> As first spotted by VX-Underground, a group of developers have already compiled Witcher 3 from the leaked source code, sharing screenshots and videos of development builds.
> One representative of the group compiling Witcher 3 known as 'sventek' told BleepingComputer that the leaked CD Projekt data is 450 GB uncompressed and contains source code for Witcher 3, Gwent, Cyberpunk, various console SDK (PS4/PS5 XBOX NINTENDO), and some build logs.
> Sventek told BleepingComputer that they were previously able to compile Cyberpunk 2077 from the CD Projekt's leak...
Is 450gb really that big enough? Games are individually often close to a hundred gb, and I'd assume the source code has more things.
Uncompressed audio? Why the fuck would anyone even want to do that? Even computers 20 years ago could handle Vorbis or if they were fancy enough to buy a decoder MP3 audio. Today's multicore monsters can easily handle dedicating an entire core to sound effects only.
you check in the uncompressed audio, and then fmod, wwise or whatever other middleware you're using will compress to a different format and compression ratios on a per-platform basis during the build process (i.e. vorbis on PC, AT9 on PS4, FADPCM on mobile, etc.)
I was looking for a good reason why this might be and all I could find was an old HN thread suggesting that uncompressing audio takes CPU cycles so leaving it uncompressed helps to avoid CPU bottlenecks when you have a game that might be playing a lot of sfx at once
PC gamers (especially those with SSDs) were puzzled to find out that Titanfall had a gargantuan 48 GB file size, despite the lack of a single player campaign and the fact that it was running on a modified source engine. Some digging around in the files revealed that a huge portion of that size was due to a whopping 35 GB of completely uncompressed audio. Respawn has now explained that the reason the audio was not compressed was so they could dedicate more system resources to running the game, and less to unpacking audio files.
...
He did, however, admit that most PC gamers probably wouldn’t even notice the difference. “On a higher PC it wouldn’t be an issue. On a medium or moderate PC, it wouldn’t be an issue, it’s that on a two-core [machine] with where our min spec is, we couldn’t dedicate those resources to audio.”
> Assets are not part of the source code, so this is huge.
Aah thanks, that helps clarifying it. Yep, without media I could see that that many lines of code would be a lot. But how would they make the game without textures? I guess just ripping them from the published version, or just going "it compiles!" and calling it quits?
Assuming the code is complete enough to be compiled, I would guess that it has no problem reading any content assets from the commercial version (even if they are packed into custom packaging files) with the major concern being versioning related (maybe the most recent source code branch references to various assets might not match up exactly with what is on disc for a specific retail build).
But also it isn't that uncommon at game studios for assets to be checked in alongside the code, so I wouldn't be shocked if these source code dumps and the associated sizes being reported also include the assets.
450GB is ~450•10^9 B (~ to handle the fact that it might be GiB), which is 450 billion bytes in the short scale (450 thousand million/450 milliard in the long scale).
1B may or may not equal 1 character depending on your encoding, but 1000 characters per byte is unlikely.
> Assets are not part of the source code, so this is huge.
Depends how linguistically precise the hackers are being. I could see them calling the contents of a repository the source code, and to my understanding, especially around the time of witcher 3's development, a lot of game dev studios used Perforce specifically because they were checking assets in and Perforce handled that better.
I'm afraid to burst your bubble but assets are definitely part of that 450GB as they are routinely stored in Perforce. They are considered part of the source of the game.
Here's some more math for you: you've used 204 characters to write "Javascript bad", which is 15 characters. That's almost 14 times more characters than what you could've used!
If you see an application with 1% of 450gb worth of code, run as far as you possibly can.
That's a Lovecraftian horror. Also, it also almost certainly does not exist. The largest codebases would be lucky if they hit a 200MBs-2GB of straight code. And they're far an away the exceptions, not the norm.
