From: Loren Petrich <petrich@netcom.com>
Newsgroups: alt.games.marathon
Subject: Pathways into Darkness Encryption?
Message-ID: <141220001926092035%petrich@netcom.com>
Date: Fri, 15 Dec 2000 03:26:08 GMT

In a TEXT resource in the M1 app, there is a little note to the effect that the Bungie folx had not had the time to encrypt any of the game's content, as had been done with earlier games.

This means that there might be some encryption in Pathways into Darkness, and I tried to test that hypothesis by doing a byte-frequency test on some of its contents. In particular, I tried on all the 'scri' resources, and came out with an even distribution, with all values nearly equally probable.

This rules out the simpler forms of encryption, such as xoring. I note that the text contents of the Tomb Raider games have xor encryption on them; that has been relatively easy to crack.

It may not be possible to proceed much further without a fancy debugger :-(

--
Loren Petrich
petrich@netcom.com
Happiness is a fast Macintosh
And a fast train

From: Santiago <santiago@nastyPinkCannedMeat.cs.utexas.edu>
Newsgroups: alt.games.marathon
Subject: Re: Pathways into Darkness Encryption?
Date: Fri, 15 Dec 2000 16:46:52 -0600
Message-ID: <santiago-4558B0.16465215122000@newshost.cc.utexas.edu>

In article <141220001926092035%petrich@netcom.com>, Loren Petrich <petrich@netcom.com> wrote:

> This means that there might be some encryption in Pathways into
> Darkness, and I tried to test that hypothesis by doing a byte-frequency
> test on some of its contents. In particular, I tried on all the 'scri'
> resources, and came out with an even distribution, with all values
> nearly equally probable.
>
> This rules out the simpler forms of encryption, such as xoring. I
> note that the text contents of the Tomb Raider games have xor
> encryption on them; that has been relatively easy to crack.

I fail to see how that rules out xoring. It would seem to rule out xoring with a short key that is repeated, but not one generated by a complex pseudorandom algorithm with a very long period. (If your key is truly random, xoring it with anything that has no correlation to it will give a flat byte-frequency distribution.)
Of course, such an algorithm would be buried somewhere in the PiD code, and could be found...

---------------------------------------------------------------------
santiago@@cs..utexas..edu      http://www.cs.utexas.edu/users/santiago/
---------------------------------------------------------------------
If you think mathematics is the universal language, try using a differential equation to tell an Eskimo his pants are on fire...

From: hnsngr@sirius.com (Ron Hunsinger)
Newsgroups: alt.games.marathon
Subject: Re: Pathways into Darkness Encryption?
Message-ID: <hnsngr-ya023180001612000036060001@news.flash.net>
Date: Sat, 16 Dec 2000 08:36:02 GMT

In article <santiago-4558B0.16465215122000@newshost.cc.utexas.edu>, Santiago <santiago@nastyPinkCannedMeat.cs.utexas.edu> wrote:

> In article <141220001926092035%petrich@netcom.com>, Loren Petrich
> <petrich@netcom.com> wrote:
>
> > This means that there might be some encryption in Pathways into
> > Darkness, and I tried to test that hypothesis by doing a byte-frequency
> > test on some of its contents. In particular, I tried on all the 'scri'
> > resources, and came out with an even distribution, with all values
> > nearly equally probable.
> >
> > This rules out the simpler forms of encryption, such as xoring. I
> > note that the text contents of the Tomb Raider games have xor
> > encryption on them; that has been relatively easy to crack.
>
> I fail to see how that rules out xoring. It would seem to rule out
> xoring with a short key that is repeated, but not one generated by a
> complex pseudorandom algorithm with a very long period. (If your key is
> truly random, xoring it with anything that has no correlation to it will
> give a flat byte-frequency distribution.) Of course, such an algorithm
> would be buried somewhere in the PiD code, and could be found...

It doesn't even have to be a very good pseudo-random generator. In fact, it can be just about as bad as they come, as long as it has a long period. It could, in fact, be as simple as an increment...

The code to encrypt/decrypt a scri resource is:

    void EncodeScript (Handle h) {
        int len = **(short**) h;
        Ptr p = *h + 2;
        for (int i = 0; i < len; ++i) {
            *p++ ^= i; }
    }

Of course, there's still a little more to it than that, since the decrypted scri resource is not pure text. It contains a sequence of variable-length instructions, each consisting of a 1-byte opcode followed by parameters appropriate to that opcode. Some of those parameters are indexes into the text part, which is a sequence of N c-style strings starting at offset X, where N and X are the second and third short of the decrypted resource. Some of the strings are words to listen for, and some are the responses to those words.

-Ron Hunsinger

From: Loren Petrich <petrich@netcom.com>
Newsgroups: alt.games.marathon
Subject: Re: Pathways into Darkness Encryption?
Message-ID: <161220001000247019%petrich@netcom.com>
Date: Sat, 16 Dec 2000 18:00:23 GMT

In article <hnsngr-ya023180001612000036060001@news.flash.net>, Ron Hunsinger <hnsngr@sirius.com> wrote:

> The code to encrypt/decrypt a scri resource is:
>
>     void EncodeScript (Handle h) {
>         int len = **(short**) h;
>         Ptr p = *h + 2;
>         for (int i = 0; i < len; ++i) {
>             *p++ ^= i; }
>     }
>
> Of course, there's still a little more to it than that, ...

Thanx. I've gotten some intelligible text out of that, and I think I have a clue as to those opcodes. My guess at the moment is that they are 2-byte instead of 1-byte ones.

--
Loren Petrich
petrich@netcom.com
Happiness is a fast Macintosh
And a fast train

From: aaron@avalon.eyep.net (Aaron Davies)
Newsgroups: alt.games.marathon
Subject: Re: Pathways into Darkness Encryption?
Date: Sat, 16 Dec 2000 17:34:17 -0500
Message-ID: <1elqu0l.dbrmyr1tru46N%aaron@avalon.eyep.net>

Loren Petrich <petrich@netcom.com> wrote:

> In a TEXT resource in the M1 app, there is a little note to the
> effect that the Bungie folx had not had the time to encrypt any of the
> game's content, as had been done with earlier games.
>
> This means that there might be some encryption in Pathways into
> Darkness, and I tried to test that hypothesis by doing a byte-frequency
> test on some of its contents. In particular, I tried on all the 'scri'
> resources, and came out with an even distribution, with all values
> nearly equally probable.
>
> This rules out the simpler forms of encryption, such as xoring. I
> note that the text contents of the Tomb Raider games have xor
> encryption on them; that has been relatively easy to crack.
>
> It may not be possible to proceed much further without a fancy
> debugger :-(

Before you put a lot of work into this, I suggest you talk to Hamish. He knows someone who at least partially cracked the scri encryption, producing the "Conversations with the Dead" pages available at pid.bungie.org.

From: Loren Petrich <petrich@netcom.com>
Newsgroups: alt.games.marathon
Subject: Re: Pathways into Darkness Encryption?
Message-ID: <161220001956074312%petrich@netcom.com>
Date: Sun, 17 Dec 2000 03:56:07 GMT

In article <1elqu0l.dbrmyr1tru46N%aaron@avalon.eyep.net>, Aaron Davies <aaron@avalon.eyep.net> wrote:

> Before you put a lot of work into this, I suggest you talk to Hamish. He
> knows someone who at least partially cracked the scri encryption,
> producing the "Conversations with the Dead" pages available at
> pid.bungie.org.

I checked, and what I found there represents about as far as I've gotten in interpreting those resources -- I can get the text, but the stuff before it is mostly unintelligible to me.

--
Loren Petrich
petrich@netcom.com
Happiness is a fast Macintosh
And a fast train

From: hnsngr@sirius.com (Ron Hunsinger)
Newsgroups: alt.games.marathon
Subject: Re: Pathways into Darkness Encryption?
Message-ID: <hnsngr-ya023180001712000227320001@news.flash.net>
Date: Sun, 17 Dec 2000 10:27:26 GMT

In article <161220001000247019%petrich@netcom.com>, Loren Petrich <petrich@netcom.com> wrote:

> In article <hnsngr-ya023180001612000036060001@news.flash.net>, Ron
> Hunsinger <hnsngr@sirius.com> wrote:
> > The code to encrypt/decrypt a scri resource is:
> >
> >     void EncodeScript (Handle h) {
> >         int len = **(short**) h;
> >         Ptr p = *h + 2;
> >         for (int i = 0; i < len; ++i) {
> >             *p++ ^= i; }
> >     }
> >
> > Of course, there's still a little more to it than that, ...
>
> Thanx. I've gotten some intelligible text out of that, and I think I
> have a clue as to those opcodes. My guess at the moment is that they
> are 2-byte instead of 1-byte ones.

I can give you some more information.

First off, I want to correct an error in the above code. The length word at the beginning of the resource counts itself as part of the length.
The above code assumes it doesn't, so it translates two bytes beyond the end of the resource. To correct it, the initial value for len should be:

    int len = **(short**) h - 2;
                            ^^^

Oddly, the code I posted is exactly the code I used to decrypt the resources lo these many moons ago. I guess I was just lucky it didn't crash.

You can partially DeRez the decrypted resource using this definition:

    type 'scri' {
        unsigned integer = StringEnd / 8;
        unsigned integer = $$Countof (StringArray);
        unsigned integer = StringStart / 8;
        unsigned integer = 1;       /* I don't know what this is */
        unsigned integer = 10;      /* I don't know what this is */
        literal longint;            /* Type of corpse */
    CodeStart:
        hex string [StringStart / 8 - CodeStart / 8];
    StringStart:
        array StringArray {
            cstring;
        };
    StringEnd:
    };

That hex string starting at CodeStart is the program. The instruction set is the following. (I've made up the names, and I'm a little unclear on the finer nuances of some of them. I think I knew the details at one time, but my notes are incomplete in places.)

    a (byte) is 8 bits
    a (word) is 16 bits
    an (OSType) is 32 bits containing 4 printable characters
    branch instructions contain a 16-bit signed delta which, if added to
        the address of the *beginning* of the current instruction, gives
        the address of the beginning of the instruction being branched to
    a filler is always ignored, and usually contains garbage
    strings are referenced by index, not offset, starting at zero

Test Environment
    opcode = 0 (byte)
    filler (byte)
    what to check (OSType)
    delta (word)

    Tests the indicated condition in the environment, and branches if the condition is true. (For example, 'dark' is true if you do not have a turned-on flashlight. See scri#138.)

Test Variable
    opcode = 1 (byte)
    filler (byte)
    mask (word)
    value (word)
    delta (word)

    There is a word-size variable associated with each corpse. The value is retained across uses of the yellow crystal. The condition being tested is ((variable & mask) == value).
    An unconditional branch is obtained by setting mask = value = 0.

Speak
    opcode = 2 (byte)
    variations (byte)
    first string (word)

    Speaks a randomly selected string from among the <variations> strings starting with indicated <first string>. For example, the instruction 02030007 randomly selects one of string #7, string #8, or string #9 for output.

Listen
    opcode = 3 (byte)
    prompted (byte)
    hidden (byte)
    filler (byte)
    first word (word)
    deltas (array of words)

    Waits for input from the user, then scans it looking for one of the known words. <prompted> is the number of words that are given to the user (in a popup menu, perhaps?). This is always zero in PiD. <hidden> is the number of words that the user has to stumble across by guesswork. The words themselves appear as strings, starting with string #<first word>. The array of deltas contains one element for each word; the instruction does a conditional branch using the delta from the best match found. If none of the words are found in the input, execution falls through to the next instruction.

Set Variable
    opcode = 4 (byte)
    filler (byte)
    mask (word)
    value (word)

    Sets the indicated portion of the variable associated with the current corpse. I believe the calculation is:

        variable = (variable & ~mask) | (value & mask);

    but that's one of the things I didn't put in my notes. The most common use of this is to remember if you've talked to this corpse before, so it can say something different when you come back. ("Hello again" instead of "Who are you?")

Callback
    opcode = 5 (byte)
    filler (byte)
    action (OSType)

    Performs the indicated action. (Must be one built into the engine.) The only action I know of is 'STOP'. The program for each scri resource ends with a callback to this action. (That is, the final instruction is always 05xx53544F50, where the xx is garbage.) That final instruction is never reachable.

As an example, the program contained in scri#138 (for the corpse on "We Can See In the Dark, Can You?") begins as follows:

    000E: 0000 6461 726B 003A    // if 'dark' goto 0048 (000E+003A)
    0016: 0201 0000              // speak 0 ("Get that light away from me! Get it away! No lights! They're coming!")
    001A: 0300 045F 0001         // listen for 4 words starting at #1
          0016 0016 0022 0022    // goto, respectively,
                                 //   light -> 0030 (001A+0016)
                                 //   flashlight -> 0030 (001A+0016)
                                 //   they -> 003C (001A+0022)
                                 //   who -> 003C (001A+0022)
    0028: 019B 0000 0000 FFEE    // goto 0016 (0028+FFEE)
    0030: 0201 0005              // speak 5 ("They're attracted to your light. Fool! Get away from me!")
    0034: 019B 0000 0000 FFE6    // goto 001A (0034+FFE6)
    003C: 0201 0006              // speak 6 ("Those things, those things! They're all around, they hide in the corners until they see light ...")
    0040: 019B 0000 0000 FFDA    // goto 001A (0040+FFDA)
    0048: 0201 0007              // speak 7 ("Are they following you? You don't have any lights, do you? Stay away ...")
    004C: 0300 2365 0008         // listen for 35 words starting at #8
          0070 00D0 ...          // goto, respectively, ...

-Ron Hunsinger

From: Loren Petrich <petrich@netcom.com>
Newsgroups: alt.games.marathon
Subject: Re: Pathways into Darkness Encryption?
Message-ID: <191220000138341211%petrich@netcom.com>
Date: Tue, 19 Dec 2000 09:38:34 GMT

In article <hnsngr-ya023180001712000227320001@news.flash.net>, Ron Hunsinger <hnsngr@sirius.com> wrote:

[details of scri-resource code...]

Thanx. I doubt if I could ever have figured that out. I'll see how well it works by constructing some parsing code.

--
Loren Petrich
petrich@netcom.com
Happiness is a fast Macintosh
And a fast train
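
Added example, not code posted by anyone in the thread: a bounds-checked C decoder and disassembler for the decrypted 'scri' layout Ron Hunsinger describes, using his corrected count so the XOR never runs past the resource. It assumes big-endian fields and that a Listen instruction carries prompted + hidden deltas; the names scri_xor, scri_disasm and SAMPLE, and the sample resource with its 'test' corpse type, are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { CODE_START = 14 };  /* five header words + 4-byte corpse type */
static unsigned be16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }

/* XOR each byte after the length word with the low byte of its index. The length
   word counts itself, so len - 2 bytes change. -1 if it does not fit the buffer. */
int scri_xor(uint8_t *buf, size_t size) {
    if (size < 2) return -1;
    size_t len = be16(buf);
    if (len < 2 || len > size) return -1;
    for (size_t i = 0; i + 2 < len; ++i) buf[i + 2] ^= (uint8_t)i;
    return 0;
}

/* Walk a decrypted program, printing to `out` if non-NULL. Returns the instruction
   count, or -1 on a bad opcode, truncation, or out-of-range string or branch. */
int scri_disasm(const uint8_t *b, size_t size, FILE *out) {
    static const char *name[] = { "test-env", "test-var", "speak",
                                  "listen", "set-var", "callback" };
    if (size < CODE_START) return -1;
    size_t end = be16(b), nstr = be16(b + 2), strs = be16(b + 4);
    if (end > size || strs > end || strs < CODE_START) return -1;
    int count = 0;
    for (size_t pc = CODE_START; pc < strs; ++count) {
        unsigned op = b[pc];
        if (op > 5 || strs - pc < 4) return -1;
        size_t words = op == 3 ? (size_t)b[pc + 1] + b[pc + 2] : 0;
        size_t ilen = op <= 1 ? 8 : op == 2 ? 4 : 6 + 2 * words;
        if (ilen > strs - pc) return -1;
        if (op == 2 && be16(b + pc + 2) + b[pc + 1] > nstr) return -1;
        if (op == 3 && be16(b + pc + 4) + words > nstr) return -1;
        if (out) fprintf(out, "%04zX: %s", pc, name[op]);
        /* deltas sit at offset 6 and are relative to the instruction start */
        for (size_t k = 0; k < (op <= 1 ? 1 : words); ++k) {
            long d = be16(b + pc + 6 + 2 * k);
            long target = (long)pc + (d >= 0x8000 ? d - 0x10000 : d);
            if (target < CODE_START || target >= (long)strs) return -1;
            if (out) fprintf(out, " ->%04lX", (unsigned long)target);
        }
        if (out) fputc('\n', out);
        pc += ilen;
    }
    return count;
}

/* Constructed sample (not game data): header, 5 instructions, 3 strings. */
static const uint8_t SAMPLE[61] = {
    0x00,0x3D, 0x00,0x03, 0x00,0x2C, 0x00,0x01, 0x00,0x0A, 't','e','s','t',
    0x02,0x01,0x00,0x00,                        /* 000E speak #0       */
    0x03,0x00,0x01,0x00,0x00,0x01,0x00,0x10,    /* 0012 listen -> 0022 */
    0x01,0x00,0x00,0x00,0x00,0x00,0xFF,0xF4,    /* 001A goto 000E      */
    0x02,0x01,0x00,0x02, 0x05,0x00,'S','T','O','P', /* 0022 speak #2, 0026 STOP */
    'h','e','l','l','o',0, 'w','h','o',0, 'n','o','b','o','d','y',0
};

int main(void) {
    uint8_t res[sizeof SAMPLE];
    memcpy(res, SAMPLE, sizeof res);
    scri_xor(res, sizeof res); scri_xor(res, sizeof res); /* encrypt, then decrypt */
    return scri_disasm(res, sizeof res, stdout) == 5 ? 0 : 1;
}
```

Truncating the buffer makes scri_xor return -1, and an out-of-range delta makes scri_disasm return -1, rather than touching memory outside the resource.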