000E:   0000 6461 726B 003A     // if 'dark' goto 0048 (000E+003A)
0016:   0201 0000               // speak 0 ("Get that light away from me!
                                             Get it away!  No lights!
                                             They're coming!")

001A:   0300 045F 0001          // listen for 4 words starting at #1
            0016 0016 0022 0022 // goto, respectively, 
                                //      light       -> 0030 (001A+0016)
                                //      flashlight  -> 0030 (001A+0016)
                                //      they        -> 003C (001A+0022)
                                //      who         -> 003C (001A+0022)

0028:   019B 0000 0000 FFEE     // goto 0016 (0028+FFEE)
        
0030:   0201 0005               // speak 5 ("They're attracted to your
                                             light.  Fool!  Get away
                                             from me!")

0034:   019B 0000 0000 FFE6     // goto 001A (0034+FFE6)
        
003C:   0201 0006               // speak 6 ("Those things, those things!
                                             They're all around, they hide
                                             in the corners until they see
                                             light ...")

0040:   019B 0000 0000 FFDA     // goto 001A (0040+FFDA)
    
    
0048:   0201 0007               // speak 7 ("Are they following you?  You
                                             don't have any lights, do
                                             you?  Stay away ...")

004C:   0300 2365 0008          // listen for 35 words starting at #8
            0070 00D0 ...       // goto, respectively, ...


-Ron Hunsinger
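
Added example, not part of the post above: a C decoder and disassembler for the layout just described, run on a small constructed resource, with every length and offset checked before it is used. It assumes big-endian fields (as in the hex listing) and that a Listen instruction carries prompted + hidden deltas; SAMPLE and the scri_* names are made up here.

```c
#include <stdio.h>
#include <string.h>

static const unsigned char SAMPLE[] = {  /* constructed for this added example; decrypted form */
    0x00,0x39, 0x00,0x02, 0x00,0x28, 0x00,0x01, 0x00,0x0A, 't','e','s','t', /* header */
    0x00,0x00, 'd','a','r','k', 0x00,0x14,  0x02,0x01, 0x00,0x00, /* 000E test, 0016 speak */
    0x03,0x00,0x01,0x00, 0x00,0x01, 0xFF,0xFC,          /* 001A listen   */
    0x05,0x00, 'S','T','O','P',                         /* 0022 callback */
    'N','o',' ','l','i','g','h','t','s','!',0, 'l','i','g','h','t',0
};

/* Big-endian 16-bit read, and branch target = instruction address + signed delta. */
static unsigned be16(const unsigned char *p) { return ((unsigned)p[0] << 8) | p[1]; }
unsigned scri_target(size_t pc, const unsigned char *d) { return (unsigned)((pc + be16(d)) & 0xFFFF); }

/* XOR each byte after the length word with a counter starting at 0. The length
   word counts itself, so len - 2 bytes change. Returns that count, or -1. */
long scri_xor(unsigned char *r, size_t size)
{
    size_t len = size >= 14 ? be16(r) : 0;      /* the header alone is 14 bytes */
    if (len < 14 || len > size) return -1;
    for (size_t i = 0; i < len - 2; i++) r[i + 2] ^= (unsigned char)i;
    return (long)(len - 2);
}

/* Length of the instruction at pc, or 0 if it is unknown or runs past end. */
size_t scri_insn_len(const unsigned char *r, size_t pc, size_t end)
{
    static const size_t fixed[6] = { 8, 8, 4, 6, 6, 6 };
    size_t n = (pc < end && r[pc] <= 5) ? fixed[r[pc]] : 0;
    if (n == 0 || pc + n > end) return 0;
    if (r[pc] == 3) n += 2 * ((size_t)r[pc + 1] + r[pc + 2]);  /* assumed word count */
    return pc + n <= end ? n : 0;
}

/* Print a listing of a decrypted resource; returns instruction count or -1. */
int scri_disasm(const unsigned char *r, size_t size, FILE *fp)
{
    size_t pc = 14, end = size >= 14 ? be16(r + 4) : 0, n = 0;  /* third short: string start */
    int count = 0;
    if (end < 14 || end > be16(r) || be16(r) > size) return -1;
    for (; pc < end; pc += n, count++) {
        const unsigned char *p = r + pc;
        const char *tag = (const char *)p + 2;  /* OSType operand of opcodes 0 and 5 */
        if ((n = scri_insn_len(r, pc, end)) == 0) return -1;
        fprintf(fp, "%04X: ", (unsigned)pc);
        switch (p[0]) {
        case 0: fprintf(fp, "if '%.4s' goto %04X\n", tag, scri_target(pc, p + 6)); break;
        case 1: fprintf(fp, "if (var & %04X) == %04X goto %04X\n",
                        be16(p + 2), be16(p + 4), scri_target(pc, p + 6)); break;
        case 2: fprintf(fp, "speak one of %u from #%u\n", (unsigned)p[1], be16(p + 2)); break;
        case 3: fprintf(fp, "listen, words from #%u, goto", be16(p + 4));
                for (size_t i = 6; i < n; i += 2) fprintf(fp, " %04X", scri_target(pc, p + i));
                fputc('\n', fp); break;
        case 4: fprintf(fp, "set var bits %04X to %04X\n", be16(p + 2), be16(p + 4)); break;
        case 5: fprintf(fp, "callback '%.4s'\n", tag); break;
        }
    }
    return count;
}

int main(void)
{
    unsigned char buf[sizeof SAMPLE];
    memcpy(buf, SAMPLE, sizeof buf);
    scri_xor(buf, sizeof buf);                  /* encode, as the resource is stored */
    scri_xor(buf, sizeof buf);                  /* the same call decodes */
    return scri_disasm(buf, sizeof buf, stdout) < 0;
}
```

Checking the length word against the real buffer size before the XOR loop is what keeps a wrong or hostile length from writing past the resource, the failure the uncorrected routine risked.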




Path: news.tcd.ie!news.heanet.ie!server5.netnews.ja.net!server6.netnews.ja.net!server4.netnews.ja.net!server2.netnews.ja.net!btnet-peer0!btnet-peer!btnet!news.maxwell.syr.edu!newshub2.home.com!news.home.com!news1.frmt1.sfba.home.com.POSTED!not-for-mail
From: Loren Petrich <petrich@netcom.com>
Newsgroups: alt.games.marathon
Subject: Re: Pathways into Darkness Encryption?
Message-ID: <191220000138341211%petrich@netcom.com>
References: <141220001926092035%petrich@netcom.com> <santiago-4558B0.16465215122000@newshost.cc.utexas.edu> <hnsngr-ya023180001612000036060001@news.flash.net> <161220001000247019%petrich@netcom.com> <hnsngr-ya023180001712000227320001@news.flash.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-transfer-encoding: 8bit
User-Agent: YA-NewsWatcher/4.2.6
Lines: 13
Date: Tue, 19 Dec 2000 09:38:34 GMT
NNTP-Posting-Host: 24.1.102.83
X-Complaints-To: abuse@home.net
X-Trace: news1.frmt1.sfba.home.com 977218714 24.1.102.83 (Tue, 19 Dec 2000 01:38:34 PST)
NNTP-Posting-Date: Tue, 19 Dec 2000 01:38:34 PST
Organization: Excite@Home - The Leader in Broadband http://home.com/faster
Xref: news.tcd.ie alt.games.marathon:63844

In article <hnsngr-ya023180001712000227320001@news.flash.net>, Ron
Hunsinger <hnsngr@sirius.com> wrote:

[details of scri-resource code...]

Thanx. I doubt if I could ever have figured that out. I'll see how well
it works by constructing some parsing code.

-- 
Loren Petrich
petrich@netcom.com
Happiness is a fast Macintosh
And a fast train