Race wtcc research

aluigi · **Posted:** 14 Jan 2009 01:13

here I have no problems, but I have found what is yours.
seems that yours extractor for the file MAS is wrong, in fact it has "eated" the first 16 bytes of that dds.
I can confirm this hyphotesis because I have deleted the first 16 bytes of the same file and I see the same signature in your error.
so please check your mas2files tool first.

mario · **Joined:** 30 Nov 2008 06:15 **Posts:** 16

weird

i use the official mas.exe from ISI

aluigi · **Posted:** 15 Jan 2009 22:27

offtopic: just for fun I tested the old critical vulnerabilities I found in the 2007 in the rfactor/gmotor engine and ARCA Sim Racing 1.138 (the latest version exist, relaesed the 30 december 2008) is vulnerable too: rfactorx.exe 1 t 127.0.0.1
http://aluigi.org/adv/gmotor2-adv.txt
http://aluigi.org/adv/rfactorx-adv.txt

6ecko · **Joined:** 29 Aug 2008 05:20 **Posts:** 2

Hello all,
It's possible, to make the "same" great decrypter but for "Simulador turismo carretera", very good cars and tracks but impossible to convert for other ISI motor.
Thanks in advance, if it's possible.

Bye

aluigi · **Posted:** 16 Jan 2009 18:34

upload somewhere a couple of the encrypted files of that game and I will take a look at it to see if it's a common format

JBob · **Joined:** 17 Jan 2009 01:04 **Posts:** 7

Hi, when running the rfactordec it always skips 4bytes of data when trying to decrypt files. I unpacked the mas files using Mas2File tool (dos version).

Attachment:

rfactordec.JPG [ 46.09 KiB | Viewed 3513 times ]

Using the rfacordec version from 16/01/2009.

Below is a mas file i have been using.
http://postdownload.filefront.com/12996 ... a5769a1abc

aluigi · **Posted:** 17 Jan 2009 01:33

argh, a bug introduced in the last version affecting the GMT (the first 4 bytes of the output file were the first 4 of the input), solved immediately in 0.1.2a.
thanx

aluigi · **Posted:** 17 Jan 2009 01:42

and released also version 0.1.2b with the signature of Turismo Carrettera, luckily it was based on the same gMotor2 engine :)

JBob · **Joined:** 17 Jan 2009 01:04 **Posts:** 7

great news about Turismo Carrettera, a game i bought but being in europe nobody plays so finally can have it on rFactor as a mod and make life simple.

I still appear to have problems writing new files, all i've done is used the find.exe and altered the wtcced_all.bat file to suit the rfactordec, with the lines below but it seems to fail to write the new files to the decrypt directory.

Code:

md c:\rfactored\decrypt
c:\rfactored\find GameData -exec c:\rfactored\rfactordec.exe "{}" "c:\rfactored\decrypt\{}" ;

aluigi · **Posted:** 17 Jan 2009 13:27

ok, released version 0.1.2c which automatically creates the output folder if doesn't exist

6ecko · **Joined:** 29 Aug 2008 05:20 **Posts:** 2

this new version work perfectly, thanks luigi U are a BOSS

Max

JBob · **Joined:** 17 Jan 2009 01:04 **Posts:** 7

Hi, was wondering is it possible to decrypt an F1C file, currently the rfactor dec doesn't do it, due to possible file format difference, rfactor uses .gmt where as f1c uses .mts. Both use the gMotor2 engine though.

Attached are 2 .mts files, one that is unlocked, and one that was encrypted using zmodeler 1.07 that has been used to encrypt other .mts files.

Attachment:

v8.zip [84.99 KiB]
Downloaded 234 times

Thanks for all the help :)

aluigi · **Posted:** 18 Jan 2009 15:05

it's not an encryption, it's only a byte at offset 0xd74 of the file which if is not zero (or another specific positive value) means that the file is locked.
so if you put a zero at that offset with a hex editor you can open the file without problems.

JBob · **Joined:** 17 Jan 2009 01:04 **Posts:** 7

ok thanks :) have no idea about the encryption/locking, just modding the games.

JBob · **Joined:** 17 Jan 2009 01:04 **Posts:** 7

hate to be a pain, but i haven't got a clue where the offset 0xd74 is in the hex. offset letters only range from A to E.

aluigi · **Posted:** 18 Jan 2009 21:26

*EDIT* removed attachment

JBob · **Joined:** 17 Jan 2009 01:04 **Posts:** 7

works on the file i sent, but doesn't work on other .mts locked files, can't work out why as they were locked using zmodeler. Perhaps should of sent more file first time so you could check.

