Hacking Crashmo QR data research thread

elisherer

I ♥ 3DS
OP
Member
Joined
Dec 16, 2009
Messages
778
Trophies
0
Location
3dbrew.org
Website
www.sherer.co.il
XP
392
Country
Iceland
Nope. 0x0008 - 0x2CC, regular CCITT... lol

The editor works, it just needs a bit of fixing.

UPDATE:

I published the editor in the 'Games' forum.
Also, I've updated Crashmo's Wiki page in the application's hosting site.
 

Immortal_no1

Well-Known Member
Member
Joined
Jul 17, 2003
Messages
266
Trophies
0
XP
292
Country
Good job m8 - Verified

My app still had roughly 4½ days before it would have reached those values; perhaps I need to convert it to a DLL and import it into C for faster code...
 

elisherer
Brute forcing CRC32 is very slow. (CRC16 is more feasible.)

What I did:

I made 4 files of the same Crashmo level, changing only one letter in the name: 'o', 'k', 'm', 'n'
o = 0x6F = 0110 1111 - (the base file)
n = 0x6E = 0110 1110
m = 0x6D = 0110 1101
k = 0x6B = 0110 1011
So every file differs from the 'o' file by only one bit (and those bits are adjacent).

I made 3 new files
o xor n - at the position of the letter it had: 0000 0001
o xor m - at the position of the letter it had: 0000 0010
o xor k - at the position of the letter it had: 0000 0100
* The whole file was zeros except that bit, plus the full CRC32.

That way I've got 3 CRCs of a bit that got shifted.
The CRC algorithm, for every bit, shifts the CRC value and alternately XORs it with the polynomial.
You just need to find the bit that got shifted with the polynomial. (That's why I collect two bit shifts and not only one.)

You do this by rotating the value left and XORing it with the next CRC value; then you get the polynomial from the CRC.

* In all the 'o xor #' files the xorin and xorout are canceled, and the CRC is homogeneous (using 0 as both values).

So after that I got the polynomial, which was the regular one >:(

I tried getting the xorout value but it didn't work, so I got suspicious that the data we are trying to checksum isn't the right one.
So I tried without the last 3 bytes, and then without the last 4 bytes, and then it worked :)

* Meaning: the lock is not in the checksum, so you can unlock a level without even touching the CRC... lol

This might be a good method to crack any CRC32 algorithm (using the 4 letters I thought of).
Source: http://www.cosc.canterbury.ac.nz/greg.ewing/essays/CRC-Reverse-Engineering.html
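
Worked example, added here by the editor; it is not code from this thread, from elisherer's level editor, or from Crashmo. It runs the differential method described in the post above against a constructed, hypothetical level layout (8-byte header, 8-byte name, 48 bytes of grid data, 4 trailer bytes, then the CRC), where the "game" oracle stores a standard zlib CRC-32 over everything except the trailer and the CRC field, mirroring the "last 4 bytes are not covered" finding. It goes a little beyond the post: instead of three o/n/m/k files it makes one sample per bit of the first four name bytes, so at least one adjacent pair is guaranteed to hit the polynomial feedback, and it replaces the manual "try without the last 3, then 4 bytes" with a consistency search over how many tail bytes to skip. Init is assumed to be 0xFFFFFFFF because equal-length samples cannot separate init from xorout. All names here (oracle_build, recover_poly, recover_range_and_xorout, the 'LEVEL' header, the trailer byte) are invented for the example.

```python
"""Differential CRC-32 reverse engineering (Ewing's method), as in the post.

Everything below is constructed for illustration: the level layout, the
'oracle' and the sample bytes are hypothetical, not Crashmo's real format.
"""
import struct
import zlib

MASK = 0xFFFFFFFF


def crc32_param(data, poly, init, xorout, reflected):
    """Bit-serial CRC-32 with explicit parameters, in either shift direction."""
    c = init & MASK
    for byte in data:
        if reflected:                       # LSB of each byte is processed first
            c ^= byte
            for _ in range(8):
                c = (c >> 1) ^ (poly if c & 1 else 0)
        else:                               # MSB of each byte is processed first
            c ^= byte << 24
            for _ in range(8):
                c = ((c << 1) & MASK) ^ (poly if c & 0x80000000 else 0)
    return (c ^ xorout) & MASK


def oracle_build(name):
    """Hypothetical game: 8-byte header, 8-byte name, 48 bytes of grid data,
    4 trailer bytes (say, a lock flag) that are NOT checksummed, then a
    standard CRC-32 over everything before the trailer, little-endian."""
    body = b"LEVEL\x00\x01\x00" + name.ljust(8, b"\x00") + bytes(range(48))
    trailer = b"\x00\x00\x00\x01"
    return body + trailer + struct.pack("<I", zlib.crc32(body) & MASK)


def stored_crc(blob):
    return struct.unpack("<I", blob[-4:])[0]


def single_bit_samples(base_name=b"crashmo"):
    """One sample per flipped bit of the first four name bytes: the post's
    o/n/m/k trick (bits 0-2 of one byte) generalised to 32 adjacent bits."""
    base = oracle_build(base_name)
    samples = {}
    for i in range(4):
        for bit in range(8):
            name = bytearray(base_name)
            name[i] ^= 1 << bit
            samples[(i, bit)] = oracle_build(bytes(name))
    return base, samples


def recover_poly(base, samples):
    """XOR of two CRCs of equal-length messages cancels init and xorout and
    leaves the CRC of the one-bit difference.  Two adjacent bit positions
    differ by exactly one register step, so whenever that step fed back the
    polynomial, poly = shift(later) ^ earlier.  Returns (reflected, poly)."""
    delta = {k: stored_crc(base) ^ stored_crc(v) for k, v in samples.items()}
    for reflected in (True, False):
        bit_order = range(8) if reflected else range(7, -1, -1)
        order = [delta[(i, b)] for i in range(4) for b in bit_order]  # processing order
        cands, consistent = set(), True
        for earlier, later in zip(order, order[1:]):
            if reflected:
                fed, shifted = later & 1, later >> 1
            else:
                fed, shifted = later & 0x80000000, (later << 1) & MASK
            if fed:
                cands.add(shifted ^ earlier)
            elif shifted != earlier:        # no feedback: must be a pure shift
                consistent = False
                break
        if consistent and len(cands) == 1:
            return reflected, cands.pop()
    raise ValueError("no consistent CRC model for either bit order")


def recover_range_and_xorout(base, samples, poly, reflected, init=0xFFFFFFFF):
    """Find how many tail bytes the CRC skips.  Only the true range gives the
    same xorout for every sample; a wrong range leaves a per-sample residue.
    init is assumed: equal-length samples cannot separate init from xorout."""
    blobs = [base] + list(samples.values())
    for trim in range(4, 16):               # 4 = just the CRC field itself
        xo = {crc32_param(b[:-trim], poly, init, 0, reflected) ^ stored_crc(b)
              for b in blobs}
        if len(xo) == 1:
            return trim, xo.pop()
    raise ValueError("no tail length gives a consistent xorout")


def solve():
    """Run the whole recovery; returns (reflected, poly, skipped_tail_bytes, xorout)."""
    base, samples = single_bit_samples()
    reflected, poly = recover_poly(base, samples)
    trim, xorout = recover_range_and_xorout(base, samples, poly, reflected)
    return reflected, poly, trim, xorout


if __name__ == "__main__":
    r, p, t, x = solve()
    print(f"reflected={r} poly={p:#010x} skip_last={t} xorout={x:#010x}")
```

Against the constructed oracle this recovers the reflected polynomial 0xEDB88320, a skipped tail of 8 bytes (the 4 uncovered trailer bytes plus the CRC field) and xorout 0xFFFFFFFF. The range search works because a wrong boundary leaves a residue that depends on each sample's own register state, so the derived xorout values disagree across the samples; only the true boundary makes them all collapse to one value, which is the same symptom elisherer hit when xorout "didn't work" until the last bytes were dropped.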
 

elisherer
If Crashmo is used as a 3DS exploit, it would be so punny!
I'm afraid Crashmo checks the level for errors before accepting it.
For instance, if you create a level where the flag is not on a block, then it will say that the level is not OK.
Or if you put a manhole on a block that is in between two blocks (no opening), it will also get rejected.

It might be fun to find the kinds of checks Crashmo doesn't do and try to make a "crashing" level (sorry for the pun).
 

elisherer
Eli, if you feel like jumping on the Mii QR code bandwagon, any help is welcome :)

Once again, good job!
Mii QR codes are encrypted using AES-CTR... no hope there... You can see my tryouts in the thread about it and what I found.
The IV of the encryption is the date, so you can't get the key unless you make two Miis on the same day with a feature changed.
Then you will see that feature change in the byte array, and accordingly you will see where the CRC is, because it will also change.

If I remember correctly it isn't CRC32 but an HMAC, which is a lot more difficult... Nintendo learned from their mistakes...
 

Immortal_no1
Mii QR codes are encrypted using AES-CTR... no hope there... You can see my tryouts in the thread about it and what I found.
The IV of the encryption is the date, so you can't get the key unless you make two Miis on the same day with a feature changed.
Then you will see that feature change in the byte array, and accordingly you will see where the CRC is, because it will also change.

If I remember correctly it isn't CRC32 but an HMAC, which is a lot more difficult... Nintendo learned from their mistakes...
I already have such information:

PM me your e-mail.
 
