EXT Gaming
Welcome to EXTPortable, Guest!

At the moment, you are viewing the forum as a guest. As a guest you can't make post and participate in discussions. You need to register and become a member of the forum. Click the register link below and become a part of this forum. But please, don't become part of the site just for the Downloads, If you Register, do it because you want to have fun and get to know people, if NOT then don't Register at all.

Thank You,

Bou

Join the forum, it's quick and easy

EXT Gaming
Welcome to EXTPortable, Guest!

At the moment, you are viewing the forum as a guest. As a guest you can't make post and participate in discussions. You need to register and become a member of the forum. Click the register link below and become a part of this forum. But please, don't become part of the site just for the Downloads, If you Register, do it because you want to have fun and get to know people, if NOT then don't Register at all.

Thank You,

Bou
EXT Gaming
Would you like to react to this message? Create an account in a few clicks or log in to continue.
Latest topics
» [Forum Game]Yum or Yuck
Black_Wolf's "Final Guide" to PSP Hacking EmptySat Aug 09, 2014 2:10 am by AvieD1ne

» True or False
Black_Wolf's "Final Guide" to PSP Hacking EmptySat Aug 09, 2014 1:53 am by AvieD1ne

» EXT
Black_Wolf's "Final Guide" to PSP Hacking EmptyFri Aug 08, 2014 7:30 pm by AvieD1ne

» 'Ello there!
Black_Wolf's "Final Guide" to PSP Hacking EmptyFri Aug 08, 2014 6:49 pm by AvieD1ne

» Sup son! What You Doing Now 2
Black_Wolf's "Final Guide" to PSP Hacking EmptyFri Aug 08, 2014 6:38 pm by AvieD1ne

» What are you currently playing?
Black_Wolf's "Final Guide" to PSP Hacking EmptyFri Aug 08, 2014 6:31 pm by AvieD1ne

» Hai :3
Black_Wolf's "Final Guide" to PSP Hacking EmptyThu Aug 07, 2014 11:40 am by Neff Anselmo

» Anime Ramen
Black_Wolf's "Final Guide" to PSP Hacking EmptyFri Jan 31, 2014 5:58 am by Bou

» Happy New Year
Black_Wolf's "Final Guide" to PSP Hacking EmptyMon Jan 27, 2014 8:26 am by Ziyi

Who is online?
In total there are 4 users online :: 0 Registered, 0 Hidden and 4 Guests

None

Most users ever online was 256 on Sun Apr 11, 2021 10:10 pm

Black_Wolf's "Final Guide" to PSP Hacking

Go down

Black_Wolf's "Final Guide" to PSP Hacking Empty Black_Wolf's "Final Guide" to PSP Hacking

Post by Guest Thu Dec 22, 2011 12:28 am

Well guys i decided to release to the public after all. I think, if anything, this will help the hacker/leecher ratio so that seems worth it to me. I don't make many codes any more, so this is my way of ensuring quality codes continue to be made. Here it is: enjoy

Hacking has been an incredibly enjoyable part of my life, although I don't contribute much to the scene anymore, I have learnt many things, and taught myself other things throughout my time as a RAM Hacker. This guide will be every bit of knowlege summed up into a guide for all trusted members and coders to view. -Black_Wolf


CONTENTS:
1. Universal Methods
a) Pointers how to use them
b) Co-ordinate hacking
c) Mips Subroutines
d) CW Cheat/DarkCheat subroutines

2. Specific Methods
a) Finding multilevel pointers
b) Finding hooks
c) Finding controller addresses
d) Logikz/Brett111's method (floating point searching)
e) Black_Wolf's method (spawn searching)

3. Conclusion



SECTION 1 - UNIVERSAL METHODS

1a) Pointers and how to use them

Before I go on to pointers, it is essential that anyone reading this guide has a clear understanding of the next paragraph. Cheat format and Real format are terms that are incredibly important and I'll just give a quick definition now. Basically whats REALLY going on in your game's ram, starts at the address 0x08800000 (0x08804000 to be precise) now this is the kinds of addresses that the assembly uses, as they are the REAL locations in the ram. To save some room however, and provide some space for code types, cheat devices on the psp are generally handled in CHEAT format, this is basically the REAL address MINUS 0x08800000. It is essential that you remember this when writing subroutines or converting codes to be compatable with a cheat device. So 0x08C054A8 , in cheat format, would be 0x004C054A8. Use a hex calculater if you need to. Ok so on to the important stuff.

