Heroes of Hammerwatch asset.bin Structure

A month or so ago I started looking into the Heroes of Hammerwatch file structures, trying to see how easy it would be to create custom campaigns or mods. When I first got the game and started playing with it there were very few in-memory protections, but now the game seems to have quite a few protections in place, both while running and in the assets themselves.

Do note though this post is being written because I'm putting this project on hiatus for some other projects and just wanted to dump what little bits and pieces I remember for future me if I pick this up again.

Right now all I've succeeded in getting is a basic understanding of the assets.bin. There were plans to figure out the town.bsa and character .savs, but I didn't have the time.

The tools I ended up using to aid in reversing are: Radare2, Okteta, and Kaitai Struct.

Using radare to debug the game and Kaitai to template out the assets.bin with ksv, I was able to brute-force some of the structure. There are still some parts I don't understand, like what the asset_type field is used for. It seems that only 0x01 and 0x03 are used for everything. The packedsize and unpacked size seem to have another use, since assets that aren't packed still process the packedsize field and vice versa. Also, how the data is 'packed' is still a mystery to me.


As for how the game itself loads and checks the validity of the assets.bin, it uses two checks. During startup the game itself has the current version's MD5 hash compiled into the game. It will compare that hash with the hash found in the file, so you can easily bypass this check just by changing the MD5 field in the assets.bin. The other check is that every asset has its full/path/name.ext + data hashed with MD5* and then compared against the same compiled-in hash. This can only be bypassed by NOP-ing out the check, or potentially finding an MD5 collision / padding attack if you wanted to put the time into it.
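The difference between the two kinds of check, as an added example that is not from the original post or the game's code: a toy container (constructed layout, not the real assets.bin format) where one check only compares a stored digest field and the other hashes path + data. SHA-256 stands in for the game's modified MD5 in the second check, and all function names and sample values are hypothetical.

```python
import hashlib
import hmac
import struct

MAGIC = b"HWRR"                      # magic named in the post
HEADER = struct.Struct("<4s16s")     # constructed layout: magic + 16-byte digest field


def build(payload: bytes) -> bytes:
    """Pack a toy container whose header carries the MD5 of the payload."""
    return HEADER.pack(MAGIC, hashlib.md5(payload).digest()) + payload


def field_check(blob: bytes, expected_md5: bytes) -> bool:
    """Startup-style check: compare the stored digest field to a built-in value."""
    if len(blob) < HEADER.size:
        return False
    magic, stored = HEADER.unpack_from(blob)
    return magic == MAGIC and hmac.compare_digest(stored, expected_md5)


def content_check(blob: bytes, path: str, expected_sha256: bytes) -> bool:
    """Per-asset-style check: hash path + data and compare to a built-in value."""
    data = blob[HEADER.size:]
    digest = hashlib.sha256(path.encode() + data).digest()
    return hmac.compare_digest(digest, expected_sha256)


def demo() -> dict:
    path = "example/asset.txt"                       # constructed sample name
    payload = b"original asset data"                 # constructed sample data
    original = build(payload)
    pinned_md5 = hashlib.md5(payload).digest()
    pinned_sha = hashlib.sha256(path.encode() + payload).digest()
    # Same header bytes, different payload: the digest field is left untouched.
    altered = original[:HEADER.size] + b"changed asset data!"
    return {
        "field_original": field_check(original, pinned_md5),
        "field_altered": field_check(altered, pinned_md5),
        "content_original": content_check(original, path, pinned_sha),
        "content_altered": content_check(altered, path, pinned_sha),
    }


if __name__ == "__main__":
    print(demo())
```

The field comparison never reads the payload, so it accepts the altered container; only the check that hashes the content rejects it.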

There are also some quirks that I don't understand yet: how the game is using MurmurHash3 for assets, whether the assets are required to be alphabetically sorted before 'packing', and why some assets can't be packed, like .inc files.

The important bit is that if you would like to just unpack the files and see what's in there, you can purchase their other game 'Serious Sam's Bogus Detour', which comes with a PACKAGER binary that also works on the HoH assets.bin as long as you change the assets.bin magic header from HWRR to BDRP. You can also re-package with the same PACKAGER binary and change the magic back to HWRR. Then you can hex-edit the MD5 to the compiled-in version and NOP out the second check mentioned above to load a modified assets.bin.

My kaitai struct files and other notes can be found below:
https://gitlab.com/mcd1992/heroes-of-hammerwatch-tools


*MD5 Notes:
They seem to use a modified MD5 library created by Mordechai T. Abzug
ftp://pipeline.gps.caltech.edu/pub/source/sharc/sharc-1.00b2/src/md5.cpp
