Borderlands 2 profile.bin modification toolkit


Psy-Crow
10-13-2012, 07:28 PM
Borderlands 2 profile.bin modification toolkit: Download link (https://sites.google.com/site/stuffthatimind/borderlands2/BL2_profile_modification_toolkit.zip?attredirects=0)

I've created some shell-glue script to make profile.bin modifications easier. Please read the description below.

==================================================

UPD. John_Dong (http://forums.steampowered.com/forums/member.php?u=1407421) created his own version of the tool. It's one executable, no batch scripts:

Download (https://www.johndong.net/Uploads/BL2/BL2_Rehasher.rar) | Virus Scan (https://www.virustotal.com/file/09337b854f3e4d6a4b83dec2c06b9bc881cedea43a138c33c75698671aa6d460/analysis/1350459854/)

I thought I should make this just to make things even easier:

This is a little program I made real quick to calculate and append the sha1 hash to the profile.bin or savegame.sav

Compatibility:

Xbox 360 Extracted Saves
PC saves
PC profile.bin's


Note: The save and/or profiles need to be in the same directory as the application!

To run use in command prompt:
BL2_Rehasher.exe (filename)
or just run from the application.

==================================================

1. What is this?

This is a set of tools combined with a batch file to allow you to hex-edit the BL2 profile.bin file. BL2 profile.bin is protected from modification by a SHA1 hash (checksum), which is stored in the first 20 bytes of the file. You need to recalculate and update it after editing the profile, or BL2 will reject the profile and load default settings.

2. How to use this?


Unpack to the folder of your choice.
Put your BL2 profile.bin to "source" folder, hex-edit it with your favorite editor.
Run Rebuild_Profile.cmd either from command-line or by double-clicking it.
Your updated profile.bin is now in "rebuilt" folder.


Also, every time you run Rebuild_Profile.cmd, a backup of your profile.bin from the "source" folder is created in the "backup" folder with a random number added after its extension, i.e. "profile.bin.5234".

3. Practical usage: BADASS TOKENS

Badass tokens are a good unique value that can be easily located and modified in profile.bin. Here is a detailed step-by-step tutorial:


Launch BL2 and see how many Badass tokens you have. Memorize the number or write it down somewhere. Exit BL2.
Open Windows' Calculator and switch it to the "scientific" mode (or "programmer" in Win7). Enter the number of your Badass tokens and click "Hex". It will convert the decimal number to hexadecimal, which we will later search for in profile.bin.
Copy your profile.bin from the BL2 SaveData folder: c:\Users\USERNAME\Documents\My Games\Borderlands 2\WillowGame\SaveData\XXXXXXXXXXXXXXXXX\ to the "source" folder of this toolkit.
Open profile.bin with any hex editor (this one is free and portable: http://mh-nexus.de/downloads/HxDen.zip)
Search for the hex value you converted in Calculator earlier. If you're lucky, there will be only one occurrence of this value. If not, you will have to make more than one try. Don't edit all values at one time, this increases the chances that you'll break something and BL2 won't load your profile.
When you have found your Badass tokens value, change it to any number you like (FF will give you 255). Save profile.bin.
Launch Rebuild_Profile.cmd either from the command line or by double-clicking it.
Copy your updated profile.bin from the "rebuilt" folder to the BL2 SaveData folder, overwriting the original file.
Launch BL2, check your Badass tokens. If BL2 loads the default profile, it means that you probably edited the wrong value. Restore from backup and try again.


4. Credits.

kthx from Gearbox forums, for figuring out about the SHA1 checksum: http://forums.gearboxsoftware.com/showpost.php?p=2903167&postcount=10
Egoroff, for command-line SHA1 calculator: http://www.egoroff.spb.ru/portfolio/download/
StahlWorks Technologies, for providing great file manipulation tool: http://stahlworks.com/dev/swiss-file-knife.html
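
An added example, not taken from the original post or from either tool in this thread, of the integrity scheme the first post describes: a 20-byte SHA-1 header stored in front of the data it protects. It assumes the digest covers every byte after the header, runs on a constructed payload rather than a real profile.bin, and contrasts the unkeyed digest with a keyed HMAC-SHA1 header; all function names are illustrative.

```python
import hashlib
import hmac

DIGEST_LEN = 20  # SHA-1 digest size; the post says it sits in the first 20 bytes


def split_profile(blob: bytes) -> tuple[bytes, bytes]:
    """Split a file image into (stored_digest, payload)."""
    if len(blob) < DIGEST_LEN:
        raise ValueError("file shorter than the 20-byte SHA-1 header")
    return blob[:DIGEST_LEN], blob[DIGEST_LEN:]


def verify(blob: bytes) -> bool:
    """True when the header equals SHA-1 of the payload (assumed coverage)."""
    stored, payload = split_profile(blob)
    return hmac.compare_digest(stored, hashlib.sha1(payload).digest())


def rehash(blob: bytes) -> bytes:
    """Return the image with its header recomputed over the current payload."""
    _, payload = split_profile(blob)
    return hashlib.sha1(payload).digest() + payload


def seal_keyed(payload: bytes, key: bytes) -> bytes:
    """Same layout, but the 20-byte header is HMAC-SHA1 under a secret key."""
    return hmac.new(key, payload, hashlib.sha1).digest() + payload


def verify_keyed(blob: bytes, key: bytes) -> bool:
    """True when the header equals HMAC-SHA1(key, payload)."""
    stored, payload = split_profile(blob)
    expected = hmac.new(key, payload, hashlib.sha1).digest()
    return hmac.compare_digest(stored, expected)


def demo() -> dict:
    # Constructed sample payload, not real profile.bin contents.
    payload = bytes(range(64))
    original = hashlib.sha1(payload).digest() + payload

    # Simulate a hex edit of one payload byte (file offset 20 + 8).
    edited = bytearray(original)
    edited[DIGEST_LEN + 8] = 0xFF
    edited = bytes(edited)

    key = b"constructed-demo-key"  # constructed key for the keyed variant
    keyed = seal_keyed(payload, key)
    keyed_edited = keyed[:DIGEST_LEN] + edited[DIGEST_LEN:]
    return {
        "original_ok": verify(original),
        "edited_ok": verify(edited),            # stale header is detected
        "rehashed_ok": verify(rehash(edited)),  # header recomputed without any secret
        "keyed_edited_ok": verify_keyed(keyed_edited, key),
        # A plain SHA-1 header does not satisfy the keyed check.
        "keyed_rehashed_ok": verify_keyed(rehash(keyed_edited), key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

An unkeyed digest in the file itself detects accidental corruption only; the keyed variant holds only for as long as the key is not available to whoever can edit the file.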

l4d2hunter
10-13-2012, 07:39 PM
Thank you so much! Just earlier I was looking up how to edit .bin files.

EDIT: All righty, so my badass tokens are 0, and there are tons of 00s out there.
Is there a specific location?

Psy-Crow
10-13-2012, 07:56 PM
Thank you so much! Just earlier I was looking up how to edit .bin files.

You're welcome, hope it works for you. Post your results, I'd like to hear some feedback :).

Psy-Crow
10-13-2012, 08:20 PM
EDIT: All righty, so my badass tokens are 0, and there are tons of 00s out there.
Is there a specific location?

Oh, you've got a boundary case here :confused:. No specific locations, AFAIK. Try somewhere around 0x148, but it's not 100% guaranteed. Or just play a little and get some tokens ;).

l4d2hunter
10-13-2012, 08:26 PM
Oh, you've got a boundary case here :confused:. No specific locations, AFAIK. Try somewhere around 0x148, but it's not 100% guaranteed. Or just play a little and get some tokens ;).

Also, with things like XX XX 00 00, are the two pairs of 0's together, or do they both stand for different things?
I'm not sure how to explain it honestly, so please bear with me.

XX XX = not important, other numbers

Zekiran
10-13-2012, 08:34 PM
I like to earn my badassery.

I would, however, love to be able to toggle into 3rd Person mode. When you've got that figured out, I'll happily download this.

Psy-Crow
10-13-2012, 08:34 PM
Also, with things like XX XX 00 00, are the two pairs of 0's together, or do they both stand for different things?
I'm not sure how to explain it honestly, so please bear with me.

XX XX = not important, other numbers

Just to be clear, I didn't reverse the profile.bin internal structure, I merely made a tool to make such research a little bit easier. Bear this in mind :).

Considering your question, I suppose that they are different things (mostly), so try to change them separately.

Psy-Crow
10-13-2012, 08:40 PM
I like to earn my badassery.

Well, same for me. It's just an example.

I would, however, love to be able to toggle into 3rd Person mode. When you've got that figured out, I'll happily download this.

Me too, but I've just started. I hope that the community will join me in this quest.

Latharion
10-13-2012, 10:45 PM
I like to earn my badassery.

I would, however, love to be able to toggle into 3rd Person mode. When you've got that figured out, I'll happily download this.

Basically, this tool is just a simple script file with a file re-hasher included. The .bin file isn't necessarily "encrypted" as it is simply raw data stored in an SHA1 secured file. Forcing the game to read the willow*.ini files for keyboard commands doesn't even seem to be within the scope of the player.bin file. Interesting little tid-bit though, if you want, you can change your keyboard config using a hex editor and the OP's script (to re-hash the file afterward). The keyboard commands are plainly visible within the file.

Zekiran
10-13-2012, 11:07 PM
Yes, I've altered my ini file plenty (and downloading the dlc appeared to re-write it so I had to re-insert the ~ and \ commands), but the issue with 3rd person is that it's *not useable by anyone* because the command isn't written into the files we CAN alter with any ease.

I don't know enough or operate with enough confidence with hex to go in and just fiddle, I'm gonna leave that to anyone with more guts and more experience than me on it. :)

Latharion
10-13-2012, 11:12 PM
I do see your point. Also I think it was kind of silly of the devs to remove the capability to read the .ini files for basic keyboard commands, 3rd person view, and other non-hack related basic settings stuff. It leaves me scratching my head on that one.

Jareef
10-14-2012, 12:11 AM
I had lost all of my badass points about two-thirds through the game. It would be great to gain those points back.

Psy-Crow
10-14-2012, 05:02 AM
I had lost all of my badass points about two-thirds through the game. It would be great to gain those points back.

After a quick glance into the profile.bin, I couldn't find points, only tokens. Maybe points are calculated somehow against other base values, or just stored in non-plain format. As I've said try lurking somewhere around 0x148 to find tokens.

Jareef
10-16-2012, 12:48 AM
I tried using this and all of my badass points were reset. Any advice?

Zekiran
10-16-2012, 12:54 AM
Never alter files without having first made copies so you can replace them?

Jareef
10-16-2012, 12:56 AM
I made copies. I was able to replace the file without any trouble. But the alteration failed. I'm not sure what went wrong.

Nite69
10-16-2012, 03:57 AM
Is there a way to edit that Profile.bin to get more golden keys?

gearbox doesn't seem to be giving them out anymore.

Psy-Crow
10-16-2012, 04:28 AM
I tried using this and all of my badass points were reset. Any advice?

Well, it means that you probably edited the wrong value. Describe what you did, I need more info to help you. Also you can upload your profile.bin somewhere, so I could look into it.


Is there a way to edit that Profile.bin to get more golden keys?

gearbox doesn't seem to be giving them out anymore.

Currently no. That was my original intent, because I accidentally used my key (don't play tired ;)). But they are definitely stored in profile.bin, so there is a chance that I will find how to get them.

DIMREEPER
10-16-2012, 09:51 AM
If you have at least 1 key you can back up your profile.bin, then use your key, then exit and just copy your profile.bin back to have your key back.

Odins Raven
10-16-2012, 12:13 PM
If you have at least 1 key you can back up your profile.bin, then use your key, then exit and just copy your profile.bin back to have your key back.

that is a really really good workaround that requires like no effort.

ON topic how the hell did you get away with making this topic? I stopped asking about the .bin file weeks ago because I kept getting infractions for asking if anyone made an editor yet :(

Psy-Crow
10-16-2012, 06:54 PM
that is a really really good workaround that requires like no effort.

Given, that you have one :) I don't.

ON topic how the hell did you get away with making this topic? I stopped asking about the .bin file weeks ago because I kept getting infractions for asking if anyone made an editor yet :(

I saw a topic about editing profile.bin at Gearbox forums (mentioned in credits), so I decided that it's not against the general rules here too. No one proved me wrong (yet).

Nite69
10-16-2012, 07:13 PM
If you have at least 1 key you can back up your profile.bin, then use your key, then exit and just copy your profile.bin back to have your key back.

D'oh :( that's a cool idea but unfortunately I don't have one, I used them all up already.

I hope they give out more keycodes, I will use that idea next time.

MEMANIA
10-16-2012, 08:16 PM
What else is saved to profile.bin that you'd need to worry about, is it just badass rank, skins/heads, shared loot locker, and the chest keys?

Psy-Crow
10-17-2012, 04:09 AM
What else is saved to profile.bin that you'd need to worry about, is it just badass rank, skins/heads, shared loot locker, and the chest keys?

I think you named it :). In addition, key bindings are stored there, that's why we don't have 3rd person view mode yet.

Odins Raven
10-17-2012, 10:27 AM
Hey guys if you want a profile.bin with a key in it just give me a PM and I'll upload mine to mediafire or something for you. I might even have 2 gold keys on there. Not sure.

John_Dong
10-17-2012, 10:47 AM
I thought I should make this just to make things even easier:

This is a little program I made real quick to calculate and append the sha1 hash to the profile.bin or savegame.sav

Compatibility:
-Xbox 360 Extracted Saves
-PC saves
-PC profile.bin's

Note: The save and/or profiles need to be in the same directory as the application!

To run use in command prompt:

BL2_Rehasher.exe (filename)

or just run from the application.

Download (https://www.johndong.net/Uploads/BL2/BL2_Rehasher.rar)
Virus Scan (https://www.virustotal.com/file/09337b854f3e4d6a4b83dec2c06b9bc881cedea43a138c33c75698671aa6d460/analysis/1350459854/)

Psy-Crow
10-17-2012, 01:23 PM
I thought I should make this just to make things even easier:

This is a little program I made real quick to calculate and append the sha1 hash to the profile.bin or savegame.sav


Works like a champ, thanks a lot! I've updated first post to include it.

John_Dong
10-17-2012, 03:04 PM
Works like a champ, thanks a lot! I've updated first post to include it.

No problem, thanks for your release too :)

BTW if you wanna look into it I am 90% sure the profile is compressed with a huffman tree and lzo so you might be able to decompress it down to the unicode and player data.

Psy-Crow
10-18-2012, 03:05 AM
BTW if you wanna look into it I am 90% sure the profile is compressed with a huffman tree and lzo so you might be able to decompress it down to the unicode and player data.

Damn! That explains a lot, I've been looking into it yesterday, digging bindings and couldn't understand, why they are plaintext, but get scrambled sometimes. And probably that's why rest of the file changes, if I modify bindings. Thanks, mate!

John_Dong
10-18-2012, 03:19 AM
Damn! That explains a lot, I've been looking into it yesterday, digging bindings and couldn't understand, why they are plaintext, but get scrambled sometimes. And probably that's why rest of the file changes, if I modify bindings. Thanks, mate!

Yup ;) First 20 elements (40 bytes) of the byte array when you read from the file to byte array is the SHA1 hash and the rest is the (in order) unicoded, reverse xor'd, huffman'd, and lzo1x compressed player data and it's all thanks to Gearbox for being awesome (Cryptographically and Game wise) ;)

Psy-Crow
10-18-2012, 04:14 AM
Yup ;) First 20 elements (40 bytes) of the byte array when you read from the file to byte array is the SHA1 hash and the rest is the (in order) unicoded, reverse xor'd, huffman'd, and lzo1x compressed player data and it's all thanks to Gearbox for being awesome (Cryptographically and Game wise) ;)

Ach, mein Gott! :eek: I'm not sure if I could handle this with shell-glue. Thanks for sharing, I'd never even get this far (quadruple-encoded, d'oh).

exit button
10-18-2012, 10:28 AM
Anything interesting in the encrypted data, key bindings perhaps?

Psy-Crow
10-18-2012, 10:47 AM
Anything interesting in the encrypted data, key bindings perhaps?

Key bindings are kinda plaintext, I was able to modify them with limited success. But they are stored in a really ridiculous way. E.g. if you bind "forward" to "F10", it will be stored as "W,F10". So it looks like the original key bindings are used as a reference. So I tried to hex-edit it as "S,F10" and it worked, "backwards" was bound to "F10". I wasn't able to bind actions not listed in the game's menu yet.

formn
10-18-2012, 10:57 AM
Key bindings are kinda plaintext, I was able to modify them with limited success. But they are stored in a really ridiculous way. E.g. if you bind "forward" to "F10", it will be stored as "W,F10". So it looks like the original key bindings are used as a reference. So I tried to hex-edit it as "S,F10" and it worked, "backwards" was bound to "F10". I wasn't able to bind actions not listed in the game's menu yet.

Would you please paste what the decrypted data looks like?

John_Dong
10-18-2012, 04:27 PM
Anything interesting in the encrypted data, key bindings perhaps?
No but you can just create key bindings or edit them with ida pro.

John_Dong
10-18-2012, 04:28 PM
Would you please paste what the decrypted data looks like?
Unicode and willow format items

SKiLLY2
10-18-2012, 05:04 PM
Any easy way to lower mouse sensitivity? In-game options only allow it to go down to "10." And that's still about 2x as high as I'd like.

Psy-Crow
10-18-2012, 06:06 PM
John_Dong, as I see, your skills are way above mine. Even with your description, I can't even decompress lzo, not to mention going further. And you've already done that. So may I ask you to code a tool that will be able to unwind all layers of the profile.bin compression\encryption scheme and roll it back? No fancy editing stuff, just bin->plaintext->bin. I don't like begging, as you may see, but this is just not my area of expertise.

If you don't feel like doing this, maybe you just could dump plaintext of profile.bin here? It would be very interesting.

BTW, you mentioned IDA, any highlights of where to look for the profile.bin reading\writing code?

Odins Raven
10-18-2012, 11:28 PM
I just want to say you guys are awesome and keep it up till someone gets a proper "new" willow editor tool for all of us laymen

Psy-Crow
10-19-2012, 04:50 PM
Hooked the http://lzohelper.codeplex.com/ to PowerShell: works fine alone (able to comp\decomp files), but wouldn't decompress profile.bin. :mad:

Here is my POSH script, that tries to unpack profile.bin from any offset. Any ideas why it fails?

$WorkDir = "X:\Test"
Set-Location $WorkDir

Add-Type -Path LZOHelper.dll

# Read the whole file as a byte array
$ProfileBin = Read-FileByte profile.bin
$i = $ProfileBin.Count

# Try to decompress every tail of the file, from the full file down to the last byte
while ($i -ne 0) {
    Write-Host Offset: $i
    $TempBin = $ProfileBin | Select-Object -Last $i
    $ProfileBinUnpacked = [LZOHelper.LZOCompressor]::Decompress($TempBin)
    if ($ProfileBinUnpacked) { Convert-ByteArrayToHexString $ProfileBinUnpacked | Write-Host }
    $i--
}

File read\write\hex-formatting functions are from here (http://www.sans.org/windows-security/2010/02/11/powershell-byte-array-hex-convert)

Found another tool (http://www.360haven.com/forums/showthread=17795-%5Bwip%5D-borderlands-2-compression-tool.html), that should be able to decompress the profile (uses MiniLZO lib), but it's throwing some cryptic errors at me. Check, maybe it will work for you, guys: DL Link (http://www.mediafire.com/?wtghbiwz8jl526i).

This guy (http://www.se7ensins.com/forums/threads/decoding-the-files.786723/#post-5773751) is able to decompress profile too. Gosh, what am I doing wrong?

exit button
10-20-2012, 06:14 PM
Any more luck with this?

John_Dong
10-21-2012, 06:22 PM
Decompress the contents after the hash and also you might wanna use python or something of the sort for its ability to pack binary data

John_Dong
10-21-2012, 06:28 PM
I would be happy to post but I would rather not because I don't know how Gearbox would respond to binary modifications. I can just tell you that if you know assembly then you are good to go.

Psy-Crow
10-22-2012, 06:12 AM
Decompress the contents after the hash
That's what I've been trying to do for days, literally. I'm stuck. I certainly do miss something obvious. I've tried two .net wrappers:

http://lzohelper.codeplex.com/
http://www.codeproject.com/Articles/16239/Pure-C-MiniLZO-port (use bugmenot (http://www.bugmenot.com/view/codeproject.com) to download source)

and they both wouldn't decompress. Maybe there is something wrong with the way I feed data to them?

I believe, that it has something to do with decompressed block size. E.g. lzohelper assumes it like this:

// Don't include the extra 4 bytes we used to store the uncompressed length
lzo_uint in_len = Source->Length -4;

and that's probably why I'm able to compress\decompress random data by using it, but not the profile.

MiniLZO C# works this way:
Compression

byte[] original = File.ReadAllBytes("...");
byte[] destination;
MiniLZO.Compress(original, out destination);

Decompression

byte[] destination = ...; /* Resulting buffer from above */
byte[] original = new byte[x];
MiniLZO.Decompress(destination, original);

and I don't quite understand what it means by

byte[] destination = ...; /* Resulting buffer from above */

Is this the size of the original data block, or an empty buffer to store the decompressed data? If it is the size of the original data block, how can I find it?

Or could you tell me what solution you used to unpack the profile (lib\language) so I can look into it to understand how it should be done?


and also you might wanna use python or something of the sort for its ability to pack binary data

Well, if everything else fails, I might dig into Python :).

I would be happy to post but I would rather not because I don't know how Gearbox would respond to binary modifications. I can just tell you that if you know assembly then you are good to go.

Sure, I understand your concerns. Maybe you could share it personally in private talk, when I finish unpacking profile.bin :D.

John_Dong
10-22-2012, 07:55 AM
The best wrapper for .NET is here (https://www.johndong.net/Uploads/BL2/lzowrapper.cs)
The 32 and 64 bit latest binaries for the wrapper are here (https://www.johndong.net/Uploads/BL2/lzo_binaries.rar)
Call it using:

byte[] decBytes = LZOCompressor.Decompress(src); // src is a byte[]

Psy-Crow
10-22-2012, 08:05 AM
The best wrapper for .NET is here (https://www.johndong.net/Uploads/BL2/lzowrapper.cs)
The 32 and 64 bit latest binaries for the wrapper are here (https://www.johndong.net/Uploads/BL2/lzo_binaries.rar)
Call it using:

byte[] decBytes = LZOCompressor.Decompress(src); // src is a byte[]


Hmm, I've tried this one (http://lzo-net.sourceforge.net/ version), but it didn't work. Can't remember why, I need to get home and look into scripts. I hope I'll get better luck with your build.

Thanks for sharing, I'm really grateful for that.

John_Dong
10-22-2012, 08:07 AM
Hmm, I've tried this one (http://lzo-net.sourceforge.net/ version), but it didn't work. Can't remember why, I need to get home and look into scripts. I hope I'll get better luck with your build.

Thanks for sharing, I'm really grateful for that.
1) DllImport attributes needed fixing when calling from .NET 4
2) String memory cleanup issue

No problem ;)

arkain7th
10-27-2012, 02:39 PM
Is there a way to fix the No Token Bug glitch with this tool? I am unable to play the game because no matter how many badass challenges I complete I never get any tokens. This happened immediately after the Mechromancer update. And Gearbox doesn't look like they even care about the bug and aren't in a hurry to fix it. A lot of people are having this problem so I am so upset that they claim they are working on a fix but aren't even trying. It shouldn't be that hard since the bug seems to be related to the profile.bin becoming corrupted or whatever. Is there a way to fix it with this?

Jareef
10-28-2012, 10:11 PM
Has anyone gotten this to work reliably? I have tried it a few times and it always resets my tokens and skill points to zero. Anyone got any tips?

Overt.Enemy
10-28-2012, 11:09 PM
I had lost all of my badass points about two-thirds through the game. It would be great to gain those points back.

Lol, you can do that with a utility like Cheat Engine without having to figure anything out yourself.