1.

PS2 Hacking - Lesson 1 - Basics by Harry

This was originally posted on CC way back in the day.

Lesson 1 - The Basics

1.
Q: What file do I use to hack?
A: SLUS_XXX.XX or SCUS_XXX.XX or a Memory Dump

2.
Q: How do I get these files?
A: Put your PS2 game into the DVD-ROM drive of your computer and wait for the files to come up. If
they do not come up, then

goto "My Computer" and double click the DVD-ROM drive. You should see the SLUS/SCUS file now, click
and drag it to your

desktop. You can take your PS2 game out of your drive now.(Assuming your using a PC and it has a DVD
drive)

3.
Q: What do I do with this SLUS/SCUS file?
A: Drag and drop it on the ps2dis icon to open it with ps2dis.

4.
Q: Now what do I do?
A: Now press ctrl-I to invoke the SLUS/SCUS.

Q: What does import labels mean?

A: You can choose another SLUS/SCUS to import labels from. (Only use games from the same series)

5.
Q: I've done everything, where are the strings and labels?
A: Press ctrl-G to expose the string/label list.

You don't like Q and A lessons? Don't worry, here it is in steps:

1. Put PS2 game into DVD drive of your computer.

2. Extract the SLUS/SCUS file to your computer.
3. Open the file in ps2dis. (I suggest drag the SLUS/SCUS on top of ps2dis)
4. Press ctrl-I to invoke the SLUS/SCUS and import labels from another game if you want to.
5. Press ctrl-G to view the "strings" and possibly Labels.

Now you know how to open, invoke, and import labels to the SLUS/SCUS.
Things to know
==============
Referal: These are needed when hacking with strings alone, which is what your going to be doing in my
lessons.
How to: To get a referal, goto any "string" label and press space then F3. It can have multiple referals,
one referal, or no referals at all. Don't worry if you don't get a referal, there's probably 100s more strings
to play with.

Buttons used: Spacebar and F3

You are now ready for Lesson 2.

ALSO: Don't worry about a memory dump for now.

1. Lesson 2 - Disabling

Description: In this lesson, you'll learn how to disable something.

Q: What is disabling?
A: It is what it says, it disables something.

Q: How do I disable?
A: One word, nop.

Q: What is a "nop"?
A: A nop is a disable command in MIPs Assem Lang.

Q: What is MIPs Assem Lang.?

A: STFU!

Let's start out by finding something we want to disable. We'll use SOCOM2(NTSC) for these lessons.

1. Open the SOCOM2 Memory dump. (Contact #$%# via aim to get the file)
2. Invoke the file and import SOCOM1 DEMO Labels. (Contact #^#%^ via aim to get the file)
3. Now find a string or label you want to disable. In this case, we're going to use the string
"mp_45_sec_clock"
4. Double click the string from the list box. You'll notice that when you try to get a referal, it'll say "no
referals

found". Before you think you've done something wrong, press ctrl-G and go back to "mp_45_sec_clock"
string. Notice there are

two "mp_45_sec_clock" strings, double click the bottom one this time, and get a referal. You should be at
the address

"002a915c". If so, proceed to the next step.

5. Now double click the referal or press enter, copy the address and paste it in a notepad or write it
down. Now type in

"nop" in the "Command" line. The "Data" should now be "00000000".

6. So your final code is 002a915c 00000000? Almost done, but not quite. you have to change the first
zero to a "2" so the

final code reads like this:

No 45 second countdown
202a915c 00000000

Next Lesson: Basic Modding

1. Lesson 3 - Basic Modding

Feel free to correct or help me with anything you see wrong :)

Description: In this lesson, you'll learn how to make a bullet count mod. This code will determine how
many bullets come out of the gun when you pull the trigger.

Go ahead and invoke the SOCOM2 Memory dump. After that, we have to find a label or string that has to
do with the number of bullets being fired. You have to think of different words that mean the same thing
for some codes. If you search for "bullet", you'll get a bunch of "bullet_hit" strings which isn't what your
looking for. Try searching for projectile now..... you may have noticed it has several referals, but none
are what we are looking for.
So far, none of those attemps have worked, so what now. How about we trying searching for terms like
"num" or "number"...... results: "NumProjectilesFired"

Get a referal on that string now, it should bring you to this address: 003f1200

Now comes your common sence, how many bullets is the gun shooting now? If you thought "1", then
your correct, anyways, now we need to find something registering "1". In this case, we need to find an
addiu (li) register of $0001. Now find something below the referal registering a $0001..... results:
003f120c

Your probably thinking "alright, I found it" but, you havn't, not yet. The register in that one is a "a3",
that's not what we want.