Pointers are a confusing aspect to many people. In the PSP scene, the words DMA and Pointers are thrown around like anything, but these terms are often misused, or even misused without fully understanding what they actually are, so before you can use them to hack a code, you must first understand what they are.

So on to pointers. I'm going to start in very simple terms, I'll use Syphon Filter as an example. Its one of the best games to start in, because it employs single level DMA.
Alright so you know how the RAM in a game is about 30mb, well think of the actual ISO size, its big right, nearly a GIG. Now obviously, this means that all the content on the disk can not be loaded at once, so the game only loads what is required for, lets say, a level. Now the order if what loads varies game to game, but for example lets say that the first level looks like this:

ENVIRONMENT
ENVIRONMENT
GABE
WEAPONS

Now as you can see, each area takes up a certain amount of room, but what if something ABOVE the weapons changes sizes. Moving on to the second level, where the environment is bigger, it looks more like this:

ENVIRONMENT
ENVIRONMENT
ENVIRONMENT
GABE
WEAPONS

Now THIS is what DMA essentially is. By only loading certain things into memory, the game is quicker, and more dynamic, BUT it also means that the weapons will be in a different place depending on the situation. For example, if in the first level, the environment takes 11mb of data, GABE will be located at the 12mb mark. But if in the second level, the environment takes up 22mb of data, GABE's data will be at the 23mb mark. But if this is changing, then how does the game know where GABE ends, and the weapons start? WELL this is where pointers come in

Pointers are located in a static area of code. Basically they are simply addresses with the VALUE of another address. For example
0x08800004 0x0880007C
This is a pointer, with a VALUE of the address 0x0880007C so we say this is a POINTER that POINTS to 0x0880007C
But how does this change anything, well using the first example again I'll add pointers in at the start

0x08840000 - 0x0884000C: POINTERS
0x0884000C - 0x088C0000: ENVIRONMENT
0x088C0000 - 0x088C5000: GABE
0x088C5000 - 0x088C8000: WEAPONS

Now notice how the pointer section is much smaller than the others but its FIRST, so this means that it is static (I'll reference this later, but TRUE pointers are located towards the start of the memory). Now seeing as its only 3 addresses, lets see what SPECIFICALLY is located inside the pointers section of this example.

0x08840000 0x0884000C
0x08840004 0x088C0000
0x08840008 0x088C5000

This is a very basic example, but this is basically what pointers do. There is one for each section, pointing to the START of the object block. Pointer 1 points to Environment, Pointer 2 points to Gabe and Pointer 3 points to Weapons.

Now all games that utilize Dynamic Memory Allocation (DMA) have, somewhere, a base pointer for each object. Now obviously we are not looking for the FIRST address in an object, so we add an offset, lets just say that GABE's health is at the address 0x088C01A0. Now to get there from a pointer, we load the one that points to the START of GABE (pointer 2) and add the offset that gets us to our health (0x088C01A0 - 0x088C0000) which equals 0x1A0. So looking at the second pointer, and adding 0x01A0 will ALWAYS lead us to GABE's health, not matter WHAT level we are in, because of this pointer. The correct way of writing this is
[0x08840004] + 0x1A0

BUT what is this "double dma" that everyone seems to whine about. Well its simple really. Instead of the pointer leading STRAIGHT to GABE, a "multi pointer" would lead to ANOTHER section of pointers, and then by adding an offset, you can follow the one that ACTUALLY leads to GABE. This is done when there is a lot of dynamic loading to be done, usually found in online games that need to constantly be streaming data, they have multiple levels of pointers for quicker and more organized access. I will explain how we find a multilevel pointer later on. Finding a single one is easy. You can use DMA Hunter or one of the many apps out there. Or if you want to apply this knowledge, you can actually manually search for them, with a variable search in Art Money or T Search which is basically like "Finding all the values from 1 - 3" so you can say "Find all the addresses with values between:" and then just write the address of your DMA code, + and - about - 0x1000. This will spit out all the possible pointers for your DMA code.


