Your code won't work for a number of reasons. Your started off fine with address 0x0025D4E4 (not where you jumped to, though).

- You are making your hook jump into RAM. Don't just use any row of nops you see fit. You never know how the game occupies that space of memory. Hook your code into the kernel memory instead (somewhere between 0x000C0000 - 0x000FFFFF). Be careful, as ESR occupies the area in 0x000C0000. Every time I used this area for subroutines, my games always crashed during the color test (I don't recall the exact name for this). I changed my code to use the 0x000FFFFF region instead, and the code/game worked fine.

- Your mod code looks odd to me. It can be coded in a number of ways and you can achieve the same result of the RAM code with a simple ASM patch (the area of coding that writes to the address). Something like this should work (I grabbed the file real quick to give you a test code):

0025D4E4 0803FFCO
000FFF00 3C010044
000FFF04 8C21A9B4
000FFF08 24030000
000FFF0C A423FBA4
000FFF10 03E00008

I did a lot of fiddling around to find the offset used in the above code (a bit rusty with the PS2). I'm too tired to explain how I came to said value, but you should be able to figure it out on your own. You can also try hard-coding the value that writes to 0x0043AAB4 by pressing space bar on it, then F3 to trace all referrers to it. Modify the "li, register, $FFFFFFFF" addresses before it to store 0000 instead (modify the FFFF part of them). That should work.

I don't know if you missed this, but Gtlcpimp wrote a guide on this here: http://www.thegshi.org/vb/threads/44...evice-required

Pyriel wrote one of the best guides to date on the CMP that covers subroutines: http://www.gshi.org/vb/threads/1587-...om-Subroutines

You can also check out a text file with info on the PS2 memory map here: http://psx-scene.com/forums/f19/ps2-...-layout-64760/

I'm out...

Why do you need a hook, isn't it just loading a modified ELF? also why jr ra and not jal?

I need to constantly write a value at a specific RAM address. The hook is there to call my "write function" constantly. Maybe I should explain the thoughts behind my code:

lui t0, $0x0000
-write zeros into the temporary register t0
-I use temporary registers, because I use a "jump to return address" (jr ra) at the end of my code, and afaik that means I can safely use the temporary registers without corrupting the game

li t0, $0x0000
-after reading up on the lui command, I think this line is redundant
-I wasn't sure if the lui command writes the zeros in the upper and lower bits, I wanted to be sure that t0 is now 00000000

lui t1, $0x0043
-now I want to get the upper bits of the RAM address into t1, t1 should now be 00430000

nop
-I wanted to wait, because I read that load commands take a while to execute

sw t0,$AAB4(t1)
-this is the line where I want to overwrite the RAM address (0043AAB4) with 8 zeros
-the value at the RAM address 0043AAB4 should now be 00000000

nop
-I just wanted to leave some space in case I have to add a line

jr ra
-jumps back to the return address, which I didn't change anywhere, so I hope this resumes the game as usual


A jal changes the "ra" register, I didn't want to overwrite its contents, so that I can simply return and jump back savely at the end of my code.



Thx, let me try to figure out what your code does, line by line (I decompiled with Code Designer).

j $000FFC30
-the jump to the function at fff00
-problem: this address is the very beginning of the ELF file and I would destroy the header if I'd inject the function into this part of the ELF file

lui at, $0044
-the value 0044 is shifted left 16bits and stored in the register "at", the lower 16 bits are set to zeros ("at" is now 00440000)
-why are you using "at", isn't that reserved by the assembler?

lw at, $A9B4(at)
-the value at the address 0044A9B4 is loaded into the register "at"
-why would you load a word into "at", thus overwriting its value?
-you also don't know what value the address 0044A9B4 holds, doesn't this mean that the value in "at" is now unknown?

addiu v1, zero, $0000
-v1 is zero + 0000, the const 0000 is sign-extended to 32bit (I guess that means v1 is now 00000000)

sh v1, $FBA4(at)
-I think v1 is written to an unknown address (because the value in at is unknown)
-why only store a half word, I need to write a word (00000000) in RAM and not only half (0000) of it

jr ra
-jump back, no prob here

Excuse my explanation on the subject, as I never really had to explain it to others in much detail. I just retain (to an extent) what I learn from other hackers codes and the guides written on making ASM codes.

I really don't know why you're talking about "jumping into memory". I'm jumping into other parts of the ELF file, namely the part where I injected my own function. I should've asked this before, when you said this in your first post.

I didn't make my hook jump into RAM, I jumped to another address within the ELF file.




This also contradicts what Gtlcpimp wrote in his tutorial on Disc Mods.




But all of this is unnecessary, because I know the exact location that I want to write to already. There is no need to retrieve a pointer. You're overcomplicating things.




Thx for bringing this to my attention, because that is it! That's the problem with my code. If I want to write to the RAM address 0043AAB4 I have to write to 0044AAB4. The correct offset for that part of the RAM seems to be 0x00010000. PS2DIS shows the adress after the analyzer is invoked. How could I miss that? It's even visible in the screenshot in my opening post.



