Understanding 6.x save geography and MH4U items editing

Discussion in '3DS - ROM Hacking, Translations and Utilities' started by lucoia, Apr 12, 2015.

  1. lucoia
    OP

    lucoia Advanced Member

    Newcomer
    90
    10
    Nov 29, 2008
    United States
    So, I was able to edit items in MH4U by messing with the Gateway 512KB .sav, but I got good news and bad news about it.

    First of all what I did.

    I'm not a programmer or a hacker and I don't use any advanced tool or tech; it was just UltraEdit and UltraCompare.

    Since I saw MH4U can't be cheated with the browser trick, I couldn't resist going for the savegame and trying to understand.

    I spent some hours this night looking at and comparing the Gateway save games: I compared the MH4U savegame with 1 save slot and 2 save slots used, with little item or money changes, or without changing anything but just saving more than once, and I even compared the empty formatted savegame with other 6.x empty formatted savegames and compared them all too.

    Doing so I was able to get a nice geography of how the savegames are made.

    First of all, they are sequential: it's like the 3DS counts how many times you overwrite that savegame, and every time the encryption changes.

    Second of all, by comparing the identical parts of different games' empty formatted saves with the actual MH4U savegame, I understood where you can edit stuff, and which fixed things you don't have to touch.

    Basically, the actual game savegame data starts at 00002000h after the second wave of FF FF FF FF; everything before it is pretty similar on all the other saves and different games, with a lot of fixed and/or sequential hex, so you don't mess around with those or the game will reboot the 3DS to home, or will say that the savegame is corrupted and needs to be reformatted to be used.

    Now, since my MH4U savegame is at almost 500 hours and I'm full of stuff, I just backed up the save and sold almost everything and dismissed all the palicoes, so I ended up with 9999999 zenny, 4 talismans (my best ones), one equipped set, and just a few things in the item box (10 of each abrasive, 10 of each armor sphere, and 10 wyvern honing gems, normal and L) so I can actually see if I changed something.

    Now for the good news: after a few tests, the first thing that actually did something was changing 2b80h from 69 to 79, but the results were pretty ugly. Just by changing that, I ended up with 2 new items in my item box at 13 and 8 (earth crystal and another one), some of my items changed from 10 to 11 or from 10 to 3, and one of my abrasives from 10 to 18.

    Making this even weirder is that if I revert everything and try to change that single string from 69 to 89, the results with the items are identical!

    Another single hex change that did something (I don't remember the address, but it was always around the 00002bXXh range) just deleted all my unregistered quests.

    So it's not only that you can't change one string to change one thing in the game; it's like messing with one string makes the game sort of recalculate and re-decrypt and re-encrypt the savegame.

    So the bottom line is that decryption seems the only way to make the savegames properly editable.

    I also don't know if that layer of encryption is made by the actual 3DS or by Gateway, but I didn't have time to check the proper 3DS user savegames too to compare them.

    I'll probably test other things, but before going on I thought I could share these; maybe somebody will find them useful, maybe not, and maybe somebody who knows a lot more than me might tell me I'm just wasting time or will point me in the right direction as to how to use my time to test things more properly.


    P.S.: Another thing I was thinking is whether somebody with a Powersave could use a packet sniffer like Fiddler when they use it to see what's going on, but from what I heard about how Powersave works I'm pretty sure that all the decryption-encryption happens on their server after you upload your save, so you won't actually see anything.
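    The comparison described in the post above (same game, several dumps, look for what moved) can be automated instead of done by eye in UltraCompare. The script below is an added example and is not from the post or from any 3DS tool: it reports the byte ranges that differ between two dumps and measures per-block entropy, which separates a fixed or counter-style header region from a region that looks encrypted. The sample saves are constructed in code; the 0x2000 payload start, the FF FF FF FF marker and the 0x2b80 item byte only mirror the numbers quoted in the thread and are not real MH4U layout.

```python
"""Differential analysis of two binary save dumps (added example, not from the post).

Compares two saves byte by byte, reports the offset ranges that changed,
and measures per-block Shannon entropy so a reader can tell a fixed or
sequential header region from a region that looks encrypted.
All sample data below is constructed; the offsets (0x2000 payload start,
0x2b80 item area) only mirror the numbers quoted in the thread.
"""
from __future__ import annotations

import math
import random
from collections import Counter


def diff_runs(a: bytes, b: bytes) -> list[tuple[int, int]]:
    """Return [(start, end), ...] half-open ranges where a and b differ.
    Bytes beyond the end of the shorter file count as a difference."""
    runs: list[tuple[int, int]] = []
    n = max(len(a), len(b))
    start: int | None = None
    for i in range(n):
        same = i < len(a) and i < len(b) and a[i] == b[i]
        if not same and start is None:
            start = i
        elif same and start is not None:
            runs.append((start, i))
            start = None
    if start is not None:
        runs.append((start, n))
    return runs


def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0) for the given chunk."""
    if not chunk:
        return 0.0
    total = len(chunk)
    return -sum(c / total * math.log2(c / total) for c in Counter(chunk).values())


def entropy_map(data: bytes, block: int = 0x100) -> list[tuple[int, float]]:
    """Per-block entropy: values near 8.0 look encrypted or compressed,
    values near 0 are padding or fixed structure."""
    return [(off, shannon_entropy(data[off:off + block]))
            for off in range(0, len(data), block)]


def build_sample_save(counter: int, item_byte: int, seed: int = 7) -> bytes:
    """Constructed stand-in for a save: a mostly-zero header with a
    little-endian write counter at 0x10 and an FF FF FF FF marker, then a
    high-entropy payload from 0x2000 with one 'item' byte at 0x2b80.
    The seed is fixed so the payload is identical across generated saves."""
    rng = random.Random(seed)
    header = bytearray(0x2000)
    header[0x00:0x04] = b"SAVE"
    header[0x10:0x14] = counter.to_bytes(4, "little")
    header[0x1FFC:0x2000] = b"\xFF\xFF\xFF\xFF"
    payload = bytearray(rng.randbytes(0x1000))
    payload[0x2b80 - 0x2000] = item_byte
    return bytes(header + payload)


if __name__ == "__main__":
    # Two "saves": the second was written once more and had one item byte edited.
    save1 = build_sample_save(counter=5, item_byte=0x69)
    save2 = build_sample_save(counter=6, item_byte=0x79)
    for start, end in diff_runs(save1, save2):
        print(f"differs at 0x{start:06x}-0x{end:06x}: "
              f"{save1[start:end].hex()} -> {save2[start:end].hex()}")
    for off, h in entropy_map(save1, block=0x800):
        print(f"0x{off:06x}: entropy {h:.2f} bits/byte")
```

    Run it against two real dumps by replacing the constructed saves with `open(path, "rb").read()`. A small changed range next to a low-entropy region is a counter or checksum candidate; a change that ripples across a whole high-entropy region after a single-byte edit is the symptom the post describes, and is a sign the region is encrypted or keyed per write rather than stored in the clear.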
     
  2. Rurounik9999

    Rurounik9999 Advanced Member

    Newcomer
    91
    19
    May 25, 2004
    Brazil
  3. lucoia
    OP

    lucoia Advanced Member

  4. lucoia
    OP

    lucoia Advanced Member

    Alright, I tried to go with the RAW saves by exporting with SaveDataFiler, and there is not a single portion of the user1 file that has similarities between different saves; it's all encrypted with different keys every time.

    Also, while modifying the Gateway .sav can have a little success, as I explained before, and the geography is way clearer, modifying the user1 file looks way more delicate: I tried about 10 times, every time with a single byte digit, and when I reimport the raw to .sav and rename it with the proper Title ID, the game says the save is corrupted.

    Now, I was thinking: since compares for item changes, like RAM dumping, are a no-no with the different encryptions, why not do it in reverse?

    Let's say I have 5674382z (in-game money) on my savegame; I can make 2 or more identical saves without changing anything in game, and then compare the saves in reverse, by looking for similarities between the files for a 5674382 string.

    That reminds me of a very old WinZip password cracker that worked similarly to this: if the password-protected zip file had multiple files encrypted inside and you ended up having one of those files decrypted on your HDD, you could input that file to speed up the password recovery by comparing the decrypted file with the zipped file instead of going for the classic dictionary brute force that would take forever.

    Now, is there a tool that can do something like that for the encrypted MH4U raw files, or any other way to do such a comparison?

    Or anybody with a better knowledge than me that can help the cause and find any solution to this? Nobody?

    As I said, I'm not a programmer, so I'm not even able to make such tools on my own or go for debugging, decompiling, disassembling or whatever stuff like that, or I would already have tried that; I'll just keep trying hex editing and trying to figure out something on the raw saves in the meantime.
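    The "reverse" search proposed above, a known value looked for across several dumps, is a known-plaintext check and is easy to script. The code below is an added example, not the poster's or any existing tool's: it tries the encodings a game might plausibly use for an integer (16/32/64-bit little and big endian, ASCII decimal, packed BCD), finds every offset at which each one occurs, and keeps only the offsets where the value shows up in every save. A hit at the same offset in all saves says that region is stored in the clear; no hit in any encoding is the expected result for an encrypted region and does not tell you where the field is. The saves are constructed; the 0x2048 offset and the XOR keystream that stands in for the unknown encryption are assumptions for the demonstration only.

```python
"""Known-value search across saves (added example, not from the post).

Looks for a value you already know (the zenny counter 5674382 from the
post) in every plausible encoding and keeps only offsets at which it
appears in *every* save. All sample saves below are constructed; the
XOR keystream is a stand-in for the real, unknown encryption layer."""
from __future__ import annotations

import random

ZENNY = 5674382  # in-game money value quoted in the post


def candidate_encodings(value: int) -> dict[str, bytes]:
    """Byte patterns a game might use to store a non-negative integer."""
    enc: dict[str, bytes] = {}
    for bits in (16, 32, 64):
        if value < 1 << bits:
            enc[f"le{bits}"] = value.to_bytes(bits // 8, "little")
            enc[f"be{bits}"] = value.to_bytes(bits // 8, "big")
    enc["ascii"] = str(value).encode()
    digits = str(value)
    if len(digits) % 2:
        digits = "0" + digits
    enc["bcd"] = bytes.fromhex(digits)  # packed BCD, one nibble per digit
    return enc


def find_all(data: bytes, needle: bytes) -> list[int]:
    """Every offset at which needle occurs in data (overlaps included)."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def search_value(data: bytes, value: int) -> dict[str, list[int]]:
    """Offsets of value in data, keyed by encoding name; empty results dropped."""
    found = {name: find_all(data, pat) for name, pat in candidate_encodings(value).items()}
    return {name: offs for name, offs in found.items() if offs}


def common_offsets(saves: list[bytes], value: int) -> dict[str, list[int]]:
    """Encodings and offsets at which value appears in every one of the saves."""
    per_save = [search_value(s, value) for s in saves]
    if not per_save:
        return {}
    result: dict[str, list[int]] = {}
    for name, offs in per_save[0].items():
        shared = set(offs)
        for other in per_save[1:]:
            shared &= set(other.get(name, []))
        if shared:
            result[name] = sorted(shared)
    return result


def build_plain_save(value: int, seed: int) -> bytes:
    """Constructed unencrypted save: random filler with value stored LE32 at 0x2048."""
    rng = random.Random(seed)
    buf = bytearray(rng.randbytes(0x3000))
    buf[0x2048:0x204C] = value.to_bytes(4, "little")
    return bytes(buf)


def xor_keystream(data: bytes, seed: int) -> bytes:
    """Toy per-save keystream standing in for the real (unknown) encryption."""
    rng = random.Random(seed)
    return bytes(b ^ k for b, k in zip(data, rng.randbytes(len(data))))


if __name__ == "__main__":
    plain = [build_plain_save(ZENNY, s) for s in (1, 2, 3)]
    print("plaintext saves:", common_offsets(plain, ZENNY))   # le32 at 0x2048
    enc = [xor_keystream(p, 100 + i) for i, p in enumerate(plain)]
    print("encrypted saves:", common_offsets(enc, ZENNY))     # nothing in common
```

    On real dumps, feed every export of the same in-game state to `common_offsets`. If the value is found in the clear, the offsets it returns are where the unencrypted layer keeps it, and editing there is worth a try; if the same state yields no shared hit across dumps, the comparison confirms the post's conclusion that the user1 file is keyed per write and must be decrypted before it can be edited.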