Game Save Re-CRC (Checksum re-hashing)
Required tools:
3DS Save De/Encrypter v1.5a
HXD or Hash Calc
NDS Adapter plus with firmware updated to v3.02
Load up 3DS Save De/Encrypter v1.5a
Click on the Experimental Button
Load the decrypted game save and the Checksums will be visable.
Our Score Data for Super MonkeyBall 3D is between the values:
0x8000 -> 0x8FFF
The Scores 75292 which is for "World 1" is at the location: 0x813C - 0x813E
If you look in the Experimental section of the application you can see the Checksum for this is =
098E0450538E9EDDB618729102712CC0F61C035F2CA48BB4B5BE9F04CE2A4115
The Location of the CRC is at: 0x1C060
So, first of all confirm the CRC value.
Load up the game save in HXD
Press CTRL+E to bring up the Goto window
Enter the Start-offset value as 8000
Enter the Length value as 1000
Make sure the hex 'radio button' is checked.
We should now see the End-offset value change to 8FFF
Press OK
Click on Analysis in the middle of the menu bar, and click on "Checksums..."
Select SHA-256 from the Available algorithms list and click on the OK button.
At the bottom of the HXD screen you will now see the SHA-256 checksum for the address 0x8000 - 0x8FFF
This appears as: 098E0450538E9EDDB618729102712CC0F61C035F2CA48BB4B5BE9F04CE2A4115 and matches the one from 3DS Save De/Encrypter.
Now press CTRL+G to bring up the Goto window.
Enter the CRC-offset value as 1C060 with the hex 'radio button' checked and the offset relative set to begin.
Press Enter
What we now see is the location of the CRC, and we can read the CRC off as:
09 8E 04 50 53 8E 9E DD B6 18 72 91 02 71 2C C0 F6 1C 03 5F 2C A4 8B B4 B5 BE 9F 04 CE 2A 41 15
Which is the same as the CRC we have from the area 0x8000-0x8FFF
So now we can find the CRC and we know how to make/check the CRC, so to modify the score...
At address 0x813C you will see "1C 26 01" This is the Reverse Endian of the score, e.g ("01 26 1C" in hex and "75292" in decimal) This is our score for World 1. If we change that to 80500 it would be "01 3A 74" in hex and "74 3A 01" with the Endian flipped. So if we replace "1C 26 01" with "74 3A 01". We then have to recalculate the checksum for 0x8000-0x8FFF.
Once again:
Press CTRL+E to bring up the Goto window
Enter the Start-offset value as 8000
Enter the Length value as 1000
Make sure the hex 'radio button' is checked.
We should now see the End-offset value change to 8FFF
Press OK
Click on Analysis in the middle of the menu bar, and click on "Checksums..."
Select SHA-256 from the Available algorithms list (it should still be selected) and click on the OK button.
Our SHA-256 Checksum will now replace the old one at the bottom of the screen. The checksum now reads: 23130E7CCE222C23E3CD54257CB1DA41B76B7406255EC193DE921722FF681101
So the next thing to do is go back to the location of the original checksum.
Press CTRL+G to bring up the Goto window.
Enter the CRC-offset value as 1C060 with the hex 'radio button' checked and the offset relative set to begin.
Press Enter
Right click on the checksum at the bottom of the screen in the Checksum window and click on copy.
Then Highlight the 0x20 byte checksum in the Hex window, right click on it and click on paste-insert.
Save the file out as a different name so you don't overwrite your original.
At this point in time in most cases the re-CRC of an area will result in a corrupted game save as there must be another check which is performed on the save. This is being looked into.
This same process can be used on the other areas found in the Experimental section.
There are Backup areas which we can seem to modify and the save will work afterwards however the change doesn't appear to do anything, this would be because it's a backup area and it's not in use.
Let's just hope and pray someone will find an exploit really really soon or perhaps before x-mas when Nintendo will probably release some nice titles for the holidays lol. Thanks for the explain!
