Announcement

Collapse
No announcement yet.

Timesplitters 2(NTSC-US) Challenge Time Code

Collapse
X
Collapse
 
  • Page of 2
  • Filter
  • Time
  • Show
Clear All
new posts
Previous 1 2 template Next
  • #1

    Timesplitters 2(NTSC-US) Challenge Time Code

    I'm trying to hack the elapsed time in the TimeSplitters 2 Challenges.

    I already figured out that the time is simply the number without the decimal multiplied by 6 and I found the address where it's stored (2059EF8C), but it will not freeze.

    So I attach my debugger to the PCSX2 process and trace back to the instruction that writes there, but the instruction address is outside the normal memory range (3XXXXXXX) and it changes every time and so I need guidance from here. It even keeps writing to the target address even after I change to nop.

    I tried to use ps2dis to find the instruction in the ELF file, but every time I look, the addresses in ps2dis skip over the one I'm looking for and the target address doesn't appear in the file anywhere either.

    How do I find these instructions so that I can modify them and then how can I find the pointer for this instruction so it stops moving around on me?
    Last edited by jbarker2160; 07-14-2013, 02:43:58 AM.
    Tags: asm, mips, ps2dis
  • #2
    I remember finding the same code for Timesplitters Future Perfect. It wasn't hard. I think all I did was use ps2rd with ps2cc to do a couple of scans for the decreasing timer and whatever I found did the trick.

    For pcsx2, are you using the "dev" version modified by hyper2k? It's under the lounge section on these forums I think, or somewhere here. That version always has ps2 addresses at the same exact addresses every single time you use it so things are much easier to find. You could start a game with the dev version of pcsx2, find the address, and make an EE Memory Dump for PS2Dis to make things far easier as long as you make it while playing in challenge mode with the timer counting down.
    July 7, 2019

    https://www.4shared.com/s/fLf6qQ66Zee
    https://www.sendspace.com/file/jvsdbd

    Comment

    • #3
      Not an answer.

      Originally posted by bungholio View Post
      I remember finding the same code for Timesplitters Future Perfect. It wasn't hard. I think all I did was use ps2rd with ps2cc to do a couple of scans for the decreasing timer and whatever I found did the trick.

      For pcsx2, are you using the "dev" version modified by hyper2k? It's under the lounge section on these forums I think, or somewhere here. That version always has ps2 addresses at the same exact addresses every single time you use it so things are much easier to find. You could start a game with the dev version of pcsx2, find the address, and make an EE Memory Dump for PS2Dis to make things far easier as long as you make it while playing in challenge mode with the timer counting down.
      Timesplitters and Timesplitters 2 use a different engine than TS:FP. It's not as easy to cheat in those. And you didn't really answer the question I had. I'm not so much interested in the specific code as finding a method for obtaining it.

      Like I said, I found the "code," but it won't freeze because there's an instruction that is writing to it far faster than Codebreaker or Gameshark or Pro Action Replay can keep up. And the pointers are outside the writable memory range and the addresses for those nor the instructions appear in ps2dis...

      I'd just like to find out the way to hack this code so that I can do the same in the future on other games.

      Comment

      • #4
        Originally posted by jbarker2160 View Post
        And the pointers are outside the writable memory range and the addresses for those nor the instructions appear in ps2dis...
        That's the part you are saying that is making me very confused. It's a PS2, there is no "outside of writable memory range". Do you mean it's in a very blank white area when you open the elf file in PS2Dis?

        Second, are you sure you are finding the correct address? There are those rare moments with games where you'll find something but it is wrong and only affects something displayed.

        If you are saying "outside of writable memory range" being that large amount of empty white space you see in the elf file, it's writable. Do whatever you do to find the memory address on your computer while using the dev version of pcsx2, and once you've found that memory address, select the option to dump EE Memory with pcsx2. Find that 32MB dump, open it with PS2Dis, Invoke the analyzer, and you should get much better references for the code. If it fails, you can send me the dump and the address it was at and I can try some things.
        Last edited by bungholio; 07-14-2013, 03:16:10 PM.
        July 7, 2019

        https://www.4shared.com/s/fLf6qQ66Zee
        https://www.sendspace.com/file/jvsdbd

        Comment

        • #5
          I couldn't fine the "dev" version of PCSX2, but the current version makes everything static just like on the PS2 console.

          What I mean by not being able to find it in ps2dis is that the address in the far left column where the debugger says the instruction should be just simply does not exist(there are addresses before and after) and all of the instructions around it are nop. The address for the "code" is 2059ef8c. When I attach the debugger to it I get that an instruction at some 3XXXXXXX location is doing the writing most recently the addresses for the instruction were 317867DF and 306C09AF both of them were mov [ecx],edx.

          Or maybe I'm just not even on the right path. I know this is a difficult code because no one else has found it and posted it anywhere.

          I can give you a saved state if that would work.
          Last edited by jbarker2160; 07-14-2013, 04:33:05 PM.

