TTMagic | TTGames Universal Anti-Anti-DAT Check Patch

[Masquerade]

TTMagic | TTGames Universal Anti-Anti-DAT Check Patch

All findings below are part of an investigation by acidicoala, so thank you very much for your time!

In order to make repacks of LEGO games made by TTGames, you need to unpack the DAT archives because the developers use proprietary compression algorithms such as LZ2K in their archives. It is necessary to unpack and decompress these files in order to compress them smaller with tools like LOLZ.

There is also another purpose for unpacking the DAT archives, and this is modding purposes. TTGames developers decided that they did not like this and implemented a function in their game code which checks if the game is running in an unpacked state and if it is, then a FatalExit function is triggered (game crash).

The developer m0xf first figured out how to patch around this check and this is how FitGirl was able to receive patched executables for her repacks which were unpacked and decompressed.

By speaking to acidicoala, we took a look into those patched executables and determined what was changed. There were two bytes changed in the executable header, but we believe this was a watermark more than anything else since this did not affect code execution but would be a great way to check anyone using "FitGirl's" executables in their own repacks.

The next patched byte is most interesting, which was a change from a "74" byte to an "EB" at a seemingly random point in the game's code.

This byte change is significant because "EB" is hexadecimal for JMP opcode (unconditional jump), while 74 is hexadecimal for JE opcode (jump if equal).

So, it can be determined that at some point in the game code, it will jump if something is equal to something else and allow the game to run, but if the game is unpacked and no DAT archives are present, it will not jump and the FatalExit will be triggered. Now, by switching this to an unconditional jump, the game will always jump at this specific point and will always run.

What exactly the game is checking for here we are unsure about, which is why that above paragraph is ever so slightly vague.

The developers used the same function in all of the games that require an EXE patch, as can be seen by the below screenshot:



Because of this, we can construct a pattern.

ALL of the TTGames that have this DAT check will have the same pattern at some point in the EXE file visible in HxD:

Code:

74 ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? CC

The "??" bytes are different across each executable, but the B9, E8 and CC bytes are always in the same position after the 74.

This makes it rather easy to determine whereabouts your game executable needs patching!

However, an even better solution has emerged thanks to acidicoala - Koalyptus framework.

Composed of two binaries, Koalyptus is a framework that can be used to dynamically patch executables in memory. Such runtime patches have the advantage of keeping executables unmodified. The first binary is Koaloader, which hooks into the game process, and Lyptus binary is responsible for patching the executable at runtime.

Project pages:
https://github.com/acidicoala/Koaloader
https://github.com/acidicoala/Lyptus

All of the games load xinput9_1_0.dll, so we'll use this build of Koaloader as our proxy library. This means that all functions that the game would need from the actual xinput9_1_0.dll will still work since Koaloader can pass them to the actual DLL inside System32.

Next, we need to configure Koaloader to load Lyptus64.dll, so we paste this config into Koaloader.json:

Code:

{
  "logging": false,
  "modules": [
    {
      "path": "Lyptus64.dll"
    }
  ]
}

Next, we configure Lyptus64.dll library with the following patch information:

Code:

{
  "logging": false,
  "patches": [
    {
      "name": "TTMagic",
      "pattern": "74 ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? CC",
      "offset": 0,
      "replacement": "EB"
    }
  ]
}

This instructs Lyptus to find that specific pattern and swap the 74 byte for an EB, which will allow our game to run.

Now, you should have four files:

• xinput9_1_0.dll
• Koaloader.json
• Lyptus64.dll
• Lyptus.json

And these four files go into your unpacked LEGO game folder. Run the DX11 executable and be amazed that the game now loads just fine! Please note that the DX9 executables present in some LEGO games are NOT patched via this method as they are in a different architecture compared to the DX11 executables.

I have included a ready-made zip file below which has everything you need ready to drop into the game folder.

To unpack the games, you will need to use QuickBMS and then one of the below scripts:

[Script 1] - By Aluigi, use this one first.

[Script 2] - Modified script, use this if you get errors with the first script.

Credits

• m0xf - for the original method for patching the LEGO game executables
• acidicoala - for spending their time working to make the Koaloader + Lyptus solution and seeing what made the original patches work
• Aluigi - QuickBMS and script to decompress TTGames proprietary algorithms

[FIFA_LOVER]

@joe
Although you fixes the Lytpus typo but still this remains

[Masquerade]

Sorry for the typos, I wrote this one pretty quickly and didn't fully proof read before clicking submit

[FIFA_LOVER]

no worries
instead thank u for such amazing post

[dixen]

LEGO Jurassic World - this guide no work(((
UPD
With bms v2 - all work fine)

[Masquerade]

Quote:

Originally Posted by dixen

LEGO Jurassic World - this guide no work(((
UPD
With bms v2 - all work fine)

Jurassic World does not need a patched EXE.

[dixen]

Quote:

Originally Posted by Masquerade

Jurassic World does not need a patched EXE.

I just used default bms script for unpack.. with him - crashes on start.

[Masquerade]

Quote:

Originally Posted by dixen

I just used default bms script for unpack.. with him - crashes on start.

Are you using the DX11 or DX9 game executable? I used the DX9 in my repack and it loaded just fine.

If you are using the DX11, then you may need to apply the lyptus patch.

[L33THAK0R]

Wow, what a fascinating read! It's great to see someone finally figured out a consistent methodology to patch these titles! I never even thought to look for a hexadecimal pattern with wildcards outside of the modified bytes. It's great that its now possible for users to finally be able to now release properly updated repacks, heres hoping TT don't make life trickier and switch things up again down the line!

[Scorp-]

will this work with the LEGO Star Wars: The Skywalker Saga?

[Masquerade]

Quote:

Originally Posted by Scorp-

will this work with the LEGO Star Wars: The Skywalker Saga?

You can check, if it doesn't work, I could see if acidicoala is interested in checking the game out.

[Scorp-]

Quote:

Originally Posted by Masquerade

You can check, if it doesn't work, I could see if acidicoala is interested in checking the game out.

that would be great if you guys got it working

[L33THAK0R]

Has anyone tried this method with "LEGO Star Wars: The Force Awakens"? Doesn't seem to work out of the box. Gonna try patching the executable, I'll update this post accordingly with my results.

UPDATE: Seems like the byte replacement did it, for future readers I'd recommend doing the byte change for any titles where the drag-n-drop method fails.

[Masquerade]

https://github.com/AlubJ/TTGamesPatcher/releases

Here's an alternate tool that does the byte patch and has support for Skywalker Saga. Had a bit of a disagreement with the guy who "made" it, but hey, it's another tool that works.

There's a tool on KaOsKrew forum too that the Krew uses to do the byte patch. KiNG made it public after the release of the Koalyptus patch.

[L33THAK0R]

Quote:

Originally Posted by Masquerade

https://github.com/AlubJ/TTGamesPatcher/releases

Here's an alternate tool that does the byte patch and has support for Skywalker Saga. Had a bit of a disagreement with the guy who "made" it, but hey, it's another tool that works.

There's a tool on KaOsKrew forum too that the Krew uses to do the byte patch. KiNG made it public after the release of the Koalyptus patch.

Ah cheers, I've just been using a hex editor with regex/wildcard support but I'll check out the tools you mentioned, can't hurt to have more options! Bit off topic but was it something to do with them not giving you or your mates, that you collaborated with, credit for figuring out a consistent methodology for the byte patch? I rarely keep up with the TT Games LEGO modding scene but they do seem to be fans of claiming discoveries to be their own, regardless of if they are.