TTMagic | TTGames Universal Anti-Anti-DAT Check Patch

[Masquerade]

TTMagic | TTGames Universal Anti-Anti-DAT Check Patch

All findings below are part of an investigation by acidicoala, so thank you very much for your time!

In order to make repacks of LEGO games made by TTGames, you need to unpack the DAT archives because the developers use proprietary compression algorithms such as LZ2K in their archives. It is necessary to unpack and decompress these files in order to compress them smaller with tools like LOLZ.

There is also another purpose for unpacking the DAT archives, and this is modding purposes. TTGames developers decided that they did not like this and implemented a function in their game code which checks if the game is running in an unpacked state and if it is, then a FatalExit function is triggered (game crash).

The developer m0xf first figured out how to patch around this check and this is how FitGirl was able to receive patched executables for her repacks which were unpacked and decompressed.

By speaking to acidicoala, we took a look into those patched executables and determined what was changed. There were two bytes changed in the executable header, but we believe this was a watermark more than anything else since this did not affect code execution but would be a great way to check anyone using "FitGirl's" executables in their own repacks.

The next patched byte is most interesting, which was a change from a "74" byte to an "EB" at a seemingly random point in the game's code.

This byte change is significant because "EB" is hexadecimal for JMP opcode (unconditional jump), while 74 is hexadecimal for JE opcode (jump if equal).

So, it can be determined that at some point in the game code, it will jump if something is equal to something else and allow the game to run, but if the game is unpacked and no DAT archives are present, it will not jump and the FatalExit will be triggered. Now, by switching this to an unconditional jump, the game will always jump at this specific point and will always run.

What exactly the game is checking for here we are unsure about, which is why that above paragraph is ever so slightly vague.

The developers used the same function in all of the games that require an EXE patch, as can be seen by the below screenshot:



Because of this, we can construct a pattern.

ALL of the TTGames that have this DAT check will have the same pattern at some point in the EXE file visible in HxD:

Code:

74 ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? CC

The "??" bytes are different across each executable, but the B9, E8 and CC bytes are always in the same position after the 74.

This makes it rather easy to determine whereabouts your game executable needs patching!

However, an even better solution has emerged thanks to acidicoala - Koalyptus framework.

Composed of two binaries, Koalyptus is a framework that can be used to dynamically patch executables in memory. Such runtime patches have the advantage of keeping executables unmodified. The first binary is Koaloader, which hooks into the game process, and Lyptus binary is responsible for patching the executable at runtime.

Project pages:
https://github.com/acidicoala/Koaloader
https://github.com/acidicoala/Lyptus

All of the games load xinput9_1_0.dll, so we'll use this build of Koaloader as our proxy library. This means that all functions that the game would need from the actual xinput9_1_0.dll will still work since Koaloader can pass them to the actual DLL inside System32.

Next, we need to configure Koaloader to load Lyptus64.dll, so we paste this config into Koaloader.json:

Code:

{
  "logging": false,
  "modules": [
    {
      "path": "Lyptus64.dll"
    }
  ]
}

Next, we configure Lyptus64.dll library with the following patch information:

Code:

{
  "logging": false,
  "patches": [
    {
      "name": "TTMagic",
      "pattern": "74 ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? CC",
      "offset": 0,
      "replacement": "EB"
    }
  ]
}

This instructs Lyptus to find that specific pattern and swap the 74 byte for an EB, which will allow our game to run.

Now, you should have four files:

• xinput9_1_0.dll
• Koaloader.json
• Lyptus64.dll
• Lyptus.json

And these four files go into your unpacked LEGO game folder. Run the DX11 executable and be amazed that the game now loads just fine! Please note that the DX9 executables present in some LEGO games are NOT patched via this method as they are in a different architecture compared to the DX11 executables.

I have included a ready-made zip file below which has everything you need ready to drop into the game folder.

To unpack the games, you will need to use QuickBMS and then one of the below scripts:

[Script 1] - By Aluigi, use this one first.

[Script 2] - Modified script, use this if you get errors with the first script.

Credits

• m0xf - for the original method for patching the LEGO game executables
• acidicoala - for spending their time working to make the Koaloader + Lyptus solution and seeing what made the original patches work
• Aluigi - QuickBMS and script to decompress TTGames proprietary algorithms