Is there a way to edit MH4G Save Data?

Discussion in '3DS - ROM Hacking, Translations and Utilities' started by anthony001, Apr 3, 2015.

  1. anthony001
    OP

    anthony001 GBAtemp Regular

    Member
    299
    5
    Oct 19, 2007
    Im using gateway to play the game so the save file is in the root of 3ds SD card. Do I need to decrypt it? also the save file is in number. is it possible to know which of that is the monster hunter save file?

    Im not using cia im using the .3ds extension
     
  2. didix16

    didix16 Advanced Member

    Newcomer
    82
    43
    Jan 23, 2015
    For the moment is not possible. I'm trying to understand how this save file works but its too hard to understand (almost for me). The save file has (minimum) 2 files: userX and system.

    The userX is the user X data like money, items, weapons, etc, where X is the slot number of your character. The file is encrypted of course... I found a webpage that can modify your hunter's name and palico's name. I tested it and I saw that at the offset 0x0000 - 0x0007 it has some type of cheksum that changes always you modify your name.

    http://my1993.com/wip/mh4genc.php

    Also I found Palico's offset name 0xC4B8-0xC4BF and Hunter's name offset 0x0038 - 0x003F. But also, some other bytes are implied... This log shows the diferences after chaning Hunter's name and Palico's name.

    SAV user1 - 1 Pos[0x00] = 0x56
    SAV user1 - 1_edit3 Pos[0x00] = 0xEB
    SAV user1 - 1 Pos[0x01] = 0xDC
    SAV user1 - 1_edit3 Pos[0x01] = 0x76
    SAV user1 - 1 Pos[0x02] = 0x1E
    SAV user1 - 1_edit3 Pos[0x02] = 0xEF
    SAV user1 - 1 Pos[0x03] = 0xD0
    SAV user1 - 1_edit3 Pos[0x03] = 0x3B
    SAV user1 - 1 Pos[0x04] = 0x50
    SAV user1 - 1_edit3 Pos[0x04] = 0x2E
    SAV user1 - 1 Pos[0x05] = 0x2D
    SAV user1 - 1_edit3 Pos[0x05] = 0x0B
    SAV user1 - 1 Pos[0x06] = 0x3B
    SAV user1 - 1_edit3 Pos[0x06] = 0xD3
    SAV user1 - 1 Pos[0x07] = 0x46
    SAV user1 - 1_edit3 Pos[0x07] = 0xD8
    -----------------------------------------------
    Bytes: 8 |Offset: 0x00 - 0x07
    -----------------------------------------------

    SAV user1 - 1 Pos[0x38] = 0x97
    SAV user1 - 1_edit3 Pos[0x38] = 0xEA
    SAV user1 - 1 Pos[0x39] = 0x6D
    SAV user1 - 1_edit3 Pos[0x39] = 0x14
    SAV user1 - 1 Pos[0x3A] = 0xB7
    SAV user1 - 1_edit3 Pos[0x3A] = 0xC2
    SAV user1 - 1 Pos[0x3B] = 0x88
    SAV user1 - 1_edit3 Pos[0x3B] = 0xDD
    SAV user1 - 1 Pos[0x3C] = 0x67
    SAV user1 - 1_edit3 Pos[0x3C] = 0x42
    SAV user1 - 1 Pos[0x3D] = 0x50
    SAV user1 - 1_edit3 Pos[0x3D] = 0x82
    SAV user1 - 1 Pos[0x3E] = 0x19
    SAV user1 - 1_edit3 Pos[0x3E] = 0xD1
    SAV user1 - 1 Pos[0x3F] = 0x1E
    SAV user1 - 1_edit3 Pos[0x3F] = 0xD8
    -----------------------------------------------
    Bytes: 8 |Offset: 0x38 - 0x3F
    -----------------------------------------------

    SAV user1 - 1 Pos[0xC4B8] = 0xAF
    SAV user1 - 1_edit3 Pos[0xC4B8] = 0x85
    SAV user1 - 1 Pos[0xC4B9] = 0xCC
    SAV user1 - 1_edit3 Pos[0xC4B9] = 0x44
    SAV user1 - 1 Pos[0xC4BA] = 0x2D
    SAV user1 - 1_edit3 Pos[0xC4BA] = 0x23
    SAV user1 - 1 Pos[0xC4BB] = 0x19
    SAV user1 - 1_edit3 Pos[0xC4BB] = 0xD6
    SAV user1 - 1 Pos[0xC4BC] = 0x07
    SAV user1 - 1_edit3 Pos[0xC4BC] = 0x48
    SAV user1 - 1 Pos[0xC4BD] = 0x3B
    SAV user1 - 1_edit3 Pos[0xC4BD] = 0x2B
    SAV user1 - 1 Pos[0xC4BE] = 0xF7
    SAV user1 - 1_edit3 Pos[0xC4BE] = 0x08
    SAV user1 - 1 Pos[0xC4BF] = 0xB3
    SAV user1 - 1_edit3 Pos[0xC4BF] = 0x4F
    SAV user1 - 1 Pos[0xC4C0] = 0xA5
    SAV user1 - 1_edit3 Pos[0xC4C0] = 0xBD
    SAV user1 - 1 Pos[0xC4C1] = 0x54
    SAV user1 - 1_edit3 Pos[0xC4C1] = 0x84
    SAV user1 - 1 Pos[0xC4C2] = 0x0D
    SAV user1 - 1_edit3 Pos[0xC4C2] = 0xF4
    SAV user1 - 1 Pos[0xC4C3] = 0x9C
    SAV user1 - 1_edit3 Pos[0xC4C3] = 0xD4
    SAV user1 - 1 Pos[0xC4C4] = 0x12
    SAV user1 - 1_edit3 Pos[0xC4C4] = 0x5F
    SAV user1 - 1 Pos[0xC4C5] = 0x37
    SAV user1 - 1_edit3 Pos[0xC4C5] = 0x8A
    SAV user1 - 1 Pos[0xC4C6] = 0x9F
    SAV user1 - 1_edit3 Pos[0xC4C6] = 0x4C
    SAV user1 - 1 Pos[0xC4C7] = 0xB6
    SAV user1 - 1_edit3 Pos[0xC4C7] = 0x98
    -----------------------------------------------
    Bytes: 16 |Offset: 0xC4B8 - 0xC4C7
    -----------------------------------------------