          Comment

          • #6
            here pcsx2

            3XXXXXXX location
            if I remember correctly its RAM accelerate uncached

            317867DF and 306C09AF
            cached version 017867DF and 006C09AF
            lee4 Does Not Accept Codes Requests !
            When lee4 asks a question it does not mean lee4 will look at your game
            *How to create and use SegaCD codes >click here<*
            >)

            Comment

            • #7
              Originally posted by lee4 View Post
              here pcsx2

              3XXXXXXX location
              if I remember correctly its RAM accelerate uncached

              317867DF and 306C09AF
              cached version 017867DF and 006C09AF
              Thanks for the info, but how can I use this info to create a cheat from it?

              Comment

              • #8
                Upload a EE memory dump with the address you found. I'm curious and want to look at it.
                Last edited by bungholio; 07-15-2013, 07:57:41 AM.
                July 7, 2019

                https://www.4shared.com/s/fLf6qQ66Zee
                https://www.sendspace.com/file/jvsdbd

                Comment

                • #9
                  Taking a dump on you

                  Here is the dump. It is a full-range EE dump.

                  The address in question is 2059EF8C. I verified the address again after dumping it.

                  I think I could be wrong about the address, but this one is exactly 6 times the shown in-game time every time!

                  But I'm open to being wrong if you can find a better code.
                  Attached Files

                  Comment

                  • #10
                    Are you sure you aren't making the mistake of the address being 0059EF8C without that "2" in front? Many many don't know that's just a code type for cheat devices and not a part of addresses. I'm at work at the moment but will be home in a couple hours to check.
                    July 7, 2019

                    https://www.4shared.com/s/fLf6qQ66Zee
                    https://www.sendspace.com/file/jvsdbd

                    Comment

                    • #11
                      Actually, I'm using Cheat Engine to find the codes, and the valid memory locations for PS2 DO begin with 2 it's just that cheat devices drop it to make codes shorter (and possible to parse easily using the PS2 hardware). So, I'm sure that the valid code isn't 0059EF8C. The memory addresses in PCSX2 (according to the supporting documentation provided on their site as well as this one) are exactly the same when found by an external debugger as they would be on the PS2 console.

                      Comment

                      • #12
                        because 2000000 is PC RAM location that PCSX2 v1.0 use, PS2 RAM starts at 00000000
                        lee4 Does Not Accept Codes Requests !
                        When lee4 asks a question it does not mean lee4 will look at your game
                        *How to create and use SegaCD codes >click here<*
                        >)

                        Comment

                        • #13
                          Originally posted by jbarker2160 View Post
                          Actually, I'm using Cheat Engine to find the codes, and the valid memory locations for PS2 DO begin with 2 it's just that cheat devices drop it to make codes shorter (and possible to parse easily using the PS2 hardware). So, I'm sure that the valid code isn't 0059EF8C. The memory addresses in PCSX2 (according to the supporting documentation provided on their site as well as this one) are exactly the same when found by an external debugger as they would be on the PS2 console.
                          Have a look at this http://gamehacking.org/vb/threads/76...2+cheat+engine
                          Last edited by 47iscool; 07-16-2013, 12:41:22 AM.

                          Comment

                          • #14
                            Originally posted by lee4 View Post
                            because 2000000 is PC RAM location that PCSX2 v1.0 use, PS2 RAM starts at 00000000
                            According to the RAM mappings that has been on PS2dev.org for quit a long time, the mapped addresses are:

                            0x00100000-0x01FFFFFF - Instructions
                            0x20100000-0x21FFFFFF - Data
                            0x30100000-0x31FFFFFF - Accelerated, Non-Cache

                            If you disassemble Codebreaker and look at how it pokes, it always pokes to a 2XXXXXXX memory address...maybe they got it wrong...

                            But that still isn't answering my question about how to actually write to those addresses. You can't do it on a PS2 and you can't do it on PCSX2 either...

                            I'm thinking that maybe the game files themselves need to be modified??

                            Comment

                            • #15
                              Code:
                              PS2 EE RAM
[FONT=Courier New]
Modes             Logical Address Range	  Physical Address Range  Size
----------------  ---------------------	  ----------------------  ----
Cached            0x00000000-0x01FFFFFF   0x00000000-0x01FFFFFF   32 MB
Uncached          0x20000000-0x21FFFFFF   0x00000000-0x01FFFFFF   32 MB
Uncached&
accelerated       0x30000000-0x31FFFFFF   0x00000000-0x01FFFFFF   32 MB[/FONT]
                              Codebreaker use Physical Address
                              Last edited by lee4; 07-16-2013, 03:16:05 AM.
                              lee4 Does Not Accept Codes Requests !
                              When lee4 asks a question it does not mean lee4 will look at your game
                              *How to create and use SegaCD codes >click here<*
                              >)

                              Comment

                              Previous 1 2 template Next
                              Working...
                              X