Hacking Hacking with 3DS Save DeEncrypter

Status
Not open for further replies.
Immortal_no1

Immortal_no1

Well-Known Member
OP
Member
Level 3
Joined
Jul 17, 2003
Messages
266
Trophies
0
XP
292
Country
Yeah, i'm not sure how useful that will be. At the moment, if people want to help out, see if you can find the starting locations of the files that you can see using "File Info" from the software's File Menu. once one of those is found, we can see where the locations are and then extraction of the files can begin.
 
L

loco365

Well-Known Member
Member
Level 12
Joined
Sep 1, 2010
Messages
5,457
Trophies
0
XP
2,927
CollosalPokemon said:
I found something cool in my Samurai Warriors Chronicals save file (after using this tool) :

swccool.png


Something to do with loading a sound from the ROM (actually, there are around 3 more of these I was just too lazy to screencap them all)
yaynds.gif
I love how this is in plaintext. I doubt it's exploitable though, I'm sure KT is smarter than that simple text, still, it's pretty cool but there's no way for us to tell 100% for sure yet because modifying that means the CRC would change =P But I really doubt an exploit would come this early so I'm not expecting anything.
Click to expand...
I think I know exactly what that is. I think it's referring to a file within the game, like the standard DS file format. So therefore, I have reason to believe that 3DS games run on a file format system like it's predecessors.
 
CollosalPokemon

CollosalPokemon

ばん。。。かい
Member
Level 9
Joined
Oct 18, 2009
Messages
682
Trophies
0
XP
1,724
Country
United States
Team Fail said:
CollosalPokemon said:
I found something cool in my Samurai Warriors Chronicals save file (after using this tool) :

swccool.png


Something to do with loading a sound from the ROM (actually, there are around 3 more of these I was just too lazy to screencap them all)
yaynds.gif
I love how this is in plaintext. I doubt it's exploitable though, I'm sure KT is smarter than that simple text, still, it's pretty cool but there's no way for us to tell 100% for sure yet because modifying that means the CRC would change =P But I really doubt an exploit would come this early so I'm not expecting anything.
Click to expand...
I think I know exactly what that is. I think it's referring to a file within the game, like the standard DS file format. So therefore, I have reason to believe that 3DS games run on a file format system like it's predecessors.
Click to expand...

herp.

It's a sound file. My question: Why is a ROM instruction like that even in the save? (I know it has to instruct the ROM in some ways, so the game knows where you're at in the game, score, etc...)\
Sound should be handled by the ROM already knowing "After battle X, play sound Y." (or anywhere in the game it should know when to play sounds without instructions from the save file) I'm more confused as to why it's even in plaintext. I wonder if replacing it with something like "sd: /.files/xyz.3ds" would work instead of playing the sound =P That would be really funny, but I doubt developers that stupid in today's world.
 
H

hergipotter

Well-Known Member
Member
Level 2
Joined
Aug 28, 2007
Messages
100
Trophies
0
XP
123
Country
Gambia, The
Perhaps in this game you can choose a certain sound for a certain action (e.g. the sound that is played when you win a fight or something...) and this information has to be saved. But i don't know why it's in plain text.
 
CollosalPokemon

CollosalPokemon

ばん。。。かい
Member
Level 9
Joined
Oct 18, 2009
Messages
682
Trophies
0
XP
1,724
Country
United States
hergipotter said:
Perhaps in this game you can choose a certain sound for a certain action (e.g. the sound that is played when you win a fight or something...) and this information has to be saved. But i don't know why it's in plain text.
Click to expand...

There are actually like 3-4 plaintext sound commands, but they're not changeable in-game. I have the game and there's no option for changing the sounds. (there's options for changing volume for bgs and etc but not the actual sounds)
I don't understand why it would reference something like that to the ROM, much less why it's saved in plaintext either, and even lesser why Koei Tecmo didn't catch it. Maybe they assumed everything was OK just because of the XOR encryption put on the saves ?
I've been finding XOR is a really crappy encryption everywhere I go.

EDIT: Other pics like the one I posted previously

3dsrominstr3.png


^ I dunno but it seems this one is encrypted, so why didn't the other 3 end up encrypted? Was KT lazy/assumed the others were encrypted/safe?

3dsrominstr2.png


3dsrominstr.png
 
Immortal_no1

Immortal_no1

Well-Known Member
OP
Member
Level 3
Joined
Jul 17, 2003
Messages
266
Trophies
0
XP
292
Country
3DS Save De/Encrypter v1.5a is now available

v1.5a -Checksum data for all checksums found so far, load decrypted save from Experimental menu.

Download
 
P

pachura

Well-Known Member
Member
Level 3
Joined
Dec 9, 2006
Messages
566
Trophies
0
XP
240
Country
CollosalPokemon said:
It's a sound file. My question: Why is a ROM instruction like that even in the save?
Click to expand...

I bet it is some junk leftover that happened to be in the memory area allocated for the savegame before it was written to the SD card. This happens quite often when you allocate memory for a structure but do not clear it.
 
Immortal_no1

Immortal_no1

Well-Known Member
OP
Member
Level 3
Joined
Jul 17, 2003
Messages
266
Trophies
0
XP
292
Country
pachura said:
CollosalPokemon said:
It's a sound file. My question: Why is a ROM instruction like that even in the save?
Click to expand...

I bet it is some junk leftover that happened to be in the memory area allocated for the savegame before it was written to the SD card. This happens quite often when you allocate memory for a structure but do not clear it.
Click to expand...


I quite agree.

There is also a possibility that it could be used to determine different sound themes for title sequences, i don't know if there is anything like that on the game, but it's a possibility.
It's most likely though a log file stored to EEPROM of recent actions. I wouldn't be surprised.
 
