ROM Hack About checksum

st4rk

Hello everyone, I'm studying exploits (buffer overflow, to be exact). I'm trying to edit a save file from a DS game (Fifa Street 2), but the checksum is a *big problem* for me.

The checksum has two bytes (I tried CRC16 and Checksum 16 and they don't work :c).

Can anyone help me?



Regards, St4rk.
 

FAST6191

You have two options in your case; for various cheats you have a third, but let us not go there right now.

Figure out the checksum. I have seen everything from MD5/SHA1 grade stuff right down to basic parity and bytesums. You can fiddle and try to figure out what sections are summed for the checksum but in the end it is probably something you have to figure out through disassembly.

Prevent the checksum from doing anything. Very rarely are save games vetted that well, so it probably boils down to a simple check. You are the hacker, so you have the options.
Most common is probably just to break the check function.
In the original code it would probably look something like:
IF [checksum good] proceed with program
ELSE trigger bad checksum routine

In assembly this is more likely to be a BNE (break if not equal); you change this to a standard break that will always jump to the good function, or NOP something so it always does the good function, and things are good (though you may wish to reset the CPU flag).

Less common is that you break the check function. In C you would have a return, but many checksums fit nicely in the registers (they are 32 bit after all), so that might be the issue. I see this more if hackers want to prevent original game saves from being used with their hack.

In short, if you are breaking the check you just want the game to always take the "checksum is good" path.
 

FAST6191

The three choices for emulators with any debug capability are:

desmume. Very nice cheat search, RAM viewers, tile viewers, disassembly viewers... Technically it has full debug capabilities, but you will get to fiddle with Lua or, more likely, GDB, which is very annoying.

iDeaS ( http://ciacin.site90.com/ideas.php ). Kind of basic, but the run-to-line option means it beats desmume in some ways. I have used this a few times in preference to no$gba as well.

no$gba. This is basically the full debugger suite: all the breakpoints, all the niceties. You get to pay for this, though. Back on the GBA I could have also pointed you at VBA-SDL-h, but for the DS this probably still wins, though for ease of running actual commercial games desmume has this beat.

All this said, some static disassembly and fiddling there can get you a long way.
 

Kelebek

I'd say they're all abysmal and not helpful at all. Desmume doesn't even have RAM searching, and neither Desmume nor no$ have memory breakpointing, making them pretty much useless in practice. Debuggers should be one of the most important things for an emulator, but, for NDS at least, they're all so incredibly lacking in basic features.

Honestly in a lot of ways it's actually easier and more productive to just load the emulator in a proper debugger like OllyDBG, and that's a real shame. At least for *finding* the code section that's relevant to what you want, since finding the right code section is really what the emulator debuggers lack.
 

st4rk

I'd say they're all abysmal and not helpful at all. Desmume doesn't even have RAM searching, and neither Desmume nor no$ have memory breakpointing, making them pretty much useless in practice. Debuggers should be one of the most important things for an emulator, but, for NDS at least, they're all so incredibly lacking in basic features.

Honestly in a lot of ways it's actually easier and more productive to just load the emulator in a proper debugger like OllyDBG, and that's a real shame. At least for *finding* the code section that's relevant to what you want, since finding the right code section is really what the emulator debuggers lack.


Oh, that's the biggest problem then... OllyDBG + emulator = all x86_64 instructions, right? It's much more complex than ARM (CISC/RISC). Well... maybe I'll find another way to find the checksum...

About the checksum from Fifa Street 2/Fifa 08 NDS:

[image: 8FTAQLm.png]

These two bytes are the checksum. I tried summing all the bytes in the file and it doesn't work <__>. Well... I don't have a good idea for it :/
 

YoshiInAVoid

I've exploited this game; the checksum isn't that hard:

Code:
/* save->data is the raw save file; initialChecksum, start and end are given below */
unsigned int i = 0;
save->calculatedChecksum = initialChecksum;
for (i = start; i <= end; i++) {
    /* per-byte weight: the two (i / 16) * 16 terms cancel, leaving (end + 1) - (i / 4) * 4 */
    save->calculatedChecksum += save->data[i] * (((end + 1) - ((i / 0x00000010) * 0x00000010)) - (((i / 4) * 4) - ((i / 0x00000010) * 0x00000010)));
}

Once you've done FIFA Street 2, try FIFA 08, that's exploitable too.

I should also mention: initialChecksum = -9649843, start = 0x00000010, end = 4051.

EDIT: That's for US version at least.

Also if you need the return addresses for FIFA 08 or FIFA Street 2, I'm your man.
 
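An added example, not YoshiInAVoid's tool nor the game's code: the weighted byte-sum he posted, wrapped so a save image can be verified and re-stamped, with the per-byte weight simplified. The constants are the thread's US-version values; keeping only the low 16 bits of the sum, little-endian storage, and the checksum offset 0x0C used for the constructed sample are assumptions.

```python
import random

INITIAL_CHECKSUM = -9649843  # initialChecksum from the thread (US version)
START = 0x10                 # first summed byte, from the thread
END = 4051                   # last summed byte (inclusive), from the thread

def weight(i, end=END):
    """Per-byte multiplier exactly as posted. The two (i/16)*16 terms cancel,
    so this equals (end + 1) - 4*(i//4): all four bytes of a word share a weight."""
    return ((end + 1) - (i // 16) * 16) - ((i // 4) * 4 - (i // 16) * 16)

def checksum32(data, initial=INITIAL_CHECKSUM, start=START, end=END):
    """Unsigned 32-bit sum, as the C code's calculatedChecksum would hold it."""
    if end >= len(data):
        raise ValueError("save image too short for the summed range")
    total = initial
    for i in range(start, end + 1):
        total += data[i] * weight(i, end)
    return total & 0xFFFFFFFF

def checksum16(data):
    """Assumption: the game stores only the low 16 bits (the two bytes st4rk saw)."""
    return checksum32(data) & 0xFFFF

def stored_checksum(data, offset):
    return int.from_bytes(data[offset:offset + 2], "little")  # byte order assumed

def verify(data, offset):
    """True when the two bytes at `offset` match the recomputed checksum."""
    return stored_checksum(data, offset) == checksum16(data)

def restamp(data, offset):
    """Copy of `data` with the checksum bytes at `offset` rewritten to match it."""
    if offset + 2 > START and offset <= END:
        raise ValueError("checksum bytes must lie outside the summed range")
    fixed = bytearray(data)
    fixed[offset:offset + 2] = checksum16(data).to_bytes(2, "little")
    return bytes(fixed)

def make_sample(seed=1, size=8192, offset=0x0C):
    """Constructed save image: random payload with a valid checksum at an assumed offset."""
    rng = random.Random(seed)
    return restamp(bytes(rng.randrange(256) for _ in range(size)), offset)
```

Note that bytes past `end` are not covered by the sum, so edits there never disturb the stored value; only the summed range is protected.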

YoshiInAVoid

No problem. If you're still having trouble I can provide sample SAV files and compiled binaries that correct the CRC for you.

EDIT: Ah, screw it, here you go:

http://filetrip.net/dl?xym3SqLGsa

I'm using Desmume to test. Load up FIFA 08.nds and then just go Import Backup Memory -> FIFA08 TINYRED.SAV -> Size is auto from advance database.

I can't find my FIFA Street 2 exploit files though.
 

FAST6191

Firstly, nice one YoshiInAVoid.

I'd say they're all abysmal and not helpful at all. Desmume doesn't even have RAM searching, and neither Desmume nor no$ have memory breakpointing, making them pretty much useless in practice. Debuggers should be one of the most important things for an emulator, but, for NDS at least, they're all so incredibly lacking in basic features.

Honestly in a lot of ways it's actually easier and more productive to just load the emulator in a proper debugger like OllyDBG, and that's a real shame. At least for *finding* the code section that's relevant to what you want, since finding the right code section is really what the emulator debuggers lack.

RAM searching and cheat searching are functionally the same thing; desmume has a pretty nice one of the latter.
Memory breakpointing, as in halt on write/read of a memory region? no$ should have that, or at least it did when I last looked; I am not sure if the options are quite as nice as some ("break if write and value < ?" sort of thing). Similarly you can attach one of the cheat-making tools (artmoney, emuhaste...) and have something similar happen if you want.

Debuggers as "one of the most important things for an emulator": I would certainly find that situation very agreeable, but I dare say hackers, programmers, cheat makers and game modders do not make up the bulk of the emulator users.
 

st4rk

No problem. If you're still having trouble I can provide sample SAV files and compiled binaries that correct the CRC for you.

EDIT: Ah, screw it here you go:

http://filetrip.net/dl?xym3SqLGsa

I'm using Desmume to test. Load up FIFA 08.nds and then just go Import Backup Memory -> FIFA08 TINYRED.SAV -> Size is auto from advance database

I can't find my FIFA Street 2 exploit files though.


Oh man! I will try it now, really thank you =]

All the code in the payload is written in ARM7/ARM9, right?
 

Kelebek

Debuggers as "one of the most important things for an emulator", I would certainly find that situation very agreeable but I dare say hackers, programmers, cheat makers and game modders do not make up the bulk of the emulator users.

No, but they're very important for developers, and since they're the ones making the emulator, you'd expect them to be there.
 
