By Nachbrenner
Courtesy of Nachbrenner@XploderFreax.de
This tutorial requires basic knowledge of R5900 machine code. Stop reading if you do not know what that means.
The following examples are based on the game "GTC Africa PAL SLES50472".
-----------------------------
Method 1 "HandleCmdLineArgs":
-----------------------------
Search for "jal HandleCmdLineArgs".
jal 0x0010a7b0 # 00109d94:0c0429ec v HandleCmdLineArgs
-> Mastercode 1
F0109D94 0000000E
------------------------
Method 2 "MainGameLoop":
------------------------
Search for "jal MainGameLoop".
jal 0x001085c0 # 0010a140:0c042170 ^ MainGameLoop
-> Mastercode 2
F010A140 000001FD
--------------------------------------------
Method 3 "Entrypoint / Memcpy +3":
--------------------------------------------
This method is not compatible with PAL2NTSC and Y-Fix codes!
Search for "entrypoint", which is usually 00100008 or 00200008.
Search for "jal memcpy" inside the "scepadread" routine. Add 3 to that address (in the example below, 0011FC58 becomes 0011FC5B).
ENTRYPOINT:
lui v0, 0x0027 # 00100008:3c020027 v0=s_pInput
...
jal 0x0011e620 # 0011fc58:0c047988 ^ memcpy
-> Mastercode 3
F0100008 0011FC5B
----------------
Method 4 "Main":
----------------
Search for "jal main".
ENTRYPOINT: #
# Disassembly of the example game's entry point. The right-hand column is
# address:encoding followed by the disassembler's annotation.
# The "jal main" at 00100098 is the hook site used for Mastercode 4.
lui v0, 0x0027 # 00100008:3c020027 v0=s_pInput
# (instructions at 0010000c..00100054 are not shown in this excerpt)
# the syscall number lives in v1, which is set somewhere in the elided code above
syscall (00000) # 00100058:0000000c
# "or rd, rs, zero" is the MIPS register-move idiom: sp = v0, the syscall's return
# value. The annotation suggests a stack/thread setup call -- not verified here.
or sp, v0, zero # 0010005c:0040e825 sp=oldGameMode
# a0 = 0x00630000 + 0x9880 = 0x00639880 (__bss_end); a1 = _heap_size.
# addiu sign-extends its 16-bit immediate, so a1 = 0 + 0xffff = 0xffffffff (-1),
# not 0x0000ffff.
lui a0, 0x0063 # 00100060:3c040063 a0=0x00630000
lui a1, 0x0000 # 00100064:3c050000
addiu a0, a0, 0x9880 # 00100068:24849880 a0=__bss_end
addiu a1, a1, 0xffff # 0010006c:24a5ffff a1=_heap_size
# v1 = 0x3d selects the syscall invoked next; with a0/a1 = heap end/size this looks
# like a heap setup call -- TODO confirm against the EE kernel's syscall table
addiu v1, zero, 0x003d # 00100070:2403003d v1=0x0000003d
syscall (00000) # 00100074:0000000c
# MIPS branch delay slot: the instruction following each jal/j executes before
# the target runs (the nop here is an empty delay slot)
jal 0x001354b0 # 00100078:0c04d52c v _InitSys
nop # 0010007c:00000000
# delay slot sets a0 = 0 before FlushCache runs
jal 0x0012da60 # 00100080:0c04b698 v FlushCache
or a0, zero, zero # 00100084:00002025
# ei = enable interrupts (R5900 EE instruction)
ei # 00100088:42000038
# v0 = 0x005f3580 (_args); a0 = the first 32-bit word stored at _args
lui v0, 0x005f # 0010008c:3c02005f v0=0x005f0000
addiu v0, v0, 0x3580 # 00100090:24423580 v0=_args
lw a0, 0x0000(v0) # 00100094:8c440000 a0=_args
# Mastercode 4 hook site. The delay slot below runs first, so main is entered with
# a0 = *(_args) and a1 = _args + 4 (presumably argc/argv -- not confirmed here)
jal 0x00109d70 # 00100098:0c04275c v main
addiu a1, v0, 0x0004 # 0010009c:24450004 a1=0x005f3584
# when main returns, control continues here and jumps to Exit (its delay slot
# is outside this excerpt)
j 0x0012d400 # 001000a0:0804b500 v Exit
-> Mastercode 4
F0100098 0000000E
-----------------
Some games also seem to be protected against cheat-code devices.
These need a more sophisticated mastercode (MC) that varies from game to game.
Study the codes for RECVX and Jak&Daxter.