Google has billions of lines of code in one repo. I don’t have hard numbers on file sizes, but a billion bytes is a gigabyte. A billion lines taking tens of gigabytes does not seem unreasonable.
But you see, now we know that GP knows how big Google's repo is, a detail from which we are perhaps to conclude I suspect, falsely, but who knows) they are or were employed as an engineer there, despite making an argument that seems well below the common sense threshold even to a non-engineer, Google or otherwise.
> Google has billions of lines of code in one repo.
That repo has over a hundred apps.
> I don’t have hard numbers on file sizes, but a billion bytes is a gigabyte. A billion lines taking tens of gigabytes does not seem unreasonable.
Again, multiple apps/projects. But even so, I said the low GBs was possible and represents an extreme exception. Even with you stretching to find that exception, we're still far away from 450GB as a "normal" amount.
So what is your point? My napkin math was off by a few GB? Congrats, got me.
I’ve worked on a bunch of AAA game projects and the “MAIN” stream is usually somewhat small because people often want to have multiple checkouts on one drive.
On the project I'm currently working on, we use filters to disable syncing groups of art assets we don't need, so a checkout for an engineer is usually quite reasonable. Probably also around 400GB though it includes the engine. With all filters disabled I'd end up downloading multiple terabytes of stuff for the main branch.
Ah yeah, we keep things like blender/maya models on a separate stream completely.
Usually the main stream can compile the entire game so it has all the required assets, but not everything that is used to make the assets for the game in the first place.
Have almost the same thing been leaked before, but now decryption keys are released?
Edit
Found it, previously they released a magnet link called funnytorrent that was over 800gb, but all files are 7z encrypted and no password was available. There are still seeds :O
So I'm guessing the new thing is the new TW3 version CDP confirmed this week they are working on.
Edit 2
The "new magnet" link is the same hash, so no new files in there.
Probably not much danger that players will end up with pirated copies of the games, especially those with an online component, but having the source code will make finding cheats and security vulnerabilities easier.
Don't get why you've been downvoted to grey, you make a very valid point particularly regarding security issues given the recent Apex Legends hack [1].
Indirectly: the source-code will include third-party licensed libraries, stuff like audio and video decoding/rendering and other middleware - so they could be sued by the original devs/licensors for not keeping that protected.
I'm not aware of it ever happening after a hack/leak - but years-gone-by I did ask people I knew who worked in the games industry specifically why they didn't release their games as open-source and I noticed that I kept on getting the same answer from people who worked at different companies: Activision, MS Game Studios, Westwood, Electronic Arts, etc etc.
And we see the results of those concerns even when games do get open-sourced - for example, last week Descent 3's engine was released as open-source, and it was released without those parts (c.f.: https://github.com/DescentDevelopers/Descent3/blob/61bb9a337... )
-------
When a software company licenses a third-party library in source-form, invariably the license agreement includes a stipulation that the licensee take all reasonable precautions to prevent the release of the source-code - so if it can be shown that CD Projekt Red was negligent in keeping their source secure such that it was leaked by HelloKitty, then they're open to civil liability here. Obviously the onus is on the plaintiffs to prove that CD Projekt Red was negligent here.
I'm not accusing CD Projekt Red of being organizationally negligent myself; but I assume that most of their devs had a copy of their entire source-tree on their machines (just like I have all of my org's source on my machines) - and it only takes 1 person to disable their antivirus for something like this to happen. What I am saying is that it's possible that CD Projekt Red was negligent in keeping any licensed source-code reasonably secure, and that HelloKitty was aware of this fact, and used that as leverage in their extortion attempt: i.e. "we know you didn't secure your source-tree - and MIDDLEWARE_PROVIDER won't be happy about that and we estimate you'll owe MIDDLEWARE_PROVIDER about $500k if they find out, so if you pay us $250k we'll keep quiet about this, if not, we'll leak everything".
Again, I'm just positing by connecting-the-dots here - I'm not making any assertions.
