Thanks for your reply. You perfectly answered my question! :)
by ShovAge - Homebrew General
Hello all, I succeeded in crashing Zelda Twilight Princess by adding extra characters to the horse name. (I reversed the checksum calculation process myself with a little clue from bushing.) So now, the game crashes but it only freezes. I saw on the Internet some screenshots which show helpful messages named DSI exceptions with the dumps of processor registers and a trace back. I have not this messag
by ShovAge - Homebrew General
Thanks for your precious help! I think that I found the function: 00017278 000040 8001db98 4 mDoMemCdRWm_SetCheckSumGameData(unsigned char *, unsigned char) m_Do_MemCardRWmng.o Edit: There's another function which calculates a checksum for the 3 slots. I will search for it. I had a look at the ppc code and I think that it's the function that I'm searching for. It takes the slot n
by ShovAge - Homebrew General
Hello, I'm currently trying to reverse the checksum calculation process applied to Zelda TP savegames. I know that segher already wrote a tool which allows fixing the checksum on Zelda savegames. In fact, I'm curious about how he did it. I put the main.dol in IDA and tried to locate it; I also used my gecko usb, ran the game with the debugger and tried some breakpoints. Unfo
by ShovAge - Homebrew General
Great! That's working! Happy to play with this new tool! :) Thanks for your help!
by ShovAge - Coding
Thanks a lot for your help. Your answer really helps. If I'm right, the executable sections from stub and loader are extracted to a bin file. Then this bin file is converted to an ASM source file. Then these files are compiled at the same time as geckoloader and included in geckoloder.elf. Is that it? I tried objdump on my linux box. It seems that the original objdump is onl
by ShovAge - Coding
Hello everyone, I'm currently examining the source of geckoloader. (I want to learn how to create a stub and a loader.) So I examined the stub code and quickly the loader code. All this code makes sense to me. However, regarding the boot code, I see these global variables at the beginning of the code: extern u8 stub_bin[]; extern u32 stub_bin_size; extern u8 loader_dol[]; extern
by ShovAge - Coding
Yes, there's a tool which calculates the checksum for TP savegames. I saw how the checksum is calculated and now it works. My questions are: - How did segher find the way to calculate the checksum? By reversing the game itself? - Are there some tools to execute the game step by step (for debugging and reversing the checksum calculation)? - Is it possible to extract the dol files from my T
by ShovAge - Homebrew General
Hello, I think that there's a checksum somewhere. I'm trying to find it. Please let me know if you have an idea.
by ShovAge - Homebrew General
Hello all, I'm currently learning buffer overflow theory. And I'd love to reproduce the TP exploit... For now, I just want to crash the game by modifying the horse name (normally limited to 8 characters). So, I created a new savegame, copied it to my sd card, then unpacked the savegame with SD tool. I tried to modify my character name by adding some extra characters at 0x1bc4 and
by ShovAge - Homebrew General
Hi, Thank you a lot WiiCrazy. Finally, the answer is obvious: these NG keys are used to sign the savegame, so it prevents tampering with the data. I assume that it is possible to generate fake keys. However, it's simpler to grab these keys with bushing's tool. Thank you for your answer and your tool. Thanks to segher too. PS: I tried to copy a guitar hero savegame from
by ShovAge - Homebrew General
I know it. I already used your tool and repacked save games. But you do not answer my questions ;) Is my English so poor?
by ShovAge - Homebrew General
Hello, First, sorry for my poor English. It's not my native language. I have some questions regarding the savegame keys. I played with segher's tool. And I successfully unpacked some savegame files with the following keys: - sd-key (shared) - sd-iv (also shared) - md5-blanker But, to pack a savegame file, I needed my wii's keys: - NG-id - NG-key-id - NG-mac - N
by ShovAge - Homebrew General
Hello all, First, sorry for my poor English. It's not my native language. I played with this library, it was very fun. I wonder how we create such a library. Is that IOS reversing, game reversing, system menu reversing? Where did you find all these functions and these features? Regards,
by ShovAge - Coding
@svpe Regarding this Game Memory access, you are talking about patching the game. I saw on the gecko website that we can dump the memory (with Wiird and the game launched by GeckoOS). So, does GeckoOS patch the game on the fly to allow memory dumps? And is there a way to patch the game, fakesign it, and run it without using GeckoOS? Then, can we load this kind of dump in IDA and see intruc
by ShovAge - Software
Hi, Quote: Therefore to duplicate a valid signing, you would need Nin's private key. Yeah, you're right! I think it's a really well guarded secret. I'm currently reading this: It answers my questions. But I think that I will have many others when I finish... Thanks for your help.
by ShovAge - Homebrew General
Quote whodares: Because we only have one set of keys. I thought that the common key was an RSA private one or something like that. I re-read it: In fact, the extracted common key is an AES one. So it does not allow signing any content. Sorry for this question. I'll try not to do it again. Quote whodares: Does that help? Thank you so much for your example. I watched the video another time
by ShovAge - Homebrew General
Hello all, First, sorry for my poor English. I'm French, you know. I'm new to Wii hacking so my questions could be boring for the wii gurus. I watched with much interest the 25c3 videos. I understood that the tweezer attack has allowed access to the common keys and all other interesting keys. Why don't these keys allow signing content? Why do we have to fakesign h
by ShovAge - Homebrew General