Typhoon

DID’s most popular flight simulation.
mikew
Data Genius
Posts: 397

Post by mikew »

Going off topic on the very first post...

For a change of scenery, I thought I'd take another look at Typhoon. Last time the game was <10 years old, so felt a bit guilty trying to take it apart to see if it contains any F22 heritage.
While the game has been available on Steam since 2014, nothing has been done to improve the game as far as I can tell, and the data file is identical to that of the original game.
The exe is a bit different though.
From my original install CD, the game exe was built in March 2001 according to its header info.
The Steam exe has a date of 1970, so has been manipulated in some way. It is also smaller, and from what I see using 'CFF Explorer's Dependency Walker', that difference could be explained by some Windows statically linked libraries being removed.

So, I'm wondering if there is some 'steamification tool' which takes an old game exe and 'relinks' it to maybe perform better on later Windows.
[Attached image: typh_dll.PNG]
That's the only explanation I can think of. If somebody spent the time to do it manually, they might as well improve the game at the same time.
Krishty
Site Admin
Posts: 823

Post by Krishty »

Great stuff 👍

Just 4048 bytes into the original EXE, you’ll find this:

00 00 00 00 42 6F 47 5F 20 2A 39 30 2E 30 26 21   ....BoG_.*90.0&!
21 20 20 59 79 3E 00 00 00 00 00 00 00 00 00 00   !  Yy>..........
00 00 00 00 02 00 00 00 0A 00 00 00 1E 00 00 00   ................


Search for BoG_ reveals a copy protection named SafeCast 2.4 and an article on how to crack it: http://www.reversing.be/article.php?sto ... mode=print

So the original EXE is encrypted. Starting it extracts the payload to TEMP after some DRM shit, and this payload is the actual game.

I suppose they removed the copy protection for Steam and shipped the payload directly. There should be warez out there to circumvent the copy protection, but I trust my intuition that it’s probably identical …
Krishty
Site Admin
Posts: 823

Post by Krishty »

If you start Visual Studio > Continue without code > File > Open > File …, then you’ll see three dialog resources coded into the EXE:

[Three attached images: image.png]

This technique has also been used in ADF/TAW, albeit with a single, almost empty dialog. Looks like fantastic surprises waiting!
Krishty
Site Admin
Posts: 823

Post by Krishty »

Out of interest, I searched for strings containing .c.

.\didlemul\didlemul.c(26)
ADF/TAW contains the string didlib in a few places, because that seems to be the internal name of the 3D engine used back then. didlemul could be a didlib emulator

\f22code\afterf22.c(341)
f22code also appears in the ADF/TAW EXE because f22 was the codename for ADF/TAW, and afterf22 could mean “the game after f22”.

\f22code\aid.c
This path can also be found in the ADF/TAW EXE and to my knowledge implements SmartView – aid for AI Director.

campaign\coll.dat […] \f22code\coll.c(183) […] Fatal Error […] Cannot open %s
We all remember the error code that ADF & TAW spit out when they are started from the wrong directory, don’t we? It’s exactly that.

\f22code\avbuffer.c
\f22code\bases.c
\f22code\callsign.c
\f22code\cg_targ.c
\f22code\collev.c
\f22code\f22veclib.c
\f22code\genview.c
\f22code\initgam.c
\f22code\kots.c
\f22code\message.c
\f22code\para.c
\f22code\waypoint.c
\f22code\wpalien.c
\f22code\wptasks.c
\f22code\zone.c
\hudlib\hudint.c
\hudlib\ladders.c
\hudlib\tokenise.c
\f22code\flights.c
\f22code\taxiing.c
\f22code\groupai.c
\f22code\turret.c
\f22code\turtype.c
\mission\newmiss.c(119)

I won’t bother looking it up, but I feel like I have seen almost all of those source file names in the ADF/TAW EXE before.

Typhoon is definitely built on TAW source code. No way of denying this.
Krishty
Site Admin
Posts: 823

Post by Krishty »

mikew wrote: 2022-Mar-02, 19:43
"The Steam exe has a date of 1970, so has been manipulated in some way."
This made me curious.

For one, the dateTimeStamp is no longer used as a timestamp nowadays. But the EXE is from 2000, so this should not be a concern.

If we look at the timestamp, it has the hex value 31313931. This is definitely manipulated.

If we express the four bytes as ASCII codes, we get 1191. This is weird, to say the least. It can’t mean 1.1.9.1 because the version information resource says 1.0.4.4 …

Furthermore, the header contains the string nofear inside of a padding region. It’s enclosed in spaces instead of zeros, so it hasn’t landed there by accident. I’m beginning to think that this version has been cracked by a warez group; nofear may be the cracker’s signature, and the version string may be an easter egg …?!

(This is not the first time a cracked executable is distributed officially; half of the games on GoG come in cracked executables for the very reason we know so well: Developer has filed for bankruptcy or has lost the source code, but the publisher needs to get rid of the copy protection somehow.)
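
The header observations in the posts above (the BoG_ marker, a timestamp whose bytes read as ASCII, and text inside the header padding) can be checked mechanically. This is an added example, not code from the thread: the function and key names are assumptions, and build_sample() produces a constructed header-only image rather than bytes from the real EXE.

```python
import re
import struct

SAFECAST_MARKER = b"BoG_"  # marker string quoted earlier in the thread


def triage_pe(data: bytes) -> dict:
    """Report header oddities of the kind discussed in the thread."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, two symbol-table
    # fields, SizeOfOptionalHeader, Characteristics (20 bytes in total).
    _, n_sections, stamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    # SizeOfHeaders sits at offset 60 of the optional header (PE32 and PE32+).
    (size_of_headers,) = struct.unpack_from("<I", data, opt_off + 60)
    # Bytes between the end of the section table and SizeOfHeaders are
    # padding, which is normally zero-filled.
    table_end = opt_off + opt_size + 40 * n_sections
    padding = data[table_end:size_of_headers]
    raw = stamp.to_bytes(4, "big")  # same order as the hex value is written
    printable = all(0x20 <= b <= 0x7E for b in raw)
    marker = data.find(SAFECAST_MARKER)
    return {
        "timestamp_hex": f"{stamp:08x}",
        "timestamp_ascii": raw.decode("ascii") if printable else None,
        "padding_strings": [m.decode("ascii") for m in
                            re.findall(rb"[\x21-\x7e]{4,}", padding)],
        "safecast_offset": marker if marker >= 0 else None,
    }


def build_sample(stamp: int = 0x31313931, pad: bytes = b"  nofear  ") -> bytes:
    """Constructed 1 KiB header-only image; not bytes from the real EXE."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)            # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, stamp, 0, 0, 0xE0, 0x10F)
    struct.pack_into("<H", img, 0x98, 0x10B)           # PE32 magic
    struct.pack_into("<I", img, 0x98 + 60, 0x400)      # SizeOfHeaders
    img[0x178:0x17D] = b".text"                        # one section entry
    img[0x1C0:0x1C0 + len(pad)] = pad                  # text inside the padding
    return bytes(img)


if __name__ == "__main__":
    print(triage_pe(build_sample()))
```
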
mikew
Data Genius
Posts: 397

Post by mikew »

Aha, so what I thought was some smart 'steamification tool' is likely an ugly 'warez hack'.
If I do a quick search for 31313931, it's mentioned a couple of times as being in the header of 'Heroes of Might and Magic' and 'Command & Conquer', so maybe the same operator. I don't really want to look into this further.

Come to think of it, years ago I couldn't run the game in the IDA debugger, so it must have been SafeCast stopping that. So, this should be helpful but it's not much better now, as the PC locks up totally if I try to set a breakpoint.
mikew
Data Genius
Posts: 397

Post by mikew »

So, leaving the exe for a moment to look at the big data archive 'typhoon.dat'...
The files from the Steam release and original are exactly the same size, and while I haven't done a byte comparison, I expect them to be identical.
Some time ago, there was a discussion on Discord about this file, and while there are a lot of unknowns about its structure, the payload of 13920 files can be extracted and partially categorized by the following Python script:

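import os
import numpy as np

def MightBeAChar(c):
    # Tab..CR, printable ASCII and 0xFF count as text-like bytes
    if c >= 9 and c <= 13 or c >= 32 and c <= 126 or c == 255:
        return True
    return False

raw=open("typhoon.dat","rb").read()
os.makedirs("unknown", exist_ok=True) # output folder must exist before writing
numfiles=0x3660 # 13920 files
i=0x50 # first file entry starts at 0x50
e=0
while e<numfiles:
    # each entry starts with 8 bytes; the first 4 hold the payload size (little-endian)
    size=raw[i]+raw[i+1] * 256+raw[i+2] * 256 * 256+raw[i+3] * 256 * 256 * 256
    outbuffer=np.zeros(size,dtype=np.ubyte)
    f=0
    is_text = True
    while f<size:
        outbuffer[f]=raw[i+8+f]
        # only the first 64 bytes decide whether the file looks like text
        if f < 64 and not MightBeAChar( outbuffer[f] ):
            is_text = False
        f+=1
    ext = ".dat"
    w_filter = True # set to False to skip writing files
    if size >= 4:
        if is_text:
            ext = ".txt"
        # magic numbers of known formats override the text guess
        if outbuffer[0] == ord('B') and outbuffer[1] == ord('M'):
            ext = ".bmp"
        elif outbuffer[0] == ord('R') and outbuffer[1] == ord('I') and outbuffer[2] == ord('F') and outbuffer[3] == ord('F'):
            ext = ".wav"
        elif outbuffer[0] == ord('D') and outbuffer[1] == ord('D') and outbuffer[2] == ord('S'):
            ext = ".dds"
    if w_filter:
        outbuffer.tofile(os.path.join("unknown", "unk"+"{0:04x}".format(e)+ext))
    print("Completed: {0:04x}".format(e))
    i+=size+8 # skip the 8-byte entry header plus the payload
    e+=1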
Thanks to duc_ttm for tidying up my initial script.

I've only just started looking at the extracted files, but we see some interesting things already:

;	Copyright   : Digital Image Design Ltd
;	File        : gbvtypes.txt
;	Author      : tim preece
;	Date        : April 1997
;	Format      : PC
;	Description : gbased, ships, tanks etc.. data
;
;	$Revision: 1.1.1.1 $
;	$Log: gbvtypes.txt,v $
;	Revision 1.1.1.1  1998/10/21 11:11:20  russ
;	copied over from TAW code
;
So, some evidence m'lud that Typhoon is reusing at least some TAW code.
mikew
Data Genius
Posts: 397

Post by mikew »

'typhoon.dat' has certain similarities to the 'did.dat' of earlier games, but a couple of notable differences.
The file can be considered to contain a 'header', the 'payload' files, then 3 blocks of data with each one starting at an address given by 3 pointers in the 'header'.
The first block is just 16 bytes, and contains the number of files (13920) plus some padding.
The second block is ~250kB in size, and seems compressed apart from the first 4 bytes giving the size of the block.
For the earlier 'did.dat's, this area would be occupied by the lists of folders and file extensions, so this data block may have something to do with that.
Finally, the third block contains a list of what looks like filename hashes and start addresses for each file in the archive with 4 bytes each for the hash and address. The 'did.dat's had 4 bytes in this list for the size of each file, but in 'typhoon.dat' the first 8 bytes addressed by the destination given in the list contain each file size.

I suspect the hash algorithm will be something similar to TAW's, and since I think we know some file names, it might be worth trying some guessing to see if we get a match. Even if it is exactly the same algorithm, we don't know the bytes used by the folders and extensions (if used at all) and that 'magic number' that differs for EF2000 V2.0, ADF and TAW. Plenty of permutations to try...
mikew
Data Genius
Posts: 397

Post by mikew »

mikew wrote: 2022-Mar-04, 13:26
"I suspect the hash algorithm will be something similar to TAW's..."
Well, I don't suspect that anymore.

The hashes are arranged in the dat file in a similar order, i.e. those starting with 0x80 first, but for EF/ADF/TAW the first 4 bits give the length of the filename being hashed. So, in practice, that means the lowest first number will be 2 assuming a one character filename plus extension. With the DOS limit of 8 chars plus extension and folder symbols, the largest hash might be 10(0xA) and that's what we see for TAW's hash list at the point where we go from the largest to the smallest:
affeb949 3\ctscnl_3.3
affeed49 3\ctscnl_4.3
201a9b00 UNK\noname10820.UNK
300bb001 fonts\MICRO\8.fnt

but at the corresponding transition in typhoon.dat, we have:
ee6304de
ee64f367
0001f2a9
000324aa

So, the hash function is definitely different.
mikew
Data Genius
Posts: 397

Post by mikew »

Back to typhoon.exe, and surfing for strings, we see a lot of things like this:
[Attached image: tawinty.PNG]
Those names don't look very Icelandic. :D

I was led to believe that Typhoon was based on the amazing 3dream engine, but maybe it's just a re-skinned TAW but a bit dumbed down. :(
mikew
Data Genius
Posts: 397

Post by mikew »

If I run the game with a -menu command line option, one of the dialogs posted earlier gets activated:
[Attached image: tmenu.PNG]
...it crashes if I select anything though.

There's a whole bunch of command line options, although -nointro is the only useful one I've seen so far.
Krishty
Site Admin
Posts: 823

Post by Krishty »

FANTASTIC! 🚀