Hacking Hacking with 3DS Save DeEncrypter

[Immortal_no1]

If you can compile the information that you have into a document and post it to blite it'll be looked over and maybe it'll help.

Otherwise at the moment, only some of the CRC's have been found for some of the games, however the 'Master CRC' is not known and will stop attempts to modify the saves until this is found.

The master CRC must check bits throughout the file to check for alterations. So in effect, it must be a checksum of parts of the checksums. - Annoying

 

[how_do_i_do_that]

If a save editor is going to be made for zelda, it would have to searched by using the name used in the save slot.

I'll write up whatever I got when I get back home later today, so something might get upped tonight.

 

[chyyran]

So, does this mean the possibility of save-game based hacks for the 3DS?

 

[Ericthegreat]

Nice at least something is going on.

 

[overlord00]

very interesting. bookmark'd

 

[geenlung]

I have heard elsewhere that uploading someone else's save onto your card does work. If someone has a RE-Mercenaries, SF IV, Zelda; save they can post a link to in here, i can try that tonight. and confirm. Don't post any specifics about the save other than name of the save file and link. and i'll post back with confirmation. Preference goes to RE-Mercenaries as i love the game.

This is a ZooT save. When I first tried to extract my save, my save got corrupted. It seeems to work properly now. Please let me know if transfering saves between carts works. I'm interested in transfering a DoAD save over.

http://www.megaupload.com/?d=EWSGC18X

 

[Immortal_no1]

It doesn't work on my one, so i would be guessing that yours is a USA version of the game? as mine is a UK version.

 

[how_do_i_do_that]

Still writting and formatting what I know about the zelda save.


The save is mostly region locked via the header info. The individual saves slots are organized as bin files that are part of the save dump. Those are not region locked. So if a save dump can be managed as a container, extracting and inserting save bins would allow you to use someone else's game save reguardless of the region, except maybe Japan, Korea, and China.

 

[vdoggie]

I keep getting an error about the .ocx file

anyone know what's up?

I'm running windows 7 64bit

 

[how_do_i_do_that]

Try an older version.

 

[Immortal_no1]

Shouldn't be a problem with it, depends where you downloaded the ocx file from. if it came from v1.4 of the 3DS Save De/Encrypter downloaded from hotfile then it's the dated about 1998 i think. So just make sure that the OCX file is in your system32 directory

 

[geenlung]

I found it helpful to put those ocx files in the same directory as the DeEncrypter.

 

[Immortal_no1]

Found some checksums but just changing those areas to relate to the changed data isn't good enough, 3DS Save De/Encrypter v1.5 will be released in the next few days

 

[Matyapiro31]

Good work,thank you.
I didn't know CRC is used.

 

[how_do_i_do_that]

Some of what I know about a zelda save is up.

http://gbatemp.net/t304345-anatomy-of-the-zelda-save

 

[CollosalPokemon]

I found something cool in my Samurai Warriors Chronicals save file (after using this tool) :

Something to do with loading a sound from the ROM (actually, there are around 3 more of these I was just too lazy to screencap them all)

I love how this is in plaintext. I doubt it's exploitable though, I'm sure KT is smarter than that simple text, still, it's pretty cool but there's no way for us to tell 100% for sure yet because modifying that means the CRC would change =P But I really doubt an exploit would come this early so I'm not expecting anything.

 

[Arisotura]

Those dots every 8 characters in the string look like some LZ77-type compression is used there.

Also, an exploit right now would be useless. Once you get in, what would you do? Display some text, you'd tell me? We know zero about the PICA200 or any other hardware in the 3DS, so it can't be done.

 

[Immortal_no1]

how_do_i_do_that, some good investigative work there, i've had a look over the gamesave for 006 and can see that the filesystem partitions change around and i can see the gamedata move too, i beleive that the whole data may 'shift' as part of a flash-wear protection so the EEPROM doesn't get bad blocks as easily. There must be a lookup table somewhere which points to the location, i've found something that looks promising but don't get your hopes up. 3DS Save De/Encrypter v1.5 may be a little while longer, i'm adding in a 'VERY experimental' search function (more to be revealed at a later date).

I can release a 1.5.1 version which has some CRC (Checksum) information, at this point though it's nice to have but you can't really use it for anything. You may be able to use it to get Offsets to various locations of the Save information, but that'll come in time.

I'm working on an internal game save Export/Import feature to do exactly what it says to in effect replace the contents of the save with another from another country and re CRC it to see if i can get a US gam esave working on a UK cartridge, Slow progress on that, i need to find the starting offsets for the files, i think i have a way of getting there but once again it's slow progress.

CollosalPokemon can you upload the original Encrypted save you got your screenshot from and i'll have a look over it.

 

[Arisotura]

Info on savegames

The wearleveling scheme is described there. Though, idk if it's quite right-- I'm not sure to have gotten it right...

