ROM Hack [Release] 3DS_CTR_Decryptor-VOiD

  • Thread starter: Relys
  • Views: 649,256
  • Replies: 2,226
  • Likes: 30
Maybe you need to find the SHA-256 hash of the original exefs in exheader.bin and edit it to match the new file?

I was talking about repacking the ExeFS and recompressing the code.bin file. I already found a good program for calculating the SHA-256 hashes.
 
I cobbled up a quick tool for manually compressing code.bin the other week, it's built on makerom's sources, I just wrapped the needed functions. I never cleaned it up for sharing, but here it is anyway, I didn't remove the unnecessary files so everything from makerom is there, I did change the Makefile so you can just "make" it. Haven't added proper credits but it's obviously all from https://github.com/3DSGuy/Project_CTR/tree/master/makerom by 3DSGuy et al.

Edit: if you're wanting to reinsert the new compressed code.bin into the original exefs, you'll have to make sure it doesn't end up bigger than the original compressed code.bin, or things will get ugly.
 

I am having trouble repacking the ExeFS from Mario & Luigi Dream Team and recompressing the code.bin. I am also wondering how to encrypt and inject the ExeFS back into the ROM. I also want the game to use its original encryption (using the .xorpad files) when it is repacked, not the 0-key encryption.

Well, I think if you repack it with makerom without encrypting it and use the same titleid in the .rsf file, you can use the same xor files (although you need to resize them maybe), but I am not sure.
 
Hmmm, for that you would probably have to rebuild, then extract the exefs again in decrypted form, re-xor it with the original xor, and inject it back into the original rom, then fix the exefs hash. I actually haven't tried any exefs mods, so I'm not 100% sure it will be that easy, but give it a go.
I used makerom to create a decrypted ROM in the original size. I tried to extract the decrypted ExeFS from it, but it gave me an error about an ID mismatch. In the .rsf file, I put "SUPER MARIO 3D LAND" for the title ID. In the icon.bin files that I got the names from, there seemed to be a space between each letter. Should I have formatted the title ID in the same way? Was there something else that I needed to add to the .rsf file?

I am getting closer. In the Gateway ROM selection menu, it shows the Dream Team icon with SUPER MARIO 3D LAND under it. Oddly enough, after it shows up in the game card slot, the banner is from Dream Team, but the icon and description are from blargSNES. Is there any reason why that happens? (I do have the emulator on my Gateway microSD card)

After the 3DS logo is gone when I launch the game, it says that an error has occurred and I need to turn the power off. (probably because I was not able to extract the edited ExeFS from the ROM to change the icon.bin hash and the .rsf file might not have recompressed the code.bin file)

Once I am able to successfully extract the edited ExeFS from the decrypted ROM, how do I re-xor it? Do I use the same command that I used for decryption in xor.exe, or is the method different? After I re-xor it, how do I inject it back into the original ROM? Does ctrtool have an option that is the opposite of the -p command, or do I need to use another program?

(And thank you for all of the useful suggestions and instructions!)
 
Did you change the unique ID? I'm guessing not if it's showing as blarg. Basically you need to change the unique ID to match that of the game, i.e. Dream Team's titleID is 00040000000D5A00; you don't use all of it, you omit the last "00" and take the 2 bytes next to it, i.e. "0D5A", so in the RSF file you would need to make the RSF file have
UniqueId : 0x0D5A
 
I just tried this. The icon and description are correct now, but I still get the same error from ctrtool when I try to extract the ExeFS.
Code:
ctrtool -p --exefs=exefs.bin romedited.3ds
Header:                NCSD
Signature:              82F43B7730A77CCB55778511DD6C20321C7DF196DA48FA0C92B4244F
13C368B9
                        C6959E8840089F0B85F27286F244DD7A5762E7915AF7E8BE3D46F042
3082D333
                        43DEF8C57197F68137B8FCB2B179C32AB58D80BD480810664E0604AA
8B8FECB6
                        78B29B0D52E968D8F0667FE45874924E8DC33AE68624F14636E40F67
F831F2A7
                        EC251BF444E04636AE737A3024A5531034EAC7E3A67CEE9EF832F9CD
73EC2EED
                        8B1297FA88D7876ACDF8D40433763FE81EBFDEB220DF816126257C6F
AEB6704C
                        5586C699BC5E4AE401F6FCDF512DEABFF1BC16119EE248234942AC2C
D1424E98
                        EF7C6960D77A415E22981036164060FF0BF32BBDE3E23576FD22FDC2
6866E659
Media size:            0x00200000
Media id:              00040000000d5a00
 
Partition 0
Id:                    005A0D0000000400
Area:                  0x00004000-0x003EC600
Filesystem:            00
Encryption:            00
 
Extended header hash:  00000000000000000000000000000000000000000000000000000000
00000000
Additional header size: 00000000
Sector zero offset:    00000000
Flags:                  0000000201010000
> Mediaunit size:      0x200
> Mediatype:          Card1
> Card Device:        None
 
NCCH:
Header:                NCCH
Signature:              5A6DA49C8CEC28437F372E50BF436C54E3E0410B1A2F3C3F7962BFEE
808F0967
                        6E7C59983AF95D2D856A85853A61776937B1CB4D17FBC6D7080450DE
ACF533A2
                        E07462FB03F3C41AC661F9996520F0BAD50CD7F4CD72F93F426E08C0
EFD5275E
                        B4D1E71570468B0D913B3C4578CDB337AEBA7104F114D893AF1979A1
19569FB7
                        5C49057966CBCC8350AEB1EFAD18CECC7592DB842AE0AA9434A47296
14112EC9
                        E9BF8A98577272E8215868C85024688B09B0FF914DD9ECA839CA32DF
0A3B6497
                        8C6C9ECF869F61BFD2DC71732DB842B8092EC70BD91F2771A05933C5
018220D7
                        7B5723EA4B0CFB4123EF529DAA6A84A1F76B3121AAB8C873CA11CA0E
A23E1EAD
Content size:          0x003e8600
Partition id:          00040000000d5a00
Maker code:            3030
Version:                0002
Program id:            00040000000d5a00
Logo hash:              DD8C470EDF60553B03FD5A42304923B47625409AE04D61A320812254
7EDC5150
Product code:          *your code here
Exheader size:          00000400
Exheader hash:          BCEDCC624FEE81174503A946A8DF6E49FF9F77A2F477892BB634C1F1
7EECF480
Flags:                  0100030100000000
> Mediaunit size:      0x200
> Crypto key:          Zeros
> Form type:          Executable content
> Content type:        Application
> Content platform:    CTR
Plain region offset:    0x00000000
Plain region size:      0x00000000
Logo offset:            0x00004a00
Logo size:              0x00002000
ExeFS offset:          0x00006a00
ExeFS size:            0x003e5c00
ExeFS hash region size: 0x00000200
RomFS offset:          0x00000000
RomFS size:            0x00000000
RomFS hash region size: 0x00000000
ExeFS Hash:            0889FCD6E2F873EE987AAF1DC780DD1F0EADAD3B922DD3C7993FB008
BE9D4281
RomFS Hash:            00000000000000000000000000000000000000000000000000000000
00000000
Saving ExeFS...
Error, program id mismatch. Wrong key?

Do I have to 0-key decrypt the ROM first, or is there something else that I am missing?
 
Here's a lil batch script I made to kinda keep things tidy...ish while doing that kind of stuff; might be useful to you. Basically, drag the .3ds file on and choose if you want decrypted (only works on zero-encrypted stuff) or encrypted output, and if you want the exefs, exheader, romfs or all.
@echo off
rem Drag a .3ds file onto this script; "%~1" is the path of the dropped file.
set input=
set /p input= What do you want to do with %~1 do you want the extracted contents 1. decrypted or 2. left using current encryption:
if "%input%"=="1" goto decrypted
if "%input%"=="2" goto encrypted

:encrypted
rem -p leaves the extracted sections in whatever encryption the file currently uses.
set input=
set /p input= What part do you want 1. extract exefs 2. extract exheader 3. extract romfs 4. extract all:
if "%input%"=="1" goto 11
if "%input%"=="2" goto 22
if "%input%"=="3" goto 33
if "%input%"=="4" goto 44
exit
:11
ctrtool -p --exefs=exefsencrypted.bin "%~1"
pause
exit
:22
ctrtool -p --exheader=exheaderencrypted.bin "%~1"
pause
exit
:33
ctrtool -p --romfs=romfsencrypted.bin "%~1"
pause
exit
:44
rem Extract all three sections: exefs, exheader and romfs.
ctrtool -p --exefs=exefsencrypted.bin "%~1"
ctrtool -p --exheader=exheaderencrypted.bin "%~1"
ctrtool -p --romfs=romfsencrypted.bin "%~1"
pause
exit

:decrypted
rem Without -p ctrtool decrypts the sections; this only works on zero-key encrypted files.
set input=
set /p input= What part do you want 1. extract exefs 2. extract exheader 3. extract romfs 4. extract all:
if "%input%"=="1" goto 1
if "%input%"=="2" goto 2
if "%input%"=="3" goto 3
if "%input%"=="4" goto 4
exit
:1
ctrtool --exefs=exefsdecrypted.bin "%~1"
pause
exit
:2
ctrtool --exheader=exheaderdecrypted.bin "%~1"
pause
exit
:3
ctrtool --romfs=romfsdecrypted.bin "%~1"
pause
exit
:4
ctrtool --exefs=exefsdecrypted.bin "%~1"
ctrtool --exheader=exheaderdecrypted.bin "%~1"
ctrtool --romfs=romfsdecrypted.bin "%~1"
pause
exit
 

This was very helpful! I was finally able to extract the edited ExeFS! Then, I used 3DSExplorer to find where it was located in the ROM, and used a hex editor to select it and copy and insert the new ExeFS.

Now I have a new problem. I can select the edited game in the Gateway ROM selection menu, but after I do that, it does not show up in the game card slot. I also tried loading other ROMs, and they worked fine.

What could be causing this?
 

Did you fix the hashes?
If you didn't, here is your problem.
 
Probably didn't fix some checksums.


Here is the problem:

When ctrtool extracts the original ExeFS from the unedited ROM, ctrtool lists the hash as 86D4D2F2FF737E4060CA19C9E4373E6972419AEE6F0FFC569F10FE72CEB75457 and says "Saving ExeFS...
Error, program id mismatch. Wrong key?".

When I use my hash check program on the unedited ExeFS, it says that the hash is 31D594A02C49A97C64DF3226690E7D53E023EF4BBD99036DCF6E2B27438C9B9E.

Why is the ExeFS hash different inside the ROM than it is outside the ROM? I have tried using the hash program and overwriting the original hash with the new hash using a hex editor, but it still does not show up in the game card slot after choosing it from the Gateway ROM selection menu. I even made sure to fix the icon.bin hash in the decrypted exefs.bin before re-xorring it and inserting it into the ROM.
 
Did you calculate the hashes over the whole exefs? As I don't think that is how it works. I don't know over which bytes it is calculated, but I can't check it now.
 
The hashes I calculated were for the entire original encrypted ExeFS. If it is true that the games calculate the hash for a certain portion of the ExeFS, then that could explain my problem. Hopefully I can find out which part the hash comes from.
 
Well, the hash needs to be calculated over the decrypted exefs for sure. And I think over only the first 200 bytes.
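
The hash question from the posts above, as an added example that is not part of the original thread and not code from ctrtool or makerom: it builds a constructed ExeFS and compares a SHA-256 over the whole file (encrypted and decrypted) with one over the 0x200-byte hash region that ctrtool reports, and shows that editing a file leaves its header entry stale. The ten-entry header with hash slots filled from the end, and the stand-in keystream used in place of an .xorpad, are assumptions based on the commonly documented ExeFS layout.

```python
import hashlib
import struct

HEADER_SIZE = 0x200  # matches "ExeFS hash region size: 0x00000200" in the ctrtool output
MAX_FILES = 10       # assumed layout: ten 16-byte entries (name, offset, size)


def build_exefs(files):
    """Build a constructed, decrypted ExeFS image from {name: data}."""
    header, body = bytearray(HEADER_SIZE), b""
    for i, (name, data) in enumerate(files.items()):
        struct.pack_into("<8sII", header, 16 * i, name.encode(), len(body), len(data))
        slot = HEADER_SIZE - 32 * (i + 1)  # assumed: hash slots fill from the end
        header[slot:slot + 32] = hashlib.sha256(data).digest()
        body += data + b"\0" * (-len(data) % 0x200)  # pad to a 0x200 media unit
    return bytes(header) + body


def superblock_hash(exefs):
    """SHA-256 over the hash region only, not the whole ExeFS."""
    return hashlib.sha256(exefs[:HEADER_SIZE]).hexdigest()


def stale_entries(exefs):
    """Names of files whose data no longer matches the hash in the header."""
    bad = []
    for i in range(MAX_FILES):
        name, off, size = struct.unpack_from("<8sII", exefs, 16 * i)
        data = exefs[HEADER_SIZE + off:HEADER_SIZE + off + size]
        slot = HEADER_SIZE - 32 * (i + 1)
        if size and hashlib.sha256(data).digest() != exefs[slot:slot + 32]:
            bad.append(name.rstrip(b"\0").decode())
    return bad


def xor(data, pad):
    """Apply a keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, pad))


# Constructed sample data, not taken from any real title or xorpad.
PLAIN = build_exefs({".code": b"\x01" * 700, "icon": b"\x02" * 300})
PAD = hashlib.sha256(b"constructed pad").digest() * (len(PLAIN) // 32)
ENCRYPTED = xor(PLAIN, PAD)

# Change the first byte of the icon data (file offset 0x600), header untouched.
TAMPERED = PLAIN[:0x600] + b"\xff" + PLAIN[0x601:]

# Rebuild with new icon data so the header carries the new file hash.
REBUILT = build_exefs({".code": b"\x01" * 700, "icon": b"\x03" * 300})

if __name__ == "__main__":
    print("whole file, encrypted: ", hashlib.sha256(ENCRYPTED).hexdigest())
    print("whole file, decrypted: ", hashlib.sha256(PLAIN).hexdigest())
    print("hash region, decrypted:", superblock_hash(PLAIN))
    print("xor round trip ok:     ", xor(ENCRYPTED, PAD) == PLAIN)
    print("stale after raw edit:  ", stale_entries(TAMPERED))
```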
 
I'm not sure if I missed anything, but I can't get it to work.

I wanted to get Rayman 3D decrypted to obtain its DSP binary for the sake of science. I figured, as lazy as this game is, it's unlikely to use a fancy specific DSP program.

So, I dumped my Rayman 3D cart via the Gateway menu. As instructed, I gave it to ctrKeyGen.exe. Placed ncchinfo.bin at the root of my SD card, along with the GW Launcher.dat. I used xerpi's refactored version.

I did the thing to start Launcher.dat. It says:

3DS CTR DECRYPTOR by VOiD, refactored by xerpi
Opening sd:/ncchinfo.bin ...

And it sits there.


Did I do something wrong, or is it just that there is a specific thing with Rayman 3D? Or is my ROM dump bad or whatever?
 
Reboot a few times; if it sits for more than a few seconds, retry.
 