DCFFVII Research Thread

Difficulty modes in English:
- Normal
- Hard
- Ex Hard

In the Japanese International version the difficulty modes are the same except written in all capitals. Playing the PAL version in Japanese shows the JORG difficulties EASY, NORMAL and HARD. These options don't represent the game reverting to the JORG difficulty modes and level designs however. They actually mean...
 EASY = Normal
 NORMAL = Hard
 *HARD = Ex Hard

*HARD is only available here if you have unlocked Ex Hard mode by clearing one playthrough of Dirge


I'm fascinated by the renaming of Ex Hard mode for the non-English European languages.

French:
- Normal
- Difficile
- Cerbère [Cerberus]


Spanish:
- Normal
- Difícil
- Pesadilla [Nightmare]


German:
- Normal
- Schwer [Hard/Difficult]
- Spezial [Special]


Italian:
- Normale
- Difficile
- Difficile+ [Difficult +]


Now I almost wish the difficulty modes in the English game had names like Cerberus and Nightmare. :monster: "Nightmare" is certainly in line with Vincent's character and the game's dark tone.


Name of Extra Mission #42
EN: Two-Handed
JP: ツーハンドレッドホーン [Two-Hand Red Horn]
FR: Les 200 cornes [The 200 Horns]
SP: A dos manos [With the two hands] (Likely equivalent to "Two-Handed")
GR: Hundert Gehörnte [Hundred-Horned]
IT: Con due mani [With two hands] (Likely equivalent to "Two-Handed")

In this mission you have to defeat 100 Dual Horns. Ergo, 200 horns. I do not know for certain if "Two-Hundred Horn(s)" is a valid translation of the Japanese mission name.
 

JBedford

Pro Adventurer
AKA
JBed
ツー Two, ハンドレッド Hundred, ホーン Horn(s). It could say "Two-Hand Red Horn", but it's likely a mistranslation unless the mission specifically involves something two-handed and it is a pun.
 

Strangelove

AI Researcher
AKA
hitoshura
i spent a few minutes wondering if 'ハンド' might be short for 'hundred' even though i couldn't think of any example of that but then i remembered the next word was レッド and literally put the two together and felt a little dumb
 
Scene from before Rio gets kidnapped and separated from her mother.


English & Japanese


Civilian
Gender: Female
Blood Type: B
   Analysis

Geostigma Detected
Clean

French


Civil
Sexe: Féminin
Groupe sanguin: B
   Analyse

Géostigmates dépistés
Organisme sain

Spanish


Civil
Sexo: Mujer
Grupo sanguíneo: B
   Análisis

Geoestigma detectado
Limpio

German


Zivilist
Geschlecht: Weiblich
Blutgruppe: B
   Analyse

Geostigma entdeckt
Sauber

Italian


Civile
Sesso: F
Gruppo sanguigno: B
   Analisi

Identificato geostigma
Individuo sano

As some of you may recall, the monocolored models used for the point-of-view shot from the Deepground visors are separate from the normal-colored models.

If you pause the game at the right moment during jumps in camera perspective, the screen may pause at angles and moments you are not meant to see. You may also end up causing some sound effects to be played out even though the game is paused, such as the cutscene sound of the helicopter's missile barrage against Vincent.

These effects are easily triggered on both console and emulator.





Knowing the strings used to reference character models, it is easy to replace Vincent's purple/pink model with his normal one. As such:




As you can see, the purple gun is also its own separate model. Relevant models and their strings below.


g013 = Cerberus
g071 = Purple Cerberus

p000 = Vincent (Player Model)
p014 = Purple Vincent, used for Ch1-1 scene before gameplay starts
p015 = Purple Vincent, used in Ch1-3 scene before the first helicopter battle

n026 = Rio's mother
n028 = Rio
n059 = Rio's mother, red version
n060 = Rio, green version

g001 = Moogle doll
g072 = Moogle doll, green version
 
Last edited:
g030 = Metal Door 1 (for Shalua's goodbye, right door from Shalua's perspective)
g031 = Metal Door 2 (for Shalua's goodbye, left door from Shalua's perspective)

Let's remove these, for the lulz.




The funny part is that now the scene is only *marginally* more stupid. :monster:
 

Strangelove

AI Researcher
AKA
hitoshura
god shalua's outfit

i actually kind of like the two colour scheme but just. where did 70% of the fabric go. did you make that dress yourself with off cuts

also the mickey mouse glove she's got going on
 
There are a ton of zone values that will send you to this area, so I'm not sure whether the area is assigned to dozens of zone values or if it's in fact some "null value" zone area.



*Re-uploaded video because the volume was too low in the first upload.

Video description said:
The area has no music. I inserted the track from the original FFVII because it felt appropriate and made the video less boring.

The only sound effects are those from toggling through menus and from getting a killchain.

Vincent's gun models will not load and Vincent's melee attacks are locked away.

Vincent will be stuck in place, which is why at 0:50 I activate a cheat to roam freely. Unfortunately this cheat also removes all lighting from Vincent.

Using the Limit Breaker doesn't transform Vincent. Instead it creates the same limit break effect you have if you use a Limit Breaker during the fight against Weiss the Empowered. The effect lasts for 43.5 seconds.

The two invisible objects you can destroy each have 1000 HP.

Some areas hold similarities to those used in the final game, but this exact area is not seen in a normal playthrough. The 2D textures are more primitive and clean compared to the final game.

The area has no menu map and no location name.
 
Last edited:
Roaming a version of the Deepground Lobby that might reveal NPC dialogue remains out of reach. However, by doing the following, I am now able to explore more unused/hidden/multiplayer-only areas of Dirge than I could before.

The Tempsave Teleportation Trick

Steps:
- Enter an area where a tempsave can be created
- Find the address for the "Menu Map Zone" value.
- Change the "Menu Map Zone" value to where you want to go.
- Create a tempsave.
- Load the tempsave and you will end up at the zone you picked.

The degree to which the area and its models load depends on where you created the tempsave, since the tempsave data will be different depending on where you created it.

I was quite surprised that it was the "Menu Map Zone" address that was key to making this cheat work. The typical address I use for teleportation, the straight-up "Zone Value", does not assist at all in this "Tempsave Teleportation" trick. What matters is that you change the "Menu Map Zone" value, which determines the area map that is shown in the menu.



The Multiplayer-version of Weiss's Throne Room, previously exclusive to cutscenes and two missions for those who played the online mode all those years ago. In some areas, like this one, I am left to roaming the area with an invisible player character. I am quite happy to finally be allowed to explore this area.

