1. Q: What file do I use to hack?
A: SLUS_XXX.XX or SCUS_XXX.XX, or a memory dump.
2. Q: How do I get these files?
A: Put your PS2 game into the DVD-ROM drive of your computer and wait for the files to come up. If they do not come up, go to "My Computer" and double-click the DVD-ROM drive. You should see the SLUS/SCUS file now; click and drag it to your desktop. You can take your PS2 game out of the drive now. (This assumes you are using a PC and it has a DVD drive.)
3. Q: What do I do with this SLUS/SCUS file?
A: Drag and drop it onto the ps2dis icon to open it with ps2dis.
4. Q: Now what do I do?
A: Now press Ctrl-I to invoke the SLUS/SCUS.
5. Q: I've done everything, where are the strings and labels?
A: Press Ctrl-G to expose the string/label list.
Now you know how to open, invoke, and import labels to the SLUS/SCUS.
Things to know
==============
Referral: These are needed when hacking with strings alone, which is what you're going to be doing in my lessons.
How to: To get a referral, go to any "string" label and press Space, then F3. A string can have multiple referrals, one referral, or no referrals at all. Don't worry if you don't get a referral; there are probably hundreds more strings to play with.
1. Lesson 2 - Disabling
Q: What is disabling?
A: It is what it says: it disables something.
Q: How do I disable?
A: One word: nop.
Q: What is a "nop"?
A: A nop (no operation) is a MIPS assembly instruction that does nothing. Overwriting an instruction with a nop disables it.
Let's start out by finding something we want to disable. We'll use SOCOM2 (NTSC) for these lessons.
1. Open the SOCOM2 memory dump. (Contact #$%# via AIM to get the file)
2. Invoke the file and import the SOCOM1 DEMO labels. (Contact #^#%^ via AIM to get the file)
3. Now find a string or label you want to disable. In this case, we're going to use the string "mp_45_sec_clock".
4. Double-click the string in the list box. You'll notice that when you try to get a referral, it says "no referrals found". Before you think you've done something wrong, press Ctrl-G and go back to the "mp_45_sec_clock" string. Notice there are two "mp_45_sec_clock" strings; double-click the bottom one this time and get a referral. You should be at the address
No 45 second countdown
202a915c 00000000
Description: In this lesson, you'll learn how to make a bullet count mod. This code will determine how
many bullets come out of the gun when you pull the trigger.
Go ahead and invoke the SOCOM2 memory dump. After that, we have to find a label or string that has to do with the number of bullets being fired. For some codes you have to think of different words that mean the same thing. If you search for "bullet", you'll get a bunch of "bullet_hit" strings, which isn't what you're looking for. Try searching for "projectile" now... you may have noticed it has several referrals, but none are what we are looking for.
So far none of those attempts have worked, so what now? How about trying to search for terms like "num" or "number"... results: "NumProjectilesFired"
Get a referral on that string now; it should bring you to this address: 003f1200
Now comes your common sense: how many bullets is the gun shooting now? If you thought "1", then you're correct. Now we need to find something registering "1". In this case, we need to find an addiu (li) instruction loading $0001. Find something below the referral registering $0001... results: 003f120c
You're probably thinking "alright, I found it", but you haven't, not yet. The register in that one is a3; that's not what we want.
Now scan again for another address under that... results: 003f1218. You have now found the correct line.
Final Results:
Bullet Count
203f1218 2402XXXX
By: Harry
Description: You will be learning what float values are and how to use them in today's lesson.
::: Definition of "Float" :::
- A float is a number stored in 4 bytes that can have decimal places (e.g. 123.456).
Now that we have some terminology down, we are going to hack a code that I made a while back for SOCOM II. This code is known as "The Force Code"; it allows one person in the room to green up and force the game via the 10-second countdown clock.
Q: But Harry, how do you make a code that lets one person do that?
A: It's actually really simple. SOCOM requires that 80% of the players in the room be greened up to force a game, so we have to find the function in the dump file that controls that percentage.
Step 1: Open up the dump, invoke it and/or import the labels from SOCOM 1.
Step 2: Go ahead and try to find a "string" that has something to do with the keywords we discussed earlier.
Step 3: Found a label? If so, get a referral on it and see if you come anywhere near this address: 002C5EE0 (NOTE: Don't worry about why I asked about this; you'll learn later on.)
Step 4: If you are within a few lines of that address, you have found the correct string that I used. If you don't find it, continue to step 5 anyway.
Step 5: If you found it, you should be at the string "MP_EIGHTY_READY". If you didn't find it, then go to "MP_EIGHTY_READY" right now!!!
Q: I went to the string but I'm nowhere near that address, what did I do wrong?
A: You did nothing wrong, but if you noticed, there are 2 strings with the name "MP_EIGHTY_READY". Just go to the next one and that should be the correct one.
Step 6: Now we need to look for something that is controlling 80% in this function. In this case, our 80% is being held in float form. The following is what a float looks like: 002C5EE0 3c023f4c
Step 7: Let's take the data and break it down: (Command: 3c02) & (Float: 3f4c). The command 3c02 is lui v0, which loads the immediate into the upper 16 bits of v0; 3f4c is the upper half of the float.
-Step 7 (Advanced only): The line below the float (at 002c5ee4, an ori v0, v0 instruction, opcode 3442) fills the lower 16 bits, $cccd, into what v0 already holds, which is why it comes out to 0.800000011920929 instead of 0.796875.
Step 8: If you take the float and convert it, you get this value: 0.796875, or 0.800000011920929 if you convert it the advanced way.
Step 9: Now all you have to do is change that float to 0.01, whose upper half is: 3C23
Step 10: Now build your code up:
Simple Way
Force Code (Only 1% of the people in the lobby have to green up to force)
202c5ee0 3c023C23
Advanced Way
Force Code (Only 1% of the people in the lobby have to green up to force)
202c5ee0 3c023C23
202c5ee4 3442D70A
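A worked example of the lui/ori encoding used in steps 6 to 10, added here and not part of the original lesson: it splits a float into its two 16-bit immediates, shows what the simple (lui-only) and advanced (lui + ori) patches leave in v0, and builds the 20-type code lines. The address 002c5ee0 and the 3c02/3442 instruction halves come from the lesson; that the original ori immediate at 002c5ee4 is $cccd is inferred from the advanced value 0.800000011920929 (= 3f4ccccd).

```python
import struct

# Added example, not the lesson's own code: the two-instruction float load
#   lui v0, upper      (3c02 xxxx)
#   ori v0, v0, lower  (3442 xxxx)
# and the raw "20"-type (32-bit write) code lines that patch it.

LUI_V0 = 0x3c02  # upper half of "lui v0, imm": imm goes into the top 16 bits of v0
ORI_V0 = 0x3442  # upper half of "ori v0, v0, imm": imm fills the low 16 bits


def float_to_halves(value):
    """Split a 32-bit IEEE float into its (upper, lower) 16-bit immediates."""
    bits = struct.unpack(">I", struct.pack(">f", value))[0]
    return bits >> 16, bits & 0xFFFF


def halves_to_float(upper, lower=0):
    """Reassemble the float that lui (upper) + ori (lower) leave in v0.

    With lower=0 this is the lesson's "simple" reading of the upper half alone.
    """
    return struct.unpack(">f", struct.pack(">I", (upper << 16) | lower))[0]


def patch_lines(base_addr, value, advanced):
    """Build the 20-type code lines that set the lui (and, if advanced, the ori)
    immediates at base_addr / base_addr+4 to encode `value`."""
    upper, lower = float_to_halves(value)
    lines = ["%08x %04x%04x" % (0x20000000 | base_addr, LUI_V0, upper)]
    if advanced:
        lines.append("%08x %04x%04x" % (0x20000000 | (base_addr + 4), ORI_V0, lower))
    return lines


if __name__ == "__main__":
    print(float_to_halves(0.8))                # (0x3f4c, 0xcccd)
    print(halves_to_float(0x3f4c))             # 0.796875, the simple reading
    print(halves_to_float(0x3f4c, 0xcccd))     # 0.800000011920929, the advanced one
    print(patch_lines(0x002c5ee0, 0.01, advanced=False))
    print(patch_lines(0x002c5ee0, 0.01, advanced=True))
    # What the simple patch really leaves in v0: the untouched ori still ORs in $cccd.
    print(halves_to_float(0x3c23, 0xcccd))     # about 0.0099966, not exactly 0.01
```

Note that with the simple patch the original ori at 002c5ee4 still fills in $cccd, so the value v0 ends up holding is 3c23cccd, slightly under 0.01; the advanced patch sets both halves and gives exactly the float 0.01.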
Review: Today you have learned how to mod simple float values and a simple case of the advanced (two-line) float values.
:::Final Code:::
Simple Way
Force Code (Only 1% of the people in the lobby have to green up to force)
202c5ee0 3c023C23
Advanced Way
Force Code (Only 1% of the people in the lobby have to green up to force)
202c5ee0 3c023C23
202c5ee4 3442D70A
Safe.
Credit for codes used in this tutorial goes to those who created them.
Description: We are going to find floats that are stored outside the function we are working in. We will be working with this string: "ArmingDistance"
:::To do List:::
2. Get a referral for this string; you should come out at this address: 003f09a4. You should see the following code:
Code:
3. Before you become overwhelmed, don't worry about all that code right now. You may be thinking you see the float at this address: 003f09c0, but that line is only being added to another line, like we saw in Lesson 04. It just so happens that:
Code:
lui at, $0041         # 003f09c0: 3c010041  // $0041 is stored into the upper half of at
lwc1 f12, $00fc(sp)   # 003f09c4: c7ac00fc
daddu a0, s3, zero    # 003f09c8: 0260202d
lwc1 f0, $afe0(at)    # 003f09cc: c420afe0  // at + offset $afe0 == 0040afe0, the address the float is read from
Q: Why doesn't it come out as 0041afe0, since $0041 is being stored into at?
A: The 16-bit offset is signed. $afe0 has its top bit set, so it counts as -$5020, and $00410000 - $5020 = $0040afe0: the highest address below 00410000 whose low half is $afe0.
4. Now we want to jump to that address (0040afe0). You can achieve this by pressing the right arrow on address 003f09cc.
5. You'll notice that the data at this address is 41200000. This is a 32-bit float; it is more precise than the 16-bit (upper-half) floats in Lesson 04. For comparison, this is how a 32-bit float is built from two 16-bit halves with a lui/ori pair (this is only an example, not a real address):
2aaaaaaa 3c023ccc
2aaaaaaa 3442cccd = 3ccccccd
6. You can now edit this line if you'd like, but you may notice that almost every string around it is also reading from this same address.
7. We are going to redirect this code so we can edit the float without harming any other strings. We take this address and data: 003f09cc c420afe0. As before, we know $afe0 is the offset that forms the address being redirected. Let's change $afe0 to $afe4. Now the code should read as:
Code:
003f09cc c420afe4
8. Now the code redirects to 0040afe4 instead of 0040afe0. This makes our final code come out to:
203f09cc c420afe4
2040afe4 XXXXXXXX - Float
9. If you haven't guessed already, this code affects the minimum distance at which rockets can explode, which is 10 ft.
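A worked example for steps 3 to 8 above (and for the addiu line found in the bullet-count lesson), added here and not part of the original lesson: it decodes the I-type MIPS words ps2dis shows at 003f09c0..003f09cc, computes the address the lwc1 reads through at (including the signed-offset behaviour behind 0040afe0), shows where the $afe4 redirect points, and reads 41200000 as a float. Register names are the standard MIPS ones ps2dis uses; the instruction words are taken from the lesson.

```python
import struct

# Added example, not the lesson's own code: a minimal I-type decoder for the
# lui / lwc1 / addiu / ori forms that appear in these lessons.

REGS = ["zero", "at", "v0", "v1", "a0", "a1", "a2", "a3",
        "t0", "t1", "t2", "t3", "t4", "t5", "t6", "t7",
        "s0", "s1", "s2", "s3", "s4", "s5", "s6", "s7",
        "t8", "t9", "k0", "k1", "gp", "sp", "fp", "ra"]
OPCODES = {0x09: "addiu", 0x0d: "ori", 0x0f: "lui", 0x31: "lwc1"}


def sign_extend16(imm):
    """A 16-bit offset is signed: $afe0 has its top bit set, so it is -$5020."""
    return imm - 0x10000 if imm & 0x8000 else imm


def decode_itype(word):
    """Split an I-type word into (mnemonic, rs, rt, imm); rs/rt are register numbers."""
    op = word >> 26
    return OPCODES.get(op, "op%02x" % op), (word >> 21) & 0x1f, (word >> 16) & 0x1f, word & 0xffff


def disasm(word):
    """ps2dis-style text for the instruction forms used in these lessons."""
    op, rs, rt, imm = decode_itype(word)
    if op == "lui":                     # imm goes into the upper 16 bits of rt
        return "lui %s, $%04x" % (REGS[rt], imm)
    if op == "lwc1":                    # rt is a floating-point register here
        return "lwc1 f%d, $%04x(%s)" % (rt, imm, REGS[rs])
    return "%s %s, %s, $%04x" % (op, REGS[rt], REGS[rs], imm)


def lui_lwc1_address(lui_word, lwc1_word):
    """Effective address of a lwc1 whose base register was just set by a lui."""
    op1, _, at, upper = decode_itype(lui_word)
    op2, base, _, offset = decode_itype(lwc1_word)
    if op1 != "lui" or op2 != "lwc1" or base != at:
        raise ValueError("expected a lui followed by a lwc1 through the same register")
    # The offset is added as a signed value, which is why $0041 + $afe0 lands
    # just below 00410000 (0040afe0) instead of at 0041afe0.
    return ((upper << 16) + sign_extend16(offset)) & 0xffffffff


def float32(word):
    """Interpret a 32-bit word as an IEEE single (41200000 -> 10.0)."""
    return struct.unpack(">f", struct.pack(">I", word))[0]


if __name__ == "__main__":
    for word in (0x3c010041, 0xc7ac00fc, 0xc420afe0, 0x24020001):
        print("%08x  %s" % (word, disasm(word)))
    print("%08x" % lui_lwc1_address(0x3c010041, 0xc420afe0))  # 0040afe0
    print("%08x" % lui_lwc1_address(0x3c010041, 0xc420afe4))  # 0040afe4, after the redirect
    print(float32(0x41200000))                                 # 10.0
```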
:::32-Bit:::
(NOTE: We're starting off with 32-bit since it's what most people are accustomed to.)
:::16-Bit:::
A better example for this code would be a lui command, like so:
20123456 3c023f80 (where 3f80 is the float we want to mod), so our code could be:
10123456 00004120 (where 4120 is the modified part).
:::8-Bit:::
__________________________________________
Final Codes:
20123456 2442000a - 32-bit
10123456 0000000a - 16-bit
00123456 0000000a - 08-bit
10123456 0000safe