ConsoleWorld Forum
English Support Board (English & Foreign Languages support)

#111
16th September 2009, 01:01
gangstamalu
CWCheat English Section Moderator
Join date: Aug 2006
Posts: 725
Rep power: 5
gangstamalu is on a distinguished road
ps2dis is free but it's not as informative as IDA. Works well though.
__________________
PSP 5.00 M33-3 CWCheat Version:0.2.2 Rev. D
If I helped you, up the rep. THANKS AND PEACE!
#112
16th September 2009, 06:22
4m8IoN
Member
Join date: Dec 2008
Location: Earth
Posts: 339
Rep power: 1
4m8IoN is on a distinguished road
hmmm never heard of that one.

but if it can do the job for free (even a bit) it's definitely worth a try

I'm currently working on rev'ing the source of existence of this forum.
Just as a side project though.
I'm still unsure if I can pull it off ... but it looks very promising so far
(to say the least...)

I never knew that you can influence the start behaviour of cwcheat
with the L&R Triggers...
then again... I never actually read weltall's readmes...

#113
16th September 2009, 13:07
Alexander Blade
Junior Member
Join date: Sep 2009
Posts: 4
Rep power: 0
Alexander Blade is on a distinguished road
I've been working in IDA Pro for four years =)
It works with PS2 ELFs but not with PSP games' main executables.
I don't know which file is the main executable and I didn't find any ELFs.
BOOT.BIN/EBOOT.BIN/DATA.BIN are not decrypted/decompressed ELFs,
so the question is how to get an ELF from BOOT.BIN/EBOOT.BIN/DATA.BIN/*.*
#114
16th September 2009, 19:12
4m8IoN
Member
Join date: Dec 2008
Location: Earth
Posts: 339
Rep power: 1
4m8IoN is on a distinguished road
To work with PSP Files in IDA either set the processor type to mipsl
or get the allegrex plugin

Concerning the specified files:
While analyzing the Memdump of MHFU
I used those Files to generate an IDC script
It helps you see where stuff gets stored in RAM

I never actually reversed those,
but they should already be in ELF format.

If I recall correctly boot.bin was usually
an unencrypted version of eboot.bin
(at least it was that way in the old devhook days)

There is not that much in there. It loads the game files
into RAM, binds in syscalls and sets global variables, etc.
and then starts executing it from there.
#115
17th September 2009, 00:16
Alexander Blade
Junior Member
Join date: Sep 2009
Posts: 4
Rep power: 0
Alexander Blade is on a distinguished road
so ... the best solution is to look inside the jpcsp sources

Edit: EPIC FAIL , jpcsp doesn't work with encrypted executables (with "~PSP" magic)

Edit2: Do you know any tools for PSP to dump running executables (not firmware)?

Last edited by Alexander Blade: 17th September 2009 at 08:14
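The post above trips over the difference between a plain ELF and a boot binary that starts with the "~PSP" magic, and post #114 says to load PSP code in IDA with the mipsl processor type. The following is an added example (not part of this thread, and not code from jpcsp, CWCheat or IDA) that sniffs the first bytes of a BOOT.BIN/EBOOT.BIN-style file: a "~PSP" header is reported as not loadable as ELF, a "\x7fELF" header is decoded as an ELF32 header so you can confirm it is little-endian MIPS (which is exactly what mipsl means) and read its entry point. Both sample headers are constructed inline; the entry value 0x08804000 is an assumed illustrative value, not taken from any real game.

```python
import struct

ELF_MAGIC = b"\x7fELF"
PSP_MAGIC = b"~PSP"      # first bytes of an encrypted/compressed PSP executable
EM_MIPS = 8              # e_machine value for MIPS
ELFCLASS32 = 1           # e_ident[EI_CLASS]: 32-bit
ELFDATA2LSB = 1          # e_ident[EI_DATA]: little-endian

# ELF32 header fields after the 16-byte e_ident (endianness prefix added later):
# e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
# e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
ELF32_HDR_FMT = "HHIIIIIHHHHHH"
ELF32_HDR_SIZE = 16 + struct.calcsize("<" + ELF32_HDR_FMT)   # 52 bytes


def classify_psp_binary(data: bytes) -> dict:
    """Report what the first bytes of a boot binary describe."""
    if data[:4] == PSP_MAGIC:
        # Encrypted/compressed executable: IDA, jpcsp or ps2dis cannot parse
        # it as an ELF until the PSP itself (or a decrypter) has unwrapped it.
        return {"kind": "~PSP", "loadable_as_elf": False}
    if data[:4] != ELF_MAGIC or len(data) < ELF32_HDR_SIZE:
        return {"kind": "unknown", "loadable_as_elf": False}
    if data[4] != ELFCLASS32:
        # The ELF64 header has a different layout; PSP binaries are ELF32.
        return {"kind": "ELF64", "loadable_as_elf": False}

    endian = "<" if data[5] == ELFDATA2LSB else ">"
    fields = struct.unpack_from(endian + ELF32_HDR_FMT, data, 16)
    e_type, e_machine, _version, e_entry = fields[:4]
    is_mips_le = e_machine == EM_MIPS and endian == "<"
    return {
        "kind": "ELF32",
        "loadable_as_elf": True,
        "type": e_type,
        "machine": e_machine,
        "little_endian": endian == "<",
        "entry": e_entry,
        # IDA processor type that matches a little-endian MIPS ELF
        "ida_processor": "mipsl" if is_mips_le else None,
    }


def make_sample_elf_header(entry: int = 0x08804000) -> bytes:
    """Constructed ELF32 little-endian MIPS header (demo data, not a real game)."""
    e_ident = ELF_MAGIC + bytes([ELFCLASS32, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
    body = struct.pack("<" + ELF32_HDR_FMT,
                       2, EM_MIPS, 1, entry,   # ET_EXEC, MIPS, EV_CURRENT, entry
                       52, 0, 0, 52, 32, 1, 40, 0, 0)
    return e_ident + body


SAMPLE_ELF = make_sample_elf_header()
SAMPLE_PSP = PSP_MAGIC + b"\x00" * 60   # constructed stand-in for an encrypted header

if __name__ == "__main__":
    for name, blob in (("elf", SAMPLE_ELF), ("psp", SAMPLE_PSP), ("junk", b"junk")):
        print(name, classify_psp_binary(blob))
```

Run it against the real BOOT.BIN and EBOOT.BIN from a game's UMD image: if both report "~PSP", nothing on the disc is a plain ELF and you are in the situation Alexander Blade describes.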
#116
20th September 2009, 19:52
4m8IoN
Member
Join date: Dec 2008
Location: Earth
Posts: 339
Rep power: 1
4m8IoN is on a distinguished road
If you are interested in how UMDs are booted and read by GameOS, then yes.

I'm not sure what it is that you actually want to achieve here.
Maybe learn about the game boot process of the PSP???
If yes, then the src of this emu might give you some answers.

If it is just about getting newer games to work on older firmwares,
you might as well forget about it and wait for/start developing a new CFW.

(lol, forgot to post this one for 3 days... ^^ better late than never )

Now for the edits...
You could use the psp to get rid of the encryption.
It obviously is able to do that
I don't think this would be much of a coding effort.
Someone probably already created an elf decrypter

You could also try using PSPLink to observe the machine
while it's processing your 'magic' ELF.
#117
30th September 2009, 15:10
Alexander Blade
Junior Member
Join date: Sep 2009
Posts: 4
Rep power: 0
Alexander Blade is on a distinguished road
thx
#118
2nd November 2009, 07:31
nick5201990
Junior Member
Join date: Nov 2009
Posts: 1
Rep power: 0
nick5201990 is on a distinguished road
Quote:
Originally posted by hackerkts
Tutorial: Hacking fixed value DMA games
Tool(s) used: CWCheat 0.2.1 REV.A, DMA hunter from nitePR Rev K STABLE

DMA stands for dynamic memory allocation; if a game is DMA, the address will change. "When will the address change?" It can be when you go to a different map, reload the game, load/save the game, buy something in-game, etc. DMA games are really a pain in the donkey if you don't know how to hack them; once you know how to find the pointer and offset you can kick DMA games' donkey ;D

"What's a pointer and offset?" Well, you only need to know that the pointer and offset will point to the right address; maybe a story will help you understand it more. As the story goes...

You had a crush on a girl (I will name her Grace) in your class; she sits in the front row, first seat. The seat is the address. You don't dare to approach her and ask for her name and number, you only know where she sits.

One day, she was transferred to another class, you don't know which. What are you going to do to locate her? First you will need to know her name, so you went to ask your teacher the girl's name; now you have her name, Grace. The name is actually the pointer. Now you know her name and her previous class (her previous class is just some bits of information, which is the offset). Now with her name and some bits of information, you're able to find her even if next time she is transferred to another location.

Let's get started, I will use an easy DMA game to hack
Objective: Find the pointer and offset for instant win
Game used: DownStream Panic [US] (ULUS-10322)
Requirement(s): Make sure your memory stick has some space, at least 100 MB. Change the delay before the menu pops out to 0 seconds (instant); you can do that under "Setting", "Controller check delay".

I assume at this step you already know how to hack non-DMA games (if you haven't read my previous tutorials, please do so before you continue), so let's get started. Start the game and search for the address of the number of fishes you saved.

Ok, I have found the address, jot down the address!
Level 1 - 0x00D88D88 (first address)

Now you'll need to make a dump: go to the cheat menu, "Enable dump function", go back to the game and press the Square button. The game will pause and write "Dumping"; once it's done the game will start again. Now you have your first dump.

Now you will need to make the address change, for this game each level has different address so let's proceed to level 2. Search for the address for the number of fishes you saved.

I've found it, jot down the address!
Level 2 - 0x00E88E68 (second address)

Make a dump again, now you have your second dump.

Optional (but it's recommended to follow):
Make the address change again by going to next level, search and jot down your third address, make your third dump.

Let's check what you have in your hand now, you can find your dumps at your memory stick root,
Code:
first address - 0x00D88D88
second address - 0x00E88E68
third address - 0x00E802A8
dump 1 - MEMDUMP0.dmp
dump 2 - MEMDUMP1.dmp
dump 3 - MEMDUMP2.dmp
Extract nitePR_revK_STABLE.zip to a folder, I will name it "nitePR revK", run DMAhunter.exe

Press enter and select dump 1 and dump 2, now enter your first address, followed by your second address.

Wow, it found so many pointers, don't worry. That's why I asked you to make 3 dumps. Now save all the information. Right click on it, "Select All" and right click again. Now it's saved to your clipboard; open up Notepad and paste everything in.

Remove,
and also,
Save it as 1&2.txt. Don't ask me why, just do it okay? You will know later.

Now repeat the step, but this time we choose dump 2 and 3. And put in second and third address. It found one pointer, that's great! Save it as 2&3.txt

Repeat it again, now use dump 1 and 3, first and third address, save it as 1&3.txt

Remember to remove those words I said, now proceed to Compare 3 Memory Dumps, paste in all the information from 1&2.txt, 2&3.txt and 1&3.txt and click "Submit"

Take note: that link will be there until 1st of June 2008 when my domain expired, OHG will be hosting those scripts .

You should see this
That script will help you determine which pointer is shown in all 3 dumps, so now it's easy. We have one pointer, so let's try to use it.

Go back to any text file you made just now, copy the information down.
0E040 is the pointer
0X9688E50 is value 1
0X9680290 is value 2

Let's get to the calculation part

Method 1:

Step 1: Convert value 1 into cheat format, minus 0x08800000 from value 1
0X9688E50 - 0x08800000 = 0x00E88E50

Step 2: Calculate the offset: subtract the result you found in Step 1 from address 1 (subtract the smaller value from the bigger one).
0x00E88E68 - 0x00E88E50 = 18

Method 2:

Step 1 : Convert value 2 into cheat format, minus 0x08800000 from value 2.
0X9680290 - 0x08800000 = 0x00E80290

Step 2: Calculate the offset: subtract the result you found in Step 1 from address 2 (subtract the smaller value from the bigger one).
0x00E802A8 - 0x00E80290 = 18

That's it, you found the pointer (0E040) and calculated the offset (18).

Actually I made a script to calculate them at Calculate pointer and offset

Now you can kick dma-games' donkey! ;D
Ok, maybe I'm missing something, but how do I save the file from dmahunter.exe? Because when I hit continue the window shuts down. nvm, it's select all and paste hehe. Simpler than I thought.

Last edited by nick5201990: 2nd November 2009 at 07:33. Reason: adding info
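The procedure hackerkts describes in the quoted tutorial (make two or three dumps while the target address moves, run a DMA hunter over each pair, keep only the pointers that appear in every comparison, then do the Method 1/Method 2 arithmetic) as an added worked example in Python. This is not nitePR's DMAhunter.exe nor the tutorial's web script; it is a minimal reimplementation of the same idea so the steps can be seen in one place. The three dumps are constructed inline (only the first 64 KiB of user RAM, with the real pointer planted at the tutorial's 0x0E040 and two decoys that a two-dump comparison cannot rule out); the 0x1000 maximum offset is an assumption, and the base 0x08800000 is the value the tutorial subtracts. The arithmetic helpers reproduce the tutorial's Step 1 and Step 2 and make explicit that the offset "18" the tutorial reports is hexadecimal (0x18, i.e. 24 bytes).

```python
import struct

BASE = 0x08800000    # PSP user memory base; CWCheat addresses are offsets from it
MAX_OFFSET = 0x1000  # assumed: how far past a pointer's value the target may lie


def cheat_format(absolute_addr: int) -> int:
    """Tutorial Step 1: convert an absolute RAM address to CWCheat's offset form."""
    return absolute_addr - BASE


def offset_from_pointer_value(pointer_value: int, target_cheat_addr: int) -> tuple:
    """Tutorial Step 2: (cheat-format pointer value, offset from it to the target)."""
    base_addr = cheat_format(pointer_value)
    return base_addr, target_cheat_addr - base_addr


def read32(dump: bytes, off: int) -> int:
    return struct.unpack_from("<I", dump, off)[0]


def find_pointers(dumps, targets, max_offset: int = MAX_OFFSET) -> dict:
    """Return {pointer_cheat_addr: offset} for every aligned word that, in every
    dump, holds an absolute address at most max_offset below that dump's target.
    dumps[i] starts at BASE; targets[i] is the target's cheat-format address in it."""
    first, first_target = dumps[0], targets[0]
    candidates = {}
    for p in range(0, len(first) - 3, 4):
        value = read32(first, p)
        if value < BASE:
            continue                       # not a user-space pointer
        offset = first_target - cheat_format(value)
        if 0 <= offset <= max_offset:
            candidates[p] = offset
    # A real pointer keeps the same offset in every dump; anything else is noise.
    for dump, target in zip(dumps[1:], targets[1:]):
        for p in list(candidates):
            value = read32(dump, p) if p + 4 <= len(dump) else 0
            if value < BASE or target - cheat_format(value) != candidates[p]:
                del candidates[p]
    return candidates


def make_dump(words: dict, size: int = 0x10000) -> bytes:
    """Constructed dump: every word holds its own offset (never a valid pointer),
    except the explicitly planted words."""
    buf = bytearray(struct.pack("<%dI" % (size // 4), *range(0, size, 4)))
    for off, value in words.items():
        struct.pack_into("<I", buf, off, value)
    return bytes(buf)


# The tutorial's three addresses of the fish counter, one per level/dump.
TARGETS = [0x00D88D88, 0x00E88E68, 0x00E802A8]
# Constructed dumps: 0xE040 is the real pointer (offset 0x18 every time);
# 0x0200 points near the target with a different offset in each dump;
# 0x0300 matches in dumps 1 and 2 but holds garbage in dump 3.
DUMPS = [
    make_dump({0x0200: 0x09588D80, 0x0300: 0x09588D70, 0xE040: 0x09588D70}),
    make_dump({0x0200: 0x09688E00, 0x0300: 0x09688E50, 0xE040: 0x09688E50}),
    make_dump({0x0200: 0x09680290, 0x0300: 0x12345678, 0xE040: 0x09680290}),
]

if __name__ == "__main__":
    print("dumps 1&2:", {hex(p): hex(o) for p, o in find_pointers(DUMPS[:2], TARGETS[:2]).items()})
    print("dumps 2&3:", {hex(p): hex(o) for p, o in find_pointers(DUMPS[1:], TARGETS[1:]).items()})
    print("all three:", {hex(p): hex(o) for p, o in find_pointers(DUMPS, TARGETS).items()})
    print("method 1:", tuple(map(hex, offset_from_pointer_value(0x9688E50, 0x00E88E68))))
    print("method 2:", tuple(map(hex, offset_from_pointer_value(0x9680290, 0x00E802A8))))
```

With a real MEMDUMP0.dmp/MEMDUMP1.dmp/MEMDUMP2.dmp from CWCheat, read each file into `bytes` and pass the list to `find_pointers` with the addresses you noted per level; the decoy at 0x0300 is the reason the tutorial insists on a third dump, since a two-dump comparison cannot tell it apart from the real pointer.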
#119
13th November 2009, 18:56
xblackdrag0nx
Junior Member
Join date: Nov 2008
Posts: 1
Rep power: 0
xblackdrag0nx is on a distinguished road
How can I find the max value for gold?? Need help..