From a22e4dfb0dfb042c80da9c44a3e5178f06cfc4d6 Mon Sep 17 00:00:00 2001
From: striven-prevailed <sg.striven@cutecat.club>
Date: Thu, 06 Nov 2025 13:54:47 +0000
Subject: [PATCH] Describe UPlay R1, Spring

---
 01_general_information/02_game_settings.md  |    0 
 05_scapegoat/02_build_scapegoat.md          |    1 +
 /dev/null                                   |    1 -
 02_internals_of_hyperscape/01_entrypoint.md |   26 +++++++++++++++++++++-----
 02_internals_of_hyperscape/02_uplay_r1.md   |   11 +++++++++++
 05_scapegoat/04_using_scapegoat.md          |   14 ++++++++++++++
 05_scapegoat/03_install_scapegoat.md        |    1 +
 7 files changed, 48 insertions(+), 6 deletions(-)

diff --git a/02_internals_of_hyperscape/02_game_settings.md b/01_general_information/02_game_settings.md
similarity index 100%
rename from 02_internals_of_hyperscape/02_game_settings.md
rename to 01_general_information/02_game_settings.md
diff --git a/02_internals_of_hyperscape/01_game_files.md b/02_internals_of_hyperscape/01_entrypoint.md
similarity index 64%
rename from 02_internals_of_hyperscape/01_game_files.md
rename to 02_internals_of_hyperscape/01_entrypoint.md
index 27de547..abca818 100644
--- a/02_internals_of_hyperscape/01_game_files.md
+++ b/02_internals_of_hyperscape/01_entrypoint.md
@@ -1,4 +1,14 @@
-# Internals of Hyperscape: Game Files
+# Internals of Hyperscape: Entrypoint
+
+## Information String
+
+|  Property  |                     Value                    |
+|------------|----------------------------------------------|
+| Version    | `tucert_Y01S03_C6101049_D1004780_S6167_123`  |
+| Built      | `Mon Mar 29 20:20:36 2021 UTC`               |
+| Exeuctable | `scimitar_engine_win64_2017_flto_vulkan.exe` |
+
+The information for this wiki concerns this version of HyperScape.
 
 ## `Hyperscape.exe`
 
@@ -21,15 +31,21 @@
 | Certificate      | `WinAuth(2.0)[PKCS #7]`                                                                                                                          |
 
 ### Launching the Game
-Because the game is normally distributed with BattlEye, the following game flags are required to pass into the executable: `-eac_launcher /belaunch -be` in order to mod the game.
+Because the game is normally distributed with [BattlEye](https://www.battleye.com/), the following game flags are required to pass into the executable: `-eac_launcher /belaunch -be` in order to disable the anti-cheat in the game.
 
-Currently, the only known way of launching the game and being able to attach debuggers and inject dynamic libraries is to use **LumaPlay**, which hijacks [UbiServices](../03_ubisoft_services/03_rest_endpoints.md) APIs to prevent usual restrictions like owning the game from preventing the launch.
+The game also handles game license checks through [Ubisoft Connect](https://www.ubisoft.com/en-us/ubisoft-connect) (Formerly known as, and in the game files as, 'UPlay'). Check out the [uplay_r1](./02_uplay_r1.md) page for more information on how this works and how to bypass this restriction.
 
 ### Dumping Imports
+The game executable is obfuscated with [VMProtect](https://vmpsoft.com/) v3.20-v3.5.0, but critical game functions are not.
+
 A tool like [VMP3 Import Fix](https://github.com/KuNgia09/vmp3-import-fix) can be used to dynamically fix imports and export a much more manageable executable for reverse-engineering with a decompiler like IDA or Ghidra.
 
+Note that many lower level functions and especially IO-related procedures remain obfuscated.
+
 ### Debug Builds
 No debug builds are currently known of the game itself, however debug builds and PDBs of libraries like RendezVous have been leaked and have been instrumental in further understanding the game.
 
