About checksum

Discussion in 'NDS - ROM Hacking and Translations' started by st4rk, May 11, 2014.

  1. st4rk (OP)
    Hello everyone, I'm studying exploits (buffer overflow, to be exact). I'm trying to edit a save file from a DS game (Fifa Street 2), but the checksum is a *big problem* for me.

    The checksum has two bytes (I tried CRC16 and Checksum 16 and they don't work :c).

    Can anyone help me?



    Regards, St4rk.
     
  2. FAST6191
    You have two options in your case; for various cheats you have a third, but let us not go there right now.

    Figure out the checksum. I have seen everything from MD5/SHA1-grade stuff right down to basic parity and byte sums. You can fiddle and try to figure out what sections are summed for the checksum, but in the end it is probably something you have to figure out through disassembly.

    Prevent the checksum from doing anything. Very rarely are save games vetted that well, so it probably boils down to a simple check. You are the hacker, so you have the options.
    Most common is probably just to break the check function.
    In the original code it would probably look something like
    IF [checksum good] proceed with program
    ELSE trigger bad checksum routine

    In assembly this is more likely to be a BNE (break if not equal); you change this to a standard break that will always jump to the good function, or NOP something so it always does the good function, and things are good (though you may wish to reset the CPU flag).

    Less common is you break the check function. In C you would have a return, but many checksums fit nicely in the registers (they are 32 bit after all), so that might be the issue. I see this more if hackers want to prevent original game saves from being used with their hack.

    In short, if you are breaking the check you just want the game to always take the "checksum is good" path.
     
  3. st4rk (OP)
    Oh, nice answer FAST6191, thank you so much. I will use it if I can't find a way to calculate the checksum.

    A good debugger for the NDS is NO$GBA, right?
     
  4. FAST6191
    The three choices for emulators with any debug capability are

    desmume. Very nice cheat search, RAM viewers, tile viewers, disassembly viewers... Technically it has full debug capabilities, but you will get to fiddle with Lua or, more likely, GDB, which is very annoying.

    iDeaS ( http://ciacin.site90.com/ideas.php ). Kind of basic, but the run-to-line option means it beats desmume in some ways. I have used this a few times in preference to no$gba as well.

    no$gba. This is basically the full debugger suite: all the breakpoints, all the niceties. You get to pay for this though. Back on the GBA I could have also pointed you at VBA-SDL-H, but for the DS this probably still wins, though for ease of actually running commercial games desmume has this beat.

    All this said, some static disassembly and fiddling there can get you a long way.
     
  5. Kelebek
    I'd say they're all abysmal and not helpful at all. Desmume doesn't even have RAM searching, and neither Desmume nor no$ have memory breakpointing, making them pretty much useless in practice. Debuggers should be one of the most important things for an emulator, but, for NDS at least, they're all so incredibly lacking in basic features.

    Honestly, in a lot of ways it's actually easier and more productive to just load the emulator in a proper debugger like OllyDbg, and that's a real shame. At least for *finding* the code section that's relevant to what you want, since finding the right code section is really what the emulator debuggers lack.
     
  6. st4rk (OP)

    Oh, it's a bigger problem then... OllyDbg + emulator = all instructions are x86_64, right? It's much more complex than ARM (CISC/RISC); well... maybe I'll find another way to find the checksum..

    About the checksum from Fifa Street 2/Fifa 08 NDS:

    [image: the two checksum bytes in the save file]
    These two bytes are the checksum. I tried summing all the bytes in the file and it doesn't work <__>; well... I don't have a good idea for it :/
     
  7. YoshiInAVoid
    I've exploited this game, checksum isn't that hard:

    Code:
    /* Weighted byte sum over save->data[start..end] (inclusive), seeded with initialChecksum. */
    unsigned int i = 0;
    save->calculatedChecksum = initialChecksum;
    for (i = start; i <= end; i++) {
        /* weight = ((end + 1) - 16-byte row base of i) - (4-byte word base of i - 16-byte row base of i) */
        save->calculatedChecksum += (save->data[i] * (((end + 1) - (((i / 0x00000010) * 0x00000010))) - (((i / 4) * 4) - ((i / 0x00000010) * 0x00000010))));
    }
    Once you've done FIFA Street 2, try FIFA 08, that's exploitable too.

    I should also mention, initialChecksum = -9649843, start = 0x00000010, end = 4051.

    EDIT: That's for US version at least.

    Also if you need the return addresses for FIFA 08 or FIFA Street 2, I'm your man.
     
  8. st4rk (OP)
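A worked version of that checksum, added here as an example (it is not YoshiInAVoid's code or the game's): it transcribes the posted loop with the US-version constants, then shows that the two 16-byte-row terms in the weight cancel, so each byte is weighted by (end + 1) minus its 4-byte-aligned offset. The thread does not say where in the save the two checksum bytes live or their byte order, so the low-16-bit helper and the 4096-byte sample image are assumptions.

```c
#include <stdint.h>
#include <stddef.h>

#define SAVE_SIZE   4096                      /* assumed size; must cover bytes 0x10..4051 */
#define CHK_INITIAL ((uint32_t)-9649843)      /* initialChecksum from the post (US version) */
#define CHK_START   0x10u                     /* start = 0x00000010 */
#define CHK_END     4051u                     /* end = 4051, inclusive */

/* Literal transcription of the posted loop, accumulating with 32-bit wraparound.
 * Returns 0 if the buffer cannot cover the summed range. */
uint32_t fifa_checksum_literal(const uint8_t *data, size_t len)
{
    uint32_t sum = CHK_INITIAL;
    if (len <= CHK_END) return 0;
    for (uint32_t i = CHK_START; i <= CHK_END; i++) {
        uint32_t w = ((CHK_END + 1) - ((i / 0x10) * 0x10))
                   - (((i / 4) * 4) - ((i / 0x10) * 0x10));
        sum += data[i] * w;
    }
    return sum;
}

/* Same result, simplified: the two (i / 0x10) * 0x10 terms cancel, leaving a
 * weight of (end + 1) minus the byte's 4-byte-aligned offset. All four bytes
 * of a 32-bit word share one weight, and earlier words weigh more, which is
 * why a plain byte sum (as the OP tried) never matches the stored value. */
uint32_t fifa_checksum_simplified(const uint8_t *data, size_t len)
{
    uint32_t sum = CHK_INITIAL;
    if (len <= CHK_END) return 0;
    for (uint32_t i = CHK_START; i <= CHK_END; i++)
        sum += data[i] * ((CHK_END + 1) - (i & ~3u));
    return sum;
}

/* Assumption: the two stored checksum bytes are the low 16 bits of the sum. */
uint16_t fifa_checksum16(const uint8_t *data, size_t len)
{
    return (uint16_t)(fifa_checksum_simplified(data, len) & 0xFFFFu);
}

/* Fill a constructed sample save image (not a real dump) with byte i*step + seed. */
void fill_sample_save(uint8_t *buf, size_t len, uint8_t step, uint8_t seed)
{
    for (size_t i = 0; i < len; i++)
        buf[i] = (uint8_t)(i * step + seed);
}
```

With all data bytes zero the result is just the seed, 0xFF6CC14D; the literal and simplified forms agree on every input.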
    Ç__Ç it's so epic, thank you =]

    PS: do you use NO$GBA?
     
  9. YoshiInAVoid
    No problem. If you're still having trouble I can provide sample SAV files and compiled binaries that correct the CRC for you.

    EDIT: Ah, screw it, here you go:

    http://filetrip.net/dl?xym3SqLGsa

    I'm using Desmume to test. Load up FIFA 08.nds and then just go Import Backup Memory -> FIFA08 TINYRED.SAV -> Size is auto from advance database.

    I can't find my FIFA Street 2 exploit files though.
     
  10. FAST6191
    Firstly, nice one YoshiInAVoid.

    RAM searching and cheat searching are functionally the same thing; desmume has a pretty nice one of the latter.
    Memory breakpointing, as in halt on write/read of a memory region? no$ should have that, or at least it did when I last looked; I am not sure if the options are quite as nice as some ("break if write and value < ?" sort of thing). Similarly you can attach one of the cheat-making tools (ArtMoney, EmuHaste...) and have something similar happen if you want.

    Debuggers as "one of the most important things for an emulator": I would certainly find that situation very agreeable, but I dare say hackers, programmers, cheat makers and game modders do not make up the bulk of emulator users.
     
  11. st4rk (OP)

    Oh man! I will try it now, really thank you =]

    All the code in the payload is written in ARM7/ARM9, right?
     
  12. YoshiInAVoid
    The trigger is My Fifa 08 -> My Profile. You should see a red screen.

    The code is executed on ARM 9. You could write a loader to get code to run on ARM 7 as well, but there's so little space it's barely worth it.

    Also, there's https://github.com/smealum/bangai-o-sploit if you're looking for something more difficult.
     
  13. Kelebek
    No, but they're very important for developers, and since they're the ones making the emulator, you'd expect it to be there.