[RELEASE] cro_tool: CRO resigner for ROM hacks, etc

Discussion in '3DS - ROM Hacking, Translations and Utilities' started by WulfyStylez, Aug 17, 2015.

  1. WulfyStylez
    OP

    It came to my attention recently (@SciresM mentioned it elsewhere) that even with RSA checks patched, hacked 3DS app libraries (CROs) still won't run when patched. Because of that, I threw together this tool to allow exactly that.
    Hopefully this will help ROM hackers who've wanted to modify their games, but have been held back due to this. Pokemon, I've heard, has an assload of the game 'locked up' in CROs.

    CRO/CRRs modified with this tool will only work on 3DSes with PS:VerifyRsaSha256 patched in some form. On pirate CFWs, this is patched already. ARM11-based hacks which allow for romfs-file replacement won't work with this (though none exist/are out yet).

    Usage: cro_tool [-v] static.crr
    -v: verify crr/cros instead of rehashing/resigning
    Make sure you've got all the app's CROs in the same directory as cro_tool. Afterward you can even just drag-n-drop static.crr onto cro_tool (you should probably run it from cmd/shell to make sure it's working, though.)

    Downloads (win64 binary and source):
    MEGA
    MEDIAFIRE
     


    Last edited by WulfyStylez, Sep 15, 2015 - Reason: v1.2


  2. puss2puss

    Niiiice! Will be really useful!
    Nice job Wulfy ;)
     
  3. SciresM

    Damn.

    This is really, really awesome.
     
  4. Traiver

    Wow, this came out of nowhere, thanks for this!
     
  5. WulfyStylez
    OP

    So I wasn't aware that the Pokemon games have over 100 CROs, what a nightmare. I'm going to take a look and see if I can automate load order at all, since they're not alphabetical and I don't expect anyone to spend the time to figure out the proper order of that many files.

    EDIT: There's no magic to it, RO literally just scans to see if your SHA256 hash is anywhere in the hash table.
    I'm probably going to switch to just using all the CROs in the current directory instead of manual input, since that should work. Validation won't pass all the time unless the hash order is alphabetical, but that's not a super big deal.

    EDIT2: v1.1 out, emulates RO's hash verification behavior and thus doesn't require the user to specify every CRO in some arbitrary order. Should be good for now!
     
    Last edited by WulfyStylez, Aug 17, 2015
  6. hoodlum47

    You say romfs-file replacement methods won't work/don't exist. What about NTR CFW's LayeredFS? Though I don't know if it works through ARM11 or ARM9.
     
  7. WulfyStylez
    OP

    NTR doesn't patch the service call of note here, though there are other ways given ARM11 kernel access that these checks can be worked around (or even with userland if you gspwn RO's heap).
     
  8. Xenon Hacks

  9. Asia81

    wtf ?
     
  10. The Real Jdbye

    "ARM11-based hacks which allow for romfs-file replacement won't work with this (though none exist/are out yet)"
    Uh... NTR-CFW?
     
  11. froggestspirit

    Does NTR 3 count if you boot it in rxTools or something? This seems nice though, I was just about to see if I can find and modify the shiny check routine (assuming that it's stored in a CRO).
     
  12. hippy dave

    Thanks for this. In case anyone else is looking to use it on Mac, I found I had to comment out (put a # at the start) the LIBS line in the Makefile to get it to build, because "Static linking of user binaries is not supported on Mac OS X".
     
  13. SciresM

    This seems to fail for Pokemon Alpha Sapphire, at least -- the game blackscreens when using a modified CRO/CRR fixed by this.

    My best guess would be because this doesn't touch static.crs, but I've no idea how that works (and I might be completely wrong).
     
  14. WulfyStylez
    OP

    static.crs isn't RSA-verified and doesn't have hashtables for other files in it. Double-check and be sure all the hashtables verify with stock files? Just pipe cmd to a file and Ctrl+F 'invalid'. If that's still no go I can look into it.
     
  15. SciresM

    Prior to modification, everything reads as valid: http://pastebin.com/dYTs5Vba

    After modification but before resigning, the hash for the appropriate section reads as invalid and nothing else.

    After resigning, everything reads as valid again, but the game blackscreens.
     
  16. WulfyStylez
    OP

    Weird, I'll look into it. Might be some weird behavior from RO.
     
  17. Kaphotics

    Looks like the storing of hashes in unmodified CRRs for OR/AS is in ascending order.

    Release Omega Ruby
    1.4 Alpha Sapphire

    (filename, hash, offset within CRR)

    This tool doesn't mimic that (it's doing alphabetical or whatever the read in order ends up), probably won't matter.

    Would the CRR's modulo check require patching as well?
     
    Last edited by Kaphotics, Aug 24, 2015
  18. Traiver

    I tested a compiled version of your Pk3ds yesterday with the CRO editing tools and it works perfectly.

    Thanks for making this possible!
     
  19. WulfyStylez
    OP

    While I initially thought the order mattered, my RE of RO (ha) led me to find out it just verifies that the hash of a loaded CRO is somewhere in the CRR hashtable. This is probably so developers can rename/compress/do whatever with CRO files. Lots of games have them in archives, SKATER has them compressed.
    The CRR's signature + modulo are actually resigned with a new RSA key as the final step. Since this modulo doesn't match Nintendo's signature over it, it won't work without PS:VerifyRsaSha256 patched. Since (all?) public CFWs have that patched though, this just works.
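
    An added example (not from any poster, and not cro_tool's code) contrasting the two lookup behaviours discussed in posts 5, 17 and 19: a positional check that depends on entry order, and the membership check WulfyStylez describes RO using. The module contents are constructed, and hashing the whole blob is an assumption, since the thread does not say which bytes of a CRO are hashed.

```python
import hashlib

def digest(module: bytes) -> bytes:
    # Assumption: the entry covers the whole blob. The thread does not say
    # which bytes of a CRO the real table entry is computed over.
    return hashlib.sha256(module).digest()

def build_table(modules):
    """Table as post 17 reports for stock files: ascending by hash value."""
    return sorted(digest(m) for m in modules.values())

def verify_positional(table, modules, order):
    """Strict check: entry i must be the hash of the i-th module in `order`."""
    return [i < len(table) and table[i] == digest(modules[name])
            for i, name in enumerate(order)]

def verify_membership(table, modules):
    """Loader-style check from the thread: the hash is anywhere in the table."""
    entries = set(table)
    return {name: digest(blob) in entries for name, blob in modules.items()}

# Constructed sample modules (not real CRO data).
STOCK = {
    "Battle.cro": b"CRO0" + b"\x01" * 60,
    "Field.cro": b"CRO0" + b"\x02" * 60,
    "Title.cro": b"CRO0" + b"\x03" * 60,
}
TABLE = build_table(STOCK)

def demo():
    by_hash = sorted(STOCK, key=lambda n: digest(STOCK[n]))
    results = {
        "positional, hash order": verify_positional(TABLE, STOCK, by_hash),
        "positional, reversed": verify_positional(TABLE, STOCK, by_hash[::-1]),
        "membership, stock": verify_membership(TABLE, STOCK),
    }
    # Renaming a file does not matter: only the content hash is looked up.
    renamed = {"a.bin": STOCK["Title.cro"]}
    results["membership, renamed"] = verify_membership(TABLE, renamed)
    # One changed byte invalidates that module and nothing else.
    patched = {**STOCK, "Field.cro": STOCK["Field.cro"][:-1] + b"\xff"}
    results["membership, patched"] = verify_membership(TABLE, patched)
    return results

if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

    The patched case matches what post 15 reports from the tool's verify mode before resigning: only the changed file reads as invalid.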
     
  20. KashiToxicBlood

    Thanks to this tool we actually have real starter randomization in ORAS/XY, thanks to your program and Kaphotics' latest build of pk3ds.
     