Q: Why isn't this the address for the code?

A:

Now scan again for another address under that..... results: 003f1218 You have now found the correct
line.

Q: Why is this the correct address?

A:
Quotes from DK posts pwn.

Final Results:
Bullet Count
203f1218 2402XXXX

1. Lesson 4 - Float Values

By: Harry

Description: You will be learning what and how to use float values in todays lesson.
 ::: Definition of "Float" :::

- A float is a number that is calculated by 4 bytes and can use decimal places. (ie: 123.456)

Now that we have some termanology down, we are going to hack a code that I made a while back for
SOCOM II. This code is known as "The Force Code", it allows 1 person in the room to green up and force
the game via the 10 second countdown clock.

:::Questions and Answers:::

Q: But harry, how do you make a code that lets one person do that?
A: It's actually really simple. SOCOM requires that 80% of the players in the room be greened up to force
a game, so we have to find a function in the dump file that controls that percentage.

Q: How do I find this function?

A: We are going to search for keywords such as: (80, eighty, force, ready.)

:::Let's get started:::

Step 1: Open up the dump and invoke and/or import labels from socom 1.
Step 2: Go ahead and try to find a "string" that has something to with the keywords we discussed
earlier.
Step 3: Find a label? If so, get a referal on it and see if you come anywhere near this address:
002C5EE0 (NOTE: Don't worry about why I asked about this, you'll learn later on.)
Step 4: If you are within a few lines of that address, you have found the correct string that I used. If
you don't find it, continue to step 5 anyways.
Step 5: If you found it, you should be at the string "MP_EIGHTY_READY". If you didn't find it, then goto
"MP_EIGHTY_READY" right now!!!

Q: I went to the string but I'm no where near that address, what did I do wrong?
A: You did nothing wrong, but if you noticed, there are 2 strings with the name of "MP_EIGHTY_READY".
Just goto the next one and that should be the correct one.

Step 6: Now we need to look for something that is controlling 80% in this function. In this case, our
80% is being held in float form. The following is what a float looks like: 002C5EE0 3c023f4c
Step 7: Lets take the data and break it down: (Command: 3c02) & (Float: 3f4c)
-Step 7 (Advanced only): The line below the float is adding that float to what it already has which is
why it comes out to 0.800000011920929 instead of 0.796875.
Step 8: If you take the float and convert it, you get this value: 0.796875 or 0.800000011920929 if you
convert it the advanced way.
Step 9: Now all you have to do is change that float to 0.01 which is: 3C23
Step 10: Now build your code up:

Simple Way
Force Code (Only 1% of the people in the lobby have to green up to force)
202c5ee0 3c023C23

Advanced Way
Force Code (Only 1% of the people in the lobby have to green up to force)
202c5ee0 3c023C23
202c5ee4 3442D70A

Review: Today you have learned how to mod simple Float values and very simple advanced Float
values.

:::Final Code:::

Simple Way
Force Code (Only 1% of the people in the lobby have to green up to force)
202c5ee0 3c023C23

Advanced Way
Force Code (Only 1% of the people in the lobby have to green up to force)
202c5ee0 3c023C23
202c5ee4 3442D70A

Safe.

1. Lesson 5 - Advanced Float Usage

By: Harry

Credit for codes used in this tutorial goes to those who created them.

Description: We are going to be finding floats that are stored outside of the function we will be working
with. We will be working with this string: "ArmingDistance"

:::To do List:::

-Open SOCOM II R4 dump and invoke it (optional: with s1 demo labels).

-Open up a notepad or w/e you use to write down your notes.

:::Lets get started:::

1. Go to this string: "ArmingDistance"

Q: Harry, what does this string affect?

A: Simple, you just have to look at strings around it and think of something in the game that arms itself
at a ceratin distance.

