Let me crash Twilight Princess / Modifying the savegame Hello all, I'm currently learning the buffer overflow theory. And, I'd love to reproduce the TP exploit... For now, I just want to crash the game by modify the horse name. (normally limited by 8 characters). So, I created a new savegame, copy to my sd card, then unpack the savegame with SD tool. I tried to modify my charecter name by adding some extra characters at 0x1bc4 and 0x1d5. I repacked the savegame and load TP with the new savegame. I did not notice anything. There was no modification in my character name. I had another look and I found that there's six slots. It seems that each main slots (3) have its own backup slot. 000001b0 00 00 00 02 b6 23 55 9f 00 00 00 00 48 41 43 4b |.....#U.....HACK| 000001c0 4d 45 4d 45 00 00 00 00 00 00 00 00 00 45 70 6f |MEME.........Epo| 000001d0 6e 48 41 43 4b 00 00 00 00 00 00 00 00 00 00 00 |nHACK...........| 000001e0 00 00 00 00 00 00 00 00 01 00 00 01 02 00 01 5e |...............^| 00021b0 00 00 00 02 b6 23 55 9f 00 00 00 00 48 41 43 4b |.....#U.....HACK| 000021c0 4d 45 4d 45 00 00 00 00 00 00 00 00 00 45 70 6f |MEME.........Epo| 000021d0 6e 48 41 43 4b 00 00 00 00 00 00 00 00 00 00 00 |nHACK...........| 000021e0 00 00 00 00 00 00 00 00 01 00 00 01 02 00 01 5e |...............^| So I tested: - Modifying the name in the main slot and the backup slot (same modifs) -> The game don(t want to show the "quest logs" (seems to be in an infinite loop) - Modifying the name in the main slot and the backup slot (not sam modifs) -> the "quest log" is corrupted say the game - Delete all the backup slot and modify only the main slot -> The game don(t want to show the "quest logs" (seems to be in an infinite loop) ( I had a look on the team twizzers savegame and it seems that they proceeded like it. There's no more valid backups slots) So, my questions are: - Do you see what I can test ? - Is there some tools to execute the game step by step (for debugging and see what checks are done with the savegame) ? - Is it possible to extract the dols files from my TP disc ? (to load it in IDA) Rgds, PS: English is not my native language.http://forum.wiibrew.org/read.php?21,7624,7624#msg-7624Tue, 10 Mar 2026 04:20:42 +0100 Phorum 5.2.23 http://forum.wiibrew.org/read.php?21,7624,7645#msg-7645 Re: Let me crash Twilight Princess / Modifying the savegamehttp://forum.wiibrew.org/read.php?21,7624,7645#msg-7645
Quote
ShovAge
Yes, there's a tool which calculate the checksum for TP savegame.
I saw how the checksum is calculated and now it works.

My questions are:
- How segher found the way to calculate the checksum ? By reversing the game itself ?

Dunno, but probably they first crashed it and then later figured out that there is some kind of checksum... just a guess..

Quote

- Is there some tools to execute the game step by step (for debugging and reverse the checksum calculation) ?

Never used (i don't have it) but you can use usbgecko for that matter I guess...

Quote

- Is it possible to extract the dols files from my TP disc ? (to load it in IDA)

Yeah certainly, search for the tool called trucha signer.. you need the common key for that to work...

Quote

Note:
I already hacked my own code, and before play wit another game than TP, I prefer to know the whole process that has been used to hack TP.
And, because it's fun.

Ok buddy, have fun then... but I don't think it's fun... for your full fledged hack you need to write a sd loading stub (for the exploit code) if you don't want to rip TT and I don't think it's fun... you need to educate yourself pretty good...]]> WiiCrazy Homebrew GeneralMon, 12 Jan 2009 00:17:50 +0100 http://forum.wiibrew.org/read.php?21,7624,7642#msg-7642 Re: Let me crash Twilight Princess / Modifying the savegamehttp://forum.wiibrew.org/read.php?21,7624,7642#msg-7642I saw how the checksum is calculated and now it works.

My questions are:
- How segher found the way to calculate the checksum ? By reversing the game itself ?
- Is there some tools to execute the game step by step (for debugging and reverse the checksum calculation) ?
- Is it possible to extract the dols files from my TP disc ? (to load it in IDA)

Note:
I already hacked my own code, and before play wit another game than TP, I prefer to know the whole process that has been used to hack TP.
And, because it's fun.]]> ShovAge Homebrew GeneralSun, 11 Jan 2009 22:49:46 +0100 http://forum.wiibrew.org/read.php?21,7624,7634#msg-7634 Re: Let me crash Twilight Princess / Modifying the savegamehttp://forum.wiibrew.org/read.php?21,7624,7634#msg-7634
it's in the segher's tools...

btw: why do you invest your time in TP? If you want to experiment an exploit code you can simplify it first hacking your own code... or better you can select another game since there is no return on investment using the TP game... there is already a hack for that game...]]> WiiCrazy Homebrew GeneralSun, 11 Jan 2009 20:28:33 +0100 http://forum.wiibrew.org/read.php?21,7624,7632#msg-7632 Re: Let me crash Twilight Princess / Modifying the savegamehttp://forum.wiibrew.org/read.php?21,7624,7632#msg-7632
I think that there's a checksum somwhere.
I'm trying to find it. Please let me know if you have an idea.]]> ShovAge Homebrew GeneralSun, 11 Jan 2009 20:16:21 +0100 http://forum.wiibrew.org/read.php?21,7624,7624#msg-7624 Let me crash Twilight Princess / Modifying the savegamehttp://forum.wiibrew.org/read.php?21,7624,7624#msg-7624
I'm currently learning the buffer overflow theory.
And, I'd love to reproduce the TP exploit...

For now, I just want to crash the game by modify the horse name. (normally limited by 8 characters).
So, I created a new savegame, copy to my sd card, then unpack the savegame with SD tool.

I tried to modify my charecter name by adding some extra characters at 0x1bc4 and 0x1d5. I repacked the savegame and load TP with the new savegame. I did not notice anything. There was no modification in my character name.

I had another look and I found that there's six slots. It seems that each main slots (3) have its own backup slot.

000001b0  00 00 00 02 b6 23 55 9f  00 00 00 00 48 41 43 4b  |.....#U.....HACK|
000001c0  4d 45 4d 45 00 00 00 00  00 00 00 00 00 45 70 6f  |MEME.........Epo|
000001d0  6e 48 41 43 4b 00 00 00  00 00 00 00 00 00 00 00  |nHACK...........|
000001e0  00 00 00 00 00 00 00 00  01 00 00 01 02 00 01 5e  |...............^|


00021b0  00 00 00 02 b6 23 55 9f  00 00 00 00 48 41 43 4b  |.....#U.....HACK|
000021c0  4d 45 4d 45 00 00 00 00  00 00 00 00 00 45 70 6f  |MEME.........Epo|
000021d0  6e 48 41 43 4b 00 00 00  00 00 00 00 00 00 00 00  |nHACK...........|
000021e0  00 00 00 00 00 00 00 00  01 00 00 01 02 00 01 5e  |...............^|

So I tested:
- Modifying the name in the main slot and the backup slot (same modifs)
-> The game don(t want to show the "quest logs" (seems to be in an infinite loop)
- Modifying the name in the main slot and the backup slot (not sam modifs)
-> the "quest log" is corrupted say the game
- Delete all the backup slot and modify only the main slot
-> The game don(t want to show the "quest logs" (seems to be in an infinite loop)
( I had a look on the team twizzers savegame and it seems that they proceeded like it. There's no more valid backups slots)

So, my questions are:
- Do you see what I can test ?
- Is there some tools to execute the game step by step (for debugging and see what checks are done with the savegame) ?
- Is it possible to extract the dols files from my TP disc ? (to load it in IDA)


Rgds,

PS: English is not my native language.]]> ShovAge Homebrew GeneralSun, 11 Jan 2009 19:12:14 +0100