| File was renamed from 02_internals_of_hyperscape/01_game_files.md |
| | |
| | | # Internals of Hyperscape: Game Files |
| | | # Internals of Hyperscape: Entrypoint |
| | | |
| | | ## Information String |
| | | |
| | | | Property | Value | |
| | | |------------|----------------------------------------------| |
| | | | Version | `tucert_Y01S03_C6101049_D1004780_S6167_123` | |
| | | | Built | `Mon Mar 29 20:20:36 2021 UTC` | |
| | | | Exeuctable | `scimitar_engine_win64_2017_flto_vulkan.exe` | |
| | | |
| | | The information for this wiki concerns this version of HyperScape. |
| | | |
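Review bot: The property name in the last row of the Information String table is misspelled as `Exeuctable`; it should read `Executable`. Because the file is renamed from `02_internals_of_hyperscape/01_game_files.md` and the title moves from "Game Files" to "Entrypoint", check that pages linking to the old path or title are updated in the same change.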
| | | ## `Hyperscape.exe` |
| | | |
| | |
| | | | Certificate | `WinAuth(2.0)[PKCS #7]` | |
| | | |
| | | ### Launching the Game |
| | | Because the game is normally distributed with BattlEye, the following game flags are required to pass into the executable: `-eac_launcher /belaunch -be` in order to mod the game. |
| | | Because the game is normally distributed with [BattlEye](https://www.battleye.com/), the following game flags are required to pass into the executable: `-eac_launcher /belaunch -be` in order to disable the anti-cheat in the game. |
| | | |
| | | Currently, the only known way of launching the game and being able to attach debuggers and inject dynamic libraries is to use **LumaPlay**, which hijacks [UbiServices](../03_ubisoft_services/03_rest_endpoints.md) APIs to prevent usual restrictions like owning the game from preventing the launch. |
| | | The game also handles game license checks through [Ubisoft Connect](https://www.ubisoft.com/en-us/ubisoft-connect) (Formerly known as, and in the game files as, 'UPlay'). Check out the [uplay_r1](./02_uplay_r1.md) page for more information on how this works and how to bypass this restriction. |
| | | |
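Review bot: In the Launching the Game paragraph, the text names BattlEye but the flag list begins with `-eac_launcher`, and nothing on the page explains the mismatch; a sentence saying why the flag carries that name would remove the ambiguity. The phrase "the following game flags are required to pass into the executable" reads more cleanly as "the following flags must be passed to the executable". Given the rename, also confirm that the relative links `../03_ubisoft_services/03_rest_endpoints.md` and `./02_uplay_r1.md` still resolve from the file's new location.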
| | | ### Dumping Imports |
| | | The game executable is obfuscated with [VMProtect](https://vmpsoft.com/) v3.20-v3.5.0, but critical game functions are not. |
| | | |
| | | A tool like [VMP3 Import Fix](https://github.com/KuNgia09/vmp3-import-fix) can be used to dynamically fix imports and export a much more manageable executable for reverse-engineering with a decompiler like IDA or Ghidra. |
| | | |
| | | Note that many lower level functions and especially IO-related procedures remain obfuscated. |
| | | |
| | | ### Debug Builds |
| | | No debug builds are currently known of the game itself, however debug builds and PDBs of libraries like RendezVous have been leaked and have been instrumental in further understanding the game. |
| | | |
| | | > [!NOTE] |
| | | > TODO: Explain further |
| | | ### Client Modifications |
| | | The game has additional protections against using [`VirtualProtect`](https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect) (Although, earlier versions of the game, for example from Season 1, appear to have this protection removed). |
| | | |
| | | Bypassing this restriction either involves using `VirtualProtect` from an external process to mark all pages as writable and executable, or removing this protection entirely by running code before the game starts. |
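Review bot: In the final paragraph of Client Modifications, "using `VirtualProtect` from an external process" is inaccurate as written, because `VirtualProtect` only changes page protection in the calling process's own address space; the text should name the API that is actually meant. In the paragraph before it, "appear to have this protection removed" for earlier versions reads as if something was stripped from older builds, so "appear to lack this protection" is probably the intended meaning. A blank line is also missing between the `> TODO: Explain further` note and the `### Client Modifications` heading, and the TODO itself should be resolved or tracked before this page is treated as complete.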