Monday, October 17, 2011

Getting Book 2 of the Uplink Game Bible

Spoiler alert - these posts tell how to decrypt the books of the Uplink Game Bible. Be advised that all the books of the Uplink Game Bible are available in unencrypted form in the Uplink Developer CD which can be downloaded via BitTorrent. I use the Vuze BitTorrent client on a Mac and the website btjunkie.org.

A word of warning - the challenge of getting the Uplink Game Bible was mostly intended for other Software Developers or hard-core computer enthusiasts.

It is not necessary to hack the Game Bible in order to play the game. The Game Bible only contains design notes and sketches the Introversion developers made while developing Uplink; it does not contain any strategy hints, tactics, or secrets necessary to complete the game (AFAIK).

Book 2 is found on the Uplink Bonus CD. A link to the Bonus CD is at http://www.introversion.co.uk/uplink/bonusdisk.html . The direct link is http://www.introversion.co.uk/uplink/downloads/Bonus%20CD.zip . Book 2 is in the "book2" folder on the CD.

This folder contains the following:
  • 1 encrypted readme.txt file
  • 52 encrypted image files - these are the pages of book 2 of the Uplink Game Bible
  • a "book2.html" file with the message, "Book II is located on this CD in the book2 directory. You'll also find a readme.txt file, detailing how to find Book III. You didn't think it was going to be easy did you?" Basically the author throws down the gauntlet.

When you use a hex editor to look inside the readme.txt file and the image files, you see that all the files begin with the same 16 bytes:
I used HexEdit for Mac by SoftTonic which is available at http://hexedit.en.softonic.com/mac .

The encrypted readme.txt file and the 52 encrypted image files all begin with 15 bytes which spell "ONETIMEREDSHIRT" followed by a 0 byte (a null). This 16 byte header is a hint that the file is somehow encrypted using both one-time-pad encryption and REDSHIRT encryption.

After reading lots and lots of posts in the Introversion Uplink forum, forcing one to wade through lots of posts from douche-bags taking way too much enjoyment out of being in the know, the answer becomes clear. What the "ONETIMEREDSHIRT" header actually means is, "This file was one-time-pad encrypted using the bytes in a key file. The key file is itself encrypted with REDSHIRT encryption."

You can read about one-time pad encryption at http://en.wikipedia.org/wiki/One-time_pad. In the case of Uplink Game Bible book 2 it means that the original file had each byte XOR'ed with some of the bytes inside another file. This other file is the one-time-pad, also known as the key file. The key file is used for both encrypting the original unencrypted plaintext message and for decrypting the encrypted ciphertext message.

XOR is a reversible operation. For encryption, you XOR the plaintext file bytes (the original unencrypted bytes) with some of the bytes in the one-time-pad key file. To reverse the process and decrypt the encrypted text (the ciphertext) you XOR the encrypted bytes with the same bytes in the key file to get the unencrypted plaintext.

The "world.dat" file is the one-time-pad key file used to both encrypt and decrypt the "Readme.txt" file and the encrypted Book 2 image files. The "world.dat" file itself comes encrypted using "Redshirt" encryption. You must first decrypt the "world.dat" file before you can use it as a key file to decrypt the "Readme.txt" file and the image files.

The "world.dat" file is installed to the "C:\Program Files\Uplink" folder when you install Uplink on Windows. AFAIK, the file is not included if you install Uplink on a Mac via download from Steam (as I did) instead of installing from an Uplink CD or CD image.

I got my original copy of the "world.dat" file by creating a virtual Windows machine on my Mac (using Sun VirtualBox), downloading an Uplink Version 1.51 CD ISO image from BTJunkie using the Vuze BitTorrent client, and extracting the Uplink CD ISO image with IsoBuster. Please don't pirate a copy of Uplink, support Introversion by buying the game. Supporting Introversion is in your best interest because we want them to make more awesome games.

Regarding the REDSHIRT encryption that's used to encrypt the world.dat file, here is the best description I found of it:
REDSHIRT is an encryption system whereby every byte is XOR'd by 128 (0x80).  It is used on various files in the game Uplink by Introversion Software, to prevent people from hacking the game too easily. The name itself is a Trekkie joke, referring to the red-shirted crew members who inevitably die within the episode. Obviously this encryption was intended to be broken ;)
When you XOR a byte by 128, you flip the highest bit of the byte. This makes the encrypted text look like gibberish when viewed in a HEX editor.

When you encrypt a file using Redshirt encryption, first you XOR each byte in the file with 128, then you add a 9 byte header to the file. The 9 byte header consists of the bytes for the word "REDSHIRT" followed by a 0 byte (a null).

When you decrypt a file that has been encrypted with Redshirt encryption, you remove the first 9 bytes of the file, then you XOR each byte in the file with 128 (since XOR is reversible).

Introversion has a Redshirt encryption / decryption utility for Mac which will do redshirt encryption / decryption for you. The Redshirt utility is available for download in the Uplink addons page at http://www.ambrosiasw.com/games/uplink/addons - use the "RedshirtX.sit" link. The direct link is http://www.ambrosiasw.com/assets/modules/addonfiles/download.php?addon=3157. To unzip the ".sit" file, I used a Mac app called "The Unarchiver" which I downloaded for free from the Internet (just Google for it).

It turns out the decrypted "world.dat" key file is actually an encrypted MP3 file. After you use the Redshirt utility to decrypt the "world.dat" file, you can rename the file to "world.mp3" and then actually play the file using any MP3 player. You should hear lots of slowly modulating electric guitar feedback. It definitely sounds like someone goofing around with an electric guitar, it does not sound like random white noise. If you hear something that sounds like what I describe, you know you're on the right track.

Hiding data like a one-time-pad inside a .MP3 file in such a way that the .MP3 file is still usable as a music file is an example of Steganography - very cool. My guess is that the Uplink designers just recorded some electric guitar sound to an MP3 file and used whatever bytes happened to result as the key file. AFAIK, they didn't encode anything else into the MP3 using full-bore steganography software like that found at http://www.petitcolas.net/fabien/steganography/mp3stego/, but who knows, maybe there's something else in that "world.mp3" file.

Once you get the "world.dat" file decrypted and renamed to "world.mp3" and verify that the "world.mp3" file plays in an MP3 player, the next step is to use the bytes of the "world.mp3" file as a key to do one-time-pad decryption on the "Readme.txt" file and the image files of Book 2.

It might be tempting to think that for each file to be decrypted you can just XOR byte 0 of the file with byte 0 of "world.mp3", then XOR byte 1 of the file with byte 1 of "world.mp3", etc. Unfortunately it turns out that you can only start at byte 0 in the "world.mp3" file when decrypting the "Readme.txt" file, not when decrypting the image files.

The key bytes for each image file are indeed inside the "world.mp3" file, but for each image file the key bytes start at a different offset within the "world.mp3" file.

The way to find the offset within "world.mp3" where the key bytes for an image file start is to take advantage of the fact that all unencrypted .jpg image files start with the bytes "FF D8 FF" - see http://en.wikipedia.org/wiki/Magic_number_(programming). For each encrypted image file, if you XOR the first 3 bytes of the encrypted file with the bytes "FF D8 FF", you get the first three key bytes. You can search inside the "world.mp3" file for these three key bytes using a good Hex Editor. I used HexEdit for Mac by SoftTonic which is available at http://hexedit.en.softonic.com/mac. The offset within the "world.mp3" file where you find those 3 key bytes is the offset within "world.mp3" where the key bytes needed to decrypt the image file begin.

Here is the C++ code to XOR the bytes of the encrypted files with bytes starting at an offset within the "world.mp3" file:

#include <iostream>
#include <fstream>
#include <stdlib.h>

int main( int argc, char *argv[] )
{
    // No error handling beyond an argument-count check, because this
    // program is only ever used one way:
    // otp <in_file> <key_file> <offset> <out_file>
    if (argc != 5)
    {
        std::cerr << "usage: otp <in_file> <key_file> <offset> <out_file>\n";
        return 1;
    }

    int offset = atoi(argv[3]);
    char ic = 0, kc = 0;
    // open everything in binary mode so no byte gets translated on the way through
    std::ifstream I(argv[1], std::ios::binary);
    std::ifstream K(argv[2], std::ios::binary);
    std::ofstream O(argv[4], std::ios::binary);

    // skip the first <offset> key bytes
    for(int i = 0; i < offset; i++)
    {
        K.get(kc);
    }
    // XOR each input byte with the next key byte
    while(I.get(ic))
    {
        K.get(kc);
        O << (char)(ic ^ kc);
    }
    I.close();
    K.close();
    O.close();
    return 0;
}

I used Xcode to turn the above C++ code into an executable application to decrypt the files. Xcode is included on the OS X Snow Leopard DVD. When installing Xcode, select the option to include "UNIX Dev Support". The Xcode application is installed at "/Developer/Applications/Xcode.app". In Xcode, from the main menu select "File > New project". In the New Project dialog select category "Application", select the type "Command Line Tool", and in the Type drop-down select "C++ stdc++". In the file browser dialog name the project "otp" (one-time-pad) and create a folder for it. In the project window, double-click the main.cpp file and overwrite the contents with the above code. From the main menu select Build > Build. In the project window, right-click the project node and select Reveal in Finder. In the "Build/Debug" folder copy the executable and paste into the folder containing the encrypted "Readme.txt" and image files.

So the process to decrypt the "Readme.txt" file and each image file of Book 2 is:

Use the Redshirt utility to de-redshirt the "world.dat" file.

Rename the "world.dat" file to "world.mp3". Copy the "world.mp3" file to the folder containing the encrypted "Readme.txt" file and the encrypted image files.

Listen to the "world.mp3" file in an MP3 player. If the file plays and you hear lots of slowly modulating electric guitar feedback you know you decrypted the "world.dat" file correctly.

For the encrypted "Readme.txt" file and for each encrypted image file, do the following:

Strip the 16-byte header from each file. The header contains the bytes to spell "ONETIMEREDSHIRT" and a trailing 0 byte (null). All 16 bytes, including the trailing null byte, must be stripped. I used HexEdit to do this.

Use HexEdit to see the first 3 bytes of the file to be decrypted. If you have a shortcut to the HexEdit application in the dock, you can just drag a file from a Finder window to the shortcut in the dock to open the file with that application.

XOR the first 3 bytes of the file to be decrypted with the bytes "FF D8 FF" to get the first 3 key bytes. To XOR the first 3 bytes of the file with "FF D8 FF", I used the Calculator app that comes with OS X. From the Calculator main menu select View > Programmer. Click the "16" button in the upper-right corner to select Hexadecimal mode. Use the XOR button to XOR the numbers. Or just do the XOR in your head for fun.

Use HexEdit to search for the first 3 key bytes within the "world.mp3" file. Write the offset of the 3 key bytes down. For example, the offset for the encrypted "Readme.txt" file will be 0, the offset for the encrypted RIMG0001.JPG file will be 3511.

From a shell window, cd to the folder containing the encrypted files and the "otp" program. Run the command "chmod +x otp" to make the "otp" file executable (you only need to do this once). Run the "otp" program with the following command-line arguments: ./otp <in_file> <key_file> <offset> <out_file>

Examples:
mkdir decrypted (you only need to do this once)
./otp Readme.txt world.mp3 0 decrypted/Readme.txt
./otp RIMG0001.JPG world.mp3 3511 decrypted/RIMG0001.JPG
...
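As an added illustration that is not part of the original post (and not Introversion's code), the C++ below puts the Redshirt step, the "ONETIMEREDSHIRT" header check, the JPEG-magic offset search and the one-time-pad XOR together in one program that runs on constructed in-memory data instead of the real files. The key bytes, the fake image file and all the function names are assumptions made for the example; the only value borrowed from the post is the 3511 offset, used here as the sample offset. It also adds two checks the manual walkthrough leaves to the eye: it refuses to proceed when the "REDSHIRT" or "ONETIMEREDSHIRT" header is absent, and it reports when the three recovered key bytes occur more than once inside the key, in which case the offset is ambiguous and a longer known prefix is needed.

```cpp
// Added example, not the blog's own tool: the Book 2 recovery pipeline
// on constructed data. All names and sample bytes are assumptions.
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <vector>
#include <algorithm>

typedef std::vector<unsigned char> Bytes;

static const unsigned char REDSHIRT_HDR[9] = {'R','E','D','S','H','I','R','T',0};
static const unsigned char OTP_HDR[16] = {'O','N','E','T','I','M','E','R','E','D','S','H','I','R','T',0};
static const unsigned char JPEG_MAGIC[3] = {0xFF, 0xD8, 0xFF};

// Redshirt decryption: verify and strip the 9-byte header, then flip the top
// bit of every byte. Returns an empty vector if the header is missing instead
// of silently producing garbage.
Bytes redshirt_decrypt(const Bytes& in) {
    if (in.size() < 9 || !std::equal(REDSHIRT_HDR, REDSHIRT_HDR + 9, in.begin())) return Bytes();
    Bytes out(in.begin() + 9, in.end());
    for (size_t i = 0; i < out.size(); ++i) out[i] ^= 0x80;
    return out;
}

// Redshirt encryption (the inverse), used here only to build sample data.
Bytes redshirt_encrypt(const Bytes& in) {
    Bytes out(REDSHIRT_HDR, REDSHIRT_HDR + 9);
    for (size_t i = 0; i < in.size(); ++i) out.push_back(in[i] ^ 0x80);
    return out;
}

// One-time-pad XOR with key bytes taken from `offset` onward; same call for
// both directions. Returns empty if the key is too short for the data (the
// post's otp tool would instead keep reusing the last key byte it read).
Bytes otp_xor(const Bytes& data, const Bytes& key, size_t offset) {
    if (offset > key.size() || key.size() - offset < data.size()) return Bytes();
    Bytes out(data.size());
    for (size_t i = 0; i < data.size(); ++i) out[i] = data[i] ^ key[offset + i];
    return out;
}

// Strip the 16-byte "ONETIMEREDSHIRT\0" header; empty if it is not there.
Bytes strip_otp_header(const Bytes& in) {
    if (in.size() < 16 || !std::equal(OTP_HDR, OTP_HDR + 16, in.begin())) return Bytes();
    return Bytes(in.begin() + 16, in.end());
}

// Known-plaintext recovery of the key offset: XOR the first three ciphertext
// bytes with the JPEG magic to get three key bytes, then search the key for
// them. Returns -1 if not found and -2 if the pattern occurs more than once.
long find_key_offset(const Bytes& cipher, const Bytes& key) {
    if (cipher.size() < 3) return -1;
    unsigned char probe[3];
    for (int i = 0; i < 3; ++i) probe[i] = cipher[i] ^ JPEG_MAGIC[i];
    long found = -1;
    for (size_t i = 0; i + 3 <= key.size(); ++i) {
        if (std::equal(probe, probe + 3, key.begin() + i)) {
            if (found != -1) return -2;  // ambiguous: probe a longer prefix
            found = (long)i;
        }
    }
    return found;
}

// Constructed stand-in for world.dat: a deterministic pseudo-random key
// (xorshift32) wrapped in Redshirt encryption.
Bytes make_sample_world_dat(size_t n) {
    Bytes key(n);
    uint32_t s = 0x9E3779B9u;
    for (size_t i = 0; i < n; ++i) {
        s ^= s << 13; s ^= s >> 17; s ^= s << 5;
        key[i] = (unsigned char)(s & 0xFF);
    }
    return redshirt_encrypt(key);
}

// Constructed stand-in for an encrypted image file: a JPEG-like plaintext
// XORed with key bytes from `offset`, with the ONETIMEREDSHIRT header prepended.
Bytes make_sample_image_file(const Bytes& plain_key, size_t offset) {
    const Bytes plain = {0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00};
    Bytes enc(OTP_HDR, OTP_HDR + 16);
    Bytes body = otp_xor(plain, plain_key, offset);
    enc.insert(enc.end(), body.begin(), body.end());
    return enc;
}

// Full recovery: de-redshirt the key, strip the OTP header, find the offset,
// decrypt. Returns the plaintext, or empty on any failure; the offset that
// was found (or the negative failure code) is reported through offset_out.
Bytes recover_image(const Bytes& world_dat, const Bytes& image_file, long* offset_out) {
    Bytes key = redshirt_decrypt(world_dat);
    Bytes cipher = strip_otp_header(image_file);
    if (key.empty() || cipher.empty()) return Bytes();
    long off = find_key_offset(cipher, key);
    if (offset_out) *offset_out = off;
    if (off < 0) return Bytes();
    return otp_xor(cipher, key, (size_t)off);
}

int main() {
    Bytes world_dat = make_sample_world_dat(4096);
    Bytes key = redshirt_decrypt(world_dat);
    Bytes image = make_sample_image_file(key, 3511);  // 3511: the post's offset for RIMG0001.JPG
    long off = -1;
    Bytes plain = recover_image(world_dat, image, &off);
    bool magic_ok = plain.size() >= 3 && plain[0] == 0xFF && plain[1] == 0xD8 && plain[2] == 0xFF;
    std::printf("offset %ld, %zu plaintext bytes, JPEG magic %s\n", off, plain.size(), magic_ok ? "ok" : "bad");
    return magic_ok ? 0 : 1;
}
```

To run this against the real files you would read "world.dat" and each image file into a vector and drop the two make_sample_* calls; everything else stays the same. When find_key_offset returns -2, extend the probe with more bytes of the known JPEG header (a JFIF file continues FF D8 FF E0) before trusting any single match.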

The ciphers used for Book 2 are a substitution cipher (Redshirt) and one-time pad encryption.