To my additional joy, the memory capsule from the online mode is left in the data. This is the tenth memory capsule from the online mode, present in the mission Lightning Trick. You can destroy the capsule here but it will have respawned every time you revisit. However, only on your first time destroying the capsule will the memory card icon appear in the top right to indicate that something is being saved.

Destroying the memory capsule does not unlock any cutscenes in the event viewer. In the online mode this capsule unlocked "Scene 10", but now it does nothing at all.


I have confirmed the majority of memory capsules from the online mode to be present on the game disc. However, two capsules existed in areas that so far appear to have been deleted for the retail release of Dirge: The City map and the Snowy Mountain map. Thusly we can't confirm those capsules.

What we have is quite exciting though, especially since this lets us see memory capsules that nobody shared screenshots for back when the multiplayer was still active.


With tempsave teleportation yet another dream has come true: I am now allowed to freely roam the Valley map. Just like the "clean" version of Weiss's Throne Room, this area has normally been exclusive to cutscene and players of the online mode.












Zone 217, known from the on-disc registry document as "Multi - Visual Lobby 2", is a spot I really want to visit but the game won't allow me. The area contains the menu maps for the Deepground Lobby, as well as interesting strings of data. If there is any part of the game that holds NPC dialogue, complete shop lists etc, it would be this place.

Zone 242 is used for a cutscene version of the lobby, but I am unable to roam that one as well. Currently there are only two variations we can roam: Zone 84 (Extra Mission "Cait Versus the Empowered") and Zone 89 (Extra Mission "Deepground"). By using tempsave teleportation to get to these two zones, the map was loaded in a different state...



The action prompts now load! You essentially get nothing by clicking on the action buttons, but I am quite excited to see these appear at all! I had assumed that these prompts were deleted from both missions.


Empty message when you try check your ranking:



These messages are just as empty in Japanese.











The shop has no items listed for Buy, Sell and Modify.







Although no NPC models are loaded, the Talk prompt appears at exactly the places where you'd expect them to. Pressing Talk will only result in your player character jumping. No text is triggered.

Argento's location:


Cataract's location:


While inside this altered zone for mission-version of the lobby, I did the tempsave teleportation trick to try and enter "Visual Lobby 2". It only kinda succeeded.

The tempsave showed that hidden text I had previously observed in the RAM.
"Deepground - Sector 1"



The tempsave loads the area you see previewed above, but in less than a second the game forces you back to the start menu. You are never allowed to move or change the camera angle in this zone. The only thing you can do is enter the menu which has not loaded anything out of the ordinary.



All this does is confirm that YES, there is actual 3D map data in zone 217. :monster: It isn't just a placeholder for the actual area.
 
All 11 memory capsules that can be confirmed in the multiplayer-maps have been confirmed to still be on the disc. As I mentioned in my previous post, the two remaining capsules will likely never be observed since the maps they belonged to (City & Snowy Mountain) appear absent from the game disc.



^The memory capsule that was originally found in the DG General mission "Active Jamming". This is one out of five examples that we previously had no screenshots for but can now observe in the offline game.



The majority of these multiplayer areas are littered with EM barricades, boxes, drum cans, along with invisible objects that are revealed by their collision and sometimes by being targetable. It becomes immediately apparent, along with the already observed memory capsules, that these areas hold the blueprints for the online missions- and modes.



The multiplayer version of "Major Fault" has boxes and barricades set up for the Boxemon/'Monster Box' mission. Roaming the area shows that barricades are also set up for other online missions like Panic Matador, Rains of Gehenna, Fifth Ring Battle and Green Carnival. Barricades are also set up for some of the online mode's special matches.

When you shoot a box and/or drum can, it will eventually be registered as a kill but nothing will happen to the object. Just like with the boxes I found when going out-of-bounds in the bridge map for the Extra Missions.

Reading the game's memory reveals references to enemies used for the aforementioned missions. You will also find references to the standard multiplayer-exclusive models: Mako capsule, flags, flag stations and bases (grey, red and blue). The small- and giant Medals familiar from the Extra Missions pop up in memory too. These references occur for every multiplayer map that is loaded, even though the models themselves are invisible or replaced by boxes and drum cans.

Some invisible models are placed in positions you'd expect the flag stations and red/blue bases to be, plus they make the sound of metal when you shoot them so these are pretty undoubtedly the stations/bases.

The multiplayer maps have been PACKED with the data for a great number of online missions and online modes. For now we can't tell how complete and organized all this setup data is. Is the enemy AI as it was in the online mode? Can the setup and instructions for each mission be clearly distinguished from one another or is it just a hodge-podge mess, like it appears when we tempsave-teleport to the locations? Hopefully the online missions can be modded back in without us having to rely solely on documentation from when the multiplayer was still online.


Much to my excitement, the multiplayer maps that included the Tsviets and the Restrictor will load references to these character models when you enter said areas. Hopefully the boss AI and their animations are complete. Imagine if we could unlock the multiplayer versions of these boss fights! We have recordings for the Shelke, Restrictor and Weiss battles but no recordings for the other big bosses.



^Barricades set up on the roof in the multiplayer-version of the Warehouse map, same as they were set up in the fight against Nero.

*EDIT: Forgot to mention that the multiplayer version of the "Huge Facility" map includes extra references in memory to the Galian Beast model. This indicates that the place holds data for the online battle against Galian Beast.*

Memory includes an extra reference to the "Fuzzy Seed" quest item if you teleport to the multiplayer version of the Kalm Church map, so that has me excited about the possibility of unlocking and acquiring quest items the "normal" way. :D

Holy crap. How do you do it, man?
[SPOILER='Tis a very refined process that goes something like this ]



:monster:
[/spoiler]
 
Last edited:
The memory viewer reveals to me which items can be dropped onto the field to be picked up and which enemy drops it. By reading the game's memory after teleporting to the multiplayer maps, thus loading the mission data for those fields, I can match the knowledge I've accrued from player reports and guides with what I'm now seeing among the game's addresses.

The quest items on the game disc read the names from the beta/2005 phase. Since the online mission data I'm now reading with the help of Cheat Engine clearly represents the 2006 era, I can spot which item names that are *actually* meant to be present.


Beta Names → *2006 Era Names (*Translated from Japanese reports)

Power Kit
Speed Kit Plain Earrings
Weight Kit
Handgun Kit EX Eden's Notes or Mako Candy**
Handgun Kit ULT
SC Frame Kit
Rifle Kit EX
Rifle Kit ULT
Machine Gun Kit EX
Machine Gun Kit ULT Old-Type Mako Storage Battery
N Barrel Kit
L Barrel Kit Dirty Investigation Memo
S Barrel Kit Mako-soaked Investigation Memo
Materia Booster Kit Miracle Memo?
Auto Scope Kit Oil-soaked Investigation Memo
Control Ticket Broken Investigation Memo
Research Ticket
Junk Ticket
Mako Ticket
Crimson Ticket
Verdant Ticket Energetic Bonus Ticket
QI21
QI22
QI23
QI24
QI25
QI26
Fuzzy Seed Fuzzy Seed
Dandelion
QI29
QI30
QI31
QI32
QI33 Garbage Data
QI34

**Player reports are not always clear on which items are dropped on the field versus which ones are given via a reward menu after clearing a mission. Whichever one the Handgun Kit EX became, this item wasn't dropped by an enemy, same as Fuzzy Seed. It existed by default on the field or hiding in a box.



