Learning how to reverse-engineer a game - Printable Version

+- Dolphin, the GameCube and Wii emulator - Forums (https://forums.dolphin-emu.org)
+-- Forum: Dolphin Emulator Discussion and Support (https://forums.dolphin-emu.org/Forum-dolphin-emulator-discussion-and-support)
+--- Forum: Development Discussion (https://forums.dolphin-emu.org/Forum-development-discussion)
+--- Thread: Learning how to reverse-engineer a game (/Thread-learning-how-to-reverse-engineer-a-game)
Learning how to reverse-engineer a game - shockdude - 04-12-2019

A long time ago, people looked at DJ Hero to see if they could add custom songs & charts to the game. Unfortunately, each chart has a unique hash, and if the hash doesn't match the chart, the game won't load the chart. It is theoretically possible to reverse-engineer the hash format.

Dolphin's debugger is quite nice. However, this is my first time doing any "real" reverse-engineering, and the lack of a symbol table makes things annoying. So far I've done the following:

- Found the Assembler Tutorial at WiiBrew
- Loaded the signature database for basic SDK symbols
- Located the chart's hash in memory, set a breakpoint at that address, and stepped through a couple of instructions

Am I on the right track? Does anyone have tips on how to proceed further?

RE: Learning how to reverse-engineer a game - shockdude - 04-13-2019

Welp, why reverse-engineer the hash format when you can just disable the hash check entirely?

I got lucky. Using the memory breakpoint at the address of the chart's hash, I quickly found the code that compares the hash against the computed hash. I then replaced the instructions that execute when the integrity test fails with nops. DJ Hero can now load custom charts.

Props to the dev team for the nice debugger, and to WiiBrew for the PPC assembler reference.

Gecko Code to disable the chart integrity test and allow loading custom charts. For DJ Hero NTSC (SWAE52). Tested in Dolphin; haven't tested on a real Wii yet.

Code:
$Enable Custom Charts [shockdude]

RE: Learning how to reverse-engineer a game - dreamsyntax - 04-14-2019

Nice job with that clever solution! How did you eventually reach the function to determine it was checking the hashes?

RE: Learning how to reverse-engineer a game - shockdude - 04-24-2019

Sorry for the late reply.

When I put the memory breakpoint where the hash was, I reached an instruction that compared the hash against another value in a CPU register, which turned out to be the computed hash. When I edited the values so that the comparison passed, the chart was able to load correctly.

As an update, by observing which bytes in the chart were affecting the hash, and with an absurd amount of luck, I figured out what the hash function is. It's just CRC32 from the 8th byte to the last line in the chart.
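The two findings in this last post, the hashed region and the "which bytes affect the hash" probing that located it, written out as an added example (not code from the thread or from the game). It assumes the hash is the standard IEEE/zlib CRC-32 and that the covered region runs from byte index 7 (the 8th byte) to the end of the chart; the chart bytes used are constructed.

```python
import zlib

# Standard reflected CRC-32 (IEEE polynomial 0x04C11DB7, reflected form below),
# the same algorithm zlib.crc32 implements. Spelled out so the table and the
# per-byte update step are visible when matching it against disassembly.
_POLY = 0xEDB88320
_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ _POLY if c & 1 else c >> 1
    _TABLE.append(c)

def crc32(data: bytes) -> int:
    """CRC-32 of data; equals zlib.crc32(data) & 0xFFFFFFFF."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF

# Assumption taken from the thread: hashing starts at the 8th byte (index 7)
# and covers everything up to the end of the chart.
HASH_START = 7

def chart_crc32(chart: bytes) -> int:
    return crc32(chart[HASH_START:])

def verify_chart(chart: bytes, stored_hash: int) -> bool:
    """Integrity check as the game would perform it: recompute and compare."""
    return chart_crc32(chart) == (stored_hash & 0xFFFFFFFF)

def matches_zlib(data: bytes) -> bool:
    """Cross-check the hand-written CRC against the library implementation."""
    return crc32(data) == (zlib.crc32(data) & 0xFFFFFFFF)

def hashed_positions(chart: bytes, hash_fn) -> list:
    """Byte indexes whose modification changes hash_fn(chart). This is the
    probing the post describes: flip one byte at a time and see whether the
    hash moves, which reveals the region the hash covers."""
    baseline = hash_fn(chart)
    hit = []
    for i in range(len(chart)):
        mutated = bytearray(chart)
        mutated[i] ^= 0x01
        if hash_fn(bytes(mutated)) != baseline:
            hit.append(i)
    return hit

if __name__ == "__main__":
    # Constructed sample: a 7-byte header followed by the CRC check string.
    sample = b"HEADER!" + b"123456789"
    print(hex(chart_crc32(sample)), hashed_positions(sample, chart_crc32))
```

For the sample above the hash is 0xcbf43926 (the well-known CRC-32 check value for "123456789") and every index from 7 onward reports as covered, while the 7 header bytes do not.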