jagged-jimmy
Prophet
I was tinkering with the Underrail files for a while. So I wanted to share and summarize the findings...
This is a modified "The Claw" with 75-150 Bio damage, instead of 1-3. This works in game.
Notice the "Little Endian" notation. I just searched for original Bio damage 1-3 and modified, repacked.
Original was 01 00 00 00 03 00 00 00
What we (seem to) know:
Underrail save files and data are "packed" and obfuscated. You need to "unpack" it, then you can analyze the obfuscated data.
There is a file unpacker/packer. People used it to modify fucked up quest flags.
See here https://underrail.com/forums/index.php?topic=1700.0
Tool: https://github.com/MichaelBurge/underrail-unpacker/releases
Any Underrail file is just 24 bytes + Gzipped obfuscated data. So you can write your own program in your favourite language to unpack it. Just google gzip/unzip files...
Coding wise: Ignore/remove first 24 bytes, then unzip the rest. I did it with Java...
Packing, however, is tricky. I assume the Gzip implementation might be different for C# and Java, or I fucked up somehow.
But packing works with the tool above. It is written in C#, like Underrail.
What triggered me to start my analysis:
I googled a bit and found the data format of Underrail data. Not sure it was known before, could not find any info on this.
See here https://stackoverflow.com/questions/3052202/how-to-analyse-contents-of-binary-serialization-stream
Basically for programmers among us: Styg just probably serializes the data structures (classes) using the Microsoft .NET formatter with some kind of obfuscation on. But only class and variable names are obfuscated. The overall structure and values are readable.
Approach:
First I tried to parse the whole file according to the identified format specification. But, unfortunately, either the spec I found does not fully match the actual format (slightly different version) or the obfuscation fucks the data here and there randomly, preventing my parser from working reliably.
Then I searched for records of the format anywhere in the file. Values and stuff must be stored in classes and so finding all classes and their values would be enough to find the right things to modify. This works, classes and values can be found, but their relationship (the structure) remains unknown.
Findings:
- I identified the place where stats and skills are in the file. They are saved as "value" / "effective value" and are easily modifiable.
- I could find the quality of a component in the inventory and change it to my liking. So any unique values such as money, stack sizes are probably easy to find. Finding such values is not just luck, if you know the format spec and can exclude values, which cannot be "data"/"value".
- I could modify a unique item (damage). This is also easy, as unique items have set values and their files can be unpacked and read the same way. Then just modify and replace (back up, of course).
Tools and analysis loop:
- Unpack using the tool. For me it worked without any additional SW installation.
- Use a hex editor to check out the data. I use https://mh-nexus.de/en/hxd/
- Find and modify value with the editor.
- Pack using the tool. This is important. If you modify values, I recommend using the tool to unpack/pack. For analysis only you can unpack using your own tool.
- Load up the char and check in game
- Search & Guess: create multiple saves (1 item in inventory, 4 items, etc.) and DIFF the binary output with Beyond Compare (https://www.scootersoftware.com/download.php?zz=dl3_en) or similar tools.
So yeah, in theory, one could analyse the complete data structure (manually and by custom written tools) and it might lead to something.
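Added example (not part of the original post and not code from the linked unpacker): a Python sketch of the unpack step and the little-endian search described above, covering analysis and an in-memory patch only, not repacking. The function names are hypothetical, and the sample blob is constructed with a zeroed 24-byte header rather than taken from a real game file.

```python
import gzip
import struct

HEADER_LEN = 24  # per the post: 24 leading bytes, then a gzip stream


def unpack(blob):
    """Split a packed file into (header, decompressed payload)."""
    header, body = blob[:HEADER_LEN], blob[HEADER_LEN:]
    if len(header) < HEADER_LEN or body[:2] != b"\x1f\x8b":  # gzip magic
        raise ValueError("expected a 24-byte header followed by gzip data")
    return header, gzip.decompress(body)


def find_int32_pair(payload, low, high):
    """Offsets of two consecutive little-endian int32 values (low, high)."""
    needle = struct.pack("<ii", low, high)  # (1, 3) -> 01 00 00 00 03 00 00 00
    hits, pos = [], payload.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = payload.find(needle, pos + 1)
    return hits


def patch_unique(payload, old, new):
    """Overwrite the pair in place, but only if it occurs exactly once."""
    hits = find_int32_pair(payload, *old)
    if len(hits) != 1:
        # Small values like 1 and 3 are common; diff two saves to narrow down.
        raise LookupError(f"{len(hits)} candidate offsets: {hits}")
    replacement = struct.pack("<ii", *new)  # same length, other offsets stay valid
    return payload[:hits[0]] + replacement + payload[hits[0] + 8:]


def build_sample():
    """Constructed stand-in for a packed item file (not real game data)."""
    payload = b"CONSTRUCTED-ITEM\x00" + struct.pack("<ii", 1, 3) + b"\x0b"
    return bytes(HEADER_LEN) + gzip.compress(payload)


if __name__ == "__main__":
    header, payload = unpack(build_sample())
    print("hits:", find_int32_pair(payload, 1, 3))
    print(patch_unique(payload, (1, 3), (75, 150)).hex(" "))
```

The patch refuses to write when the byte pattern matches more than one offset, which is the case where the save-diffing step from the analysis loop is needed to pick the right one.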