NetCheat - Net-based PlayStation 2 Cheat Device


    Source code available on my GitHub.


    NOTE: NetCheat requires a PS2 and a PC with an internet connection. Please read the readme.txt for details on how to set up the network configuration.

    I began working on this thing July of 2012 and was incapable of completing it due to lack of programming knowledge. After 2 months I stopped working on it and began working on CL-LiveDebug. Now I've taken a break from CL-LiveDebug to finish NetCheat. The goal was to create something far superior to CodeMajic in code types, number of codes, and compatibility with ESR and OPL. Now that I have reached those goals, I have decided to release this as an open source cheat device for anyone to touch and use.

    The code types, for the most part, follow that of CodeBreaker. I have made a few changes to a couple and added a few as well. The largest change to take note of is the mastercode implementation. Since NetCheat is hooked to the syscall handler and not to the game itself, mastercodes serve no purpose. However I have created a use for the conditional mastercode (9) which can be read in the list below. If you would like this to execute close to the game loop I would suggest adding this to the top of your codelist: B0000000 0000000E. That forces everything below to only be executed 1 out of 0xE times. That value may differ per game.

    I'd like to thank Pyriel for such a thorough guide published on the CMP.net guides. For all code types not listed below, please refer to that guide.
    Code:
    NOTE: NetCheat only takes RAW codes.
    
    Conditional Types::
    0 - Equal-to (value = xxxx).
    1 - Not equal-to (value != xxxx).
    2 - Less than or equal (value <= xxxx).
    3 - Greater than or equal (value >= xxxx).
    4 - Mask unset (value AND xxxx = 0). Test to see if particular bits are unset (all bits must be unset). Useful for joker codes.
    5 - Mask set (value AND xxxx != 0). Test to see if particular bits are set (any of the bits). Useful for joker codes.
    6 - Similar to 5, except all the bits in the mask must be set for the next codes to execute ([value AND xxxx] - xxxx = 0).
    
    ------------------------- Code Type 4
    Multi-address Write (slide-fill code)
    4aaaaaaa wcccssss
    xxxxxxxx iiiiiiii
    
    a: 25-bit address.
    w: Width (0 = 32 bit, 1 = 16 bit, 2 = 8 bit)
    c: Number of times to write.
    s: Step value (w = 0: s = (s * 4), w = 1: s = (s * 2), w = 2: s = s).
    x: 32-bit value.
    i: 32-bit value increment.
    
    By Pyriel:
    The 32-bit value xxxxxxxx will be stored at the address given by aaaaaaa.
    The count ccc will be decremented.
    The step value ssss will be multiplied by (w = 0:4; w = 1:2; w = 2:1) and added to the address.
    The value xxxxxxxx will have iiiiiiii added to it.
    This process will continue until ccc reaches zero.
    Basically, write to ccc addresses, while jumping ssss * (4 - (w * 2)) addresses in between.
    
    Example:
    40EE7174 00060002
    00000063 00000001
    ------------------------- Code Type 9
    Conditional mastercode
    9aaaaaaa vvvvvvvv
    a: Address
    v: 32-bit value
    
    NetCheat will read the value at aaaaaaa and compare it with vvvvvvvv.
    If they are equal, NetCheat will execute its engine.
    Otherwise it will not and no cheats will run.
    If you do not include a 9 type mastercode, NetCheat will run the moment it is hooked and a syscall is called.
    
    Example:
    9013BA48 00832021
    ------------------------- Code Type A
    Kernel write
    Aaaaaaaa vvvvvvvv
    a: Address
    v: 32-bit value
    
    The value v will be stored at 0x8aaaaaaa (KSEG0)
    
    Example:
    A0070000 1337D00D
    ------------------------- Code Type B
    Delay
    B0000000 0vvvvvvv
    
    v: 28-bit value
    
    The engine will execute all the codes above vvvvvvv times before executing the one below.
    
    Example:
    B0000000 00000100
    ------------------------- Code Type F1
    Execute Data / Hook - Idea by Gtlcpimp
    F10000dd 0aaaaaaa
    
    a: Address
    d: 8-bit value
    
    The engine will run dd times before executing a jalr to aaaaaaa.
    
    Example:
    F100000E 000C0000
    
    ------------------------- Code Type F2
    Switch Conditional
    F200nnnn taaaaaaa
    xxxxxxxx yyyyyyyy
    
    n: number of lines to execute under it if on
    t: comparison type (0 = 8 bit, 1 = 16bit, 2 = 32bit)
    a: address
    x: off value
    y: on value
    
    Example:
    F2000001 101EE682
    0000FFF9 0000FFF6
    20347E8C 00000000
    
    ------------------------- Code Type F3
    Find Replace (should always be jokered)
    F30wcccc 00000000
    xxxxxxxx yyyyyyyy
    aaaaaaaa bbbbbbbb
    
    
    c: number of times to replace
    w: width (0 = 8, 1 = 16, 2 = 32)
    x: find
    y: replace
    a: address 1
    b: address 2
    
    
    Example:
    F3020000 00000000
    4D554C54 41414141
    00100000 00600000
    
    
    ------------------------- Code Type F4
    Address Compare
    F400nnnn 00000t0w
    aaaaaaaa bbbbbbbb
    
    
    n: number of lines to execute under it if on
    t: comparison type (refer to conditional types above)
    w: width of comparison (0 = 8bit, 1 = 16bit, 2 = 32bit)
    a: address 1
    b: address 2
    
    
    Example:
    F4000001 00000002
    000FFFF4 000FFFF0
    20347E8C 00000000
    Miscellaneous:
    Code:
    Estimated code limits:
    OpenPS2Loader:  8192 lines of code
    ESR:            Unknown (probably the same as a disc)
    Disc:           18944 lines of code
    DEBUG mode:     2832 lines of code
    
    0x80050000 - 0x80075000 - Code range. When running with another app that will vary.
    0x80079000 - ~0x800E0000 - Code range DEBUG mode.
    0x80047000 - ~0x80048000 - Engine install location
    Included with NetCheat is "Joker That" which is a complete knock-off of Joker It! by Rathlar. The difference is that Joker That supports 8 and 16 bit options and all the comparison types.




    A video I made to explain a few things:



    Both the source of NetCheat and NetCheat PC Manager can be accessed at my GitHub. If you want to read through the Engine and possibly correct any errors made, here is a direct link: https://github.com/Dnawrkshp/NetChea...s/NCEngine.cds

    Credits:
    Berion: GUI related functions
    misfire: cb2util
    ORCXodus: CBUtil (a GUI for cb2util) and the GUI of the manager
    Dnawrkshp: Engine, PS2 side code, network part of the manager
    Gtlcpimp: Execute Data code type

    If you have any suggestions for code types or additions to already implemented code types, please reply below with a description of how it works and its format.

    Special thanks to bungholio for beta testing.

    Other programs by ORCXodus and Dnawrkshp
    Last edited by dnawrkshp; 09-24-2016, 03:03:24 PM.
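    A small Python model of several of the RAW code types documented in the post above, added here as an illustration and not part of NetCheat or its NCEngine source: it parses "AAAAAAAA BBBBBBBB" text lines, implements the conditional-type table (0-6), the type 4 slide fill, the type 9 mastercode gate and the F4 address compare over a constructed sparse little-endian memory, and runs the post's own example lines. The plain 32-bit write (type 2) is assumed from the CodeBreaker format the post defers to, and the Memory, condition, parse and run_engine names are mine; note the two different width encodings the post uses for type 4 and F4.

```python
class Memory:
    """Sparse little-endian byte store standing in for PS2 main RAM (constructed)."""
    def __init__(self):
        self.cells = {}
    def read(self, addr, width):
        return int.from_bytes(bytes(self.cells.get(addr + i, 0) for i in range(width)), "little")
    def write(self, addr, width, value):
        for i, b in enumerate((value & ((1 << 8 * width) - 1)).to_bytes(width, "little")):
            self.cells[addr + i] = b

# Note the two width encodings in the post: type 4 uses 0 = 32 bit, 1 = 16 bit,
# 2 = 8 bit, while F4 uses 0 = 8 bit, 1 = 16 bit, 2 = 32 bit.
WIDTH_TYPE4 = {0: 4, 1: 2, 2: 1}
WIDTH_F4 = {0: 1, 1: 2, 2: 4}

def condition(ctype, value, x):
    """Conditional types 0-6 as tabulated in the post (value = memory, x = code value)."""
    return {
        0: value == x,
        1: value != x,
        2: value <= x,
        3: value >= x,
        4: (value & x) == 0,   # mask unset: every masked bit clear
        5: (value & x) != 0,   # mask set: any masked bit set
        6: (value & x) == x,   # all masked bits set ([value AND x] - x = 0)
    }[ctype]

def parse(codelist):
    """Split 'AAAAAAAA BBBBBBBB' RAW text lines into (left, right) 32-bit word pairs."""
    return [tuple(int(w, 16) for w in ln.split()) for ln in codelist.strip().splitlines()]

def run_engine(mem, codelist):
    """One engine pass over the list; returns False if a type 9 mastercode blocked it."""
    lines = parse(codelist)
    i = 0
    while i < len(lines):
        left, right = lines[i]
        ctype = left >> 28
        if ctype == 0x9:                              # conditional mastercode
            if mem.read(left & 0x0FFFFFFF, 4) != right:
                return False
            i += 1
        elif ctype == 0x2:                            # 32-bit write (assumed CodeBreaker type 2)
            mem.write(left & 0x0FFFFFFF, 4, right)
            i += 1
        elif ctype == 0x4:                            # multi-address write (slide fill)
            addr = left & 0x01FFFFFF                  # 25-bit address
            width = WIDTH_TYPE4[right >> 28]
            count, step = (right >> 16) & 0xFFF, right & 0xFFFF
            value, inc = lines[i + 1]
            for _ in range(count):
                mem.write(addr, width, value)
                addr += step * width                  # s scaled by 4 / 2 / 1
                value = (value + inc) & 0xFFFFFFFF
            i += 2
        elif (left >> 24) == 0xF4:                    # address compare
            n, t, width = left & 0xFFFF, (right >> 8) & 0xF, WIDTH_F4[right & 0xF]
            a, b = lines[i + 1]
            i += 2
            if not condition(t, mem.read(a, width), mem.read(b, width)):
                i += n                                # skip the n guarded lines
        else:
            raise ValueError(f"code type {ctype:X} is not modelled in this example")
    return True
```

    Running the post's slide-fill example after a satisfied 9-type line writes 0x63 through 0x68 to 0xEE7174 in 8-byte steps; with the mastercode value absent from memory run_engine returns False and writes nothing.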

  • #2
    So this is like a CodeMajic replacement? I made RemotePS2 to replace CodeMajic. It works as a cheat device and FTP.



    • #3
      Originally posted by Gtlcpimp View Post
      So this is like a CodeMajic replacement? I made RemotePS2 to replace CodeMajic. It works as a cheat device and FTP.
      I would like to be able to use RemotePS2, but I was never able to get it to work. It always froze while in the process of connecting.

      Yeah, I think we can both agree CM was more of a working concept. I love the idea of sending codes from the PC to the PS2 but I still want the full command list that a commercial cheat device would have. I've noticed that I can never be pleased with another's work and that I have to create my own to please myself. At least when I make it open source others won't have to follow my footsteps.



      • #4
        Originally posted by dnawrkshp View Post
        I would like to be able to use RemotePS2, but I was never able to get it to work. It always froze while in the process of connecting.
        Common issue when operating through a router. Though the issue doesn't apply to everyone using a router, it is always fixed when you connect the PS2 directly to the PC. The way it worked was to prevent having to remember or write down the IP address: it used broadcasts. The PC would broadcast a command, which is picked up by the PS2 listening for broadcasts. The PS2 would broadcast back with a command followed by its IP address, which the PC is supposed to pick up and connect to. It needs to be adjusted so that the PC broadcasts its IP and the PS2 simply connects to it (would solve the issue you are having), but I haven't changed that yet. The reason why you experience that issue is because somehow the broadcast of the PS2 sending its IP shows up as a pass-through broadcast, which for some reason isn't picked up by the PC when listening. Connect your PS2 directly to the computer and it should connect flawlessly every time (as long as you set up the connection sharing properly).



        • #5
          Originally posted by Gtlcpimp View Post
          Connect your PS2 directly to the computer and it should connect flawlessly every time (as long as you set up the connection sharing properly).
          I use a crossover cable but I couldn't get my connection to be shared with my PS2. So I bridged the two together and it works fine for everything but RemotePS2. I just tested sharing the connection and it still froze on "Waiting For Connection..."



          • #6
            Probably don't have the connection sharing set up properly?



            • #7
              Added some code type options. I might think of how to do the 5 code type with copying bits instead of just bytes, but I wouldn't expect it.
              July 7, 2019

              https://www.4shared.com/s/fLf6qQ66Zee
              https://www.sendspace.com/file/jvsdbd



              • #8
                What situation would that be valuable in? I can't even think of an obscure, single use that would have in a game.

                If you putz with the format so that you can say, "start copying 255 bits at address X, from the 3rd most-significant bit on down, and copy that to address Y at the 4th most-significant bit", you'd just be accomplishing a weirdly long bit-shift. If you started on the same bit in both places, everything between the first byte and the last would just be outright byte copies.

                Your example isn't very logical to me. You want to tell it to start at address X, the third bit, but you mean to consider the whole bit string as one large value, and drop the three least-significant bits in it. Then you do something similar with the destination, but you get into masking out bits, and the shift seems even more bizarre. You're not so much doing a "copy bits", as some oddball manipulation on a bit string. Where it really goes off the rails is that you're expecting to tell the code you want the 9 most significant bits of the 16-bits at EE7175 "copied" into the middle of the 24-bits that start at EB00B5. I don't know what that's even about. If you had just showed me your example code, I wouldn't have guessed that the byte at EB00B7 should have factored in.
                Last edited by Pyriel; 05-13-2013, 08:00:00 AM.



                • #9
                  That's the same thing that stopped me. I can't really think of anything that would ever use such a thing where it would really be useful. It would just seem like a pointless extra thing with an excessive amount of lines. I was kind of thinking about Disgaea, but I can't see an actual use for it. Why copy certain bits of an item or character to another in such an excessive way? Just use the 7-type and know the addresses, or use the option I added for the code type 4 that does OR & AND. I thought of the Dark Cloud game's items too, but if I were smart enough back then looking at labels you could just tell the game to apply the effects to the player without caring about what the weapon has. I see no use for it really. I just stopped thinking about it, and pondered a little trying to think of a very good use for it and can't think of any yet. It's a dead pointless idea.



                  • #10
                    Thanks bungholio, I will go over it and see if it will still work properly. Download at the bottom. Since I don't really want to make any codetypes to test the implementations just go over what I did and verify its validity.

                    First question, for the byte alignment, can't you simply do andi s1, s1, $FFFE? I've already gone ahead and changed it to that.
                    EDIT: That doesn't seem to work. I haven't updated what's below but here is a fix:
                    addiu v0, zero, -2
                    and ?, ?, v0

                    Nice catch on the 16 bit decrement having a comment stating it was an increment. I had just copy pasted I bet.
                    In the same code type (3) you had said that I could move it up right after the beq t0, v0, ?, however t0 is used as a separate value in the comparison. If they were not to be equal the branch would execute the line under (lw t0, $0008(s7)) and ruin the check.

                    Now that you have made the C codetype a bit (<- heh) more complicated, I will add a 32bit option to Joker That. Since it already uses binary to set up everything it won't be an issue to append the 3 bits for the type.
                    Another thing with the C codetype, you didn't call ParseJokerType and pass t1 as a0. It was designed so that you can have multiple conditionals smaller by using the same function.
                    I am going to move the t from C(t&a)aaaaaa to cccccccc t0000000 (second line). That way it is much easier.

                    I changed the lb from ParseJokerType to a lbu. Thanks for the catch. I also changed the type 6 to what you said. I still don't understand what it is supposed to achieve...

                    Good catch on all my mistakes. Most of the example and comment mistakes were because I was racing through it.

                    P.S. CodeDesigner doesn't support tabs so I have to go in and delete each one. If you make another contribution add some sort of header and footer around the addition. Like this:
                    //----------------------- bungholio start
                    Some ASM Code
                    //----------------------- bungholio end

                    Once again thanks.
                    Last edited by dnawrkshp; 05-13-2013, 10:31:05 PM.



                    • #11
                      Originally posted by dnawrkshp View Post
                      First question, for the byte alignment, can't you simply do andi s1, s1, $FFFE? I've already gone ahead and changed it to that.
                      I haven't read beyond that little part, and don't know if I am able to due to drinking at the moment, but you probably nailed it. I'll see if I don't pass out and wake up a few days later remembering that I was trying to do something. GOD FORSAKEN BOOZE!!!!

                      It's a wonder how I even manage to hit the post button. Ughhh........
                      Last edited by bungholio; 05-13-2013, 11:16:50 PM.



                      • #12
                        Originally posted by dnawrkshp View Post
                        I also changed the type 6 to what you said. I still don't understand what it is supposed to achieve...
                        The thing for the 6 type was to allow you to also be able to do OR, AND, & XOR writes for pointer codes too. Somebody might have bits they want to always set/unset that might change in memory. It also just occurred to me how useless XOR is. I never did know why codebreaker had it when you could just find the pad address for buttons in a game and then toggle something on/off with the press of buttons. That really could just be deleted, it truly is worthless. I'd even delete it even if it is there for codebreaker compatibility, nobody ever used it, it was stupid.

                        For a moment I was also thinking of doing the joker thing with pointer writes too, but the odds of any game on Earth ever needing it seems so slim I honestly can't imagine it being useful. If a game was ever made in such an odd manner that the pad buttons address changed randomly, then I could see it, but I've never heard of that. I remember they changed for Ratchet: Size Matters, but they are always the same different address for each level, so that's not worth caring about.


                        On an unrelated thing, for the next version of livedebug you should add a simple thing that shows the joker address when you enter the livedebug menu. There are those few games that nobody ever found them for.



                        • #13
                          Originally posted by bungholio View Post
                          The thing for the 6 type was to allow you to also be able to do OR, AND, & XOR writes for pointer codes too. Somebody might have bits they want to always set/unset that might change in memory. It also just occurred to me how useless XOR is. I never did know why codebreaker had it when you could just find the pad address for buttons in a game and then toggle something on/off with the press of buttons. That really could just be deleted, it truly is worthless. I'd even delete it even if it is there for codebreaker compatibility, nobody ever used it, it was stupid.

                          For a moment I was also thinking of doing the joker thing with pointer writes too, but the odds of any game on Earth ever needing it seems so slim I honestly can't imagine it being useful. If a game was ever made in such an odd manner that the pad buttons address changed randomly, then I could see it, but I've never heard of that. I remember they changed for Ratchet: Size Matters, but they are always the same different address for each level, so that's not worth caring about.
                          I was referring to the _PJT_6 label in ParseJokerType.
                          Forces a 16bit value with the shifts. Ands the 16bit value (t0) stored at the address passed in register s0. All of this seems the same as mask unset with the exception of the branch not being bne t1, zero, :_PJT_Exit.
                          Code:
                          sll s1, s1, 16
                          srl s1, s1, 16
                          and t1, s1, t0
                          
                          bne t1, s1, :_PJT_Exit
                          nop

                          Originally posted by bungholio View Post
                          On an unrelated thing, for the next version of livedebug you should add a simple thing that shows the joker address when you enter the livedebug menu. There are those few games that nobody ever found them for.
                          It shall be done.



                          • #14
                            Oh, that. That makes the conditional option of allowing you to execute something only if all bits are set.
                            PJT 4, you only execute the next lines of code if all of the bits are unset.
                            PJT 5, you execute the next lines of code if any of the bits are set.
                            PJT 6, you execute the next lines of code only if all bits are set.

                            s1 is what you are comparing to, t0 is the current value at the address.
                            To check which bits they have on:
                            and t1, s1, t0
                            If all of the bits are on for both, then t1 should have the same exact value as either s1 or t0. If t1 isn't identical to either of them, then do the bne :_PJT_Exit.

                            I was looking at CMX's thing:

                            and t1, s1, t0
                            subu t1, t1, t0

                            bne t1, zero, :_PJT_Exit

                            It just looks like a longer way of doing the same thing as me. If those 2 are ANDed, and then the result has one of them subtracted from it and it not being 0 means it's just all a way of checking if all bits are set. I was getting it mistaken looking at it at the time. I thought it was incorrect because I could barely think and was drunk and remember an old page about it on Pyriel's site that I can no longer find that said something about there being some weird truth table that was incorrect and assumed this was the one. Looking at it now, it's correct and I accidentally stumbled on a way of getting the same thing with 1 less line of code.



                            • #15
                              Alright. When you can I'd like you to double check those changes I made. Ignore my alignment check because it doesn't establish the addiu v0, zero, -X. I had also changed the C command. You did something that made no sense to me. You set it up so that you could only have a multi-line 32 bit equal to conditional. The other comparison options were restricted to single line use. Other than that I'd assume the rest work as you intended.