2. Get a referal for this string, you should come out at this address: 003f09a4. You should see the
following code:

Code:

addiu a1, a1, $8b30 # 003f09a4:24a58b30

addiu a2, sp, $00fc # 003f09a8:27a600fc
jal $0034c0a0 # 003f09ac:0c0d3028
addiu a3, zero, $0001 # 003f09b0:24070001
bne v0, zero, $003f09c0 # 003f09b4:14400002
nop No Operation # 003f09b8:00000000
sw zero, $00fc(sp) # 003f09bc:afa000fc
lui at, $0041 # 003f09c0:3c010041
lwc1 , $00fc(sp) # 003f09c4:c7ac00fc
daddu a0, s3, zero # 003f09c8:0260202d
lwc1 , (at) # 003f09cc:c420afe0
jal $003f4290 # 003f09d0:0c0fd0a4
mul.s , , # 003f09d4:46006302
lui a1, $0043 # 003f09d8:3c050043

3. Before you become overwelmed, just don't worry about all that code right now. Now you may be
thinking you see the float as this addess: 003f09c0, but that line is only be added to another line like we
saw in Lesson 04. It just so happens that:

Code:
lui at, $0041 # 003f09c0:3c010041 // Notice that $0041 is
stored into at
lwc1 , $00fc(sp) # 003f09c4:c7ac00fc
daddu a0, s3, zero # 003f09c8:0260202d
lwc1 , (at) # 003f09cc:c420afe0 // Adds to at which ==
0040afe0

Q: Why doesn't it come out as 0041afe0 since $0041 is being stored into at?
A: It calulates the highest address under 00410000 registering $afe0.

4. Now we want to jump to that address (0040afe0). You can achive this by pressing the right arrow on
address(003f09cc).
5. You'll notice that the data of this address is (41200000). This is a 32bit float, it is more precise than
the 16 bit floats in lesson 04.

(This is only an example)

32 bit
2aaaaaaa 3ccccccd

is equal to

16 bit
2aaaaaaa 3c023ccc
2aaaaaaa 3442cccd = 3ccccccd
(This is only an example)

6. You can now edit this line if you'd like to, but you may notice that almost every string around it is also
calling on this same address.
7. We are going to redirect this code so we can edit the float without harming any other strings. We take
this address and data: 003f09cc c420afe0. Like before, we know $afe0 is part of the address being
created that is redirected. Lets change $afe0 to $afe4. Now the code should read as:

Code:
003f09cc c420afe4

8. Now the code redirects to 0040afe4 instead of 0040afe0. This makes our final code come out to:

203f09cc c420afe4
2040afe4 XXXXXXX - Float

9. If you havn't guess already, this code affects the minimum distance rockets can explode at which is 10
ft.

:::Examples of this code usage:::

1. Lesson 6 - 8, 16, 32 bit codes

By: Harry

MAIN CODE: 20123456 24420001

Definition: This is a very simple tutorial on making 8-32 bit codes.

Q: Why are we learning about the 8-bit nintendo?

A: We're not genius! We're going to learn how to edit 8-32 bit codes.

:::32-Bit:::

(NOTE: We're starting off with 32 bit since it's what most people are custom to.)

Here is a 32-bit code: 2aaaaaaa dddddddd

So... what do you notice about it? The first "2"? CORRECT! The 2 indicates that the code is a constant
32-bit write code.

Q: But Harry, where are you going with this?

A: Good question, just pay attention.

A 32-bit code is setup like this: 2aaaaaaa dddddddd

The code is modifiing the entire line of data, which is no big deal unless your trying to conserve space
for any reason.

Now let's mod our main code to register "10".

You should have 20123456 2442000a as your code now, GOOD JOB!
That's all you need to know about making a 32-bit code.

:::16-Bit:::

Here is a 16-bit code: 1aaaaaaa 0000dddd

Q: Why is there a 1 in place of the 2???

A: Because "1" indicates a constant 16-bit write code.

A 16-bit code is setup like this: 1aaaaaaa 0000dddd

The code is modifiing the last 2 bytes in the line of data.

Now let's mod our main to register "10".

You should have 10123456 0000000a as your code now, GOOD JOB!

A better example for this code would be a lui command like so:
20123456 3c023f80 (where 3f80 is the float we want to mod, so our code could be:
10123456 00004120 (where 4120 is the modified part.)

:::8-Bit:::

Here is an 8-bit code: 0aaaaaaa 000000dd

Q: Why is there a 0 in place of the 2???

A: Because "0" indicates a constant 8-bit write code.

A 8-bit code is setup like this: 0aaaaaaa 000000dd

The code is modifiing the last byte in the line of data.

Now let's mod our main to register "10".

You should have 00123456 0000000a as your code now, GOOD JOB!
That's all you need to know about making an 8-bit code.

__________________________________________

Final Codes:
 20123456 2442000a - 32-bit
10123456 0000000a - 16-bit
00123456 0000000a - 08-bit

Lesson 7 will probably introduce branches or something...

10123456 0000safe