Hacking Crashmo QR data research thread

[elisherer]

Hello there,

As we did when pushmo was out, now we have the mission of figuring out how crashmo works to enable the pc level editor (and by that enable importing images and stuff to the game).

Official level editor: INTELLIGENT level editor (this will work as an all around editor for these games)

I'll present here what we know and hope to keep it updated:

Endianess: Little Endian (Intel, lowest byte first)

QR Data

0x00000AAD - Magic (like pushmo had 0x068D)
0x00000001 - uint32 (always 1, probably version) (was zero on pushmo)
0x???????? - uint32 size of the compressed data
[Data] - 720 bytes compressed with LZ10 (starts with 0x10)

Data

{
    char[4] Magic        // MTUA
    byte[4] CustomCrc32
    uint32 Unknown1        // always = 7
    byte[16] Zeros0
    byte[22] Author        // UTF-16 string
    byte[34] LevelName    // UTF-16 string
    byte Zero1        // ??
    uint32 Difficulty
    byte[7] Unknown3    // = 042C0920010000
    byte[10] PaletteData
    byte[6] Zeros2
    uint32 Flags
    CrashmoPosition FlagPosition
    CrashmoPosition[21] Utilities
    byte[0x200] LevelData
    byte Protection        // 4-locked, 3-open
    byte[3] Footer        // = FAFF0F
} //4+4+4+16+22+34+1+4+7+10+6+4+4+21*4+0x200+1+3 = 720 bytes

CrashmoPosition {
    uint16 Pos  // x = bits 12..16 , y = bits 7..11 *negated*
    byte Type    // 1 = flag, 2 = manhole, 3 = shiftswitches, 4 = doors, 5 = cloud
    byte Flags
    // for manholes & doors it's the color 0=red, 1=yellow...
    // for shiftswitches it's the color (1st nibble) from the palette, 2nd nibble = direction (push, pull, left, right).
    // for flag & clouds it's nothing
}

You can find the files i worked on here

Open questions:

[Answered: 5] 1. (Clouds) How many clouds can be put on a map?
2. (Clouds) on the crashmo studio, what happens when you put a cloud on an empty space?
3. (Switches) On Crashmo studio, how switches are used, do they have a color, do you rotate it?
[Answered: 4 one for each direction] 4. (Switches) How many can be put on the map?
[Answered: 3 & 3] 5. (Doors+Manholes) How many colors are there?

 

[celcodioc]

Didn't you say it wasn't lz10?
Anyway, I don't have anything data-related to add here, but interestingly setting the difficulty byte to certain values in Pushmo would display strings such as "Excellent" and even messages that are too long to fit in the difficulty text box (which, IIRC, is 60x240 px) suggesting that it actually is a string identifier (or some kind of overflow but I highly doubt it is).

 

[elisherer]

Yeah I thought it wasn't lz10 because it didn't start with 0x10 like the pyramids qr codes did. but then noticed the 0x10 was at offset 0xC so after trying to decompress it from there it worked.. (with some help from #3dsdev i might add)

 

[elisherer]

Apperantly, cloud blocks (floating blocks) are like a pin, meaning that one cloud affects the entire one colored block it stands on,
I would have to make a flood fill for the visible effect.

p.s. the crc32 position is verified

 

[elisherer]

Can someone help figure out how they encode the x,y position of the utilities:

This is a picture of link with the utilities positions written in the middle.

Blue - Flag
Red - Red Ladder
Yellow - Yellow Ladder
Grey - Clouds

on the right is the decoded information from the qr code.
the right column is readable, 0x1 , 0x2, 0x5 means the type of utility and the 0x1 on the manhole is the color (probably yellow, not sure)

To encode the position you'll need 10 bits, 5 for x, 5 for y so a byte isn't enough (8 bits) , so they need 2 more bits, hence the extra byte which uses only
the 2 lsb (values=0,1,2,3) but i can't figure how they did it...

thanks for the helpers...

