MASSIVE SECURITY HAZARD in Spore!


wes_h:
Quote from: lordrichter on 2008 June 20, 00:11:45

What is the preferred method of extracting the creature data from the PNG file so that it can be examined?


The PNG file is just a picture, so the CC has to be using the filename to trigger a download.

As for extracting things, I have enough information gathered to split the DBPF V2 package files into component parts with a command-line tool. Ugly but effective. I am trying to leverage the dead Dizzy's decompression code in the dead "simpemustbedestroyed" tools to complete my file splitter.

Then I can try to determine what these part pieces are used for (except the PNG parts, I already know what they are). My findings are posted at my place.

And no Spore Creature Creator programs have been, or need be, reverse engineered to determine the .package file layout.

lordrichter:
Got it.  The only reason that we know that the user account name is being stored in the creature data inside the PNG file is that CC displays this information when showing the saved creatures.  However, we don't know what other data may be tucked away in the PNG file that might identify the system that it came from because we really don't have a good way to extract and decode the data... yet.  Although, it looks like people are working on the extraction tools already.

Edit: I can see why EA would not want the creatures edited.  Already, I am seeing people talking about crafting creature files that have a picture that is entirely different from the creature contained in it.  Looking at what they likely store in these creature files, I am not certain that editing them would be useful anyway.  There is not enough room in the creature PNG file to do more than store building block reference and connection information.  The creatures have to be built from a known library of parts.  That, in itself, sounds like something that could well be unfriendly to third party creations.

J. M. Pescado:
It looks like the creature data is stored inside custom blocks accepted as part of the PNG spec, thus allowing foreign data to be bundled inside a PNG which will be ignored (and possibly shredded) by other graphics-editor tools. However, the data appears to be unreadable as a cursory glance in a hex editor reveals nothing, not even the strings, so it looks like it's encrypted in some way to prevent modification.
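One way to test the custom-chunk theory above against a saved file, as an added example that is not part of the original thread: a PNG chunk audit that lists chunk types outside the PNG specification, checks each CRC, and counts bytes after IEND. The sample file and the chunk name `xxDt` are constructed for illustration and are not taken from any Spore file.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification itself.
STANDARD = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM",
            b"sRGB", b"iCCP", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs",
            b"sBIT", b"sPLT", b"hIST", b"tIME"}

def make_chunk(ctype, payload):
    """Serialise one chunk: length, type, payload, CRC over type+payload."""
    crc = zlib.crc32(ctype + payload)
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def sample_png():
    """Constructed 1x1 RGBA PNG with a made-up private chunk and trailing bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00\xff")  # filter byte + one RGBA pixel
    return (PNG_SIG + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"xxDt", b"constructed payload")
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"") + b"extra")

def audit(data):
    """Report chunks outside the PNG spec, CRC failures and bytes after IEND."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    report = {"chunks": [], "nonstandard": [], "bad_crc": [], "trailing": 0}
    pos = 8
    while pos < len(data):
        if pos + 12 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk body")
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        name = ctype.decode("latin-1")
        report["chunks"].append(name)
        if crc != zlib.crc32(ctype + payload):
            report["bad_crc"].append(name)
        if ctype not in STANDARD:
            # Lowercase 1st letter: ancillary (skippable); lowercase 2nd: private.
            report["nonstandard"].append(
                (name, length, ctype[0:1].islower(), ctype[1:2].islower()))
        pos = end
        if ctype == b"IEND":
            report["trailing"] = len(data) - pos
            break
    return report
```

Calling `audit(open(path, "rb").read())` on a real file gives the same report. An empty `nonstandard` list and zero `trailing` bytes would mean any extra data has to live in the pixel data instead.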

BastDawn:
The file name of the png is meaningless.  I've changed the name of every creature png file I've downloaded to a "creator name-creature name" format, and they still work.  I've heard the information is stored in the alpha channel, and if you look at a spore creature on a colored background, you can see how pixelated it is.  Presumably you could "hack" a png file to have the data for one creature while showing the picture of a completely different creature, just by replacing the right part of the image.  I could probably do it in less than two minutes in Paintshop Pro.

J. M. Pescado:
Quote from: BastDawn on 2008 June 20, 03:51:07

Presumably you could "hack" a png file to have the data for one creature while showing the picture of a completely different creature, just by replacing the right part of the image.  I could probably do it in less than two minutes in Paintshop Pro.
The utility of such an act seems somewhat limited, though.
