Finding Item Text within a PC Game

[ZeikTheGeek]

I am currently trying to translate a PC game and so far we have managed to translate the script and cutscene data. However, the text for the Items, documents and some other non-storyline related text within the files has so far not been found. A majority of the text is just plain-text within the files and can be found with tools like GREP, but when we look for the text for the Items, it cannot find it anywhere within the program's files. The files for the map's scripts are plain-text and can even be opened and modified with a simple Notepad, however the data for the cutscenes is actually offset and cannot be found with GREP as well, though we located it manually and have been translating it just fine using Stirling Binary Editor. We've tried manually searching through the various files that might hold some kind of script data for the Items, but have been unsuccessful in even finding one of them thus far.

We are open to suggestions on programs and methods to try to find this text and are also willing to offer some sample files for the cutscenes and plain-text map files so that you can get an idea of what we're dealing with. Please PM me if you're interested in a sample file.

Thank you in advance!

[Xalphenos]

I've seen a lot of pc games store the Item text within the main exe itself.  I would try opening up the main exe in a hex editor capable of displaying various text encodings, such as madedit, and searching for the text.  Just set your encoding before you start searching.

[ZeikTheGeek]

Thank you for the suggestion. I tried searching within the main executable file but to no avail. Any other ideas where they might have stored it?

[Xalphenos]

It could be anywhere then, it could be compressed or right in front of your eyes hidden by a bit wise operation.  Since the simple method didn't work you either need to manually check every file or attack it with a debugger. No mater how its stored in files it should at some point exist as text in memory. Set break points to find out when and how it got there.

[weissvulf]

You might have better luck if you mentioned the name of the game since someone might have already looked it over, or the game's developer might use a known technique. Otherwise, like Xalphenos says, it could be anywhere in any of the game's files and in any format.

It's even possible the text you cant find could be stored as graphics.

[Jorpho]

Or the text might be stored with a non-ASCII endcoding, in which case no amount of GREP'ing would help.  You'd need a tool capable of doing a relative search.

[ZeikTheGeek]

Alright, first let me answer what game it is: It's Corpse Party 2: Dead Patient, and we're currently at about 70% of the game translated, which is why we're getting a little worried that we can't find the menu/item text as we'd like to release the game 100% translated with no Japanese 'artifacts' left within.

First, let me say that I'm by no means a hacker. I know some basics of how computers work and can find my way around HEX scripts, text pointers, headers and basic archives, but anything more advanced than that generally flies past my head. I tried attaching Cheat Engine and some process monitors to see what CorpseParty2.exe was calling, but nothing too helpful revealed itself. The Process Monitor does show CorpseParty2.exe calling upon the map and event scripts, but when I check the files I see it call, none of them have the Item/Menu text that we're searching for. I then check CorpseParty2.exe's memory and I CAN see the menu and item text, and can even change it, but I cannot tell where it's really loading it from, I am not proficient in assembly language, but to me it looks like it's loading it from the EXE itself, as it's calling various parts of CorpseParty2.exe with functions that look like CorpseParty2.exe+A7501 (etc.).

However, I'm not 100% confident that the text is embedded within CorpseParty2.exe, although I do believe it's certainly a possibility at this point, especially since all the scripts I've combed through don't seem like they could contain the item text as a lot of them are dummy-esque files with a lot of 0s and, at most, have a random 020 or something similar randomly in a three megabyte file filled completely with 0s. However, I do think it's also possible that maybe they are hidden somewhere within those scripts as the first thing CorpseParty2 does when it launches is load up all of its files and cache some of the data.

Hopefully some of this information may be helpful in finding out what could potentially be going on.

Thanks for your help!

[Jorpho]

I then check CorpseParty2.exe's memory and I CAN see the menu and item text, and can even change it

Well, I guess that means it's a standard encoding, then.  If all else fails, you could perhaps get someone to write up some kind of launcher for the game that will patch up the memory once the program is loaded, but that is of course a rather kludgy way of doing things.

Mr. Xalphenos may have the right idea.

[STARWIN]

Did you try something like OllyDbg? http://www.ollydbg.de/

While it probably goes over your head, it is probably the type of tool you would want to use in this case. (note that i haven't used this tool, but i have a hunch that its feature set (especially tracing) helps)

[Xalphenos]

What starwin says.  Olly is what I use and suggest.

How big is the exe file?  This game is pretty new so you could be running into some type of copy protection.  The main exe could be packed or encrypted.  In either case you wouldn't find anything relevant in it with just a hex editor.  Since you said you found it in the main exes memory I'm leaning toward this scenario.

[enigmaopoeia]

How big is the exe file?

The game's executable file is 661 KB large.