I remember the original leak was announced at the beginning (?) of December 2021 – and that Cyberpunk 2077 at that point was far from fully functional, even after release.
I’d love to see the source-code comments over-time as they tweaked the balancing rules in SC… but are these leaks just a snapshot of the file system or does it include the full source-control history?
If you haven't seen it before, you might enjoy Patrick Wyatt's (a lead dev for a time at Blizzard) blog. It is a treasure trove of anecdotes and war stories.
Ah yes - I remember reading his article about the origins of StarCraft way-back-when - when StarCraft was still a low-effort "Orcs in space" re-skin of Warcraft 2, but they went to E3 or CES and got spooked by Ion Storm's demo of their visually impressive, isometric, RTS game - and reinvented SC - released SC - and the rest is history - while it turned out Ion Storm's demo was a prerendered video fake. That's a story right there.
Extremely cool read, thank you for sharing this. The author's other posts are interesting too. I learned they disabled collision for resource harvesting units so they could smoothly fly through each other on the way to/from the base and resources.
One of the key insurance claims clearinghouses in America's hilariously privatised health care system was hacked – and they paid $22 million to one ransomware group (which is chump change to their corporate parent, United Health, robber capitalism incarnate.) What they didn't anticipate was that the same data was _hacked twice_. [1]
It's like to be another survivorship bias. The paying ones aren't talked about in media because their business isn't obstructed that much. Pay, get data back, no harm to the reputation, maybe we never even hear about it.
I got a panic phone call from one of of the companies I used to do contract work for, "Do you know how to buy bitcoin? We got hacked and the website isn't working and we're trying to pay so we can use our computers again."
I stopped what I was doing and drove over there. Luckily someone DDoS'd the pay site so they couldn't pay. I asked them what they were thinking. They told me that they were going to pay with their super prestigious credit card and refute the charge as fraud because in their words, "Technically, this is fraud."
I shook my head and cleaned it up and restored the backups. I asked them a week later how much data was lost. They asked me what I was talking about. Apparently they didn't have anything important they did since the backup ran the night before. They switched to a SaaS shortly afterwards. Then raided by the government & shut down a couple years later. Good times.
57 comments
[ 5.3 ms ] story [ 128 ms ] thread> One representative of the group compiling Witcher 3 known as 'sventek' told BleepingComputer that the leaked CD Projekt data is 450 GB uncompressed and contains source code for Witcher 3, Gwent, Cyberpunk, various console SDK (PS4/PS5 XBOX NINTENDO), and some build logs.
> Sventek told BleepingComputer that they were previously able to compile Cyberpunk 2077 from the CD Projekt's leak...
Is 450gb really that big enough? Games are individually often close to a hundred gb, and I'd assume the source code has more things.
Raw assets like textures, I'd guess? These often get downscaled and compressed as part of build.
The only scenario I can think of is games supporting surround sound which can't afford the extra cycles of decompression.
Assets are not part of the source code, so this is huge.
That's almost 20,000 times all of Wikipedia, or 2 whole single page applications using a JavaScript framework!
Aah thanks, that helps clarifying it. Yep, without media I could see that that many lines of code would be a lot. But how would they make the game without textures? I guess just ripping them from the published version, or just going "it compiles!" and calling it quits?
But also it isn't that uncommon at game studios for assets to be checked in alongside the code, so I wouldn't be shocked if these source code dumps and the associated sizes being reported also include the assets.
450GB is ~450•10^9 B (~ to handle the fact that it might be GiB), which is 450 billion bytes in the short scale (450 thousand million/450 milliard in the long scale).
1B may or may not equal 1 character depending on your encoding, but 1000 characters per byte is unlikely.
Depends how linguistically precise the hackers are being. I could see them calling the contents of a repository the source code, and to my understanding, especially around the time of witcher 3's development, a lot of game dev studios used Perforce specifically because they were checking assets in and Perforce handled that better.
