PS2 Hacking: Using PS2Dis - by 1Up

[Lazy Bastard]

Another very good FAQ on hacking with PS2Dis, written by 1Up. (this is also up, with slightly better formatting, in the Hacking FAQs section of the main site - http://GSHI.org/faqs/1UpPS2Dis.html)
______________________________________________



Introduction

In this tutorial, I will explain the methods of making codes for a PS2 game, using the disassembling program, PS2DIS. It will teach you the methods of making codes using the MIPS commands.

Frequently Asked Questions
Table of Contents

• What do I need to make codes?
• What do I do once I have what I need?
• Where can I find the location of a particular code I’m looking to make?
• Once I’ve found a label pertaining to my idea, what do I do?
• I have the label/file, but now what do I do?
• Ok I’m ready to make a code, but how do I do that?

What do I need to make codes?
In order to make codes a game, you will need the disassembling program, PS2DIS, you can pick up your free copy here: http://www.btinternet.com/~ps2rippin...sassembler.zip . You will also need the scus/slus file contained on the disc, the method for obtaining this is using a DVD rom drive. You simply place the disc in the DVD rom drive, and open the DVD up through the location of your DVD rom drive, in the icon “MY COMPUTER.” The file will be labeled scus/slus, followed by numbers. Once, open, you may drag the file to the desktop, where it will save to. If you do not have a DVD rom drive, often you can find people hosting the file for download, or many people will send it to you, via email.

What do I do once I have what I need?
Once you have your scus/slus file, and the PS2DIS, you want to open PS2DIS, and then click File, and then open, the file browser will pop up. Find the location where you saved your file to, and then highlight it, and click open. Once open, you will see the screen has now changed colors and the files have popped up, along with many labels next to them. Next you will want to invoke analyzer, in order to do this, click the analyzer choice, where a drop down menu will appear, next select invoke analyzer. This process will take a little while, depending on the size of the file. If the game your making codes for contains, another file you have gotten from another means, I.E. a demo disc, you can import this file to be added to the list of labels. The method for doing this is clicking the analyzer choice again, and then clicking Import labels from other file (Ctrl-I). The file browser will pop up once again, where you select your file from its saved location, just as you did the previous file. The program will look as if it froze, but give it a few minutes or so and it will be back to normal, and then your ready to hack, once the file you imported is loaded, there is no need to invoke the analyzer again.

Screenshot:


Where can I find the location of a particular code I’m looking to make?
Though it is not as always as easy as just doing this, but the method for finding the location of your is by browsing the labels. You may browse the labels by selecting edit, and then jump to labeled (Ctrl-G). A pop up will then appear containing all labels contained on the scus/slus file. You can use the scroll bar and move up and down the page, or you can type what your looking for into the search field, because the files usually begin with numbers, symbols, or quotes and so on, your not likely to find what your looking for, but some times you will, but the best way is to just use the scroll bar. All files are grouped according to their keywords, so you should be able to find what you need pretty easily.

Screenshot:


Once I’ve found a label pertaining to my idea, what do I do?

Highlight the label and double click it or hit enter. The program will now go directly to the label you selected, where you are ready to browse the files surrounding it, or hack the file itself.

Screenshot:



I have the label/file, but now what do I do?

Most code makers will begin, by browsing the surrounding files/labels, to get an idea of what the code could be doing, many times you will go to the label you have selected and end up in the middle of the full process, which is the reasoning, behind going up or down the page viewing all previous labels and labels to come. You can either mess with the label you have selected/the surrounding labels or the labels you find around it.

[Lazy Bastard]

Ok, I’m ready to hack a code, but how do I do that?

You will need the general idea of understanding MIPS.

MIPS

ADD -- Add
Description: Adds two registers and stores the result in a register
Operation: $d = $s + $t; advance_pc (4);
Syntax: add $d, $s, $t
Encoding: 0000 00ss ssst tttt dddd d000 0010 0000

ADDI -- Add immediate
Description: Adds a register and a signed immediate value and stores the result in a register
Operation: $t = $s + imm; advance_pc (4);
Syntax: addi $t, $s, imm
Encoding: 0010 00ss ssst tttt iiii iiii iiii iiii

ADDIU -- Add immediate unsigned
Description: Adds a register and an unsigned immediate value and stores the result in a register
Operation: $t = $s + imm; advance_pc (4);
Syntax: addiu $t, $s, imm
Encoding: 0010 01ss ssst tttt iiii iiii iiii iiii