[Xalphenos]

Let me preface this by saying I have absolutely zero knowledge of this game. I only vaguely recognize the name.

661KB seems a little small for a modern pc game executable.  So my best guess is that the exe is packed or is just a loader and the actual game exe is masquerading as some other file.    So you are going to need someone well versed in cracking modern copy protections or start doing lots of research. 

Honestly being so new it seems like there could be a good chance the game gets localized.  Then all that work was wasted.

[ZeikTheGeek]

At this point, we're already almost done regardless, and the chances of it getting localized are somewhat up in the air. (XSEED localized Corpse Party and Corpse Party: Book of Shadows, both PSP games by .5PB. They have no current working relationship with GrindHouse, who is the small indie company who made Dead Patient... add to that that the last title, Book of Shadows, was a commercial failure...)

Although, even in the event that XSEED does build a working relationship with GrindHouse and localizes the title, I still feel that I learn from every title I translate, so I would never call it a 'waste'.

Thanks for your help, if it's copy-protected like you suspect, I'm beginning to think we might need to somehow write to the memory automatically upon game launch, as previously suggested. Although I haven't the foggiest on how to do this. I may need to find someone to help with that...

[Xalphenos]

Like I said I have no knowledge of the game.  I recognized the name and knew xseed was some how connected to corpse party.

That seems like a functional idea.  Basically you would write a trainer that over writes the text strings in memory.  They may end up at different memory locations on subsequent runs so the program will need to search for the strings then write over them.

I don't have the game so really this is all theoretical.  Those item names could still be editable in a file somewhere.

[Jorpho]

Unpacking an executable with OllyDebug can be quite straightforward.  Or so it seems.
http://securityxploded.com/unpackingupx.php

I used a similar tool once long, long ago.

[ZeikTheGeek]

I gave unpacking the EXE a shot following those instructions to the best of my ability and couldn't manage to find the OEP in the EXE in order to extract and repackage the EXE in its uncompressed format, if it is, in fact, compressed. (PEID shows that the program was made in Visual C++ 7.0 (Overlay).)

Still trying to figure out the best approach to translating the Item/Menu text. Thanks for all your guys' help!

[RetroHelix]

You could give exestringz from http://aluigi.altervista.org/mytoolz.htm a try. Good luck.

[ZeikTheGeek]

Thanks! I ran it through and the text dump it gave out sadly only resulted in the program's error strings and DLLs.

I.E.:
________________________________________________________________________________1-0000cc3d___0002c4b0/0042c4b0
Atl.dll
________________________________________________________________________________1-0000cc5d___0002c494/0042c494
AtlAxWinInit
________________________________________________________________________________1-0000cc6f___0002c484/0042c484
AtlAxGetControl
________________________________________________________________________________1-0000f2db___0002c4d4/0042c4d4
deque<T> too long
________________________________________________________________________________1-0000f88b___0002c504/0042c504
No FUNC:%s
________________________________________________________________________________1-0000f798___0002c4f8/0042c4f8
No DLL:%s

Etc.

Makes me wonder if the game's text is within the EXE at all?

[Xalphenos]

Ok this EXE is not packed, and the text for items and menu text are in it.  Though it really is a different file.  At offset 0x39000 of corpsparty2.exe you will find the string "DPMX0" then some header stuff.  This basically marks the start of a new file within the exe.  At 0x3902C you have the length of the file in bytes.  In this case it is 0x6C66C which actually is the end of the whole exe.  The data starts at 0x39030.  For every byte you need to xor with 0x73 then subtract 0x72 then add that to the previous converted byte, first time it's 0.

Here is the relevant code from the exe.

Code Select Expand


AL = 72 CL = 73 DL = previous converted byte (0 the first time) ESI = pointer (different each time you run the exe) EBP = counter 0x6C66C to begin with
CPU Disasm
Address   Hex dump          Command                                  Comments
00401247  |> /8A1E          /MOV BL,BYTE PTR DS:[ESI]
00401249  |. |32D9          |XOR BL,CL
0040124B  |. |2AD8          |SUB BL,AL
0040124D  |. |02D3          |ADD DL,BL
0040124F  |. |8816          |MOV BYTE PTR DS:[ESI],DL
00401251  |. |46            |INC ESI
00401252  |. |4D            |DEC EBP
00401253  |.^\75 F2         \JNZ SHORT 00401247


I think I've explained it well and the code is really simple so someone should be able to write a program that will do that for you.  If no one writes you a program I'll try to do it tomorrow after work.  I've got to do my Japanese reviews and go to bed. 

[ZeikTheGeek]

Oh wow! This helps us out big time! Thank you so much! The programming is beyond us, so thank you in advance for trying to write one for us. We really appreciate the work you're putting into this!