In my last article I described the details of the ATTRIBUTEZ.TXT file. Now it’s time to tackle the internals of the mysterious CHEATZ.TXT file. Since these two files have a lot in common I highly recommend you read the previous article about ATTRIBUTEZ.TXT file beforehand – it’ll definitely help you understand what’s going on in this one.

The CHEATZ.TXT file was quite important for me. First, the encryption algorithm used in the ATTRIBUTEZ.TXT file was discovered during my absence: back then I was on a hiatus from Gruntz, and when I came back I was presented with a fait accompli. I felt really uncomfortable that I had missed such a discovery entirely. Second, it turned out the ATTRIBUTEZ.TXT file contains some very important information, including the cheat codes. Of the 148KB the file takes up, almost 5.5KB are cheat codes (70 of them, to be exact). And here we have the CHEATZ.TXT file, which isn't even 1KB, over six times smaller than the cheat codes from the ATTRIBUTEZ.TXT file alone! This provokes a few questions: what is inside this file? Is it really cheat codes, as the file name would suggest? Considering the file size it wouldn't be many cheat codes anyway, a few of them tops. And simply look at the location of the file; its full path is STATEZ\CREDITZ\PALETTEZ\CHEATZ.TXT. Is that any indication of what we might find in the file?

1. The recon

I brewed myself a cup of coffee, sat at my desk and started thinking about where I should begin. Naturally the first order of business would be to try decrypting the file with the same algorithm and key used for the ATTRIBUTEZ.TXT file. However, if it were that easy the contents of this file would already have been decrypted by now, right?

The decryption algorithm for the ATTRIBUTEZ.TXT file (along with the key) was retrieved from the game executable itself by disassembling it. This topic is complex enough to deserve another article of decent length, so I won't even try to explain it here. I'll just say that there are a few applications which help with disassembling a binary and analyzing it. My weapon of choice in that regard is IDA (Interactive Disassembler). While it's definitely not cheap (the most basic version as of October 2018 costs over $700), one of the older versions is available for free without any limitations. After some time spent analyzing the Gruntz.exe file with IDA I eventually found the function responsible for decrypting a single block of data, as well as the encryption key for the ATTRIBUTEZ.TXT file. Believing I was onto something, I started looking for the key used to decrypt the CHEATZ.TXT file. Unfortunately to no avail, as I came to a nearly devastating conclusion: the Gruntz executable neither decrypts the CHEATZ.TXT file nor uses it in any way. At that moment everything became clear. Remember the XeNTaX forum thread in which the user named Friedslick6 asked how to decrypt the ATTRIBUTEZ.TXT and CHEATZ.TXT files? The response he received dealt only with the former, and that's the sole reason why: there was simply no other encryption key to be reversed.

Obviously the discovery made my face fall. Although I didn't hope for too much, I decided to continue my endeavors. The fact that the file is not used by the game might indicate that it's a relic from the game's development stage which was not removed from the final version. In such circumstances the contents of the CHEATZ.TXT file become a collector's item, just like the attack animations of Gruntz wielding a Wand or a Warpstone piece. I just need it!

2. The investigation

First things first: I opened the CHEATZ.TXT file in a hex editor. Even though the file is relatively small, one thing drew my attention immediately: a block of 8 bytes repeated at the very beginning of the file. As you might remember, the same pattern can be spotted in the ATTRIBUTEZ.TXT file, where that block turned out to be a sequence of eight asterisks ("********"). The almost identical placement of those blocks looks very promising, as it suggests that the decrypted contents of the CHEATZ.TXT file also contain an analogous block comment with multiple asterisks.

At this point it was quite reasonable to assume that I was again dealing with the Blowfish encryption algorithm, as was the case with the ATTRIBUTEZ.TXT file. All that's left is figuring out the key. In the case of the ATTRIBUTEZ.TXT file it was the characters "1212". I concluded that the only way to discover the key is to write a brute-force program which tests every possible key against the encrypted data, and this … is where the plot thickens. I can't simply test every possible key, since the number of possibilities grows exponentially with the key size. It's disturbingly easy to come up with a key size for which a program testing all combinations would not finish before the heat death of the universe. The strength of Blowfish itself is irrelevant here; the only thing that matters is how large the key space is. So here's the thing: either the key is small enough that I'll be able to crack it … or after some time I acknowledge defeat and give up.