I don't want to write to 0042aab4, I want to write to 0043aab4, thus the "lui" above has to be changed to take the offset into account.

The only change I had to make to my initial code, was to exchange this line
with this one.
I also deleted the redundant "li" and a nop line. The new code of my function thus looks like this:
(injected with Code Designer at 002d8b40)


I tested it and it seems to work fine now.

Too lazy to quote...

When I say memory, I mean a specific area of the PS2 executable. Each section is divided accordingly. Your code is indeed jumping into RAM. Any address not found in the ASM (the game's machine code. I.E., sceSifSendCmd) region, is RAM. I also noticed you did without even having the file at the time from this pic: http://img17.imageshack.us/img17/5209/ownfunction.jpg. The desolate area of nops and seeing 42B40000 gave it away.

Gtlcpimp, obviously didn't want to go into much detail about some things mentioned in his guide. Yes, he said and gave a specific area to look for null data (zeros), but some games might use the area chosen to write the routine in some way. It's best to just find a suitable area with PS2DIS than a hex editor. You can also write your code in it to make sure it is writing where you want it, too. Then, apply it to Code Designer.

As for my code, you have to remember that there is more than one way to handle the task at hand. I intentionally wrote it that way to show you this. Like I said before, the effect of a subroutine hack could be simply achieved with a tiny modification to the coding that controls your RAM address (0x0043AAB4).

As for your code, congrats on getting it to work. I can't explain what I wanted to say about your code, as I have to go. However, I will quickly say that you realized some things about it, but interpreted the info you got from it wrong.

I guess this means the executable is loaded into RAM?


How do I tell which section "is RAM" and which isn't?


That's exactly what I did.


I appreciate your help, but do you wanted to show me that it could be done in a much more complicated and harder to understand way?


I haven't found the code that controls my RAM address. I could search for it, and might be able to find and modify it accordingly, now that I know the correct offset and address to search for (0x0044AAB4) but why should I?


If you find the time, I'd like to know what I interpreted wrong, to not make the same mistake in the future.

Kernel is only 0x80000000 - 0x8007FFFF.
User space RAM is 0x00080000 - 0x02000000.


Correct.


RAM (Random Access Memory) is the memory where everything is stored when it is loaded "onto" the console. It's all RAM, no matter what address, it's still part of the RAM.



On a side note, the guide I wrote for full cheats via disc mod was a quick draft (I hate going into detail). Was more aimed towards people with knowledge at hand already than the beginners...

Thanks for the corrections and explanations, Gtlcpimp.

@ 1CC: I don't know when that will be, as some real life matters at hand need to be dealt with. I don't know when I'll be back. Some of the more advanced hackers here can help you out in the meantime.

That sounds a bit frightening. Doesn't it mean that a game could overwrite and completely alter its excutable at runtime? And doesn't it also mean that, without inspecting every part of the ELF, I can never be sure that the rows of nops I selected for my own subroutine won't be overwritten, after they've been loaded into RAM? Is there a way to quickly identify unused space?


If I replace my "game hook", with a "kernel hook", how does that help me with the location of my subroutine within the ELF? Or can I write the entire subroutine within that part of the ELF file, that will be loaded into "kernel memory"?

If so, where exactly is that space located in the ELF file? This would also answer the above question about quickly locating unused space.


Yes, it wasn't aimed at neither my skill level nor task, as I just wanted to do a rather simple disc modification. Is there a tutorial out there on how to make a patch, thus hardcoding a cheat? I had to string together bits and pieces from these two threads.

http://www.gshi.org/vb/threads/3638-...memory+scanner
http://www.gshi.org/vb/threads/1587-...om-Subroutines

It would've worked if the "hidden" offset wouldn't have gotten in the way. I can't remember reading about this 0x00010000 offset in a tutorial before, is it only in this particular game, or do all PS2 games use it?

If designed to yes. Most generally no the ELF will not, since the applications are normally written to allocate memory for read / writes outside of the space used by the file itself.

Yes, and flawless too. Read the header of the ELF file, it will tell you exactly what get's loaded to where. It will tell you what parts of the file is being loaded, so you can just consume the parts that aren't being loaded and add in another extension on the header to load it. In commercial games there is usually a large amount of blank space between the end of the header and the beginning of the function data. Most of the time the headers will show it starts loading from the point the function data is at, thus leaving the blank space between unused and untouched. You can put all the routines you want (that can fit) in that area, and then extend the header out to perform a load from that unused space to store to whatever memory address you want.

If you choose the route of the modded header, then the simplest way of installing a kernel hook would be to change the entry point to a start up function you have to make. Write out the start up function to install a kernel hook to execute your other function, and then jump back to the original entry point. Your functions don't have to be in kernel memory to be executed from the kernel.