ROM Hack Professor Layton hacking into the secret door?

hova1

Well-Known Member
OP
Member
Joined
Oct 26, 2007
Messages
689
Trophies
0
Website
Visit site
XP
216
Country
Gambia, The
if you played Professor Layton already, you maybe know about this secret password protected door. the password will be available in the game manual for the sequel. i thought maybe its possible to open up the ROM and see inside it or something.
so is it possible?
 

FAST6191

Techromancer
Editorial Team
Joined
Nov 21, 2005
Messages
35,977
Trophies
3
Website
trastindustries.com
XP
26,589
Country
United Kingdom
I have not played the game but anything is possible (within the limits of the system), it can however be very difficult.
My first guess is is they hashed the password and then run a compare against said hash. They match and off they go, they do not match and goto bad password routine.

If this is the case if is theoretically possible to either switch the goto bad password with the good (which could be as simple as altering a few bits: http://nocash.emubase.de/gbatek.htm#thumbinstructionsummary ) or even overwrite the hash as it will likely appear in a register/memory section at some point.

Of course it can be made far more complex (multiple checks/usages) very easily.
 
D

Deleted User

Guest
there's a file called secret.txt in the rom with the text
0123456789QWERTYUIOPASDFGHJKLZXCVBNM
I can't test it.
 
D

Deleted User

Guest
yes I know it's a qwerty keyboard, but this was the text of the file.
On a side note, there's 162 puzzles in the game rom and only 135 unlockables in game.
So I guess the remaining one are the wifi puzzles and guess what ? it's not...
 

masterful

Well-Known Member
Newcomer
Joined
May 26, 2007
Messages
63
Trophies
0
XP
88
Country
Nothing else really stands out. Maybe if someone was crazy enough to look through all of the text files. haha (that would be seriously insane though).

Anyway, what's so good about this "door"? Besides being an secret and all.

Edit: Oh, bonus mode. Well there's always 'brute force'.
laugh.gif
 
D

Deleted User

Guest
Nothing else really stands out. Maybe if someone was crazy enough to look through all of the text files. haha (that would be seriously insane though).

Anyway, what's so good about this "door"? Besides being an secret and all.

Edit: Oh, bonus mode. Well there's always 'brute force'.
laugh.gif
but I don't get what is supposed to be behind the door ? The remaining puzzles I was talking about ?

some new infos : apparently the code is linked with your own ds id, so you need a copy of layton2 to tell you the code for unlocking the door based on the id.

Some amazing thing : the code is encrypted ! first time I've seen this in a ds rom. I don't understand why it is so... but the code rewrite itself somewhere else in ram when it starts. So it might be a bit tough to disassemble.
 

SkH

Well-Known Member
Member
Joined
Apr 5, 2006
Messages
1,111
Trophies
0
XP
412
Country
Algeria
There's already out the 2nd Layton in Japanese, so you might check it out to get the code.
 
D

Deleted User

Guest
mmm everything seems like they guessed that people will look at their code and decided to make a new puzzle out of it. So if someone could send me a save file with the bonus unlocked, I could dig a bit deeper it it.

Oh by the way, I've overcomed the encryption by dumping the ram of the game in a runnning state.
 
D

Deleted User

Guest
Wait the arm binaries are encrypted deufeufeu? I have dealt with smaller scale stuff for years when cheating but this one is new to me as well.
I think it's more a compression scheme than an encryption one, but it does the same thing, it prevents someone from directly messing into the code.
Here's what the game does when starting : it boots at 0x02000800, then it initializes the system, and it starts rewrite itself from the end, so this way it doesn't rewrite something that will be read I guess. Anyways, after the first routine has started the game takes the whole first part of ram as if the arm9 was normally loaded. The compression scheme looks like bmp rle compression....it's not plain old lzss because of the strange backward writing.
The gamedev have used c++ to code their game, so it looks like either a clever homedev has made the encryption system, or a third party has started to sell this... I don't know.
I don't really see the point of this... it won't stop anything, it just take 10 seconds more to get the binary (run the emu and dump memory). What where they thinking ? >_
 
D

Deleted User

Guest
I'm also interested in what that "secret door" contains...

So here's my save file (compressed no$gba) with all puzzles unlocked...

http://qshare.com/get/147677/Professor_Lay...ge_USA.SAV.html
what are your settings for no$gba ? It won't run it here, I've got black screen as soon as it tries to access the saves files.

EDIT : http://deufeufeu.free.fr/layton/puzzles.html puzzles info dumped for those interested, with picture and solution (not shown if you don't click on it).
 

bunsy

Well-Known Member
Newcomer
Joined
Nov 23, 2005
Messages
88
Trophies
0
XP
94
Country
I think it's more a compression scheme than an encryption one, but it does the same thing, it prevents someone from directly messing into the code.
Here's what the game does when starting : it boots at 0x02000800, then it initializes the system, and it starts rewrite itself from the end, so this way it doesn't rewrite something that will be read I guess. Anyways, after the first routine has started the game takes the whole first part of ram as if the arm9 was normally loaded. The compression scheme looks like bmp rle compression....it's not plain old lzss because of the strange backward writing.
The gamedev have used c++ to code their game, so it looks like either a clever homedev has made the encryption system, or a third party has started to sell this... I don't know.
I don't really see the point of this... it won't stop anything, it just take 10 seconds more to get the binary (run the emu and dump memory). What where they thinking ? >_<

This is an SDK option. All games can use it but only a fraction does (~20%). As you noted it's a variant of LZ but starts from the back so it can be run in-place. I made an unpacker but as you realized you can just breakpoint on the unpacker routine and dump the ram afterwards.
 

aksmet

New Member
Newbie
Joined
May 9, 2006
Messages
3
Trophies
0
XP
49
Country

bunsy

Well-Known Member
Newcomer
Joined
Nov 23, 2005
Messages
88
Trophies
0
XP
94
Country
The save works here. Where do i go for the secret door?

Edit: Oh, in the bonus section. Duh.

Edit: It's a few pages of concept art. Boring.
 

You may also like...

General chit-chat
Help Users
  • No one is chatting at the moment.
    M4x1mumReZ @ M4x1mumReZ: @BentlyMods, Priiloader and BootMii as boot2 and you're all set