 

[CollosalPokemon]

how_do_i_do_that, some good investigative work there, i've had a look over the gamesave for 006 and can see that the filesystem partitions change around and i can see the gamedata move too, i beleive that the whole data may 'shift' as part of a flash-wear protection so the EEPROM doesn't get bad blocks as easily. There must be a lookup table somewhere which points to the location, i've found something that looks promising but don't get your hopes up. 3DS Save De/Encrypter v1.5 may be a little while longer, i'm adding in a 'VERY experimental' search function (more to be revealed at a later date).

I can release a 1.5.1 version which has some CRC (Checksum) information, at this point though it's nice to have but you can't really use it for anything. You may be able to use it to get Offsets to various locations of the Save information, but that'll come in time.

I'm working on an internal game save Export/Import feature to do exactly what it says to in effect replace the contents of the save with another from another country and re CRC it to see if i can get a US gam esave working on a UK cartridge, Slow progress on that, i need to find the starting offsets for the files, i think i have a way of getting there but once again it's slow progress.

CollosalPokemon can you upload the original Encrypted save you got your screenshot from and i'll have a look over it.

Sure, I don't think having it will do you any better with the save De/Encryptor though

I just thought it looked cool.

http://www.mediafire.com/?jbsev2a8e94m4f0



EDIT: I dumped some databases and typeinfos for Legend Of Zelda OoT (US) using IDA Pro 6.1. I don't think they'll be useful but just in case:


static main(void)
{
// set 'loading idc file' mode
SetCharPrm(INF_GENFLAGS, INFFL_LOADIDC|GetCharPrm(INF_GENFLAGS));
GenInfo(); // various settings
Segments(); // segmentation
Enums(); // enumerations
Structures(); // structure types
Patches(); // manual patches
SegRegs(); // segment register values
Bytes(); // individual bytes (code,data)
Functions(); // function definitions
// clear 'loading idc file' mode
SetCharPrm(INF_GENFLAGS, ~INFFL_LOADIDC&GetCharPrm(INF_GENFLAGS));
}

//------------------------------------------------------------------------
// General information

static GenInfo(void) {

DeleteAll(); // purge database
SetPrcsr("metapc");
SetCharPrm(INF_COMPILER, 0);
StringStp(0xA);
Tabs(1);
Comments(0);
Voids(0);
XrefShow(2);
AutoShow(1);
Indent(16);
CmtIndent(40);
TailDepth(0x10);
}

//------------------------------------------------------------------------
// Information about segmentation

static Segments(void) {
SetSelector(0X1,0);
;
SegCreate(0,0X20000,0X1,0,1,2);
SegRename(0,"seg000");
SegClass (0,"CODE");
SegDefReg(0x0,"es",0x0);
SegDefReg(0x0,"ss",0x0);
SegDefReg(0x0,"ds",0x0);
SegDefReg(0x0,"fs",0x0);
SegDefReg(0x0,"gs",0x0);
SetSegmentType(0,2);
LowVoids(0x20);
HighVoids(0x20000);
}

//------------------------------------------------------------------------
// Information about enum types

static Enums(void) {
auto id;
BeginTypeUpdating(UTP_ENUM);
}

//------------------------------------------------------------------------
// Information about structure types

static Structures(void) {
auto id;
BeginTypeUpdating(UTP_STRUCT);}

//------------------------------------------------------------------------
// Information about bytes

static Bytes_0(void) {
auto x;
#define id x

ExtLinA (0, 1, "; Format : Binary file");
ExtLinA (0, 2, "; Base Address: 0000h Range: 0000h - 20000h Loaded length: 20000h");
}

//------------------------------------------------------------------------
// Information about functions

static Functions(void) {

}

//------------------------------------------------------------------------
// Information about segment registers

static SegRegs(void) {
SetRegEx(0,"es",0,3);
SetRegEx(0,"ss",0,3);
SetRegEx(0,"ds",0,3);
SetRegEx(0,"fs",0,3);
SetRegEx(0,"gs",0,3);
}

//------------------------------------------------------------------------
// Information about all patched bytes:

static Patches(void) {
}

//------------------------------------------------------------------------
// Call all byte feature functions:

static Bytes(void) {
Bytes_0();
EndTypeUpdating(UTP_STRUCT);
}

static main(void)
{
Enums(); // enumerations
Structures(); // structure types
LowVoids(0x20);
HighVoids(0x20000);
}

//------------------------------------------------------------------------
// Information about enum types

static Enums(void) {
auto id;
BeginTypeUpdating(UTP_ENUM);
}

//------------------------------------------------------------------------
// Information about structure types

static Structures(void) {
auto id;
BeginTypeUpdating(UTP_STRUCT); EndTypeUpdating(UTP_STRUCT);
}



Again, I don't see these as useful but I figured as long as I had them I might as well show them.