FireGrey

FireGrey

Undercover Admin
Member
Level 8
Joined
Apr 13, 2010
Messages
3,921
Trophies
1
Website
www.youtube.com
XP
1,281
Country
CollosalPokemon said:
Team Fail said:
CollosalPokemon said:
I found something cool in my Samurai Warriors Chronicals save file (after using this tool) :

swccool.png


Something to do with loading a sound from the ROM (actually, there are around 3 more of these I was just too lazy to screencap them all)
yaynds.gif
I love how this is in plaintext. I doubt it's exploitable though, I'm sure KT is smarter than that simple text, still, it's pretty cool but there's no way for us to tell 100% for sure yet because modifying that means the CRC would change =P But I really doubt an exploit would come this early so I'm not expecting anything.
Click to expand...
I think I know exactly what that is. I think it's referring to a file within the game, like the standard DS file format. So therefore, I have reason to believe that 3DS games run on a file format system like it's predecessors.
Click to expand...

herp.

It's a sound file. My question: Why is a ROM instruction like that even in the save? (I know it has to instruct the ROM in some ways, so the game knows where you're at in the game, score, etc...)\
Sound should be handled by the ROM already knowing "After battle X, play sound Y." (or anywhere in the game it should know when to play sounds without instructions from the save file) I'm more confused as to why it's even in plaintext. I wonder if replacing it with something like "sd: /.files/xyz.3ds" would work instead of playing the sound =P That would be really funny, but I doubt developers that stupid in today's world.
Click to expand...
Someone should test that out.
Although i bet that you would have to patch xyz.3ds with the common key..
 
Shuji1987

Shuji1987

~
Member
Level 2
Joined
Jul 20, 2011
Messages
381
Trophies
0
XP
204
Country
Netherlands
FireGrey said:
Someone should test that out.
Although i bet that you would have to patch xyz.3ds with the common key..
Click to expand...

I'm not sure if that's neccessary. Just try to figure out what triggers the rom to execute that file from the save and possibly replace that with a simple hello world by standards of the NDS format (or heck, even replace it with all sort of things, pictures, MPO's, music or a similair file to check if it can actually run off SD). We have no idea how the 3DS works in that aspect we still have a lot to figure out and everything is comming in small little steps.

Though with limited coding experience I'm not sure if it works that way either let alone if Nintendo would allow NDS code to run in 3DS mode (or if you can access the SD card at all with that game).

Actually, I'm not sure where to begin, but if I would have a copy of that game I'd try a thing or two.

Maybe I'll look into getting one.
 
ichichfly

ichichfly

Well-Known Member
Member
Level 7
Joined
Sep 23, 2009
Messages
619
Trophies
1
XP
1,076
Country
Gambia, The
CollosalPokemon said:
hergipotter said:
Perhaps in this game you can choose a certain sound for a certain action (e.g. the sound that is played when you win a fight or something...) and this information has to be saved. But i don't know why it's in plain text.
Click to expand...

There are actually like 3-4 plaintext sound commands, but they're not changeable in-game. I have the game and there's no option for changing the sounds. (there's options for changing volume for bgs and etc but not the actual sounds)
I don't understand why it would reference something like that to the ROM, much less why it's saved in plaintext either, and even lesser why Koei Tecmo didn't catch it. Maybe they assumed everything was OK just because of the XOR encryption put on the saves ?
I've been finding XOR is a really crappy encryption everywhere I go.

EDIT: Other pics like the one I posted previously

3dsrominstr3.png


^ I dunno but it seems this one is encrypted, so why didn't the other 3 end up encrypted? Was KT lazy/assumed the others were encrypted/safe?

3dsrominstr2.png


3dsrominstr.png
Click to expand...

this is only what I think what happend I have/can not check if it is true

easy they allocated some memory lets say 100 byte now they write data to this but only to the first 50 bytes and write the 100 byte to the save than the rest of the buffer is uninited so the data that was written to this before it get allocated and in this case someone has written the path to it before it get allocated or they allocated less than they write to the save.
 
Arisotura

Arisotura

rise of melonism
Member
Level 11
Joined
Dec 5, 2009
Messages
839
Trophies
1
Age
30
Location
center of the Sun
Website
kuribo64.net
XP
2,498
Country
France
One possible reason of the name of a sound file ending up in the save is that the game was playing a certain sfx/music/ambience sound at the time the player saved, and wants to resume said sound when the player resumes their game...
 
Immortal_no1

Immortal_no1

Well-Known Member
OP
Member
Level 3
Joined
Jul 17, 2003
Messages
266
Trophies
0
XP
292
Country
Yu-Gi-Oh 100 said:
ok what im i supposed to do with this?
Click to expand...

You extract your gamesave from your cartridge using a NDS ADAPTER PLUS or something similar, then using this application you decrypt the game save so that it can be interrogated.

Hopefully soon we can re-CRC the data and play with modified gamesaves and swap regions of gamesave
 
Status
Not open for further replies.

Site & Scene News

Go to forum More news

Popular threads in this forum

Hacking Homebrew  A new way to experience StreetPass

Hacking Hardware  New Nintendo 3DS XL Louvre

Hardware  Why does my 3DS take so long to turn off?

What's the best 3DS emulator (especially after Citra's shutdown)?

Tutorial  How to fix 007-2001

can't download system files on citra because im "not connected to the internet"

gacube emeleter

So what's the current state of hacking and freeshop?

General chit-chat
Help Users
    Psionic Roshambo @ Psionic Roshambo: Prowl was the autobots inside man... lol