1b) Co-Ordinate Hacking

Ah, here it is, Sketch's classic yet undeniably effective method of hacking around or on an objects Co-Ordinates. I'll briefly go over this, as I've made countless codes with this method and the pointer method combined.
So the theory behind this is that by finding an objects co-ordinates, we can find everything that can directly outer the outcome of a position AROUND the co-ordinates. i.e Speed, Size, Gravity, J umping Height, all that stuff. Now many find that co-ordinate hacking can be troublesome, and causes a lot of freezes, and this is essentially true IF you use the regular method. This is searching, moving, searching, not moving, searching and then testing results. Now its very hard to narrow down these results, because moving in this way causes a LOT of changes in the game, lighting, camera position, all that stuff. BUT there is an easier way.

By using the conventional method, you are finding the X and Y co-ordinates. The FLAT PLANE co-ordinates on a geometrical scale. BUT Z is a lot easier to alter, and also a lot easier to view the changes, because it is essentially your characters height, so why not use this instead? (its also the co-ordinate that is most impressive to work with in subroutines)
So to find the Z-co-ord in any 3d game, simply find yourself a hill and walk up and down it searching GREATER and LESS. You'll find that your results will narrow down a lot quicker than your conventional method, and locking the correct Z co-ord at 000000000 will generally send you through the floor.

Once you have the co-ords, start searching, look at you memory viewer for floats (Get darkcheat, its FLOAT viewer is invaluable) and modify them up by 2 or 3 and go back to the game for results. Floats like 1 2 or 3 are generally static values like speed size or gravity so keep your eye out for them. If you hate dark cheat these are 3f800000 (80 3f) 40000000 (40 00) etc.
Combining this method with some simple pointers if your game is DMA, allows for some great codes without much effort at all. Also, by expanding your knowledge, you can turn these co-ords into mark and recall, flight and jump routines with a simple MIPS or CWCHEAT subroutine.


1c) MIPS Subroutines

Wow, anyone who was lucky to be around when hackers like UniTerror first worked their magic on the psp scene is blessed. These kids stormed in with MIPS and routines and hooks coming out of their ears. Its a real shame that the two "sides" couldn't get along sooner, because its obvious now that both a combination of searching and routining produces the best codes of the lot. Now when the first subroutines were released by great hackers like Silo and Shroom on the socom scene, there was an influx of people desperate to learn mips. I rode the wave along with many, and created a few routines in my time. My best work being the Monster Hunter HP code for MHF2. This was a 50 line MIPS subroutine that found and pulled out every monsters health in the area and presented it on screen in a neat way, MIPS can do great things. Now I don't love MIPS, I don't even find it to be an especially useful language to learn, BUT it can be very useful, and it makes code making more exciting than a simple write code. Now I don't have every command and syntax memorized nor do I think its necessary, anyone can write a 20 line routine with CTRL F and a mips reference if they know exactly what they are trying to achieve and this is what I advice. Work out exactly WHAT you are going to do with your routine before you even start on it. Then you'll find that the routine comes a lot easier, just like following steps.

Now I'm just going to provide the template for the 2 most common routines you will see now. Sure there are going to be errors in these, but I will show how Jump and Mark and Recall work, and how to do it in theory. First your going to need a few things for both. A tutorial on finding most of these can be found later on in the guide. The Code Cave is simply a big section of 0's so open your dump in PS2DIS and go CTRL F tick Hex String and hold the 0 key for like a minute...

-Co-ordinate Locations
-A Code Cave
-A WORKING Hook
-A Controller Address

Thats about all for your basic routine, finding these can sometimes be the hardest part of a subroutine, but it is essential that you first have all the equipment before you start building. So lets start with the JUMP routine. This is really just a button controlled increase in the Z (height) co-ordinates, so think about how your going to do it in words, then worry about converting to the MIPS language. It would look something like this in my mind.

-Jump to code cave (hook)
-Load controller address's value into t0
-If its not equal to the button's value you want jump to the end
-ELSE: Load z-co-ordinates into register t2
-Load what you want to ADD to z-co-ordinates into register t4
-Add the two registers and store result in t6
-Store the modified Z-Co-ordinates back to their position
-Return to where you are meant to be

Ok, so grab a mips reference and i'll write an example here, we'll say that the code cave is at address 0x08900000, the controller address is at 0x08A00000 and the z-co-ords are at 0x08B00000

- j $08900000
- lui t0, $08A0
- lw t0, $0000(t0)
- li t1, $0100
- bne t0, t1, $08900030
- nop
- lui t2, $08B0
- lw, t2, $0000(t2)
- lui t4, $0001
- li t4, $3A4C(t4)
- add t6, t2, t4
- sw t6, $0000(t2)
- jr ra

And that is your basic template for a jump routine, there's probebly a load of errors because I can't be bothered checking out the syntaxes in PS2DIS but you get the idea of how to do it, its really not that hard. You can make a smoother routine by using float registers instead of standard ones but thats a little more detailed, and honestly I've never really bothered to learn it, but it involves moving the z-co-ords into a float register, as well as what you want to add, and THEN adding them for a smoother finish because co-ordinates are of course float values. If the co-ordinates were pointered, you would load the POINTERS value into a register, then do a lw $OFFSET(register) that way your getting the pointers value, and loading the a value into a register with the offset BASED on the pointer's value.