Attachment:

v8_vy.zip [161.96 KiB]
Downloaded 214 times

aluigi · **Posted:** 18 Jan 2009 22:27

in this case patching the filters is the best solution.

the filters are mts01.zmf and mts02.zmf which are packed with UPX so after decompressing them (upx -d file.zmf) it's enough to modify them as follows:

Code:

Filters\mts01.zmf
0000165F   0F       90
00001660   84       E9

Filters\mts02.zmf
00001795   0F       90
00001796   84       E9

in case of problems I have attached the files already patched to this thread.

JBob · **Joined:** 17 Jan 2009 01:04 **Posts:** 7

thanks for all your help

mario · **Joined:** 30 Nov 2008 06:15 **Posts:** 16

bad news

arca sim format seems to have changed a bit, again

the files decrypt, but they wont load in rF or in 3dsimedit

fxs · **Joined:** 31 May 2009 17:38 **Posts:** 5

i get som Permission Denied for race07 files... thats ok ?

aluigi · **Posted:** 31 May 2009 17:57

don't worry it's all ok.
practically the "find" program seaches anything inside the specified input folder (GameData) included files and folders so when wtcced is launched using a folder as input it gives the "Permission Denied" error and find continues its scanning.
so it's all perfectly normal

P.S.: is possible to avoid the executing of wtcced on the folders simply specifying "-type f" in the find command like in the following example:

Code:

md c:\wtcced\decrypt
c:\wtcced\find GameData -type f -exec c:\wtcced\wtcced.exe "{}" "c:\wtcced\decrypt\{}" ;

fxs · **Joined:** 31 May 2009 17:38 **Posts:** 5

Hi aluigi

can u add a support for Top Race 2009 ? is the same gmotor2 engine by Turismo Carretera with some updates.

see the attach, pls.

thx

aluigi · **Posted:** 11 Sep 2009 15:20

I have already added the signature of Top Race 2009 in both rfactordec and rfactorgmdec:
http://aluigi.org/papers.htm#rfactordec
http://aluigi.org/papers.htm#rfactorgmdec

fxs · **Joined:** 31 May 2009 17:38 **Posts:** 5

wow, great aluigi... ;)

fxs · **Joined:** 31 May 2009 17:38 **Posts:** 5

well, i cant decrypt this file in attach... :\
here is my bat

md c:\gmt\decrypt
c:\gmt\find GameData -exec c:\gmt\rfactordec.exe "{}" "c:\gmt\decrypt\{}" ;

aluigi · **Posted:** 11 Sep 2009 17:31

that file can't be decrypted because it's not a file encrypted using the algorithms of the rfactor-engine.

*edit, it's not a activemark file*

anyway at the moment I don't know what algorithm (and key) is used to encrypt those particular GMT files

aluigi · **Posted:** 12 Sep 2009 15:21

I have just updated the rfactordec tool: http://aluigi.org/papers.htm#rfactordec
practically thes files have an additional 7bytes header and the bytes decreased of one, but for the rest are exactly like the others and so decryptable without problems.

an interesting thing I have noticed during my tests:
TopRace2009 uses a "horrible" way to decrypt these "CHTN1R1" files, practically it:
- copies the content of the whole file decreased of one in Resource\temp.tmp
- check the BGSM0Q0 header
- copies the new content without the first 7 headers in the old file

this method is horrible not only for the performances (uses fgetc for all the operations and a new file) but also for the integrity of the files because if there is a loss of energy just in the moment of these operations you lose one or more files... imho bad

KampferAs · **Joined:** 30 Sep 2009 04:49 **Posts:** 16

aluigi wrote:

it's not an encryption, it's only a byte at offset 0xd74 of the file which if is not zero (or another specific positive value) means that the file is locked.
so if you put a zero at that offset with a hex editor you can open the file without problems.

Sorry, I have the same issue and am unable to locate 0xd74 in my hexeditor. as it is displaying all in the 0-f range....

Thanks in advance

aluigi · **Posted:** 30 Sep 2009 11:53

uffff, in attachment there is a simple lpatch file:
- download lpatch: http://aluigi.org/mytoolz.htm#lpatch
- launch lpatch.exe
- select mtsunlock.lpatch
- select the mts file to unlock
- you should see a success message

remember that I don't know the exact format of the mts files so 0xd74 could be the wrong offset for some of them.

*edit* check the patch in my next post

Luigi Auriemma

Race wtcc research