Courtesy of Nachbrenner@XploderFreax.de
This tutorial requires basic knowledge of R5900 machine code. Stop reading if you do not know what that means.
The following examples are based on the game "GTC Africa PAL SLES50472".
-----------------------------
Method 1 "HandleCmdLineArgs":
-----------------------------
Search for "jal HandleCmdLineArgs".
jal 0x0010a7b0 # 00109d94:0c0429ec v HandleCmdLineArgs
-> Mastercode 1
F0109D94 0000000E
------------------------
Method 2 "MainGameLoop":
------------------------
Search for "jal MainGameLoop".
jal 0x001085c0 # 0010a140:0c042170 ^ MainGameLoop
-> Mastercode 2
F010A140 000001FD
--------------------------------------------
Method 3 "Entrypoint / Memcpy +3":
--------------------------------------------
This method is not compatible with PAL2NTSC and Y-Fix codes!
Search for "entrypoint", which is usually 00100008 or 00200008.
Search for "jal memcpy" inside the "scepadread" routine. Add 3 to that address (in the example below, 0011FC58 becomes 0011FC5B).
ENTRYPOINT:
lui v0, 0x0027 # 00100008:3c020027 v0=s_pInput
...
jal 0x0011e620 # 0011fc58:0c047988 ^ memcpy
-> Mastercode 3
F0100008 0011FC5B
----------------
Method 4 "Main":
----------------
Search for "jal main".
ENTRYPOINT: #
# Disassembly of the example game's entry point. The right-hand column is
# address:encoding followed by the disassembler's annotation.
# The "jal main" at 00100098 is the hook site used for Mastercode 4.
lui v0, 0x0027 # 00100008:3c020027 v0=s_pInput
# (instructions at 0010000c..00100054 are not shown in this excerpt)
# the syscall number lives in v1, which is set somewhere in the elided code above
syscall (00000) # 00100058:0000000c
# "or rd, rs, zero" is the MIPS register-move idiom: sp = v0, the syscall's return
# value. The annotation suggests a stack/thread setup call -- not verified here.
or sp, v0, zero # 0010005c:0040e825 sp=oldGameMode
# a0 = 0x00630000 + 0x9880 = 0x00639880 (__bss_end); a1 = _heap_size.
# addiu sign-extends its 16-bit immediate, so a1 = 0 + 0xffff = 0xffffffff (-1),
# not 0x0000ffff.
lui a0, 0x0063 # 00100060:3c040063 a0=0x00630000
lui a1, 0x0000 # 00100064:3c050000
addiu a0, a0, 0x9880 # 00100068:24849880 a0=__bss_end
addiu a1, a1, 0xffff # 0010006c:24a5ffff a1=_heap_size
# v1 = 0x3d selects the syscall invoked next; with a0/a1 = heap end/size this looks
# like a heap setup call -- TODO confirm against the EE kernel's syscall table
addiu v1, zero, 0x003d # 00100070:2403003d v1=0x0000003d
syscall (00000) # 00100074:0000000c
# MIPS branch delay slot: the instruction following each jal/j executes before
# the target runs (the nop here is an empty delay slot)
jal 0x001354b0 # 00100078:0c04d52c v _InitSys
nop # 0010007c:00000000
# delay slot sets a0 = 0 before FlushCache runs
jal 0x0012da60 # 00100080:0c04b698 v FlushCache
or a0, zero, zero # 00100084:00002025
# ei = enable interrupts (R5900 EE instruction)
ei # 00100088:42000038
# v0 = 0x005f3580 (_args); a0 = the first 32-bit word stored at _args
lui v0, 0x005f # 0010008c:3c02005f v0=0x005f0000
addiu v0, v0, 0x3580 # 00100090:24423580 v0=_args
lw a0, 0x0000(v0) # 00100094:8c440000 a0=_args
# Mastercode 4 hook site. The delay slot below runs first, so main is entered with
# a0 = *(_args) and a1 = _args + 4 (presumably argc/argv -- not confirmed here)
jal 0x00109d70 # 00100098:0c04275c v main
addiu a1, v0, 0x0004 # 0010009c:24450004 a1=0x005f3584
# when main returns, control continues here and jumps to Exit (its delay slot
# is outside this excerpt)
j 0x0012d400 # 001000a0:0804b500 v Exit
-> Mastercode 4
F0100098 0000000E
-----------------
Some games also seem to be protected against cheat-code devices.
These need a more sophisticated mastercode (MC) that varies from game to game.
Study the codes for RECVX and Jak&Daxter.