Around 45gb src for a 5gb game (pc, android, ios)
Here's some more math for you: you've used 204 characters to write "Javascript bad", which is 15 characters. That's almost 14 times more characters than what you could've used!
That's a Lovecraftian horror. Also, it also almost certainly does not exist. The largest codebases would be lucky if they hit a 200MBs-2GB of straight code. And they're far an away the exceptions, not the norm.
> Games are individually often close to a hundred gb, and I'd assume the source code has more things
They acknowledge they were mistaken about code size in a sister comment.
Google has billions of lines of code in one repo. I don’t have hard numbers on file sizes, but a billion bytes is a gigabyte. A billion lines taking tens of gigabytes does not seem unreasonable.
https://cacm.acm.org/research/why-google-stores-billions-of-...
> That's a Lovecraftian horror
Perhaps.
That repo has over a hundred apps.
> I don’t have hard numbers on file sizes, but a billion bytes is a gigabyte. A billion lines taking tens of gigabytes does not seem unreasonable.
Again, multiple apps/projects. But even so, I said the low GBs was possible and represents an extreme exception. Even with you stretching to find that exception, we're still far away from 450GB as a "normal" amount.
So what is your point? My napkin math was off by a few GB? Congrats, got me.
I’ve worked on a bunch of AAA game projects and the “MAIN” stream is usually somewhat small because people often want to have multiple checkouts on one drive.
Usually the main stream can compile the entire game so it has all the required assets, but not everything that is used to make the assets for the game in the first place.
Edit
Found it, previously they released a magnet link called funnytorrent that was over 800gb, but all files are 7z encrypted and no password was available. There are still seeds :O
So I'm guessing the new thing is the new TW3 version CDP confirmed this week they are working on.
Edit 2
The "new magnet" link is the same hash, so no new files in there.
[1] https://www.tweaktown.com/news/96928/apex-legends-pro-player...
And we see the results of those concerns even when games do get open-sourced - for example, last week Descent 3's engine was released as open-source, and it was released without those parts (c.f.: https://github.com/DescentDevelopers/Descent3/blob/61bb9a337... )
-------
When a software company licenses a third-party library in source-form, invariably the license agreement includes a stipulation that the licensee take all reasonable precautions to prevent the release of the source-code - so if it can be shown that CD Projekt Red was negligent in keeping their source secure such that it was leaked by HelloKitty, then they're open to civil liability here. Obviously the onus is on the plaintiffs to prove that CD Projekt Red was negligent here.
I'm not accusing CD Projekt Red of being organizationally negligent myself; but I assume that most of their devs had a copy of their entire source-tree on their machines (just like I have all of my org's source on my machines) - and it only takes 1 person to disable their antivirus for something like this to happen. What I am saying is that it's possible that CD Projekt Red was negligent in keeping any licensed source-code reasonably secure, and that HelloKitty was aware of this fact, and used that as leverage in their extortion attempt: i.e. "we know you didn't secure your source-tree - and MIDDLEWARE_PROVIDER won't be happy about that and we estimate you'll owe MIDDLEWARE_PROVIDER about $500k if they find out, so if you pay us $250k we'll keep quiet about this, if not, we'll leak everything".
Again, I'm just positing by connecting-the-dots here - I'm not making any assertions.
https://www.codeofhonor.com/blog/
[1] https://www.wired.com/story/change-healthcare-ransomhub-thre...
I stopped what I was doing and drove over there. Luckily someone DDoS'd the pay site so they couldn't pay. I asked them what they were thinking. They told me that they were going to pay with their super prestigious credit card and refute the charge as fraud because in their words, "Technically, this is fraud."
I shook my head and cleaned it up and restored the backups. I asked them a week later how much data was lost. They asked me what I was talking about. Apparently they didn't have anything important they did since the backup ran the night before. They switched to a SaaS shortly afterwards. Then raided by the government & shut down a couple years later. Good times.