PS3 Folklore - need help hex editing savegames (or making mods)

[ElevenCloud72]

Hi there!

I'm a huge fan of Folklore for the PS3. Now I'm trying to hex edit savegames for it. The goal is to unlock hard-to-get content for the fan community to enjoy. I'm however struggling with edits corrupting the savegames, so I was hoping this forum could offer some support. Sorry for the large amount of text.

For starters, Folklore does apparently not use standard PS3 savegame encryption as it has no "secure file id" (according to Bruteforce Save Data), meaning savegames are "unprotected". The reason for corruption when hex editing appears to be a "checksum or integrity hash" (suggested by Chat-GPT) in the form of a 8-byte block - such as F1 12 48 0E B8 00 00 04 - at the very end of savegame data. This block, especially the five first bytes, completely changes even with small game changes. I assume the checksum must be calculated manually to include any hex edits, for which its algorithm must be discovered.

Further analysis of three similar savegames in Chat-GPT suggests that "none of the standard hash or checksum algorithms (like CRC32, Adler-32, MD5, SHA-1, or SHA-256) match the checksum" and that the algorithm (after Chat-GPT failed bruteforce) is possibly "more complex than simple sums or hashes, likely includes bit-level transformations or a secret key (possibly a keyed hash like HMAC, AES-based MAC, or something Sony-specific), or that the last 8 bytes are not a checksum at all but possibly an encrypted or compressed metadata block." I know nothing about encryption nor PS3 savegame mechanics, so assuming Chat-GPT isn't "hallucinating" I get the impression Folklore savegames are incredibly well protected.

And yet, cheats for Folklore do exist, available at the PS3 Artemis Codelist Database. I've gotten some of them to work by converting them to Artemis patches in RPCS3 per online guides. I've yet to succeed in making my own cheats based on what hex values I think must be edited, but that might be my own fault.

Any experienced PS3 modder would probably know what next step to take better than me, but I've got these questions:

1. Is trying to find the checksum algorithm a feasible goal, or is it likely impossible? Alternatively, is it impractical compared to other potential approaches?
2. How do the existing Folklore Artemis cheats work, if they do not modify the savegames directly?
3. An example of a hex value I think must be edited is address 00035CAB changing from 00 to 01. How would this look like as an Artemis patch in RPCS3? (example)
4. I've read that some game developers to use "a custom additional encryption layer for their save files. In these cases you need to reverse-engineer the game itself." Is the Folklore 8-byte block a case of this?

For the record I assume the info I need is too specific for Chat-GPT to provide, nor can I fully trust Chat-GPT as I, again, know nothing of PS3 savegame mechanics. Any response is appreciated.

 

[GuilloteTesla]

ChatGPT won't help you with PS3 encryption.

You first need to understand the PS3 game save files structure (the dev wiki is a good place to start), how to decrypt them (some games implement their own encryption, some don't encrypt anything at all), the save data structure, and then use a hex editor to find key values that can be modified (like number of lives, or money).

You can use GameGenie for PS3, or NetCheat + CCAPI + DEX console in order to search memory addresses to edit.

Again, no free AI tool will help you with this, and a payed, more code-oriented one like Cursor or Claude first needs to be trained on PS3 development.

 

[Berion]

Every game is different so every save structure is different. You need a lot of time and reverse engineer skills to map it. What you written from neural network is mixed nonsense. ;]

Your best bet is taking two saves, one with unlocked content, one with locked. Both decrypted and if there is another encryption layer (game's one, not CellOS one), also do decryption. Then compare both files to determine locations and checksums. Still you need IT knowledge for that.

 

[bucanero]

savegame hacks have nothing to do with Artemis.

Artemis cheats are in-memory modifications, so they hack the game memory while the game is running.

In any case, the AI tool is probably right saying that the save might have a checksum protection, so you'll need to decompile and reverse engineer the game EBOOT code to find out how the checksum is generated, and only then you'll be able to trick the game with a hacked save.

On a side note, a possible mix would be to use Artemis to hack the game to disable the save-game checksum, and then in theory you would be able to load a save-game without proper checksum, but in any case it would require a lot of work to create an Artemis cheat that hacks the game checksum verification.

 

[ElevenCloud72]

Thanks for all the replies so far. I'm not surprised the Chat-GPT answers are mostly nonsense, that goes to show my lack of knowledge about this. Unfortunately I'm still not entirely sure where to go from here.

You first need to understand the PS3 game save files structure (...), how to decrypt them (...), the save data structure, (...) values that can be modified

I think I'm getting a better understanding of the 'pipeline' of making PS3 cheats now, but it's difficult to find info about these topics. For instance, the dev wiki does not provide any info on how to actually determine what types of protection Folklore uses. PSX-place has a large number of guides, but they all seem to concern PS3 modding/jailbreaking in some way or niche topics like on the Tip's / Trick's / Guide's & Tutorial's list. No offense to any of it though, it's all very impressive info. The best info I've found so far is this How to find addresses guide at nextgenupdate, though I'm not sure how much it can help me.

