Hello everyone! I've recently gotten into reverse engineering and I'm currently studying stack smashing. I picked FIFA06 for the US because it was already exploited, but there's only a EUR version of the exploit and not a US version of it. I'm trying to edit a save file of FIFA06 US, but the checksum is a really big problem for me.
I tried making a program to look at the checksum, but that didn't work out well for me. I do have some information about the game, though.
The checksum is located at offset 0x0A (0x0000000A).
I found that out by comparing 2 save files with VBinDiff.
I then made a program in C to show the save's checksum (basically CTurt's example on his website: https://cturt.github.io/DS-exploit-finding.html).
Code:
#include <stdio.h>

int main(int argc, char **argv) {
    if(argc < 2) {
        printf("FIFA 06 DS (US) save checksum fixer\n");
        printf("Usage:\n");
        printf("checksumFix [save1.sav] [save2.sav] ...\n");
        return 1;
    }
    int i;
    for(i = 1; i < argc; i++) {
        /* Open read-only in binary mode; "rwb+" is not a valid fopen mode. */
        FILE *f = fopen(argv[i], "rb");
        if(!f) {
            /* Nothing to close here: fopen returned NULL. */
            printf("Failed to open %s\n", argv[i]);
            return 1;
        }
        unsigned short checksum;
        /* The checksum is a 16-bit value stored at offset 0x0A of the save. */
        fseek(f, 0x0000000A, SEEK_SET);
        if(fread(&checksum, sizeof(unsigned short), 1, f) != 1) {
            printf("Failed to read %s\n", argv[i]);
            fclose(f);
            return 1;
        }
        fclose(f);
        printf("%s:\n", argv[i]);
        /* Print as a 16-bit hex value; %p expects a pointer, not an integer. */
        printf("0x%04X\n", checksum);
    }
    return 0;
}
So I made different save files with different names and recorded each save's result.
save1.sav (contains: AAAAAAAAAA) = 0x0000B043
save2.sav (contains: AAAAAAAAAB) = 0x0000B14F
save3.sav (contains: AAAAAAAAAC) = 0x0000B25B
Then I did some math to calculate the real checksum.
0x0000B14F - 0x0000B043 = 0x10C (save2.sav - save1.sav = 0x10C)
0x0000B25B - 0x0000B14F = 0x10C (save3.sav - save2.sav = 0x10C)
I've noticed a pattern with this and confirmed that byte 0x4D (which is the end of the profile name) changes the checksum by 0x10C.
That was all the information I had on the checksums.
If anyone can help point me in the next direction, please let me know, because I'm stuck on what to do next.
EDIT: I'll provide all the saves I've observed and images of the save files below so the checksum is easy to look at.
Sincerely, ChampionLeake
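The differential probing described in the post (change one byte, re-read the stored checksum, watch how it moves) can be automated and extended to test whole families of candidate algorithms against every observed save at once. The script below is an added example, not the poster's program and not the real FIFA 06 algorithm: the save size, the 10-byte name field at 0x44..0x4D and the position-weighted "toy" checksum are assumptions used only to build synthetic saves for the demo, while the checksum offset 0x0A and the fact that byte 0x4D ends the profile name are taken from the post. A constant delta per +1 step, as seen in the post, rules out XOR/CRC-style checksums and points at an additive one, which is what the fingerprinting here exploits.

```python
"""Checksum fingerprinting around the differential probing from the post.
Added example: layout constants and the 'weighted' algorithm are assumed
toy values for synthetic saves, not the real FIFA 06 format."""
import struct

CS_OFF = 0x0A          # offset of the 16-bit checksum (from the post)
CS_SIZE = 2
NAME_OFF = 0x44        # assumed: 10-byte name field ending at byte 0x4D
NAME_LEN = 10
SAVE_SIZE = 0x50       # assumed size of the synthetic save


def payload(save: bytes) -> bytes:
    """Save with the checksum field zeroed, so no candidate sums itself."""
    return save[:CS_OFF] + b"\0" * CS_SIZE + save[CS_OFF + CS_SIZE:]


# --- candidate checksum families -----------------------------------------
def cs_sum8(data: bytes) -> int:
    return sum(data) & 0xFFFF

def cs_sum16le(data: bytes) -> int:
    words = struct.unpack("<%dH" % (len(data) // 2), data[:len(data) & ~1])
    return sum(words) & 0xFFFF

def cs_xor8(data: bytes) -> int:
    acc = 0
    for b in data:
        acc ^= b
    return acc

def cs_fletcher16(data: bytes) -> int:
    s1 = s2 = 0
    for b in data:
        s1 = (s1 + b) % 255
        s2 = (s2 + s1) % 255
    return (s2 << 8) | s1

def cs_weighted(data: bytes) -> int:
    """Position-weighted byte sum: the assumed toy algorithm for the demo."""
    return sum(b * (i + 1) for i, b in enumerate(data)) & 0xFFFF

CANDIDATES = {"sum8": cs_sum8, "sum16le": cs_sum16le, "xor8": cs_xor8,
              "fletcher16": cs_fletcher16, "weighted": cs_weighted}


def stored_checksum(save: bytes) -> int:
    """Read the field as the poster's C tool does; the DS is little-endian."""
    return struct.unpack_from("<H", save, CS_OFF)[0]


def probe_delta(a: bytes, b: bytes):
    """Which bytes differ outside the checksum field, and by how much did
    the stored checksum move (mod 2**16)? This is the VBinDiff step."""
    diffs = [i for i, (x, y) in enumerate(zip(a, b))
             if x != y and not CS_OFF <= i < CS_OFF + CS_SIZE]
    delta = (stored_checksum(b) - stored_checksum(a)) & 0xFFFF
    return diffs, delta


def fingerprint(saves) -> list:
    """Candidate algorithms matching the stored checksum of every save."""
    return [name for name, fn in CANDIDATES.items()
            if all(fn(payload(s)) == stored_checksum(s) for s in saves)]


def fix_checksum(save: bytes, algo) -> bytes:
    """Recompute and write back the checksum once the algorithm is known."""
    buf = bytearray(payload(save))
    struct.pack_into("<H", buf, CS_OFF, algo(bytes(buf)))
    return bytes(buf)


def make_save(name: str) -> bytes:
    """Constructed sample save: zeros, a profile name, a valid toy checksum."""
    buf = bytearray(SAVE_SIZE)
    buf[NAME_OFF:NAME_OFF + NAME_LEN] = name.encode("ascii").ljust(NAME_LEN, b"\0")
    return fix_checksum(bytes(buf), cs_weighted)


# Same three probes as in the post, on the synthetic format.
SAVES = [make_save(n) for n in ("AAAAAAAAAA", "AAAAAAAAAB", "AAAAAAAAAC")]

if __name__ == "__main__":
    for a, b in zip(SAVES, SAVES[1:]):
        diffs, delta = probe_delta(a, b)
        print("changed %s, checksum delta 0x%X" % ([hex(d) for d in diffs], delta))
    print("matching algorithms:", fingerprint(SAVES))
```

To use this on real saves, replace `SAVES` with the bytes of the observed files, keep `CS_OFF` at 0x0A, and add candidate functions as hypotheses come up; once `fingerprint` returns exactly one name, `fix_checksum` with that function is the "checksum fixer" the poster's program was named for. If no candidate matches, the per-offset deltas from `probe_delta` (one byte at a time, +1 each) give the weight of each position directly, which is usually enough to spot the formula.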