I was quite surprised to actually find references to Garbage Data, which are dropped by Red Saucers, Cactuars and Turk Training Robots...during the online battle against Turk Vincent!

Yes indeed, the multiplayer version of the Train Graveyard does also reference p013, aka Turk Vincent! :D This is yet another boss battle that we have zero video recordings for so it would be quite exciting if the battle could be unlocked.

Players could collect three (or four, I'm a bit unclear on this) types of Data Fragments in the online missions while the Turk Vincent event was happening. So far I haven't found any references to these data fragments though. Presumably they were deleted.


The Jungle also contains an extra reference to the "DG Soldier Mask F" which became the "Nouvelle Mask" in the 2006 era. The mask was dropped by DGSC Hiren when you defeated her in the Iron ☆ Soul mission.



What quest items remain to be matched up with the beta- and placeholder names?

- Eden's Notes OR Mako Candy
- Data Fragments (Three or four types)
- Wooden Moogle Doll (Unclear if quest item or not)
- Gold-plated Moogle Doll (Unclear if quest item or not)
- Waldo's Final Notes
- High Concentration Mako Capsule
- Moogle Nose
- Moogle Head
- Mako Powder
- How to make Mako 10 times more fun
- Cerulean Bullet
- Pocket Tissue
- Apology letter issued by the Supervisory Committee
- Distorted Terashima (Unclear if quest item or broken machine gun)


Confirmation of this kind also remains for some of the game's equipment, the DG masks/caps in particular. Most of the masks on the disc have names that match the beta or even pre-beta phase!

Getting the item names right is important if the 2006 online mode is ever restored, be it in Japanese or English. The quest item descriptions are probably forever lost, but even just knowing the item names is a victory.
 
Last edited:
Only six of the multiplayer maps still retain their location name. *EDIT: Not counting the location names in "Visual Lobby 2".* All the rest revert to what is probably the first location name ID: "Kalm". Even in Japanese the location name ends up being spelled "Kalm" with English letters (but Japanese font). :wacky:

zone 201
- Jungle
- ジャングル

zone 203
- Kalm
- カームの街 [City of Kalm]

zone 204
- Wastelands
- 荒野

zone 205
- Shinra Manor Sewers
- 下水道 [Sewer System]




zone 206
- Laboratory
- 研究所




zone 208
- Church
- 教会



Version difference in hidden content: In the US/NA version, the memory capsules are not present in the multiplayer versions of the Throne Room and the Huge Facility. This is most certainly because the US version has data based on an earlier version of the online mode. These two memory capsules were added along with the August 17 update in 2006, with the North American version having been released two days before that.

However, one memory capsule that was added to the online mode with the August 17 update still made its way to the NA version. That capsule was found in the Warehouse map, in the mission "Quick to Achieve Eager Rewards".
 
Last edited:
Vincent's running speed has been increased to cut down travel time. Apologies for any motion sickness you might experience while watching these videos. It is always a struggle to make these recordings since the game will be running at roughly 20fps while the recording is happening.

Background music was added in editing, as you probably realize.











I vaguely recall Japanese bloggers talking about how overwhelmingly huge this map was and I most certainly agree. Getting a grip on which paths lead where was frustrating enough even with my added running speed. While I personally think the map *looks* interesting, I am happy I had the cheat to run at greater speed than normal. The menu map is also unhelpful when you are at the areas closer to the centre, because you can't tell where the paths will lead and on which elevation you are.

The player character is able to casually walk up platform steps, despite the steps being quite tall. This is convenient for the player but looks a bit awkward.

Typically you can fall down where it looks possible to do so, but for the waterfall and some other places there are invisible walls.


My headcanon interpretation of the area itself
"Valley" is clearly meant to be the remnants of an ancient civilization. While I do think it is an excavation site, I think that some of the open spaces and tunnels have been carved out by the waterfall over a long period of time.



Shinra has marked the place with their logo and some of (presumably) their own metallic tunnels for the excavators to use. With the metallic tunnels leading from the bottom of the valley to its very top, I picture that the diggers transport dirt and stones up through these tunnels as they continue to carve out the secrets in the earth.

No doubt a primary goal for Shinra's archeologists has been to find clues to the location of the Promised Land...because that is ALWAYS what Shinra is looking for. :wacky:

The glowing cubes create a sci-fi contrast with the "ancient temple/shrine" atmosphere emanating from that which does not shine. The glowing cubes aren't connected to any wires (that we can see), so are they powered by their own batteries or by some ambient energy?

It is my headcanon that this site is a remnant of the Spiran settlers, possibly a site where Spirans and Cetrans lived together (assuming here that Spirans aren't just the ancestors of the Cetrans). Given the direction of the canon in Dirge of Cerberus, I picture that this site or one similar to it is where Cid found the Shera and its "mysterious ancient power".


Frustrating though the area may be to roam for the first hour or so, I really like the style and atmosphere. I think it's a waste that it hasn't been referenced or used elsewhere in FFVII lore.

Blogger daijinn's snapshot of the player character being, supposedly, frustrated and lost in this maze of a map.









There is a spot (I run past it at 0:39 in exploration video #2) where the player character will be standing in mid-air.



To be frank it never stops being a relief to have these multiplayer maps with more freedom of movement rather than the constant invisible walls of the single player. Even the odd collision choice seen above makes me comparatively happy. :wacky:
 
Last edited:


I have found on-disc remnants of NPC text from the online Deepground Lobby. No guarantee that a more complete script exists in the game files, but it is certainly possible!

The files observed were extracted from the Japanese International version. Google translate gives awkward results, so clean-up translations are appreciated. :monster:


--
file18130.raw

強制転送するぜ ……オ、$t1200$オエェェェエエエーーーーーッ!! $o0019$……オ、オエェェェエエエーーーーーッ!!
Google Translate said:
Force transfer...oh, bleeeaaaaarrrgghhhh!!
B-bleeeaaaaarrrgghhhh!!
My guess is that this is the sound of Black-J accepting garbage data, as I interpret "force transfer" as a robotic statement. Jingi was a mako addict who would continuously throw up. When half his brain was transferred to a Black Widow mecha, thus forming Black-J, even this robot would supposedly make the same throwing-up exclamation. See NPCs of Deepground for all references you might need.