 

[celcodioc]

Can someone help figure out how they encode the x,y position of the utilities:


This is a picture of link with the utilities positions written in the middle.

Blue - Flag
Red - Red Ladder
Yellow - Yellow Ladder
Grey - Clouds

on the right is the decoded information from the qr code.
the right column is readable, 0x1 , 0x2, 0x5 means the type of utility and the 0x1 on the manhole is the color (probably yellow, not sure)

To encode the position you'll need 10 bits, 5 for x, 5 for y so a byte isn't enough (8 bits) , so they need 2 more bits, hence the extra byte which uses only
the 2 lsb (values=0,1,2,3) but i can't figure how they did it...

thanks for the helpers...

The method or the code they used to do it?

 

[elisherer]

Nevermind...figured it out...

uint16 = 0000 00zz zzzx xxxx (binary representation)

x is just clear x
z is y negated...

sneaky nintendo

EDIT:

in the example above:
 
Flag = 0x0353 = 0b0000 0011 0101 0011
 
0b0000 0011 0101 0011
0b0000 00zz zzzx xxxx
 
x = 0b10011 = 19
z = 0b11010 = 26
y = neg(z) = 0b00101 = 5

 

[elisherer]

Helpers / Beta testers needed for help creating a level editor...

Requirements: have (or getting) the game!

 

[elisherer]

The level editor is almost done. It can read crashmo levels already and edit them but not save them because i need the crc32 method.

Anybody cares to help?

 

[celcodioc]

Helpers / Beta testers needed for help creating a level editor...

Requirements: have (or getting) the game!

Sure, but I don't have access to gadgets in the studio, I'm on puzzle #25.

 

[Immortal_no1]

I'll give it a go. have you determined whether or not the CRC just covers the Data partition of the QR code? seems like it's almost complete, and there i was just starting out.

 

[elisherer]

I'll give it a go. have you determined whether or not the CRC just covers the Data partition of the QR code? seems like it's almost complete, and there i was just starting out.

judging from pushmo it covers all the data after crc32.. but i could be wrong..
it isn't the same crc from pushmo from the tryouts i made...
I could easily make a hacked qr code by xor'ing 2 bin files and compress them back... maybe we could start from that..
because if for DATA1 there is CRC1 and for DATA2 there is CRC2 then for DATA1(xor)DATA2 there is CRC1(xor)CRC2.

 

[elisherer]

Tried to make a hack.

Try at your own risk. It should crash the game...

 

[ground]

Tried to make a hack.

Try at your own risk. It should crash the game...

View attachment 1054

it think a hack isn't going to work, according the attemps with pushmo

 

[elisherer]

it think a hack isn't going to work, according the attemps with pushmo

Yeah, I think so too, this is just for fun

 

[celcodioc]

Tried to make a hack.

Try at your own risk. It should crash the game...

"Something is wrong with this QR code, I can't read it" when reading the QR. But yeah, it shouldn't work anyway. It would be funny if Crashmo could be exploited even though Pushmo wasn't exploitable.

 

[morphius]

hey eli .. got your msg on swapnote. I can't get this game yet .. not available till nov22 in the usa. PM me , maybe i can help w/o it.

 

[Immortal_no1]

Working on reproducing the CRC now, it appears to be a CRC32, but what the polynomials are i don't know i'm leaving my pc to figure that out. after this run i'll let it do a alder32 CRC and see if that's of anyu use. if none of those work than i'll change the endian of the data and the CRC and read from the end first to the begining. try to cover all the bases, or at least as many as i can.

 

[elisherer]

I moved all the information about Pushmo and Crashmo to the wiki of the editor: https://code.google.com/p/intelligent-level-editor/wiki/Overview?tm=6
This way it will be more organized and not on a thread that can be pushed away...

 

[elisherer]

Got some breakthrough... I got the polynomial of the crc... now to figure out the xor values...