First, something about the structure of the codes. The codes we are talking about are HEX codes (decrypted), because that's the original code. If you want to create codes for the AR2, you have to encrypt them before you can use them, but if you're the lucky owner of an XP2, you don't have to: it works with decrypted and with encrypted codes. How to encrypt them is explained
A normal one-row HEX code consists of three parts:
"Command" - the command line of the code
"Address" - it's where you can find the code and it tells you what the code is doing
"Value/Digit" - together with the "Command" it specifies how the code is working
C = Command
A = Address
D = Digit
C AAAAAAA DDDDDDDD
2 027A569 FFFFFFFF <----- this is a normal HEX/RAW code
There also are some other types of codes, but for now they aren't important. (You can find them in the "Code-Type" guide.)
First you have to download "PS2Dis", made by Hanimar. You can find it in the "Tools" section of this website.
To create codes, you either have to own a DVD drive or know someone who does. You have to put the game DVD in the drive and copy the ELF file of the game. That's the file where you can find the addresses to create codes. If neither you nor your friends have a DVD drive, you have to ask somebody on the Internet to send you the file (it's about 3MB).
That's what the files can look like.
When you have the file, open it with PS2Dis. Now you will see a lot of descriptions and numbers. In the leftmost column there are many numbers which look a little bit like codes. Those are the addresses from which you will create the codes. They are all in HEX format.
Now let's start creating codes ^^
But something you have to know: creating codes needs patience and time! But with some practice you will get faster, so don't worry.
There are different ways of creating codes, and I will explain the easiest of them to you.
Hacking with Labels:
(That's the easiest and fastest method of creating codes.)
Labels you can use without problems are the ones which are not written in "".
The first example is GTA3.
We open the file, start the Invoke Analyzer and look for some useful labels.
One of them is the label RespraysAreFree_8CGarages.
We click on the label and jump to the address.
Address: 00418490 00000000
The only thing we can do is to try out some values (but don't change the address!)
00418490 0000000 0 --> nothing happens
00418490 0000000 1 --> Free Resprays
00418490 0000000 2 --> game freezes
So the code we're looking for is 00418490 00000001.
(And remember: this is a HEX code. It works with the XP2, but if you use the AR2 you have to encrypt it first.)
You ask why the command is 0 and not 1 or 2?
That's what I'm explaining now. The command depends on the value.
If the value is less than or equal to 0000 00FF, the command is 0.
If the value is less than or equal to 0000 FFFF, the command is 1.
If the value is less than or equal to FFFF FFFF, the command is 2.
For better understanding, here's an example:
Tidus MAX HP (Final Fantasy X)
We have a working PAL version code for the XP2 from xploder.net and decrypt it.
Tidus MAX HP
We look at the command of the code. It's 1, so the value is limited. We know that the maximum size of the value is 0000 FFFF if the command is 1. We know that FFFF stands for the decimal number 65535 (if you don't know it, use the Calculator). But in FFX the maximum HP is 99,999.
We want Tidus to have 99,999 HP, so we change the command from 1 to 2.
The maximum value for this command is FFFF FFFF, which is 4294967295 in decimal, so the limit is high enough now.
We only have to convert 99,999 to HEX now (1869F) and put the new value into the codes:
2 031EAB8 000 1869F
2 031EAC0 000 1869F
Don't forget: the addresses are the same, we only changed the values/digits and the command!
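The command rule above, written out as a small helper. This is an added example, not a tool from the guide: make_code() picks the command digit from the value's width and widen_code() does the Tidus step (command 1 to 2); the starting code "1031EAB8 0000270F" is a constructed sample, since the guide does not show the original value.

```python
# Added example (not from the original guide): build a one-row HEX/RAW code
# from an address and a value, picking the command digit by the value's width
# as the guide describes (0 = up to 00FF, 1 = up to FFFF, 2 = up to FFFFFFFF).
from typing import Optional


def command_for(value: int) -> int:
    """Smallest command digit whose write size can hold value."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value must fit in 32 bits")
    if value <= 0xFF:
        return 0
    if value <= 0xFFFF:
        return 1
    return 2


def make_code(address: int, value: int, command: Optional[int] = None) -> str:
    """Format 'CAAAAAAA VVVVVVVV'. The address field is 7 hex digits.

    command=None picks the smallest fitting command; an explicit command is
    kept (the GTC Africa codes force 1), but a command too narrow for the
    value is rejected instead of silently truncating it.
    """
    if not 0 <= address <= 0xFFFFFFF:
        raise ValueError("address must fit in 7 hex digits")
    needed = command_for(value)
    if command is None:
        command = needed
    elif command < needed:
        raise ValueError(f"command {command} cannot hold {value:#x}; needs {needed}")
    return f"{command:X}{address:07X} {value:08X}"


def widen_code(code: str, new_value: int) -> str:
    """Rewrite the value of an existing code, raising the command digit when
    the new value no longer fits: the Tidus MAX HP step (command 1 -> 2)."""
    head, _old_value = code.split()
    address = int(head[1:], 16)      # drop the leading command digit
    return make_code(address, new_value)


if __name__ == "__main__":
    # Constructed starting code for the Tidus example (the guide omits the original value).
    print(widen_code("1031EAB8 0000270F", 99999))   # 2031EAB8 0001869F
    print(make_code(0x0418490, 1))                  # 00418490 00000001
```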
That's all there is to tell you about hacking with labels. Here are some labels you could look for in games.
As another example of hacking with labels we will take the racing game GTC Africa. (Thanks to Nachbrenner.)
We first start the "Invoke Analyzer". Now we're looking for labels which sound useful for a racing game, e.g. car, lap, track, time, championship, AI and so on.
In the ELF file of GTC Africa we found an interesting label named CheatUnlockAll.
When we choose the label, we jump to the addresses.
We double click on the label.
001aa660:24050001 ,li a1, a1=0x00000001
001aa664:3c010028 ,lui at, at=0x00280000
001aa668:ac25a588 ,sw a1, [_0027a588]
001aa66c:3c010028 ,lui at, at=0x00280000
001aa670:ac25a594 ,sw a1, [_0027a594]
001aa674:3c010028 ,lui at, at=0x00280000
001aa678:ac25a598 ,sw a1, [_0027a598]
Now we look at the "sw" instructions: three times they link to other addresses. But how do we get the digit?
Normally unlock codes have the digit 00000001, so we test this first.
The code hacker who made this code (Nachbrenner) took the command "1" and let the code run in 16 bits (I don't know why he took this command, because normally when you don't know in how many bits the address runs you choose the command "2", which runs the code in the normal 32 bits, but maybe he tested it out this way).
So we get these codes:
1 027A588 00000001
1 027A594 00000001
1 027A598 00000001
Try the codes one after another. We find out that the codes are:
Unlock All Challenges
Unlock All Championships
Unlock All Single Races
In this case we find in PS2Dis what to do with the code and what value it has. But sometimes we don't get that much help.
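How PS2Dis arrives at the [_0027a588] annotations, and how the three codes fall out of it, shown as an added example (not the guide's or PS2Dis's own code): the seven instruction words from the listing are decoded as MIPS I-type instructions, the lui/li register writes are tracked, and each sw yields its target address and stored value.

```python
# Added example (not the guide's own tooling): decode the seven instruction
# words PS2Dis lists for CheatUnlockAll, recover the three addresses the
# routine writes to, and format them as the command-1 unlock codes.
# The PS2's CPU is MIPS, so lui/sw/li are ordinary MIPS I-type instructions.
ADDIU, ORI, LUI, SW = 0x09, 0x0D, 0x0F, 0x2B


def decode_itype(word: int):
    """Split a 32-bit I-type instruction into (opcode, rs, rt, imm16)."""
    return word >> 26, (word >> 21) & 0x1F, (word >> 16) & 0x1F, word & 0xFFFF


def sign_extend16(imm: int) -> int:
    """sw/addiu offsets are signed: 0xA588 means -0x5A78."""
    return imm - 0x10000 if imm & 0x8000 else imm


def trace_stores(words):
    """Walk the words, tracking registers written by li/lui/ori, and return
    (target_address, stored_value) for every sw; this is what the listing's
    [_0027a588] annotation is showing."""
    regs = [0] * 32                      # $zero stays 0; nothing here writes it
    stores = []
    for word in words:
        op, rs, rt, imm = decode_itype(word)
        if op == ADDIU and rt:           # li rt, imm is addiu rt, zero, imm
            regs[rt] = (regs[rs] + sign_extend16(imm)) & 0xFFFFFFFF
        elif op == LUI and rt:           # upper halfword of the target address
            regs[rt] = imm << 16
        elif op == ORI and rt:
            regs[rt] = regs[rs] | imm
        elif op == SW:                   # address = rs + signed offset
            addr = (regs[rs] + sign_extend16(imm)) & 0xFFFFFFFF
            stores.append((addr, regs[rt]))
    return stores


def unlock_codes(words, command: int = 1):
    """One 'CAAAAAAA VVVVVVVV' code per store; command 1 = 16-bit, as Nachbrenner chose."""
    return [f"{command:X}{addr & 0xFFFFFFF:07X} {val:08X}" for addr, val in trace_stores(words)]


# The instruction words from the listing at 001aa660..001aa678.
CHEAT_UNLOCK_ALL = [0x24050001, 0x3C010028, 0xAC25A588,
                    0x3C010028, 0xAC25A594, 0x3C010028, 0xAC25A598]

if __name__ == "__main__":
    for code in unlock_codes(CHEAT_UNLOCK_ALL):
        print(code)      # 1027A588 00000001, 1027A594 00000001, 1027A598 00000001
```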
Hacking with Labels in quotes:
Not every game has labels which even look like codes. Most labels are in " " and take us to a so-called byte routine. A byte routine only shows how the name of the label is built and is useless for us. But we're lucky to have PS2Dis, which helps us out.
Ok... let's take the game "Guilty Gear XX" as an example.
We start "Invoke Analyzer" and look into the labels. We see some trash in it... but then we find the label "Player Load %d %d\n".
Press Enter and we come to the address 0030b4c0.
Ok... now we see where the label is located, but this is not our real address...
this is just the part where the name of the label is built.
So we press Space Bar + F3. Now PS2Dis brings us to address 0010589c.
Ok.... now we are in the right part. Directly below we see two addresses with the op "lh" (load halfword) which have a referrer.
These referrers link to other addresses which very often hold the effect we want. So we mark the address 001058a0 with the spacebar and press "right" and come now to the address
Now you should ask yourself why PS2Dis brings you to 00289c50 instead of 00289c52..... this is very easy, because PS2Dis shows us the addresses in 32 bits, which means that the addresses are always shown in steps of "4" (0 -> 4 -> 8 -> C -> 0 .....).
Ok, but how do we choose the right code now.... you remember the two addresses with the op "lh" (load halfword)? This op tells us that the address there runs in 16 bits (because the op "word" runs in 32 bits and the "half" of a "word" is 16 bits). So what do we have to do now?
Easy, we test the code in 16 bits too! For this we need the command "1" (1 xxxxxxx 0000????).
"Player Load" means that something should be loaded into the game, so it would not be that good if we disabled it with "0000". Instead of 0000 we now choose "0001" and see what happens.....
10289c50 00000001 <--- Play Sol Badguy as Player 1
10289c52 00000001 <--- Play Sol Badguy as Player 2
When we change the value again (0002, 0003, ...) you will get all the players which are available.
Cool, we have now found our Player Mod :)
Hacking with Strings:
Now we come to an advanced part in the art of code hacking. The first thing is that you get information about the game you want to hack.
For example, how many Health Points you start with and what the maximum number of Health you can get is, etc.
This method deals with searching for strings/values which are sometimes written into ELF files and not just into the RAM.
Let's take as an example how the FFX-2 PAL Health code was hacked.
Ok, now comes the part where you have to get information about the game.
In FFX-2 your Health is shown as Health Points (HP). The minimum of HP you can get is 1 HP. The maximum is 9999 HP, but with a special item you can get 99999 HP.
Let's see how we can use this information for hacking a code.
First we load the FFX-2 PAL ELF into a disassembler (in this example I used PS2Dis) and start Invoke Analyzer. Now we start by searching for specific strings. We know that the maximum value is 99999, which is 1869F in Hex/Raw. Now we press Ctrl + F and enable the option "As hex string". When you don't know exactly how the op-code is built but know which value it has in the game, we take the last 4 digits. In this example it is 869F. But if we were to write this into the search box now, it would not find the right results. We have to swap the bytes in these 4 digits: 869F -> 9F86 (the ELF stores the bytes of a word in little-endian order, so the low byte comes first). If you notice, all we did there was put the last 2 digits in front; you do this with any hex value when using this method.
So we write 9F86 into the search option and press OK. The first address PS2Dis brings us to is 001cf604.
This area with a bunch of addresses doesn't look that bad; look at the parts which stand in "( )" behind. We see some values which are often used in this game: "0001869f"; "0000270F"; "000000FF".
So we test the addresses in this area with different values. But we see it doesn't change anything or just freezes the game. We may have modified other options in the game that we don't see yet. But ok... we search again..... Press F5 to get the next search result.
This brings us to the address "001d1564" (now you can see why we just search for the last 4 digits.... the op-code is 34c6869f, so if we were to search for 1869f instead of 869f it would not have shown us this address, and we could have missed it).
So we look into this cluster of addresses and see that this address is also not bad. Look at this....
lui a2, $0001
addiu v1, zero, $270f (shown as li)
andi v0, v0, $0001
ori a2, a2, $869f
This is the part where the Health values are set.
lui a2, $0001 and ori a2, a2, $869f belong together: this means that the value 0001 is stored in the first four digits of a value (0001xxxx), and ori a2, a2, $869f stores 4 digits (in this example 869f) in the last 4 digits of a value (xxxx869f). We see that all results belong to register a2, so the digits come together and build the value 0001869f.
addiu v1, zero, $270f means that a value is stored in register v1 (v1 = 0 + 270f).
This was just a little example, which is not that important for us. Now we come to the boring part..... testing the addresses with different values...
"201d155c 2403270f" or 201d155c 240300FF or something like this... but damn... nothing seems to work for the described addresses. Ok, but we don't give up, look at the addresses in this bunch and test them. So we come to the jal op at address 001d1570. But how do we give a jal a constant value... we have to change the op code jal into something different. We want to store a constant, so we take the op "addiu". Now we need a register where we can store the result, one which is not used in this routine, btw, so that the game allows us to use it and will not freeze. I chose register v0. The op-code should look like this: addiu v0, zero, $270f ($270f is the value we want to get). Double-click on the address and type this ("addiu v0, zero, $270f") into the command line. It will now give you the value "2402270f". So we test the code 201d1570 2402270f and see it gives us 9999 Health Points :)
Now we have the code for Health.... Another interesting thing: below we see the value $03E7, which is the maximum value for MP.... Since the health code lies on a jal op, we test the next jal too.....
We take the same op as before, just with the value 03E7, to get the full 999 MP... and after a quick test we see we got all 999 MP :)
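The two mechanical steps of this method, as an added example that is not the guide's or PS2Dis's own code: building the byte-swapped "9F86" search pattern and scanning a dump for it, and assembling "addiu v0, zero, $270f" into 2402270f for the code 201d1570 2402270f. The dump bytes are constructed here from the four instructions listed above, placed so the ori word lands at 001d1564; the register and opcode tables are the standard MIPS encodings.

```python
# Added example (not the guide's own tooling) covering the two mechanical
# steps of string hacking: turning the hunted value (99999 = 0x1869F) into the
# byte-swapped "9F86" search pattern and scanning for it, then assembling the
# replacement "addiu v0, zero, $270f" into 2402270f and wrapping it in a
# command-2 code for the jal's address. The image bytes are constructed here.
import struct

REG = {"zero": 0, "at": 1, "v0": 2, "v1": 3, "a0": 4, "a1": 5, "a2": 6}
OPCODE = {"addiu": 0x09, "andi": 0x0C, "ori": 0x0D, "lui": 0x0F}


def search_pattern(value: int) -> str:
    """Low halfword of value as PS2Dis's little-endian hex string: 0x1869F -> '9F86'."""
    return struct.pack("<H", value & 0xFFFF).hex().upper()


def find_halfword(image: bytes, value: int, base: int) -> list:
    """Load addresses of aligned words whose immediate field holds the pattern."""
    needle = bytes.fromhex(search_pattern(value))
    return [base + i for i in range(0, len(image) - 1, 4) if image[i:i + 2] == needle]


def assemble_itype(mnemonic: str, rt: str, rs: str, imm: int) -> int:
    """Encode an I-type MIPS instruction: opcode(6) rs(5) rt(5) imm(16)."""
    return (OPCODE[mnemonic] << 26) | (REG[rs] << 21) | (REG[rt] << 16) | (imm & 0xFFFF)


def lui_ori_value(upper: int, lower: int) -> int:
    """What 'lui a2, $0001' + 'ori a2, a2, $869f' leave in a2: 0x0001869F."""
    return ((upper & 0xFFFF) << 16) | (lower & 0xFFFF)


def patch_code(address: int, word: int) -> str:
    """A command-2 (32-bit) code that overwrites the instruction at address."""
    return f"2{address & 0xFFFFFFF:07X} {word:08X}"


# Constructed little-endian dump of the four instructions from the guide,
# placed so that the ori word lands at 001d1564 as in the walkthrough.
IMAGE_BASE = 0x001D1558
IMAGE = struct.pack("<4I", assemble_itype("lui", "a2", "zero", 0x0001),
                    assemble_itype("addiu", "v1", "zero", 0x270F),
                    assemble_itype("andi", "v0", "v0", 0x0001),
                    assemble_itype("ori", "a2", "a2", 0x869F))

if __name__ == "__main__":
    print(search_pattern(0x1869F))                                        # 9F86
    print([hex(a) for a in find_halfword(IMAGE, 0x1869F, IMAGE_BASE)])    # ['0x1d1564']
    print(patch_code(0x001D1570, assemble_itype("addiu", "v0", "zero", 0x270F)))  # 201D1570 2402270F
```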
Ok, this was just a little example of how to hack with strings; hopefully it will help you a little bit :)
Codemasters Project Codehacker Team