Thread: Hex editor hacking
#1 DataSlayer v9.6 (Registered User)
    Hi.

    I hope I am right here. After 5 minutes of thinking I decided to post here.

    I am planning to hack a PS2 game. I am neither a real hacker nor do I claim to be one. However, I am still very sophisticated in computer science and an enthusiastic gamer. So if you help me I will help you and offer the PS2 community my projects in the future.

    Right now I am analyzing how to edit text and graphics. Here is the way I came up with and would like to hear if there are better ways to do it.

    Attention: All of these are ideas of my own that I have never tested, nor were they tested by people I know. I do not know if they are correct, incorrect or both. This is not for teaching others but to learn something myself. I do not want to waste your time, so if you are not willing to help, this thread might not be best for you. But if I should still be correct with my ideas, feel free to use this information.

    Also excuse my bad English. Thanks.

    1. Extracting the ISO.

    2. Open the files with some hex editor.

    3. Search for known values like character names. You also could search for numbers but strings will offer better search results because they are unique. But since PS2 files are most likely compressed or encrypted, the chance is almost zero that it works that easy. Just added this step in the hope that you guys tell me that it is really that easy...

    4. Now we need to search for headers of known file structures. But if we previously did not find any known text in the file, we do not need to look for text file headers. So we only look for multimedia headers. If we find something we could manipulate it. We also could extract them completely. That way the file size becomes smaller and it becomes easier to work with if we want to analyze the rest of the data in the hex editor or in assembler, or if we want to use the data in scripts; then the CPU workload will be smaller since we just work with the really important data.

    5. If we did not find anything then we should look for compression headers. Then we isolate them, extract, manipulate, compress and re-include.

    6. But if we did not find anything again the headers are either unknown or the file is encrypted. This is a nightmare. Because we now could waste our lives to analyze the expected file structures or we could try to decrypt the file. Anyway let's start to waste our lives.

    6.1 If the headers are unknown we could search for repeating structures. Since a game is full of multimedia files there should be many of them. We also could guess which header belongs to which media. The largest are videos. The rest are sound and graphics. But since they are in the same size class we get problems guessing. We now could manipulate a lot of either the one or the other structure and check if the game has changed sound or graphics. Now we know which file type we got there. And now we could program an editor for those file formats. First we need to analyze the file types we already know, like jpg or mp3. Then we could compare the known formats and the unknown formats and guess the differences. Now we have an editor and can start to manipulate the game as we wish. However I doubt that developers would waste their time creating new file formats, so I expect only known file formats.

    6.2 If the file is encrypted we would have to use any key we can think of on this file. Somehow I doubt that the files are encrypted, but I do not know. The key would either be stored in the PS2 itself, which means that the key was the same all these years and was already spread around the internet, or the key is stored somewhere on the game disc. If it is stored on the game disc we should be able to find it. But this concept sounds stupid as well, because if you encrypt something you do not want to store the key right next to the encrypted file. But then again it is still a method to slow down a hacker's work or even prevent them from proceeding entirely. The solutions I can think of to get the key are:

    6.2.1 PS2 games got a standard place for key file storage. Now we just need to know where and we can use it.
    6.2.2 We use assembler and look for the decryption structure which contains the address of the key.
    6.2.3 Cracking by brute force. This can take ages. Basically we use the keys on the file and check if the encrypted file now contains any known data mentioned before. We repeat that until all keys of all known encryption algorithms and algorithm cascades have been used.

    6.3 But what if only parts of the file are encrypted? How should we know what is encrypted and what is an unknown file structure? What if encryption and unknown file structures are mixed? Well, in that case I cannot think of any solution. But I doubt that it occurs that way.

    Well, this is it. Again, I am no hacker and I do not know much about this stuff. This thread is just about telling me which ideas are wrong and which are right. I hope for comments that save me time I could spend on my projects.

    Now I still got some questions:

    Are there common data structures? Like common files in the ISO? Common data types? Common encryption keys? And any other common stuff?

    How do I know if the data structure ends? Is there something like a file tail? Because if not, then maybe an unknown file structure directly follows that I accidentally take for a part of the image. But when I want to view the image in an editor the image would be corrupted because data was included which was not meant to be part of the image. But I just had the idea that the file size would be stored in the header, right?

    Is there a program that searches for any known file structure headers?

    Where can I get more information?

    Thanks for taking your time to read!

#2 yoshi314 (linux junkie)
    If you are going against a difficult game, a disassembler and EE instruction reference is a must (and often a VU instruction reference too).

    There are apps that handle various game archives; you can find some on xentax.com. Most games require an individual manual approach.

    You can also try using pcsx2 and do memory dumps and then analyze them. That's what some people do to extract 3D models from games.

#3 DataSlayer v9.6 (Registered User)
    Ah yes, forgot memory dumps.

    Btw, if the game was an online game it should also be possible to sniff and decrypt the packets. The good thing about sniffing packets is that they are rather small, which makes decrypting much easier. That also offers a hint which encryption algorithm the developer might have used on other parts of the game.

#4 SP193 (The fallen spartan..., Singapore)
    Quote Originally Posted by DataSlayer v9.6:
    > Hi.
    > 3. Search for known values like character names. You also could search for numbers but strings will offer better search results because they are unique. But since PS2 files are most likely compressed or encrypted, the chance is almost zero that it works that easy. Just added this step in the hope that you guys tell me that it is really that easy...
    Sometimes, it really is that easy.

    Quote Originally Posted by DataSlayer v9.6:
    > 6.2 If the file is encrypted we would have to use any key we can think of on this file. Somehow I doubt that the files are encrypted, but I do not know. The key would either be stored in the PS2 itself, which means that the key was the same all these years and was already spread around the internet, or the key is stored somewhere on the game disc. If it is stored on the game disc we should be able to find it. But this concept sounds stupid as well, because if you encrypt something you do not want to store the key right next to the encrypted file. But then again it is still a method to slow down a hacker's work or even prevent them from proceeding entirely. The solutions I can think of to get the key are:
    >
    > 6.2.1 PS2 games got a standard place for key file storage. Now we just need to know where and we can use it.
    > 6.2.2 We use assembler and look for the decryption structure which contains the address of the key.
    > 6.2.3 Cracking by brute force. This can take ages. Basically we use the keys on the file and check if the encrypted file now contains any known data mentioned before. We repeat that until all keys of all known encryption algorithms and algorithm cascades have been used.
    >
    > 6.3 But what if only parts of the file are encrypted? How should we know what is encrypted and what is an unknown file structure? What if encryption and unknown file structures are mixed? Well, in that case I cannot think of any solution. But I doubt that it occurs that way.
    You are right about the usage of encryption by the PS2, but the keys are not stored in a ROM chip or anywhere accessible like in newer consoles like the PS3 and PSP.

    The only encryption used by Sony is Magicgate, and everything related to Magicgate encryption is stored and processed by the drive MECHAnics CONtroller (MECHACON) of the PS2 (lol.... the CD/DVD drive hardware does a lot of things - other than just being a CD/DVD drive!).

    But then again, the Magicgate encryption is only used by Sony to store important programs like the DVD Player and OSDSYS updates, and probably to encrypt some game save data too.

    Some hacking has been done before, and some information on the system used by the MECHACON can be found on the Internet (Hint: FMCB, FreeVAST and the MCA project).

    Any other system of encryption used by games is game-dependent, and the code for decrypting the encrypted data can be found somewhere in the game itself.

    Quote Originally Posted by DataSlayer v9.6:
    > Are there common data structures? Like common files in the ISO? Common data types? Common encryption keys? And any other common stuff?
    Yes. As for the ISO9660 structures, you can find information on the structures used in that standard by reading the ECMA-119 (ISO9660) specification.

    Other structures can be found in the header files within the PS2SDK. Other stuff that is used by Sony might only be found in the official Sony PS2SDK.

    Quote Originally Posted by DataSlayer v9.6:
    > How do I know if the data structure ends? Is there something like a file tail? Because if not, then maybe an unknown file structure directly follows that I accidentally take for a part of the image. But when I want to view the image in an editor the image would be corrupted because data was included which was not meant to be part of the image. But I just had the idea that the file size would be stored in the header, right?
    That is true. But the only way to find out where a piece of data ends is by using facts.
    If you know the structure, you already know the length of the data.

    Otherwise, you have to make a larger dump and ignore the trailing garbage.


    Quote Originally Posted by DataSlayer v9.6:
    > Is there a program that searches for any known file structure headers?
    It depends. I think that there were some programs that could rip out things like the TIM/TIM2-format graphics, but that was about it.

    Quote Originally Posted by DataSlayer v9.6:
    > Where can I get more information?
    Unfortunately, a lot of it comes from your own research.
    The PS2 isn't really newbie-friendly, as its architecture is relatively different from a regular Intel PC's.

    Remember: Google is your friend.

    Just a tip: I think that you should familiarize yourself with PS2 programming first, before you start hacking anything. It will make your life a lot easier too.
    Unmodified SCPH-77006 with SM 3.6
    SCPH-39006 with M-chip modchip, SCPH-10281 NA and refurb Seagate 80GB HDD
    SCPH-10000 v1.00 with SCPH-10190 PCMCIA NA and SCPH-20400 HDD unit
    PS2ESDL v0.823B

    Yoo-hoo, the sweat sparkles ♪
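A small header carver illustrating SP193's answers about header scanners and about sizes living in the header (added example, not code from this thread or from any PS2 tool). It scans a blob for a few well-known magics and, for each hit, uses the format's own length information to find where the chunk ends: the RIFF size field, the TIM2 picture TotalSize fields, and a walk over PNG chunks to IEND. The sample bytes are constructed; the TIM2 layout assumed is a 16-byte file header (picture count at offset 6) followed by pictures that each begin with a uint32 TotalSize.

```python
import struct

def png_len(buf, off):
    """Walk PNG chunks (BE length, type, data, CRC) until IEND; None if truncated."""
    pos = off + 8                      # skip the 8-byte signature
    while pos + 8 <= len(buf):
        n, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        pos += 12 + n                  # length + type + data + crc
        if ctype == b"IEND":
            return pos - off
    return None                        # ran off the end: truncated or a false hit

def riff_len(buf, off):
    """RIFF: 'RIFF' + LE uint32 body size, so total = 8 + size (None if it overruns)."""
    total = 8 + struct.unpack("<I", buf[off + 4:off + 8])[0]
    return total if off + total <= len(buf) else None

def tim2_len(buf, off):
    """TIM2 (assumed layout): 16-byte file header with picture count at +6,
    then one picture per count whose first uint32 is its TotalSize."""
    count = struct.unpack("<H", buf[off + 6:off + 8])[0]
    pos = off + 16
    for _ in range(count):
        if pos + 4 > len(buf):
            return None
        pos += struct.unpack("<I", buf[pos:pos + 4])[0]
    return pos - off if pos <= len(buf) else None

SIGNATURES = [(b"\x89PNG\r\n\x1a\n", "png", png_len),
              (b"RIFF", "riff", riff_len),
              (b"TIM2", "tim2", tim2_len)]

def carve(buf):
    """Return sorted (offset, kind, length) for every known magic found in buf."""
    found = []
    for magic, kind, length_of in SIGNATURES:
        off = buf.find(magic)
        while off != -1:
            found.append((off, kind, length_of(buf, off)))
            off = buf.find(magic, off + 1)
    return sorted(found)

# Constructed sample blob (not from any game): junk, a minimal PNG, a RIFF/WAVE
# stub and a one-picture TIM2 with 8 bytes of image data, separated by filler.
def _chunk(ctype, data):               # PNG chunk; CRC left zero, not verified above
    return struct.pack(">I", len(data)) + ctype + data + b"\0\0\0\0"
PNG = b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", b"\0" * 13) + _chunk(b"IEND", b"")
WAVE_BODY = b"WAVEfmt " + struct.pack("<I", 4) + b"\0" * 4
WAVE = b"RIFF" + struct.pack("<I", len(WAVE_BODY)) + WAVE_BODY
PIC = struct.pack("<III", 56, 0, 8) + struct.pack("<H", 48) + b"\0" * 34 + b"\0" * 8
TIM2 = b"TIM2" + bytes([4, 0]) + struct.pack("<H", 1) + b"\0" * 8 + PIC
SAMPLE = b"junk" * 4 + PNG + b"\xff" * 5 + WAVE + b"\0" * 3 + TIM2 + b"pad" * 3
if __name__ == "__main__":
    for off, kind, length in carve(SAMPLE):
        print(f"{kind:5s} at 0x{off:04x} length {length}")
```

A four-byte magic like "RIFF" will also match by chance inside random or compressed data; a length that overruns the buffer (returned as None here) is the first cheap sanity check for rejecting such hits.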
