Hacking with 3DS Save DeEncrypter

Status
Not open for further replies.

CollosalPokemon

ばん。。。かい
Member
Joined
Oct 18, 2009
Messages
682
Trophies
0
XP
1,724
Country
United States
Can you add a function to modify the checksums found in the experimental menu from that menu? They're really tricky to find in FRHED and it'd make it easier to modify them to test them out and see what they do if they were moddable from the experimental menu.

btw I found the CRC for LoZ OoT save file (well, mine anyways, others are probably different)

CRC32 : 89684758
MD5 : 3d80fa0b0bdf03da0ade1caa8361b65e

This was using a file tweak tool that calculates the CRC info for files. There's also info on SHA1 and SHA256 but I don't know how useful those will be =P
 

Immortal_no1

Well-Known Member
OP
Member
Joined
Jul 17, 2003
Messages
266
Trophies
0
XP
292
Country
CollosalPokemon said:
Can you add a function to modify the checksums found in the experimental menu from that menu? They're really tricky to find in FRHED and it'd make it easier to modify them to test them out and see what they do if they were moddable from the experimental menu.

btw I found the CRC for LoZ OoT save file (well, mine anyways, others are probably different)

CRC32 : 89684758
MD5 : 3d80fa0b0bdf03da0ade1caa8361b65e

This was using a file tweak tool that calculates the CRC info for files. There's also info on SHA1 and SHA256 but I don't know how useful those will be =P

At a guess, you've just taken the complete file as the data and run the CRC on that to get the values 89684758 and 3d80fa0b0bdf03da0ade1caa8361b65e, or did you find those values within your game save?

If they were found within the save you're onto something, however I don't think that's the case, is it?
 

CollosalPokemon
I just took the whole file's CRCs
But doesn't it compare the file's CRCs to some type of offset CRC, like if the file is the same CRC as in the offset inside the file it's OK? Maybe I've been thinking of it wrong or missing something about it.

edit:

I'm sure many people must've noticed this but there are recurring words in save files. I know Ridge Racer, LoZ OoT 3D, and Samurai Warriors Chronicles share them but those are the only 3DS games (all US) I have atm; still, it's interesting that they all share these words.

- DIFI
- DPFS
- DISA

They're probably nothing but still, I thought I'd note something I didn't see in the past 6 pages.
 

Immortal_no1
CollosalPokemon said:
I just took the whole file's CRCs
But doesn't it compare the file's CRCs to some type of offset CRC, like if the file is the same CRC as in the offset inside the file it's OK? Maybe I've been thinking of it wrong or missing something about it.

edit:

I'm sure many people must've noticed this but there are recurring words in save files. I know Ridge Racer, LoZ OoT 3D, and Samurai Warriors Chronicles share them but those are the only 3DS games (all US) I have atm; still, it's interesting that they all share these words.

- DIFI
- DPFS
- DISA

They're probably nothing but still, I thought I'd note something I didn't see in the past 6 pages.


I'll try and answer all these in this one message so people can get an understanding of the game structure.

If the whole file is CRC'd.... you WON'T see the CRC OF the whole file IN the file. That's like you taking a picture of yourself in front of your house, but in the picture you're holding the camera that took the picture. It can't be done unless it's digitally manipulated to place the camera in the picture afterwards. So a CRC of the save can't be put into the save as the CRC of the file will always change when the CRC is put (edited) back into the file... I hope that wasn't too much of a mind bender....

Moving on... The DIFI, DISA and DPFS messages are part of the partition structure. Starting with the DISA block.
From what I understand, the DISA block is an EEPROM save block.
The DIFI block encompasses the DPFS and IVFC blocks. The DIFI block is the partition block which holds information about the partition, dur.. You will usually have 2 or more of these, as the number of these one after the other should directly relate to the number of partitions you have in the game, as you should be able to see in the file info section of the Save De/Encrypter.

I've been trying to process the partition data to see if there's anything useful that could help with the modification of the saves, but I haven't seen anything yet that can help.

I modified Super Monkeyball 3D and re-encrypted the data and the game didn't say it was corrupt, however my change didn't appear in the game, but the re-CRC and re-encrypt worked. I believe there must be a CRC of the CRC data, or a hash table that matches parts of the data which isn't being changed. If only I had a 3DS development cartridge datasheet or even better a memory map document. Surely game developers have these, just have to wait for one to be leaked, otherwise it's hit and miss and recently it's been mostly misses.
 

CollosalPokemon
Immortal_no1 said:
CollosalPokemon said:
I just took the whole file's CRCs
But doesn't it compare the file's CRCs to some type of offset CRC, like if the file is the same CRC as in the offset inside the file it's OK? Maybe I've been thinking of it wrong or missing something about it.

edit:

I'm sure many people must've noticed this but there are recurring words in save files. I know Ridge Racer, LoZ OoT 3D, and Samurai Warriors Chronicles share them but those are the only 3DS games (all US) I have atm; still, it's interesting that they all share these words.

- DIFI
- DPFS
- DISA

They're probably nothing but still, I thought I'd note something I didn't see in the past 6 pages.


I'll try and answer all these in this one message so people can get an understanding of the game structure.

If the whole file is CRC'd.... you WON'T see the CRC OF the whole file IN the file. That's like you taking a picture of yourself in front of your house, but in the picture you're holding the camera that took the picture. It can't be done unless it's digitally manipulated to place the camera in the picture afterwards. So a CRC of the save can't be put into the save as the CRC of the file will always change when the CRC is put (edited) back into the file... I hope that wasn't too much of a mind bender....

Moving on... The DIFI, DISA and DPFS messages are part of the partition structure. Starting with the DISA block.
From what I understand, the DISA block is an EEPROM save block.
The DIFI block encompasses the DPFS and IVFC blocks. The DIFI block is the partition block which holds information about the partition, dur.. You will usually have 2 or more of these, as the number of these one after the other should directly relate to the number of partitions you have in the game, as you should be able to see in the file info section of the Save De/Encrypter.

I've been trying to process the partition data to see if there's anything useful that could help with the modification of the saves, but I haven't seen anything yet that can help.

I modified Super Monkeyball 3D and re-encrypted the data and the game didn't say it was corrupt, however my change didn't appear in the game, but the re-CRC and re-encrypt worked. I believe there must be a CRC of the CRC data, or a hash table that matches parts of the data which isn't being changed. If only I had a 3DS development cartridge datasheet or even better a memory map document. Surely game developers have these, just have to wait for one to be leaked, otherwise it's hit and miss and recently it's been mostly misses.

Ha, mind telling us how you managed to re-CRC it? Maybe the part you changed has some sort of protection so it defaults back to something else. I dunno what you changed but that's a guess.

Also MBAM detected the new 3D Save De/Encryptor as a virus Worm, just letting you know. (using v1.5a)
 

Immortal_no1
Detected v1.5a as a worm?...... Not sure how that can be. The checksum search function could be confusing it (possibly) but I highly doubt it. I'll run a scan here too to make sure, but I always scan before uploading. It may be the packer compression... If you got it from my Dropbox then it's clean. I'll add an MD5 hash to the next release to ensure nobody's sending out modified versions with worms in.

As for the re-CRCing I'll have to write a tutorial or better yet a video... For the moment, download HxD, it's a freeware hex editor; it's what I've been using as it has checksum data functions built into the application.

I think it worked when I originally did it because the area I changed had a checksum on it, but there wasn't anything checking the area where the checksum was. I most likely changed the "Backup" partition, hence none of my changes were seen but the save still played.
 

CollosalPokemon
The other versions were OK. I trust you're not trying to infect computers, though, after seeing what this can do to save files, but MBAM might be a little overprotective. I used the one from your Dropbox.
It could have been that there was another minor virus that spread to that file, but I have not had any problems with my PC (never BSODs, freezes, or crashes).

I see. I could understand that; LoZ OoT has more than 4 names of my character even though I only have 2 saves (one in normal mode, and 1 in master quest). I'm assuming some of those must be backup names.
 

Immortal_no1
Sounds like they're backup partitions for your character's data.

I did a scan on the release archive and found no problems with the contents...
 

Immortal_no1
[OFF-TOPIC]
Got my stuff yesterday,

Stuff.jpg


2x Thermal Mug
1x (L) T-Shirt (Wearing Now)
1x Mouse Mat
$10 donated to Orc

Showing my support. Maybe now programming the 3DS Save De/Encrypter will be a little easier..... HA
 

doyama

Well-Known Member
Member
Joined
Nov 30, 2006
Messages
1,288
Trophies
0
XP
171
Country
United States
omega59 said:
I really don't see the point in this application. sorry just my opinion

:-)

It's something that has no 'practical' use for most users. It's a debugging tool mostly at this point. Being able to see what's inside the sav files and such. As the thread so far has shown, sometimes interesting things are in there. What will come of this is anyone's guess, but more tools are better than less.
 

earny

Well-Known Member
Member
Joined
Sep 14, 2009
Messages
106
Trophies
0
XP
212
Country
France
omega59 said:
I really don't see the point in this application. sorry just my opinion

:-)

It could lead to a working modified save game for cheating (and maybe, if there is a flaw in the savegame/game, perhaps a possible hypothetical hack for the 3DS itself for homebrew/backup games).
 

Immortal_no1
omega59 said:
I really don't see the point in this application. sorry just my opinion

:-)

Everyone's welcome to their own opinion... just as I'm also entitled to say that I'm going to ignore your post as it doesn't add anything to the project and just boosts up your post count.
If you can't see a point, that doesn't mean that there isn't one. Can you see the point of air? Or the smell that they add to natural gas so you know it's there? If the answer is yes then it's because you've been educated in why it's there.

Enough Said.
 

Immortal_no1
I added posts to the end of that thread a couple of weeks ago; the way that it was being done was completely incorrect. Ridge Racer is slightly different as some of the data was stored on the SD card also. But in total the data on the game save is CRC'd and that data, after being changed, needs the checksum recalculated. There is another place which checks the checksum, which is what I need to find. Once that can be calculated then games should be able to be modified correctly.
 

LAA

Well-Known Member
Member
Joined
Aug 3, 2008
Messages
394
Trophies
1
XP
669
Country
Good luck with it immortal.

Just so I'm clear, if you can find this other place where checksum is checked, this means we can modify saves, which could lead to hacking 3DS and modify game saves (e.g. More money for example)

Also, do you need some special device to extract the game save?

Thanks!
Either way, I wish you the best of luck
 

Immortal_no1
LAA said:
Good luck with it immortal.

Just so I'm clear, if you can find this other place where checksum is checked, this means we can modify saves, which could lead to hacking 3DS and modify game saves (e.g. More money for example)

Also, do you need some special device to extract the game save?

Thanks!
Either way, I wish you the best of luck


Yes, Yes, Yes and thanks

if you can find this other place where checksum is checked, this means we can modify saves (Yes)
which could lead to hacking 3DS and modify game saves (e.g. More money for example) (Yes)
do you need some special device to extract the game save? (Yes - an "NDS Adapter Plus" or something similar, I know that one works)
 

omega59

Well-Known Member
Member
Joined
Jul 14, 2007
Messages
627
Trophies
1
XP
1,559
Country
Canada
Perhaps if it may contain some sort of exploit, then I would understand that point of view. I don't care for a post count status, have you seen my join date and how many posts I have made LOL.
 

Immortal_no1
Ok, I've uploaded an archive containing 3 Gamesaves for Super MonkeyBall 3D (UK).

Save1-AAAAAAAA.sav
Name: AAAAAAAA
Score: 74768

Save2-BBBBBBBB.sav
Name: BBBBBBBB
Score: 75060

Save3-CCCCCCCC.sav
Name: CCCCCCCC
Score: 75292

The archive contains the decrypted versions of these files along with the Reset.sav file to blank the card if anyone wants to give it a shot themselves.

The saved data is between the values:
0x8000 -> 0x8FFF
The scores above are at locations: 0x813C - 0x813E
The checksum for these 4096 bytes is: EC07847ADD802BDDE3EC82AE490AA2D0BDB8FD4AB1C44FB5A5E6957CB02D3B8B
The location of the CRC is at: 0x1C060
For example, in Save3-CCCCCCCC.sav at address 0x813C you will see "1C 26 01". This is the reverse endian of the score, e.g. ("01 26 1C" in hex and "75292" in decimal).

Can anyone see anything I'm missing? There are some areas that are different and 2 checksums that I can't see where they're calculated from, at addresses 0x1C000 & 0x1C020.

Download Files Here:

Just recalculating the CRC after modifying it will result in a corrupted save. Can anyone point me in the right direction? Or am I the most experienced person here?
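The layout in the post above (data region 0x8000-0x8FFF, 3-byte little-endian score at 0x813C, 32-byte checksum of the region stored at 0x1C060) and the DISA/DIFI/DPFS/IVFC partition headers discussed earlier in the thread can be checked with a short script. The following is an added example, not code from the Save De/Encrypter or from anyone in this thread. It assumes, since the page never names the algorithm, that the 64-hex-character checksum is SHA-256; the 128 KiB image size and the offsets at which the magic strings are placed in the constructed sample are made up for the demonstration, not taken from a real save.

```python
import hashlib

# Layout values quoted from the thread for the Super Monkey Ball 3D (UK) saves.
DATA_START = 0x8000          # save data region 0x8000 -> 0x8FFF
DATA_LEN = 0x1000            # 4096 bytes
SCORE_OFFSET = 0x813C        # 3-byte little-endian score at 0x813C-0x813E
CHECKSUM_OFFSET = 0x1C060    # where the 64-hex-char checksum of the region lives
CHECKSUM_LEN = 32            # 64 hex chars = 32 bytes = 256 bits
SAVE_SIZE = 0x20000          # assumption: 128 KiB image, large enough to hold 0x1C060+32
MAGICS = (b"DISA", b"DIFI", b"DPFS", b"IVFC")


def region_digest(save: bytes) -> str:
    """Digest of the 4096-byte data region, upper-case hex like the thread's value.

    Assumption: the 256-bit checksum is treated as SHA-256; swap this out if the
    real algorithm turns out to be something else.
    """
    region = bytes(save[DATA_START:DATA_START + DATA_LEN])
    return hashlib.sha256(region).hexdigest().upper()


def stored_checksum(save: bytes) -> str:
    """The checksum bytes currently sitting in the file, as upper-case hex."""
    return bytes(save[CHECKSUM_OFFSET:CHECKSUM_OFFSET + CHECKSUM_LEN]).hex().upper()


def read_score(save: bytes) -> int:
    # "1C 26 01" on disk is 0x01261C = 75292: least significant byte first.
    return int.from_bytes(save[SCORE_OFFSET:SCORE_OFFSET + 3], "little")


def write_score(save: bytearray, score: int) -> None:
    save[SCORE_OFFSET:SCORE_OFFSET + 3] = score.to_bytes(3, "little")


def reseal(save: bytearray) -> None:
    """Recompute the region digest and store it at CHECKSUM_OFFSET."""
    save[CHECKSUM_OFFSET:CHECKSUM_OFFSET + CHECKSUM_LEN] = bytes.fromhex(region_digest(save))


def verify(save: bytes) -> bool:
    """True when the stored checksum matches a fresh digest of the data region."""
    return region_digest(save) == stored_checksum(save)


def find_magics(save: bytes) -> dict:
    """Every offset at which one of the partition-header magics appears."""
    hits = {}
    for magic in MAGICS:
        offsets, pos = [], save.find(magic)
        while pos != -1:
            offsets.append(pos)
            pos = save.find(magic, pos + 1)
        hits[magic.decode()] = offsets
    return hits


def build_sample_save(score: int) -> bytearray:
    """Constructed sample image; the magic placements are invented, not from a real save."""
    save = bytearray(SAVE_SIZE)
    save[0x100:0x104] = b"DISA"
    save[0x200:0x204] = b"DIFI"
    save[0x300:0x304] = b"DPFS"
    save[0x400:0x404] = b"IVFC"
    save[0x500:0x504] = b"DIFI"   # a second partition header, as the thread says to expect
    write_score(save, score)
    reseal(save)
    return save


if __name__ == "__main__":
    s = build_sample_save(75292)
    print("magics:", find_magics(s))
    print("score:", read_score(s), "verify:", verify(s))
    write_score(s, 99999)
    print("after edit, verify:", verify(s))   # the region changed, the stored digest did not
    reseal(s)
    print("after reseal, verify:", verify(s))
```

Running `verify` on the three real saves from the post is the quick way to confirm or rule out the SHA-256 assumption: if the digest of 0x8000-0x8FFF in Save3-CCCCCCCC.sav does not come out as EC07...3B8B, the region boundaries or the algorithm are wrong, which is exactly the kind of mismatch the thread's "recalculate the CRC and the save is still corrupt" result points at.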
 

Immortal_no1
omega59 said:
Perhaps it may contain some sort of exploit then i would understand that point of view. I don't care for a post count status, have you seen my join date and how many posts I have made LOL.


I see where you're coming from and to tell the truth, we just don't know at this point if it can open the door for any potential exploits... but let me put forward a scenario... you save a game, maybe Zelda, you modify the save to change the name of your character to "0x00" or "nop" or "0x90" depending on how it works, you save the change and rebuild the checksum. You start up your game and when it gets to a point where a character talks to your character....... they can't use your name anymore and possibly either "just continues" "or crashes" or possibly jump over the instruction to the next one in the game... and the location just happens to be in the gamesave data file. Now say we write an instruction at the address in the game save it jumps to, and tell it to jump to another area of memory. At this point if all were to go well we would then have the system output copious amounts of data to the screen which in effect would be ROM information. If you could redirect that to the SD card port you will have made a ROM dumper for that game. If it would be possible to freeze the game prior to that point you could possibly see about ejecting the cartridge and swapping it for another game and you then have a multi game ROM dumper.

It's all potential and the potential is limitless with the more games that are released.
It's all hypothetical at this point until the checksums can be cracked and then we'll see what we've got.

Do you see where I'm coming from now?
 