[3DS] Monster Hunter 4 Ultimate (MH4U) Save data modification


  • [3DS] Monster Hunter 4 Ultimate (MH4U) Save data modification

    I'm trying to make an editor for MH4U or at least the game save as that's really the only viable option at the moment. I know that Datel's Powersaves Pro claims that it can do that already, but I don't want to have to buy one and think it would be better to make my own.

    Has anyone looked into this yet?

    I'm using savedatafiler to extract the save from the system, and that is how I will inject it back in.

    I'll put the information I have here and people can just jump in where they can.

    If I extract the save there are 2 files within, "system" and "user1".

    The system data is unreadable and I don't know where to start, but putting that aside as it may not be needed for modifying the save.

    The user1 part of the save:
    There is an xorpad applied through the file; it appears to be 0x2A30 bytes and it changes every time you save, so this will be interesting.

    There appear to be 2 blocks of encrypted data:
    1. at offset 0xBB50 size is 0x9B8 (2488) bytes
    2. at offset 0x139F8 size is 0x408 (1032) bytes
    Chances are that there's a couple of CRCs in there too for the encrypted data.

    I'm new to this forum and don't want to step on any toes.

    I'd like to map out as much of the save file as possible, is there anyone that wants to join in?
    Last edited by Immortal_no1; 03-06-2015, 03:11:07 PM. Reason: More Information Added.

  • #2
    We would definitely be interested in hacking the saves and hopefully there are other people here who are as well and might be able to help. I have the Datel Device and would love to have a way to do it myself and also a SKY3DS cart too so I can extract saves that way too.


    • #3
      I saw that there is a more generic thread about trying to modify powersave saves
      http://gamehacking.org/vb/threads/11...rsaves-editor/

      But this thread will be all about MH4U but will probably incorporate some powersave stuff. I see that you "Helder" were in the thread talking about things too.



      • #4
        I can always merge things down the road or change thread titles if it's required. You should give your background info so people know of your work in this field.


        • #5
          Well I thought I ordered the Powersaves Pro, but instead I accidentally bought the Power Play for Pokemon, grrr, PowerPlay now arriving Wednesday.



          • #6
            Just hit your local Walmart, they have those there, well, at least here they do.


            • #7
              Yeah, we have ASDA which was bought by Walmart. I have it and have been looking through what it does and how it does it.
              From what I can see, it extracts the first 0x200 bytes of the ROM header as that's all a save cartridge reader is able to get a hold of. This is then packaged up and the name of the CTR cartridge is then encrypted and sent to psapp.powersaves.net. Communication then authenticates software using your email_address and license_key from the file C:\Users\USERNAME\Powersaves3DS\Powersaves3DS.xml.

              Once authenticated it requests the savefile if you have asked for the save or extracts the save from your cartridge, compresses it and sends it over to their server. Now in this second case, they will have to unpack it, decrypt it, make the change, rehash it, re-AES-MAC it (which would have to come from a real console..... unless they have worked out how the hardware performs this operation.........), then packages it back up and sends it to us and it is flashed into the cartridge.

              So....... to get their server to sign our own saves.......
              find a cartridge whose EEPROM is large enough for the save we want to edit.
              Write the save to the cartridge by any means, (Gateway, NDS Adapter Pro, MM3, whatever you have)
              If we could put a breakpoint directly after the Powersaves Pro cardreader has read the header of the ROM, and inject our own 0x200 byte header from the game we want, the server should respond with cheats for that game.
              So phreaking would be complete at that point.
              Next up would be getting the mods made... so select what cheats you want to add then go ahead and press apply. At this point in time it should extract the EEPROM save data from the card to make a backup and send it to the server.
              IT IS NOT KNOWN if the Datel server checks the consistency of the file before hashing and re-AES-MAC-ing the savefile to stop exactly this from happening. However if it doesn't care, then once we get the save back from the server, use the Gateway/NDS Adapter, whatever to extract the gamesave and put that save onto your flashcard.

              If anyone knows of an easier way to do this I'm listening...

              From what I have seen it would appear when you select a cheat you want, it notifies it of the binary file to use.
              eeprom_id.bin
              ncsd.bin
              ncch@????.bin

              More information is needed but I've only had a couple of hours playing around with it. Datel should have a service to allow saves to be resigned using their stuff, I'd happily pay £5 a year for that feature which they could implement in a day. They already have the authentication server and the framework.

              I don't want to take business away from Datel as I've loved their products for the last 20 years and have been making my own codes for just as long.



              • #8
                I can help by providing saves via retail card and/or gateway. I have a PowerSaves also and can test if needed.
                Last edited by Bahumat; 03-12-2015, 03:18:12 AM.



                • #9
                  Thanks Bahumat, I've been thinking about the best way to tackle this...
                  You can have a maximum of 10 characters in your name, so could you do the following:
                  1. Start a new game and when you get to the point where you've saved the game, back it up with the Powersaves.
                  2. Use the Powersaves to change your character name to AAAAAAAAAA and back up the save, rename it to user?-A.
                  3. Use the Powersaves to change your character name to BBBBBBBBBB and back up the save, rename it to user?-B.
                  4. Use the Powersaves to change your character name to CCCCCCCCCC and back up the save, rename it to user?-C.

                  Mail me all 3 saves; don't run the game in your 3DS between the changes, we need to keep the number of changes to a minimum. Need to work out what process is used to encrypt each value. It's a shame that the people who already know how to do this aren't saying anything.



                  • #10
                    I'm starting to think more and more that this isn't an xorpad, but instead a revolving cipher. Bahumat, I don't know if you've started making the files I asked for; if you haven't, can you instead make me 2 saves, 1 with 1z and the other with 2z (money).

                    Hopefully I'll get a handle on this but it may be that there is a lookup table for a certain byte in the file which then when run through an equation will generate the pad which is then applied on a byte by byte basis using the current value of the byte at a given offset looked up in a table and the pad would be applied to the byte. Therefore hopefully there should be something somewhere in the file which will highlight this and I believe that was what I mistakenly took as being the xorpad. It would still make sense that the pad is 0x2A30 bytes in size before it rotates back to the beginning.

                    I hope to know more when I get the files. As always if there's anyone else out there who can help out in this manner you are welcome to join in.



                    • #11
                      Originally posted by Immortal_no1:
                      Thanks Bahumat, I've been thinking about the best way to tackle this...
                      You can have a maximum of 10 characters in your name, so could you do the following:
                      1. Start a new game and when you get to the point where you've saved the game, back it up with the Powersaves.
                      2. Use the Powersaves to change your character name to AAAAAAAAAA and back up the save, rename it to user?-A.
                      3. Use the Powersaves to change your character name to BBBBBBBBBB and back up the save, rename it to user?-B.
                      4. Use the Powersaves to change your character name to CCCCCCCCCC and back up the save, rename it to user?-C.

                      Mail me all 3 saves; don't run the game in your 3DS between the changes, we need to keep the number of changes to a minimum. Need to work out what process is used to encrypt each value. It's a shame that the people who already know how to do this aren't saying anything.
                      There is a tool here enabling you to do that: http://my1993.com/wip/mh4genc.php

                      It can obviously read/decrypt the save and re-encrypt properly since money can be decrypted and names can be changed using this tool. I tested it and it works for names just fine.

                      Below is a random save from someone I picked up on GBAtemp, I just changed the character name to: aa and palico's name to aa, ab and bb respectively.

                      http://a.pomf.se/qxthgc.rar


                      Structure of userX:

                      0x0000 > 0x0007 = some kind of checksum
                      0xC4B8 > 0xC4BF = palico's name

                      Character name is always: aa [the less variables that change, the better]

                      Checksum (0x0000 to 0x0007)

                      • 53 BB B0 DF 42 11 6F 33 : when palico's name is aa
                      • 4D 0C 91 95 F1 B0 4B 7D : when palico's name is ab
                      • F1 57 FA F2 9F 55 3D E6 : when palico's name is bb

                      Palico's name (0xC4B8 > 0xC4BF)

                      • DA C6 8F AF 7F 3A F4 B5 : when palico's name is aa
                      • 91 A3 F8 7E DC 5D 8D 6B : when palico's name is ab
                      • 7D 67 75 82 B7 37 55 45 : when palico's name is bb

                      ---

                      That's as far as I could go. There's more to it than a simple xorpad it seems, but it mustn't be that hard to decrypt since several people in Japan did, Datel obviously did (with Powersave and SaveEditor 2 in Japan). So we're not talking about some crazy cipher here.

                      I used the palico's name to do my tests since character name bytes are early in the file (near the checksum), so I didn't want to be confused.

                      If someone manages to understand how the palico's name works, then editing money should be easy since we already know where it's located in the file. Actually the whole save structure is already known. It's a matter of understanding the decrypting/encrypting process and figuring out the checksum at the beginning of the file.
                      Last edited by Anonkun; 03-22-2015, 06:07:48 PM.


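Added example (Python, written for this page; it is not code from the thread or from any of the posters): a small differential-analysis script for the procedure proposed in #9 and the observations posted in #11. The script embeds the checksum and palico-name bytes posted above, at the offsets posted above, inside otherwise zero-filled constructed dumps (the real dumps are not on the page), reports the byte ranges that differ between dumps, and counts how many bytes of the 8-byte name field change between "aa" and "ab". The analytical point: a fixed per-byte XOR pad can only change the bytes whose plaintext changed, while a cipher working on 8-byte blocks changes the whole block. Function names and the dump size are my own choices.

```python
# Differential analysis of save dumps. Offsets and the 8-byte values are the ones
# posted in #11; everything else in each constructed dump is zero filler, so the
# only differences between dumps are the two fields of interest.

CHECKSUM_OFF = 0x0000
PALICO_OFF = 0xC4B8
FIELD_LEN = 8
DUMP_LEN = 0xC4C0  # constructed size: just enough to hold both fields

# name -> (checksum field at 0x0000, palico-name field at 0xC4B8), as posted in #11
OBSERVED = {
    "aa": (bytes.fromhex("53BBB0DF42116F33"), bytes.fromhex("DAC68FAF7F3AF4B5")),
    "ab": (bytes.fromhex("4D0C9195F1B04B7D"), bytes.fromhex("91A3F87EDC5D8D6B")),
    "bb": (bytes.fromhex("F157FAF29F553DE6"), bytes.fromhex("7D677582B7375545")),
}


def build_dump(name: str) -> bytes:
    """Constructed save image: the posted checksum and palico-name bytes, zero elsewhere."""
    checksum, palico = OBSERVED[name]
    buf = bytearray(DUMP_LEN)
    buf[CHECKSUM_OFF:CHECKSUM_OFF + FIELD_LEN] = checksum
    buf[PALICO_OFF:PALICO_OFF + FIELD_LEN] = palico
    return bytes(buf)


def diff_ranges(a: bytes, b: bytes) -> list[tuple[int, int]]:
    """Return the [start, end) byte ranges where two equal-length dumps differ."""
    if len(a) != len(b):
        raise ValueError("dumps must be the same length")
    ranges = []
    start = None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i                     # a differing run begins
        elif x == y and start is not None:
            ranges.append((start, i))     # the run ended just before i
            start = None
    if start is not None:
        ranges.append((start, len(a)))    # run reached the end of the dump
    return ranges


def union_ranges(dumps: dict[str, bytes], baseline: str) -> list[tuple[int, int]]:
    """Union of every dump's diff against the baseline, with overlapping spans merged.

    This is the 'which bytes move at all' view: fields that change with the edited
    value, plus any checksum or counter that changes with every save.
    """
    spans = []
    for name, data in dumps.items():
        if name != baseline:
            spans.extend(diff_ranges(dumps[baseline], data))
    spans.sort()
    merged = []
    for s, e in spans:
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def spread(a: bytes, b: bytes) -> int:
    """Number of byte positions that differ between two field values."""
    return sum(1 for x, y in zip(a, b) if x != y)


def fixed_xorpad_possible(plain_changed: int, cipher_changed: int) -> bool:
    """A fixed per-byte pad cannot change more ciphertext bytes than plaintext bytes."""
    return cipher_changed <= plain_changed


if __name__ == "__main__":
    dumps = {n: build_dump(n) for n in OBSERVED}
    for (s, e) in union_ranges(dumps, "aa"):
        print(f"bytes 0x{s:04X}-0x{e - 1:04X} differ between dumps")
    # "aa" -> "ab" changes one plaintext character; how many cipher bytes moved?
    moved = spread(OBSERVED["aa"][1], OBSERVED["ab"][1])
    print(f"palico field: {moved} of {FIELD_LEN} bytes changed; "
          f"fixed xorpad possible: {fixed_xorpad_possible(1, moved)}")
```

On the posted values every one of the 8 bytes of the name field changes when a single character of the name changes, so the field is not protected by a fixed per-byte pad; the behaviour is what a block cipher with 8-byte blocks would produce, which is why the later Blowfish discussion in this thread is at least consistent with the data.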

                      • #12
                        I was under the impression from what I have seen that 0x0000 to 0x0007 is the total Z (money) plus checksum overall encrypted, as when you use the online tool it takes money away from your game to perform the action.

                        I found a webpage which talked about the encryption performed on the PSP version of MH3G and below. It is quite intricate and looks like the encryption differs for each game. While looking into the contents of the rom I see mentioned a couple of blowfish keys, I'm not going to post them here at the moment but if other people need the keys they can message me for them along with whatever progress they have on making an editor before I share any part of the key. Now if this is a blowfish encryption... looking at the wiki page: http://en.wikipedia.org/wiki/Blowfish_(cipher) The round function (Feistel function) of Blowfish appears to work on 32 bit values, which would stay constant with what we have for 0x0000 to 0x0007 being 0x0000 to 0x0003 being data and 0x0004 to 0x0007 being a crc of the data in 0x0000 to 0x0003. This way MH4U software could read any part of the save file from a known offset and read the value stored within and replace it without disturbing the encryption on the rest of the file.

                        I think on other games the encryption has been AES... and I hope someone can confirm this. It would be odd to change to a blowfish encryption now, but I don't see why it wouldn't be done.

                        If what I see is the key... there are two of them, which may match up with an implementation of Twofish based on blowfish http://en.wikipedia.org/wiki/Twofish whereby "One half of an n-bit key is used as the actual encryption key and the other half of the n-bit key is used to modify the encryption algorithm" which would make a lot of sense so there are a couple of possible routes for this and may take some time to determine which is which if either are to be used at all.

                        If anyone wants to jump on the bandwagon, now is the time.
                        Last edited by Immortal_no1; 03-24-2015, 03:30:54 AM. Reason: highlighting important point


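Added example (Python, written for this page; not code from the thread or from any poster): a checker for the layout speculated in #12, where a 32-bit value is followed by a 32-bit checksum of it, plus the read/patch-in-place behaviour that layout would allow. The thread does not say which checksum the game uses; CRC32 is an assumption here, so the checker tries both halves as the checksum and both byte orders. `build_record` and `patch_record` construct records in that layout so the checker can be validated on known-good input, and the demo at the bottom runs it over the three checksum fields posted in #11. Those fields are presumably still encrypted, so a negative result on them only rules out a plain, unencrypted CRC32 at that position. Function names are my own.

```python
import struct
import zlib

# First 8 bytes of userX as posted in #11, for palico names aa, ab and bb.
POSTED_FIELDS = {
    "aa": bytes.fromhex("53BBB0DF42116F33"),
    "ab": bytes.fromhex("4D0C9195F1B04B7D"),
    "bb": bytes.fromhex("F157FAF29F553DE6"),
}


def crc32_encodings(word: bytes) -> set[bytes]:
    """CRC32 of `word` packed little- and big-endian (CRC32 is an assumption)."""
    c = zlib.crc32(word) & 0xFFFFFFFF
    return {struct.pack("<I", c), struct.pack(">I", c)}


def check_data_plus_crc(field: bytes) -> dict[str, bool]:
    """Does either 4-byte half of an 8-byte field equal the CRC32 of the other half?"""
    if len(field) != 8:
        raise ValueError("expected an 8-byte field")
    first, second = field[:4], field[4:]
    return {
        "second_is_crc_of_first": second in crc32_encodings(first),
        "first_is_crc_of_second": first in crc32_encodings(second),
    }


def build_record(value: int) -> bytes:
    """Constructed layout: 32-bit little-endian value followed by its CRC32 (little-endian)."""
    data = struct.pack("<I", value)
    return data + struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def read_record(image: bytes, offset: int) -> int:
    """Read a record's value, refusing it if the trailing CRC does not match the data."""
    field = image[offset:offset + 8]
    if not check_data_plus_crc(field)["second_is_crc_of_first"]:
        raise ValueError(f"CRC mismatch at 0x{offset:04X}")
    return struct.unpack("<I", field[:4])[0]


def patch_record(image: bytes, offset: int, new_value: int) -> bytes:
    """Replace one value+CRC record in place; no byte outside the record changes."""
    buf = bytearray(image)
    buf[offset:offset + 8] = build_record(new_value)
    return bytes(buf)


if __name__ == "__main__":
    # 1. Test the speculated layout against the posted (still encrypted) fields.
    for name, field in POSTED_FIELDS.items():
        print(name, field.hex().upper(), check_data_plus_crc(field))
    # 2. Constructed image with two independent records: patch the first,
    #    then show the second is untouched and both still verify.
    image = build_record(1000) + build_record(20)
    patched = patch_record(image, 0, 5000)
    print(read_record(patched, 0), read_record(patched, 8), patched[8:] == image[8:])
```

If the game really stored value+checksum pairs that can be rewritten independently, an editor would only need the per-record cipher and the checksum; the `read_record` refusal on a mismatched CRC is the same check the game would have to make, and is the first thing to look for when tracing the load path in the ASM.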

                        • #13
                          I don't know much, if anything, about this. But I'd like to learn, and I'd like to help if I can. I have some experience, but nothing involving encryption. If you're willing to share, and point in the right direction, I'd be happy to assist and learn.



                          • #14
                            I want to cooperate to create an MH4U save data editor

                            Originally posted by Immortal_no1:
                            I was under the impression from what I have seen that 0x0000 to 0x0007 is the total Z (money) plus checksum overall encrypted, as when you use the online tool it takes money away from your game to perform the action.

                            I found a webpage which talked about the encryption performed on the PSP version of MH3G and below. It is quite intricate and looks like the encryption differs for each game. While looking into the contents of the rom I see mentioned a couple of blowfish keys, I'm not going to post them here at the moment but if other people need the keys they can message me for them along with whatever progress they have on making an editor before I share any part of the key. Now if this is a blowfish encryption... looking at the wiki page: http://en.wikipedia.org/wiki/Blowfish_(cipher) The round function (Feistel function) of Blowfish appears to work on 32 bit values, which would stay constant with what we have for 0x0000 to 0x0007 being 0x0000 to 0x0003 being data and 0x0004 to 0x0007 being a crc of the data in 0x0000 to 0x0003. This way MH4U software could read any part of the save file from a known offset and read the value stored within and replace it without disturbing the encryption on the rest of the file.

                            I think on other games the encryption has been AES... and I hope someone can confirm this. It would be odd to change to a blowfish encryption now, but I don't see why it wouldn't be done.

                            If what I see is the key... there are two of them, which may match up with an implementation of Twofish based on blowfish http://en.wikipedia.org/wiki/Twofish whereby "One half of an n-bit key is used as the actual encryption key and the other half of the n-bit key is used to modify the encryption algorithm" which would make a lot of sense so there are a couple of possible routes for this and may take some time to determine which is which if either are to be used at all.

                            If anyone wants to jump on the bandwagon, now is the time.
                            Hey Immortal_no1, I want to cooperate to create an editor. I don't know much about encryption but if we make some kinda brainstorming maybe we can make something. Tell me what I can do to start.



                            • #15
                              Right, I think at this point there are a couple of options:
                              1. Write a blowfish decrypt/encrypt application which allows for testing different keys. Ideally knowing what a given value exactly is would be great, the only thing that I can think of at the moment is to take the offset of the character name and try to decrypt that data.
                              2. Continue looking through the ASM in the rom and try to determine what the encryption is and how it is implemented.
                              3. There was something else I wanted to try... If I'm able to find where the encrypt/decrypt code is, I want to try removing the code and stub the functions so it saves in unencrypted clear text...

                              There are lots of fronts to take point on and I don't know which one will give the fastest results.

                              Didix16 if you want to start a brainstorming session, go ahead and post a starting point.