Let's now suppose we have generated a key and decrypted the file with it. If all we can see after decryption is the same gibberish we started with, the key was a miss. If, on the other hand, we see something interesting, we shout "bingo" and do a celebratory dance. Here's the question though: how would the program know that the decrypted data makes sense and thus that the generated key is the correct one? Now recall the repeated block of eight bytes at the beginning of the file I mentioned earlier. At that point I would have bet my head that it's the same sequence of asterisks seen in the ATTRIBUTEZ.TXT file. The ECB (Electronic Codebook) cipher mode is very convenient for crackers as it encrypts each block individually, independently of the rest of the data (refer to the previous article for more details). So if we take that one block of eight bytes, decrypt it with the generated key and get the sequence of eight asterisks, we're done. A chance hit is not a concern either: a wrong key turning a given block into exactly those eight bytes happens with probability 2^-64 per trial, negligible even against the roughly 2^32 keys we may have to try.

What if we hadn't come up with the idea of these blocks of eight asterisks, or simply didn't have that knowledge in the first place? Assuming the original file was an ordinary text document, one could always fall back to statistical analysis and count how many bytes are printable ASCII characters. If the percentage of such characters is close to 100% the key is likely to be correct. One could also employ some heuristics to aid the process. What if the original file held strictly binary data, though? Well, without any prior knowledge of the structure of the file or any hints on what could be inside … there's not much you could do, really.

So it all boils down to hunches and assumptions which may or may not work out in the end: what the size of the key is assumed to be, and what characters it could possibly be comprised of. We even assumed the repeated block of eight bytes to be a sequence of eight asterisks; nobody said that this assumption must be true! Either these assumptions will be a hit … or a miss. I initially assumed the key is four bytes long (like the key "1212" in the ATTRIBUTEZ.TXT file). Each byte can be one of 256 values, which gives us 2^32, roughly 4.3 billion, keys to test. On my machine it would take about 41 hours for the cracking program to test all of them. Believe me, in the world of password cracking that's a breeze. Nevertheless I assumed the key to be way simpler than that and decided to rule out the simplest combinations first, to get a possible result quicker. My first batch of generated keys consisted solely of four-character keys built from the digits 0-9. All 10,000 combinations were tested in a split second but unfortunately didn't yield any result: none of the keys gave a sequence of eight asterisks in return. The second run consisted of keys built from all printable ASCII characters: from the ASCII value 0x20 (the space character) to 0x7E (tilde "~"). That's 95 characters in total, which gives over 81 million combinations. I launched the program and went for dinner. The program was running for 47 minutes.

And when I came back … I shouted “bingo”.

3. The grand finale

Twenty minutes after launch the program found the matching key which yielded the long-wished-for sequence of eight asterisks. The key turned out to be "K3V1". Well, what do you know! The file actually did contain some cheat codes, as the file name would suggest. There are six of them and they are encoded the same way as in the ATTRIBUTEZ.TXT file. Here's the plain decoded version:

Three of the cheat codes can already be found in the ATTRIBUTEZ.TXT file but they’re named differently. These are:

  • MPLC – it’s the cheat code MPILOVETHISGAME, which allows remotely creating Gruntz with an “I” key
  • MPPD – it’s the cheat code MPIHATETHISGAME, which allows remotely removing Gruntz with a “K” key
  • MPFIRE – it’s the cheat code MPLETSBLOWSTUFFUP, which allows remotely spawning an explosion with an “F9” key

The other three cheat codes are however something new:

  • MPCLEARCHEATZ – the name of the cheat code is rather self-explanatory. Typically, once you use cheat codes the save feature is disabled until you restart the game. The MPCLEARCHEATZ cheat code removes this side effect and lets you save the game again
  • MPWARPSTONEZ – perhaps one of the most anticipated cheat codes – it gives you a Warpstone piece
  • MPGOOPUDDLE – it allows remotely spawning Goo Puddlez at the cursor with a “P” key

We can only guess at the origin of this file. Perhaps the developers planned to keep all the cheat codes in a separate, dedicated file, but changed their minds after some time and moved them to the ATTRIBUTEZ.TXT file, leaving the CHEATZ.TXT file behind (either accidentally or for future reference). The fact is that the three "new" cheat codes from the CHEATZ.TXT file are really powerful and give you complete control over the entire level and its completion. Perhaps the developers concluded they allow too much and removed them from the ATTRIBUTEZ.TXT file. To enable those cheat codes again one would have to modify the ATTRIBUTEZ.TXT file. But … there's also another, non-invasive way which may allow you to execute any cheat code implemented by the game engine (and other arbitrary commands!) without even touching GRUNTZ.REZ or any other file. But that topic is reserved for another time and another article 🙂

Cheers, Tomalla