Welcome to Xbox Chaos: Modding Evolved


Nobody

Modding Information Collection

13 posts in this topic

I've started this thread as a way we can share information on what we find for Halo 4 modding. Through the XEX, I've found that the campaign is using a SHA hash again, and also that they have resorted to using AES encryption for some mode. I cannot look more into it since my JTAG is broken, but I'll see what I can get with this.


Is AES possible to decrypt, or are we going to have to name all the dang stuff like we did in Reach? lol

AES is not possible to brute-force unless you don't mind waiting over one billion years for the operation to finish. We'll be stuck using taglists like in Reach, unfortunately.

The main thing that 343 uses AES for is language data in .map files. The passphrase for the key is "BungieHaloReach!" because 343 was too lazy to change it. XOR each byte in that ASCII passphrase string with 0xA5 to get the AES key, and XOR each byte in that key with 0x3C to get the IV. Reach also used AES for generating SneakerNet keys, with the passphrase "SneakerNetReigns".

Campaign saves are salted with the same salt as in Reach, which is EDD43009666D5C4A5C3657FAB40E022F535AC6C9EE471F01F1A44756B7714F1C36EC. Fill the hash area with 0x00, prepend the salt to the file, and hash it.

GPDs are also hashed in the same way as in Reach - fill the hash area with 0x99, hash the file with SHA-1, and store it.

Literally, nothing has changed related to security between Reach and H4 - don't bother looking into that. Even the basics of the map format only changed by around 16 bytes or so (excluding the various meta formats).


Wow! One billion years to brute-force AES :( And how can I help with getting Ascension to work with H4 maps so I can help everyone find tags lol. But if you want me to find vehicle tags for H4, I need help getting vehicles to spawn using firing effect lol so I don't freeze up the game :P


AES is not possible to brute-force unless you don't mind waiting over one billion years for the operation to finish. We'll be stuck using taglists like in Reach, unfortunately.

The main thing that 343 uses AES for is language data in .map files. The passphrase for the key is "BungieHaloReach!" because 343 was too lazy to change it. XOR each byte in that ASCII passphrase string with 0xA5 to get the AES key, and XOR each byte in that key with 0x3C to get the IV. Reach also used AES for generating SneakerNet keys, with the passphrase "SneakerNetReigns".

Campaign saves are salted with the same salt as in Reach, which is EDD43009666D5C4A5C3657FAB40E022F535AC6C9EE471F01F1A44756B7714F1C36EC. Fill the hash area with 0x00, prepend the salt to the file, and hash it.

GPDs are also hashed in the same way as in Reach - fill the hash area with 0x99, hash the file with SHA-1, and store it.

Literally, nothing has changed related to security between Reach and H4 - don't bother looking into that. Even the basics of the map format only changed by around 16 bytes or so (excluding the various meta formats).

Of course. I'm more interested in campaign, unless the offset hasn't changed? If it hasn't, I'll just look into how it saves general stuff in the GPDs, campaign saves, and film formats. Thanks for all that stuff though, haven't really got into Reach modding so I never knew.

Edited by Nobody


GPD has 3 title-specific settings.

Spartan XP is at 0x180 in the first setting, and 0x310 in the second. It's 0x4 long in each.

Clan tag is at 0x12B in the first setting; it's Unicode for some reason.

To rehash, paste settings 1, 2, and 3 in order, change the SHA-1 hash at 0x258 in setting 3 to 0x99, take a SHA-1 hash, then paste that into the original third setting. Old news there.

Classes are in the third setting. Not sure where armor or spartan points are saved.

(paraphrased and edited a bit from http://www.xboxchaos...-xp/#entry20683)

Edited by ShadeTH


Of course. I'm more interested in campaign, unless the offset hasn't changed?

I'm not sure about the campaign offsets - chances are they've changed, but I haven't looked into it since I've mostly been concerned with H4 .map modding. Maybe Xerax could shed some light here... :rolleyes:


I'm not sure about the campaign offsets - chances are they've changed, but I haven't looked into it since I've mostly been concerned with H4 .map modding. Maybe Xerax could shed some light here... :rolleyes:

I actually made a "check-sum finder", basing the information off Reach. The program went through every possible 0x14-byte range and compared it to the SHA-1 hash of the file with that byte array nulled. I can't use it though, since it never appears to finish responding.

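The scan described in the post above, written out as an added example (not the poster's tool and not code from the thread): it builds a constructed sample file hashed the way earlier posts describe (hash area filled with 0x00 and the public salt prepended, or filled with 0x99 for the GPD case), then checks every 0x14-byte window for one that equals the SHA-1 of the file with that window replaced. The salt constant is the one quoted in the thread; the sample body and the 0x40/0x80 offsets are made up for the demonstration.

```python
import hashlib
from typing import Optional

HASH_LEN = 0x14  # SHA-1 digest length, the window size the post scans with

# Salt quoted earlier in the thread for campaign saves (public, so not secret).
REACH_SALT = bytes.fromhex(
    "EDD43009666D5C4A5C3657FAB40E022F535AC6C9EE471F01F1A44756B7714F1C36EC"
)


def expected_hash(data: bytes, offset: int, fill: int = 0x00,
                  salt: bytes = b"") -> bytes:
    """Hash the scheme would store at `offset`: overwrite the 0x14-byte hash
    area with `fill`, prepend `salt`, then SHA-1 the whole thing."""
    buf = bytearray(data)
    buf[offset:offset + HASH_LEN] = bytes([fill]) * HASH_LEN
    return hashlib.sha1(salt + bytes(buf)).digest()


def find_hash_offset(data: bytes, fill: int = 0x00,
                     salt: bytes = b"") -> Optional[int]:
    """Brute-force locate the stored hash: return the first offset whose
    0x14 bytes equal the SHA-1 of the file with that window filled.
    Each candidate rehashes the entire file, so cost grows with the square
    of the file size, which is why this 'never finishes' on a real save."""
    for off in range(len(data) - HASH_LEN + 1):
        if data[off:off + HASH_LEN] == expected_hash(data, off, fill, salt):
            return off
    return None


def build_sample(offset: int, fill: int = 0x00, salt: bytes = b"") -> bytes:
    """Constructed stand-in for a save file (not real game data): a 256-byte
    deterministic body with a valid hash written into the chosen window."""
    body = bytearray((i * 37 + 11) & 0xFF for i in range(256))
    body[offset:offset + HASH_LEN] = expected_hash(bytes(body), offset, fill, salt)
    return bytes(body)


if __name__ == "__main__":
    sample = build_sample(0x40, 0x00, REACH_SALT)
    print(hex(find_hash_offset(sample, 0x00, REACH_SALT)))  # 0x40
```

Because the salt is public and no secret key is involved, anyone holding the file can recompute the stored value; a keyed MAC over the same bytes would be the minimal change that turns this into an actual integrity check.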

Dang it lol, I hope it gets working some day. I'm dying to .map mod H4, but I'm relatively patient; if it takes an uber long time then I guess I'll have to wait, but I hope a modding program for H4 gets released though :)


Just throwing this out there since it isn't in any threads yet.

To remove RSA checks: in an unencrypted, uncompressed XEX, change the value at 0x33192C from 0x48FBFBE1 to 0x3860001.

Or just poke 0x8233392C with 0x3860001, same diff.

Edited by ShadeTH


Just throwing this out there since it isn't in any threads yet.

To remove RSA checks: in an unencrypted, uncompressed XEX, change the value at 0x33192C from 0x48FBFBE1 to 0x3860001.

Or just poke 0x8233392C with 0x3860001, same diff.

Thanks! :D


I'm not sure about the campaign offsets - chances are they've changed, but I haven't looked into it since I've mostly been concerned with H4 .map modding. Maybe Xerax could shed some light here... :rolleyes:

Yeah, the offset it stores the hash in has changed. This is from memory, so it might be wrong, but I think it stores the hash at 0x2D25C in the mmiof.bmf.


Yeah, the offset it stores the hash in has changed. This is from memory, so it might be wrong, but I think it stores the hash at 0x2D25C in the mmiof.bmf.

Yes it does. I found it out just by comparing a Reach and a Halo 4 save a while ago; it took 20 minutes. Never knew if it was right or not though.
