We recently reported on the fact that the encryption on Forza Horizon 3 and Halo 5: Forge on PC had their DRM decrypted very quickly. However, the whole situation, along with reports of bad performance on Forza Horizon 3, raised more questions, so we sought out Atari1337, the person who shared the decryption of Forza Horizon 3, and talked with him about it.

There are some technical things here we get into and I’ve cleaned up some of our conversation for ease of reading, but we hope that this provides some interesting information. A few key things that particularly stood out to me: - The File name Renaming on Forza Horizon 3 is the same in all versions, not randomized on each PC - There is no anti-cheat in Forza Horizon 3 - There were already hacks out there for Forza Horizon 3 before he decrypted it - The top speed on leaderboards on PC for Forza Horizon 3 is 9999 mph - The Program he used to dump the decryption was made by Infogram, which hooks into UWP applications and forces them to share information. It was made for Halo 5: Forge and there are mods in the works for that.

TechRaptor: So on the Encryption there - from what you've said the Forza Horizon 3 set up was a further evolution on what they had done with Halo 5: Forge right?

Atari1337: More or less, yes. The encryption method was all the same EFS (encrypting file system), however, Forza further scrambled files by renaming them to a pattern of strings. For example. the media folder was renamed "gq6$l". Every file and folder inside the game is renamed in this way.

TechRaptor: And I imagine it puts them through a different string each time to come up with new names and such ?

Atari1337: They all follow the same pattern: {'l', 'a'}, {'`', 'b'}, {'^', 'c'}, {'6', 'd'}, {'q', 'e'}, {'v', 'f'}, {'{', 'g' }, {'@', 'h'}, {'$', 'i'}, {'7', 'j'}, {'s', 'k'}, {'b', 'l'}, {'g', 'm'}, {'8', 'n'}, {'h', 'o'}, {'u', 'p'}, {'f', 'q'}, {'4', 'r'}, {'~', 's'}, {'1', 't'}, {'=', 'u'}, {''', 'v' }, {'m', 'w' }, {']', 'x'}, {'!', 'y' }, {',', 'z'}, {'y', '_'}, {'_', '-' }, { '[', '0' }, { '0', '1' }, { 'w', '2' }, { 'k', '3' }, { '(', '4' }, { '2', '5' }, { 'j', '6' }, { '}', '7' }, { ';', '8' }, { '+', '9' },

so from that we can get the real names: gq6ml\[email protected]!~$^~\~=~uq8~$h8\6myv4h81q86i0.]gb = media\physics\suspension\dw_frontend{{i}}1.xml gq6ml\[email protected]!~$^~\~=~uq8~$h8\6myv4h81q86ik.]gb = media\physics\suspension\dw_frontend{{i}}3.xml gq6ml\[email protected]!~$^~\~=~uq8~$h8\6myv4h81q86iw.]gb = media\physics\suspension\dw_frontend{{i}}2.xml

TechRaptor: Does it rename the files each time it runs? Or does it rely on just giving them a different name on each PC ?

Atari1337: They are baked into the app, everyone has the same structure, and it never changes. Not sure why they went this route honestly. It is extremely easy to reverse engineer and poses no real block to cracking.

TechRaptor: That... makes no sense. I mean all it means is you tell people "media is gq6$!" *Don Shakes head*

Atari1337: Truly a strange tactic. My guess is this was implemented by turn10, not Microsoft, as they are new to the PC gaming scene and were naive in their assumptions about modders and crackers.

TechRaptor: You said that it connects when in the main menu to get the decryption key from the server. Have you been able to find out if there is any sort of file check on it when it does that as well ?

Atari1337: Allow me to explain how the certification works. It's quite dumb in all honesty. Microsoft decided that rather than creating a new method for encryption they would use EFS, bad move. EFS relies on user accounts and certification files stored as .pfx. This is normally fine, one account has access to the pfx file and you cannot access the files without it. If the pfx file is't stored on the system, you will never crack the EFS. But this comes with two issues, 1) they can ONLY be decrypted by a user account with the pfx file 2) granting a user that pfx means they can do whatever they want with the files. So to get around this Forza creates a fake user account that is hidden and recognized as a network user, and attaches the .pfx to that user. Then when the game is run it asks that user to give the app permission to view its own files. So in this way the app has access to the non-EFS files. It would have been smarter to avoid using EFS altogether because by its very nature the files are exposed at some point in the process.

There is no file check from what I've observed. I believe it is trying to use the old file structure, (the renamed one) and crashes because it cannot find it. Furthermore, it tries to decrypt files that are already decrypted. I've never been good at software cracking so I'm not quite sure how to get around that, but I can only guess someone is already working on it.