Now for Mark and Recall, now I'm a bit fuzzy on this one, as I've never really tested this template properly, but the theory behind it is still simple, think about it. You store your co-ords in a register when the controll address == what button you want. If its not equal to that it jumps to ANOTHER bne which says if your controller address equals some OTHER button, to store the co-ords back to their place in the memory. Ok so for this template I'll just use 1 storing register, you can however use multiple locations if you so desire. Now first lets think what we want to do on each line again.

Jump to code cave (hook)
Load controller address's value into t0
If its not equal to the STORING button, jump to the next IF
If it IS equal to the storing button:
Load the first 4 bytes of co-ords
Load each of the co-ords into t1, t2 and t3 respectively
If its not equal to the RECALL button, jump to the end
If it IS equal to the Recall button:
Store the co-ords from t1, t2, and t3 respectively
Return to where you are meant to be.

Ok so keep your MIPS reference handy and we'll take a look at what we should be writing. I'll use the same co-ords, hook and code cave from the last example

- j $08900000
- lui t0 $08A0
- lw t0, $0000(t0)
- li t6, $0100
- li t7, $0200
- lui t1, $08B0
- bne t0, t6, $08900038
- nop
- lw t2, $0000(t1)
- lw t3, $0004(t1)
- lw t4, $0008(t1)
- bne t0, t7, $0890004C
- nop
- sw t2, $0000(t1)
- sw t3, $0004(t1)
- sw t4, $0008(t1)
- nop

So there you have it, some basic MIPS in a nutshell, there is of course a lot more to it, but this is the general idea of how they work. If someone sees an error or an improvement to be made in the routines just give me a pm or something so I can fix it up. I did store my co-ords in an address here, however it is usually a lot safer to copy them to another blank address somewhere and use that, this is simply just after lw's, you put some sw's at a blank address, and then load these "blanks" and store them at the real co-ords for the RECALL function, this is simple though, and using an example contains too many hypertheticals for my liking!


1 d) CW Cheat/DarkCheat subroutines

Why fix something if its not broken right? Cwcheat provides some excellent code types that allows you to do pretty much anything you can do in mips. The only problem is that these routines generally don't work with pointers so these are ideal for games like Monster Hunter with no dma on important things like co-ordinates. You CAN however do a mix of the two, jokering a hook between accessing a routine and continuing on its normal path, that way you don't even need a controll address.

Ok so seeing as I'm sticking to these 2 routines, to demonstrate the difference to you, I'm going to write both Jump routine, and Mark and Recall using CW Cheat code types found at [URL='http://cwcheat.consoleworld.org/wiki/doku.php?id=english:code:psp_types']english:code:psp_types [CWCHEAT documentation][/URL]
So lets first write into words, just like the MIPS sub.

IF L_Trigger is held:
Increase Z Co-ordinates by 0x00013A4C

Wow, looks a lot simpler right? Its that easy, so basically we are looking at a JOKER(0xD) and an INCREMENT code type.(0x3) So remember, the Z-Co-ords are at 0x08B00000 which in CHEAT format (- 0x08800000) is equal to 0x00300000
Here's how the code would look:

_C0 Jump
_L 0xD0000001 0x100000100
_L 0x30500000 0x00300000
_L 0x00013A4C 0x00000000

And thats it, this code, on a non-dma'd game would have the exact effect as that MIPS subroutine shown in the previous section. So always think to yourself, is there an easier way to do it? But thats just jump right, I here you say, what about Mark and Recall. Well its a similar thing to the MIPS, except instead of using a register, we simply copy the co-ordinate values to a blank spot in the memory, and then copy them back when we want to.

IF L_Trigger is held:
Copy co-ordinates to code cave
IF R_Trigger is held:
Copy code cave values to co-ordinates

So we are simply going to use the Copy Bytes command, 0x5. And of course our standard joker. So the same as all our examples, co-ords are at 0x00300000(0x08B00000) and the 12(0xC) bytes after that, and the code cave is at 0x00100000(0x08900000).

