Crunching/Compression/Packed?


  • #16
    Originally posted by cYs Driver View Post
    They're obviously encrypted files.
    To the other question: yes, you can open the scus and search for the name of the file it's loading as a string; it might be "cdrom0:...." or "host:".
    From there, follow it, find the file reading function and find the address passed to it.
    Kool, working on that now........as for those encrypted files I dunno. I don't know enough about encryption to even know where to start messing with those. Although I haven't found any references to them yet from the ELF files.


    • #17
      Well, the only way you're really going to get the data from them is by a dump, but as of now that's not possible yet. And you wouldn't know where in memory they are loaded.


      • #18
        Files of that size have been known to contain, for example, all of the game's CG videos, or 3D models for characters. They've also been known to be dummy files, heh. They could be encrypted, encoded without respect to encryption, or randomly generated, most likely one of the latter.

        Today's Friday, so if I don't end up tied up with something else, I'll do some work on this, that Bleach game, CCheat, and a few other things.
        I may be lazy, but I can...zzzZZZzzzZZZzzzZZZ...


        • #19
          Originally posted by cYs Driver View Post
          Well, the only way you're really going to get the data from them is by a dump, but as of now that's not possible yet. And you wouldn't know where in memory they are loaded.
          Yea, wonder why no one reversed libmc2. A simple in-game mem viewer would be nice about now but I'm not sure how this game prints to the screen yet. As far as I can tell there is no sprintf, so I can't use that. Now that I think about it...those files could store this game's massive amount of text data. There are no labels in either file that refer to text spoken by characters or even strings that are printed on-screen.

          Originally posted by Lazy Bastard View Post
          Files of that size have been known to contain, for example, all of the game's CG videos, or 3D models for characters. They've also been known to be dummy files, heh. They could be encrypted, encoded without respect to encryption, or randomly generated, most likely one of the latter.

          Today's Friday, so if I don't end up tied up with something else, I'll do some work on this, that Bleach game, CCheat, and a few other things.
          Me as well....I'm completely free (far as I know) this weekend. I'm having too much fun doing this as it is, plus I'm learning a lot. Gotta thank you both for all the help and prompt responses thus far.

          Anyway, here is the code to the file that might be getting loaded from the slus.
          Code:
          __0014a29c:					# 
          	lui		s5, $001d		# 0014a29c:3c15001d	s5=gmail_cur_posx
          	addiu		a1, zero, $1000		# 0014a2a0:24051000	a1=$00001000
          	addiu		s5, s5, $9a70		# 0014a2a4:26b59a70	s5="cdrom0:\ERX\PSU_US.GZ;1"
          	daddu		a2, zero, zero		# 0014a2a8:0000302d	
          	jal		$001399b0		# 0014a2ac:0c04e66c	^ FNC_001399b0
          	daddu		a0, s5, zero		# 0014a2b0:02a0202d	a0="cdrom0:\ERX\PSU_US.GZ;1"
          
          
          
          FNC_001399b0:					# 
          	break		(00001)			# 001399b0:0000004d	
          	addiu		zero, zero, $0008	# 001399b4:24000008	
          	break		(00001)			# 001399b8:0000004d	
          	addiu		zero, zero, $0009	# 001399bc:24000009	
          	break		(00001)			# 001399c0:0000004d	
          	addiu		zero, zero, $000a	# 001399c4:2400000a	
          	break		(00001)			# 001399c8:0000004d	
          	addiu		zero, zero, $000b	# 001399cc:2400000b	
          FNC_001399d0:					# 
          	break		(00001)			# 001399d0:0000004d	
          	addiu		zero, zero, $000c	# 001399d4:2400000c	
          	break		(00001)			# 001399d8:0000004d	
          	addiu		zero, zero, $000d	# 001399dc:2400000d	
          	break		(00001)			# 001399e0:0000004d	
          	addiu		zero, zero, $000e	# 001399e4:2400000e	
          	break		(00001)			# 001399e8:0000004d	
          	addiu		zero, zero, $000f	# 001399ec:2400000f	
          FNC_001399f0:					# 
          	break		(00001)			# 001399f0:0000004d	
          	addiu		zero, zero, $0010	# 001399f4:24000010	
          	break		(00001)			# 001399f8:0000004d	
          	addiu		zero, zero, $0011	# 001399fc:24000011	
          	break		(00001)			# 00139a00:0000004d	
          	addiu		zero, zero, $0012	# 00139a04:24000012	
          	break		(00001)			# 00139a08:0000004d	
          	addiu		zero, zero, $0013	# 00139a0c:24000013	
          	break		(00001)			# 00139a10:0000004d	
          	addiu		zero, zero, $0014	# 00139a14:24000014	
          	break		(00001)			# 00139a18:0000004d	
          	addiu		zero, zero, $0015	# 00139a1c:24000015	
          FNC_00139a20:					# 
          	break		(00001)			# 00139a20:0000004d	
          	addiu		zero, zero, $0016	# 00139a24:24000016	
          	break		(00001)			# 00139a28:0000004d	
          	addiu		zero, zero, $0017	# 00139a2c:24000017	
          	break		(00001)			# 00139a30:0000004d	
          	addiu		zero, zero, $0018	# 00139a34:24000018	
          	break		(00001)			# 00139a38:0000004d	
          	addiu		zero, zero, $0019	# 00139a3c:24000019	
          	break		(00001)			# 00139a40:0000004d	
          	addiu		zero, zero, $001c	# 00139a44:2400001c	
          	break		(00001)			# 00139a48:0000004d	
          	addiu		zero, zero, $0020	# 00139a4c:24000020	
          	nop					# 00139a50:00000000	
          	nop					# 00139a54:00000000	
          	nop					# 00139a58:00000000	
          	nop					# 00139a5c:00000000	
          	nop					# 00139a60:00000000	
          	nop					# 00139a64:00000000	
          	lui		v1, $001d		# 00139a68:3c03001d	v1=gmail_cur_posx
          	jr		ra			# 00139a6c:03e00008
          The function it jumps to makes absolutely no sense to me. Never seen a function like it before.
          Last edited by -MIPs-; 10-27-2006, 03:24:25 PM.


          • #20
            "s5=gmail_cur_posx" ?

            No problem; the little I know I'll gladly spread in return for both the knowledge anyone else has, and the experience I gain from each thing I toy with for or with them. Things would move a lot more quickly around here if we could grab some more PS2Dev guys, but we're beginning to assemble, and that's pretty cool.
            I may be lazy, but I can...zzzZZZzzzZZZzzzZZZ...


            • #21
              Originally posted by Lazy Bastard View Post
              "s5=gmail_cur_posx" ?

              No problem; the little I know I'll gladly spread in return for both the knowledge anyone else has, and the experience I gain from each thing I toy with for or with them. Things would move a lot more quickly around here if we could grab some more PS2Dev guys, but we're beginning to assemble, and that's pretty cool.
              Yes, definitely ^_^

              That label came from the second label mates file. Might not even be relevant. That file labeled the address 001d0000 as gmail_cur_posx.

              I haven't been able to find where that file might be loaded into memory but I'm still working on it.

              *EDIT* Hmmmm....Wouldn't it be possible to find some of the codes CMX posted in our elf and adjust the addresses as necessary to make our own codes? Might be kinda hard unless I can come up with a good enough pattern. Or maybe I'll get lucky and find one that has some obvious labels next to it ^_^.... Worth a shot.

              *EDIT 2* Just remembered that the PSU_US file was stored on the CD in a compressed .GZ archive. I'm not sure how the ps2 handles compressed data on disc, but I would assume that it gets decompressed into memory. Maybe I'm looking for the wrong function?
              Last edited by -MIPs-; 10-27-2006, 05:24:21 PM.


              • #22
                I've looked through that, looking at the calls to any labels with mc2 inside them, and there's a function which looks like it's either initialising and reading or just initialising the library for mc2. And it's somewhere there, but I closed the dump a while ago...

                btw

                EVERY game has a sprintf function; it's just not always labelled, as it comes in slightly different forms.

                the label "gmail_cur_posx" basically has no relevance at all to anything in any game to do with the codes you are hacking
                Last edited by cYs Driver; 10-27-2006, 05:38:20 PM.


                • #23
                  Originally posted by cYs Driver View Post
                  I've looked through that, looking at the calls to any labels with mc2 inside them, and there's a function which looks like it's either initialising and reading or just initialising the library for mc2. And it's somewhere there, but I closed the dump a while ago...

                  btw

                  EVERY game has a sprintf function; it's just not always labelled, as it comes in slightly different forms.
                  Sweet, that's good to know. Another thing to add to my "look into" list. Once I can get over this current hump then maybe I can write a simple mem viewer sub to research even further. (fun! fun!) I should be able to find Sprintf() near all those format strings then.

                  Originally posted by cYs Driver View Post
                  the label "gmail_cur_posx" basically has no relevance at all to anything in any game to do with the codes you are hacking
                  Yea, I figured that. I've seen that label appear in a few of my elfs after loading the second label mates file. Wasn't that function that it called weird, though? It didn't even do anything till the end when it loaded that address in v0.

                  Also, I noticed just now that when I load PSU_US.erx in ps2dis it starts the cursor at address 002df590, which I'm gonna assume is main() of this file. And there are functions all the way up to 00000000. Still haven't been able to resolve the relevant address in mem, though.

                  *EDIT* Those big *.afs files I mentioned before are archives I believe. There are a ton of labels referencing all types of sound, movie models and texture data files that aren't visible on the disk. ^_^

                  *EDIT* " Known Developer Formats
                  Sega games use ADX format, AFS is an archive of ADX files. a lot of Microsoft Game Studios games use WMA ( what else :P ) Most games uses XWB ( Xbox Wave Bank ) with a couple different formats that could be inside WMA, ADPCM I've seen so far. XSB contain the file names for the XWB files in the archive. SFD is CRI MiddleWares video Codec. " Got a program called Game Extractor that opens these with no problem. All the game event videos were in here. CVM file was a no go.

                  Looks like we were right on the money with this one. The .CVM should be an archive with the rest of the data files. ^_^ Might even be worth looking into decompressing later down the road (for models and such) when I'm done figuring out how this game works.

                  P.S. Please excuse all my edits lol. Just tryin to keep up to date. Like a virtual notepad ^_^
                  Last edited by -MIPs-; 10-28-2006, 04:00:20 PM.


                  • #24
                    nice research keep it up mate


                    • #25
                      New Info!!

                      Thanks man. ^_^

                      Ok...so that code I posted on the last page that I said looked weird actually serves a purpose!! Functions inside of IRX (assuming ERX as well) files are listed as offsets inside the module's function list. So this is how specific functions are imported from IRX/ERX files.

                      jr ra
                      li zero, 00000004 - loads function in the 4th position of the list.

                      One small step closer to understanding this game. ^_^ And the ps2 for that matter.

                      Where the module is to load is also specified somewhere. Not exactly sure yet. (In its stub maybe?)

                      Credit to Oobles from ps2dev for writing "Hello IOP!!".
                      Last edited by -MIPs-; 10-28-2006, 06:34:58 PM.

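The stub pattern described in #25, as an added example that is not code from the thread: a decoder for the raw instruction words (the hex column of the ps2dis dump) that recognises the jr ra / break plus addiu zero, zero, N pairs and reports N as the import position. Assumptions: the sample words and start address are copied from the FNC_001399b0 listing earlier in the thread; nothing else is taken from the game.

```python
# Added example: decode IRX/ERX-style import stubs from raw MIPS words.
# A stub is a word pair: "jr ra" (0x03e00008) or "break" (0x0000004d, as in
# the ps2dis dump above) followed by "addiu zero, zero, N"; N is the position
# of the imported function in the module's function list.

OP_ADDIU = 9        # opcode field (bits 31..26) for addiu
FUNCT_JR = 0x08     # SPECIAL funct for jr
FUNCT_BREAK = 0x0d  # SPECIAL funct for break
REG_ZERO, REG_RA = 0, 31

def decode(word):
    """Classify one 32-bit word; returns (kind, value) or None."""
    op, rs, rt = word >> 26, (word >> 21) & 31, (word >> 16) & 31
    if op == OP_ADDIU and rs == REG_ZERO and rt == REG_ZERO:
        return ("li_zero", word & 0xffff)       # addiu zero, zero, imm
    if op == 0:                                 # SPECIAL class
        funct = word & 0x3f
        if funct == FUNCT_JR and rs == REG_RA:
            return ("jr_ra", None)
        if funct == FUNCT_BREAK:
            return ("break", (word >> 6) & 0xfffff)
    return None

def import_ordinals(words, base):
    """Map stub address -> position for every stub pair found in `words`."""
    table, i = {}, 0
    while i + 1 < len(words):
        first, second = decode(words[i]), decode(words[i + 1])
        if (first and first[0] in ("jr_ra", "break")
                and second and second[0] == "li_zero"):
            table[base + 4 * i] = second[1]
            i += 2                              # consume the whole pair
        else:
            i += 1                              # resynchronise on the next word
    return table

# Words copied from the FNC_001399b0 listing above (break / addiu pairs).
DUMP_WORDS = [0x0000004d, 0x24000008, 0x0000004d, 0x24000009,
              0x0000004d, 0x2400000a, 0x0000004d, 0x2400000b]

if __name__ == "__main__":
    for addr, n in sorted(import_ordinals(DUMP_WORDS, 0x001399b0).items()):
        print(f"{addr:08x}: import #{n}")
```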

                      • #26
                        Nice documentation; this could end up being a useful piece of reference to everyone. I guess I should become unlazy for a while and check it out a little more in-depth myself.
                        I may be lazy, but I can...zzzZZZzzzZZZzzzZZZ...


                        • #27
                          Originally posted by Lazy Bastard View Post
                          Nice documentation; this could end up being a useful piece of reference to everyone. I guess I should become unlazy for a while and check it out a little more in-depth myself.
                          Thnx ^_^, definitely feel free to jump in when you get some free time. I can use all the help and experience I can get. It still bugs me that I haven't been able to find out where in memory the PSU_US file loads. Or maybe the slus just references functions out of this file as necessary....BUT that would still mean it has to be loaded in mem somewhere...or at least a function table..(head spinning)....IDK!! lol

                          I took a break Sunday and did some packet captures instead....I was able to decode the first 5 bytes of data...but the rest is encrypted (new project!! ^^). It uses 3 bytes for what seems to be a message ID and 2 bytes for size of data. Size of data doesn't include the first 5 bytes. But that's another matter. Just thought I would share.
                          Last edited by -MIPs-; 10-30-2006, 04:30:11 PM.


                          • #28
                            So you're capturing the packets out of the ps2 for this game online??
                            If you are, the easiest way to start determining what the packets are for would be to try different things, like:
                            go into a room, stand still, shoot a bullet, capture the packets, shoot another and compare IDs, etc. This will take some time to narrow down the packets, but it's good since they have IDs, unless they are unique IDs.


                            • #29
                              Originally posted by cYs Driver View Post
                              So you're capturing the packets out of the ps2 for this game online??
                              If you are, the easiest way to start determining what the packets are for would be to try different things, like:
                              go into a room, stand still, shoot a bullet, capture the packets, shoot another and compare IDs, etc. This will take some time to narrow down the packets, but it's good since they have IDs, unless they are unique IDs.
                              Yea, I have the ethernet adapter (on laptop) bridged to the wireless card. The PS2 connects in on the ethernet card and the wireless card connects to the net.

                              HaHa ^_^...that's exactly what I did. You get your own personal room in that game. I have a couple files I made of separated (noted) hex dumps of the game's packets. I did a couple of chat tests, a step forward, email send and status request. I did all of this from my room so I wouldn't be interrupted by everyone else's traffic. The only other traffic in your room are the sync/keepalive packets. And that's only a 4 packet event every so often. So far the first 3 bytes of these have been 17 00 00 (packet id/type). I haven't done any battle packets yet.

                              I'm probably not going to be able to decode anything else past the first 5 bytes. I'm pretty sure everything after that is encrypted because I can't see any readable data in the dumps, it's all junk. So I'm hoping for maybe a symmetric key encryption. That way I have a chance of pulling the key out of the slus/.erx . Or maybe it's a simple XOR! LOL yea right...

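The framing described in #27 and #29, as an added example that is not code or data from the thread: a splitter for a captured byte stream using a 3-byte message id followed by a 2-byte payload length that excludes the 5-byte header, plus the printable-byte ratio check behind "it's all junk". Assumptions: the length field is little-endian (the thread does not say which), and the sample bytes are constructed here rather than taken from a real capture.

```python
# Added example: frame a captured byte stream using the layout reported in
# the thread (3-byte message id, 2-byte payload length, length excludes the
# 5-byte header). Endianness of the length field is an assumption.
import struct

HEADER_LEN = 5

def split_frames(stream):
    """Return (frames, leftover); each frame is (msg_id_hex, payload)."""
    frames, pos = [], 0
    while pos + HEADER_LEN <= len(stream):
        msg_id = stream[pos:pos + 3]
        (length,) = struct.unpack_from("<H", stream, pos + 3)  # assumed LE
        end = pos + HEADER_LEN + length
        if end > len(stream):
            break                      # truncated frame: stop, keep leftover
        frames.append((msg_id.hex(), bytes(stream[pos + HEADER_LEN:end])))
        pos = end
    return frames, stream[pos:]

def printable_ratio(payload):
    """Fraction of printable-ASCII bytes; a value near 0 across many frames
    is what the thread observes for the encrypted part of each packet."""
    if not payload:
        return 0.0
    return sum(32 <= b < 127 for b in payload) / len(payload)

# Constructed sample: a keepalive-style frame (id 17 00 00) with 4 bytes of
# payload, then a frame with readable text, then a truncated frame.
SAMPLE = (bytes.fromhex("170000" "0400" "a1b2c3d4")
          + bytes.fromhex("010203" "0500") + b"hello"
          + bytes.fromhex("170000" "0800" "ff"))

if __name__ == "__main__":
    frames, rest = split_frames(SAMPLE)
    for msg_id, payload in frames:
        print(msg_id, len(payload), f"printable={printable_ratio(payload):.2f}")
    print("leftover bytes:", rest.hex())
```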

                              • #30
                                Looking at these two files a little more, I'm really interested in how this game works...I should probably pick it up. Has anyone hacked this game yet?
                                I may be lazy, but I can...zzzZZZzzzZZZzzzZZZ...