Previously we reported on several other PS3 cheating devices, and today Kotaku (linked above) has announced that a modern-day Game Genie Save Editor by Hyperkin for the PlayStation 3 is slated to debut at E3 2012 and launch on July 17th, offering maximum lives and more.
Apparently it works through a USB flash drive that contains an installation program that allows you to transfer save files between the PS3 and PC.
A PC program in the USB drive will write cheats onto your save files allowing you to then transfer the edited save files from PC back to the PS3. It also will include a continuously updated server that adds new codes to the newest games.
To quote: "The Game Genie works by modifying save data with cheat codes that unlock a variety of possibilities. The Game Genie: Save Editor for PS3 is the first code device amongst any competitor's products that actually manipulates save files and works for the PS3. Hyperkin will debut the Game Genie: Save Editor for PS3 at E3, the premier trade show for the video game industry.
Located in Booth #417 in the South Hall, the Hyperkin booth will offer E3 attendees the opportunity to see firsthand the kinds of cheats available for several blockbuster games such as Uncharted 3, Batman: Arkham City, The Elder Scrolls V: Skyrim, Twisted Metal, Street Fighter X Tekken and Final Fantasy XII-2. Attendees will get to experience the power of maximum lives, ammo, power-ups and unlocked levels that make any game easily beatable.
The Game Genie: Save Editor for PS3 comes in a USB flash drive that contains an installation program that allows users to transfer save files between the PS3 and the PC. Players can use the PC program in the USB drive in order to write cheats onto their save files. Players can then transfer the edited save files from their PC back onto their PS3 to enjoy a powered-up game file. The Game Genie PC program works through a continuously updated server that adds the newest codes for the newest games.
Update: They're hoping to release it in the first week of July, a company rep tells me."
Below are the Game Genie Save Editor for PS3 features from the official site:
Save yourself the time having to grind for better stats, higher levels or more gold or treasures! The Game Genie: Save Editor for PS3 gives you access to infinite lives, infinite money and maxed out stats so you can breeze past all those boring parts of the game.
Optimized to work with the latest PS3 firmware, the Game Genie is an easy-to-use program that doesn’t require jailbreaking or modding your PS3. The Game Genie: Save Editor for PS3 works by allowing you to modify your saves on your PC with cheat codes that take effect once you load your game. Just pick the game you want to modify and the cheats you want and you’re set! Unlock Everything!
Loads, uploads and backs up your save data
All-in-one USB drive to transfer saves from PS3 to PC for easy modification
Automatic Profile Reassignment
Unlocks secret content from weapons, levels, items, etc.
Ability to trade game saves with other players
Secure access to the world’s premier cheat database with hundreds of available cheats
Live RSS feed continuously updated with the newest cheats for the newest games
Free updates via thegamegenie.com
PC required. Not compatible with Mac or Linux
1 GB USB Flash Drive pre-loaded with Game Genie Software
Here is how the new Game Genie lets you hack your PS3 saves, in the words of Wayne Beckett of Hyperkin (via arstechnica.com/gaming/2012/07/how-the-new-game-genie-lets-you-hack-your-ps3-saves/):
What is the Game Genie today (since we all remember the cartridge era)?
PS3 Game Genie is actually just a computer program that lets you decode and modify PS3 save files stored on a standard USB stick.
But one thing the old and new Game Genies share is the ability for a determined, patient hacker to create their own cheats by diving into the vagaries of the hexadecimal code. While most users will probably be satisfied clicking checkboxes to activate pre-built cheats like maximum health and full game unlocks (just like most users of the original Game Genie were satisfied copying down codes from the included booklet or game magazines), the Game Genie software also offers an Advanced mode that allows for more direct save file manipulation.
Breaking the Encryption:
While the interface the Game Genie uses for its save file hacking looks like a simple hexadecimal file editor, the software actually conceals a lot of behind-the-scenes work needed to make those files editable in the first place. “If you take a hex editor like Winhex on your PC and you open a PS3 save, the only thing you’re ever going to do is break it,” Beckett said. That’s because those save files are protected by “encryption, compression, checksums, second level encryption, and so on,” he explained.
“So we basically make all of that invisible to the user. We’ll actually decode the save on our server, then we’ll send it to you, and then you make the changes, then we’ll re-encode the save and send it back,” he said. (This process also makes it possible to re-encode a save file with the profile from another PS3 system, letting you easily transfer saves between hardware).
Unfortunately, this means that the Game Genie only works with a selection of about 70 PS3 games that Hyperkin has gone to the trouble of figuring out how to decrypt and decompress to be directly editable (the company is working to expand that list going forward with automatic online updates). Beckett said the involved process of unlocking the specific save format for a single game can take days or even weeks, especially for complicated files like those found in Skyrim or Max Payne 3.
Playing with HEX: Memory Hunt
Performing these kinds of searches with the Game Genie software is relatively simple, thanks to a “find” function that automatically converts decimal values to hexadecimal. Unfortunately, the software doesn’t provide much help in comparing those discovered memory locations across two different save files. The program doesn’t provide the opportunity to run a simple “diff” operation between two different save files, which would make it relatively simple to see which memory locations are being changed between two largely similar save states (Beckett said they hope to add this feature in the future). It’s not even possible to copy the raw data out to your own more powerful hex editor to find those differences for yourself, or to open two save files side by side to do a direct visual comparison. The only option is to copy down the memory values by hand and compare them that way, a tedious and laborious process.
Once you’ve found the key memory location, though, it’s just a matter of editing it to whatever hexadecimal value you want (Beckett noted that most experienced hackers have memorized the hexadecimal value for 9,999,999 for this very reason). It may take a few trial-and-error passes to figure out exactly how extensive the edits should be (does the gold value take up 8 bits or 16 bits, for instance?) but the Game Genie backs up the original saves, so you don’t have to worry about screwing up your save file permanently.
The Game Genie name doesn’t exactly have a sterling reputation, as far as some first-party console manufacturers are concerned, at least. Back in the early ‘90s, Nintendo actually sued Game Genie maker Galoob, alleging the modifications the device made to its games and system amounted to copyright infringement.
The case took the Game Genie off the market for a time, but Galoob eventually prevailed. In the process, the case set a precedent for a user’s right to modify their own technological property for personal use.
That doesn’t mean Hyperkin is out to antagonize Sony by letting players gain unearned PS3 trophies or an unfair advantage in online play. Those kinds of things are pretty much impossible with the Game Genie, anyway, since editing a local save file can’t alter the server-side player statistics maintained by the publisher. Still, Beckett said they keep an eye out for things that might affect online gameplay and purposely leave them out of pre-loaded code lists.
While Beckett expects that the new Game Genie “will mildly irritate Sony,” he was adamant that hacking your own, single-player save files is a basic right. “The games companies don’t have a right to dictate how you play your game. If you want to fast forward through a DVD and watch the second half or the ending, as long as you bought the DVD, it’s your right to do that.”
From and_fis comes some Game Genie Codes Decrypted, as follows:
Here is the decryption process for game genie codes so once you decrypt a game save you know what to change. All the known game codes are at game genie's web site. Example code:
offset from pointer
value to change to
0TXXXXXX 000000YY = 8Bit Write
1TXXXXXX 0000YYYY = 16Bit Write
2TXXXXXX YYYYYYYY = 32Bit Write
Y= Value to write
T=Address/Offset type (0 = Normal / 8 = Offset From Pointer)
Y= Value to write (Starting)
N=Times to Write
W=Increase Address By
V=Increase Value By
0 / 8 = 8bit
1 / 9 = 16bit
2 / A = 32bit
Z= Amount of times to find before Write
X= Amount of data to Match
Y= Search For (note: can be extended for more; just continue it like YYYYYYYY YYYYYYYY under it)
Once you have your search type done, place one of the standard code types under it, setting T to the pointer type.
Special Code Types
AA= Break address
YY= Count in bytes to insert at location 40
CC= Coprocessor break type (upper half)
FF= Breakpoint mask (usually FFFFFFFF)
00= bytes of code in address order
Some basic skills are required in order to reverse engineer. You must be familiar with the types of data used by games, and how this data is stored inside files.
The integer (a whole number, such as 1000) is extremely common. Since data is usually examined in a hex editor, the values are written in hex. Thus the value 1000 is 3E8 in hex (in order to distinguish between hex and decimal, the rest of this guide will prefix hex numbers with "0x", like the C programming language does - therefore 1000 is the same as 0x3E8.)
There are different variants of integers, but the most common are 16-bit and 32-bit. 16-bit integers occupy two bytes of space, and 32-bit integers occupy four bytes of space. In hex, every two digits are a byte. So 0x12 is one byte (8-bit), 0x1234 takes up two bytes (16-bit) and 0x12345678 takes up four bytes (32-bit). If you were to store 0x12 in a 32-bit integer, it would be 0x00000012 (the leading zeroes are ignored, like in decimal - 1000 is the same as 001000.)
When these integers are written to a file, however, the order of the bytes is different. The value 0x1234 is written as two bytes, 0x12 and 0x34. However, because DOS is little-endian, the order is reversed. Thus when looking at a file with a hex editor, the two bytes will appear as 0x34 followed by 0x12. A 32-bit number might look like this in a hex editor:
78 56 34 12
Reversing the order of those bytes reveals the number 0x12345678. Likewise, this might be another number seen in a hex editor:
23 67 01 00
This is where reverse engineering skills come into play. Is this a single 32-bit integer (0x00016723) or two 16-bit integers (0x6723 and 0x0001)? Being able to determine which is which is a skill a reverse engineer must learn. (In this case it is most likely to be a 32-bit integer, because the first 16-bit integer is so large and the second is so small. Usually sequential numbers are similar in value.)
Hex editor view
In order to examine game data, a hex editor must be used. It is important to know how to read data in a hex editor, as well as how to edit data. When opening a file, the data will appear something like this:
00000000 61 62 63 64 65 66 67 68 abcdefgh
Here, the first number is the offset. The very first byte in the file is at offset 0. The second byte is at offset 1, and so on. The first number tells you where in the file the data is positioned.
The next set of numbers (61 to 68 above) are hex values of the data. In this case, the first byte in the file is value 0x61. The third byte in the file is value 0x63.
After the numbers come ASCII (text) representations of the *same* numbers. In the example above, the first character is a lowercase "a" because 0x61 is the ASCII code for a lowercase letter A.
It is important to note that the numbers (61 to 68 above) and the letters (a-h above) are different representations of the same data. This is because sometimes it is easier to look at the data in numeric form, and sometimes it is easier to look at it in text. Having both views of the same data on the screen at the same time makes it easy to switch between the two.
By way of example, if you were trying to decode a 32-bit integer (as described in the previous section) you'd be looking at the hex numbers, but if you were trying to read some filenames it would be much easier to look at the text. After all, reading "6D 61 70 73 2E 64 61 74" is a lot harder than reading "maps.dat" but they are both the same data!
This is why, when editing data using a hex editor, if you change the numbers the text will also change, and likewise if you type over the text the numbers will change accordingly.
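To make the hex-editor view and the byte-order rules above concrete, here is an added example (not code from the guide quoted above) that renders a dump in the same "offset, hex bytes, text" layout and reads the guide's own sample byte strings back as integers. All inputs are built inline with bytes.fromhex(); the default byte order is little-endian, as the guide assumes, and write_int shows that editing the number changes the text column as well.

```python
"""Render the hex-editor view described above and read integers out of it.

Added example, not code from the guide quoted above. The byte strings are
the guide's own sample values, built inline with bytes.fromhex().
"""


def hexdump(data: bytes, per_line: int = 8):
    """One line per `per_line` bytes: offset, hex bytes, then the same bytes as text.

    The two right-hand columns are the same data in two representations;
    bytes that are not printable ASCII are shown as '.'.
    """
    lines = []
    for off in range(0, len(data), per_line):
        chunk = data[off:off + per_line]
        hex_part = " ".join(f"{b:02X}" for b in chunk).ljust(per_line * 3 - 1)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08X} {hex_part} {text}")
    return lines


def read_int(data: bytes, offset: int, width: int, byteorder: str = "little") -> int:
    """Read a `width`-byte integer; little-endian reverses the bytes seen on disk."""
    return int.from_bytes(data[offset:offset + width], byteorder)


def write_int(data: bytes, offset: int, value: int, width: int,
              byteorder: str = "little") -> bytes:
    """Return a copy with `value` stored at `offset` (both views change together)."""
    buf = bytearray(data)
    buf[offset:offset + width] = value.to_bytes(width, byteorder)
    return bytes(buf)


def interpretations(data: bytes, offset: int, byteorder: str = "little"):
    """The two readings of a 4-byte run: one 32-bit integer, or two 16-bit ones."""
    return {
        "u32": read_int(data, offset, 4, byteorder),
        "u16 pair": (read_int(data, offset, 2, byteorder),
                     read_int(data, offset + 2, 2, byteorder)),
    }


if __name__ == "__main__":
    print(hexdump(b"abcdefgh")[0])                          # 00000000 61 62 63 64 65 66 67 68 abcdefgh
    print(hex(read_int(bytes.fromhex("78563412"), 0, 4)))   # 0x12345678
    print(interpretations(bytes.fromhex("23670100"), 0))    # u32 0x16723 vs (0x6723, 0x1)
    print(hexdump(bytes.fromhex("6D6170732E646174"))[0])    # ... 6D 61 70 73 2E 64 61 74 maps.dat
    print(hexdump(write_int(b"abcdefgh", 0, 0x7A, 1))[0])   # 61 -> 7A, and 'a' -> 'z'
```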
From and_fis on hacking the GameGenie DRM dongle:
Ok, so I got a copy of ggseps3.exe of the cheat editor. I'm looking at trying to bypass their DRM for checking for a dongle before booting up the editor. I found the sub function call to check for the dongle and I found the sub that needs to be called in place of it to bypass it....
But I can't get IDA to step through the exe file to verify that it will work.. So if anyone wants to help I would appreciate it. The sub call that needs to be bypassed to is sub_48D90... so sub_25D80+75 needs to point to sub_48D90.. That would bypass the call check for the dongle and should allow bootup into the editor.
The reason I'm trying to achieve this is we would have a pre-made hex editor already set up and configured for game saves. We would be able to use any game save that we can encrypt and decrypt with PS3 Save Resigner and easily modify a save with Game Genie codes or make our own that can be easily shared.
I have a screenshot of IDA Pro showing the sub function. I uploaded a copy of ggseps3.exe as well as the screenshot if anyone wants to help. I just can't figure out how to edit the sub functions in IDA without it giving me an error... (pictured HERE).
From Gemma Arden: Here is the patched one from a couple days ago: http://www.2shared.com/file/G9cPU7o7/GGSEPS3.html
When I click resign save, it backs up the save then errors out. I don't get basic and advanced modes either. When the version I linked starts, a pop-up box shows an exception; just click on the continue button. It has the changes I posted on the previous page. (It doesn't ask for a serial. You're not being thick; you're using a different version of the program.)
ILSpy is good for browsing the code. You can have it show as IL, C#, or VB. Clicking on the plus next to items in the right pane will expand the entry to show the IL code, for example. It is an open source project.
I deleted the game genie entries from the registry to start over fresh. Downloaded a clean copy of game genie from media fire (provided by and_fis_). Started GGSEPS3.exe; it crashed at please insert... then found this key in the registry:
(substituted X's for the 32 digit number I used)
"Location"="C:\\Documents and Settings\\Gemma Arden\\My Documents\\Game Genie\\PS3 Saves Backup"
Started GGSEPS3.exe again game genie crashed at popup box: please insert... I added to registry in same key as serial:
Started GGSEPS.exe got pop up message:
There is a new version of Game Genie available. You MUST download this version to continue using the product. Download now? yes no I entered yes.
Progress bar finishes, preparing to install message pops up and disappears. When installing it creates files:
C:\Program Files\Game Genie\Save Editor for PS3\GGSEPS3.exe, GGSEPS3.exe.config, GameGenie SaveEditorfor PS3-Manual.pdf
Started GGSEPS3.exe, in the registry the hash entry had been deleted.
I uninstalled game genie. Reinstalled while offline and added hash value to registry again. Backed up the Game Genie directory contents. Started GGSEPS3.exe while offline. The fake serial and fake hash still present in the registry.
Here's a copy of ggusercheat.xml that someone uploaded: http://www.mediafire.com/?uyz2dperptpsdtp
The temp folder for the installer update files was: C:\Documents and Settings\username\Local Settings\Temp
The decrypted saves may be in: C:\Documents and Settings\username\Local Settings\Temp\PS3SE, or I have also read here: C:\Users\(USERID)\AppData\Local\Temp\PS3SE
I have wasted a lot of time trying to debug it in Visual Studio, but it doesn't work so well. Guess I will go back to static analysis; maybe I'll try .NET Reflector/Reflexil. Thanks for the info.
A little more progress. Now it will load the list of cheats from games_list.xml. Here's a picture of the games listed with the "show all" box checked. Double-clicked Final Fantasy XIII in the list and the Quick Mode pops up with the list of cheats for that game. You can see there are no check boxes and the apply button is grayed out because I don't have this game.
Uncheck show all, double click GTA saves, the individual save files show. Right click one of the GTA saves, click Quick Mode and it pops up. The quick mode for GTA shows the check boxes. Checking some of the boxes causes the apply button to not be grayed out. This won't actually apply cheats without a decrypted save and even then, that likely will have to be fixed as well if possible.
The GetOnlineGamesList function and a little patch to MainForm_load are the only new changes. This patched, testing-only version and the XML files are uploaded.
That genie folder in the archive needs to be placed on the C: drive, and also that zip file inside needs to remain zipped for the save editor to recognize it (you'll see the zip file inside the genie folder when you unrar genie.rar).
When right clicking a save and choosing advanced mode, the save editor creates ps3_files_list.xml in the temp directory and then tries to upload the save.
In quick mode, after selecting cheats, choosing a profile, and clicking apply, a warning pops up: "The save on the selected USB drive is about to be overwritten. Once completed, this cannot be undone. Do you wish to proceed?" Click yes, it creates the ps3_files_list.xml. A pop up box titled "Quick Mode" with progress bar labeled "uploading save" errors out.
Location of ps3_files_list.xml: C:\Documents and Settings\username\Local Settings\Temp
This contains 2 exe's (..._mod.exe and ..._clean.exe); they can be run at the same time, each with its own decrypted save file in a separate folder. Same requirements as before:
The cheat list (Gameslist.zip) and news feed (RSS.xml) must be placed in C:\genie
Of course, a PS3 save on USB.
A decrypted save file (and no other files) must be placed in the temp folder to load advanced edit.
C:\Documents and Settings\username\Local Settings\Temp\PS3SE_clean\
C:\Documents and Settings\username\Local Settings\Temp\PS3SE_mod\
Like in this image (green guide lines and label drawn on): the 8's in the highlighted area are what I guess would be changed.
Finally, from SkillerCMP, an explanation of the Game Genie code format:
Standard Code types
XXXXXX = Offset to write to
YY = 8-Bit value to write
YYYY = 16-Bit value to write
YYYYYYYY = 32-Bit value to write
T = Offset Type
0 = From start of the data
8 = From found from a search
XXXXXX = Offset to start with
YYYYYYYY = 8/16/32-Bit value to start with
NNN = Number of times to repeat
WWWW = Increase address by (in bytes)
VVVVVVVV = Increase value by
T = Bit Size
0 = 8-Bit from start of the data
1 = 16-Bit from start of the data
2 = 32-Bit from start of the data
8 = 8-Bit from found from a search
9 = 16-Bit from found from a search
A = 32-Bit from found from a search
XXXXXX = Offset to copy from
YYYYYY = Offset to copy to
ZZZZZZZZ = Number of bytes to copy
T = Bit Size
0 = From start of the data
8 = From found from a search
ZZZ = Number of times to find data
XXXX = Size of data to be found
YYYYYYYY = Raw data to search for
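Both code-format breakdowns on this page (and_fis's "0TXXXXXX 000000YY / 1TXXXXXX 0000YYYY / 2TXXXXXX YYYYYYYY" table and SkillerCMP's "Standard Code types") describe the same 8/16/32-bit write. The following is an added example, not Hyperkin's code, that parses codes in that layout and applies them to a decoded save image held in memory. It implements only the standard write type: T=0 writes at the absolute offset, T=8 writes relative to a base address that a preceding search code would have found (the search, repeat and copy types are described in less detail above and are left out). Multi-byte values are written big-endian here, which is an assumption (the PS3's CPU is big-endian, but neither post says how save fields are laid out); the 64-byte save and the three sample codes are constructed.

```python
"""Parse and apply the "standard" Game Genie save-editor write codes.

Added example (not Hyperkin's code) covering the 0T/1T/2T write type from
both code-format posts above. Big-endian storage of multi-byte values is an
assumption; the sample save and codes below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

SIZE_DIGIT = {"0": 1, "1": 2, "2": 4}   # first digit -> number of bytes written
BYTEORDER = "big"                       # assumption, see module docstring


@dataclass(frozen=True)
class WriteCode:
    width: int      # 1, 2 or 4 bytes
    relative: bool  # True when T == 8: offset is relative to a found/pointer base
    offset: int     # XXXXXX
    value: int      # YY / YYYY / YYYYYYYY


def parse_code(line: str) -> WriteCode:
    """'0TXXXXXX 000000YY' -> WriteCode; raises ValueError on anything else."""
    parts = line.split()
    if len(parts) != 2 or len(parts[0]) != 8 or len(parts[1]) != 8:
        raise ValueError(f"malformed code: {line!r}")
    head, val = parts[0].upper(), parts[1].upper()
    if head[0] not in SIZE_DIGIT:
        raise ValueError(f"unsupported code type {head[0]!r} in {line!r}")
    if head[1] not in "08":
        raise ValueError(f"unknown offset type {head[1]!r} in {line!r}")
    width = SIZE_DIGIT[head[0]]
    value = int(val, 16)
    if value >= 1 << (8 * width):
        raise ValueError(f"value {val} does not fit in {8 * width} bits")
    return WriteCode(width, head[1] == "8", int(head[2:], 16), value)


def is_valid_code(line: str) -> bool:
    """True when `line` parses as a standard write code."""
    try:
        parse_code(line)
        return True
    except ValueError:
        return False


def apply_codes(data: bytes, codes, base: Optional[int] = None) -> bytes:
    """Return a copy of `data` with every write applied in order.

    `base` is the address a search code would have found; it is required
    for T=8 codes and ignored for T=0 codes. Writes outside the image are
    rejected rather than silently truncated.
    """
    buf = bytearray(data)
    for code in codes:
        if code.relative:
            if base is None:
                raise ValueError("relative code needs the base found by a search code")
            off = base + code.offset
        else:
            off = code.offset
        if off < 0 or off + code.width > len(buf):
            raise ValueError(f"write at 0x{off:X} falls outside the {len(buf)}-byte save")
        buf[off:off + code.width] = code.value.to_bytes(code.width, BYTEORDER)
    return bytes(buf)


# Constructed sample codes, one per width; the last one writes 9,999,999 (0x98967F).
SAMPLE_CODES = [
    "0000001A 000000FF",  # 8-bit write at absolute offset 0x1A
    "10000010 0000270F",  # 16-bit write at absolute offset 0x10 (9999)
    "28000004 0098967F",  # 32-bit write 4 bytes past the found base
]

if __name__ == "__main__":
    save = apply_codes(bytes(64), [parse_code(c) for c in SAMPLE_CODES], base=0x20)
    print(save.hex(" "))
```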
Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!