Knowledge Base

Preserving for the future: Shell scripts, AoC, and more

The checksum for the savegame file for Snoopy vs. the Red Baron

This is part 2 of my research for hacking the savegame file to Snoopy vs. the Red Baron. See part 1 for more context.

The program delsum has a few commands. You can tell it to guess which checksum algorithm is used if you give it enough samples and the checksums.

So I had to prepare the checksums.

for word in ~/Documents/Snoopy\ vs.\ the\ Red\ Baron/Profile\ 1/*sav ; do printf '%s,' "$( xxd -p -l 4 "${word}" )" ; done > ~/checksums1

Then given those existing checksums, use those same files (hopefully the shell globbing hasn't changed the order of those files in the past 8 seconds...):

$ cd ~/Documents/Snoopy\ vs.\ the\ Red\ Baron/Profile\ 1
$ ~/Downloads/delsum reverse --extended-search --start 4 --model 'crc width=32 init=0' --checksums "$( cat ~/checksums1 | sed -r -e 's/,$//;' )" *sav
crc width=32 poly=0x4c11db7 init=0x0 xorout=0x235b4b9c refin=false refout=false out_endian=little

And that is the important part! It solved it. It took less than a second! It felt instantaneous. That's the magic information I hadn't been able to find after about 12 hours of research across the past 5 days.

I spent some time in Ghidra looking for this polynomial, literal 0x41c1db7 and I found it. I forget the offset, but it's in the binary. It was inside some dumb FUN_01234982748() type function that returns void. So clearly decompiling has its limits.

So, with this whole derived specification of a checksum, I hacked up test1.sav by changing how much money I have in-game. I used vim with :%!xxd to get the hex dump (maybe I should research a proper hex editor again), made the 2-byte change at offset 0x284 (little-endian, of course), reversed it with :%!xxd -r, and saved the file.

Then I derived the checksum I'll have to insert back into the file:

$ ~/Downloads/delsum check -m 'crc width=32 poly=0x4c11db7 init=0x0 xorout=0x235b4b9c refin=false refout=false out_endian=little' --start 4 test1.sav
1cc2e3b4

So then I opened up the file again, xxd again, put that as the first 4 bytes, reversed xxd again and saved it. I replaced the main file, and told the game to reload. Nope, corrupted.

After some brief checking, I learned my test1.sav was one byte larger. Vim had of course saved the newline on the end. So, a :set binary and :set noeol later, I could save the file. And then the game can load my hacked savegame file!

I intend to write a small Python tool to facilitate making this process easier. I might even add a small frontend to make it easier to set the various in-game attributes, like profile name, settings, achievements/unlockables, etc. We'll see.
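The CRC model delsum reported, applied in Python as an added example (not the author's planned tool and not code from the original post): it checks the first 4 bytes against a CRC over everything from offset 4, and edits raw bytes so the file length cannot change the way it did with vim. It assumes out_endian=little means the field is stored little-endian; the function names and the sample data are constructed for illustration.

```python
"""Added example: verify and re-seal a save checksum with the CRC model delsum reported."""

POLY, INIT, XOROUT = 0x04C11DB7, 0x0, 0x235B4B9C  # parameters from the delsum output
CRC_START = 4  # the first 4 bytes hold the checksum itself (delsum --start 4)

def crc32_msb(data: bytes, xorout: int = XOROUT) -> int:
    """Bitwise CRC-32, most significant bit first (refin=false, refout=false)."""
    crc = INIT
    for byte in data:
        crc ^= byte << 24
        for _ in range(8):
            crc <<= 1
            if crc & 0x100000000:  # a bit fell off the top: reduce by the polynomial
                crc ^= POLY
            crc &= 0xFFFFFFFF
    return crc ^ xorout

def checksum_bytes(blob: bytes) -> bytes:
    """Checksum field as stored on disk (assumption: little-endian byte order)."""
    return crc32_msb(blob[CRC_START:]).to_bytes(4, "little")

def is_valid(blob: bytes) -> bool:
    """True when the stored field matches the CRC of the rest of the file."""
    return len(blob) > CRC_START and blob[:CRC_START] == checksum_bytes(blob)

def reseal(blob: bytes) -> bytes:
    """Same payload with a freshly computed checksum; the length never changes."""
    return checksum_bytes(blob) + blob[CRC_START:]

def patch_u16(blob: bytes, offset: int, value: int) -> bytes:
    """Write a little-endian 16-bit value at offset, then re-seal."""
    if not CRC_START <= offset <= len(blob) - 2:
        raise ValueError("offset outside the checksummed payload")
    edited = blob[:offset] + value.to_bytes(2, "little") + blob[offset + 2:]
    return reseal(edited)

# Constructed sample, not a real save: 4 placeholder bytes + 768 payload bytes.
SAMPLE = reseal(bytes(4) + bytes(range(256)) * 3)

if __name__ == "__main__":
    edited = patch_u16(SAMPLE, 0x284, 9999)
    naive = SAMPLE[:0x284] + (9999).to_bytes(2, "little") + SAMPLE[0x286:]
    print("original valid:", is_valid(SAMPLE))
    print("edited, stale checksum:", is_valid(naive))
    print("edited, re-sealed:", is_valid(edited), edited[:4].hex())
    print("with trailing newline:", is_valid(edited + b"\n"))
```

For a real file, read it with open(path, "rb") and write the result with "wb" so no newline is appended.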