--
file18343.raw & file18355.raw & file18356.raw

You are already familiar with this one from my earlier posts, as it is the only case of observed NPC dialogue from the online mode having been translated to English. Posting it again for the sake of completion.

er have a battletable reserved or be in a group, respectively.

If you have a keyboard, you can press Ctrl+R to respond to someone who has talked to you directly through the tell channel.

Lastly, by entering special commands during chat, you can execute a variety of actions. These are called emotes. I just saluted you using the /salute emote. There are many different commands. Try them out for yourself.

Request briefing on auto scope.
The auto scope is a useful part that will automatically target the enemy for you.
On the other hand, attaching one to your weapon will dec

--
file18345.raw

も、他に聞きたいことがあるのか? $o0007$貴公の初期能力を測定するには、$r3回以上、バトルに参加してもらわねばならん $o0007$なにも、好成績を出す必要はない。$rやり方を覚え、無事に戻って$rこれればそれでいい $o0007$さて、他に聞きたいことはあるか? $o0007$無事、バトルをこなしてきたようだな。$r初期能力データも採取させてもらった $o0007$特に問題はない。初めは皆こんなものだ。$r予定どおり、先へ進むことにする $o0007$貴公に、DGドローン2ndの昇進試験を認めよう DGドローン2nd昇進試験 がミッションに追加されました $o0007$バトルエントリーでミッションを$r選択してみるといい $o0007$ミッションを達成できれば、$r実力が認められ、昇進できる $o0007$他に何か、聞いておきたいことはあるか? $o0007$報告は聞いている。$rDGドローン2nd、昇進おめでとう $o0007$初昇進祝いだ。これを持っていくがいい。$r装備・
Google Translate said:
Do you have anything else you want to ask?

In order to measure your initial ability, you have to participate in the battle for at least $ r 3 times
$o0007$ There is no need to make a good result. $ r Learn how to do, return safely $ r If that is the case
$o0007$ Now, do you have anything else you would like to ask?
$o0007$ It's safe to have a battle. $ r Initial capability data was also collected
$o0007$ There is no particular problem. Everyone at the beginning is like this. $ r let's move on as expected
$o0007$ allow you to accept DG Drones 2nd Promotion Test DG Drone 2nd Promotion Test added to the mission
$o0007$ Mission selected $ r with battle entry Try looking at
$o0007$ If you can accomplish the mission, you can recognize $ r ability and be promoted
$o0007$ Do you have anything else you'd like to ask?
$o0007$ The report is being heard. $ rDG Drone 2nd, Congratulations on your promotion
$o0007$ It's a first promotion celebration. You should take this. $ r Equipment
Before being allowed to try out the Promotion Exam to reach DG Drone 2nd, you had to do three battles. After getting promoted to DG Drone 2nd, you would receive the standard DG Soldier Mask.

The script above doesn't match the translated lines by Officer East. The difference might be due to this being a different part of their dialogue tree, a different NPC or even the beta version of this text.


--
file18346.raw
r選択すればいいと見る $o0010$指示通りこなせば、昇進だが、$r……? まだ何か? $o0008$ふむ、試験に向けてきっちり$r仕上げてきたな。よかろう。$rDGトルーパー3rdへの昇進試験を許可しよう DGトルーパー3rd昇進試験 がミッションに追加されました $o0008$バトルエントリーでミッションを$r選択してみるといい $o0008$ミッションを無事達成できれば昇進だ。$r他に何か聞きたいことはあるか? $o0009$ふーん。足りてるみたい、ポイント。$rいいよ、昇進試験、DGトルーパー3rdの DGトルーパー3rd昇進試験 がミッションに追加されました $o0009$選択すれば? ミッション、$rバトルエントリーで $o0009$昇進だし。クリアすればね、ミッション。$r何かある? 聞きたいこと、他に $o0010$ランキングポイントは基準を$r満たしていると見るので、$r昇進試験を許可出来る DGトルーパー3rd昇進試験 がミッションに追加されました $o0010$…
Google Translate said:
See if you can choose $
o0010$ If you do follow the instructions, promotion, but $ r ......? Still what?

$o0008$ Hmm, I have finished $ r exactly for the exam. Well.
$ rDG Let's Promotion Test to Trooper 3rd DG Trooper 3rd Promotion Test Added to Mission
$o0008$ Try selecting $ r for Mission with Battle Entry
$o0008$ Promotion if you can successfully achieve mission. $ r Is there anything else you would like to ask?

$o0009$ um. Looks like it's enough, a point. $ r OK, Promotion Test, DG Trooper 3rd's DG Trooper 3rd Promotion Test Added to the Mission
$o0009$ If you choose? Mission, $ r Battle entry,
$o0009$ promotion. If you clear it, mission. $ r Is there something? Things I want to hear, others

$o0010$ The ranking point sees the criteria $ r satisfied, so the DG Trooper 3rd Promotion Exam that can allow $ r promotion test has been added to the mission
$o0010$ ...
With the exception of the Drone 2nd Promotion Exam, players had to acquire enough Ranking Points before they could apply for an exam. The text above shows an Officer NPC acknowledging you have high enough RP to apply for the Trooper 3rd Promotion Exam.


--
file18347.raw
$r$c03★《攻守拠点戦》$c07$……攻守に分かれて行う拠点戦。$r攻め側は、制限時間内に拠点を破壊し、一定時間$r占拠すると勝利、制限時間が過ぎた場合は敗 北となる。$r1ラウンド終了後に攻守を入れ替え、再度バトルを行う。$r  $r $r $r $r$c03★《攻守フラッグ戦》$c07$……攻守に分かれて行うフラッグ戦。$r攻め側は、制限時間内に相手チームのフラッグを奪い、$r自チー ムのスタンドに持ち帰ると勝利、制限時間が$r過ぎた場合は敗北となる。1ラウンド終了後に攻守を$r入れ替え、再度バトルを行う。$r $r$c03★《個人撃破戦》$ c07$……チーム撃破戦や部隊撃破戦と異なり、$rすべてのキャラクターが敵同士となり、撃破数を競い合う。$r敵を倒すとポイントが加算されていき、規定のポイントを $r最も早く入手したキャラクターが優勝となる。 $o0011$私は$c03《生き残り戦》$c07$が好きですね。$r敵を皆殺しにできたときの感動が$r大きいですから。ムフ…… $o0011$私は$c03《生き残り戦》$c07$が、す、好きですね。$r皆殺しは我々のゲブォッ……ですから、ね? $o0012$いちばん燃えるのは個人撃破戦
Google Translate said:
★ "Offensive base battle"
... Base battle to be divided into offensive. $ r Trombone side, to destroy the bases within the time limit, victory and a certain period of time $ r occupied, a defeat if the time limit has passed. After replacing the $ r1 round, change the offense and battle again.

