Hacking Mario Kart 7 Save Hacking [Help]

Status
Not open for further replies.

someonewhodied

Ok, so I got my savedongle (and no need to pester me, I'm typing up my review)

My first thought was to hack the MK7 Save Data. So I made 2 saves. The first, I just extracted my current one. The second one, I did a cup, got 40 coins, and that was the extent of it.

There were thousands of bytes that were different. And I tried searching for my VR and my Coin amounts, and nothing came up. (Yes, I converted the amounts to hex, and after that didn't work I reversed the byte order as some games I've savehacked have done that)

So has anyone figured out how to hack coins?
 
They're probably in endian or something but definitely not in plain text.

Even if they were plain text the scene members don't know how to modify saves yet. Nintendo put a dozen checksums to prevent modifications not done through gameplay. The scene is still learning how to make these checksums so illegal modifications can be made.
 
Besides, not everything is always written in hex code in the data.
 
Oh, well I guess I just have to wait for a 3DS RAM editor of sorts then. >.>

I have to admit I'm surprised there isn't an AR3DS yet though.
 
Oh wait, I just understood why.

We can load unsigned code in DS mode, but not in 3DS mode. I forgot that there are two modes in 3DS lol. I'm stupid.
 
Actually, there are four modes in the 3DS.

DS mode
DSi-hybrid mode
DSi mode
3DS mode

Define "DSi-hybrid"

A game that uses DSi-mode features (camera, RAM, etc.) when in DSi mode but can also play on a normal DS or in DS-mode. (e.g. Pokemon Black/White, Fossil Fighters, Classic Word Games, to name a few)
 
They play in DSi-mode.
There is no such thing as DSi-hybrid mode.
 
But they also play in DS mode. DSi mode games do not play in DS mode, thus DSi-hybrid is a game that runs in either DS-mode or DSi-mode where the game plays fine in DS mode, but has additional content in DSi mode.

A good example of a "DSi-mode" game would be System Flaw. It will refuse to play in DS mode but will play in DSi mode. Therefore System Flaw is a true DSi mode game, while hybrids will play in either DS mode or DSi mode.
 
But the thing is, you cannot play a DSi-enhanced game in DS mode on a 3DS.
It automatically runs it in DSi-mode.
(Running them on flashcards does not count.)

Besides, if what you said actually was real, then the game would run in DS mode or in DSi mode.
There's no "in-between" mode.
 
> Ok, so I got my savedongle (and no need to pester me, I'm typing up my review)
>
> My first thought was to hack the MK7 Save Data. So I made 2 saves. The first, I just extracted my current one. The second one, I did a cup, got 40 coins, and that was the extent of it.
>
> There were thousands of bytes that were different. And I tried searching for my VR and my Coin amounts, and nothing came up. (Yes, I converted the amounts to hex, and after that didn't work I reversed the byte order as some games I've savehacked have done that)
>
> So has anyone figured out how to hack coins?

Simple. It's encrypted!
 
The files are encrypted, so you need to use Crediar's 3DSaveTool to decrypt the file before you can modify any values. However, I think there's something funky going on with the saves, although I haven't had a chance to thoroughly check it out. When I got my save dongle, I took a look at a few saves of my (already 100% completed) OOT cart - both in the same place with a different amount of rupees. I was able to find matching little endian values by searching, but in both saves the offsets for the values I found were different, even though the data around looked the same. Modifying all the matching values resulted in a corrupt save file.

My guess is that there's something going on, either in the official SDK or specifically on Nintendo games, to obfuscate the data in the save files to prevent easy modification – likely to prevent save game exploits caused by buffer overflows. I'm not even sure that the values I found were the values I was looking for. There are some visible strings in the file, e.g. 'ZELDA' and 'L.i.n.k', in the latter each character is separated by a null value (denoted by dots here and in a hex editor) and I think that's the name of my save.

Theoretically, if we can decrypt the save then we can modify values, but if it's obfuscated then it's probably going to require someone smarter than me to deobfuscate it. I'm going to take a closer look when I get more time (read: when the kids go back to school), I got a few games for Xmas so I have a lot more to work with now :)
 
Even after that layer there could be another encryption layer implemented by the devs, Mario Kart Double Dash already had an encrypted savefile and iirc MK for DS as well.

Sooo it might be a while until you can modify this savefile.
 
So um, how do I encrypt/decrypt the save with 3dsSaveTool? Do I drag and drop? Or do I have to use a .bat file?

And uh, how do I get the XORkey.bin from my save?
 
For Mario Kart 7? You don't. As explained by the wiki page Elisherer linked to, MK 7 and SM3DL cannot be decrypted by 3DSaveTool because the XOR padding was changed for those games. The tool itself is pretty explanatory, open a command prompt and run the program without any arguments for an overview:

```
3DSaveTool v0.2b
Built: Apr 3 2011 15:30:30
It is not allowed to resell, rehost, redistribute
or include this file in any packages!

by crediar
Original flaw found by Erant!

Usage:
3DSaveTool [-x|-f] in.bin out.bin key.bin
-x: decrypt/encrypt a savefile
-f: find XOR key

Example usage:
3DSaveTool -x savefile.bin [decrypted.bin|encrypted.bin] key.bin
3DSaveTool -f savefile.bin key.bin
```

Extract the key first, then use it to decrypt/encrypt.
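
As an added illustration (not code from the thread or from 3DSaveTool), the Python sketch below reproduces the value search described in the earlier posts and shows why it finds nothing while a repeating XOR pad is applied, and why a single `-x` style operation serves for both decrypting and encrypting. The 64-byte save layout, the coin offset and the 16-byte pad are constructed for the demonstration and do not reflect the real MK7 or OOT formats.

```python
import struct

def xor_pad(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def find_value(blob: bytes, value: int) -> list:
    """Return (offset, encoding) for each 16/32-bit LE/BE occurrence of value."""
    hits = []
    for name, fmt in (("u16le", "<H"), ("u16be", ">H"), ("u32le", "<I"), ("u32be", ">I")):
        try:
            needle = struct.pack(fmt, value)
        except struct.error:      # value does not fit in this width
            continue
        pos = blob.find(needle)
        while pos != -1:
            hits.append((pos, name))
            pos = blob.find(needle, pos + 1)
    return sorted(hits)

def changed_ranges(a: bytes, b: bytes) -> list:
    """Group differing byte offsets of two dumps into (start, end) ranges."""
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, min(len(a), len(b))))
    return ranges

# Constructed sample data: a 64-byte "save" with a 32-bit little-endian coin
# counter at offset 0x20, and a made-up 16-byte XOR pad (not a real key).
def make_save(coins: int) -> bytes:
    body = bytearray(b"SAVE" + bytes(60))
    struct.pack_into("<I", body, 0x20, coins)
    return bytes(body)

KEY = bytes(range(0xA0, 0xB0))
plain_a, plain_b = make_save(1234), make_save(1274)   # second save: +40 coins
enc_a, enc_b = xor_pad(plain_a, KEY), xor_pad(plain_b, KEY)

if __name__ == "__main__":
    print("search in encrypted dump:", find_value(enc_a, 1234))
    print("search after XOR with pad:", find_value(xor_pad(enc_a, KEY), 1234))
    print("changed ranges (encrypted):", changed_ranges(enc_a, enc_b))
```

Because the same pad is applied to both dumps, the changed offsets are identical before and after the XOR step, so a diff of two encrypted dumps still locates where data changed even though a direct value search fails.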
 
Ah thanks. And MK7 isn't my only 3DS game lol. I also wanted to hack my BBCS2 save.

I'll just wait for someone to figure out the encryption on the MK7 save in order to hack coins then.
 