#81329 - kv83 - Fri Apr 28, 2006 1:01 pm
Hey guys. Just bought Lost Magic, and I saw it can send a demo to another DS, so someone else can "test" the game. I immediately remembered that you guys try to capture those demos from download stations... would it be possible to capture one from a game too? I would like to capture it so you guys can test Lost Magic. So if anyone gives me instructions, I would share it with you guys.
Send me a mail kvince83@gmail.com, since I'm not checking this forum very often :)
#81331 - dualscreenman - Fri Apr 28, 2006 1:07 pm
Here's a place with info on Capturing Demos:
http://wiki.akkit.org/DSDemoCapture
The site also has some demos for download.
_________________
dualscreenman wrote:
What about Gaim DS? Gaim pretty much has support for all IM programs.
tepples wrote:
"Goshdammit, the DS is not a Gaim-boy! It's a third pillar!"
#81340 - Normmatt - Fri Apr 28, 2006 3:21 pm
You could also dump the ROM and extract its contents with ndstool and search for any files with .srl extensions, as they are usually the wireless demos.
#81372 - josath - Fri Apr 28, 2006 8:06 pm
A lot of times the demos sent from commercial games require the commercial game itself. This one may be different, but many of them in the past (the Sonic one, for example) won't boot unless the demo is sent from an actual DS with the game running in it.
#81376 - thundrestrike - Fri Apr 28, 2006 9:31 pm
I got an idea: what if someone captured it and then asked thoduv to recompress it and see if it can be sent using the DS Download dump thingy to other DSes?
Of course it's RSA signed, right?
_________________
popcorn
#81379 - tepples - Fri Apr 28, 2006 9:57 pm
josath wrote:
many [WMB demos] (the sonic one for example), won't boot unless the demo is sent from an actual DS with the game running in it.
That's called a multi-stage loader, and it may be exploitable to load homebrew.
_________________
-- Where is he?
-- Who?
-- You know, the human.
-- I think he moved to Tilwick.
#81549 - m2pt5 - Sun Apr 30, 2006 12:04 am
josath wrote:
a lot of times the demos sent from commerical games require the commercial game itself. this one may be different, but many of them in the past (the sonic one for example), won't boot unless the demo is sent from an actual DS with the game running in it.
The Sonic Rush demo / multiboot stub is one of the few that will boot and run on an unmodified DS from a ROM.
_________________
Don't sign your posts, it's dumb.
#81607 - kv83 - Sun Apr 30, 2006 4:25 pm
So.... Is it possible? And if it is, how can I do it? Can't anybody make some kind of "walkthrough" for this stuff?
#82153 - Rain - Thu May 04, 2006 7:51 am
I did it, and yes, it's a multi-stage loader.
The thing is, the game has a .srl file inside it. I unpacked it and uploaded it through wmb.
What it does is that it uploads a loader to your DS. A loader which runs, and then looks for the source DS that sent it in the first place to download even more data - something that nobody has recreated so far with the wmb tool.
Technically, I think it would be possible. Kinda hard, since the wmb uploader tool would have to be updated to receive a request for more data, and we would have to have the actual data to be sent.
In other words, the Lost Magic demo is like the Sonic Rush demo. By today's standards, we can't just capture it/dump it and send them ourselves.
I don't know if this kind of multi-stage loader is something Nintendo has to do because of the DS's memory limits or if it's something that Nintendo is doing to avoid the capture/distribution of those demos through the internet. The new download stations also send a loader to the DS, and then send compressed data (something that, if we captured it, wouldn't be of much use, since we would need to decompress it before sending with wmb).
#82180 - chishm - Thu May 04, 2006 1:30 pm
They do it to not double up on the game resources stored on the DS card.
_________________
http://chishm.drunkencoders.com
http://dldi.drunkencoders.com
#82185 - tepples - Thu May 04, 2006 2:03 pm
But do most of these multi-stage loaders also verify the RSA signature?
wifime2?
#82193 - chishm - Thu May 04, 2006 2:44 pm
tepples wrote:
But do most of these multi-stage loaders also verify the RSA signature?
wifime2?
Most likely not, since it is mainly game data and not the executable that is sent in the 2nd stage.
#82200 - tepples - Thu May 04, 2006 3:24 pm
So what happens when you send more game data than the program expects, or malformed data? Is it possible to buffer-overflow the program and have it execute data?
#82202 - Rain - Thu May 04, 2006 3:55 pm
The way I see it, somebody would have to code a wmb-like tool (or update wmb-tool) to allow multi-stage loaders to work.
Then, we would have to tamper with the files sent, to see what we would be able to do.
Best case scenario, we have two new features: ability to play multi-stage demos and wifime2 for newer-firmware DSes.
Worst case scenario, we have the ability to play multi-stage demos.
The only thing that's holding back both the multi-stage demo playing and wifime2 attempts is lack of interest/time from the people that know what they're doing to try to do it. We can theorize all day about what would happen if we buffer overflow any multi-stage loaders, but nobody will actually know what will happen unless somebody with knowledge actually tries it.
Edit: I guess it could be possible for somebody to download a multi-loader demo-offering game, change the files it sends after the loader, rebuild the ROM, flash it to a FlashMe'd DS and try to upload the demo to a non-FlashMe'd DS... yeah, that sounds easier than updating wmbtool...
#82599 - DarkKiller - Sun May 07, 2006 6:24 pm
I have been experimenting all day, and here's the reason why Nintendo made multi-stage loaders: RAM.
If the DS Download Station does the same as all the loader games, here's what the sending DS does:
Firstly, the loader for the demo is loaded into RAM. If it was a big demo, without a multistage loader, it would crash the DS because of the existing RAM used by the game (this is a big reason). Then when the loader is received at the receiving DS, the sending DS sends all the data, bit by bit.
When all data is sent, it'll boot the demo.
So I don't think Nintendo did it because of the hackers. More for the usability ;)
PS: This is highly thinking and guessing. Nothing else.
_________________
The Dark... Is going to kill you today!
#82663 - chishm - Mon May 08, 2006 9:25 am
You may be onto something there. IIRC, ARM9 binaries loaded via WMB can be a maximum of 2.5MB in size, because of where the loader code sits in memory, etc. Game assets can be loaded after the binary. So it isn't sending a bootstrapper, but the full game binaries which then load the assets in the second stage.
#82701 - LiraNuna - Mon May 08, 2006 6:35 pm
ToD's ARM9 binary was 3.1MB and the game was working fine from WMB.
#82750 - chishm - Tue May 09, 2006 9:27 am
That's why I said IIRC :D
But I have had WMB transfers fail because the NDS file didn't conform to Nintendo's specs, even though it worked via GBAMP.
#82757 - DarkKiller - Tue May 09, 2006 12:48 pm
That's via WMB. Not an actual DS sending it to another ;)
Try opening a game which sends a demo without any multistage loaders with DSLazy (I'm too lazy to use NDSTool myself), and replace the binary with ToD. That should hopefully show what happens.
DarkKiller