TechRaptor: So, essentially the reason this was crackable, is because of how EFS requires there to be a user with the permission that the game had to reach out to run?

Atari1337: In short, yes. The game cannot read encrypted files, so it HAS to decrypt them on the fly.

TechRaptor: How much of a CPU overhead is that type of decryption typically ?

Atari1337: Typically for small files it's negligible. Most processors today support fast encryption methods. However, I am a firm believer that encrypting 40gb of files cannot be an easy task to do in such a fast paced game. And even worse most of the games files are further packed into archives. So the game must decrypt > unpack > and then render the files. On non-hyper-threaded systems this can be pretty taxing.

TechRaptor: How much of the game is compressed into archives?

Atari1337: let me take a look 903 .zip files 425 .bank files 338 .xml files 308 other files 130 .nav files 129 .owt files From what I’ve noticed so far is the zip files are compressed massively. 500mb of zip deflates to around 2gb of data. I'd say well over 70% of this games data is packed into archives.

TechRaptor: So, you'd estimate that unarchived the game would be about 3 times the size

Atari1337: Over 80gb for sure. I haven't extracted it all. I don't think its that big of a deal, most games pack archives to save some space. What worries me is the degree of compression here. I'm not data analyst but you try extracting 40gb of massively compressed files, it takes a while.

TechRaptor: Definitely, especially if you have to decrypt it.

So what interested you into looking into this ?

Atari1337: It's a hobby honestly. As a kid, I was always tearing stuff apart, and i think this is just the evolution of it.

TechRaptor: What are your thoughts on Microsoft using this type of DRM?

Atari1337: Pointless. Look at Denuvo, they are spending millions upon millions of dollars on "uncrackable" DRM . Yet just today another group cracked mirrors edge, a denuvo game. If triple A developers want to succeed on PC they should be investing that money on correctly porting games, rather than "protecting" them. DRM harms the consumer in my view. Look at the Witcher 3, it sold massively. Zero DRM. It's a triumph of showing how good games sell, bad games get DRM

I believe that if a player truly supports the game, and enjoys it, they should purchase it. However most pirates nowadays simply cannot afford it. Locking down your games doesn't mean more people will buy it, it just means those who cannot afford it won't play it.

TechRaptor: Are you concerned some that hackers may use the decrypted information to impact online play?

Atari1337: Yes and no. As a pc gamer, I'm used to seeing small time leaderboards plagued with cheats and mods. But the game already has hacks, I'm not going to mention the seller here, but a website is selling some pretty extensive hacks for Forza Horizon. Legitimate copies. It's a shame to see, perhaps they can filter out the outrageous scores. No one should have 9999 mph on a speed zone, that's impossible.

TechRaptor: Do you think Microsoft relied too much on the encryption as an 'anti-cheat'?

Atari1337: Yes. Definitely. Anti-cheats are far different from DRM. I fully support anti-cheats in online heavy games. Encrypting your game is NOT an effective version of either of these, drm nor anti-cheat.

TechRaptor: With the issues around the Microsoft UWP programs, do you think Mods will be able to address many of them?

Atari1337: Yes, only if the community is determined enough. Shout out to project Osiris for Halo 5: Forge. Pretty awesome modding tools for that game. People are already creating great stuff

TechRaptor: Why do you think there is a common misconception that Forza Horizon 3 has "always online" DRM ?

Atari1337: Because if you start the game without internet, it won't launch. They did this because the decryption key is never stored, you have to fetch it every time. Once you get fully in-game, however, you are free to take the game offline

TechRaptor: You mentioned that there were hacks going around about going 9999 miles per hour - is the game storing the information on the cars speed and such all client side without validating it beyond decryption?

Atari1337: Yes. Since the game can be taken offline (thankfully), all of the information is stored client-side. If you are online and score some amount of whatever, it just pushes that to the server.

I noticed also that anti-debugging measures are only active for the main menu of the game, probably to stop people from grabbing the encryption key so easily. But once in game all anti-debugging and anti-cheat measures are removed. Strange.

TechRaptor: Is there anything you'd like to share with people?

Atari1337: Always strive to do something, even if someone tells you it's not possible. There is always more things to learn and more fun to be had. Keep modding, keep breaking, and keep tinkering. Also as a side note: the creator of the decryption dumper goes by the name of Infogram. I want to give credit where it's due. He's a really smart guy.

I'd like to thank Atari1337 again for talking with us about this, and I hope this helped you understand a bit more about what Microsoft has done with Forza Horizon 3.