Tutorial  Updated

Patching CIA Executable

I will show you how to patch a CIA's executable, this will allow you to do things like install SaltySD without NTR.

Requirements:
  • Ctrtool (in tools.zip)
  • 3dstool (Also in tools.zip)
  • makerom (guess where?)
  • Hex editor
  • CIA you want to patch
  • CFW
  • Decrypt9WIP

Step 1: Decrypt the CIA
You may skip this if your CIA is decrypted already!

Copy your the CIA that you want to decrypt into D9game on the root of your SD card.
h6nKMjU.png


Then go into Decrypt9, Game Decryptor Options->CIA Decrypter (deep) and wait.
a7hn7Jp.jpg

lFCyn0u.jpg


Now copy that back to your PC, it is now decrypted!

Step 2: Extract the CIA
Execute "ctrtool --contents=contents [CIA].cia", with [CIA].cia replaced with the proper file.
gi4kaAX.png


Take note of the content file names, this will be important while remaking the CIA.

Next we need to extract the primary content file, this should be called contents.0000.XXXXXXXX, like the Smash 1.1.5 update it is called contents.0000.00000014. Execute "3dstool -xvtf cxi [CONTENTS] --header ncch.header --exh exheader.bin --exefs exefs.bin --romfs romfs.bin --plain plain.bin" with [CONTENTS] replaced with the contents file. This should generate a warning about "logoregion", it is safe to ignore this.
Y5IBJ7D.png


Next we need to extract the exefs, execute "3dstool -xvtf exefs exefs.bin --exefs-dir exefs --header exefs.header".
w4d7Q9V.png


The final extraction step is to decompress the code, execute "3dstool -uvf exefs/code.bin --compress-type blz --compress-out code-orig.bin"
FlqU0WS.png

Step 3: Modify the code
Copy the code-orig.bin file wherever you need it, modify it, and copy it back as
code-patched.bin.

Step 4: Repack the CIA
First we need to compress the modified code, execute "3dstool -zvf code-patched.bin --compress-type blz --compress-out exefs/code.bin"
ijVispo.png


Then we need to create the exefs. Execute "3dstool -cvtf exefs exefs2.bin --exefs-dir exefs --header exefs.header"
C36eh76.png


We need to make the modified CXI, execute "3dstool -cvtf cxi patched.cxi --header ncch.header --exh exheader.bin --exefs exefs2.bin --romfs romfs.bin --plain plain.bin"
70eTIGx.png


Finally we need to create the CIA file, this is where the name of the content files is needed. Execute "makerom -f cia -o [PATCHED].cia -content patched.cxi:0" with all the content files appended to it with "-content contents.xxxx.yyyyyyyy:x" EXCEPT for contents.0000.yyyyyyyy. For my SaltySD patch it would be "makerom -f cia -o SmashUpdate.NaCl.decrypted.cia -content patched.cxi:0 -content contents.0001.0000000f:1"

Step 5: Fix Versions (optional, but recommended)
Open the decrypted CIA in a hex editor, and locate the two bytes at offset 0x00002F9C and copy those.
gdr3K2g.png

Copy that to the modified CIA at 0x00002F9C.
XMaKeV3.png

Step 6: Encrypt The CIA
Now that the cia has been modified, we need to encrypt it; some things will break if the CIA is not encrypted. Copy the modified CIA to D9game again, launch Decrypt9WIP and goto Game Decryptor Options->CIA Encryptor (NCCH) and wait.
a7hn7Jp.jpg

R1TLjZy.jpg

Step 7: Profit
Dtlm9vp.jpg


If someone has a capture device, I would love some screenshots of D9!
 

Attachments

  • tools.zip
    418.4 KB · Views: 448
Last edited by gudenau,
  • Like
Reactions: NakedFaerie, I pwned U!, shinyquagsire23 and 5 others
Click to expand...
Yudowat

Yudowat

That one guy that shows up occasionally
Member
Level 3
Joined
Jun 12, 2015
Messages
552
Trophies
0
XP
341
Country
Australia
Anybody else getting
Code: 
[CIA ERROR] Content 0 Is Corrupt (res = -11)
[RESULT] Failed to build CIA
when trying to build the CIA at the end of step 4? I get it every single time I try to build a EUR SaltySD and its driving me insane
 
Last edited by Yudowat,
Red9419

Red9419

Well-Known Member
Member
Level 6
Joined
Apr 17, 2014
Messages
526
Trophies
0
XP
795
Country
Where exactly do i get code-orig.bin? The only file closest to it is code.bin in the exefs folder. On a side note how would i modify it? Hex editor or any dedicated programs?
 
Red9419

Red9419

Well-Known Member
Member
Level 6
Joined
Apr 17, 2014
Messages
526
Trophies
0
XP
795
Country
Yes. It takes about 2 seconds to input a new command afterwards so im certain it went through, but im not seeing any output.
Edit: I will restart the whole process and see if it fixes anything.

--------------------- MERGED ---------------------------

gudenaurock said:
Did you execute "3dstool -uvf exefs/code.bin --compress-type blz --compress-out code-orig.bin"?
Click to expand...
I re-extracted everything and it seems like i got it now. How would i edit this file now?
EDIT: Just opened it up in a hex editor. Do i just swap out a characters name hex code with the modified hex?
 
Last edited by Red9419,
gudenau

gudenau

Largely ignored
OP
Member
Level 16
Joined
Jul 7, 2010
Messages
3,882
Trophies
2
Location
/dev/random
Website
www.gudenau.net
XP
5,364
Country
United States
Red2 A.K.A. Noob said:
Yes. It takes about 2 seconds to input a new command afterwards so im certain it went through, but im not seeing any output.
Edit: I will restart the whole process and see if it fixes anything.

--------------------- MERGED ---------------------------


I re-extracted everything and it seems like i got it now. How would i edit this file now?
EDIT: Just opened it up in a hex editor. Do i just swap out a characters name hex code with the modified hex?
Click to expand...
No idea, depends on the game.
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Hacking Homebrew  A new way to experience StreetPass

Is it possible...?

After the 8th of April, will it still be possible to create a new NNID (Nintendo Network ID) and/or transfer a NNID from one console to another?

Hacking Homebrew  how to link pnid to 3ds/how to use juxtaposition?

Hacking  New 2ds Refuses to boot

Hacking Misc  VCRUNTIME140.dll UCRTBASED.dll Master Thread

Translation Project  DQM2SP translation

3DS won't boot into DS Mode, Extended Memory Mode and more

General chit-chat
Help Users
    Xdqwerty @ Xdqwerty: yawn