ROM Hack [RELEASE] cro_tool: CRO resigner for ROM hacks, etc

  • Thread starter Thread starter WulfyStylez
  • Start date Start date
  • Views Views 19,747
  • Replies Replies 42
  • Likes Likes 19

WulfyStylez

SALT/Bemani Princess
Member
Joined
Nov 3, 2013
Messages
1,149
Reaction score
2,627
Trophies
0
XP
2,888
Country
United States
It came to my attention recently (@SciresM mentioned it elsewhere) that even with RSA checks patched, hacked 3DS app libraries (CROs) still won't run when patched. Because of that, I threw together this tool to allow exactly that.
Hopefully this will help ROM hackers who've wanted to modify their games, but have been held back due to this. Pokemon, I've heard, has an assload of the game 'locked up' in CROs.

CRO/CRRs modified with this tool will only work on 3DSes with PS:VerifyRsaSha256 patched in some form. On pirate CFWs, this is patched already. ARM11-based hacks which allow for romfs-file replacement won't work with this (though none exist/are out yet).

Usage: cro_tool [-v] static.crr
-v: verify crr/cros instead of rehashing/resigning
Make sure you've got all the app's CROs in the same directory as cro_tool. Afterward you can even just drag-n-drop static.crr onto cro_tool (you should probably run it from cmd/shell to make sure it's working, though.)

Downloads (win64 binary and source):
MEGA
MEDIAFIRE
 

Attachments

Last edited by WulfyStylez, , Reason: v1.2
So I wasn't aware that the Pokemon games have over 100 CROs, what a nightmare. I'm going to take a look and see if I can automate load order at all, since they're not alphabetical and I don't expect anyone to spend the time to figure out the proper order of that many files.

EDIT: There's no magic to it, RO literally just scans to see if your SHA256 hash is anywhere in the hash table.
I'm probably going to switch to just using all the CROs in the current directory instead of manual input, since that should work. Validation won't pass all the time unless the hash order is alphabetical, but that's not a super big deal.

EDIT2: v1.1 out, emulates RO's hash verification behavior and thus doesn't require the user to specify every CRO in some arbitrary order. Should be good for now!
 
Last edited by WulfyStylez,
You say romfs-file replacement methods won't work/don't exist. What about NTR CFW's LayeredFS? Though I don't know if it works through ARM11 or ARM9.
 
You say romfs-file replacement methods won't work/don't exist. What about NTR CFW's LayeredFS? Though I don't know if it works through ARM11 or ARM9.
NTR doesn't patch the service call of note here, though there are other ways given arm11 kernel access that these checks can be worked around (or even with userland if you gspwn ro's heap.)
 
It came to my attention recently (@SciresM mentioned it elsewhere) that even with RSA checks patched, hacked 3DS app libraries (CROs) still won't run when patched. Because of that, I threw together this tool to allow exactly that.
Hopefully this will help ROM hackers who've wanted to modify their games, but have been held back due to this. Pokemon, I've heard, has an assload of the game 'locked up' in CROs.

CRO/CRRs modified with this tool will only work on 3DSes with PS:VerifyRsaSha256 patched in some form. On pirate CFWs, this is patched already. ARM11-based hacks which allow for romfs-file replacement won't work with this (though none exist/are out yet).

Usage: cro_tool [-v] static.crr
-v: verify crr/cros instead of rehashing/resigning
Make sure you've got all the app's CROs in the same directory as cro_tool. Afterward you can even just drag-n-drop static.crr onto cro_tool (you should probably run it from cmd/shell to make sure it's working, though.)

Downloads (win64 binary and source):
MEGA
MEDIAFIRE
"ARM11-based hacks which allow for romfs-file replacement won't work with this (though none exist/are out yet)"
Uh... NTR-CFW?
 
NTR doesn't patch the service call of note here, though there are other ways given arm11 kernel access that these checks can be worked around (or even with userland if you gspwn ro's heap.)
Does NTR 3 count if you boot it in rxTools or something? This seems nice though, I was just about to see if i can find and modify the shiny check routine (assuming that it's stored in a CRO)
 
Thanks for this. In case anyone else is looking to use it on Mac, I found I had to comment out (put a # at the start) the LIBS line in the Makefile to get it to build, because "Static linking of user binaries is not supported on Mac OS X".
 
This seems to fail for Pokemon Alpha Sapphire, at least -- the game blackscreens when using a modified CRO/CRR fixed by this.

My best guess would be because this doesn't touch static.crs, but I've no idea how that works (and I might be completely wrong).
 
This seems to fail for Pokemon Alpha Sapphire, at least -- the game blackscreens when using a modified CRO/CRR fixed by this.

My best guess would be because this doesn't touch static.crs, but I've no idea how that works (and I might be completely wrong).
static.crs isn't rsa-verified and doesn't have hashtables for other files in it. double-check and be sure all the hashtables verify with stock files? just pipe cmd to a file and ctrl + f 'invalid'. if that's still no go i can look into it.
 
static.crs isn't rsa-verified and doesn't have hashtables for other files in it. double-check and be sure all the hashtables verify with stock files? just pipe cmd to a file and ctrl + f 'invalid'. if that's still no go i can look into it.

Prior to modification, everything reads as valid: http://pastebin.com/dYTs5Vba

After modification but before resigning, the hash for the appropriate section reads as invalid and nothing else.

After resigning, everything reads as valid again, but the game blackscreens.
 
Prior to modification, everything reads as valid: http://pastebin.com/dYTs5Vba

After modification but before resigning, the hash for the appropriate section reads as invalid and nothing else.

After resigning, everything reads as valid again, but the game blackscreens.
weird, i'll look into it. might be some weird behavior from ro.
 
Looks like the storing of hashes in unmodified CRR's for OR/AS is in ascending order.

Release Omega Ruby
1.4 Alpha Sapphire

(filename, hash, offset within CRR)

This tool doesn't mimic that (it's doing alphabetical or whatever the read in order ends up), probably won't matter.

Would the CRR's modulo check require patching as well?
 
Last edited by Kaphotics,
I tested a compiled version of your Pk3ds yesterday with the CRO editing tools and it works perfectly.

Thanks for making this possible!
 
  • Like
Reactions: XRaidersP
Looks like the storing of hashes in unmodified CRR's for OR/AS is in ascending order.

Release Omega Ruby
1.4 Alpha Sapphire

(filename, hash, offset within CRR)

This tool doesn't mimic that (it's doing alphabetical or whatever the read in order ends up), probably won't matter.

Would the CRR's modulo check require patching as well?
While I initially thought the order mattered, my RE of RO (ha) led me to find out it just verifies that the hash of a loaded CRO is somewhere in the CRR hashtable. This is probably so developers can rename/compress/do whatever with CRO files. Lots of games have them in archives, SKATER has them compressed.
The CRR's signature + modulo are actually resigned with a new RSA key as the final step. Since this modulo doesn't match Nintendo's signature over it, it won't work without PS:VerifyRsaSha256 patched. Since (all?) public CFWs have that patched though, this just works.
 
Screenshot_10.png
thanks to this tool we actually have real starter randomization in oras xy, thanks to your program and kaphotic's latest build of pk3ds
 
  • Like
Reactions: Februarysn0w

Site & Scene News

Popular threads in this forum