Hacking GBA injection

[eco95]

@ajd4096

Dear ajd4096,

I really love this GBA Injector so so much!! It's easy and very useful!

Could you please make a "SFC Injector" just like this one?? Please~~~~

Thank you so so much in advance~

 

[fiveighteen]

I'm getting "option -z not recognized"

I have the alldata.bin (Zelda - Minish Cap) and rom.gba (Pokemon FireRed) in the same folder as inject_gba.py and then running:
python inject_gba.py -z alldata.bin rom.gba

What stupid little thing am I doing wrong? lol

EDIT: @pedro702 provided the answer:

that was a very old version that used -z the latest gba injector works with -a now and uses md5 to search for the bin file

this is what the guy sended me.

I removed the -m/-z stuff, just use -a & it will use md5 of the adb to get the right settings

 

[GHostds]

.

 

[ScarletDreamz]

I'm getting "option -z not recognized"

I have the alldata.bin (Zelda - Minish Cap) and rom.gba (Pokemon FireRed) in the same folder as inject_gba.py and then running:
python inject_gba.py -z alldata.bin rom.gba

What stupid little thing am I doing wrong? lol

If you read the new version file, it does not include the -z option, now you need to use:
[Removed the various --name options, you must use -a or --adb]
+Usage: inject_gba.py [-h] [-l] [-a path/to/alldata.bin] [-e] [romfile] [romfile]

where -e = -e --extract Extract rom from the base game alldata.bin file to alldata.bin.gba

Edit: Dammit, pedro beat me to it, lol.

 

[fiveighteen]

If you read the new version file, it does not include the -z option, now you need to use:
[Removed the various --name options, you must use -a or --adb]
+Usage: inject_gba.py [-h] [-l] [-a path/to/alldata.bin] [-e] [romfile] [romfile]

where -e = -e --extract Extract rom from the base game alldata.bin file to alldata.bin.gba

Edit: Dammit, pedro beat me to it, lol.

I downloaded the newest one off of GitHub; must have missed something. Those are nice improvements to the injector though! Thanks for replying anyways haha.

 

[ScarletDreamz]

I downloaded the newest one off of GitHub; must have missed something. Those are nice improvements to the injector though! Thanks for replying anyways haha.

No problem, glad to help!

 

[ajd4096]

@ajd4096

Dear ajd4096,

I really love this GBA Injector so so much!! It's easy and very useful!

Could you please make a "SFC Injector" just like this one?? Please~~~~

Thank you so so much in advance~

I haven't looked at SFC yet, but I see on 91wii there is a thread by Solid_Snake about it.

 

[eco95]

I haven't looked at SFC yet, but I see on 91wii there is a thread by Solid_Snake about it.

Thank you so much for your reply~ I just checked 91wii and the thread has some converted sfc games for download.

I was hoping you could create something like this tool~ Super easy , Super useful , super awesome!

No rush, if you have free time, please look into it~

 

[GHostds]

Thank you @ajd4096

 

[piratesephiroth]

Is there a way to make it so injected roms that use 128K flash will work? (Maybe there's some sort of configuration data inside alldata.bin?)

I tried SMA4 and only got the corrupted save error message.

The main problem might be finding the key for the other files..

 

[ajd4096]

Is there a way to make it so injected roms that use 128K flash will work? (Maybe there's some sort of configuration data inside alldata.bin?)

I tried SMA4 and only got the corrupted save error message.

The main problem might be finding the key for the other files..

I honestly don't know, it would depend on the engine.

I haven't been able to decrypt the rest of the file, I haven't really looked because it isn't (or wasn't) needed.

The short story is:
N use a not-really secure means to generate a single key which is then used in a very insecure way to obfuscate the ROM. I didn't need to reverse the rest because I could trivially find the 2nd key.

 

[piratesephiroth]

I honestly don't know, it would depend on the engine.

I haven't been able to decrypt the rest of the file, I haven't really looked because it isn't (or wasn't) needed.

