Max Payne 3 save editor?

Jones man

Forum Noob
Hi all, does anyone know of a save editor for MP3 on PS3? Mainly ones to help make NY Minute and NY Minute Hardcore much easier? Thanks in advance!
 

Max Payne 3 saves on Xbox and PC are heavily (probably "insanely" is more accurate) encrypted, so I assume that PS3 saves are also following the same insanity.

Anyways, if your PS3 has CFW or HEN I think you'll have a better chance using in-memory cheats with Artemis or NetCheat, than trying to modify the Mp3 save.

For the record, the crypto notes from the authors of the Xbox/PC save decrypt tool:

Code:
Cryptoanalysis by Vulnavia
x86-Codeanalysis by Vulnavia
PPC-Codeanalysis by Philymaster and Vulnavia
//------------------------------------------------------------------------------
Endianness = Mainly Little_Endian (AES is Endianless), PC-Header different
also great care must be applied for the Salts, they need to be Endianswapped
for the PC-Version but not for Xboxversions.
//------------------------------------------------------------------------------
AES-Mode = ECB, Blocksize 16, nonpadded
StaticAES = '1AB56FED7EC3FF01227B691533975DCE47D769653FF775426A96CD6D5307565D'
Salt1 = '0FC919E89A17C45FE716D46C3A159C75'
Salt2 = 'E109A542F60A133B81AC0255CC39401B'
Salt3 = '1508E96F47B847D13A658C71' + Integer_7 (see Fileformat.txt)
SpecialKey(PC) = 'C436F327FAEA192AB7A5D8ED51315730E9086624A74A8DA67BEA08B5FAE20189'
//^^^The SpecialKey has been extracted while tracing through the DLL Calls and
//probably is only static for the RLD Version
InitKey1 = 'XEN43156A' (XBOX)
InitKey2 = 'PCgh64rwA' (PC)
//------------------------------------------------------------------------------
InitialKey1(Xbox)[50] = InitKey1 + Version1 + Version2 (padded with 0x00)
InitialKey1(PC)[50] = InitKey2 + Version1 + Version2 + SpecialKey (padded with 0x00)
InitialKey2[50] = Initialkey1 + Integer_7 + Long_1
//------------------------------------------------------------------------------
Decrypt:
01. Double HMACSHA1: Key=InitialKey1, Data1=Secblock, Data2=Secblocksize(binary)
02. PKDF2RFC2898: Password=HMACResult, Salt=Salt1, Iterations=2000, dkLength=32
03. AES-Decrypt(16x): Buffer=0x18~0x43, Key=PKDF2Key1
04. PKDF2RFC2898: Password=0x18~0x43, Salt=Salt2 Iterations=2000, dkLength=32
05. AES-Encrypt(16x): Buffer=PKDF2Key2, Key=StaticAES
//-- Step 6 is only needed if SecblockSize-((SecblockSize SHR 4) SHL 4)) is <> 0
06. AES-Decrypt(16x): Buffer=SecblockSize-16, Key=(Encrypted PBKDF2 Key)
07. AES-Decrypt(16x): Buffer=Secblock, Key=(Encrypted PBKDF2 Key)
//-- Secblock is now fully decrypted! But there is still the last HMACSHA1
08. Double SHA1: Data1=InitialKey1, Data2=SecBlockLength(binary)
09. HMACSHA1: Key=DoubleSHA1, Data=Secblock
10. PKDF2RFC2898: Password=HMACResult+Initialkey2, Salt=Salt3+Integer7, Iterations=2000, dkLength=32
11. AES-Decrypt(16x): Buffer=0x18~0x43, Key=StaticAES
12. AES-Decrypt(16x): Buffer=0x18~0x43, Key=PKDF2Key3
//-- The 0x18~0x43 is now fully decrypted too and reveals the HMACSHA1 to verify
//------------------------------------------------------------------------------
// From here everything is decrypted, but still compressed with a proprietary
// LZW/LZRW1/LZSS Variation which I rebuilt as InMemory Version and is
// too complicated to explain here
//------------------------------------------------------------------------------

Code:
- 0x0~0x3 = Integer_1, Magic
- 0x4~0x7 = Integer_2, Version1 (0x1A=26 or 0x1B=27)
- 0x8~0xB = Integer_3, Length of Secure Block
- 0xC~0xF = Integer_4, Length of Secure Block + Version
- 0x10~0x13 = Integer_5, Checksum(Sum32) of Secure Block
- 0x14~0x17 = Integer_6, Version2 (0x06 or 0x07)
- 0x18~0x37 = Blob_1, HMACSHA1(0x14), Integer_7, Long_1 [encrypted]
- 0x38~0x3B = Integer_7, Salt (The manipulated Nanoseconds Part of Time/Date)
- 0x3C~0x43 = Long_1, Time/Date (Unixtime Integer only the other Part is 0)
- 0x44~Integer_3 = Blob_2, Secure Block [encrypted]
- After the Secure Block file is padded with 0x00

Notes:
Integer_7 can NOT be calculated back; the manipulation is one-way and not reversible,
and because of that it is impossible for anybody to check if it is the original or not.
Which means you can put there what you want after decryption; as long as you change both,
it will remain valid, because not even the game can know what the original value was and
will simply read what is there and use it as a part of a salt.
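
Added example, not part of the original post or of the decrypt tool: a Python parser for the header layout listed above that checks the version fields, the secure block length, the Sum32 checksum and the zero padding without decrypting anything. It assumes little-endian fields, that Integer_3 is a byte count starting at 0x44, and that Sum32 is a byte sum modulo 2**32 over the block as stored; the `SaveHeader`, `parse_save` and `build_sample` names and the sample file are constructed for illustration.

```python
import struct
from dataclasses import dataclass, field

# Assumptions: little-endian fields, Integer_3 is a byte count starting at 0x44,
# and Sum32 is the byte sum mod 2**32 over the secure block as stored.
HEADER = struct.Struct("<6I44s")          # covers 0x00..0x43
SECBLOCK_OFFSET = 0x44

@dataclass
class SaveHeader:
    magic: int
    version1: int
    secblock_len: int
    len_plus_version: int                 # Integer_4, kept but not checked
    checksum: int
    version2: int
    enc_region: bytes                     # 0x18~0x43, still encrypted
    problems: list = field(default_factory=list)

def sum32(data: bytes) -> int:
    return sum(data) & 0xFFFFFFFF

def parse_save(buf: bytes):
    """Return (SaveHeader, secure_block); structural issues go in .problems."""
    if len(buf) < HEADER.size:
        raise ValueError("shorter than the 0x44-byte header")
    hdr = SaveHeader(*HEADER.unpack_from(buf))
    if hdr.version1 not in (0x1A, 0x1B):
        hdr.problems.append("unexpected Version1")
    if hdr.version2 not in (0x06, 0x07):
        hdr.problems.append("unexpected Version2")
    end = SECBLOCK_OFFSET + hdr.secblock_len
    if end > len(buf):                    # never trust a length field
        hdr.problems.append("secure block runs past end of file")
        return hdr, b""
    secblock = buf[SECBLOCK_OFFSET:end]
    if sum32(secblock) != hdr.checksum:
        hdr.problems.append("Sum32 mismatch")
    if any(buf[end:]):
        hdr.problems.append("non-zero bytes after secure block")
    return hdr, secblock

def build_sample(secblock: bytes = bytes(range(32)), pad: int = 16) -> bytes:
    """Constructed test file, not a real save; magic and 0x18~0x43 are dummies."""
    head = HEADER.pack(0x44434241, 0x1B, len(secblock), 0,
                       sum32(secblock), 0x07, bytes(44))
    return head + secblock + bytes(pad)

if __name__ == "__main__":
    header, block = parse_save(build_sample())
    print(header.problems or "structure OK", len(block))
```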
 