Announcement

**Hacc** · 07-31-2014, 12:47:14 AM

EIP! I announce you as the ambassador of Cheat Engine. You've been ESP active with it lately. <- CE what I did there! :P

All joking aside, a nice little guide you have there. I think that ESI register is the RA in MIPS. You subtract 8 from the RA after the game halts, and it's usually a JAL, too. You do know that there is a debugger in PCSX2 now, right? I haven't tried it yet. Still static debugging over here.

**47iscool** · 07-31-2014, 10:28:17 AM

Originally posted by Hacc View Post

EIP! I announce you as the ambassador of Cheat Engine. You've been ESP active with it lately. <- CE what I did there! :P

All joking aside, a nice little guide you have there. I think that ESI register is the RA in MIPS. You subtract 8 from the RA after the game halts, and it's usually a JAL, too. You do know that there is a debugger in PCSX2 now, right? I haven't tried it yet. Still static debugging over here.

I'm assuming you mean real address right?

Anyways, the great thing about pcsx2 is that the RAM addresses never change so if it freezes you can get right back to it after restarting or reloading a save state. And no I didn't know that that it had a debugger now.

Honestly though if I could use CE's debugging features on every emulator I would.

**Hacc** · 08-01-2014, 01:12:04 AM

No; RA for Return Address.

Indeed it is. The new debugger was released a few months ago and is updated over time (check the Orphis SVN page for PCSX2).

I'm certain that you would.

**lee4** · 08-01-2014, 02:31:12 AM

can post a link to this debugger build?

I see no debugger on Orphisbot page

**47iscool** · 08-01-2014, 03:04:28 AM

Originally posted by Hacc View Post

No; RA for Return Address.

Indeed it is. The new debugger was released a few months ago and is updated over time (check the Orphis SVN page for PCSX2).

I'm certain that you would.

I doubt theirs can beat CE's debugger, no offense to them as it is a great emulator. Dolphin on the other hand while it runs faster on some games it isn't to stable when loading save states for some games. Namely those that use the mmu.

**Hacc** · 08-01-2014, 04:23:08 PM

Originally posted by lee4 View Post

can post a link to this debugger build?

I see no debugger on Orphisbot page

PCSX2 needs to be compiled with the "DEBUG" flag from the source. I'll link one a bit later from a friend. You can request one from Blyss over at the PCSX2 forums, though: Source:

Code:

http://forums.pcsx2.net/Thread-PCSX2-GIT-Weekly-Builds

Originally posted by 47iscool View Post

I doubt theirs can beat CE's debugger, no offense to them as it is a great emulator. Dolphin on the other hand while it runs faster on some games it isn't to stable when loading save states for some games. Namely those that use the mmu.

It seems to work pretty fine. koolaidman over at Jul has had success with it so far:

Code:

http://jul.rustedlogic.net/thread.php?id=17183

That thread reminded me about some MMX7 hacks I made long ago.

**lee4** · 08-01-2014, 04:50:49 PM

Originally posted by Hacc View Post

PCSX2 needs to be compiled with the "DEBUG" flag from the source.

That is useless then.

Originally posted by Hacc View Post

I'll link one a bit later from a friend.

Please do

Originally posted by Hacc View Post

You can request one from Blyss over at the PCSX2 forums.

No thanks.

**Pyriel** · 08-02-2014, 09:59:42 AM

How does the VEH debugger work? What I'm seeing in your screen shots leads me to believe that the data being communicated back is passed out of their exception handler, and you're not actually peeking into PCSX2 directly when the breakpoint hits. If that's the case, you're viewing a snapshot of information that's 2-3 degrees removed from what would actually happen on a PS2. It seems useful in this context, I'm just thinking there might not be an easy way to use this technique for more complex codes. Certainly you've had to resort to a small amount of targeted hunting-and-pecking to make a simple code.

How do you know what you're replacing is "usually a JAL"? I don't see anything that resembles a PS2 write operation in the screenshots, nor do I see an x86 op that immediately screams store. Can you provide a shot of the PS2 memory indicated by the PC/ESI register, i.e., +/- about 40 bytes around 0x20120010?

**47iscool** · 08-02-2014, 10:42:02 AM

Originally posted by Pyriel View Post

How does the VEH debugger work? What I'm seeing in your screen shots leads me to believe that the data being communicated back is passed out of their exception handler, and you're not actually peeking into PCSX2 directly when the breakpoint hits. If that's the case, you're viewing a snapshot of information that's 2-3 degrees removed from what would actually happen on a PS2. It seems useful in this context, I'm just thinking there might not be an easy way to use this technique for more complex codes. Certainly you've had to resort to a small amount of targeted hunting-and-pecking to make a simple code.