★ "Offense and defense flag war"
Flag war to carry out divided into ...... offense and defense. Trombone side, took the flag of the opposing team within the time limit, victory and bring in own team of the stand, a defeat if the time limit has passed. Replace for offense after the first round and battle again.

★ "Individual killing fight" ... Unlike team killing and unit fighting, all characters compete against each other for enemies. Defeat the enemy and points will be added, the character you obtain the point of provision most quickly becomes the winner.

$o0011$ I like "survival fight". The impression when you can kill an enemy is big. Muhu......
$o0011$ I "survival game" is, I, I like. The killing is our getaway ... So, is not it?

$o0012$ The one that burns the most is an individual shootout
Different PvP battle modes described here.


--
file18348.raw
ニアの必読本なんだぜ!
$o0043$はッ!? まさか!$r最近噂の怪盗バンバンジーか!?
$o0043$あんにゃろッ!$r今すぐ取り返してや・
Google Translate said:
near's must-read book!
$o0043$ Hah!? No way! Recently rumored thief Banban-G!?
$o0043$ Hello! Take me back now.
This is DGSC Jingi lamenting over his book "How to make Mako 10 times more fun" having been stolen by Banban-G. You retrieved the book by defeating Banban-G in the mission The Stolen Secret.

--
file18349.raw
でアタイの武器$r持ってんだよ? よこしなッ! ゆがんだテラシマ を 1つ 強引に奪われた! $o0018ダボがッ! 弾倉のゆがみが$r半端になってんじゃねぇかよ!! $w0037クソッだらぁぁああああーーー!!!! ゆがんだテラシマ が更にゆがんだ…… $o0018へ、これでシャバくなくなったぜ。$rん!?― $o0018$w0165…………………………… $o0018あ、あら? どうして私がこれを?$rあなたにあげたはずよ マキシマ を 1つ 受けとった $o0018試し撃ちするなら、私が行ってた$r丸秘スポットを教えてあげる マキシマム・リローデッド がミッションに追加さ
Google Translate said:
Do you have a weapon in Ati? Worst case! I was robbed of a Distorted Terashima by one!
$o0018 Dubboff! The distortion of the magazine has become half full!! $w0037 When it's fucking ah ah ah!!!! The Distorted Terashima got even more distorted...... to $o0018, this is not going to shabby. Hmm!? - $o0018$w0165 .................................
$o0018 Oh, oh? Why should I do this? I should have told you that you got one Maxima
$o0018 If you shoot it try, I will tell you the secret spot I was doing Maximum Reloaded added to the mission
The player acquired the Distorted Terashima by defeating Banban-G in the Tsviet mission "Stolen Rare Gun". Terashima was a machine gun in the online mode and seemingly it was stolen from DGC Maki. Somehow the machine gun got damaged and turned into the Distorted/broken Terashima, which Maki then upgraded to the Maxima machine gun.

At the same time this unlocked the Tsviet mission Maximum Reloaded where the Maxima is your default equipment.

While DGD Soar is the NPC usually associated with broken equipment, all of my sources point towards DGC Maki being the speaker above.


--
file18350.raw
芭っぴり心が豊かになっていくような、$rそんな気がします $o0036$またタネを持ってきていただけたら、$rきっと咲かせてみせますよ♪ $o0036$いろいろ手は尽くしたのですけれど…… $o0036$枯らしてしまいました…… $o0036$ごめんなさい……。$rできればもう一度チャンスをください! $o0036$タネを持ってきていただければ、$rよりいっそう、愛情を込めて育ててみせますので $o0036$ごめんなさいッ!$rまた枯らしてしまいました…… $o0036$でもあの、タネさえ持ってきていただければ、$r何度でも挑戦しますから! $o0036$あの花を育てたことで、$r私の中の何かが変わったような気がするんです $o0036$それが何かはうまく言えないんですけれど $o0036$あ、またタネを拾ってこられたんですね? 綿毛のついたタネを $o1036$ に預けました $o003
Google Translate said:
I feel like I'm getting rich and rich.
If you bring me some seeds, I will surely be able to bloom ♪

I did a lot of hands….
I have run down……
I'm sorry……. If possible please give me another chance!
If you bring me some seeds, I will grow more lovingly
I am sorry! I've run down again……
But you know, even if you bring even some seeds, I will challenge as many times as you want!
I feel that something in me has changed by raising that flower
Although it can not say something well though it is
Oh, you could also pick up your money? The Fuzzy Seeds
I entrusted it to you.
DGSC Hiren (DGD Hiren in the beta) is the one who can grow a Dandelion for you if you bring them some Fuzzy Seeds. However there is a likelihood that Hiren will fail to grow a flower from it, so you'll just have to repeatedly pick up a Fuzzy Seed in the Collector's Mind mission and hand it over to DGSC Hiren until she gets it right.


--
file18351.raw
されました $o0031$あれと遭遇して戻る者は希少だ。$r好きなだけ殺し合え $o0031$下郎、そろそろ次へ進め 蒼き目覚め がミッションに追
Google Translate said:
it was done
Those who come back and encounter that are rare. Kill as many as you like
Shiro, go ahead and add the Cerulean Awakening mission
I entrust it to you.
Once you became a Trooper, speaking to the Restrictor in Area/Sector 1 would unlock the mission "The Blue Roar", where you battle Azul. Clearing this mission would reward you with the Cerulean Bullet, which was an item necessary to battle Arch Azul in the Commander mission "Cerulean Awakening".

I do not know who the speaker above is since it is not clear who it is that adds the Cerulean Awakening to the MS list.


--
file18352.raw
もう戻ってこねぇのかと$r思っちまったじゃねぇか! $o0006$い、いや、復活してくれたんなら$rそれでいい! 何も文・
Google Translate said:
I guess I thought I'd come back anymore!
$ o0006 $ No, no, it's okay if you resurrected! Nothing sentence

--
file18353.raw
あの戦闘データも、$rいつオジャンになるかわかんねぇし $o0019今のうち、やれるだけやっておくのも$rアリなんじゃね・
Google Translate said:
I do not know when that battle data will become Ojang
$o0019 Of the time now, it is ants to do as much as we can

--
file18354.raw
キンを……添えてね…………$r$w0075それから……オ……オエェェー…… $o0022……フ、フゴッ!? い、いかんッ!$rもっと味わって食
Google Translate said:
Take the kin…… Please…………
$r$w0075 Then……b……bleeeaaaaar……
$o0022…… Fufu!? How old! Taste more and eat
The typical throwing-up sound by Jingi, though the context is unclear. When half of Jingi's brain was inserted into the Black Widow robot, it is possible that the other half was placed inside the moogle doll that is left in Jingi's original spot. I do not know if the moogle doll also made the throwing-up sound.

These .raw files exist in the "misc" folder after performing an extraction using Noesis. Those that hold game text display these snippets at the end of each file after opening it in Notepad++ or in a hex editor.

Far as I can tell, the entirety of the game's script can't be viewed by simply opening the correct .raw files. I think you have to further unpack the proper files to get the whole game script. So why do these snippets of text appear at all? I do not know. Maybe the text was an identifier to remind the developer "oh right, this is the part of the game I'm working on". Maybe it's just a coding accident.
 
Last edited:
I found a byte value that, when frozen, prevents you from being teleported back to the start menu once you enter "Visual Lobby 2" (the Deepground Lobby, zone 217). This allowed me to freely open and view the menu maps and location names for the areas within. I confirmed the location names for both English and Japanese.

Still no free exploration of the lobby however, since there is clearly plenty of data that won't load. Notice how there is no HP bar to the top left.


Deepground - Sector 1
ディープグラウンド・エリア1



Deepground - Sector 2
ディープグラウンド・エリア2



Deepground - Sector 3
ディープグラウンド・エリア3



Deepground - Sector 4
ディープグラウンド・エリア4



Briefing Room
ブリーフィングルーム



"Character Selection/Creation Room"
Briefing Room
ブリーフィングルーム


The player was never meant to open the menu map for this area, ergo why the location name from the Briefing Room is copied. Or who knows, maybe at one point this area *was* the Briefing Room that one entered in-between missions and battles?

Snippets of the above text can be viewed in the following files in misc folder of the International version:
JP
file8336.raw
エリア4 ディープグラウンド・エリア1 ディープ​
ENG
file8326.raw, file8337.raw - file8342.raw
- Sector 4.Deepground - Sector 1.Deepground - S​

Confirming in-game that all these location names exists in full, and not just as the fragments above, makes me confident that more exciting discoveries await us as these files are analyzed.


Easter egg among the files: Although the JP International release of Dirge only allows you to play in English or Japanese, there are still plenty of files that contain game text in Italian, Spanish, French and German. This further confirms that the release is based on the PAL version.
 
Last edited:
The Art Gallery has one unused, more-or-less superfluous artwork. I could only "unlock" this artwork by pasting the data over an artwork piece that was already being displayed. Because I went with the first picture of Vincent Valentine as the base, the unused artwork adopted a red palette. The palette is meant to be towards the grey side.



Because the art gallery already displays two artworks for the "Heavy Armored Soldier" boss, who uses both the bazooka and the sword, the lower-level Heavy Armored Soldier B and Heavy Armored Soldier S essentially only show more of the same. I wouldn't be surprised if this artwork was intentionally neglected.


In-game, as read via Cheat Engine, the above artwork is found via the following path:

data/event/scene/ev2012/tex043.rfd

However, because Noesis isn't strictly speaking built to extract the Dirge of Cerberus files, the folder "ev2012" isn't even created when I extract KEL.DAT. Instead the file gets relocated to the "misc" folder, along with thousands of other files that aren't spawned where they should.

In the International version, the miscellaneous folder holds 14095 objects. The unused artwork is file17987.raw.

I am super-busy analyzing these 14095 objects. :wacky: Will post some of my conclusions eventually.
 
One step closer to uncovering the mystery of the game text and it is leaning towards the text being compressed and requiring a dictionary to be unpacked properly.


Every text entry is called for by a string. For example the first text entry in the ending credits for the online mode is called ID_CREDIT_01 and it calls the following text:
Code:
PRODUCER
北瀬 佳範

DIRECTOR
中里 尚義

CHARACTER DESIGNER
野村 哲也

MAIN PROGRAMMER
柏谷 佳樹

SCENARIO & EVENT PLANNING DIRECTOR
千葉 広樹
In the files extracted via Noesis you won't find any string reading "ID_CREDIT_01". That is because the string is compressed in a file type that always begins with this array of bytes:
54 54 54 54 00 00 2E 00 62 36

Represented in text these array of bytes can read "TTTT....b6" which is why I typically call these the "TTTT" files.

When you teleport to the ending credits for the online mode, the game quickly calls for the appropriate TTTT file. From the extraction done by Noesis, I know it as file18379.raw.

The file is called and is almost instantly decompressed, revealing the text entry strings "ID_CREDIT_01" all the way to the final entry "ID_CREDIT_62".

If you change the byte values of the TTTT before the game's unpacking dictionary is applied the end result will be jibberish for these and many more surrounding bytes. This is what proves that a compressed file is being unpacked/decompressed. When files are just being moved and or pasted to certain addresses, you won't change a thing by changing those address values before the file/data migration happens. 'Tis a different story when a key/dictionary is being applied to the area.


Adjacent to the TTTT files are typically the "Text Preview" files, like those that showed us NPC text from the Deepground Lobby. These always start with the following set of bytes:
45 90 AF F9 B7 47 F6 94

Or "E.¯ù·Gö”" in text... Yeah, let's just call them Text Preview files. :lol:

I believe that these Text Preview files hold the actual script, like the text that ID_CREDIT_01 refers to. The problem is that I haven't been able to observe the decompression live and thus change the final text. This might be because the process is happening too fast, memory is moving from region to region in a way I can't follow, or I am simply wrong in my conclusion.


Regardless, my observation with the TTTT files and the text entry ID strings is important. Two other files extracted via Noesis, going by their file names, could hold the keys to unlocking the text.

In the dataetc folder...
- entryz.dic
- KerberosIntermissionCalc.class

The first file is obvious. A possible "dictionary" to unpack "text entries". However opening the file reveals only jibberish. Whatever truths are in there remain hidden for now.

The second one is equally attractive. It is a TTTT file (!) and the namesake of it having to do with intermediary calculations triggers the imagination. About the .class extension:
A CLASS file is a compiled .JAVA file created by the Java compiler. It contains bytecode, which is binary program code that is executable when run by a Java Virtual Machine (JVM). CLASS files are commonly bundled into .JAR files, which are included in the $CLASSPATH environment variable for execution.
Java is referenced constantly in the RAM when you play Dirge, so the presence of this .class file makes sense.


I have no idea how to further test my theories. Recently discovered that hackers made a Russian fan translation of Dirge, but I haven't gotten any replies from them. Undoubtedly they have all the knowledge we are looking for.
 
Last edited:

Cthulhu

Administrator
AKA
Yop
Weird that a ps2 game would have that much java related shit. If you pass me that .class file I can decompile it and have a look.

Re: the compressed file, I've no clue; I did a googling of those bytes / that hex you mentioned and it didn't come up with anything, IIRC most known compression formats have a header that makes them easy to identify. It's probably a simple compression algorithm anyway, but still not my strong point. Maybe you could ask for help on stackoverflow.com, those people generally know their shit; this is a good resource to begin with, it also links to a wikipedia page about magic numbers in files, e.g. common hex numbers some files start with.
 
kelstr.bin contains the most basic game text: Item names- & descriptions, equipment names & descriptions, command prompts, config menu text etc. The game loads this file while you boot up the game, shortly after the Square Enix logo has appeared. After this it remains in the same place in RAM and is always present. This easy accessibility is what made it so convenient to extract from even the beta version of Dirge.

kelstr.bin always begins with the text "KelStr 1.1" and the time it was last edited. In the case of the English file in the JP International release, the last edit happened in 2006/10/11 18:37. KelStr might stand for Kernel Strings, or Kerberos Strings if we assume the classical switches between L and R that we are familiar with in the context of Japan.

The PCSX2 emulator always load kelstr.bin in the offset 21FE0000 and there it stays. The file is loaded in its encrypted state but after a few seconds, before the Square Enix logo disappears, the key is applied and the text is revealed. This is a very straightforward byte-for-byte conversion. The file is the same size before and after, ergo this is not a case of compression like with the rest of the game text.


The first 32 offsets, above the red line, are not changed after the decryption.


Fortunately, the key/algorithm was easy enough even for me to figure out.

There are 16 keys: One for each offset on a given row as shown above. A specific key is applied to every offset/address that ends with a 0, a different key is applied to every offset/address that ends with a 1 and so on.

Each byte has two digits. The key determines what number the left- and the right digit respectively will be turned into.

EXAMPLE:
In the encrypted KelStr, offset 21FE0120 shows us the byte value "7B". After decryption it becomes "17". How? By applying the key for the offsets that end with 0.

Left digit transformation:​
0 ↔ 6​
1 ↔ 7
2 ↔ 4​
3 ↔ 5​
8 ↔ E​
9 ↔ F​
A ↔ C​
B ↔ D​

If the left digit is a 1 it will be decrypted to a 7. If the left digit is a 7, it will be decrypted to a 1.

Right digit transformation:​
0 ↔ C​
1 ↔ D​
2 ↔ E​
3 ↔ F​
4 ↔ 8​
5 ↔ 9​
6 ↔ A​
7 ↔ B

Here are all 16 keys. The variable "X" is used to represent any value.

Code:
Byte Key: Offset XXXXXXX0
Left digit transformation:
0 ↔ 6
1 ↔ 7
2 ↔ 4
3 ↔ 5
8 ↔ E
9 ↔ F
A ↔ C
B ↔ D

Right digit transformation:
0 ↔ C
1 ↔ D
2 ↔ E
3 ↔ F
4 ↔ 8
5 ↔ 9
6 ↔ A
7 ↔ B

---------
Byte Key: Offset XXXXXXX1
Left digit transformation:
0 ↔ 7
1 ↔ 6
2 ↔ 5
3 ↔ 4
8 ↔ F
9 ↔ E
A ↔ D
B ↔ C

Right digit transformation:
X = X

---------
Byte Key: Offset XXXXXXX2
Left digit transformation:
0 ↔ B
1 ↔ A
2 ↔ 9
3 ↔ 8
4 ↔ F
5 ↔ E
6 ↔ D
7 ↔ C

Right digit transformation:
0 ↔ 4
1 ↔ 5
2 ↔ 6
3 ↔ 7
8 ↔ C
9 ↔ D
A ↔ E
B ↔ F

---------
Byte Key: Offset XXXXXXX3
Left digit transformation:
0 ↔ C
1 ↔ D
2 ↔ E
3 ↔ F
4 ↔ 8
5 ↔ 9
6 ↔ A
7 ↔ B

Right digit transformation:
0 ↔ 3
1 ↔ 2
4 ↔ 7
5 ↔ 6
8 ↔ B
9 ↔ A
C ↔ F
D ↔ E

---------
Byte Key: Offset XXXXXXX4
Left digit transformation:
0 ↔ D
1 ↔ C
2 ↔ F
3 ↔ E
4 ↔ 9
5 ↔ 8
6 ↔ B
7 ↔ A

Right digit transformation:
0 ↔ 3
1 ↔ 2
4 ↔ 7
5 ↔ 6
8 ↔ B
9 ↔ A
C ↔ F
D ↔ E

---------
Byte Key: Offset XXXXXXX5
Left digit transformation:
X = X

Right digit transformation:
0 ↔ D
1 ↔ C
2 ↔ F
3 ↔ E
4 ↔ 9
5 ↔ 8
6 ↔ B
7 ↔ A

---------
Byte Key: Offset XXXXXXX6
Left digit transformation:
0 ↔ 4
1 ↔ 5
2 ↔ 6
3 ↔ 7
8 ↔ C
9 ↔ D
A ↔ E
B ↔ F

Right digit transformation:
0 ↔ F
1 ↔ E
2 ↔ D
3 ↔ C
4 ↔ B
5 ↔ A
6 ↔ 9
7 ↔ 8

---------
Byte Key: Offset XXXXXXX7
Left digit transformation:
0 ↔ B
1 ↔ A
2 ↔ 9
3 ↔ 8
4 ↔ F
5 ↔ E
6 ↔ D
7 ↔ C

Right digit transformation:
0 ↔ 5
1 ↔ 4
2 ↔ 7
3 ↔ 6
8 ↔ D
9 ↔ C
A ↔ F
B ↔ E

---------
Byte Key: Offset XXXXXXX8
Left digit transformation:
0 ↔ 7
1 ↔ 6
2 ↔ 5
3 ↔ 4
8 ↔ F
9 ↔ E
A ↔ D
B ↔ C

Right digit transformation:
0 ↔ 8
1 ↔ 9
2 ↔ A
3 ↔ B
4 ↔ C
5 ↔ D
6 ↔ E
7 ↔ F

---------
Byte Key: Offset XXXXXXX9
Left digit transformation:
0 ↔ 5
1 ↔ 4
2 ↔ 7
3 ↔ 6
8 ↔ D
9 ↔ C
A ↔ F
B ↔ E

Right digit transformation:
0 ↔ 9
1 ↔ 8
2 ↔ B
3 ↔ A
4 ↔ D
5 ↔ C
6 ↔ F
7 ↔ E

---------
Byte Key: Offset XXXXXXXA
Left digit transformation:
0 ↔ 6
1 ↔ 7
2 ↔ 4
3 ↔ 5
8 ↔ E
9 ↔ F
A ↔ C
B ↔ D

