ASM Hacking

[LiquidManZero]

An now, a list of the hex values for the opcodes...

These are just the lowest values. Up to the next opcode's hex is the same opcode...

00 - nop
01 - sll
04 - bltz
08 - j
0C - jal
10 - beq
14 - bne
18 - blez
1C - bgtz
20 - li/lui
21 - addi
24 - li/lui
25 - addi
28 - slti
2C - sltiu
30 - andi
34 - li/lui
35 - ori
38 - xori
3C - lui/lui
40 - mfc0
41 - ??? (labeled bc0f)
42 - c0
44 - mfc1
45 - ??? (labeled bc1f)
47 - cop1
48 - cop2
49 - bc2f
4C - cop1x
50 - beql
54 - bnel
58 - blezl
5C - bgtzl
60 - daddi
64 - daddiu
68 - ldl
6C - ldr
80 - lb
84 - lh
88 - lwl
8C - lw
90 - lbu
94 - lhu
98 - lwr
9C - lwu
A0 - sb
A4 - sh
A8 - swl
AC - sw
B0 - sdl
B4 - sdr
B8 - swr
C4 - lwc1
C8 - lwc2
CC - pref
D4 - ldcl
DC - ld
E0 - sc
E4 - swc1
E8 - swc2
F0 - scd
F4 - sdc1
FC - sd

This list is probably messed up in a few places...

You might want to look at this for more info: http://psx.rules.org/system.txt

[helder]

well i have found out that the n64 op codes are alomost identical to the psx CMX from cmgsccc told me,here is a link to a zip with the n64 op codes http://www.dextrose.com/index.php?s=...944#f944,there are quite alot of info there,now just need to know how to hack the damn codes as the opcodes are here.

[LiquidManZero]

Cool. I didn't know N64 used an R4000 processor... Only problem with that list, is if I remember right psx uses the R3000 instruction set, so there will probably be a few things that are on that list that aren't used.

The way I've been hacking asm codes, without a computer, is pretty simple. I find the address for whatever I'm messing with, convert the last 4 digits to decimal, search using the known search. I ignore any results that aren't evenly spaced for 32 bits, being addresses ending with either (0,4,8, or C) + 2 (that is, the results should fit that, the actual instruction is without the +2). After I've found something seemingly valid, I look around for either the first 4 digits of the address in an li/lui op, or those 4 digits + 1 as that might be what it ended up. Even if I don't find the rest of the address, I'll poke around with the op that gave a result. Or around that op.

The only problem with this is it doesn't work too often, and not very well sometimes when it does. There's a better way, involving a full ram dump, and opening it up in ps2dis. This is much better than doing a full ram disassembly with GSCC, as it won't take up 10-20+ MB of disk space as a text file.

If I can remember some of the details, I'll try to explain how CzarDragon's Analog codes can be made... I used to have a log of when he explained it to me... Oh well.

[helder]

yea that would ne helpful,im noth getting what you said in that post about looking for known values,isnt there a better way to look at this?it seems you would know what opcode your looking for b4 you can search it correct?

[LiquidManZero]

Knowing what opcode doesn't help in the search, because you won't know what registers it's using until you find it.

If the variable you're trying to mess with is 80048092, a store op to that address might be: '92 80 67 A5' in the ram... So the only part of the op you can search for is the address. I usually don't actually know exactly what I'm going to find when I go looking, other than if it'll probably be either a load or store op, but not which kind.

This is almost exactly what I tend to do, trying to see what does what to an address, in order:

I find something to search for... I'll just use my example from above: 80048092
I take the last 4 digits, convert it to decimal. So I'd be in this case using the built in known value search for: 32914
There might be no results, and if that's the case, I try changing the address by one or so and searching again... If there are any results, like these made up ones:

80010224 8092
80010422 8092 <-- There's no way in hell this one would be a valid piece of code.
80021008 8092
8005827C 8092

The two not marked have the right alignment to be possible asm. The one that I pointed out, might actually be asm, but only some random op that happened to have the same hex as the address I'm searching.

Right before 80010224 could be something like: 10 80 22 24, and that usually means that it'd be an op involving 80108092 and not 8004. If the lui op there had 8005 in it, that might be the one I'm looking for. I don't know enough about asm to have any idea why that happens sometimes...

80021008 might have 04 80 61 24 before it, and the op itself could be 92 80 62 AC, and I change that to 92 80 00 24 to stop it from doing much. If it does affect the variable, that's the code right there...

This is a really awful means of hacking asm, but it does work without having anything but a gspro as far as hardware.

Searching for an op like this can be useful to quickly check to see if the variable has any direct asm dealing with it, and to see if there's anything simple that might be done to it.

[helder]

ok boss man i get it now,good example and explanation,now applying it to a game is sumthing i will try when i have some time and its sum easy ass game to hack.

[LiquidManZero]

If you've got Chrono Cross, I could point out a really easy thing it has to try hacking like this. And you can get to it from a new game.

[helder]

yes my friend i do have it,as a matter of fact i have all usa Square games,wel with the exception of 1 or 2 (einhender).

[LiquidManZero]

Wow. Heh, if you ever want Einhander, I've got it.

In Chrono Cross, on the status screen, if you hit triangle you can move the character's model around and zoom in/out. But it's limited as to how far in any direction it'll go. Doing something like what I described, it's pretty easy to remove the limits.

[helder]

but first i would have to make a ram code or GS code before i go hunting it down in asm right?