    Bytes readed: 81408
    Diferent bytes: 32

    I would apreciate if someone want and can help me to create and mh4 sav editor

    Thanks in advance.
     
  3. anthony001
    OP

    anthony001 GBAtemp Regular

    Member
    299
    5
    Oct 19, 2007
    sorry but would like to ask if thats for mh4 or mh4G
     
  4. didix16

    didix16 Advanced Member

    Newcomer
    82
    43
    Jan 23, 2015
    Oh sorry i didn't see the G... Whell that is for MH4U. Anyway I think both works equal
     
  5. upfromtheskies

    upfromtheskies GBAtemp Regular

    Member
    247
    81
    Mar 21, 2015
    United States
    It's possible because Powersaves has cheats for Monster Hunter, but the save is uploaded to their server, edited, then downloaded again, so no one knows what they're doing exactly.
     
  6. Drak0rex

    Drak0rex GBAtemp Advanced Maniac

    Member
    1,923
    700
    Oct 12, 2014
    United States
    A buddy of mine is HR1 with Fatalis armor. Said he used an R4 save dongle
     
  7. anthony001
    OP

    anthony001 GBAtemp Regular

    Member
    299
    5
    Oct 19, 2007
    are powersaves extracted save file the same format as the gateway save file?
     
  8. upfromtheskies

    upfromtheskies GBAtemp Regular

    Member
    247
    81
    Mar 21, 2015
    United States
    I'm not sure exactly how powersaves does it, but I know they somehow encrypt the game saves, because powersaves save dumps can't be loaded into other save editors like PKHeX
     
  9. anthony001
    OP

    anthony001 GBAtemp Regular

    Member
    299
    5
    Oct 19, 2007
    how aboutr gateways save? is it the same as the retail?
     
  10. didix16

    didix16 Advanced Member

    Newcomer
    82
    43
    Jan 23, 2015

    Not exactly, but similar. Powersave has an extraheader checksum and savenamefile that checks he inegrity of the file and analize if the file is "legit" to inject into cartdrige. Any code applied to the save, generates a new checksum. This is what Datel server does. We need to know how the mh4u encryption works for decrypt it and edit it by ourselves. In some forum I saw an user specultaing about blowfish encryption...
     
  11. didix16

    didix16 Advanced Member

    Newcomer
    82
    43
    Jan 23, 2015

    The save can be extracted from powersave and load with pkhex but reverse its impossible. Only Datel does.
     
  12. didix16

    didix16 Advanced Member

    Newcomer
    82
    43
    Jan 23, 2015
    Yes since it is possible extract save in classic mode, edit it and reinject it with SDF, however the encryption that use gateway is kinda diferent from the update firmwares of 3DS, this means if you want to play with game that is saved in normal mode and then you want to play in classic mode, the result would be a data save corrupted.
     
  13. anthony001
    OP

    anthony001 GBAtemp Regular

    Member
    299
    5
    Oct 19, 2007
    Is classic mode = normal 3ds without gateway? and normal mode =gateway?
     
  14. didix16

    didix16 Advanced Member

    Newcomer
    82
    43
    Jan 23, 2015
    Classic Mode is a mode of Gateway software wich allows play physical cartdrige using emuNAND. Normal mode is how I referer when playing a game without Gateway nor Sky3DS or any other third-party hardware/software
     
  15. Arcanuskun

    Arcanuskun GBAtemp Regular

    Member
    208
    81
    May 7, 2014
    you can actually use savedatafiler for extracting the save in decrypted form. The problem is applying hex codes in the save. I believe it has checksums that needs to be satisfied before loading the said "cheats."
     
  16. _eyCaRambA_

    _eyCaRambA_ GBAtemp Advanced Fan

    Member
    523
    139
    Apr 22, 2009
    United States
    Right around the cornerâ„¢
    MH4G/U save uses an additional encryption layer. SDF will just give you the encrypted file.
     
  17. anthony001
    OP

    anthony001 GBAtemp Regular

    Member
    299
    5
    Oct 19, 2007
    hi eycaramba how did you know that? was there an actual hack attempt?