Right digit transformation:
0 ↔ 7
1 ↔ 6
2 ↔ 5
3 ↔ 4
8 ↔ F
9 ↔ E
A ↔ D
B ↔ C

---------
Byte Key: Offset XXXXXXXB
Left digit transformation:
0 ↔ 2
1 ↔ 3
4 ↔ 6
5 ↔ 7
8 ↔ A
9 ↔ B
C ↔ E
D ↔ F

Right digit transformation:
0 ↔ 4
1 ↔ 5
2 ↔ 6
3 ↔ 7
8 ↔ C
9 ↔ D
A ↔ E
B ↔ F

---------
Byte Key: Offset XXXXXXXC
Left digit transformation:
0 ↔ B
1 ↔ A
2 ↔ 9
3 ↔ 8
4 ↔ F
5 ↔ E
6 ↔ D
7 ↔ C

Right digit transformation:
0 ↔ D
1 ↔ C
2 ↔ F
3 ↔ E
4 ↔ 9
5 ↔ 8
6 ↔ B
7 ↔ A

---------
Byte Key: Offset XXXXXXXD
Left digit transformation:
0 ↔ 8
1 ↔ 9
2 ↔ A
3 ↔ B
4 ↔ C
5 ↔ D
6 ↔ E
7 ↔ F

Right digit transformation:
0 ↔ 1
2 ↔ 3
4 ↔ 5
6 ↔ 7
8 ↔ 9
A ↔ B
C ↔ D
E ↔ F

---------
Byte Key: Offset XXXXXXXE
Left digit transformation:
0 ↔ 7
1 ↔ 6
2 ↔ 5
3 ↔ 4
8 ↔ F
9 ↔ E
A ↔ D
B ↔ C

Right digit transformation:
0 ↔ E
1 ↔ F
2 ↔ C
3 ↔ D
4 ↔ A
5 ↔ B
6 ↔ 8
7 ↔ 9

---------
Byte Key: Offset XXXXXXXF
Left digit transformation:
0 ↔ 4
1 ↔ 5
2 ↔ 6
3 ↔ 7
8 ↔ C
9 ↔ D
A ↔ E
B ↔ F

Right digit transformation:
0 ↔ 3
1 ↔ 2
4 ↔ 7
5 ↔ 6
8 ↔ B
9 ↔ A
C ↔ F
D ↔ E

The keys start being applied with consistency from offset 21FE0120 and downwards to the very bottom. Changing any values before this point may result in the emulator crashing, the keys being corrupted (resulting in jibberish after the decryption) or in some cases the proper byte key is actually applied. As such:



While this doesn't help us unlock the compressed text it does give me courage to revisit the TTTT files and see if I can actually spot the algorithm being used. It might not be that a lengthy dictionary is required to decompress the file.
 
Last edited:

JBedford

Pro Adventurer
AKA
JBed
So what happens is it flips these bits:
Code:
0  0110 1100
1  0111 0000
2  1011 0100
3  1100 0011
4  1101 0011
5  0000 1101
6  0100 1111
7  1011 0101
8  0111 1000
9  0101 1001
A  0110 0111
B  0010 0100
C  1011 1101
D  1000 0001
E  0111 1110
F  0100 0011
0x21FE020 7B = 0111 1011
0x21FE020 17 = 0001 0111

https://jsfiddle.net/3L7Lhcvr/

The game will have to get the bitmask from somewhere, although how it would store it who knows. If you're lucky you'll just find 6c70b4c3d30d4fb578596724bd817e43 somewhere in the data.
 
If you're lucky you'll just find 6c70b4c3d30d4fb578596724bd817e43 somewhere in the data.
kelstr.bin includes
6C 70 B4 C3 D3 0D 4F B5 78 59 67 24 BD 81 7E 43
in a ton of places.



Search through the file for many more instances.

- Download link to English International version of kelstr.bin

I'll be on the lookout for repeating patterns like these in the TTTT files in hope of finding the bitmask.

What I have discovered so far while researching the TTTT file for the Online Mode Ending Credits is that, at least with the section I'm exploring, we are talking about a more advanced encryption key but still zero compression. My assumption that the TTTT- and Text Preview files perform compression may be entirely false.


The encryption in the TTTT file is done for eight-byte length blocks. For example the offsets that end with 00 → 07 constitute one block and the offsets 08 → 0F constitute another. New eight-byte blocks in subsequent offsets.

Any changes done to these offsets before the decryption will ONLY affect that particular block that the offsets belong to, once the decryption happens.
 
Last edited:
Discovered that the bitmask for KelStr also becomes written in the xmm1 register. To be specific, it shows the bitmask for one eight-byte block at a time.

------
Step-by-step what happens

- KelStr address is accessed. Let's say the address accessed is 21FE0200, which means it accesses 21FE0200-21FE0207, the block that will ultimately read "gun Bull" which is part of the sentence "Handgun Bullets". This block constitutes the following array of bytes:
0B 05 DA E3 91 78 23 D9

- The following opcode is applied to the address(es).
movlps xmm0,[ecx] <<
ecx = 21FE0200
The values of the 21FE0200-21FE0207 offsets/addresses are moved into the first eight bytes of the xmm0 register.
(Cheat Engine describes this action as "high to low packed single-fp" where I assume "fp" stands for "floating point")

- The first half of the bitmask, 6C 70 B4 C3 D3 0D 4F B5 78 59 67 24 BD 81 7E 43, is present in the xmm1 register.



The bytes of xmm0 are filtered through xmm1, in the manner described by JBedford, resulting in the array of bytes seen in the xmm2 register:
67 75 6E 20 42 75 6C 6C
"gun Bull"

- The previously accessed addresses 21FE0200-21FE0207 are now written back to with the new values from the xmm2 register.
movlps [ecx],xmm2 <<
(Cheat Engine describes this action as "move low packed single-fp")

/THE END
------


The KelStr file employed three xmm registers in its decryption. The TTTT files seem to employ six registers, xmm0 - xmm5.

What stumps me however is that even though the same operation is performed (movlps xmm0,[ecx] <<) to seemingly bring an array of bytes into the xmm0 register, the final values in xmm0 are VERY different from what was seemingly imported.

For example an array of bytes that should be
C7 E9 6B 07 E0 2D C8 13
is instead written in xmm0 as
5C CB 1F 09 84 6A 82 78

I do not know when and where the operation occurs to give this quite confusing result. However, knowing at last where to view the xmm registers brings us yet another step closer to decrypting the TTTT files.
 
Top Bottom