_C0 Mark and Recall
_L 0xD0000001 0x10000100
_L 0x50300000 0x0000000C
_L 0x00100000 0x00000000
_L 0xD0000001 0x10000200
_L 0x50100000 0x0000000C
_L 0x00300000 0x00000000

And there is your Mark and Recall CWCheat routine. In my opinion it is a lot quicker and easier to use this method, so if your game is not DMA'd then you should give this route a try.



SECTION 2 - SPECIFIC METHODS

2 a) Finding Multi-Level Pointers

Ahh, now on to the good stuff, the unique methods developed by myself and other well known hackers, these are the tips and tricks of the trade learned out of experience, by using the basic knowledge, and taking it to a new level through the tools available. Seeing as lots of other methods deal with codes AFTER you've found them, I think its about time to show how to get to the address in games that utilize multi-level DMA. This method originated from the hacker Sonnie, but has been refined and further explained by yours truly. I also will add some quick tips, based on the same principle, in order to speed up this sometimes slow process.

Ok so if you havn't read the details on what a pointer is, go back and read it all now, because this method relies on your knowledge of what a pointer is and how it works. You should know how to follow a pointer just by looking at it in the memory viewer, and have a clear understanding of what an offset is and why we use one. So, you know that a pointer is just and address with a VALUE of another address, right? And that by adding a number TO this value (usually under 0xFF) we can lead ourselves to a dma'd address? WELL think about it, you can use this knowledge in a reverse order to find your POINTER from your DMA'D ADDRESS. Think of double DMA as like 2 seperate codes. You have a pointer leading to your ammo (we'll use ammo as an example because its an easy word to type), AND you have a pointer leading to THAT pointer. So it goes like this.

Base pointer -> +OFFSET1 -> 1st Pointer -> +OFFSET2 -> AMMO ADDRESS!!!

Of course, there are sometimes more than 2 levels, in fact, games like Star Wars : Renegade Squadron have been known to use up to 5 levels of DMA. When this is the case, its sometimes easier to look for an alternate route if possible (not possible if you are wanting co-ordinates however) see later sections.

So here is the method in theory. By SEARCHING the ADDRESS of you're ammo code, as a VALUE, then minusing an offset, you can lead yourself to the first pointer. Then, in turn, by searching the POINTERS address as a value, and minusing and offset, you can lead yourself to the base, and thus have the pointer "path" to your code. The problem is, we have no idea what the offsets are, so it makes the process very grueling. Now the original way to do this was as follows:

- Search the ammo address as a value
- If there are no results, subtract 0x4 from your search (this is so we are scanning WHOLE addresses, ones that end with 4, 8, C and 0, not wierd half addresses)
- Continue this untill results are found
- Determine the offset between the search that yielded results, and the original ammo address, this will act as offset2
- Repeat the above steps using the 1st pointer address in place of the ammo address.

Now to be honest, this is a real pain in the ass to do, SO, instead, grab a PC based RAM searching app such as Artmoney, Tsearch or CheatEngine. Now, there should be a search option like "Search for a value within a range" range not being an ADDRESS range, but a VALUE range. This basically means you can say, give me all of the addresses, with a value between 40 - 85. So, using common sense, we can use this, lets say the ammo address is at 0x0131C664. So we put into the device:

-Find all addresses with a value = to 0x0131C500 - 0x0131C664.

This will probebly spit out a bunch of results, generally I test the ones with the lowest addresses first, as they tend to be working their way OUT of the heavy dma, so check the result with the lowest address in a similar manner. In this way, you can find yourself a multi-level pointer track that can be used with a simple subroutine to lock the value. These are simple once you have a guarnteed hook (see next section) its just a bunch of lui and lw, using offset(register) to its full potential.

- lui t0, $FIRST 2 BYTES OF BASE POINTER
- lw t0, $LAST 2 BYTES OF BASE POINTER(t0)
- lw t1, $OFFSET1(t0)
- lw t2, $OFFSET2(t1)

This little routine will put the ammo value into register t2. From there you can work with it however you want, just with the command of $OFFSET2(t1) because that is essentially your ammo code.