Could you suggest any additional resources on PS3 savegame info, PSX-place or otherwise, more specific topics to search for, or even provide a brief explanation of the topics you've listed? ("the save data structure refers to ...", "you can determine if a game uses encryption by ...") Sorry if I'm asking a lot, I'm at the level where I have lacking understanding of the entire process in general.

The only part I assume I've managed to do so far is identify values that must be changed to unlock content, such as the 00035CAB changing from 00 to 01. Although, it's difficult to be sure without any current way of testing. Also, this is only hex values in the savedata file, not memory addresses, if I understand correctly that there's a difference. For context, Folklore is a monster-capture type of game where you gather "folks". My aim is to unlock as early as possible - ideally at start - some folks rewarded from gameplay in a (frankly poorly designed) online feature called the Dungeon Trial.

You can use GameGenie for PS3, or NetCheat + CCAPI + DEX console in order to search memory addresses to edit.

I assume this is the kind of info described in the "How to find addresses" guide. Do these programs require a jailbroken PS3? Also, are these the same values modified by Artemis in the in-memory modifications mentioned in this thread by user bucanero?

(...) if there is another encryption layer (game's one, not CellOS one), also do decryption.

Could you elaborate exactly what is to be decrypted (a certain file, a certain set of data like maybe hex values, or something else), and how?

you'll need to decompile and reverse engineer the game EBOOT code to find out how the checksum is generated

I understand the EBOOT is akin to the game .exe. I'm probably asking way above my head, but how do you obtain this, and how do you decompile and reverse engineer it?

Still you need IT knowledge for that.

Yeah, that figures. I'll admit that all this seem above my skill to figure out, which makes me wonder if it's better to adequately pay someone more skilled to do it. But where would I find expertise like that? Is the IT skill required to make PS3 cheats at the level where I could likely find someone viable on Fiverr or similar websites, or even right here on PSX-place? If anyone wants to negotiate, step right up...

 

[create961]

First of all, I know next to nothing of PS3 or PS3 cheats (but I am a professional programmer if that counts for anything). You seem very committed to this endeavour which is cool, my question to you is why do you want to edit the save games specifically? You want to unlock "folks" but that should be possible using the kind of running memory hacks, which should be easier as they bypass any kind of protection once you know the correct addresses. Just curios as for me as game player, it would be more useful to have a running game cheat, as results would be instant, and there is also a tool to apply those.

 

[ElevenCloud72]

why do you want to edit the save games specifically?

Good point. It's only because it's easy to find info about this kind of hack and that this gave the impression it could be a feasible method of unlocking game content. As you say, a memory hack would probably work better. What is the tool you're referring to?

 

[create961]

Good point. It's only because it's easy to find info about this kind of hack and that this gave the impression it could be a feasible method of unlocking game content. As you say, a memory hack would probably work better. What is the tool you're referring to?

Sorry I am not referring to any tool, as I said I don't know much about the PS3. I am just referring to the general concept of using a running memory patch instead of a save game. I assume, since a safe file is at rest, it is protected from tampering by encryption and other mechanisms. But those should be lax within running memory (although you have other difficulties) since the game designers did not expect anyone to have access to the RAM, and also the PS3 needs that data un-encrypted in RAM to be able to use it.

As for tools, I am only guessing, but I think RPCS3 is probably the thing to use, you would run your game, and I assume it has some sort of memory snoop tool, you would then search for specific things that you are seeing on screen, say the HP, or something else, something easily searchable, then when it changes in game check if it also changes in memory, if it does then you would try and manually modify that and go from there. I am guessing that is one way it might work.

Another, harder but potentially more rewarding approach is to extract out the binary of the game, load it into an analysis tool like ghidra, and again search for things that are well known, and then follow the logic, which is hard since its such low level assembly / C. But with this approach you can instead of patching simple values like HP, change logic or the flow, so that you can change a condition like if not to an if. Both techniques can be used to get closer to what you want, for example if you know the game displays a message such as "You died" when you hit some condition, and you don't know where the address for that condition value is, you can just find where the message "You died" is used, then before it is invoked there must be check for the condition, which then must check some address for the value, once you know the address you can create a simpler patch just to patch it.

This is of course overly vague and general and in practice it is more harder than this.

 

[ElevenCloud72]

RPCS3 is probably the thing to use, you would run your game, and I assume it has some sort of memory snoop tool

That's pretty clever actually. It would not require a jailbroken PS3 either, like the DEX console approach. Online results readily suggest the "Cheat Engine" software can be used for memory snoop/modification in RPCS3, so I'll give that a try. Thanks for the tip!