The checksum for the savegame file for Snoopy vs. the Red Baron
This is part 2 of my research for hacking the savegame file to Snoopy vs. the Red Baron. See part 1 for more context.
The program delsum has a few commands. You can tell it to guess which checksum algorithm is used if you give it enough samples and the checksums.
So I had to prepare the checksums.
for word in ~/Documents/Snoopy\ vs.\ the\ Red\ Baron/Profile\ 1/*sav ; do printf '%s,' "$( xxd -p -l 4 "${word}" )" ; done > ~/checksums1
Then given those existing checksums, use those same files (hopefully the shell globbing hasn't changed the order of those files in the past 8 seconds...):
$ cd ~/Documents/Snoopy\ vs.\ the\ Red\ Baron/Profile\ 1
$ ~/Downloads/delsum reverse --extended-search --start 4 --model 'crc width=32 init=0' --checksums "$( cat ~/checksums1 | sed -r -e 's/,$//;' )" *sav
crc width=32 poly=0x4c11db7 init=0x0 xorout=0x235b4b9c refin=false refout=false out_endian=little
And that is the important part! It solved it. It took less than a second! It felt instantaneous. That's the magic information I hadn't been able to find after about 12 hours of research across the past 5 days.
I spent some time in Ghidra looking for this polynomial, literal 0x4c11db7, and I found it. I forget the offset, but it's in the binary. It was inside some dumb FUN_01234982748() type function that returns void. So clearly decompiling has its limits.
So, with this whole derived specification of a checksum, I hacked up test1.sav by changing how much money I have in-game. I used vim with :%!xxd to get the hex dump (maybe I should research a proper hex editor again), made the 2-byte change at offset 0x284 (little-endian, of course), reversed it with :%!xxd -r, and saved the file.
Then I derived the checksum I'll have to insert back into the file:
$ ~/Downloads/delsum check -m 'crc width=32 poly=0x4c11db7 init=0x0 xorout=0x235b4b9c refin=false refout=false out_endian=little' --start 4 test1.sav
1cc2e3b4
So then I opened up the file again, xxd again, put that as the first 4 bytes, reversed xxd again and saved it. I replaced the main file, and told the game to reload. Nope, corrupted.
After some brief checking, I learned my test1.sav was one byte larger. Vim had of course saved the newline on the end. So, a :set binary and :set noeol later, I could save the file. And then the game can load my hacked savegame file!
I intend to write a small Python tool to facilitate making this process easier. I might even add a small frontend to make it easier to set the various in-game attributes, like profile name, settings, achievements/unlockables, etc. We'll see.
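As an added example (not the author's planned tool and not code from this post), here is the checksum fix-up in Python using the parameters delsum reported: the CRC is stored little-endian in the first four bytes and covers everything from offset 4. The function names and the sample buffer are assumptions made for this illustration; editing raw bytes also sidesteps the trailing-newline problem described above.

```python
import struct

# Parameters as reported by delsum on this page:
# crc width=32 poly=0x4c11db7 init=0x0 xorout=0x235b4b9c refin=false refout=false out_endian=little
POLY = 0x04C11DB7
XOROUT = 0x235B4B9C
CHECKSUM_LEN = 4        # checksum occupies bytes 0..3 (delsum --start 4)
MONEY_OFFSET = 0x284    # 2-byte little-endian money field, per the post


def crc32_msb(data: bytes, xorout: int = XOROUT) -> int:
    """Bitwise, non-reflected (refin/refout=false) CRC-32 with init=0."""
    crc = 0
    for byte in data:
        crc ^= byte << 24
        for _ in range(8):
            crc = ((crc << 1) ^ POLY) if crc & 0x80000000 else (crc << 1)
            crc &= 0xFFFFFFFF
    return crc ^ xorout


def verify(save: bytes) -> bool:
    """True if the stored little-endian checksum matches the body."""
    (stored,) = struct.unpack_from("<I", save, 0)
    return stored == crc32_msb(save[CHECKSUM_LEN:])


def reseal(save: bytes) -> bytes:
    """Return the save with its first four bytes recomputed (hypothetical helper)."""
    body = save[CHECKSUM_LEN:]
    return struct.pack("<I", crc32_msb(body)) + body


def set_money(save: bytes, amount: int) -> bytes:
    """Patch the money field and fix up the checksum; length is unchanged."""
    buf = bytearray(save)
    struct.pack_into("<H", buf, MONEY_OFFSET, amount)
    return reseal(bytes(buf))


if __name__ == "__main__":
    # Constructed stand-in for a save file, not real game data.
    sample = reseal(bytes(4) + bytes(range(256)) * 3)
    edited = set_money(sample, 9999)
    print(verify(sample), verify(edited), len(edited) == len(sample))
```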