ADDU -- Add unsigned
Description: Adds two registers and stores the result in a register
Operation: $d = $s + $t; advance_pc (4);
Syntax: addu $d, $s, $t
Encoding: 0000 00ss ssst tttt dddd d000 0010 0001

AND -- Bitwise and
Description: Bitwise ands two registers and stores the result in a register
Operation: $d = $s & $t; advance_pc (4);
Syntax: and $d, $s, $t
Encoding: 0000 00ss ssst tttt dddd d000 0010 0100

ANDI -- Bitwise and immediate
Description: Bitwise ands a register and an immediate value and stores the result in a register
Operation: $t = $s & imm; advance_pc (4);
Syntax: andi $t, $s, imm
Encoding: 0011 00ss ssst tttt iiii iiii iiii iiii

BEQ -- Branch on equal
Description: Branches if the two registers are equal
Operation: if $s == $t advance_pc (offset << 2)); else advance_pc (4);
Syntax: beq $s, $t, offset
Encoding: 0001 00ss ssst tttt iiii iiii iiii iiii

BGEZ -- Branch on greater than or equal to zero
Description: Branches if the register is greater than or equal to zero
Operation: if $s >= 0 advance_pc (offset << 2)); else advance_pc (4);
Syntax: bgez $s, offset
Encoding: 0000 01ss sss0 0001 iiii iiii iiii iiii

BGEZAL -- Branch on greater than or equal to zero and link
Description: Branches if the register is greater than or equal to zero and saves the return address in $31
Operation: if $s >= 0 $31 = PC + 8 (or nPC + 4); advance_pc (offset << 2)); else advance_pc (4);
Syntax: bgezal $s, offset
Encoding: 0000 01ss sss1 0001 iiii iiii iiii iiii

BGTZ -- Branch on greater than zero
Description: Branches if the register is greater than zero
Operation: if $s > 0 advance_pc (offset << 2)); else advance_pc (4);
Syntax: bgtz $s, offset
Encoding: 0001 11ss sss0 0000 iiii iiii iiii iiii

BLEZ -- Branch on less than or equal to zero
Description: Branches if the register is less than or equal to zero
Operation: if $s <= 0 advance_pc (offset << 2)); else advance_pc (4);
Syntax: blez $s, offset
Encoding: 0001 10ss sss0 0000 iiii iiii iiii iiii

BLTZ -- Branch on less than zero
Description: Branches if the register is less than zero
Operation: if $s < 0 advance_pc (offset << 2)); else advance_pc (4);
Syntax: bltz $s, offset
Encoding: 0000 01ss sss0 0000 iiii iiii iiii iiii

BLTZAL -- Branch on less than zero and link
Description: Branches if the register is less than zero and saves the return address in $31
Operation: if $s < 0 $31 = PC + 8 (or nPC + 4); advance_pc (offset << 2)); else advance_pc (4);
Syntax: bltzal $s, offset
Encoding: 0000 01ss sss1 0000 iiii iiii iiii iiii

BNE -- Branch on not equal
Description: Branches if the two registers are not equal
Operation: if $s != $t advance_pc (offset << 2)); else advance_pc (4);
Syntax: bne $s, $t, offset
Encoding: 0001 01ss ssst tttt iiii iiii iiii iiii

DIV -- Divide
Description: Divides $s by $t and stores the quotient in $LO and the remainder in $HI
Operation: $LO = $s / $t; $HI = $s % $t; advance_pc (4);
Syntax: div $s, $t
Encoding: 0000 00ss ssst tttt 0000 0000 0001 1010

DIVU -- Divide unsigned
Description: Divides $s by $t and stores the quotient in $LO and the remainder in $HI
Operation: $LO = $s / $t; $HI = $s % $t; advance_pc (4);
Syntax: divu $s, $t
Encoding: 0000 00ss ssst tttt 0000 0000 0001 1011

J -- Jump
Description: Jumps to the calculated address
Operation: PC = nPC; nPC = (PC & 0xf0000000) | (target << 2);
Syntax: j target
Encoding: 0000 10ii iiii iiii iiii iiii iiii iiii

JAL -- Jump and link
Description: Jumps to the calculated address and stores the return address in $31
Operation: $31 = PC + 8 (or nPC + 4); PC = nPC; nPC = (PC & 0xf0000000) | (target << 2);
Syntax: jal target
Encoding: 0000 11ii iiii iiii iiii iiii iiii iiii

JR -- Jump register
Description: Jump to the address contained in register $s
Operation: PC = nPC; nPC = $s;
Syntax: jr $s
Encoding: 0000 00ss sss0 0000 0000 0000 0000 1000