2 b) Finding Hooks
Finding a constant and consistant hook used to be the one thing putting me off subroutines, but now, with a quick little method that guarentees one in about 2 minutes, subroutines can be used for anything, even just locking a code without cheat hz can be done simply and easily.

The hex for JR RA is 0x03e00008, now this command effectively "jumps" the memory to where it was before executing a function, this means, these places are ideal for injecting our subroutine, because as long as we don't touch the RA register (i.e use J not Jal) then a simple JR RA at the end of our subroutine will put the memory straight back to where it was meant to be, as if nothing ever happened.

This little trick was first suggested to me by WazGoingOn, great hacker, great friend. Now initially, the way to do this was to get out ps2dis and do a string search, or search manually for some jr ra... this is just plain boring, sure it works, but testing each one takes a while if you doing it one at a time, so I thought to myself, why not just use some good old trial and error or "mass searching". The method is as follows:

-Open up the cheat device of your choice. If it is DarkCheat or Cheatmaster set the RANGE to 0x00040000 - 0x00050000.
-If you have NitePR, you don't really need to worry, because it will display the first 100 results anyway, however, when the time comes, using cheatmaster/ darkcheat is a lot easier.
-Do a search for 0x03e00008. Add all results at a value of 00000000 but DON"T lock them yet.
-Now get to your cheat list, and one at a time, lock them and return to the game, be sure to remember the NUMBER of the code your on, or simply save the table after each test and delete the non working code.
-If you're game DOESN"T freeze, it is not a working hook, so delete the address and move on
-If the game DOES freeze, then your hook is CORRECT!

And thats all for the method, this makes hook finding considerably easier and a lot quicker too.


2 c) Finding Controller Address
This is a very short method, and isn't really anything special. A controller address is simply an address that contains the value of the button your pressing. Now you don't actually need this if you are using cwcheat/darkcheat, EVEN if you routining in mips. You can simply use a joker to turn the HOOK and and off, and lock the whole routine at the start. That way, whats in your routine only activates when you press the button that makes the hook jump to it. Regardless, some of you are probebly desperate for the "pure mips" routines so here is how to find that control address.

-Hold L
-Open cheat device and search 0x00000100
-Hold R
-Open cheat device and search 0x00000200
-Repeat

Now its very odd, but SOME games don't use this standard method of controls, I've known some to use FF in different positions etc. So if the above method shows no results, you're going to have to do a boring unknown value search holding different buttons and search unequal equal accordingly.

2 d) Logikz/Brett111's Method (mass float searching)

This method is fairly commonly used now, there are guides for this all over, however I remain respectful to these two hackers, as they were the first to release codes like this that I know of. It was also Logikz who showed me this method for the first time, and Brett had also developed the same sort of method as well. It involves mass searching the ram for FLOAT values, which store things like speed, size, graphics etc, so you can pretty much milk the game for a lot of codes with this method, and then move onto others for the more specific codes.

Its a lot easier to do this kind of method with Cheatmaster or Darkcheat, as they have an easy ADD ALL function, as well as an easy locking feature. Means you can add all results at a certain value, and then lock them bit by bit and check for results very effeciently.

So open up your device of choice and change the search range to something like 0x00100000 - 0x00200000. Search one of the 32bit values shown below, and lock results bit by bit, checking for changes in the game. Change the search range until you're results are under 500, and gradually work through the game in this way. Very simple, very effective.

Useful 32bit Values:

3f800000
40000000
40800000 (and any full float value really)
42c80000
3c043f80
3c044000
4c044080


2 e) Black_Wolf's Method (spawn searching)

Ah, the method used to find nearly all of my Star Wars codes, this is an incredibly varied method, but essentially it involves finding the value you SPAWN with, or the DEFAULT value as some call it. I'm aware that many probebly use a similar method to this, but I'll explain my way of doing it none the less. This method can be used to find any VARYING value that is dma etc. This includes your health, ammo, stamina, and anything else that changes in game. Ok I'll do one SEEN(ammo) example, and one UNSEEN(health) example.

Seen values are easy, because you already know what you're going to search, so lets say you spawn with 35 bullets in you're clip. This is the value we search, make sure you put it into 32 bit, and search 0x00000023. Now you just do the standard mass searching, where you add all results to a value, of say, 40, and then lock them 5 or 10 at a time. Make sure you RESPAWN after every change to test, becuase remember, this is how much ammo you SPAWN with, so you need to respawn when testing.

