Help Embedding Codes Into a Game's SLUS
02-01-2005,07:08 AM
I have a question that has really been bothering me.
I would like to know if it is possible to write a raw hex code directly into the SLUS/SLES of a game.
I attempted to do this by opening the SLUS file of Grand Theft Auto 3 and following a hacking guide explaining how to hack a code to gain free resprays.
I opened the SLUS file in ps2dis and found the label "ReSpraysAreFree_8CGaragnop". I then jumped to the address 00416F90 00000000. The guide says that to get free resprays the value needs to be changed to 00000001. Thinking it should be a piece of cake, I then opened a hex editor, used "Go To Offset" and typed 00416F90. It jumps to the address...
But it looks completely different: where I'm expecting to find 00000000 I see 78512600. Why is this? I understand it may not work for some types of codes, but I should be able to at least find the address or offset, right?
Can anyone please help me to understand what I need to do in order to hack a code directly into a game's ELF file?
Edit: After further searching I found this post:
http://www.psx-scene.com/forums/show...8&postcount=18

Originally Posted by Shabba:
Load the SCUS (elf) file into PS2DIS, go to the address that is to be modified.
Imagine the instruction at this address is sw v0,0x0(a0), whose hex value is 0xAC820000.
I don't understand: where do I get "v0,0x0(a0)" from, and how do I convert that into a hex value?
Last edited by 02cali; 02-01-2005 at 05:08 PM.
-
02-01-2005,12:53 PM
The 'sw v0,0x0(a0)' is a mnemonic that represents the instruction 0xAC820000.
If you load your .elf into ps2dis you will see 3 columns: the 1st is the address, the 2nd is the actual instruction value (the 0xac820000 bit) and the 3rd is the mnemonic for this value (the sw v0,0x0(a0) bit).
For example, if you had a MIPS assembler and typed in 'sw v0,0x0(a0)', it would assemble to the value 0xac820000.
-
02-01-2005,05:42 PM
OK, let me see if I understand. The 'mnemonic' is the 3rd set of numbers in ps2dis, after the address (00416F90) and the value (00000000), then the mnemonic (XXXX). So I take the mnemonic, open up a MIPS assembler, type in (XXXXX) and press assemble? Then it should give me the 8 digits of hex I need to look for and change in my hex editor?
Question: Is this hex code I get from the mnemonic equal to the address 00416F90 or to the value held at the address, 00000000?
The code I am dealing with has no mnemonic, only this:
00416F90 00000000 "ReSpraysAreFree_8CGaragnop"
So with no mnemonic, how would I go about finding the address in WinHex and changing the value from 00000000 to 00000001?
-
02-01-2005,05:54 PM
Make the ps2dis address data's byte order little-endian, and that's what you would search for in the hex editor.
Example:
00456784 12345678 beq s1, s4, $001159e4
"12 34 56 78" would become "78 56 34 12"
Last edited by Dark_Killer; 02-01-2005 at 06:00 PM.
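The lookup the original poster was missing, as an added example that is not code from anyone in this thread: ps2dis shows virtual (load) addresses, while a hex editor's "Go To Offset" is a raw file offset. The two are related through the ELF program headers (file offset = vaddr - p_vaddr + p_offset for the PT_LOAD segment that contains the address), and a 32-bit word is stored little-endian on the PS2's Emotion Engine, so 12345678 shows up as 78 56 34 12. The ELF built here is a constructed minimal one, not a game's SLUS; the same parsing applies to a real SLUS/SLES. One caveat worth knowing before you search: an address that lies inside a segment's p_memsz but past its p_filesz (zero-initialised data, .bss) has no bytes in the file at all, so it cannot be patched there; you would have to patch the code that writes it instead.

```python
import struct

PT_LOAD = 1
ELF32_EHDR_SIZE, ELF32_PHDR_SIZE = 52, 32


def parse_load_segments(elf):
    """Return (p_offset, p_vaddr, p_filesz, p_memsz) for each PT_LOAD of an
    ELF32 little-endian image (the PS2 Emotion Engine is 32-bit MIPS, LE)."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf[4] != 1 or elf[5] != 1:
        raise ValueError("expected ELF32 (EI_CLASS=1), little-endian (EI_DATA=1)")
    (e_phoff,) = struct.unpack_from("<I", elf, 0x1C)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x2A)
    segments = []
    for i in range(e_phnum):
        p_type, p_offset, p_vaddr, _p_paddr, p_filesz, p_memsz = struct.unpack_from(
            "<IIIIII", elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segments.append((p_offset, p_vaddr, p_filesz, p_memsz))
    return segments


def vaddr_to_offset(elf, vaddr):
    """Map a ps2dis (virtual) address to the raw file offset a hex editor uses.
    Raises if the address is zero-fill (.bss: inside p_memsz but past p_filesz)
    or not mapped at all, because then there is nothing in the file to patch."""
    for p_offset, p_vaddr, p_filesz, p_memsz in parse_load_segments(elf):
        if p_vaddr <= vaddr < p_vaddr + p_memsz:
            if vaddr >= p_vaddr + p_filesz:
                raise ValueError(f"{vaddr:#010x} is zero-initialised data; it has no file bytes")
            return vaddr - p_vaddr + p_offset
    raise ValueError(f"{vaddr:#010x} is not inside any PT_LOAD segment")


def is_patchable(elf, vaddr):
    """True when the address is backed by bytes in the file."""
    try:
        vaddr_to_offset(elf, vaddr)
        return True
    except ValueError:
        return False


def le_bytes(word):
    """Byte pattern a hex editor shows for a 32-bit word: 12345678 -> 78 56 34 12."""
    return struct.pack("<I", word)


def patch_word(elf, vaddr, expected, new):
    """Replace one 32-bit word at a virtual address, refusing if the current
    value is not what the disassembly showed (wrong offset or wrong ELF)."""
    off = vaddr_to_offset(elf, vaddr)
    (current,) = struct.unpack_from("<I", elf, off)
    if current != expected:
        raise ValueError(f"at {off:#x} found {current:08X}, expected {expected:08X}")
    patched = bytearray(elf)
    struct.pack_into("<I", patched, off, new)
    return bytes(patched), off


def build_sample_elf():
    """Constructed minimal ELF32 LE image (NOT a real SLUS): one PT_LOAD segment
    of 0x100 file bytes at offset 0x80, loaded at 0x00100000, with 0x40 bytes
    of extra .bss-style zero fill (p_memsz > p_filesz)."""
    seg_off, seg_vaddr, seg_filesz, seg_memsz = 0x80, 0x00100000, 0x100, 0x140
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)  # ELF32, LE, version 1
    ehdr = ident + struct.pack(
        "<HHIIIIIHHHHHH",
        2, 8, 1,                              # e_type ET_EXEC, e_machine EM_MIPS, e_version
        seg_vaddr,                            # e_entry
        ELF32_EHDR_SIZE, 0, 0,                # e_phoff (right after the header), e_shoff, e_flags
        ELF32_EHDR_SIZE, ELF32_PHDR_SIZE, 1,  # e_ehsize, e_phentsize, e_phnum
        0, 0, 0)                              # e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack("<IIIIIIII", PT_LOAD, seg_off, seg_vaddr, seg_vaddr,
                       seg_filesz, seg_memsz, 7, 16)  # p_flags RWX, p_align
    body = bytearray(seg_filesz)
    struct.pack_into("<I", body, 0x10, 0xAC820000)  # sw v0,0x0(a0) at 0x00100010
    # the word at 0x00100040 stays 00000000: the one we will change to 00000001
    image = ehdr + phdr
    image += bytes(seg_off - len(image))            # pad up to the segment's file offset
    return image + bytes(body)


if __name__ == "__main__":
    elf = build_sample_elf()
    print("12345678 in the file looks like:", le_bytes(0x12345678).hex(" "))
    off = vaddr_to_offset(elf, 0x00100010)
    print(f"vaddr 0x00100010 -> offset {off:#x}: {elf[off:off + 4].hex(' ')}")
    patched, off = patch_word(elf, 0x00100040, 0x00000000, 0x00000001)
    print(f"patched word at offset {off:#x}: {patched[off:off + 4].hex(' ')}")
    print("0x00100120 patchable in the file?", is_patchable(elf, 0x00100120))
```

On a real SLUS you would read the file, call vaddr_to_offset with the address ps2dis shows, and compare the four little-endian bytes at that offset with the ps2dis value before writing anything; a mismatch means the offset is wrong, not that the editor is lying.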
-
02-02-2005,01:27 AM
Last edited by 02cali; 02-05-2005 at 07:28 AM.
-
02-11-2005,06:52 AM

Originally Posted by 02cali:
Figured it out, thanks!
Hi, why don't you write a guide so other people will know how to do this?
Can you use any codes (Codebreaker, Action Replay, AR Max, etc) and convert them to a usable format for patching?
-
02-12-2005,01:06 PM
For jokers and the like you need to write custom subroutines. What you do is find a blank space in the file, usually before the entry point, then overwrite the blanks with something like this:
// Step 1: Move the stack pointer down by 16 (add -16), giving you a place to store your registers:
addiu sp, sp, $FFF0
// Step 2: Do this for each register you need to use in your function:
sw v0, $0000(sp)
sw v1, $0004(sp)
sw a0, $0008(sp)
...
// Step 3: Replace the brackets and what's inside them with those parts of the joker:
lui v0, $(left half of joker address)
lw v1, $(right half of joker address)(v0)
lui a0, $(left half of the value to test for)
addiu a0, a0, $(right half of value to test for)
bne a0, v1, $(the address after the ones that constantly write)
nop // branch delay slot
// Step 4: Repeat this for every line in the jokered code:
lui a2, $(left half of the value to write)
addiu a2, a2, $(right half of value to write)
lui a1, $(left half of write address)
sw a2, $(right half of write address)(a1)
/* The bne address would be here. Repeat steps 3 and 4 for all the codes that either need jokers or need to be continually written to memory. */
// Step 5: Do this for each register you used in your function:
lw v0, $0000(sp)
lw v1, $0004(sp)
lw a0, $0008(sp)
...
/* Step 6: Move the stack pointer back up by 16 to put it where it was before your function was called: */
addiu sp, sp, $0010
// Step 7: Jump to memcpy like this:
j $(the address of memcpy)
nop // jump delay slot
/* Step 8: Find an AR2 type M code and replace the jal to memcpy with a jal to your custom function. */
EDIT: Someone remind me to put that thing up on CMP.
Last edited by Vampmaster; 02-13-2005 at 10:27 AM.
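The subroutine above is a template with placeholders. As an added example (not Vampmaster's code, nor anyone else's from this thread), here is a small Python encoder for the handful of MIPS instructions the template uses, plus a function that assembles the whole hook with concrete values, so you can see the 32-bit words you would paste into the ELF. The base address for free space, the pad-state address and the memcpy address are made up; 0x00416F90 := 00000001 is the respray write from the first post. Two details the template skips are handled: MIPS branches and jumps have a delay slot (a nop is emitted after bne and j), and 16-bit immediates in addiu and in load/store offsets are sign-extended, so when the low half of an address has bit 15 set the upper half must be bumped by one (hi_lo), and constants are loaded with lui + ori, which zero-extends. The hook saves a0-a2 and tail-jumps with j rather than jal so that the hijacked 'jal memcpy' still receives its original arguments and return address.

```python
REGS = {name: num for num, name in enumerate(
    "zero at v0 v1 a0 a1 a2 a3 t0 t1 t2 t3 t4 t5 t6 t7 "
    "s0 s1 s2 s3 s4 s5 s6 s7 t8 t9 k0 k1 gp sp fp ra".split())}


def i_type(op, rs, rt, imm):
    """MIPS I-type word: op(6) rs(5) rt(5) imm(16); imm may be negative."""
    return (op << 26) | (REGS[rs] << 21) | (REGS[rt] << 16) | (imm & 0xFFFF)


def lui(rt, imm):         return i_type(0x0F, "zero", rt, imm)
def addiu(rt, rs, imm):   return i_type(0x09, rs, rt, imm)   # imm is sign-extended
def ori(rt, rs, imm):     return i_type(0x0D, rs, rt, imm)   # imm is zero-extended
def lw(rt, off, base):    return i_type(0x23, base, rt, off)
def lh(rt, off, base):    return i_type(0x21, base, rt, off)
def sw(rt, off, base):    return i_type(0x2B, base, rt, off)
def nop():                return 0


def branch(op, rs, rt, pc, target):
    """beq/bne: the 16-bit field is (target - (pc + 4)) / 4, counted in instructions."""
    off = (target - (pc + 4)) >> 2
    if not -0x8000 <= off <= 0x7FFF:
        raise ValueError("branch target out of range")
    return i_type(op, rs, rt, off)


def beq(rs, rt, pc, target): return branch(0x04, rs, rt, pc, target)
def bne(rs, rt, pc, target): return branch(0x05, rs, rt, pc, target)


def j(target):
    """j: the low 28 bits of the target, shifted right by 2; the top 4 bits
    are taken from the address of the delay slot at run time."""
    return (0x02 << 26) | ((target >> 2) & 0x03FFFFFF)


def hi_lo(addr):
    """Split an address for lui + 16-bit load/store offset. The offset is
    sign-extended, so when bit 15 of the low half is set the hardware will
    subtract 0x10000; compensate by adding one to the high half (GNU %hi/%lo)."""
    lo = addr & 0xFFFF
    hi = ((addr >> 16) + (1 if lo & 0x8000 else 0)) & 0xFFFF
    return hi, lo


def li32(rt, value):
    """Load a 32-bit constant with lui + ori (ori zero-extends, so no carry fix)."""
    return [lui(rt, (value >> 16) & 0xFFFF), ori(rt, rt, value & 0xFFFF)]


def assemble_joker_hook(base, joker_addr, joker_value, writes, memcpy_addr):
    """Assemble the thread's hook at address `base`: save regs, load the joker
    word, skip the writes unless it equals joker_value, do each (addr, value)
    32-bit write, restore regs, and tail-jump to memcpy so the hijacked
    'jal memcpy' still does its job. Returns the list of 32-bit words."""
    saved = ["v0", "v1", "a0", "a1", "a2"]        # a0-a2 are memcpy's arguments
    frame = 32                                     # 5 words, rounded up to 16-byte alignment
    code = [addiu("sp", "sp", -frame)]
    code += [sw(r, 4 * i, "sp") for i, r in enumerate(saved)]
    hi, lo = hi_lo(joker_addr)
    code += [lui("v0", hi), lw("v1", lo, "v0")]
    code += li32("a0", joker_value)
    bne_pc = base + 4 * len(code)
    skip_to = bne_pc + 4 * (2 + 4 * len(writes))   # past bne, its delay slot and the writes
    code += [bne("a0", "v1", bne_pc, skip_to), nop()]
    for addr, value in writes:
        hi, lo = hi_lo(addr)
        code += li32("a2", value) + [lui("a1", hi), sw("a2", lo, "a1")]
    assert base + 4 * len(code) == skip_to         # the branch lands on the restore sequence
    code += [lw(r, 4 * i, "sp") for i, r in enumerate(saved)]
    code += [addiu("sp", "sp", frame), j(memcpy_addr), nop()]
    return code


def to_le_bytes(words):
    """Little-endian byte string to paste over the free space in the ELF."""
    return b"".join(w.to_bytes(4, "little") for w in words)


def example_hook():
    """Concrete instance with made-up addresses (base, pad-state word, memcpy);
    the write itself is the thread's respray word 00416F90 := 00000001."""
    return assemble_joker_hook(
        base=0x00100000,            # hypothetical free space before the entry point
        joker_addr=0x00109A20,      # hypothetical pad-state word; low half has bit 15 set
        joker_value=0x0000FF7F,     # hypothetical button mask to test for
        writes=[(0x00416F90, 0x00000001)],
        memcpy_addr=0x0012F340)     # hypothetical


if __name__ == "__main__":
    for i, w in enumerate(example_hook()):
        print(f"{0x00100000 + 4 * i:08X}  {w:08X}  {to_le_bytes([w]).hex(' ')}")
```

The listing prints the same three columns ps2dis shows (address, word, and here the little-endian bytes instead of the mnemonic), which is also a quick way to check your own hand-encoded words: sw v0,0x0(a0) comes out as AC820000 and the beq s1,s4 from the earlier post as 12345678.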
-
02-12-2005,03:51 PM
There are a couple of problems with this.
1. 0xFFF0 in this context is -16.
2. If you add something (rather than replace something) to an ELF file, you will need to update the header tables with new file locations. If it's done as you explained, every segment in the ELF that occurs after .text may need to have its segment header entry updated to reflect its new location in the file (there may be some padding you can borrow, but you should really check first). Also, the .text segment will need to have its size attribute increased, as well as changing its memory address attribute. If the address attribute is left unchanged, the .text segment will be loaded normally, but your instructions will begin at or just prior to the entry point, instead of residing somewhere "above" it. Meaning if you just open up the ELF in a hex editor and start inserting bits of code, you're just going to make the ELF an unusable mess.
3. You can usually test controller data with a halfword.
Have you ever actually attempted this? I'm gathering you haven't, so I don't think this is exactly a guide as much as it is conjecture. I admit that I've never tried it either, but what I know about the structure of ELFs leads me to believe this explanation is either theory or extremely oversimplified.
-
02-13-2005,06:02 AM
I have patched quite a few game ROMs with either PAR codes or Game Genie codes converted to hex (or searched for my own) quite often (Sega Genesis, Super NES, Master System etc.), and even TurboGrafx-16 ROMs recently.
Recently Tony Hedstrom wrote a guide on how to hex edit the Sonic CD Sega CD game with permanent codes.
There has to be an easy way to convert Codebreaker, Gameshark, Exploder codes to hex so you can change some line(s) of code (like infinite health, start with XX number of lives or whatever) in the ELF (if it is even in the ELF) for PS2 games.
-
02-13-2005,09:58 AM

Originally Posted by Pyriel:
There are a couple of problems with this. ...
My bad on the 16 instead of 15. Changed Step 6 to say addiu sp, sp, $0010. Is it corresponding to the $FFF0 at the top now?
I tried a code like that with a cheat device and it worked fine. I assumed that the chunk of empty space before the entry point where I stored my function would be present in the ELF file. When I said add, I meant overwrite the 'padding' like you said. If it's not, then I suppose you could try looking for some unused functions to overwrite with stuff like that.
// Alternate Step 3 for 16-bit jokers: Replace the brackets and what's inside them with those parts of the joker:
lui v0, $(left half of joker address)
lh v1, $(right half of joker address)(v0)
addiu a0, zero, $(value to test for)
bne a0, v1, $(the address after the ones that constantly write)
nop // branch delay slot
I think I made a mistake in the original step 3:
addiu a0, zero, $(right half of value to test for)
should have been:
addiu a0, a0, $(right half of value to test for)
I edited the other post to match. Crap, and step 4:
addiu a2, zero, $(right half of value to write)
should have been:
addiu a2, a2, $(right half of value to write)
I edited it with that correction too.
EDIT: I'd love to be able to resize files like you mentioned, but with PC games. Windows is always adding new features to prevent one program from interfering with another, like the trainers I made. If I can just make the file bigger with a patch, then I'll be able to patch in codes for which I'd normally need to allocate extra memory using my trainer.
Last edited by Vampmaster; 02-13-2005 at 10:42 AM.