LB -- Load byte
Description: A byte is loaded into a register from the specified address.
Operation: $t = MEM[$s + offset]; advance_pc (4);
Syntax: lb $t, offset($s)
Encoding: 1000 00ss ssst tttt iiii iiii iiii iiii

LUI -- Load upper immediate
Description: The immediate value is shifted left 16 bits and stored in the register. The lower 16 bits are zeroes.
Operation: $t = (imm << 16); advance_pc (4);
Syntax: lui $t, imm
Encoding: 0011 11-- ---t tttt iiii iiii iiii iiii

LW -- Load word
Description: A word is loaded into a register from the specified address.
Operation: $t = MEM[$s + offset]; advance_pc (4);
Syntax: lw $t, offset($s)
Encoding: 1000 11ss ssst tttt iiii iiii iiii iiii

MFHI -- Move from HI
Description: The contents of register HI are moved to the specified register.
Operation: $d = $HI; advance_pc (4);
Syntax: mfhi $d
Encoding: 0000 0000 0000 0000 dddd d000 0001 0000

MFLO -- Move from LO
Description: The contents of register LO are moved to the specified register.
Operation: $d = $LO; advance_pc (4);
Syntax: mflo $d
Encoding: 0000 0000 0000 0000 dddd d000 0001 0010

MULT -- Multiply
Description: Multiplies $s by $t and stores the result in $LO.
Operation: $LO = $s * $t; advance_pc (4);
Syntax: mult $s, $t
Encoding: 0000 00ss ssst tttt 0000 0000 0001 1000

MULTU -- Multiply unsigned
Description: Multiplies $s by $t and stores the result in $LO.
Operation: $LO = $s * $t; advance_pc (4);
Syntax: multu $s, $t
Encoding: 0000 00ss ssst tttt 0000 0000 0001 1001

NOP -- no operation
Description: Performs no operation.
Operation: advance_pc (4);
Syntax: nop
Encoding: 0000 0000 0000 0000 0000 0000 0000 0000

Note: The encoding for a NOOP represents the instruction SLL $0, $0, 0 which has no side effects. In fact, nearly every instruction that has $0 as its destination register will have no side effect and can thus be considered a NOOP instruction.
OR -- Bitwise or
Description: Bitwise logical ors two registers and stores the result in a register
Operation: $d = $s | $t; advance_pc (4);
Syntax: or $d, $s, $t
Encoding: 0000 00ss ssst tttt dddd d000 0010 0101

ORI -- Bitwise or immediate
Description: Bitwise ors a register and an immediate value and stores the result in a register
Operation: $t = $s | imm; advance_pc (4);
Syntax: ori $t, $s, imm
Encoding: 0011 01ss ssst tttt iiii iiii iiii iiii

SB -- Store byte
Description: The least significant byte of $t is stored at the specified address.
Operation: MEM[$s + offset] = (0xff & $t); advance_pc (4);
Syntax: sb $t, offset($s)
Encoding: 1010 00ss ssst tttt iiii iiii iiii iiii

SLL -- Shift left logical
Description: Shifts a register value left by the shift amount listed in the instruction and places the result in a third register. Zeroes are shifted in.
Operation: $d = $t << h; advance_pc (4);
Syntax: sll $d, $t, h
Encoding: 0000 00ss ssst tttt dddd dhhh hh00 0000

SLLV -- Shift left logical variable
Description: Shifts a register value left by the value in a second register and places the result in a third register. Zeroes are shifted in.
Operation: $d = $t << $s; advance_pc (4);
Syntax: sllv $d, $t, $s
Encoding: 0000 00ss ssst tttt dddd d--- --00 0100

SLT -- Set on less than (signed)
Description: If $s is less than $t, $d is set to one. It gets zero otherwise.
Operation: if $s < $t $d = 1; advance_pc (4); else $d = 0; advance_pc (4);
Syntax: slt $d, $s, $t
Encoding: 0000 00ss ssst tttt dddd d000 0010 1010

SLTI -- Set on less than immediate (signed)
Description: If $s is less than immediate, $t is set to one. It gets zero otherwise.
Operation: if $s < imm $t = 1; advance_pc (4); else $t = 0; advance_pc (4);
Syntax: slti $t, $s, imm
Encoding: 0010 10ss ssst tttt iiii iiii iiii iiii

SLTIU -- Set on less than immediate unsigned
Description: If $s is less than the unsigned immediate, $t is set to one. It gets zero otherwise.
Operation: if $s < imm $t = 1; advance_pc (4); else $t = 0; advance_pc (4);
Syntax: sltiu $t, $s, imm
Encoding: 0010 11ss ssst tttt iiii iiii iiii iiii

SLTU -- Set on less than unsigned
Description: If $s is less than $t, $d is set to one. It gets zero otherwise.
Operation: if $s < $t $d = 1; advance_pc (4); else $d = 0; advance_pc (4);
Syntax: sltu $d, $s, $t
Encoding: 0000 00ss ssst tttt dddd d000 0010 1011

SRA -- Shift right arithmetic
Description: Shifts a register value right by the shift amount (shamt) and places the value in the destination register. The sign bit is shifted in.
Operation: $d = $t >> h; advance_pc (4);
Syntax: sra $d, $t, h
Encoding: 0000 00-- ---t tttt dddd dhhh hh00 0011

SRL -- Shift right logical
Description: Shifts a register value right by the shift amount (shamt) and places the value in the destination register. Zeroes are shifted in.
Operation: $d = $t >> h; advance_pc (4);
Syntax: srl $d, $t, h
Encoding: 0000 00-- ---t tttt dddd dhhh hh00 0010

SRLV -- Shift right logical variable
Description: Shifts a register value right by the amount specified in $s and places the value in the destination register. Zeroes are shifted in.
Operation: $d = $t >> $s; advance_pc (4);
Syntax: srlv $d, $t, $s
Encoding: 0000 00ss ssst tttt dddd d000 0000 0110

SUB -- Subtract
Description: Subtracts two registers and stores the result in a register
Operation: $d = $s - $t; advance_pc (4);
Syntax: sub $d, $s, $t
Encoding: 0000 00ss ssst tttt dddd d000 0010 0010

SUBU -- Subtract unsigned
Description: Subtracts two registers and stores the result in a register
Operation: $d = $s - $t; advance_pc (4);
Syntax: subu $d, $s, $t
Encoding: 0000 00ss ssst tttt dddd d000 0010 0011

SW -- Store word
Description: The contents of $t is stored at the specified address.
Operation: MEM[$s + offset] = $t; advance_pc (4);
Syntax: sw $t, offset($s)
Encoding: 1010 11ss ssst tttt iiii iiii iiii iiii

SYSCALL -- System call
Description: Generates a software interrupt.
Operation: advance_pc (4);
Syntax: syscall
Encoding: 0000 00-- ---- ---- ---- ---- --00 1100

XOR -- Bitwise exclusive or
Description: Exclusive ors two registers and stores the result in a register
Operation: $d = $s ^ $t; advance_pc (4);
Syntax: xor $d, $s, $t
Encoding: 0000 00ss ssst tttt dddd d--- --10 0110

XORI -- Bitwise exclusive or immediate
Description: Bitwise exclusive ors a register and an immediate value and stores the result in a register
Operation: $t = $s ^ imm; advance_pc (4);
Syntax: xori $t, $s, imm
Encoding: 0011 10ss ssst tttt iiii iiii iiii iiii

__________________________________________________ __________

I’ve overlooked the MIP’s, but how do I put this to use?

Using the Nop as an example, I’ll help make some sense of these MIPS

The type of MIP
NOP -- no operation

Brief description of what it does.
Description: Performs no operation.

The process that will take place.
Operation: advance_pc (4)

What to type as the command.
Syntax: nop

32bit Binary Reference
Encoding: 0000 0000 0000 0000 0000 0000 0000 0000

Screenshot:



The selected code, is a BEQ, if you wanted to NOP it, to make it have no operation in game, you double click the line, and then go down to the command, and type NOP, which is the syntax for NOP.

BEFORE
Screenshot:



AFTER
Screenshot:


*NOTE the changes of the data, the commands are what will give you your data or the 2nd half of your line of code, its very key of getting this correct.

Most common code making procedures

JR RA, this is the syntax for it
Screenshot:


Any time you use this, you will need to NOP the following line
Screenshot:



BEQ, this is the syntax for it, it will be followed by the variables

Before
Screenshot:



After
Screenshot:



*Note, I got my variables from another line of coding and entered them, by putting beq and then the variables.

There is an easy way to do the opposite of beq, and bne, which ill explain here.

If you come across a beq, and want it to do the opposite, simply double click it, and delete the beq, and replace it with bne, it now does the opposite.

If you come across a bne, and want it to do the opposite, simply double click it, and delete the bne, and replace it with beq, it now does the opposite.

More to come later

[LiquidManZero]

That's by far the best description of the various instructions I've seen. No others actually have the data layout in bits (or at least in a readable format like this).

[Lazy Bastard]

Yeah; it's pretty nice. I still really like the "Basic Code Hacking" FAQ by CMP, though, as well as a few others.