L1+R1 Clan Well Kick Ur A$$


Hacking With PS2DIS

The Guide to PS2DIS…
What Do I Need?
Basic knowledge or understanding of R5900 machine code, i.e. mips64r5900 (EE or EL), and asm5900 (if you can assemble the codes then you can also disassemble them)
EE Core Instruction Set Manual
MIPS: Assembly Language Programmer's Guide
A hex editor (PS2DIS or IDA Pro)
Encoders and decoders (PS2 Code Decoder Beta v.X and Fullcodes' Multi-Line Converter v.X)
Most importantly, TIME and patience! I cannot stress PATIENCE enough!


History:




=-=-=-=-=-=--=
What Do I Need?
-=-=-=-=-=--=-
What file do I need to load from my PS2 game to hack codes?
Look for these file names...
SLUS_###.##
SCES_###.##
SCUS_###.##
SCPS_###.##
SLMS_###.##
SLPS_###.##
PBPX_###.##

# = represents a digit
In some cases a game has multiple ELFs.
Some are shown as
.elf
.ntgui


Examples:
King of Fighters 2000 (JAP)
Slps_251.56

Yu-Gi-Oh!: Duelist of The Rose (USA)
Slus_205.15

Dead Or Alive 2 (JAP)
Pbpx_925.01


How do I look for codes?
- The easiest way is to look at labels, but they are not
always the easiest to read, like the labels in GTA3.

To find the "Labels" click Edit
Then click Jump to Labeled
Or just hold Control and press G
In a few seconds a list of labels should pop up
The best bet is to look for labels that don't have
QUOTES in front of them
Quotes: "..."

When you edit the labels in quotes you're basically
editing words.

But you NEED a Master Code for the codes to work! So we will start this guide off by putting together
a Master Code.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
How to Create A Playstation 2 Master Code
=-=-=-=-=-=-=-==-=-=-=-=-=--=-

Courtesy of Nachbrenner@XploderFreax.de

This tutorial requires basic knowledge of R5900 machine code language.
Stop reading if you don't know what that means :D

Following examples are based on the game GTC Africa PAL SLES_504.72
-----------------------------
Method 1 "HandleCmdLineArgs":
-----------------------------

Search for "jal HandleCmdLineArgs".
jal 0x0010a7b0 # 00109d94:0c0429ec v HandleCmdLineArgs

-> Master Code 1
F0109D94 0000000E
------------------------
Method 2 "MainGameLoop":
------------------------

Search for "jal MainGameLoop".
jal 0x001085c0 # 0010a140:0c042170 ^ MainGameLoop

-> Master Code 2
F010A140 000001FD

--------------------------------------------
Method 3 "Entrypoint / Memcpy +3":
--------------------------------------------

This method is not compatible with PAL2NTSC and Y-Fix codes!
Search for "entrypoint", which is mostly 00100008 or 00200008.
Search for "jal memcpy" inside the "scepadread" routine. Add +3 to that address.

ENTRYPOINT:
lui v0, 0x0027 # 00100008:3c020027 v0=s_pInput
...
jal 0x0011e620 # 0011fc58:0c047988 ^ memcpy


-> Master Code 3
F0100008 0011FC5B
----------------
Method 4 "Main":
----------------

Search for "jal main".

ENTRYPOINT:

lui v0, 0x0027 # 00100008:3c020027 v0=s_pInput
syscall (00000) # 00100058:0000000c
or sp, v0, zero # 0010005c:0040e825 sp=oldGameMode
lui a0, 0x0063 # 00100060:3c040063 a0=0x00630000
lui a1, 0x0000 # 00100064:3c050000
addiu a0, a0, 0x9880 # 00100068:24849880 a0=__bss_end
addiu a1, a1, 0xffff # 0010006c:24a5FFFF a1=_heap_size
addiu v1, zero, 0x003d # 00100070:2403003d v1=0x0000003d
syscall (00000) # 00100074:0000000c
jal 0x001354b0 # 00100078:0c04d52c v _InitSys
nop # 0010007c:00000000
jal 0x0012da60 # 00100080:0c04b698 v FlushCache
or a0, zero, zero # 00100084:00002025
ei # 00100088:42000038
lui v0, 0x005f # 0010008c:3c02005f v0=0x005f0000
addiu v0, v0, 0x3580 # 00100090:24423580 v0=_args
lw a0, 0x0000(v0) # 00100094:8c440000 a0=_args
jal 0x00109d70 # 00100098:0c04275c v main
addiu a1, v0, 0x0004 # 0010009c:24450004 a1=0x005f3584
j 0x0012d400 # 001000a0:0804b500 v Exit

-> Master Code 4
F0100098 0000000E
Method 5 "Universal" Courtesy of GMO
----------------
This works with your Codebreaker2, Xploder2, and Gameshark2 v3.
Load the SLUS in PS2DIS; it will automatically open at the game's "Entry Point".
You are going to change the ending to
0000000E
Or
000001DF
Example:
Grand Theft Auto 3 (GTA3)
00100008 3c020041 ENTRYPOINT lui v0, $0041
Take "00100008" and change it to "F0100008"
Then add a Universal ending to F0100008
It could be
F0100008 0000000E (widely used with Xploder2/Codebreaker2)
Or
F0100008 000001DF (use with Gameshark2/Action Replay2)
ALL YOU NEED IS THE FIRST PART OF THE ENTRY POINT
P.S. Some games will not have an entry point!
Look for the first lui instruction, unless you see a padduw instruction, in which case use the first padduw, and then add the universal ending. THIS WILL NOT WORK ON ALL GAMES, BUT IT'S SOMETHING.
P.S. 0000000E works great with Kalisto rips!
----------------
Method 6 "Universal Type 2" Courtesy of Ace1
----------------
It's called type 2 because it works on ALL CHEAT DEVICES!
The scepadread Master Code
Example: Final Fantasy X NTSC


The scepadread jal
All you are going to do is take the address 002db32c
and make 2 copies of it, so your code will look like 002db32c 002db32c
Now you have an address and a value. In the value add 3: 002db32c + 3 = 002db32f
The current code is 002db32c 002db32f; now in the address change the first Zero (0) to an F
002db32c becomes F02db32c

Final M Code
F02db32c 002db32f

Tester: GMO
Result: Works!

Example: The Getaway

M Code
F0310e2c 00310e2f
Result: Works!
Example: Grand Theft Auto 3 PAL (SLES_503.30)
M Code
F011f344 0011f347

Example: Enter The Matrix PAL
M Code
F03CA5EC 003CA5EF

Example: Red Faction (German)

M Code
F02664ac 002664af
-=-=-=-=-=-=-=-=-=
Xploder Multi Elf Master Code Explained By: GMO
=-=-=-=-=-=-=-=-=-
Example: 007: Agent Under Fire
Slus_202.65
action.elf
driving.elf
movie.elf

Let's start with the ELFs, since people want to know what the deal is with them. Let's start making a master code. What you want to do is find the scepadread, and find the memcpy.
1st elf... action.elf
0034539C 0C04EC72
2nd elf... driving.elf
00277E24 0C090ABB
3rd elf... movie Elf
00133734 0C049877

Now it's time for the SLUS_202.65:
01F00008 < Entry Point
or you can use
01F000CC < main JAL
or scepadread (007 had none, so use initaldpad)
01F0976C (01F0976B)
Now you can put your Master Code together.
First you need the SLUS: 01F00008 01F0976B
Put the F in to make it official:
01F00008 01F0976B becomes F1F00008 01F0976B

M Code so far…
F1F00008 01F0976B
Now it's time to put the ELFs in
F1F00008 01F0976B
0034539C 0C04EC72 - Action elf
00277E24 0C090ABB - Driving elf
00133734 0C049877 - Movie elf

Instead of putting in a F, you are going to put in 9's
F1F00008 01F0976B
0034539C 0C04EC72
00277E24 0C090ABB
00133734 0C049877

Will become…

F1F00008 01F0976B
9034539C 0C04EC72
90277E24 0C090ABB
90133734 0C049877
YOU ARE FINALLY DONE!
Now convert it to Code Breaker2/Xploder2 Format.
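The master-code arithmetic from Method 3, Method 6 and the multi-ELF walk-through, as an added Python example (not a tool from this site or its contributors). The sample code blob is constructed from the two jal words quoted in Methods 1 and 2; the 0x00109d90 load base and the function names are my assumptions.

```python
"""Find 'jal <function>' call sites in a little-endian code blob and build the raw
master-code lines this page describes: Method 3 (entry point, memcpy jal + 3),
Method 6 (scepadread jal, value = address + 3) and the Xploder multi-ELF form
with its extra 9 lines.  Added example, not a tool from the original site."""
import struct

JAL = 0x03  # J-type opcode of jal, bits 31..26

def jal_target(word: int, pc: int) -> int:
    """Absolute target of a jal at address pc: 26-bit index << 2, top nibble from pc+4."""
    return ((pc + 4) & 0xF0000000) | ((word & 0x03FFFFFF) << 2)

def find_jal_sites(code: bytes, base: int, target: int) -> list:
    """Addresses of every jal to `target` in a blob loaded at `base` (what the
    'Search for jal scepadread' step does by hand in PS2DIS)."""
    sites = []
    for off in range(0, len(code) - 3, 4):
        word = struct.unpack_from("<I", code, off)[0]
        if word >> 26 == JAL and jal_target(word, base + off) == target:
            sites.append(base + off)
    return sites

def method6_master(jal_addr: int) -> str:
    """Method 6: F + address of the scepadread jal, value = that address + 3."""
    if jal_addr & 3:
        raise ValueError("instruction address must be word aligned")
    return f"F{jal_addr & 0x0FFFFFFF:07X} {jal_addr + 3:08X}"

def method3_master(entrypoint: int, memcpy_jal_addr: int) -> str:
    """Method 3: F + entry point, value = address of the memcpy jal + 3."""
    return f"F{entrypoint & 0x0FFFFFFF:07X} {memcpy_jal_addr + 3:08X}"

def multi_elf_master(main_line: str, elf_hooks: list) -> list:
    """Xploder multi-ELF master: the main F line plus one 9 line per extra ELF hook."""
    return [main_line] + [f"9{a & 0x0FFFFFFF:07X} {v:08X}" for a, v in elf_hooks]

def check_plus3_line(line: str) -> bool:
    """True if an F line's value is its own address + 3 (the Method 6 shape)."""
    addr_s, val_s = line.split()
    return addr_s[0].upper() == "F" and int(val_s, 16) == int(addr_s[1:], 16) + 3

# Constructed sample: the two jal words quoted in Methods 1 and 2 above, placed
# as if loaded at 0x00109d90 with padding words between them (assumed layout).
SAMPLE_BASE = 0x00109D90
SAMPLE_CODE = struct.pack("<IIII", 0, 0x0C0429EC, 0, 0x0C042170)
```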

Now that your brain is fried, we bring you a little treat…
Master 04 by Kuja, which finds you your Master Code using the scepadread callback hook.
It's included in this Code Kit!!!
+=+=+=+
ROM Bypass (Under Construction)
=+=+=+=
Example: Jak & Daxter- The Precursor Legacy NTSC

Rom Bypass v1-4 (Made by CMX)
-2011C280 03E00008
-2011C288 3C032008
-2011C28C 3C028C44
-2011C290 344205B0
-2011C294 AC620008
-2011C298 3C0200A4
-2011C29C 3442082B
-2011C2A0 AC62000C
-2011C2A4 3C02108E
-2011C2A8 3442001D
-2011C2AC 03E00008
-2011C2B0 AC620040
+2010ABEC 0C0470A2

From what I understand and have researched, the ROM Bypass comes from the printf routine, except the last code (+).


The game has the cheat devices disabled/written out. Who would have thought to write over the code? CMX!
-=-=-=-=-
PAL2NTSC By Godshin Translated by GMO
=-=-=-=-=
-What is a PAL2NTSC Code?
It allows you to play your PAL games at the same Hz as NTSC Games!

The Process is fairly simple.
Open PS2DIS
Upload a PAL Elf file.
My Example will be 'Marvel Vs. Capcom 2'
Once the elf is uploaded click Edit
Now click Find a Pattern
Put a check next to As Hex String
In the Box Above type 0394
Click OK or Press Enter
It will take you to 00100308 00069403 sra s2, a2, 16
Change the value to 24120002
Your Code should look like
00100308 24120002
Don't forget to change the first Zero (0) to a Two (2)
Final Code
20100308 24120002 - PAL2NTSC

All you have to remember is:
Find a Pattern 0394 with a check on As Hex String
and change the value to 24120002
Remember 00069403 = sra s2, a2, 16

-+-+-+-+
NTSC2PAL (Optional)
=-=-=-=-

It is exactly the same as PAL2NTSC
The Only difference is the value. Change the value to 24120003

Example: Legacy of Kain: Defiance (made by GMO)
NTSC2PAL
2013F9F4 24120003

Example: Kingdom Hearts (made by Nachbrenner)
NTSC2PAL
2025F840 24120003
-=-=
Y Fix By: Godshin Translated By: GMO
-=-=
Q. What is a Y-Fix?
A. It fixes the Y-axis on your PAL Television so NTSC games are not jumping around on the screen.

Example Game:
Final Fantasy X

The strings we are looking for are…
26430032 addiu v1, s2, $0032
26430048 addiu v1, s2, $0048
26450019 addiu a1, s2, $0019
26450024 addiu a1, s2, $0024

The Procedure is actually the same as PAL2NTSC except you are going to find a different pattern and your value will be changed to 00000010 and the first Zero (0) stays Zero (0).
Upload the elf and click 'Edit' on top
Now click Find a Pattern
Put a check next to As Hex String
In the Box Above type 4326

Now you are going to press F5 till you come to the string
26430032 addiu v1, s2, $0032

You should have come to 002D9B80 26430032 addiu v1, s2, $0032
Now you are going to replace 26430032 with 00000010
Your first code should be 002D9B80 00000010
Press F5 and you should come to the next string
26430048 addiu v1, s2, $0048 and replace the value with 00000010
Your second code should be 002D9C28 00000010

Code So Far
002D9B80 00000010 - first
002D9C28 00000010 - second

For the third and fourth Y Fix you are going to look for a different pattern. Set your pattern to 4562.
Press F5 till you come to 002D9BE0 26450019 addiu a1, s2, $0019
Replace the value with 00000010, giving your third code 002D9BE0 00000010
Now press F5 again to get to your last one: 002D9CA8 26450024 addiu a1, s2, $0024
Replace the value with 00000010, giving your fourth and final code
002D9CA8 00000010

Y-Fix
002D9B80 00000010 - first
002D9C28 00000010 - second
002D9BE0 00000010 - third
002D9CA8 00000010 - fourth
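The PAL2NTSC, NTSC2PAL and Y-Fix steps above as an added Python example that is not part of the original page: it shows what 00069403 and 24120002 actually are, why the search key is 0394, and refuses to emit a patch when the pattern hit is not the expected instruction. The function names are mine.

```python
"""Encode and decode the MIPS instructions that the PAL2NTSC, NTSC2PAL and Y-Fix
patches above touch, derive the byte string that PS2DIS 'Find a Pattern / As Hex
String' matches, and build the patch line only after confirming the hit really is
the expected instruction.  Added example, not code from the original site."""
import struct

REGS = ("zero at v0 v1 a0 a1 a2 a3 t0 t1 t2 t3 t4 t5 t6 t7 "
        "s0 s1 s2 s3 s4 s5 s6 s7 t8 t9 k0 k1 gp sp fp ra").split()
ADDIU, SPECIAL, SRA = 0x09, 0x00, 0x03

def encode_addiu(rt: str, rs: str, imm: int) -> int:
    """addiu rt, rs, imm  (I-type, opcode 9)."""
    return (ADDIU << 26) | (REGS.index(rs) << 21) | (REGS.index(rt) << 16) | (imm & 0xFFFF)

def encode_sra(rd: str, rt: str, sa: int) -> int:
    """sra rd, rt, sa  (R-type, opcode 0, funct 3)."""
    return (REGS.index(rt) << 16) | (REGS.index(rd) << 11) | ((sa & 31) << 6) | SRA

def decode(word: int) -> str:
    """Disassemble the two instruction forms this page patches; anything else is raw."""
    op, rs, rt = word >> 26, REGS[(word >> 21) & 31], REGS[(word >> 16) & 31]
    if op == ADDIU:
        return f"addiu {rt}, {rs}, ${word & 0xFFFF:04x}"
    if op == SPECIAL and (word & 0x3F) == SRA:
        return f"sra {REGS[(word >> 11) & 31]}, {rt}, {(word >> 6) & 31}"
    return f".word 0x{word:08x}"

def hex_pattern(word: int) -> str:
    """The instruction as the bytes stored in the ELF (little-endian), as a hex string;
    the search keys used above ('0394', '4326') are substrings of this."""
    return struct.pack("<I", word).hex()

def video_mode_patch(addr: int, found_word: int, mode: int) -> str:
    """Type-2 code replacing the `sra s2, a2, 16` at `addr` with `addiu s2, zero, mode`
    (mode 2 for PAL2NTSC, 3 for NTSC2PAL).  Refuses a false pattern hit."""
    if decode(found_word) != "sra s2, a2, 16":
        raise ValueError(f"0x{found_word:08x} at 0x{addr:08x} is not the expected sra")
    return f"2{addr & 0x0FFFFFFF:07X} {encode_addiu('s2', 'zero', mode):08X}"

def y_fix_patch(addr: int, found_word: int) -> str:
    """Line (leading 0 kept, as the text says) replacing an `addiu v1/a1, s2, imm`
    hit with 00000010; refuses anything that is not an addiu from s2."""
    if not decode(found_word).startswith(("addiu v1, s2,", "addiu a1, s2,")):
        raise ValueError(f"0x{found_word:08x} is not one of the Y-Fix addiu forms")
    return f"0{addr & 0x0FFFFFFF:07X} 00000010"
```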

-=-=-=-=-=-=-=-=
Basic Code Condensing
=-=-=-=-=-=-=-=
Condensing multi-line codes is a pretty easy task, especially if you caught onto it early in the PS2 days.
You're going to be taking
0xxxxxxx xxxxxxxx
and changing it to
2xxxxxxx xxxxxxxx
If you didn't understand that: you are going to be changing a Zero (0) to a Two (2)
Example: Soul Caliber 2 JAP

The following codes
Unlock Characters...
Sophitia
003FBF60 00000003
Seung Mina
003FBF61 00000003
Yoshimitsu
003FBF62 00000003
Charade
003FBF63 00000003
Cervantes
003FBF64 00000003
And condense it to

All Characters
203FBF60 03030303
003FBF64 00000003

You are going to take the first line
003FBF60 00000003
and change the Zero (0) to a Two (2)
203FBF60 00000003

Now you are going to break up the value into
Four parts 00000003 becomes 00 00 00 03
If you noticed the pattern in the values of each code
you realize that each one ends in 03
now plug in 03 into the broken up value to
give you 03 03 03 03 (03030303)
Your code now is 203FBF60 03030303

Testing....
Testing Results...
The code 203FBF60 03030303 gives you Sophitia, Seung Mina, Yoshimitsu, & Charade, but you still have Cervantes (003FBF64 00000003),
which is only one line, so just add that one code
to the existing code you have.
Giving you your final code
Unlock All Characters
203FBF60 03030303
003FBF64 00000003
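The basic condensing rule as an added Python example (not from the original site), generalised to any list of byte codes: it finds runs of consecutive addresses and emits the 0 / 1 / 2 forms the page uses, so the five-line Soul Caliber 2 list above comes out as the two-line code. The function names are mine.

```python
"""Condense single-byte (type 0) codes at consecutive addresses into halfword
(type 1) and word (type 2) writes, following the 0/1/2 table used on this page.
Added example, not a tool from the original site; raw (unencrypted) code
format is assumed, so convert for your device afterwards."""

def parse_codes(text: str) -> list:
    """Parse 'AAAAAAAA VVVVVVVV' lines into (type, address, value) tuples."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            word = int(parts[0], 16)
            out.append((word >> 28, word & 0x0FFFFFFF, int(parts[1], 16)))
    return out

def condense(codes: list) -> list:
    """Merge runs of adjacent type-0 byte writes.  The EE is little-endian, so the
    byte at the lowest address becomes the low byte of the merged value.  A run of
    3 bytes becomes a type-2 word with a 00 top byte, as the page's note does: that
    zeroes the fourth byte, so only use it where that byte may be overwritten."""
    byte_writes = sorted((a, v & 0xFF) for t, a, v in codes if t == 0)
    others = [f"{t:X}{a:07X} {v:08X}" for t, a, v in codes if t != 0]
    result = []
    i = 0
    while i < len(byte_writes):
        j = i                                   # extend j over consecutive addresses
        while j + 1 < len(byte_writes) and byte_writes[j + 1][0] == byte_writes[j][0] + 1:
            j += 1
        run, i = byte_writes[i:j + 1], j + 1
        for k in range(0, len(run), 4):         # slice the run into chunks of <= 4 bytes
            chunk = run[k:k + 4]
            value = sum(b << (8 * n) for n, (_, b) in enumerate(chunk))
            code_type = {1: 0, 2: 1, 3: 2, 4: 2}[len(chunk)]
            result.append(f"{code_type}{chunk[0][0]:07X} {value:08X}")
    return result + others

# The five Soul Caliber 2 character codes from the walk-through above.
BASIC_EXAMPLE = """
003FBF60 00000003
003FBF61 00000003
003FBF62 00000003
003FBF63 00000003
003FBF64 00000003
"""
```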





=-=-=-=-=-=-=-=-
Advanced Code Condensing Super Codes
-=-=-=-=-=-=-=-=
Example: Soul Caliber 2 JAP
Working with…
4aaaaaaa xxxxyyyy
dddddddd 00000000

Raphael 003FBF73 00000003
Talim 003FBF74 00000003
Yunsung 003FBF75 00000003
Cassandra 003FBF76 00000003
Mitsurugi 003FBF77 00000003
Taki 003FBF78 00000003
Voldo 003FBF79 00000003
Nightmare 003FBF7A 00000003
Astaroth 003FBF7B 00000003
Ivy 003FBF7C 00000003
Kilik 003FBF7D 00000003
Xiaghua 003FBF7E 00000003
Maxi 003FBF7F 00000003
Necrid 003FBF80 00000003
Heihachi 003FBF81 00000003
Sophitia 003FBF82 00000003
Seung Mina 003FBF83 00000003
Yoshimitsu 003FBF84 00000003
Charade 003FBF85 00000003
Cervantes 003FBF86 00000003

Nineteen (19) codes total
Let's turn it into…
All Characters (Demo Theater)
403FBF74 00040001
03030303 00000000
203FBF84 00030303
003FBF73 00000003

Doing the condensing for these codes is exactly the same as the Basic Condensing. The only difference is the extra code line. Why? It's a 32-bit Multi-Address Write.

Take Talim's line 003FBF74 and change the first Zero (0) to a Four (4)
003FBF74 00000003 becomes 403FBF74 00040001
And each character code ends with 03, so let's put it in the 2nd line.
03030303 00000000

Now test it
403FBF74 00040001
03030303 00000000






Results&#8230;
403FBF74 00040001
03030303 00000000
The code gives you Talim Yunsung Cassandra Mitsurugi Taki Voldo Nightmare Astaroth Ivy Kilik Xiaghua Maxi Necrid Heihachi Sophitia Seung Mina

Still have 3 more characters to go
Yoshimitsu, Charade, & Cervantes

Since Yoshi's address comes next in line we'll use it
003FBF84 00000003
Remember the Basic Condensing guide from earlier? Use it: 203FBF84 00030303
Code So far
403FBF74 00040001
03030303 00000000
203FBF84 00030303

Wait! We are missing one person! Raphael (003FBF73 00000003) Just input his code in and you got yourself a final code.

403FBF74 00040001
03030303 00000000
203FBF84 00030303
003FBF73 00000003

If you had done basic condensing your code would look like
203FBF73 03030303
203FBF77 03030303
203FBF7B 03030303
203FBF7F 03030303
203FBF83 03030303

Original Soul Caliber 2 codes By CMX of CMGSCCC
Basic Condensing Code By GMO of iN tHE mIND…

*Important Note.
Please keep in mind, when condensing:
0xxxxxxx 00000003
1xxxxxxx 00000303
2xxxxxxx 00030303
2xxxxxxx 03030303
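An added Python check (not the page's own tool) that simulates what the original 20 character lines and the 4-line super code above write to memory and reports any difference; it assumes the standard type-4 layout (count, word step, value, increment), and the function names are mine.

```python
"""Simulate what raw PS2 codes write to memory, so a condensed 'super code' can be
checked byte for byte against the one-line codes it replaces.  Added example, not
code from the original site.  Type 4 is handled per the standard multi-address
write layout (assumed): 4AAAAAAA NNNNSSSS / VVVVVVVV IIIIIIII writes N words,
S words apart, starting with V and adding I each time (the page uses I = 0)."""

def _store(mem: dict, addr: int, value: int, size: int) -> None:
    """Little-endian store of `size` bytes."""
    for k in range(size):
        mem[addr + k] = (value >> (8 * k)) & 0xFF

def apply_codes(lines: list) -> dict:
    """Return {address: byte} for every byte the code list writes."""
    mem, fields = {}, [l.split() for l in lines if l.strip()]
    i = 0
    while i < len(fields):
        head, val = int(fields[i][0], 16), int(fields[i][1], 16)
        code_type, addr = head >> 28, head & 0x0FFFFFFF
        if code_type in (0, 1, 2):
            _store(mem, addr, val, {0: 1, 1: 2, 2: 4}[code_type])
            i += 1
        elif code_type == 4:                      # second line holds value and increment
            count, step = val >> 16, val & 0xFFFF
            value, inc = int(fields[i + 1][0], 16), int(fields[i + 1][1], 16)
            for n in range(count):
                _store(mem, addr + 4 * step * n, (value + inc * n) & 0xFFFFFFFF, 4)
            i += 2
        else:
            raise ValueError(f"unsupported code type {code_type:X}")
    return mem

def multi_write(base: int, count: int, step_words: int, value: int) -> list:
    """Type-4 pair writing `value` to `count` words spaced `step_words` words apart."""
    return [f"4{base & 0x0FFFFFFF:07X} {count:04X}{step_words:04X}", f"{value:08X} 00000000"]

def differences(original: list, condensed: list) -> tuple:
    """(bytes the condensed code misses or changes, bytes it writes that the original
    never touched); both should be empty for a faithful condensation."""
    a, b = apply_codes(original), apply_codes(condensed)
    missing = {k: v for k, v in a.items() if b.get(k) != v}
    extra = {k: v for k, v in b.items() if k not in a}
    return missing, extra

# The Soul Caliber 2 lists from the walk-through above (Raphael .. Cervantes).
ORIGINAL = [f"003FBF{a:02X} 00000003" for a in range(0x73, 0x87)]
SUPER = ["403FBF74 00040001", "03030303 00000000", "203FBF84 00030303", "003FBF73 00000003"]
```

The one "extra" byte it reports is the 00 that 203FBF84 00030303 writes at 003FBF87, which the original list never touched.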
=-=-=-=-
General info
-=-=-=-=
First, the things that you see in PS2DIS from left to right:
Address, Digit (the instruction word), Label, system call, Label2, description
The system call is the number shown in "()":
+0000 - RFU000_FullReset
+0001 - ResetEE
+0002 - SetGsCrt
+0003 - RFU003
+0004 - Exit
+0005 - RFU005

+0006 - LoadPS2Exe
+0007 - ExecPS2
+0008 - RFU008
+0009 - RFU009
+0010 - AddSbusIntcHandler
+0011 - RemoveSbusIntcHandler
+0012 - Interrupt2Iop
+0013 - SetVTLBRefillHandler
+0014 - SetVCommonHandler
+0015 - SetVInterruptHandler
+0016 - AddIntcHandler
+0017 - RemoveIntcHandler
+0018 - AddDmacHandler
+0019 - RemoveDmacHandler

+0020 - _EnableIntc
+0021 - _DisableIntc
+0022 - _EnableDmac
+0023 - _DisableDmac
+0024 - _SetAlarm
+0025 - _ReleaseAlarm
-0026 - _iEnableIntc
-0027 - _iDisableIntc
-0028 - _iEnableDmac
-0029 - _iDisableDmac
-0030 - _iSetAlarm
-0031 - _iReleaseAlarm
+0032 - CreateThread
+0033 - DeleteThread
+0034 - StartThread
+0035 - ExitThread
+0036 - ExitDeleteThread
+0037 - TerminateThread

+0039 - DisableDispatchThread
+0040 - EnableDispatchThread
+0041 - ChangeThreadPriority
-0042 - iChangeThreadPriority
+0043 - RotateThreadReadyQueue
-0044 - iRotateThreadReadyQueue
+0045 - ReleaseWaitThread
-0046 - iReleaseWaitThread
+0047 - GetThreadId
+0048 - ReferThreadStatus
-0049 - iReferThreadStatus

+0050 - SleepThread
+0051 - WakeupThread
-0052 - iWakeupThread
+0053 - CancelWakeupThread
-0054 - iCancelWakeupThread
+0055 - SuspendThread
-0056 - iSuspendThread
+0057 - ResumeThread
-0058 - iResumeThread
+0059 - JoinThread
+0060 - RFU060
+0061 - RFU061
+0062 - EndOfHeap
+0063 - RFU063
+0064 - CreateSema
+0065 - DeleteSema
+0066 - SignalSema
-0067 - iSignalSema
+0068 - WaitSema
+0069 - PollSema

Now we can make a Code!
Search the labels for anything that sounds useful for a racing game,
for example "car", "lap", "track", "times", "championship", "AI" (artificial intelligence), etc.
One label looks very interesting: CheatUnlockAll
If you click on the label, PS2DIS jumps directly to the routine:
CheatUnlockAll: it jumps to the address and you see 3 lines which are coloured red. This means that there are 3 codes behind it.
addiu a1, zero, 0x0001 # 001aa660:24050001 a1=0x00000001
lui at, 0x0028 # 001aa664:3c010028 at=0x00280000
sw a1, 0xa588(at) # 001aa668:ac25a588 [0027a588]
lui at, 0x0028 # 001aa66c:3c010028 at=0x00280000
sw a1, 0xa594(at) # 001aa670:ac25a594 [0027a594]
lui at, 0x0028 # 001aa674:3c010028 at=0x00280000
sw a1, 0xa598(at) # 001aa678:ac25a598 [0027a598]
At the beginning you see how the value 1 is stored to three addresses (the red lines). So in total there are 3 codes; sw = "store word", therefore 1xxxxxxx.
In this case a1 always holds 00000001 (the digit/value), and sw gives the 1 at the beginning.

Result:
1027A588 00000001
1027A594 00000001
1027A598 00000001
Try out the codes one after the other to see what happens.

Testing Results:
1027A588 00000001 - Unlock universe Challenges
1027A594 00000001 - Unlock universe Championships
1027A598 00000001 - Unlock universe single Races
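The CheatUnlockAll derivation above as an added Python example, not from the original page: it simulates the lui/addiu/sw sequence and emits the three 1-type codes, including the sign extension of 0xa588 that turns 00280000 into 0027a588. The function names are mine.

```python
"""Walk a straight-line lui / addiu / sw listing, track the register values it
produces, and turn each store into a raw code line the way the CheatUnlockAll
walk-through above does.  Added example, not from the original site; only the
three opcodes in that listing are handled, and the leading digit defaults to
the 1 the text uses for sw."""

def sext16(imm: int) -> int:
    """addiu and sw immediates are sign-extended, so 0xa588 is negative."""
    return imm - 0x10000 if imm & 0x8000 else imm

def stores_from_listing(words: list, code_type: int = 1) -> list:
    """Return one 'Taaaaaaa vvvvvvvv' line per sw, with the effective address and
    the stored register's value, after simulating the register file."""
    regs = [0] * 32
    codes = []
    for word in words:
        op, rs, rt, imm = word >> 26, (word >> 21) & 31, (word >> 16) & 31, word & 0xFFFF
        if op == 0x0F:                          # lui rt, imm
            regs[rt] = (imm << 16) & 0xFFFFFFFF
        elif op == 0x09:                        # addiu rt, rs, imm
            regs[rt] = (regs[rs] + sext16(imm)) & 0xFFFFFFFF
        elif op == 0x2B:                        # sw rt, imm(rs)
            ea = (regs[rs] + sext16(imm)) & 0xFFFFFFFF
            codes.append(f"{code_type:X}{ea & 0x0FFFFFFF:07X} {regs[rt]:08X}")
        else:
            raise ValueError(f"unhandled instruction 0x{word:08x}")
        regs[0] = 0                             # $zero is hard-wired to 0
    return codes

# The seven instruction words of the CheatUnlockAll listing above.
CHEAT_UNLOCK_ALL = [0x24050001, 0x3C010028, 0xAC25A588,
                    0x3C010028, 0xAC25A594, 0x3C010028, 0xAC25A598]
```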
-=-=-=-=-=-=-=-=-=-=
Making a Code that uses "Quotes" By: GMO
=-=-=-=-=-=-=-=-=-=-
Not every time you attempt to hack will there be labels. A lot of the time it will be trial and error. I hope this guide will cut your time down a lot! The first thing you want to do as soon as you load your ELF:
Click Analyzer
Click Invoke Analyzer
Wait a few seconds for it to do its job

Example:
Zone of Enders 2 NTSC

Bring up the Labeled List; you should see a bunch of quotes. You do not want to edit these unless you want to edit words in the game like names. I'll use the Max Level Up code for an example.

Look at the labels and look for ("Player Level Up: %d\n")
It should bring you to
Address 001e4358 Data 79616c50
Label "Player Level Up: %d\n"

Now press Space Bar on line 001e4358 79616c50
The line should turn gray. Now press F3

You should now be taken to
00169d54 24844358 li a0, $001e4358 ("Player Level Up: %d\n")
You think, "Oh cool, I found a code." But you didn't.
It doesn't take you to the actual code, but it takes you to the general area where to start looking. I suggest you test each line under 00169d54; you might find some surprising results.
Testing results...
00169d78 24420001 < Level Up Code
You come to find out 00169d78 is the level up code, and you want to convert it to work on your selected cheat device.

00169d78 24420001- change the first Zero (0) to a Two (2) - 20169d78 24420001
Now convert it to your Cheat Device Encryption and enjoy the code.

NOTE: This will not work with all games!