The short story is:
N use a not-really secure means to generate a single key which is then used in a very insecure way to obfuscate the ROM. I didn't need to reverse the rest because I could trivially find the 2nd key.

How are they keys generated?

 

[ajd4096]

How are they keys generated?

Compute a hash of a seed + password (which we know from the rpx).
Use the hash to initialize a PRNG.
Use the PRNG to generate the XOR key.

If you want the gory details of finding a key, look at the source code of find_keys.py
It is python, so it is easy to follow and you don't need a dev environment.

 

[piratesephiroth]

Compute a hash of a seed + password (which we know from the rpx).
Use the hash to initialize a PRNG.
Use the PRNG to generate the XOR key.

If you want the gory details of finding a key, look at the source code of find_keys.py
It is python, so it is easy to follow and you don't need a dev environment.

I had looked at findkeys.py but it seems it pratically bruteforces the key and requires the plaintext file. It's good for finding the rom but maybe not the other files?
So we need the wii u to either generate the other keys or to dump the plaintext files...

 

[ajd4096]

I had looked at findkeys.py but it seems it pratically bruteforces the key and requires the plaintext file. It's good for finding the rom but maybe not the other files?
So we need the wii u to either generate the other keys or to dump the plaintext files...

Pretty much. Note the plain text doesn't have to be an exact match, as long as there is a consecutive 3? x 80 bytes which match.
Some of them match almost anything because the rom had a bunch of 00's or FF's at the end.

Decrypting the rest is fairly straightforward, just tedious and not needed for injection.

 

[piratesephiroth]

So I got the SMA4 VC files and a quick test.
1. Tried to run Minish Cap's files using SMA4's rpx. It worked fine.
2. Tried to run SMA4's files using Minsh Cap's .rpx. It didn't work.
3. Tried to run SMA4 injected into Minish Cap's files using SMA4's rpx. It gave me the same corrupted save error.

So I guess the Flash 128K save type is really defined in a file inside alldata.bin, but it was not implemented in older GBA VCs (I could say it was only done for SMA4 but of course I haven't tested them all)

 

[ajd4096]

I made some progress, I can now extract all the files directly from the alldata.psb.m.
Now I have to put them back together.

The manual pages are plain .jpg files.
The .psb are more archives, mostly menu stuff.
The .nut files are.. interesting, to say the least.

These guys were on some strong drugs.

function _exec_PsnStore() {
    // PS3のみ
    if (confirm_dialog("NoticeMsg__CONFIRM_GO_TO_PLAYSTATION_STORE")) {
      // ネットワーク接続確認
      if (::checkStartNetwork(false) != 0) {
      }
      else {
        ::g_wipe.open(true, 30, 0x00ff);

        local res = false;
        local prof = get_system_prof();
        if (prof) {
          local store_browse_id = prof.root["store_browse_id"][get_package_regionTag()];
          printf("store_browse_id : %s\n", store_browse_id);

          // （暫定）
          res = GameContent.execStoreBrowseByCategoryID(store_browse_id);
        }
        // 成功したらゲーム終了要求イベントが発生しているハズ
        if (res)
          while (1)
            wait(0);    // 無限待ち

        ::g_wipe.close(true, 30, 0x0000);
      }
    }
  }

 

[ajd4096]

https://github.com/ajd4096/inject_gba/blob/master/tools/unpack-psb.py

 

[piratesephiroth]

This is awesome. After a small modification to get the files dumped to folders I can see there's some nice stuff there.
The JPGs have these weird stripes though

Spoiler

What could be done to the other PSB files? Maybe dump them to csv or json?

 

[ajd4096]

I'd messed up whether to decompress some files. The latest should fix the jpgs.

What would you gain by dumping the other PSBs into a different format if there is no meaningful use for any of them yet?
The script can partially parse the sub-PSBs, but I suspect 90% of it is just left over cruft anyway.
A lot of the strings are referring to xbox or playstation stuff.
I'm testing piecing the alldata files back together with the junk files left out, no crashes yet.