Yeah, I think there was also a big discussion about the ELF itself at the time.
CB2crypt v1.3
Originally posted by misfire:
> However, I was able to load counterfeit CBC/PCB files by cracking the CodeBreaker executable. Back then some warez group had released a cracked version with the copy protection removed. I took that version and added the RSA fix (technically, I just patched a call to memcmp() so that all signatures pass the check). I gave that binary, which is known as CB v9.22, to a warez site from where it spread to the world. (IIRC, there's even a "GSHI" version of it.)
> Neither I nor anyone else has touched the crypto keys; there'd be no benefit anyway. All of my tools use the original keys extracted from CB.

Use CodeBreaker v10, create a master hook code for it, enable all the patches you made via cheat code, start the game with codes but keep CodeBreaker back in, and when it boots up it should load the valid but invalid PCB mod, should it not?
I don't think it's that simple. First of all, is it even possible to launch a retail CodeBreaker CD from a retail CodeBreaker? Then, consider the side effects, e.g. CB would hook syscalls twice, memory areas (including cheat codes) are cleared, etc. Also, the patch itself won't be trivial, as it has to survive the "restart" (patching the kernel with CB codes is really ugly...).
Originally posted by misfire:
> I don't think it's that simple. First of all, is it even possible to launch a retail CodeBreaker CD from a retail CodeBreaker?

Yup, I do it all the time (and just did it again to be sure right after I made this edit, lol). Just stick CB back in when it ejects and press X. All it does is load the SLUS and perform the ExecPS2() syscall on it.
It would be a rather large code. It would contain a few functions and/or hook replacements, and go like this:
Build master code -> hook from the entry point (so the immediate load of the ELF executes the cheat engine, preferably after RFU060 is called so we have a valid Stack Pointer)
Code 1: Restore entry point value, clear master code off CB's cheat engine master code loader
Code 2: Full routine + Code List (our home made cheat engine with your patches) -> Write to say 0x000C0000? or maybe even 0x01D00000 (anywhere codebreaker doesn't use)
Code 3: Full routine (something to install hooks and our cheat engine to kernel) -> Write to same area as the other routine
Code 4: Patch a code write command branch to hook our install routine
Code 5: Use the patched code write command (Hooks the install routine, we install our engine to kernel and copy a code list attached with it)
Code 6: Patch the return mark in the cheat engine to jump back to where we got hooked from
Keep in order!
It would be pretty long, and I am not going to type it all in with CodeBreaker's menu... Do you have a utility that can take a custom cheat list and encrypt it to the "cheats" file CBv10 loads/saves? All I can find in your CB2crypt / CB2util / etc. are decrypting options (the only encrypting option is for pelican.bin). It would make it a LOT easier to build the cheat list with the patches in it, save it as a .CBS and transfer it with a USB drive. Honestly, if you have a Code Breaker I say use that sob to exploit the PS2 and never have to go through this nonsense. The only reason I am posting these thoughts and ideas is because I like to fool around and hack a hacker's program (and to see what all I can do with stuff).
Or to cut down on address dependencies, keep track of the static addresses the data gets thrown on the code stack:
Code 1: Restore entry point value, clear master code off CB's cheat engine master code loader
Code 2: Patch the return mark in the cheat engine to jump back to where we got hooked from
Code 3: Patch a code write command branch to hook our install routine
Code 4: Use the patched code write command (Hooks the install routine, we install our engine to kernel and copy a code list attached with it)
Code 5: Code Stopper (Prevent anything below this line from being used)
Code 6: Full routine + Code List (our home made cheat engine with your patches, no writes! Embed the routine directly)
Code 7: Full routine (something to install hooks and our cheat engine to kernel, no writes! Embed the routine directly)
When I say "no writes! Embed the routine directly", this is what I mean:
Writes:
Code:
200C0000 27BDFFF0
200C0004 7FBF0000

Embedded:
Code:
27BDFFF0 7FBF0000

Last edited by Gtlcpimp; 11-22-2010, 03:40:23 PM.
My ancient tool xp2cc (Xploder PS2 Code Compiler) can be used to create "cheats" files for CB V1-V6. With V7+, I don't know if it's enough to embed such a file in a CBS save, though.
IIRC, CB invokes LoadExecPS2() to start a game. This syscall wipes all user-space memory above 0x82000 (which is why I contributed the function sbv_patch_user_mem_clear() to PS2SDK).
I'm not sure if the CB itself clears everything from 0x80000 to 0x82000. But I can remember that it installs a custom syscall to write to kernel RAM...
PS2 Save Builder can take care of the CBS file; I just need something that can create the "cheats" file with the proper code format that CBv10 uses. Obviously CodeBreaker doesn't clear 0x80000 - 0x82000; it uses that for the cheat engine and code list! With the proper code patching involved, we can unlock something the makers of Code Breaker didn't want... more codes and a kernel-hooked engine! Hehe..
Alright, look at it like this.
It loads the ELF and writes the hook (master code). Now, the master code we will make is going to be a direct hook off the ELF's entry point. Therefore, instead of the ELF booting when it performs ExecPS2(), it actually calls the engine directly. This will make our patch list activate instantly. Since we are patching the engine itself as well, we are able to force it to enter the ELF at its entry point after restoring the original values. With our patches made that one time, we now have a fully kernel-loaded and hooked cheat engine + CB patch listings.
This could work, indeed.
I just had another idea: CB's A code type can do 32-bit writes after the ELF contents have been loaded and before it is executed via SetupThread(). It is run inside the syscall hook function* and therefore doesn't need a master code.
* I haven't tried it but being in kernel mode, should allow the A type to write to RAM below 0x80000...
Update: With the code A0070000 24020000, CB would write 24020000 to 00070000. But for kernel memory, the address needs to be 80070000 (kseg0) or A0070000 (kseg1). So my assumption was wrong, unfortunately.Last edited by misfire; 11-22-2010, 06:22:17 PM.
How is that even possible? 0x00000000 - 0x0007FFFF doesn't exist; this is the reserved kernel space mapped to 0x80000000, mirrored at 0xA0000000. However, if what you say is correct, that the A command writes before it even executes the ELF, then you can do everything with the A command, including patching the engine to hook a routine you just wrote. Use the command to patch itself!
That's where our install routine comes into play.
Example:
CD2 Source:
Code:
/* CodeDesigner v2.0
   Created by: Gtlcpimp
   Official CheatersLounge Product
   Copyright © */

/* CodeBreaker False PCB Exploit v0.1a (Concept)
   Created by: Gtlcpimp
   - Change code output from '2' command to 'A' command */

address $000c0000

//=======================================================
_ExploitInstall:
//-------------------------------- Find Engine
// scan forward from $000c0000 for the engine's first word (addiu sp, sp, $FE00)
    lui a0, $000c
    lui v0, $27BD
    ori v0, v0, $FE00
_EI_Loop00:
    lw a1, $0000(a0)
    beq a1, v0, :_EI_Exit00
    nop
    addiu a0, a0, 4
    beq zero, zero, :_EI_Loop00
    nop
_EI_Exit00:
//-------------------------------- Enter Kernel Status
// clear Status.KSU (bits 3-4): -25 = $FFFFFFE7
    mfc0 v1, $Status
    addiu v0, zero, -25
    and v1, v1, v0
    mtc0 v1, $Status
    sync.p
//-------------------------------- Copy Engine
// copy the engine to $80030000, up to and including its last word (addiu sp, sp, $0200)
    lui a1, $8003
    lui v0, $27BD
    ori v0, v0, $0200
_EI_Loop01:
    lw v1, $0000(a0)
    sw v1, $0000(a1)
    beq v1, v0, :_EI_Exit01
    nop
    addiu a0, a0, 4
    addiu a1, a1, 4
    beq zero, zero, :_EI_Loop01
    nop
_EI_Exit01:
//-------------------------------- Hook Engine
// write jal $00030000 (kseg0: $80030000) at $800002FC
    lui a0, $8000
    lui v0, $0C00
    ori v0, v0, $C000
    sw v0, $02FC(a0)
//-------------------------------- Restore CB Hook
// put jr ra back at $0008060c (the word the A code below overwrote with j $000c0000)
    lui a0, $0008
    lui v0, $03e0
    ori v0, v0, $0008
    sw v0, $060c(a0)
    jr ra
    nop
//=======================================================
_ExploitEngine:
// save every GPR (128-bit) in a $200-byte frame
    addiu sp, sp, $FE00
    sq at, $0000(sp)
    sq v0, $0010(sp)
    sq v1, $0020(sp)
    sq a0, $0030(sp)
    sq a1, $0040(sp)
    sq a2, $0050(sp)
    sq a3, $0060(sp)
    sq t0, $0070(sp)
    sq t1, $0080(sp)
    sq t2, $0090(sp)
    sq t3, $00a0(sp)
    sq t4, $00b0(sp)
    sq t5, $00c0(sp)
    sq t6, $00d0(sp)
    sq t7, $00e0(sp)
    sq s0, $00f0(sp)
    sq s1, $0100(sp)
    sq s2, $0110(sp)
    sq s3, $0120(sp)
    sq s4, $0130(sp)
    sq s5, $0140(sp)
    sq s6, $0150(sp)
    sq s7, $0160(sp)
    sq t8, $0170(sp)
    sq t9, $0180(sp)
    sq k0, $0190(sp)
    sq k1, $01a0(sp)
    sq fp, $01b0(sp)
    sq gp, $01c0(sp)
    sq ra, $01d0(sp)
// Install CB Patches (placeholder slots for the patch writes)
    nop
    nop
    nop
    nop
    nop
    lq at, $0000(sp)
    lq v0, $0010(sp)
    lq v1, $0020(sp)
    lq a0, $0030(sp)
    lq a1, $0040(sp)
    lq a2, $0050(sp)
    lq a3, $0060(sp)
    lq t0, $0070(sp)
    lq t1, $0080(sp)
    lq t2, $0090(sp)
    lq t3, $00a0(sp)
    lq t4, $00b0(sp)
    lq t5, $00c0(sp)
    lq t6, $00d0(sp)
    lq t7, $00e0(sp)
    lq s0, $00f0(sp)
    lq s1, $0100(sp)
    lq s2, $0110(sp)
    lq s3, $0120(sp)
    lq s4, $0130(sp)
    lq s5, $0140(sp)
    lq s6, $0150(sp)
    lq s7, $0160(sp)
    lq t8, $0170(sp)
    lq t9, $0180(sp)
    lq k0, $0190(sp)
    lq k1, $01a0(sp)
    lq fp, $01b0(sp)
    lq gp, $01c0(sp)
    lq ra, $01d0(sp)
    jr k0
    addiu sp, sp, $0200
//=======================================================
// Patch Codes
/* A008060c 08030000 */   // j $000c0000 written at $0008060c -> _ExploitInstall

RAW Code:
Code:
A00C0000 3C04000C
A00C0004 3C0227BD
A00C0008 3442FE00
A00C000C 8C850000
A00C0010 10A20004
A00C0014 00000000
A00C0018 24840004
A00C001C 1000FFFB
A00C0020 00000000
A00C0024 40036000
A00C0028 2402FFE7
A00C002C 00621824
A00C0030 40836000
A00C0034 0000040F
A00C0038 3C058003
A00C003C 3C0227BD
A00C0040 34420200
A00C0044 8C830000
A00C0048 ACA30000
A00C004C 10620005
A00C0050 00000000
A00C0054 24840004
A00C0058 24A50004
A00C005C 1000FFF9
A00C0060 00000000
A00C0064 3C048000
A00C0068 3C020C00
A00C006C 3442C000
A00C0070 AC8202FC
A00C0074 3C040008
A00C0078 3C0203E0
A00C007C 34420008
A00C0080 AC82060C
A00C0084 03E00008
A00C0088 00000000
A00C008C 27BDFE00
A00C0090 7FA10000
A00C0094 7FA20010
A00C0098 7FA30020
A00C009C 7FA40030
A00C00A0 7FA50040
A00C00A4 7FA60050
A00C00A8 7FA70060
A00C00AC 7FA80070
A00C00B0 7FA90080
A00C00B4 7FAA0090
A00C00B8 7FAB00A0
A00C00BC 7FAC00B0
A00C00C0 7FAD00C0
A00C00C4 7FAE00D0
A00C00C8 7FAF00E0
A00C00CC 7FB000F0
A00C00D0 7FB10100
A00C00D4 7FB20110
A00C00D8 7FB30120
A00C00DC 7FB40130
A00C00E0 7FB50140
A00C00E4 7FB60150
A00C00E8 7FB70160
A00C00EC 7FB80170
A00C00F0 7FB90180
A00C00F4 7FBA0190
A00C00F8 7FBB01A0
A00C00FC 7FBE01B0
A00C0100 7FBC01C0
A00C0104 7FBF01D0
A00C0108 00000000
A00C010C 00000000
A00C0110 00000000
A00C0114 00000000
A00C0118 00000000
A00C011C 7BA10000
A00C0120 7BA20010
A00C0124 7BA30020
A00C0128 7BA40030
A00C012C 7BA50040
A00C0130 7BA60050
A00C0134 7BA70060
A00C0138 7BA80070
A00C013C 7BA90080
A00C0140 7BAA0090
A00C0144 7BAB00A0
A00C0148 7BAC00B0
A00C014C 7BAD00C0
A00C0150 7BAE00D0
A00C0154 7BAF00E0
A00C0158 7BB000F0
A00C015C 7BB10100
A00C0160 7BB20110
A00C0164 7BB30120
A00C0168 7BB40130
A00C016C 7BB50140
A00C0170 7BB60150
A00C0174 7BB70160
A00C0178 7BB80170
A00C017C 7BB90180
A00C0180 7BBA0190
A00C0184 7BBB01A0
A00C0188 7BBE01B0
A00C018C 7BBC01C0
A00C0190 7BBF01D0
A00C0194 03400008
A00C0198 27BD0200
A008060c 08030000

It's worth testing; however, I don't want to sit here for 3 hours typing all that in after encrypting it one by one into CBv10...
Oh, and one more thing, misfire. I read in one of your older posts that you have to recompile the ELFs to 0x01000000 for them to work in the counterfeit PCB file. You don't have to.
A while back I was ripping apart the un-packer ELF that is produced when you pack an ELF with PS2Packer. I rebuilt the whole setup so it can be relocated to my desires. I even wrote a program that takes a packed ELF, rips everything apart, and relocates it all for me. I was reading through the decrypted SMS from the PCB file, and I noticed this is the exact same concept the makers of CB used. They took SMS and embedded it in an extractor ELF. The extractor ELF gets loaded to 0x01000000 and then executed. Upon execution it immediately copies the full SMS ELF to 0x00100000 and executes it. Same concept, only we can do it with compression. Take any ELF you desire, pack it with PS2Packer, and then run it through my utility (I will have to upload it some time) to relocate it to 0x01000000. That way, it will do the exact same job that the ELF they wrote does, without requiring recompiling of the ELF you want to embed.
However, all of this, in terms of patching CB with CB's cheat engine, is all in theory at the moment; technically it should work. I need to do more digging in their ELF to ensure they don't have a safety feature to prevent it...Last edited by Gtlcpimp; 11-23-2010, 02:41:57 AM.
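The code formats this thread works with, written out as an added example (editor's code in Python, not code from the thread, from CB2crypt/CB2util or from CodeBreaker): the '2' and 'A' 32-bit write codes from the plan earlier in the thread and the "Writes" vs "Embedded" forms, the '2'-to-'A' re-tagging the CD2 header describes, the seven-nibble address limit misfire hit when an 'A' code could only reach 0x00070000 rather than the kseg0 address 0x80070000, and the j/jal hook words used in the listing (08030000 at 0x0008060c, 0C00C000 at 0x800002FC). The only assumption about the format is the one the listings themselves show: one type nibble, seven address nibbles, a space, then a 32-bit value. Function names and the small RAM model are mine.

```python
"""Helpers for the CodeBreaker 32-bit write codes discussed in this thread.

Editor's example, not from the thread, CB2crypt or CodeBreaker. Format as
shown in the listings above (an assumption, nothing more): one hex type
nibble, seven address nibbles, a space, a 32-bit value. Type '2' is a
plain 32-bit write; type 'A' is the same write applied during ELF load.
"""
import struct

ADDR_FIELD_MASK = 0x0FFFFFFF   # seven hex nibbles of address per code
KSEG0 = 0x80000000             # cached kernel-mode mirror of physical RAM
KSEG1 = 0xA0000000             # uncached mirror
WRITE_TYPES = ("2", "A")


def kseg0(addr: int) -> int:
    """Kernel-mode cached view of a kuseg/physical address (0x70000 -> 0x80070000)."""
    return KSEG0 | (addr & 0x1FFFFFFF)


def kseg1(addr: int) -> int:
    """Kernel-mode uncached view (0x70000 -> 0xA0070000)."""
    return KSEG1 | (addr & 0x1FFFFFFF)


def fits_in_code(addr: int) -> bool:
    """True if addr fits the seven-nibble field; kseg0/kseg1 addresses never do."""
    return (addr & ~ADDR_FIELD_MASK) == 0


def mips_j(target: int, link: bool = False) -> int:
    """Encode a MIPS j (or jal when link=True) to a word-aligned absolute target."""
    if target & 3:
        raise ValueError("jump target must be 4-byte aligned")
    opcode = 0x0C000000 if link else 0x08000000
    return opcode | ((target >> 2) & 0x03FFFFFF)


def mips_j_target(word: int, pc: int) -> int:
    """Absolute target of a j/jal word sitting at pc.

    The upper four bits come from the delay slot (pc + 4): the same jal word
    reaches 0x80030000 from 0x800002FC but 0x00030000 from user space.
    """
    return ((pc + 4) & 0xF0000000) | ((word & 0x03FFFFFF) << 2)


def words_from_bytes(blob: bytes):
    """Split little-endian (EE byte order) machine code into 32-bit words."""
    if len(blob) % 4:
        raise ValueError("machine code must be a whole number of words")
    return list(struct.unpack("<%dI" % (len(blob) // 4), blob))


def encode_writes(base: int, words, code_type: str = "2"):
    """'Writes' form: one type+address / value code per word from base upward."""
    if code_type not in WRITE_TYPES:
        raise ValueError("only the 32-bit write types 2 and A are handled")
    codes = []
    for i, word in enumerate(words):
        addr = base + 4 * i
        if not fits_in_code(addr):
            raise ValueError("address %#010x needs more than 7 nibbles" % addr)
        codes.append("%s%07X %08X" % (code_type, addr, word & 0xFFFFFFFF))
    return codes


def embed_words(words) -> str:
    """'Embedded' form from the thread: the raw words, no address column."""
    return " ".join("%08X" % (w & 0xFFFFFFFF) for w in words)


def retag_writes(codes, new_type: str):
    """Change the type nibble of write codes (the CD2 header's 2 -> A change)."""
    if new_type not in WRITE_TYPES:
        raise ValueError("only the 32-bit write types 2 and A are handled")
    out = []
    for code in codes:
        left, right = code.split()
        if left[0].upper() not in WRITE_TYPES:
            raise ValueError("not a 32-bit write code: " + code)
        out.append(new_type + left[1:] + " " + right)
    return out


def decode_writes(codes):
    """Parse write codes into (type, address, value) tuples."""
    parsed = []
    for code in codes:
        left, right = code.split()
        if len(left) != 8 or len(right) != 8:
            raise ValueError("malformed code: " + code)
        parsed.append((left[0].upper(), int(left[1:], 16), int(right, 16)))
    return parsed


def apply_writes(codes, memory: bytearray, base: int) -> int:
    """Replay write codes into a little-endian buffer modelling RAM at base.

    Returns the number of writes applied; a write outside the buffer is an error,
    which is the check you want before trusting a hand-typed code list.
    """
    applied = 0
    for _, addr, value in decode_writes(codes):
        off = addr - base
        if off < 0 or off + 4 > len(memory):
            raise ValueError("write at %#010x outside the modelled region" % addr)
        struct.pack_into("<I", memory, off, value)
        applied += 1
    return applied
```

Feeding assembled bytes through words_from_bytes and then encode_writes gives the per-word code list; retag_writes turns that list into 'A' codes; apply_writes replays any list into a scratch buffer so the addresses and values can be checked before they are typed into the device.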
I've loaded CB onto CB, but the cheat hooks get truncated. When you do this, even if you activate codes, the codes get killed on reload of the ELF. This was something put into CB so it would not be used to hack itself (I've had some fun messing with it).
Right when the ELF loads, it kills everything that was there from the CodeBreaker before.
But doing this I did find that you can load CB on PS1 games, lol, but it doesn't help you much :P Using a cracked version and having it load you back to, say, FMCB, then loading a PS1 game from there, keeps the code handler still active...
(Nothing to do with what you're talking about above that part.)
It would be nice to see an official release of the Day1 makers and Upgrade.bin/Pelican.bin.
Originally posted by Skiller:
> I've loaded CB onto CB, but the cheat hooks get truncated. When you do this, even if you activate codes, the codes get killed on reload of the ELF. This was something put into CB so it would not be used to hack itself (I've had some fun messing with it).
> Right when the ELF loads, it kills everything that was there from the CodeBreaker before.

Only when it loads up! However, the actual entry point of the ELF doesn't; it is before all this occurs.
Now I just need to start looking into how they set their master codes up... Do they manually load the ELF and patch it first, then ExecPS2() the ELF? Or do they use the syscall hook they generated with SetSyscallAddress() to process the master code upon ELF execution?
Last edited by Gtlcpimp; 11-23-2010, 02:45:19 AM.
Right, IIRC you can tell ps2-packer a specific address to put the data at, see https://github.com/ps2dev/ps2-packer...EADME.txt#L135
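A check for the relocation idea above (an extractor stub loaded at 0x01000000 that copies the real ELF to 0x00100000), added here as an editor's example in Python; it is not code from the thread, from PS2Packer or from ps2-packer. It parses the ELF32 header and program headers to report where an executable loads and enters, and confirms that a stub and its payload do not overlap. The sample ELF images are constructed inside the file with zeroed segments and no real code; function names are mine.

```python
"""Where does this PS2 ELF load? (ELF32, little-endian, MIPS)

Editor's example for the relocation discussion in this thread; not code
from the thread, PS2Packer or ps2-packer. Sample images are constructed
below with zeroed segments and no real code.
"""
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFDATA2LSB = 1, 1
EM_MIPS = 8
PT_LOAD = 1
EHDR_SIZE, PHDR_SIZE = 52, 32


def parse_elf32(data: bytes) -> dict:
    """Return type, machine, entry point and PT_LOAD segments of an ELF32 LE image."""
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS32 or data[5] != ELFDATA2LSB:
        raise ValueError("not a 32-bit little-endian ELF")
    (e_type, e_machine, _ver, e_entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum) = struct.unpack_from("<HHIIIIIHHH", data, 16)
    if e_phentsize != PHDR_SIZE or e_phoff + e_phnum * PHDR_SIZE > len(data):
        raise ValueError("program header table is truncated or malformed")
    segments = []
    for i in range(e_phnum):
        (p_type, p_offset, p_vaddr, _paddr, p_filesz, p_memsz,
         p_flags, _align) = struct.unpack_from("<IIIIIIII", data, e_phoff + i * PHDR_SIZE)
        if p_type != PT_LOAD:
            continue
        if p_offset + p_filesz > len(data):
            raise ValueError("PT_LOAD segment %d points past end of file" % i)
        segments.append({"vaddr": p_vaddr, "filesz": p_filesz, "memsz": p_memsz,
                         "offset": p_offset, "flags": p_flags})
    return {"type": e_type, "machine": e_machine, "entry": e_entry,
            "segments": segments}


def load_address(info: dict) -> int:
    """Lowest virtual address the image occupies (0x00100000 for a normal PS2 ELF)."""
    if not info["segments"]:
        raise ValueError("no PT_LOAD segments")
    return min(s["vaddr"] for s in info["segments"])


def entry_is_loaded(info: dict) -> bool:
    """True if the entry point lies inside file-backed bytes of a loaded segment."""
    e = info["entry"]
    return any(s["vaddr"] <= e < s["vaddr"] + s["filesz"] for s in info["segments"])


def images_overlap(a: dict, b: dict) -> bool:
    """True if any loaded ranges (memsz, so .bss counts) of the two images collide."""
    for s in a["segments"]:
        for t in b["segments"]:
            if s["vaddr"] < t["vaddr"] + t["memsz"] and t["vaddr"] < s["vaddr"] + s["memsz"]:
                return True
    return False


def build_sample_elf(entry: int, vaddr: int, payload: bytes, bss: int = 0) -> bytes:
    """Construct a minimal one-segment ELF32 MIPS executable (test input only)."""
    data_off = EHDR_SIZE + PHDR_SIZE
    ident = ELF_MAGIC + bytes([ELFCLASS32, ELFDATA2LSB, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, EM_MIPS, 1, entry,
                               EHDR_SIZE, 0, 0, EHDR_SIZE, PHDR_SIZE, 1, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_LOAD, data_off, vaddr, vaddr,
                       len(payload), len(payload) + bss, 7, 16)
    return ehdr + phdr + payload
```

Run parse_elf32 on the packed stub and on the ELF it carries: the stub should report a load address and entry at 0x01000000, the payload at 0x00100000, and images_overlap should be false, otherwise the copy the stub performs would clobber itself.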