Professor Layton hacking into the secret door?

Discussion in 'NDS - ROM Hacking and Translations' started by hova1, Feb 16, 2008.

Feb 16, 2008
  1. hova1
    OP

    Member hova1 GBAtemp Advanced Fan

    Joined:
    Oct 26, 2007
    Messages:
    690
    Country:
    Germany
    If you played Professor Layton already, you may know about this secret password-protected door. The password will be available in the game manual for the sequel. I thought maybe it's possible to open up the ROM and see inside it or something.
    So is it possible?
     


  2. FAST6191

    Reporter FAST6191 Techromancer

    Joined:
    Nov 21, 2005
    Messages:
    21,737
    Country:
    United Kingdom
    I have not played the game, but anything is possible (within the limits of the system); it can, however, be very difficult.
    My first guess is that they hashed the password and then run a compare against said hash. If they match, off they go; if they do not match, go to the bad password routine.

    If this is the case, it is theoretically possible to either swap the "go to bad password" branch with the good one (which could be as simple as altering a few bits: http://nocash.emubase.de/gbatek.htm#thumbinstructionsummary ) or even overwrite the hash, as it will likely appear in a register/memory section at some point.

    Of course it can be made far more complex (multiple checks/usages) very easily.
     
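An added worked example of the "alter a few bits" idea from the post above (this is illustration code, not code from the thread or from the game). In Thumb-1 a conditional branch `B<cond>` is encoded as `1101 cccc iiiiiiii`; bit 8 is the low bit of the condition code, and ARM conditions come in complementary pairs that differ only in that bit (EQ/NE, CS/CC, MI/PL, VS/VC, HI/LS, GE/LT, GT/LE), so XOR-ing the halfword with 0x0100 turns "branch if the hashes differ" into "branch if they match". The six-byte "ROM" at the bottom is a constructed `cmp; bne; movs; bx lr` stub standing in for a compare-then-branch password check; the scan for that shape is a heuristic of this example, not something the game is known to contain.

```python
# Thumb-1 condition codes 0x0..0xD; 0xE (always) is not encodable in B<cond>
# and 0xF in this slot is SWI, so neither is a patch candidate.
THUMB_CONDS = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
               "HI", "LS", "GE", "LT", "GT", "LE"]


def decode_bcond(hw: int):
    """Return (cond name, byte offset relative to PC) for a Thumb B<cond>
    halfword, or None if hw is some other instruction."""
    if hw >> 12 != 0xD:
        return None
    cond = (hw >> 8) & 0xF
    if cond > 0xD:                      # 0xDExx undefined, 0xDFxx SWI
        return None
    imm8 = hw & 0xFF
    if imm8 & 0x80:                     # signed 8-bit halfword count
        imm8 -= 0x100
    return THUMB_CONDS[cond], imm8 * 2


def invert_bcond(hw: int) -> int:
    """Flip the branch condition to its complement by toggling bit 8."""
    if decode_bcond(hw) is None:
        raise ValueError("0x%04X is not a Thumb B<cond>" % hw)
    return hw ^ 0x0100


def is_thumb_cmp_reg(hw: int) -> bool:
    """Thumb format-4 'CMP Rd, Rs' (0100 0010 10 sss ddd): 0x4280..0x42BF."""
    return hw & 0xFFC0 == 0x4280


def find_cmp_bcond(code: bytes) -> list:
    """Offsets of a B<cond> that directly follows CMP Rd,Rs: the shape of a
    compare-then-branch check. Halfword-aligned scan; heuristic only."""
    hits = []
    for off in range(0, len(code) - 3, 2):
        a = int.from_bytes(code[off:off + 2], "little")
        b = int.from_bytes(code[off + 2:off + 4], "little")
        if is_thumb_cmp_reg(a) and decode_bcond(b) is not None:
            hits.append(off + 2)
    return hits


def patch_bcond(code: bytearray, off: int) -> tuple:
    """Invert the B<cond> at 'off' in place; return (old, new) halfwords."""
    old = int.from_bytes(code[off:off + 2], "little")
    new = invert_bcond(old)
    code[off:off + 2] = new.to_bytes(2, "little")
    return old, new


# Constructed stub (assumed layout, not from the game), little-endian halfwords:
#   +0  4288  cmp  r0, r1      ; computed hash vs stored hash
#   +2  D101  bne  +8          ; mismatch -> 'bad' (PC = +2+4, +1*2 = +8)
#   +4  2001  movs r0, #1      ; good: return 1
#   +6  4770  bx   lr
#   +8  2000  movs r0, #0      ; bad: return 0
#   +A  4770  bx   lr
STUB = bytearray(bytes.fromhex("8842" "01d1" "0120" "7047" "0020" "7047"))


def demo() -> tuple:
    """Locate the branch in STUB, invert it, and report the halfwords."""
    code = bytearray(STUB)
    off = find_cmp_bcond(code)[0]
    old, new = patch_bcond(code, off)
    return off, old, new, decode_bcond(old)[0], decode_bcond(new)[0]


if __name__ == "__main__":
    print("branch at +%d: %04X (%s) -> %04X (%s)" % demo())
```

Inverting the branch is the minimal patch; the alternative the post mentions (overwriting the stored hash once it sits in a register or in RAM) leaves the code untouched and is the route a cheat-code user would take. Either way, the patched image must be re-checked for a second compare elsewhere, which is exactly the "multiple checks/usages" caveat above.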
  3. Normmatt

    Member Normmatt Former AKAIO Programmer

    Joined:
    Dec 14, 2004
    Messages:
    2,135
    Country:
    New Zealand
    Providing a save file would help anyone interested in hacking this
     
  4. deufeufeu

    Member deufeufeu GBAtemp Advanced Fan

    Joined:
    Nov 21, 2005
    Messages:
    880
    Country:
    Cote d'Ivoire
    There's a file called secret.txt in the ROM with the text
    0123456789QWERTYUIOPASDFGHJKLZXCVBNM
    I can't test it.
     
  5. hova1
    OP

    Member hova1 GBAtemp Advanced Fan

    Joined:
    Oct 26, 2007
    Messages:
    690
    Country:
    Germany
    It only fits 8 letters.
     
  6. masterful

    Newcomer masterful Advanced Member

    Joined:
    May 26, 2007
    Messages:
    63
    Country:
    Australia

    0123456789
    QWERTYUIOP
    ASDFGHJKL
    ZXCVBNM

    Looks familiar anyone?
     
  7. deufeufeu

    Member deufeufeu GBAtemp Advanced Fan

    Joined:
    Nov 21, 2005
    Messages:
    880
    Country:
    Cote d'Ivoire
    Yes, I know it's a QWERTY keyboard, but this was the text of the file.
    On a side note, there are 162 puzzles in the game ROM and only 135 unlockable in game.
    So I guessed the remaining ones are the Wi-Fi puzzles, and guess what? They're not...
     
  8. masterful

    Newcomer masterful Advanced Member

    Joined:
    May 26, 2007
    Messages:
    63
    Country:
    Australia
    Nothing else really stands out. Maybe if someone was crazy enough to look through all of the text files, haha (that would be seriously insane though).

    Anyway, what's so good about this "door"? Besides being a secret and all.

    Edit: Oh, bonus mode. Well, there's always 'brute force'.
     
  9. deufeufeu

    Member deufeufeu GBAtemp Advanced Fan

    Joined:
    Nov 21, 2005
    Messages:
    880
    Country:
    Cote d'Ivoire
    But I don't get what is supposed to be behind the door. The remaining puzzles I was talking about?

    Some new info: apparently the code is linked with your own DS ID, so you need a copy of Layton 2 to tell you the code for unlocking the door based on the ID.

    Something amazing: the code is encrypted! First time I've seen this in a DS ROM. I don't understand why it is so... but the code rewrites itself somewhere else in RAM when it starts. So it might be a bit tough to disassemble.
     
  10. SkH

    Member SkH GBAtemp Maniac

    Joined:
    Apr 5, 2006
    Messages:
    1,112
    Country:
    Algeria
    The 2nd Layton is already out in Japanese, so you might check it out to get the code.
     
  11. deufeufeu

    Member deufeufeu GBAtemp Advanced Fan

    Joined:
    Nov 21, 2005
    Messages:
    880
    Country:
    Cote d'Ivoire
    Hmm, it seems like they guessed that people would look at their code and decided to make a new puzzle out of it. So if someone could send me a save file with the bonus unlocked, I could dig a bit deeper into it.

    Oh, by the way, I've overcome the encryption by dumping the RAM of the game in a running state.
     
  12. NeSchn

    Member NeSchn GBAPimpdaddy.

    Joined:
    Oct 4, 2007
    Messages:
    3,533
    Location:
    Troy, New York PimpStatus: King
    Country:
    United States
    Oooo, so there are even secrets in the game ROM itself.
     
  13. FAST6191

    Reporter FAST6191 Techromancer

    Joined:
    Nov 21, 2005
    Messages:
    21,737
    Country:
    United Kingdom
    Wait, the ARM binaries are encrypted, deufeufeu? I have dealt with smaller-scale stuff for years when cheating, but this one is new to me as well.
     
  14. deufeufeu

    Member deufeufeu GBAtemp Advanced Fan

    Joined:
    Nov 21, 2005
    Messages:
    880
    Country:
    Cote d'Ivoire
    I think it's more a compression scheme than an encryption one, but it does the same thing: it prevents someone from directly messing with the code.
    Here's what the game does when starting: it boots at 0x02000800, then it initializes the system, and it starts rewriting itself from the end, so this way it doesn't overwrite something that will still be read, I guess. Anyway, after the first routine has run, the game takes the whole first part of RAM as if the ARM9 was normally loaded. The compression scheme looks like BMP RLE compression... it's not plain old LZSS because of the strange backward writing.
    The game devs have used C++ to code their game, so it looks like either a clever homebrew dev has made the encryption system, or a third party has started to sell this... I don't know.
    I don't really see the point of this... it won't stop anything, it just takes 10 seconds more to get the binary (run the emu and dump memory). What were they thinking? >_<
     
  15. aksmet

    Newcomer aksmet Newbie

    Joined:
    May 9, 2006
    Messages:
    3
    Country:
    Philippines
  16. deufeufeu

    Member deufeufeu GBAtemp Advanced Fan

    Joined:
    Nov 21, 2005
    Messages:
    880
    Country:
    Cote d'Ivoire
    What are your settings for no$gba? It won't run here; I get a black screen as soon as it tries to access the save files.

    EDIT: http://deufeufeu.free.fr/layton/puzzles.html - puzzle info dumped for those interested, with picture and solution (not shown unless you click on it).
     
  17. bunsy

    Newcomer bunsy Advanced Member

    Joined:
    Nov 23, 2005
    Messages:
    88
    Country:
    Sweden
    This is an SDK option. All games can use it, but only a fraction do (~20%). As you noted, it's a variant of LZ but starts from the back so it can be run in-place. I made an unpacker, but as you realized you can just breakpoint on the unpacker routine and dump the RAM afterwards.
     
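An added worked example of the backward, in-place LZ scheme that deufeufeu describes (post 14) and bunsy identifies as an SDK option (post 17). This is illustration code, not the thread's unpacker, the game's loader or the SDK routine. The packer emits its stream so that the unpacker reads it from the END and writes the unpacked image from the END of the same buffer; the packed image is loaded at the low end of the region it will grow into, and the unpacker's output pointer therefore never overtakes the input it has not read yet. The layout (8-byte footer holding packed length, footer size and growth; a flag byte followed by eight blocks; 12-bit distance with a 4-bit length) is modelled on the commonly documented DS ARM9 scheme, but the field offsets and byte order here are this example's own assumptions, so it will not unpack a real binary byte-for-byte. The sample "image" is constructed, not data from the game.

```python
import struct

MIN_MATCH = 3                    # shortest run worth a 2-byte back-reference
MAX_MATCH = MIN_MATCH + 0xF      # 4-bit length field
MAX_DIST = 0xFFF + 1             # 12-bit distance field, stored minus 1
FOOTER = 8                       # u32 (enc_len | hdr_len << 24), u32 inc_len


def _longest_match(raw, p):
    """Longest run ending at raw[p] that repeats at a HIGHER address, i.e. in
    data the backward unpacker has already reconstructed."""
    best_n, best_d = 0, 0
    for d in range(1, min(MAX_DIST, len(raw) - p) + 1):
        n = 0
        while n < MAX_MATCH and n < p and raw[p - 1 - n] == raw[p - 1 - n + d]:
            n += 1
        if n > best_n:
            best_n, best_d = n, d
            if n == MAX_MATCH:
                break
    return best_n, best_d


def blz_pack(raw: bytes) -> bytes:
    """Pack from the end backwards. Tokens are collected in the order the
    unpacker will READ them, then the whole byte string is reversed."""
    tokens, gain = [], []          # gain: (written - read, token bytes, raw pos)
    p, j, k = len(raw), 0, 0
    while p > 0:
        flags_at = len(tokens)
        tokens.append(0)           # placeholder for this group's flag byte
        flags, k = 0, k + 1
        for bit in range(8):
            if p == 0:
                break
            n, d = _longest_match(raw, p)
            if n >= MIN_MATCH:
                flags |= 0x80 >> bit
                v = ((n - MIN_MATCH) << 12) | (d - 1)
                tokens += [v >> 8, v & 0xFF]        # unpacker reads hi, then lo
                p, j, k = p - n, j + n, k + 2
            else:
                tokens.append(raw[p - 1])
                p, j, k = p - 1, j + 1, k + 1
            gain.append((j - k, len(tokens), p))
        tokens[flags_at] = flags
    # In-place unpacking needs (bytes written - bytes read) to peak at the END
    # of the stream, so cut where the gain is maximal and keep the rest of the
    # image (the low addresses) stored uncompressed in front of the stream.
    best = max(range(len(gain)), key=lambda i: (gain[i][0], -i))
    g, ntok, cut = gain[best]
    if g < FOOTER:
        raise ValueError("no gain: ship the binary uncompressed instead")
    body = bytes(reversed(tokens[:ntok]))
    footer = struct.pack("<II", (len(body) + FOOTER) | (FOOTER << 24), g - FOOTER)
    return raw[:cut] + body + footer


def blz_unpack(packed: bytes) -> bytes:
    """Unpack inside one buffer, as a loader would do in RAM."""
    pak_len = len(packed)
    word, inc_len = struct.unpack_from("<II", packed, pak_len - FOOTER)
    hdr_len, enc_len = word >> 24, word & 0xFFFFFF
    if hdr_len != FOOTER:
        raise ValueError("unexpected footer size")
    buf = bytearray(pak_len + inc_len)        # the packed image grows into this
    buf[:pak_len] = packed
    end = pak_len - enc_len                   # uncompressed prefix is left alone
    pak, raw = pak_len - hdr_len, len(buf)    # both pointers start at the end
    mask = flags = 0
    while raw > end:
        assert pak <= raw, "in-place invariant broken: unread input overwritten"
        if mask == 0:
            pak -= 1
            flags, mask = buf[pak], 0x80
        if flags & mask:
            pak -= 2
            v = (buf[pak + 1] << 8) | buf[pak]
            n, d = (v >> 12) + MIN_MATCH, (v & 0xFFF) + 1
            for _ in range(n):                # byte-wise so overlap (d < n) works
                raw -= 1
                buf[raw] = buf[raw + d]
        else:
            pak -= 1
            raw -= 1
            buf[raw] = buf[pak]
        mask >>= 1
    return bytes(buf)


# Constructed stand-in for an ARM9 image: an incompressible table, repeated
# text, then a run of 'mov r0, r0' (E1A00000) padding.
SAMPLE = (bytes(range(256))
          + b"The password is checked here. " * 20
          + bytes.fromhex("0000a0e1") * 64)


def demo() -> tuple:
    """Round-trip SAMPLE; report sizes and whether the table stayed verbatim."""
    packed = blz_pack(SAMPLE)
    assert blz_unpack(packed) == SAMPLE
    return len(SAMPLE), len(packed), packed.startswith(SAMPLE[:256])
```

The `assert pak <= raw` in the unpacker is the whole point of the backward direction: because the stream is consumed from the top and the image is rebuilt from the top, the only way the loader could corrupt itself is if some suffix of the stream expanded instead of shrinking, and the packer rules that out by leaving the poorly compressing low part of the image uncompressed. It also shows why this buys no secrecy: once the loop has run, RAM holds the plain binary, which is exactly what a breakpoint on the unpacker followed by a memory dump gives you.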
  18. aksmet

    Newcomer aksmet Newbie

    Joined:
    May 9, 2006
    Messages:
    3
    Country:
    Philippines
    I'm using default settings for everything else except the save type which is EEPROM 64KBytes.
     
  19. bunsy

    Newcomer bunsy Advanced Member

    Joined:
    Nov 23, 2005
    Messages:
    88
    Country:
    Sweden
    The save works here. Where do I go for the secret door?

    Edit: Oh, in the bonus section. Duh.

    Edit: It's a few pages of concept art. Boring.
     
  20. ZPE

    Member ZPE GBAtemp Fan

    Joined:
    Aug 27, 2007
    Messages:
    437
    Location:
    England
    Country:
    United Kingdom
    Hey, thanks man. Really useful for those that don't have the game.
     