Possible Downloaded Software's Save Data Exploitation

Discussion in '3DS - ROM Hacking, Translations and Utilities' started by Thomas England, May 26, 2015.

  1. Thomas England
    OP

    Thomas England Member

    Newcomer
    10
    3
    May 26, 2015
Before I say anything, I'm new to this forum. I think this is the correct place, but as it can be used for other things I don't exactly know. Feel free to move it and shout at me.

So first things first, the 3DS seems to store its downloadable software's save data/extra data on the SD card, so the saves are directly modifiable (possibly; I don't know if someone else talked about this, but I couldn't find anything else like it). But instead of ruining your main save with this, you can use the save data backup, which 'backs up' your software/game's save data to your SD card in the directory SD Card\Nintendo 3DS\(combination of 32 characters, letters and numbers)\(combination of 32 characters, letters and numbers, again but a different combo)\backup. If you make a backup, then another identical one, you can use the second backup for modifying and the first to play the game legitimately.

Usually, you can just tap the little arrow to the left of the 'Open' button and tap Save Data Backup, then follow the instructions on screen, but for some games (if instead of exploiting code you want to mod a save), backup does not work, so you will have to directly modify the save. Thanks to information given by nanika, you can find the direct save in X:/Nintendo 3DS/[random]/[random]/title/[game-specific]/[game-specific]/data/*.sav

For me, in that backup directory there is just 1 folder, but if you have backed other things up there may be more; then afterwards another combination of letters and numbers, which may be some sort of title ID, and in there you find the save files of your software in question. Mine was the file 000001.sav, as you can see here: [image]
The process to verify I could make applicable changes to the file and then restore it as a backup was:
    1. Open the file with a hex editor (To avoid encryption confusing text editor)
    2. Change a bunch of bits with corrupted data (keyboard mashing)
    3. Extend the file by adding more null byte data on the end
    4. Save changes and overwrite the old sav file.
    5. Plug SD back into 3DS
    6. Go into System Settings>Data Management>Save Data Backup and restore my newly corrupted save from my sdcard back into NAND.

    Upon running the game I am greeted with this:
[image]
This is because the save is corrupted and decryption failed (thanks nanika), but I intend to somehow find a way of universally getting that code (maybe by first making a buffer overflow and watching the game decrypt the data as it's running or something; not got this far yet).
Reply if you have any findings or found out how to actually edit something. A few interesting code injections could be done with buffer overflows and utilizing the large zero areas in the save(s). I don't know if it is just me, but my save had a lot of these.
This is on firmware 9.7.0-25E.
Info on new possible buffer overflow/memory leak attempts:
Again, like ninjhax was, it could possibly have a new and working sibling that hasn't been patched by Nintendo in firmware 9.5. I need help working out how QR codes work in the game PYRAMIDS, which even has a demo available to run it as a test, 30 times. I also need to know how to put RAW data/hex data into a QR code which is encoded correctly for the game (search "pyramids qr code" on Google Images to see loads). I have attempted to make a large QR code, but I can't scan it with PYRAMIDS as it doesn't get enough detail to see the full thing.
     
  2. Thomas England
    OP

    Thomas England Member

    Newcomer
    10
    3
    May 26, 2015
    Image too big?
     
  3. DJPlayer

    DJPlayer Banned

    Banned
    542
    184
    May 21, 2015
    Netherlands
Link format not supported with [ img ]
     
  4. Thomas England
    OP

    Thomas England Member

    Newcomer
    10
    3
    May 26, 2015
    ? I see images just fine
     
  5. DJPlayer

    DJPlayer Banned

    Banned
    542
    184
    May 21, 2015
    Netherlands
It is because you're logged in to your own Google account. You didn't make these images available for everyone. Upload them on websites like imgur.com or abload.de
     
    Thomas England likes this.
  6. Thomas England
    OP

    Thomas England Member

    Newcomer
    10
    3
    May 26, 2015
    oh sorry... let me just fix that
     
  7. Thomas England
    OP

    Thomas England Member

    Newcomer
    10
    3
    May 26, 2015
    Images fixed... hopefully
     
  8. Thomas England
    OP

    Thomas England Member

    Newcomer
    10
    3
    May 26, 2015
    Quick addition not worth editing in, video of starting game:
     
  9. nanika

nanika A paperweight won't do! Well, text this small is unreadable anyway.

    Member
    249
    27
    Apr 22, 2008
    United States
    Downloaded game saves aren't stored in NAND in the first place.
    They're stored in X:/Nintendo 3DS/[random]/[random]/title/[game-specific]/[game-specific]/data/*.sav.
    The Save Data Backup just copies the /data/ directory into X:/Nintendo 3DS/[random]/[random]/backup/, as you've found.

    The saves are encrypted with a key specific to your 3DS, which is just about impossible to guess, so unless you can get that key, you can't decrypt and re-encrypt them.
    It's basically just throwing up an error because the save fails the decryption now.
     
  10. Thomas England
    OP

    Thomas England Member

    Newcomer
    10
    3
    May 26, 2015
Ah, stupid me. There's still a point for this thread, as I'm currently soldering the NAND points and RAM points into my serial port now. Gonna find a universal way to get past that encryption (don't you dare say it's impossible, it's not. I hope) and instead of directly modifying the save, the backup(s) can then be easily managed and you can switch between modded and unmodded saves. Plus now I have a lot of work to do in editing my first post :P
     
  11. Thomas England
    OP

    Thomas England Member

    Newcomer
    10
    3
    May 26, 2015
    UPDATE: Well, this is good stuff: 3dbrew savegame info
I think that CTR-SIGN is the encryption that should be focused on, as it does say it is SD encryption for savegames.
     
  12. gamesquest1

    gamesquest1 Nabnut

    Member
    14,081
    9,416
    Sep 23, 2013
Saves are encrypted AND signed... it's not enough to just decrypt, edit and re-encrypt a save, you would need the 3DS to sign it... and really there is little point in doing it as CN already has a well documented save exploit. If you really had the skill to find exploits on the 3DS for 9.7 you would be focusing on that rather than randomly corrupting your saves.

Basically, have you ever done any sort of RE work at this level... no, I'm not talking about save edits or Cheat Engine stuff, but actual new and original console hacks. If not, I would suggest you go learn the basics before you mess about soldering serial ports to the 3DS NAND or whatever it is you're doing :rolleyes:
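Added illustration (not code from this thread, 3dbrew, or Nintendo): a toy encrypt-then-MAC save container showing why the two edits from the first post (overwriting bytes in a hex editor, padding the file with null bytes) are rejected before the game ever sees plaintext, which is the behaviour nanika and gamesquest1 describe. It does not reproduce the real 3DS AES/CMAC scheme, key derivation or file layout; the keys, nonce layout, tag length and the `seal_save`/`open_save` names are all assumptions made for this example, and it runs with the Python standard library only.

```python
"""Toy encrypted-and-signed save blob (constructed example, not the 3DS format).

Layout assumed here: nonce (16 bytes) || ciphertext || HMAC-SHA256 tag (32 bytes).
A real console uses a per-device key the SD card never reveals; the keys below
are made-up stand-ins so the example runs offline.
"""
import hashlib
import hmac
import os

# Constructed stand-ins for console-specific secrets (assumption, not real keys).
ENC_KEY = hashlib.sha256(b"example-console-encryption-key").digest()
MAC_KEY = hashlib.sha256(b"example-console-signing-key").digest()
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 used as a PRF (demo cipher, not AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal_save(plaintext: bytes, nonce: bytes = None) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, so any byte change
    anywhere in the file invalidates it."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ks = _keystream(ENC_KEY, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    body = nonce + ct
    tag = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
    return body + tag


def open_save(blob: bytes):
    """Return the plaintext, or None when the tag does not verify
    (the point at which a game would show its 'save data corrupted' error)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
    # Constant-time comparison: verification happens before any decryption.
    if not hmac.compare_digest(tag, expected):
        return None
    nonce, ct = body[:NONCE_LEN], body[NONCE_LEN:]
    ks = _keystream(ENC_KEY, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def tamper_results(save: bytes) -> dict:
    """Apply the thread's two edits to a sealed blob and report whether each
    still opens. Only the untouched blob should verify."""
    blob = seal_save(save)
    flipped = bytearray(blob)
    for i in range(20, 28):            # overwrite a few ciphertext bytes ('keyboard mashing')
        flipped[i] ^= 0xFF
    extended = blob + b"\x00" * 64     # pad the end of the file with null bytes
    return {
        "untouched": open_save(blob) == save,
        "flipped": open_save(bytes(flipped)) is not None,
        "extended": open_save(extended) is not None,
    }


if __name__ == "__main__":
    # Constructed sample save: a short header followed by the zero-filled area
    # the first post mentions.
    sample = b"SAVE" + b"\x00" * 60
    print(tamper_results(sample))
```

The `flipped` case fails even though the modified bytes sit inside the ciphertext, and the `extended` case fails although nothing "inside" the save was changed, because the appended zeros are now where the verifier expects the tag. Producing a blob that opens requires both keys, which is the "you would need the 3DS to sign it" point above.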
     
  13. Thomas England
    OP

    Thomas England Member

    Newcomer
    10
    3
    May 26, 2015
    I have done some hardware hacks through reprogramming microcontrollers, or using JTAG points to dump enough firmware to work off of to reverse engineer, but you've got me there, I'm no Smealum.


    Still doesn't stop me from trying though. :nds:
     
  14. Nollog

    Nollog GBAtemp Addict

    Member
    2,703
    472
    Oct 10, 2008
    You have the youtube and image thing down, you just need "[WIP]" and constant debates about piracy and you're a top gbatemp thread.
     
    Subtle Demise and Thomas England like this.
  15. Thomas England
    OP

    Thomas England Member

    Newcomer
    10
    3
    May 26, 2015
    Hah! I can't tell if that's sarcasm or not. If it is or if it isn't, the sad thing is that it's correct.