-> [!NOTE]
-> TODO: Explain further
\ No newline at end of file
+### Client Modifications
+The game has additional protections against using [`VirtualProtect`](https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect) (Although, earlier versions of the game, for example from Season 1, appear to have this protection removed).
+
+Bypassing this restriction either involves using `VirtualProtect` from an external process to mark all pages as writable and executable, or removing this protection entirely by running code before the game starts.
diff --git a/02_internals_of_hyperscape/02_uplay_r1.md b/02_internals_of_hyperscape/02_uplay_r1.md
new file mode 100644
index 0000000..975aa79
--- /dev/null
+++ b/02_internals_of_hyperscape/02_uplay_r1.md
@@ -0,0 +1,11 @@
+# Internals of Hyperscape: UPlay R1
+
+UPlay R1 is Ubisoft's own legacy license checker and interface for Ubisoft's friend, party and chat services.
+
+The game loads a library called `uplay_r1_loader.dll`, which finds `uplay_r1.dll` in the user's local installation of Ubisoft Connect (formerly UPlay). If this DLL cannot be found, the game exits and suggests for the user to ensure that UPlay is installed.
+
+> [!IMPORTANT] For `64-bit` devices, `uplay_r164_loader.dll` is loaded instead, and searches for `uplay_r164.dll`!
+
+## Bypassing UPlay R1
+- [Spring](../05_scapegoat/04_using_scapegoat.md) - Scapegoat's own UPlay R1 launcher and plugin loader, specifically for Hyperscape.
+- [LumaPlay](https://cs.rin.ru/forum/viewtopic.php?f=29&t=67197)
diff --git a/05_scapegoat/02_build_and_use_scapegoat.md b/05_scapegoat/02_build_and_use_scapegoat.md
deleted file mode 100644
index 1e73435..0000000
--- a/05_scapegoat/02_build_and_use_scapegoat.md
+++ /dev/null
@@ -1 +0,0 @@
-# Scapegoat: Build and Use Scapegoat
\ No newline at end of file
diff --git a/05_scapegoat/02_build_scapegoat.md b/05_scapegoat/02_build_scapegoat.md
new file mode 100644
index 0000000..aa3a058
--- /dev/null
+++ b/05_scapegoat/02_build_scapegoat.md
@@ -0,0 +1 @@
+# Scapegoat: Build Scapegoat
diff --git a/05_scapegoat/03_install_and_use_scapegoat.md b/05_scapegoat/03_install_and_use_scapegoat.md
deleted file mode 100644
index 017c383..0000000
--- a/05_scapegoat/03_install_and_use_scapegoat.md
+++ /dev/null
@@ -1 +0,0 @@
-# Scapegoat: Install and Use Scapegoat
\ No newline at end of file
diff --git a/05_scapegoat/03_install_scapegoat.md b/05_scapegoat/03_install_scapegoat.md
new file mode 100644
index 0000000..1c56255
--- /dev/null
+++ b/05_scapegoat/03_install_scapegoat.md
@@ -0,0 +1 @@
+# Scapegoat: Install Scapegoat
diff --git a/05_scapegoat/04_using_scapegoat.md b/05_scapegoat/04_using_scapegoat.md
new file mode 100644
index 0000000..91f32c3
--- /dev/null
+++ b/05_scapegoat/04_using_scapegoat.md
@@ -0,0 +1,14 @@
+# Scapegoat: Using Scapegoat
+
+Scapegoat can be installed by using the Spring launcher, which should be placed alongside the game executable:
+
+- `Hyperscape.exe`
+- `SpringLauncher.exe`
+- `Spring/`
+  - `Spring.dll`
+  - `Plugins/`
+    - `Patsy.dll`
+
+> [!NOTE] _Patsy_ is Scapegoat's client modification.
+
+Then, running `SpringLauncher` should launch the game and connect to Scapegoat's servers.

--
Gitblit v1.10.0