USUALLY these will be non DMA and Universal, star wars is actually the exception here, the code locations change based on the SIZE of the iso, so while you're code may work for you, it won't work for someone with a smaller or bigger iso. There is a pointer that can find it, but its offset is HUGE so it doesn't get handled by nitepr, only cwcheat, you can however make a routine to wrtie infinite ammo and it would work in ANY device, it would go like this, and would work if attached to any constant hook (see above sections). This example is actually a valid code, not just a sample. The pointer is 0x00C5B274. Offseting with 0x232708 leads us to the shotgun (i think) ammo. Reason I havn't made the actual codes like this is the simple reason that I cannot be bothered, it would be fairly simple to do however, so go ahead if you want to try it out.


lui t0, $08C5
lw t0, $B274(t0) //t0 now has value of our pointer, the iso size pointer
lui t1, $0023
ori t1, t1, $2708 //t1 now has value of our offset to shotgun ammo
add t2, t0, t1 //t2 now has our shotgun ammo address
addi t3, zero, $FFFF
sw t3, $0000(t2) //Stores FFFF at the shotgun's address
jr ra

In this example our pointer is at 0x08C56B274 and the huge offset is 0x00232708. This is actually a true routine, infinite ammo for shotgun I believe. Adding other guns would be easy, Just the sw t3 $DIFFERENT VALUE (t2) to reach other guns in similar area would do fine.

Ok so how about health, stamina etc, well this is also relatively simple.
Remember we need to know how much health you SPAWN with, and then mass search this value. Ok so, start out by finding DMA health in the normal way (greater less etc) now get back to full health without dying, so like health droid or something, and now look at the health value in your memory viewer. It should be some sort of float like 42C80000 or something. Mass search this value and repeat the method for ammo increasing to like 70000000, and you should find have infinite health! Works for nearly any changing value, any game, no pointers necessary most of the time.


SECTION 3 - CONCLUSION

Well I have to say, its been fun, learning all this stuff and teaching myself, and its made for an incredibly enjoyable hobby. It is sometimes a shame that many take hacking for more than what it is, a hobby, with leakage and credit fuss etc ruining what has been a wonderful scene. I hope that some of this knowledge has helped you, and many of it applies to other consoles as well, proven by my new success in the wii scene. You may not see me around much anymore, but for those that do remember me, I thank you for what has been a great part of my life. If anyone bothers to read this conclusion, I would like to send a huge thank you to

Logikz - You were a great pal from the very beginning. You and Sketch were the first hackers I really talked to, and it was great sharing our information and interests. If you ever read this, I hope you understand how great of a hacker and friend you were.

WazGoingOn - By far my best friend in the hacking scene. We teamed up and had a great time making our codes together. We didn't care about credits or success, we just had a hell of an awesome time making some pretty crazy stuff together. Thanks a lot Waz!

OwnedYou - I actually wish I had of spoken with you more, you were one busy guy, and sometimes people don't realise the shear amount of effort you put into OHG. What time I did spend talking with you were a lot of fun and hope you continue the awesome work you do.

Scuzzy - Again, I wish I had of talked to you a little more, but I did however spend some time with you and Slynet working on that visual basic. People sometimes complain about you, but I have no idea why, you have done nothing but constantly help the scene and I wish you all the best.

k3s - If you ever read this, then this is one of my strongest thank you's here. For some reason I just knew that I chose the right person. When you first asked for help, I instead gave you my entire DB, and to repay you contributed a lot to the scene and became a great hacker by your own right! You were a great friend to me despite you're busy life, thanks!

Testbot/khoung - Legend in the X-Box scene, you briefly came to the psp scene, and I immedietly began talking to you, you taught me some of the best stuff out of all my mentors here, and its a shame you couldn't stay for a little longer. The most skilled hacker I've ever met, you will remain.

Sketch - Who else could be last on my list? The father of hacking lol. You were the guy that led me to hacking, and talking to you for the first time was awesome, we became great friends, shared methods and made codes. I hope you and your wife and kids do have a great life, thank you for everything!

There were of course many others, but the above had the biggest impact on my time here so I thank them all again.
I will of course still be around hacking, I've moved on to the wii scene now, and its a logical move forward. ASM reconstruction is a major there, and its a nice step up from the PSP scene, so I'll be making a lot of codes there. If you have any questions, or would just like a chat, just send me a pm and I'll do my best to answer.
Thanks for reading
-Black_Wolf
avatar
Guest
Guest


Back to top Go down

Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum