SSBB Snapshot files. We need to crack em!

Shining Blitz

Smash Apprentice
Joined
Mar 17, 2008
Messages
79
Location
New York City
Hey, could it be possible to recrypt another image into a snapshot file- possibly in a higher resolution- at least so that Brawl could understand it? I'm asking because I have a theory about custom costumes (see the costume hacking thread, pg. 25) and I want to know if an alien image could be turned into something Brawl can read and display. If it is possible, then my theory could have some merit.
 

L0nk

Smash Rookie
Joined
Mar 6, 2008
Messages
17
recrypting is technically no problem.. just we've been through this before: the files have a signature.. or in other words.. a finger print.. and we can't forge that one yet. So the game doesn't accept our files.
 

Shining Blitz

Smash Apprentice
Joined
Mar 17, 2008
Messages
79
Location
New York City
Well, since we can decrypt the file, couldn't we extract the signature of a legit snapshot, tinker with it if necessary, and paste it into a new image?
 

L0nk

Smash Rookie
Joined
Mar 6, 2008
Messages
17
well.. yes, we can extract the signature.. however, we do not know how the signature is being generated:

A typical idea is: you have the following data: 3472394
now you make a finger print by adding each digit: 3+4+7+2+3+9+4 = 32 and again: 3+2 = 5
Okay.. we've got a signature of 5.. this is a valid signature for 3472394.. now we change the data to 3472395 -> the signature will be 6.. in my case..
what the game does: once it sees a set of data.. it calculates the signature of it.. and compares the signature attached to it with the one it calculated.. if they match it's happy.. in my case: I changed 3472394 to 3472395 - but still 5 is attached as signature.. the game calculates: aha, the signature for the data should be 6.. but the attached one is 5.. this must be wrong, I won't open the file!

Nintendo does it in a comparable way.. when we'd resize the pictures.. a new set of data is generated.. with a signature.. unfortunately we do not know how the signature is generated (that sum thing I used is a common example so that others get the idea).. in our cases the signature looks kinda like 3F 58 11 25 98 AB C5 44 3F C2 10 22

And we simply have no idea how the game calculates these kinda signatures from given data. We can change given data.. however we cannot calculate the new signature needed so that the game accepts the file.
 

L0nk

Smash Rookie
Joined
Mar 6, 2008
Messages
17
follow my signature example again:

picture data is: 3472394 --> signature is 5
I resize.. new picture data is: 3472395 --> signature would have to be 6..

5 is WRONG now.. and thus.. a signature is only legit for specific data.. once we change the data (changing/resizing the picture) the signature is not legit anymore.
 

Slo_Mo23

Smash Rookie
Joined
Jul 9, 2008
Messages
17
Sighs and facepalms aside, there should really be a topic containing the words:

HEY ****ING *******, FOR THE LAST ****ING TIME, REPLAY FILES CANNOT BE CONVERTED TO VIDEO FORMAT. EVER. GET THIS THROUGH YOUR THICK HEADS.

This, sir, is why you're correct.
 

comex

Smash Rookie
Joined
Mar 22, 2008
Messages
10
So guys... guess what I found (with the help of crediar and a lot of other people)

To calculate the checksum of a decrypted replay/snapshot/stage, take the number at 0x1c (big-endian). Add 0x20 to that and take that much of the file from the beginning (should be most of the file, except for null bytes at the end for padding). Then, replace the four bytes at 0x10 with 0xDEADBEEF. crc32 and stick the result (again, big-endian) into 0x10.


Here is a quick Python script to do that:
Code:
import sys, struct, zlib

N = False
args = sys.argv[1:]
if len(args) == 3 and args[0] == '-n':
    N = True
    args = args[1:]
if len(args) != 2:
    print('Usage: brawl-cksum [-n] <input> <output>')
    print('If -n, I won\'t modify the size to 0')
    sys.exit(1)
# Binary mode: the file is raw bytes, not text
with open(args[0], 'rb') as f:
    n = bytearray(f.read())
if not N:
    n[0x1c:0x20] = struct.pack('>I', 0) # Set the size to 0, it doesn't care if it's compressed
# Checksummed region: the 0x20-byte header plus the size stored at 0x1c
size = struct.unpack('>I', n[0x1c:0x20])[0] + 0x20
m = bytearray(n[:size])
m[0x10:0x14] = struct.pack('>I', 0xDEADBEEF)
# Mask to unsigned 32 bits so struct.pack('>I', ...) always accepts the value
n[0x10:0x14] = struct.pack('>I', zlib.crc32(bytes(m)) & 0xffffffff)
with open(args[1], 'wb') as f:
    f.write(n)
so,
1. Decrypt the file using the sd-key (AB 01 B9...) and the brawl specific IV (4E 03 41...).
2. Run DeLZSS on it
3. Change the 4 bytes at 0x1c to be the same as the 4 bytes at 0x18.
4. Run ^ with -n
5. Encrypt

and you can use the modified file. Warning, a lot of stuff (like having no tiles) causes Brawl to crash.

Really this should be a lot easier than using the USBGecko to mess with stuff...
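
An added example, not comex's script or any tool from this thread: the checksum rule from the post above written as a verifier and run on a constructed sample file, next to an HMAC to show the difference between an unkeyed checksum and a keyed tag. The sample layout, the function names and the demo key are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
import zlib

CRC_OFF, SIZE_OFF, HEADER_LEN = 0x10, 0x1C, 0x20  # offsets given in the post
PLACEHOLDER = 0xDEADBEEF                          # substitute value from the post

def brawl_crc(data, placeholder=PLACEHOLDER):
    """CRC32 of the first size+0x20 bytes, CRC field swapped for the placeholder."""
    if len(data) < HEADER_LEN:
        raise ValueError("shorter than the 0x20-byte header")
    end = struct.unpack_from(">I", data, SIZE_OFF)[0] + HEADER_LEN
    if end > len(data):
        raise ValueError("size field points past the end of the file")
    covered = bytearray(data[:end])
    struct.pack_into(">I", covered, CRC_OFF, placeholder)
    return zlib.crc32(bytes(covered)) & 0xFFFFFFFF

def crc_ok(data):
    """True when the big-endian value stored at 0x10 matches the recomputed CRC."""
    return struct.unpack_from(">I", data, CRC_OFF)[0] == brawl_crc(data)

def seal(data):
    """Write the recomputed CRC into 0x10. No secret is involved."""
    out = bytearray(data)
    struct.pack_into(">I", out, CRC_OFF, brawl_crc(data))
    return bytes(out)

def make_sample(payload, pad=16):
    """Constructed file: zeroed header with size field, payload, null padding."""
    header = bytearray(HEADER_LEN)
    struct.pack_into(">I", header, SIZE_OFF, len(payload))
    return seal(bytes(header) + payload + b"\x00" * pad)

def mac(data, key):
    """Keyed tag for comparison: cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).digest()

def mac_ok(data, tag, key):
    return hmac.compare_digest(mac(data, key), tag)

if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: demo key only
    good = make_sample(b"constructed payload")
    # Flip one bit in the first payload byte
    edited = good[:HEADER_LEN] + bytes([good[HEADER_LEN] ^ 1]) + good[HEADER_LEN + 1:]
    print("original crc_ok:", crc_ok(good))
    print("edited   crc_ok:", crc_ok(edited))
    print("resealed crc_ok:", crc_ok(seal(edited)))
    print("resealed mac_ok:", mac_ok(seal(edited), mac(good, key), key))
```

The CRC catches the edit until it is recomputed, which needs only the public rule; the HMAC tag taken over the original still rejects the resealed file because producing a new tag needs the key. Bytes past size+0x20 (the null padding) are outside the checksummed range.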
 

comex

Smash Rookie
Joined
Mar 22, 2008
Messages
10
Here are two Python scripts to convert from a decrypted stage .bin to a more human-readable format + a jpg, and back... (but you will need to do the decrypting, encrypting, and de-lzssing yourself).

They don't do names correctly. Music works if you have musicSFX_ID.txt in the current directory...

Requires PyYAML.

http://qoid.us/sb2yaml.py
http://qoid.us/yaml2sb.py
 

gehaga

Smash Cadet
Joined
Feb 27, 2008
Messages
49
Location
Long Island
Yes but please make a step by step instruction book, no CDI pun intended.
plz include what programs that are needed.
 

Keshire

Smash Rookie
Joined
Mar 13, 2008
Messages
9
Heinermann, I'm not sure if you received my PM or not. But the file spec for the brres doesn't look up to date on your site.
http://heinermann.kakkoister.com/brawlFormats.txt

This is what I have for it:
Code:
//Hex Workshop Structures//
//SSBB brres//


#include "standard-types.hsl"

#pragma byteorder(big_endian)
#pragma maxarray(1024)


#pragma Hide()

typedef struct File
{
    word    unknown; //Offset ??
    word    x0000; //Always x0000 ??
    word    unknown; //File ID/Attrib ??
    word    unknown; //File ID/Attrib ??
    dword    pString; //Offset to string table
    dword    pFile; //Offset to File

}File;

typedef struct    RootIndex
{
    dword    xFFFF0000; //Always
    word    unknown;
    word    unknown;
    dword    unknown;
    dword    unknown;
    File    Folders[ulongAt(28)]; //[UniqueFileTypes]
    word    Padding;
}RootIndex;

typedef struct    Index
{
    word    Size;
    word    x0000; //Always x0000
    word    FileNumber;
    dword    xFFFF0000; //Always
    word    unknown;
    word    unknown;
    dword    unknown;
    dword    unknown;
    File    Files[FileNumber];
    word    Padding;

}Index;

#pragma Show()

struct Main
{
    char    ID[4]; //'bres'
    dword    xFEFF;
    dword    FileSize;
    word    pRoot; //Pointer to 'root'
    word    Sections; //Includes root

    struct Root
    {
    char        ID[4]; //'Root'    
    dword        HeaderSize;
    dword        IndexSize;
    dword        UniqueFileTypes;

    RootIndex    RootFolders; //See Root Index
    Index        FileIndex[ulongAt(28)]; //See Index [UniqueFileTypes]

    };
};
The guys working the texture hacks wanted to be able to just recompile the brres instead of manually hex editing it.
 

Royale

Smash Journeyman
Joined
Aug 15, 2008
Messages
226
Location
Ohio
Sighs and facepalms aside, there should really be a topic containing the words:

HEY ****ING *******, FOR THE LAST ****ING TIME, REPLAY FILES CANNOT BE CONVERTED TO VIDEO FORMAT. EVER. GET THIS THROUGH YOUR THICK HEADS.
This is why people often buy a game bridge so they can record not only their Replay files, but anything over 3 whole freaking minutes! Who'd a thought?
 

Shining Blitz

Smash Apprentice
Joined
Mar 17, 2008
Messages
79
Location
New York City
Hey! now, maybe we can load custom alt costume textures into brawl as snapshots, copy them into the wii if necessary, and use usbgecko/ocarina to use them instead of the internal textures, just like I thought!

Oh, and pc stage builder with no rules. YAYAYAYYAYAYAY!
 

Heinermann

Smash Apprentice
Joined
Jul 31, 2007
Messages
80
Actually that's not a bad idea, loading replacement files or ASM in content files, then referencing them with ocarina/usbgecko.
 

djgwiz

Smash Apprentice
Joined
Feb 17, 2008
Messages
100
Location
Merrymore
So do we have a program to encode brawl snapshots (like a jpg2bin)? If not, do we have instructions on how to do it?

Edit: Actually could someone just make a brawl snapshot file with this picture? I have no idea how to do any of this.
http://i38.tinypic.com/15i4sp5.jpg
 

GaryCXJk

Smash Lord
Joined
Jun 2, 2006
Messages
1,809
This might sound stupid, but...

We talk about encryption, yet there is no program to encrypt.
 

Lucario Boricua

Smash Rookie
Joined
Sep 3, 2008
Messages
13
Location
Bayamón, Puerto Rico.
I wonder why Nintendo would want to encrypt the snapshots of Super Smash Bros. BRAWL. Is it that they are obsessed with the copyrights of ALL the information related to their videogames or something like it? Or is it a test of "how fanatic are the SSBB players about the videogame"? I haven't had the chance to experiment on the files, since my computer's SD Card reader is somewhat broken.
 

GaryCXJk

Smash Lord
Joined
Jun 2, 2006
Messages
1,809
Big huge question.

Can I use PGP to encrypt the files? Or is the RSA encryption different on that program?
 

Isaac356

Smash Rookie
Joined
Sep 30, 2008
Messages
12
It looks like once again there's a problem with the kakkoister.com site.

Heinermann & GTCoder, is there another place where I can get some of your utilities (they sound awesome)

EDIT: Here is a .NET decryptor and encryptor I quickly threw together...and it doesn't erase the first 16 bytes (GT, no offence...:))

Link: http://www.mediafire.com/?z00yuz3omnt

I have tested it (decrypt -> encrypt), and have gotten the same file back, so I assume it works.

One down, two to go (checksum, compression, encryption)...

EDIT 2: Comex: I can't get your CRC thingy to work. I'm testing it on an unmodified file from Brawl. It's decrypted, I took the correct portion of the file (value at 0x1C, + 0x20), I replaced 0x10 with 0xDEADBEEF (lol), and when I crc it, I get a different hash back than the one that was there before. If you have any ideas, I'm listening.
 

Isaac356

Smash Rookie
Joined
Sep 30, 2008
Messages
12
Yea.. it's crowded like hell and that's too much for the server. :/
You can try the one I'm hosting myself, it's the same minus the Image Hosting capability.
http://xane.gamez-interactive.de/Brawl/Decrypter/
Nice, thanks for the info.

Also just wanted to say that I wrote a quick program to fill 0x10 with random bytes until the CRCs matched. My "magic bytes", so to speak, are 0xD8D75498, as opposed to 0xDEADBEEF.

Perhaps they are different for every Wii, but interoperable (because replays/stages from other Wiis work on mine).

Just food for thought.

EDIT: Wrong value; fixed.
 

Xane

Smash Journeyman
Joined
Sep 19, 2007
Messages
335
Location
Germany
NNID
XaneFeather
3DS FC
3866-8124-2065
Nice, thanks for the info.

Also just wanted to say that I wrote a quick program to fill 0x10 with random bytes until the CRCs matched. My "magic bytes", so to speak, are 0xB93B3E2A, as opposed to 0xDEADBEEF.

Perhaps they are different for every Wii, but interoperable (because replays/stages from other Wiis work on mine).

Just food for thought.
0xB93B3E2A is correct and works for every file on every Wii.
 

Isaac356

Smash Rookie
Joined
Sep 30, 2008
Messages
12
0xB93B3E2A is correct and works for every file on every Wii.
Really? I was just about to edit and say that I used the wrong checksum when "attacking" my file. I used the correct one this time and got 0xD8D75498 back (which works on ALL of my other files)

Or, maybe it doesn't matter at all...but that's unlikely.

...I don't know, I'm so confused right now. But 0xD8D75498 works for me. (EDIT: Don't know if it matters, but I'm working with a replay.)

(General note to self: always test before posting...)

...checksum, compression, encryption...
 

Isaac356

Smash Rookie
Joined
Sep 30, 2008
Messages
12
can anybody explain me what are these please ^^^^
The first is a program for converting the SSE & Opening cutscenes to a file viewable on your computer.

The second sounds like it is supposed to convert your replays to videos, but this is probably not likely. If it is, then it's probably FAR from complete.

-------------------------------------------------

EDIT: I have a hashed and encrypted replay that is not compressed (2.25kb). I will throw it on my Wii and see if Brawl accepts it as soon as my friends are done playing SSE, lol!

EDIT 2: The file shows up as corrupted. It looks like we need that compressor.
 

Xane

Smash Journeyman
Joined
Sep 19, 2007
Messages
335
Location
Germany
NNID
XaneFeather
3DS FC
3866-8124-2065
(...)
EDIT: I have a hashed and encrypted replay that is not compressed (2.25kb). I will throw it on my Wii and see if Brawl accepts it as soon as my friends are done playing SSE, lol!

EDIT 2: The file shows up as corrupted. It looks like we need that compressor.
Brawl doesn't need all files compressed, it reads all my encrypted, but still uncompressed files just fine.
 

GaryCXJk

Smash Lord
Joined
Jun 2, 2006
Messages
1,809
Encrypting a decrypted stage works fine, but after DeLZSSing it and never mind, I'll just go and try to convert the DeLZSS thing to reverse LZSS.

Basically, it crashes when I DeLZSS and checksum.

EDIT:

Code:
Onverwerkte uitzondering: System.Security.Cryptography.CryptographicException: De lengte van de te coderen gegevens is ongeldig.
   bij System.Security.Cryptography.RijndaelManagedTransform.EncryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast)
   bij System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount)
   bij BinEncryptor.Program.Main(String[] args)
Translated:
Code:
Unexpected exception: System.Security.Cryptography.CryptographicException: The length of the data to encode is invalid.
   at System.Security.Cryptography.RijndaelManagedTransform.EncryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast)
   at System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount)
   at BinEncryptor.Program.Main(String[] args)
 

Isaac356

Smash Rookie
Joined
Sep 30, 2008
Messages
12
Encrypting a decrypted stage works fine, but after DeLZSSing it and never mind, I'll just go and try to convert the DeLZSS thing to reverse LZSS.

Basically, it crashes when I DeLZSS and checksum.
Okay, the problem is, AES needs files in multiples of 384(?) bytes, so if a file is not this big, it won't work.

Basically, you see on the decrypted files (the whole 0x1D + 0x20 thing, covered somewhere before) that at the end of the file there are some 0x00 bytes to make the file the correct size; you need to do the same with your file (updating 0x1D accordingly)

Also, you need to make sure you have the very first 16 bytes (if you used my decryptor, you do, but if you used GTCoder's, you won't; this may cause a problem)

Anyways...that would be AWESOME if you could reverse the DeLZSS source to make it compress files. That is EXACTLY what we need. It looks like it's hard, though (at least, I can't wrap my head around the code)

Xane said:
Brawl doesn't need all files compressed, it reads all my encrypted, but still uncompressed files just fine.
Really? How big are your uncompressed files? Maybe Brawl has a size cutoff where if a file is so big, it doesn't read it. (If you're 100% sure any size file can be read uncompressed, then I need to check and make sure I'm doing everything right)

--------------------------------

EDIT: Okay, here's a zip with everything so far (encrypt, decrypt, delzss(modified to handle the first 16 bytes), delzss source, and batch files (obviously the "Compress and Encrypt" batch file doesn't compress yet).

Link: http://www.mediafire.com/?y2zywcu2zyw
 

GaryCXJk

Smash Lord
Joined
Jun 2, 2006
Messages
1,809
I have the feeling 0xDEADBEEF is mainly for screenshots, 0xD8D75498 is for replays and 0xB93B3E2A for stages.

Oh, and :(
 

Xane

Smash Journeyman
Joined
Sep 19, 2007
Messages
335
Location
Germany
NNID
XaneFeather
3DS FC
3866-8124-2065
I have the feeling 0xDEADBEEF is mainly for screenshots, 0xD8D75498 is for replays and 0xB93B3E2A for stages.

Oh, and :(
I just use one for all kinds of files and it works.
 