Hacking the tribe log

ARK: Survival Evolved is a nice and sweet game and I love to play it. I even run my own dedicated server for my friends. Ever since the notification functionality was introduced in patch 243.0, I have heard rumors that the tribe log would be merged into it. At the time of writing this article we're at 264.53 and nothing has changed, so I decided to have a look into the whole thing without writing a mod.

When we leave the server for more than a day, we usually shut it down to prevent the dinos from starving. As the tribe log still persists, I concluded it must be saved somewhere on disk. On Linux it's fairly easy to find files by their contents using grep. Looking at the tribe log, I found that I had already caused some havoc by rebuilding the base, as the tribe log says “Rei demolished a ‘Vertical Metal Water Pipe’!”

grep -r "Rei demolished" revealed a file named 1255828861.arktribe, hidden in the depths of the ~/ShooterGame/Saved/SavedArks/ folder.

^A^@^@^@^A^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^P^@^@^@PrimalTribeData^@^@^@^@^@^E^@^@^@^S^@^@^@PrimalTribeData_14^@^L^@^@^@ArkGameMode^@^P^@^@^@PersistentLevel^@
^@^@^@TheIsland^@&^@^@^@/Game/Maps/TheIslandSubMaps/TheIsland^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@TribeData^@^O^@^@^@StructProperty^@^H<90>^@^@^@^@^@^@
^@^@^@TribeData^@
^@^@^@TribeName^@^L^@^@^@StrProperty^@^O^@^@^@^@^@^@^@^K^@^@^@Stargazers^@^R^@^@^@OwnerPlayerDataID^@^O^@^@^@UInt32Property^@^D^@^@^@^@^@^@^@/^B^C^H^@^@^@TribeID^@^L^@^@^@IntProperty^@^D^@^@^@^@^@^@^@}mJ^R^@^@^@MembersPlayerName
^@^N^@^@^@ArrayProperty^@^U^@^@^@^@^@^@^@^L^@^@^@StrProperty^@^B^@^@^@^E^@^@^@Savi^@^D^@^@^@Rei^@^T^@^@^@MembersPlayerDataID^@^N^@^@^@ArrayProperty^@^L^@^@^@^@^@^@^@^O^@^@^@UInt32Property^@^B^@^@^@^^<99>(*/^B^C^L^@^@^@TribeAdmins^@^N^@^@^@ArrayProperty^@^L^@^@^@^@^@^@^@^O^@^@^@UInt32Property^@^B^@^@^@/^B^C^^<99>(* ^@^@^@TribeLog^@^N^@^@^@ArrayProperty^@^^<8E>^@^@^@^@^@^@^L^@^@^@StrProperty^@<90>^A^@^@Y^@^@^@Day 810, 22:08:46: Rei demolished a 'Stone Foundation'!</>^@Y^@^@^@Day 810, 22:11:03: Rei demolished a 'Stone Foundation'!</>^@V^@^@^@Day 810, 22:17:23: Rei demolished a 'Stone Ceiling'!</>^@U^@^@^@Day 810, 22:19:05: Rei demolished a 'Stone Pillar'!</>^@V^

Using file magic numbers (trying to determine the file type by its contents) I found out that this is just ‘data’. Nothing helpful at all, so I'm pretty much on my own there. Back when I was doing much more malware analysis, the strings program was my best friend. Employing it here, we get:

# strings 1255828861.arktribe
PrimalTribeData
PrimalTribeData_14
ArkGameMode
PersistentLevel
TheIsland
/Game/Maps/TheIslandSubMaps/TheIsland
TribeData
StructProperty
TribeData
TribeName
StrProperty
Stargazers
OwnerPlayerDataID
UInt32Property
TribeID
IntProperty
MembersPlayerName
ArrayProperty
StrProperty
Savi
MembersPlayerDataID
ArrayProperty
UInt32Property
TribeAdmins
ArrayProperty
UInt32Property
TribeLog
ArrayProperty
StrProperty
Day 810, 22:08:46: Rei demolished a 'Stone Foundation'!</>
Day 810, 22:11:03: Rei demolished a 'Stone Foundation'!</>
Day 810, 22:17:23: Rei demolished a 'Stone Ceiling'!</>
Day 810, 22:19:05: Rei demolished a 'Stone Pillar'!</>
Day 810, 22:23:04: Rei demolished a 'Stone Ceiling'!</>
Day 810, 22:24:34: Rei demolished a 'Stone Pillar'!</>
Day 810, 22:29:12: Rei demolished a 'Stone Wall'!</>
....
LogIndex
IntProperty
None
None

… quite something we can use. tail and head do the rest while sed cleans out that wannabe markup. Piping things into shape, we finally get a clean line with the last log entry:

strings "${thefile}" | tail -n 5 | head -n 1 | sed 's/<[^>]*>//g'
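In the raw dump above, each string appears to be stored as a 4-byte little-endian length (counting the trailing NUL) followed by the text, so the log can also be read by walking those prefixes instead of counting lines from the end of the strings output; this also keeps three-character names such as Rei, which strings drops at its default minimum length of 4. The following is an added example, not part of the original post: the layout is inferred from the dump, and prefixed_strings, tribe_log, MAX_LEN and the sample bytes are constructed for illustration.

```python
import re
import struct

TAG = re.compile(r"<[^>]*>")  # same markup stripping as the sed expression
ENTRY = re.compile(r"^Day \d+, \d{2}:\d{2}:\d{2}: ")
MAX_LEN = 4096  # assumed sanity bound on a single string

def prefixed_strings(blob):
    """Yield each length-prefixed ASCII string in blob.

    Assumed layout (inferred from the dump, not documented): int32
    little-endian length that counts the trailing NUL, the text, the NUL.
    """
    pos = 0
    while pos + 4 <= len(blob):
        (n,) = struct.unpack_from("<i", blob, pos)
        end = pos + 4 + n
        body = blob[pos + 4:end - 1]
        if (1 < n <= MAX_LEN and end <= len(blob) and blob[end - 1] == 0
                and all(0x20 <= b < 0x7F for b in body)):
            yield body.decode("ascii")
            pos = end   # continue after the string just consumed
        else:
            pos += 1    # not a string header here, resync one byte further

def tribe_log(blob):
    """Return the tribe log entries with markup removed, oldest first."""
    return [TAG.sub("", s) for s in prefixed_strings(blob) if ENTRY.match(s)]

def _pack(text):
    raw = text.encode("ascii") + b"\x00"
    return struct.pack("<i", len(raw)) + raw

# Constructed sample, not a real save file.
SAMPLE = (b"\x01\x00\x00\x00" + _pack("TribeData") + _pack("Savi") + _pack("Rei")
          + _pack("TribeLog") + b"\x90\x01\x00\x00"
          + _pack("Day 810, 22:08:46: Rei demolished a 'Stone Foundation'!</>")
          + _pack("Day 810, 22:11:03: Rei demolished a 'Stone Pillar'!</>")
          + _pack("LogIndex") + _pack("None"))

if __name__ == "__main__":
    print(tribe_log(SAMPLE)[-1])
```

On a real file, pass the bytes from open(path, "rb").read() to tribe_log and take the last element.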

Taking it further, I used inotify to trigger my script on file changes using curl to hook into the notification system already in place:


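#!/bin/sh

thefile=/path/to/your/tribenumber.arktribe
key=secret-webnotifypass
title=TribeLog
notifyURL=https://my.super.cool/ark.php

# Block until the tribe file changes, then push the newest log entry.
while inotifywait -e modify -e attrib "${thefile}"; do
    # The last log line sits five strings from the end; sed strips the markup tags.
    message=$(strings "${thefile}" | tail -n 5 | head -n 1 | sed 's/<[^>]*>//g')
    # --data-urlencode keeps '&', '=' and quotes in the log text from breaking the POST body.
    curl --data-urlencode "key=${key}" --data-urlencode "notetitle=${title}" \
         --data-urlencode "steamid=foo" --data-urlencode "message=${message}" "${notifyURL}"
done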

Variables used:

  • thefile is your arktribe file. Full path preferred
  • key is the secret key you used in AlarmPostCredentials.txt
  • title is the push notifications title
  • notifyURL is the push url used in AlarmPostCredentials.txt
