Mario Kart 7 Save Hacking [Help]

Discussion in '3DS - Flashcards & Custom Firmwares' started by someonewhodied, Dec 28, 2011.

Thread Status:
Not open for further replies.
Dec 28, 2011
  1. someonewhodied
    OP

    Member someonewhodied Lazy Person

    Joined:
    Sep 21, 2008
    Messages:
    869
    Country:
    United States
    Ok, so I got my savedongle (and no need to pester me, I'm typing up my review)

    My first thought was to hack the MK7 save data. So I made 2 saves. The first, I just extracted my current one. The second one, I did a cup, got 40 coins, and that was the extent of it.

    There were thousands of bytes that were different. And I tried searching for my VR and my coin amounts, and nothing came up. (Yes, I converted the amounts to hex, and after that didn't work I reversed the byte order, as some games I've savehacked have done that.)

    So has anyone figured out how to hack coins?
     


  2. CollosalPokemon

    Member CollosalPokemon ばん。。。かい

    Joined:
    Oct 18, 2009
    Messages:
    681
    Country:
    United States
    They're probably in endian or something but definitely not in plain text.

    Even if they were plain text the scene members don't know how to modify saves yet. Nintendo put a dozen checksums to prevent modifications not done through gameplay. The scene is still learning how to make these checksums so illegal modifications can be made.
     
  3. Ammako

    Member Ammako GBAtemp Guru

    Joined:
    Dec 22, 2009
    Messages:
    6,372
    Country:
    Canada
    Besides, not everything is always written in hex code in the data.
     
  4. someonewhodied
    OP

    Member someonewhodied Lazy Person

    Oh, well I guess I just have to wait for a 3DS RAM editor of sorts then. >.>

    I have to admit I'm surprised there isn't an AR3DS yet though.
     
  5. Ammako

    Member Ammako GBAtemp Guru

    There is no AR3DS because the 3DS hasn't been hacked yet.
     
  6. someonewhodied
    OP

    Member someonewhodied Lazy Person

    Oh wait, I just understood why.

    We can load unsigned code in DS mode, but not in 3DS mode. I forgot that there are two modes in 3DS lol. I'm stupid.
     
  7. CollosalPokemon

    Member CollosalPokemon ばん。。。かい

    Actually, there are four modes in the 3DS.

    DS mode
    DSi-hybrid mode
    DSi mode
    3DS mode
     
  8. Ammako

    Member Ammako GBAtemp Guru

    Define "DSi-hybrid"
     
  9. CollosalPokemon

    Member CollosalPokemon ばん。。。かい

    A game that uses DSi-mode features (camera, RAM, etc.) when in DSi mode but can also play on a normal DS or in DS mode (e.g. Pokemon Black/White, Fossil Fighters, Classic Word Games, to name a few).
     
  10. Ammako

    Member Ammako GBAtemp Guru

    They play in DSi-mode.
    There is no such thing as DSi-hybrid mode.
     
  11. CollosalPokemon

    Member CollosalPokemon ばん。。。かい

    But they also play in DS mode. DSi mode games do not play in DS mode, thus DSi-hybrid is a game that runs in either DS-mode or DSi-mode where the game plays fine in DS mode, but has additional content in DSi mode.

    A good example of a "DSi-mode" game would be System Flaw. It will refuse to play in DS mode but will play in DSi mode. Therefore System Flaw is a true DSi mode game, while hybrids will play in either DS mode or DSi mode.
     
  12. Ammako

    Member Ammako GBAtemp Guru

    But the thing is, you cannot play a DSi-enhanced game in DS mode on a 3DS.
    It automatically runs it in DSi-mode.
    (Running them on flashcards does not count.)

    Besides, if what you said actually was real, then the game would run in DS mode or in DSi mode.
    There's no "in-between" mode.
     
  13. elisherer

    Member elisherer I ♥ 3DS

    Joined:
    Dec 16, 2009
    Messages:
    778
    Location:
    3dbrew.org
    Country:
    Israel
    Simple. It's encrypted!
     
  14. McHaggis

    Member McHaggis Fackin' Troller

    Joined:
    Oct 24, 2008
    Messages:
    1,656
    Country:
    United Kingdom
    The files are encrypted, so you need to use Crediar's 3DSaveTool to decrypt the file before you can modify any values. However, I think there's something funky going on with the saves, although I haven't had chance to thoroughly check it out. When I got my save dongle, I took a look at a few saves of my (already 100% completed) OOT cart - both in the same place with a different amount of rupees. I was able to find matching little endian values by searching, but in both saves the offsets for the values I found were different, even though the data around looked the same. Modifying all the matching values resulted in a corrupt save file.

    My guess is that there's something going on, either in the official SDK or specifically on Nintendo games, to obfuscate the data in the save files to prevent easy modification – likely to prevent save game exploits caused by buffer overflows. I'm not even sure that the values I found were the values I was looking for. There are some visible strings in the file, e.g. 'ZELDA' and 'L.i.n.k', in the latter each character is separated by a null value (denoted by dots here and in a hex editor) and I think that's the name of my save.

    Theoretically, if we can decrypt the save then we can modify values, but if it's obfuscated then it's probably going to require someone smarter than me to deobfuscate it. I'm going to take a closer look when I get more time (read: when the kids go back to school), I got a few games for Xmas so I have a lot more to work with now :)
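
The two-snapshot value search described in the first post and in the post above, as an added example that is not part of the thread. The save layout, the key and the repeating-XOR cipher are constructed stand-ins (assumptions), not the 3DS save format or its encryption; the point is that the search finds a stable offset in plaintext and nothing once the same bytes are encrypted.

```python
import struct
from itertools import cycle

# Encodings a counter might use: 16/32-bit, little- and big-endian.
FORMATS = {"u16le": "<H", "u16be": ">H", "u32le": "<I", "u32be": ">I"}

def find_value(blob, value):
    """Return {(encoding, offset)} for every place `value` appears in `blob`."""
    hits = set()
    for name, fmt in FORMATS.items():
        try:
            needle = struct.pack(fmt, value)
        except struct.error:          # value does not fit this width
            continue
        pos = blob.find(needle)
        while pos != -1:
            hits.add((name, pos))
            pos = blob.find(needle, pos + 1)
    return hits

def stable_candidates(save_a, value_a, save_b, value_b):
    """Keep only (encoding, offset) pairs holding the known value in BOTH saves."""
    return find_value(save_a, value_a) & find_value(save_b, value_b)

def diff_count(a, b):
    """Number of byte positions at which two equal-length snapshots differ."""
    return sum(x != y for x, y in zip(a, b))

def xor_stream(data, key):
    """Stand-in cipher (assumption): XOR with a repeating key."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))

def make_save(coins):
    """Constructed 64-byte sample save: magic at 0x00, coin counter at 0x20."""
    body = bytearray(64)
    body[0:4] = b"SAVE"
    body[0x20:0x24] = struct.pack("<I", coins)
    return bytes(body)

KEY = bytes(range(0x31, 0x41))        # constructed 16-byte key
PLAIN_A, PLAIN_B = make_save(1200), make_save(1240)
ENC_A, ENC_B = xor_stream(PLAIN_A, KEY), xor_stream(PLAIN_B, KEY)

if __name__ == "__main__":
    print("plaintext:", stable_candidates(PLAIN_A, 1200, PLAIN_B, 1240))
    print("encrypted:", stable_candidates(ENC_A, 1200, ENC_B, 1240))
    print("bytes changed between encrypted saves:", diff_count(ENC_A, ENC_B))
```
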
     
  15. elisherer

    Member elisherer I ♥ 3DS

  16. SanGor

    Member SanGor Witchhunter

    Joined:
    Aug 21, 2008
    Messages:
    993
    Country:
    United States
    Even after that layer there could be another encryption layer implemented by the devs. Mario Kart Double Dash already had an encrypted savefile and iirc MK for DS as well.

    Sooo it might be a while until you can modify this savefile.
     
  17. McHaggis

    Member McHaggis Fackin' Troller

    Great stuff, that saves me a lot of time. I'll give it a more thorough read later.
     
  18. someonewhodied
    OP

    Member someonewhodied Lazy Person

    So um, how do I encrypt/decrypt the save with 3dsSaveTool? Do I drag and drop? Or do I have to use a .bat file?

    And uh, how do I get the XORkey.bin from my save?
     
  19. McHaggis

    Member McHaggis Fackin' Troller

    For Mario Kart 7? You don't. As explained by the wiki page Elisherer linked to, MK 7 and SM3DL cannot be decrypted by 3DSaveTool because the XOR padding was changed for those games. The tool itself is pretty explanatory. Open a command prompt and run the program without any arguments for an overview:

    Extract the key first, then use it to decrypt/encrypt.
     
  20. someonewhodied
    OP

    Member someonewhodied Lazy Person

    Ah thanks. And MK7 isn't my only 3DS game lol. I also wanted to hack my BBCS2 save.

    I'll just wait for someone to figure out the encryption on the MK7 save in order to hack coins then.
     