How do you know what you're replacing is "usually a JAL"? I don't see anything that resembles a PS2 write operation in the screenshots, nor do I see an x86 op that immediately screams store. Can you provide a shot of the PS2 memory indicated by the PC/ESI register, i.e., +/- about 40 bytes around 0x20120010?

The VEH debugger can be selected in CE's options.

How do I know it's a JAL? Well the JAL value on MIPS is usually starts with "0C"

Also yes, sometimes I have to go a good bit back to find what I'm after. Only in small cases though. Way of The Samurai's walk though walls code I made is one example of going back a good bit to get something that works.

And a shot of some addresses:

And another...

The hardest code I've ever made was a walk though walls and on air at the same time. If not for the walk on air code you would fall right through the ground because of the way the game handles clipping. And that code was made using this method.

It may not be spot on, on what address it gives you, but it's one way of making ASM codes for PS2. And it's pretty simple for someone like me who's only been hacking for a few years now.

**Pyriel** · 08-02-2014, 11:20:11 AM

Yeah, I wasn't asking how to find the VEH debugger in the menus, and I asked, "how do you know it's usually a JAL?" not, "how do you identify a JAL?" When you say "usually", it sounds like you've done some sort of analysis on at least dozens of games.

Here's why I'm questioning it. Quickly glancing through your memory dump, there's not a single write operation there until 0x201200AC. It's possible that the break occurred while emulating inside the MIPS function called two ops before the value in ESI, but you've not done any analysis to know that's true. Furthermore, there's an access (LHU) at 0x20120004, so I'm wondering if the emulator isn't storing back to the address for some reason, and the break is actually occurring after 0x20120004 is interpreted and before 0x2012000C for some reason. (Possible lag in the exception handling?) Or that your screenshot is inaccurate and you set a read breakpoint.

Like I said before, I don't see anything in the x86 disassembly that seems to be storing the new value of ammo at the address you discovered. Maybe it broke after writing, but it give me pause.

If you can provide the ELF, I or someone else can possibly check into it. My thinking at this point is that this method might be inconsistent, depending on how accurate your screenshots are.

**47iscool** · 08-02-2014, 11:27:21 AM

Resident Evil 4 SLUS-21134 ELF file:https://www.firedrive.com/file/76B26703B1D803D7

Anyways, I'm not as experienced as much as you and others are. If it works on a real PS2 then it's a method worth using right?

Also I don't understand what you mean by this:

depending on how accurate your screenshots are

**Pyriel** · 08-02-2014, 11:50:26 AM

Well, your screenshot shows you setting a write breakpoint, but if you actually set an on-access breakpoint, then most of my confusion about the debugger is unwarranted. It's still providing somewhat inaccurate information, but not by as much as it would seem at first glance.

Generally speaking, if it works, it's useful. However, if it's not repeatable then it's not very helpful as a guide for others. Like the guy on CMP back in the day who was using byte and halfword commands to overwrite operations, inadvertently replacing mundane stuff with multimedia operations. For some reason it worked and produced some novel effects, but I wouldn't recommend it as a method.

**47iscool** · 08-02-2014, 11:59:08 AM

Originally posted by Pyriel View Post

Well, your screenshot shows you setting a write breakpoint, but if you actually set an on-access breakpoint, then most of my confusion about the debugger is unwarranted. It's still providing somewhat inaccurate information, but not by as much as it would seem at first glance.

Generally speaking, if it works, it's useful. However, if it's not repeatable then it's not very helpful as a guide for others. Like the guy on CMP back in the day who was using byte and halfword commands to overwrite operations, inadvertently replacing mundane stuff with multimedia operations. For some reason it worked and produced some novel effects, but I wouldn't recommend it as a method.

Why not try it out yourself?

Well I noticed Nolberto82 has made a few ASM PS2 codes. Maybe he found another method that were not aware of. Maybe you should ask him since he's one of the top hackers and knows a lot more about hacking than me.

**lee4** · 08-02-2014, 01:25:45 PM

you are disputing to the one of greatest PS2 ASM hacker Pyriel

he just inquiring about your irregular method ps2 hacking

Announcement

Tutorial for creating ASM codes for PS2 with Cheat Engine and pcsx2

Tutorial for creating ASM codes for PS2 with Cheat Engine and pcsx2

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment