Let me crash Twilight Princess / Modifying the savegame

Posted by ShovAge 
Let me crash Twilight Princess / Modifying the savegame
January 11, 2009 07:12PM
Hello all,

I'm currently learning the buffer overflow theory.
And, I'd love to reproduce the TP exploit...

For now, I just want to crash the game by modifying the horse name (normally limited to 8 characters).
So, I created a new savegame, copied it to my SD card, then unpacked the savegame with the SD tool.

I tried to modify my character name by adding some extra characters at 0x1bc4 and 0x1d5. I repacked the savegame and loaded TP with the new savegame. I did not notice anything. There was no modification to my character name.

I had another look and I found that there are six slots. It seems that each of the main slots (3) has its own backup slot.

000001b0  00 00 00 02 b6 23 55 9f  00 00 00 00 48 41 43 4b  |.....#U.....HACK|
000001c0  4d 45 4d 45 00 00 00 00  00 00 00 00 00 45 70 6f  |MEME.........Epo|
000001d0  6e 48 41 43 4b 00 00 00  00 00 00 00 00 00 00 00  |nHACK...........|
000001e0  00 00 00 00 00 00 00 00  01 00 00 01 02 00 01 5e  |...............^|


000021b0  00 00 00 02 b6 23 55 9f  00 00 00 00 48 41 43 4b  |.....#U.....HACK|
000021c0  4d 45 4d 45 00 00 00 00  00 00 00 00 00 45 70 6f  |MEME.........Epo|
000021d0  6e 48 41 43 4b 00 00 00  00 00 00 00 00 00 00 00  |nHACK...........|
000021e0  00 00 00 00 00 00 00 00  01 00 00 01 02 00 01 5e  |...............^|

So I tested:
- Modifying the name in the main slot and the backup slot (same modifications)
-> The game doesn't want to show the "quest logs" (seems to be in an infinite loop)
- Modifying the name in the main slot and the backup slot (not the same modifications)
-> The game says the "quest log" is corrupted
- Deleting all the backup slots and modifying only the main slot
-> The game doesn't want to show the "quest logs" (seems to be in an infinite loop)
(I had a look at the Team Twiizers savegame and it seems that they proceeded like that. There are no more valid backup slots.)

So, my questions are:
- Do you see what else I can test?
- Are there any tools to execute the game step by step (for debugging and seeing what checks are done on the savegame)?
- Is it possible to extract the DOL files from my TP disc? (to load them in IDA)


Rgds,

PS: English is not my native language.
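An added example (not code from the thread or from segher's tools) that parses the hexdump shown above and checks the main slot against its backup copy, the kind of consistency check the game appears to perform when it reports a corrupted quest log. The field offsets are taken from where the names sit in the dump; the field labels and the 16-byte read limit are assumptions.

```python
import re

# Hexdump lines from the post above (main slot at 0x1b0, backup copy at 0x21b0);
# the offset of the first backup line is normalized to eight digits.
DUMP = """\
000001b0  00 00 00 02 b6 23 55 9f  00 00 00 00 48 41 43 4b  |.....#U.....HACK|
000001c0  4d 45 4d 45 00 00 00 00  00 00 00 00 00 45 70 6f  |MEME.........Epo|
000001d0  6e 48 41 43 4b 00 00 00  00 00 00 00 00 00 00 00  |nHACK...........|
000001e0  00 00 00 00 00 00 00 00  01 00 00 01 02 00 01 5e  |...............^|
000021b0  00 00 00 02 b6 23 55 9f  00 00 00 00 48 41 43 4b  |.....#U.....HACK|
000021c0  4d 45 4d 45 00 00 00 00  00 00 00 00 00 45 70 6f  |MEME.........Epo|
000021d0  6e 48 41 43 4b 00 00 00  00 00 00 00 00 00 00 00  |nHACK...........|
000021e0  00 00 00 00 00 00 00 00  01 00 00 01 02 00 01 5e  |...............^|
"""

MAIN_SLOT, BACKUP_SLOT = 0x1b0, 0x21b0
NAME_LIMIT = 8   # the poster says names are normally limited to 8 characters
# Offsets relative to the slot start, read off where "HACKMEME" and "EponHACK"
# sit in the dump. The labels and the 16-byte maximum read are assumptions.
FIELDS = {"player": 0x0c, "horse": 0x1d}
MAX_READ = 16

LINE_RE = re.compile(r"^([0-9a-f]{7,8})\s+((?:[0-9a-f]{2}\s+)+)\|")

def parse_hexdump(text: str) -> bytearray:
    """Rebuild a sparse byte image from `hexdump -C` style lines (gaps stay zero)."""
    chunks = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            chunks.append((int(m.group(1), 16), bytes.fromhex("".join(m.group(2).split()))))
    buf = bytearray(max(off + len(data) for off, data in chunks))
    for off, data in chunks:
        buf[off:off + len(data)] = data
    return buf

def read_name(buf: bytearray, off: int) -> str:
    """Read a NUL-terminated ASCII name, looking at most MAX_READ bytes ahead."""
    raw = bytes(buf[off:off + MAX_READ]).split(b"\0", 1)[0]
    return raw.decode("ascii", errors="replace")

def slot_names(buf: bytearray, slot: int) -> dict:
    return {field: read_name(buf, slot + rel) for field, rel in FIELDS.items()}

def find_mismatches(buf: bytearray, main: int, backup: int) -> list:
    """Fields whose main-slot value differs from the backup copy."""
    a, b = slot_names(buf, main), slot_names(buf, backup)
    return [(f, a[f], b[f]) for f in FIELDS if a[f] != b[f]]

def overlength(names: dict, limit: int = NAME_LIMIT) -> list:
    """Fields whose stored name exceeds the in-game limit."""
    return [f for f, v in names.items() if len(v) > limit]
```

Run against the dump, both slots agree and neither name exceeds the limit; shortening the backup's horse name makes `find_mismatches` report the field, which matches the "quest log corrupted" case the poster observed.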
Re: Let me crash Twilight Princess / Modifying the savegame
January 11, 2009 08:16PM
Hello,

I think that there's a checksum somewhere.
I'm trying to find it. Please let me know if you have an idea.
Re: Let me crash Twilight Princess / Modifying the savegame
January 11, 2009 08:28PM
There is a tool to fix the Zelda hack's checksum or something; I never cared to look into what that program does or how it does it... maybe it does the checksum stuff you are mentioning..

it's in segher's tools...

btw: why do you invest your time in TP? If you want to experiment with exploit code you can simplify it by first hacking your own code... or better, you can select another game, since there is no return on investment using the TP game... there is already a hack for that game...



Edited 1 time(s). Last edit at 01/11/2009 08:33PM by WiiCrazy.
Re: Let me crash Twilight Princess / Modifying the savegame
January 11, 2009 10:49PM
Yes, there's a tool which calculates the checksum for the TP savegame.
I saw how the checksum is calculated and now it works.

My questions are:
- How did segher find the way to calculate the checksum? By reversing the game itself?
- Are there any tools to execute the game step by step (for debugging and reversing the checksum calculation)?
- Is it possible to extract the DOL files from my TP disc? (to load them in IDA)

Note:
I already hacked my own code, and before playing with another game than TP, I prefer to know the whole process that has been used to hack TP.
And, because it's fun.
Re: Let me crash Twilight Princess / Modifying the savegame
January 12, 2009 12:17AM
Quote
ShovAge
Yes, there's a tool which calculates the checksum for the TP savegame.
I saw how the checksum is calculated and now it works.

My questions are:
- How did segher find the way to calculate the checksum? By reversing the game itself?

Dunno, but probably they first crashed it and then later figured out that there is some kind of checksum... just a guess..

Quote

- Are there any tools to execute the game step by step (for debugging and reversing the checksum calculation)?

Never used it (I don't have it), but you can use a USB Gecko for that matter, I guess...

Quote

- Is it possible to extract the DOL files from my TP disc? (to load them in IDA)

Yeah, certainly; search for the tool called Trucha Signer.. you need the common key for that to work...

Quote

Note:
I already hacked my own code, and before playing with another game than TP, I prefer to know the whole process that has been used to hack TP.
And, because it's fun.

Ok buddy, have fun then... but I don't think it's fun... for your full-fledged hack you need to write an SD loading stub (for the exploit code) if you don't want to rip TT, and I don't think it's fun... you need to educate yourself pretty well...