PAC-MAN's Ultimate PS2 Hacking Guide
Ultimate Hacking Guide By Pac-Man
--------------------------------------------------------------------
Directory

1. Using ps2dis for Beginners
2. How to Hack a Code
3. Code Jokering
4. Sub Jumping Technique
5. How to Use Float Values
6. Boolean Values
7. Offsetting PAL to NTSC
8. Perfect Animation Tutorial
9. Kill Mod, Death Mod, and Score Mod
10. Color Editing by Fusion
11. Hacking Programs
12. Disabling Code: NOP
13. Other Handy Swapping Data
14. Scores/Radius/Speed Mods
15. Coding Encryptions
16. Socom 3 Beta Joker Address Tutorial
17. Socom 3 Beta Dynamics
18. Jumping and Branching Instructions
19. A Beginner's Guide to MIPS
20. Commands
21. Clipping Tutorial by Fusion
22. How to Make an r4 Imposter
23. Blind's PS2 Exploit Tutorial
24. Fr0st Monkey's Exploit and Cheating on International Tutorial
25. Dumping After a Patch
26. Cheating Online
27. Porting NTSC to PAL
28. sceVU Tutorial
29. Etc. Information
--------------------------------------------------------------------
Credit

Credit for all these tutorials goes to the following teams: Team Bluefr0st, Team cYs, The Majic Team, Codemasters Project, Team CTD, Team cMf.

Also the following individuals: Fusion, Dark Killer, HeXiFy, Uni-Terror, Stealth (UCI Nitwit), Blind, Blueman, utkhimself, BladeZ, HellShed00, Reel, Kong U Up, Driver, Fr0stmonkey, Robby 23, and PacMan.

Edit: if you see one of your tutorials and I didn't give you credit for it, AIM me at cYs pacman. Thanks.
--------------------------------------------------------------------
1. Using ps2dis for Beginners

Click the link provided below. Thanks, Blueman.
Using Ps2dis For Beginners
--------------------------------------------------------------------
2. How to Hack a Code

Instructions:

1. Download PS2dis (PS2DIS - GETTING STARTED).
2. Put the game you want to hack into your DVD-ROM drive. Browse that drive and pull off the SCUS, SLUS, or SLES file.
3. Open PS2dis, press Ctrl+O and select the file that you just got from the game.
4. Once opened, your screen will turn blue and will be filled with numbers and letters. Press Ctrl+I and it will ask you to invoke your analyzer. Invoke it and a menu will pop up. If you have the beta of the game you are hacking, repeat step 2 with the beta disc and then select that file. If not, click Cancel.
5. Press Ctrl+G to open up all your labels and strings. Strings will be in quotation marks and labels will be plain (without quotation marks).
6. Find a label that looks interesting and double-click on it. (An interesting label will be something like Update_Health or Take_Damage, or anything that you could use to make a code out of.) If the label you found is in quotation marks, press the spacebar. The line it brought you to after clicking the label should turn grey. Press F3. It should then take you to the general area of that label, if not directly to it.
7. Depending on what your label is, you need to perform a command on your code. Press the Enter key to make a box pop up. The bottom text box shows your command. Depending on what your label is, you will perform a different command. Example: your label is Update_Health. You press Enter to bring the box up and drop down to the bottom text box where you can enter text. You want to perform a NOP, so type nop into the text box (without quotation marks). Hit OK. On the left-hand side of the screen, look at your code. It should be something like 005A4E8C 00000000. (The 005A4E8C part is just an example address; the 00000000 should always be 00000000 though.)
8. Add a 2 to the front of your code. Example: 005A4E8C 00000000 becomes 205A4E8C 00000000. Just put a 2 in place of the leading 0.
9. Using a code converter program, like this one, convert your code to whatever cheat device you are using. To do this with the provided program: open the program. In the top right corner of the program there is an encryption box; select BCA99B83. Put your newly made code in the left box, and in the right box select your cheat device. Click the arrow button pointing to the right (>>). Your code should come up in the right box. This is the code you enter into your cheat device to play using your code.

Tutorial By: fr0st m0nkey
--------------------------------------------------------------------
3. Code Jokering

Credit goes to UCI NiT WiT and Team Blue Fr0st.

Jokering A Code, by UCI NitWit

For further in-depth questions on jokering codes and wanting to know how to make them, go to http://www.codemasters-project.net/p...php?article.42

I have noticed that a lot of you are confused about jokering a code. Well, there is no need for that. It's simple and I will show you here. I will cover most of the aspects that are needed to joker codes... So let's begin.

How to joker the code, using Socom II for this example. The code I will use is:

Start Game with 1 player
202C5A90 10008E4A
(My version)

First off we need to know what our joker address is. Since this code is for r0004 Socom II, I will take the r0004 joker address, which is:

Joker Address
D045259C 0000????

Now that we have two parts of jokering a code, we need the third part: the "reverse". To find the reverse:

1. Go to the SCUS/dump.
2. Hit G.
3. Take the address of our code, 202C5A90.
4. Put it in raw hex, which is 002C5A90.
5. Hit Go. It will now bring you to the line, and you will notice that it says:
002C5A90 24030003
That is the original code before it was modded to do what we wanted it to do. The data on that line, 24030003, is our reverse.

Now what to do with the reverse: taking our joker address, our code and its reverse, we put them together. Here is what it looks like all together:

D045259C 0000???? [On Joker]
202C5A90 10008E4A
D045259C 0010???? [Off Joker]
202C5A90 24030003

What goes in the ???? slots you can find in other topics/posts on this site.
If you have any questions, please feel free to PM me and ask, and I will do my best to help.
-UCI NitWit
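Added example, not part of NitWit's post: a small Python script that derives the ???? value for a button combination and assembles the four-line on/off joker from the three parts described above (joker address, new code, reverse). It assumes the joker word is the controller's 16-bit digital-button word with one active-low bit per button, which is the layout every entry in the hex joker table that follows fits; the button-to-bit numbers are inferred from that table, and the 0000/0010 bytes on the D0 lines are copied from the tutorial's on/off forms.

```python
# Added example (not from the tutorial): joker masks and the on/off joker pair.
#
# Assumption, inferred from the hex joker table: the joker word is the
# DualShock digital-button word, one ACTIVE-LOW bit per button, so a pressed
# button clears its bit and "nothing pressed" reads FFFF.
from typing import Iterable, List

BUTTON_BIT = {
    "Select": 0, "L3": 1, "R3": 2, "Start": 3,
    "Up": 4, "Right": 5, "Down": 6, "Left": 7,
    "L2": 8, "R2": 9, "L1": 10, "R1": 11,
    "Triangle": 12, "O": 13, "X": 14, "Square": 15,
}


def joker_mask(buttons: Iterable[str]) -> int:
    """The ???? value for a combo: start from FFFF and clear each pressed bit."""
    mask = 0xFFFF
    for name in buttons:
        mask &= ~(1 << BUTTON_BIT[name]) & 0xFFFF
    return mask


def buttons_from_mask(mask: int) -> List[str]:
    """Inverse lookup: which buttons a ???? value requires, ordered by bit."""
    return [name for name, bit in sorted(BUTTON_BIT.items(), key=lambda kv: kv[1])
            if not mask & (1 << bit)]


def table_entry(entry: str) -> bool:
    """Check one 'L1+Left=FB7F' style table entry against the derived mask."""
    combo, value = entry.split("=")
    return joker_mask(combo.split("+")) == int(value, 16)


def joker_code(joker_addr: int, code_addr: int, new_data: int,
               reverse: int, buttons: Iterable[str]) -> List[str]:
    """Four-line joker: D0 line + modded code while the combo is held,
    D0 line with the tutorial's 0010 form + the reverse (original word)."""
    mask = joker_mask(buttons)
    return [
        f"D0{joker_addr & 0xFFFFFF:06X} 0000{mask:04X}",   # [On Joker]
        f"20{code_addr & 0xFFFFFF:06X} {new_data:08X}",     # the modded line
        f"D0{joker_addr & 0xFFFFFF:06X} 0010{mask:04X}",   # [Off Joker]
        f"20{code_addr & 0xFFFFFF:06X} {reverse:08X}",      # the reverse
    ]


if __name__ == "__main__":
    # The tutorial's Socom II example, jokered to L1+Left.
    for line in joker_code(0x0045259C, 0x002C5A90, 0x10008E4A, 0x24030003, ["L1", "Left"]):
        print(line)
```

Running the script prints the same four lines as the tutorial with FB7F in the ???? slots. `table_entry` can be pointed at any row of the table to confirm it follows the same bit layout.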
Hex Joker Commands:

L1=FBFF  L1+Left=FB7F  L1+Right=FBDF  L1+Up=FBEF  L1+Down=FBBF
L1+R1=F3FF  L1+R2=F9FF  L1+L2=FAFF  L1+R3=FBFB  L1+L3=FBFD
L1+Triangle=EBFF  L1+O=DBFF  L1+X=BBFF  L1+Square=7BFF  L1+Select=FBFE  L1+Start=FBF7

R1=F7FF  R1+Left=F77F  R1+Right=F7DF  R1+Up=F7EF  R1+Down=F7BF
R1+L1=F3FF  R1+R2=F5FF  R1+L2=F6FF  R1+R3=F7FB  R1+L3=F7FD
R1+Triangle=E7FF  R1+O=D7FF  R1+X=B7FF  R1+Square=77FF  R1+Select=F7FE  R1+Start=F7F7

L2=FEFF  L2+Left=FE7F  L2+Right=FEDF  L2+Up=FEEF  L2+Down=FEBF
L2+L1=FAFF  L2+R1=F6FF  L2+R2=FCFF  L2+R3=FEFB  L2+L3=FEFD
L2+Triangle=EEFF  L2+O=DEFF  L2+X=BEFF  L2+Square=7EFF  L2+Select=FEFE  L2+Start=FEF7

R2=FDFF  R2+Left=FD7F  R2+Right=FDDF  R2+Up=FDEF  R2+Down=FDBF
R2+R1=F5FF  R2+L1=F9FF  R2+L2=FCFF  R2+R3=FDFB  R2+L3=FDFD
R2+Triangle=EDFF  R2+O=DDFF  R2+X=BDFF  R2+Square=7DFF  R2+Select=FDFE  R2+Start=FDF7

L3=FFFD  L3+Left=FF7D  L3+Right=FFDD  L3+Up=FFED  L3+Down=FFBD
L3+R1=F7FD  L3+L1=FBFD  L3+R2=FDFD  L3+L2=FEFD  L3+R3=FFF9
L3+Triangle=EFFD  L3+O=DFFD  L3+X=BFFD  L3+Square=7FFD  L3+Select=FFFC  L3+Start=FFF5

R3+Left=FF7B  R3+Right=FFDB  R3+Up=FFEB  R3+Down=FFBB
R3+R1=F7FB  R3+L1=FBFB  R3+R2=FDFB  R3+L2=FEFB
R3+Triangle=EFFB  R3+O=DFFB  R3+X=BFFB  R3+Square=7FFB  R3+Select=FFFA  R3+Start=FFF3

Start+O=DFF7  Start+X=BFF7  Start+Triangle=EFF7  Start+Square=7FF7
Start+Left=FF77  Start+Right=FFD7  Start+Up=FFE7  Start+Down=FFB7

Select+O=DFFE  Select+X=BFFE  Select+Square=7FFE  Select+Triangle=EFFE
Select+Left=FF7E  Select+Right=FFDE  Select+Up=FFEE  Select+Down=FFBE

O=DFFF  O+Left=DF7F  O+Right=DFDF  O+Up=DFEF  O+Down=DFBF
Triangle=EFFF  Triangle+Left=EF7F  Triangle+Right=EFDF  Triangle+Up=EFEF  Triangle+Down=EFBF
Square=7FFF  Square+Left=7F7F  Square+Right=7FDF  Square+Up=7FEF  Square+Down=7FBF
X=BFFF  X+Left=BF7F  X+Right=BFDF  X+Up=BFEF  X+Down=BFBF
--------------------------------------------------------------------
4. Sub Jumping Technique

New Technique!
Sub Jumping

OK, well, let's use Socom 2 as an example (one of many popular games to hack).

1. Press Ctrl+G to jump to a label.
2. OK, let's pick a label here... (I'm picking "Gravity_Acceleration"). Double-click it and it will bring us to the string label line. Now we press Ctrl+F3 and it will bring us to the function.
3. Look through the area within the label. Do you see the two lwc1 $f0, $afe0(at) lines? Those are jumping; you can tell by looking to the right of them.
4. Now press Right on your keyboard on that line and it will jump to this: (cop0) $01200000. Now we test this to see what it disables in this function:
003f0708 lwc1 $f0, $afe0(at) - does nothing
003f0724 lwc1 $f0, $afe0(at) - this made my grenades float
5. Method 1 - Now let's see if any more lwc1's in any other labels jump to this (cop0) $01200000. So we jump to that (cop0) $01200000 and label it something extremely noticeable to you, like hhhhhhhhhhhhhhh.
6. Method 2 - e0 af 20 c4: take this pattern, click "find as hex string", then hit F5 to jump to the next match; find as many as wanted. Notice that about 14 lines jump to it. We may not want one of those functions to interfere with other things: this (cop0) $01200000 would affect about 14 things at once, and we don't want that, so we are going to have to redirect this jump.
7. Now look at the data of the pattern/command lwc1 $f0, $afe0(at): the address the lwc1 is jumping to is 0040afe0. Now we are going to do my technique, Sub Jumping. Scroll down till you see some blank areas of nops.

OK, now that we found a line, 0040b0b8, take the last 4 digits of the address and turn them into the offset. In this case the jump was lwc1 $f0, $afe0(at); now our command is lwc1 $f0, $b0b8(at). Notice that before it was lwc1 $f0, $afe0(at), jumping to 0040afe0, and now it is lwc1 $f0, $b0b8(at), jumping to the nop I found at 0040b0b8. It is disabled for now, because it is jumping to nothing (a nop). Now remember the (cop0) $01200000 it was originally jumping to: we are going to take that and customize it to our own float, affecting only this single line/function. Since the default is (cop0) $01200000, we change the nop that our new jump is going to into lui zero, $0000, so it is practically going to make whatever this is not move, or go very, very slowly. That is what the nop should be changed to. Here is the final result of this technique:

Grenade Gravity Mod By b-L-u-3-m-4-n*
203F0724 c420b0b8
2040b0b8 ????????
--------------------------------------------------------------------
5. How to Use Float Values

Hacking: The "Easy Float" Technique
By Wags

Hacking with floating points is relatively simple, and I have used this method of hacking myself to make some pretty cool codes such as rapid blood drip, step higher, bullet damage mod, and more. This method of hacking was also used by others to make codes such as the gravity mod, speed mod, and jump mod. In case you can't tell, it's an excellent way of making "mods". This is because a float value holds an easily changed decimal value which could possibly represent something important. Just think about it: some of the best codes that have been made were made by changing a simple float value.

Choosing a Label
The first step to this technique is choosing a label. Just scroll through the labels until you find anything at all that looks promising and go to that address.
Look under your label for an "ld ra" command. This is commonly the command used for the end of a function. You will be searching the lines of code from the first address in your label to the "ld ra" at the end of it.

Recognizing a float value
So now you know where you will be looking. Good. But now you need to know how you could possibly locate a float value in this mess of addresses and values. Luckily, you will only be looking for one type of command. From my experience, float values are quite often held in "lui" commands and look something like this:

0029df60 3c034040 lui v1, $4040 (__40400000)

or this:

0032ec00 3c024160 lui v0, $4160 (__41600000)

Now let's take a closer look at one of those lines:

0029df60 3c034040 lui v1, $4040 (__40400000)

The 8-digit float value is the 40400000 in parentheses (its last 4 digits should always be 0's). The 4-digit float value is the 4040 (it will always be the first 4 digits of the 8-digit float value).

Converting, Editing, and Converting again
Now you need to find out if your float value even represents a reasonable decimal number (i.e. 3, 100, -5, etc.) or not (i.e. 4.865956892). Do this by typing the 8-digit float value into the float-to-decimal converter. If your float value does not convert to a promising-looking decimal value, you should just forget about that line and find a new lui. But if it does convert to a reasonable number, then you may be on to something. Whatever number it is, try making it something much higher or making it a negative number (ex. if it is 5, you might try making it 500 or -1). I recommend trying a negative value first just to see if it affects anything. Convert whatever decimal value you want to test back to float. You will get a new 8-digit float value. And since the 4-digit float value is always the first 4 digits of the 8-digit float value, you also have your new 4-digit float value (ex. if your new 8-digit float value is BF800000, your new 4-digit float value will be BF80).
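Added example (not from Wags' tutorial): the float-to-hex and hex-to-float conversions done by hand above, the 4-digit/8-digit relationship, and the final replacement of the lui's immediate assembled into one code line. The same low-16-bit patch is what section 4's sub-jumping does to a lwc1, so a retarget_load helper is included for that too. Standard-library Python; the addresses and instruction words are the ones quoted in those two sections.

```python
# Added example (not from the tutorial): IEEE-754 single conversions for the
# "easy float" technique and the low-16-bit patch behind sub-jumping.
import struct


def float_to_hex(value: float) -> int:
    """3.0 -> 0x40400000 (the 8-digit float value the converters show)."""
    return struct.unpack(">I", struct.pack(">f", value))[0]


def hex_to_float(bits: int) -> float:
    """0x40400000 -> 3.0"""
    return struct.unpack(">f", struct.pack(">I", bits & 0xFFFFFFFF))[0]


def lui_float(instr: int) -> float:
    """The float a 'lui rt, $imm' line represents: the 16-bit immediate is the
    TOP half of the register and the bottom half is zero (3c034040 -> 3.0)."""
    return hex_to_float((instr & 0xFFFF) << 16)


def patch_low16(instr: int, new_imm: int) -> int:
    """Replace the 16-bit immediate of an I-type word (lui, lwc1, addiu, ...)."""
    if not 0 <= new_imm <= 0xFFFF:
        raise ValueError("immediate must fit in 16 bits")
    return (instr & 0xFFFF0000) | new_imm


def easy_float_code(addr: int, instr: int, new_value: float) -> str:
    """32-bit write that swaps the lui's float for new_value.
    A lui can only carry floats whose low 16 bits are zero, so a value like
    2.55 (0x40233333) is rejected instead of being silently truncated."""
    bits = float_to_hex(new_value)
    if bits & 0xFFFF:
        raise ValueError(f"{new_value} = {bits:08X} cannot be expressed by a lui alone")
    return f"2{addr & 0xFFFFFF:07X} {patch_low16(instr, bits >> 16):08X}"


def retarget_load(addr: int, instr: int, new_target: int) -> str:
    """Sub-jumping (section 4): keep the lwc1's base register (the 'at' set by
    the preceding lui) and move only its 16-bit offset, so the new target must
    be reachable from the same base, as 0040afe0 -> 0040b0b8 is."""
    return f"2{addr & 0xFFFFFF:07X} {patch_low16(instr, new_target & 0xFFFF):08X}"


if __name__ == "__main__":
    print(lui_float(0x3C034040))                           # 3.0
    print(easy_float_code(0x0029DF60, 0x3C034040, -1.0))   # 2029DF60 3C03BF80
    print(retarget_load(0x003F0724, 0xC420AFE0, 0x0040B0B8))  # 203F0724 C420B0B8
```

The check in easy_float_code is the caveat the hand method hides: the converter will happily give you 40233333 for 2.55, but only the 4023 part fits in the lui, and the register ends up holding 2.5 rather than 2.55.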
Now you just need to replace your old 4-digit float value with your new one. After doing that, you are ready to test your new code. If your first test doesn't yield any results, try changing the float value once again to something completely different and then test it again.
--------------------------------------------------------------------
6. Boolean Values

Boolean Values In PS2 Games
By: Dark Killer

This is going to be the first of many tutorials. In this tutorial I will show you how to modify boolean values in PS2 games.

What is a boolean value?
Boolean values are used to denote the result of a logical operation. A boolean value can be either true (1) or false (0).

How would I find a boolean value in PS2DIS?
Some words to look out for in labels would be: "Toggle", "Enable", "Disable", "Use".

Disassembly Examples:
Typically there are two ways boolean values work in PS2 games. There's the "straight-forward" way (which I'll cover in the latter half of this tutorial) and there's the function call way. In the form of a function call there will be a store instruction to an area high in memory which holds the result of some logical operation performed elsewhere. This is where either 0x01 or 0x00 is stored according to the result of said logical operation. To find this you want to be on the lookout for a store byte instruction (syntax: sb $t, offset($s)).

Ex: The Punisher
00151034 a022b9f8 sb v0, $b9f8(at) (__0053b9f8)
00151038 3c01005f lui at, $005f
0015103c 8c22b1f8 lw v0, $b1f8(at)
00151040 1040000d beq v0, zero, $00151078
00151044 3c060045 lui a2, $0045
00151048 3c040181 lui a0, $0181
0015104c 3c050045 lui a1, $0045
00151050 24c6c4c0 addiu a2, a2, $c4c0 ("Big_head_mode")

The first line is storing the least significant byte (read: the last byte in the address' data) into v0. The address it's calling is 0053b9f8. Let's have a look at the data at that address:

0053b9f8 00000000 nop

The least significant byte is 0x00, which would mean that the logical operation returned a boolean false. We need to change that:

Enable Big Heads (Credit: delcano)
0053b9f8 00000001

Now I know you're probably wondering, "why didn't you put a '2' in front of the address?" The reason is that we only need to write 1 byte (8 bits) to the address. '20' would signify a 32-bit write (although in most cases it wouldn't matter, since the data is all zeros anyway; it's just better to use the proper 8-bit write).

Now on to the "straight-forward" way: sometimes a label will bring you directly to the address holding the boolean value.

Ex: Grand Theft Auto 3
0041848C 00000000 nop BombsAreFree_8CGarages

Bombs Are Free
0041848C 00000001
--------------------------------------------------------------------
7. Offsetting PAL to NTSC

Offsetting PAL to NTSC. In this case, offsetting is taking a code from another region's version of a game (European/PAL, Japanese NTSC, etc., depending on where you are) and changing it to work on the NTSC version of the same game.

Tools you will need:
Offset calculator (SiteSled.com - 100% Free Web Hosting)
A calculator that has a scientific mode.

First we need to find a code that already exists in both NTSC and PAL, to find the offset difference between the two. You can use any code that already exists in both PAL and NTSC to find the offset difference. For example:

NTSC
205A1250 10000075 No Shock
PAL
202EDAB8 00000000 No Shock

Now that we have the two we can get started.

Address: an "address" is the first 8 digits in a code. Example: XXXXXXXX 00000000, where the X's represent the address of the code.
Data: the "data" is the last 8 digits in a code. Example: XXXXXXXX 00000000, where the zeros represent the data of the code.
Now take the address from the NTSC code and put it into the NTSC slot on the offset calculator, then take the PAL address and put it into the PAL slot on the offset calculator (offset.jpg in the original post). Now click the button that says "Get Offset" (offset2.jpg). Check the Hex box on the offset calculator and it will display the offset, which for us is 2B3798. Now we have an offset difference between the two codes.

Now we need to open our computer's calculator; for Windows go to Start/Programs/Accessories/Calculator. Make the calculator use scientific mode: go to View and click on Scientific, then click the radio button next to Hex so the calculator will recognize hex.

OK, find a code you want to offset. Remember the code needs to be in hex and it has to be PAL. I'm going to use No Fog:

PAL No Fog
2020EF1C 00000000

Take the address from the code and put it into the calculator (cal.jpg). Now we add the offset difference we got, 2B3798, to the address (cal2.jpg). So we get 204C26B4. Now we need to add the original data from the PAL version of this code:

PAL No Fog
2020EF1C 00000000

So the data for the code we have added the offset to will be 00000000, and our code will look like this:

NTSC No Fog
204C26B4 00000000

Now we're ready to test and see if our offset worked. If the code you have offset does not work, don't worry; all you have to do is add 4 (in hex) to it until you find a working version of your code. So 204C26B4 + 4 = 204C26B8.

Doing multiline codes
Multi-line codes are the same; all you have to do is offset each address in the code. You can use the same offset for every code; you don't have to find a new offset every time you want to change a code from PAL to NTSC.
--------------------------------------------------------------------
8. Perfect Animation Tutorial

(image not preserved)

9. Kill Mod, Death Mod, and Score Mod

Kill Mod, Score Mod, Death Mod for Universal Hacking
By *B-L-u-e-M-a-N*

In this tutorial you will learn how to do easy string searches for variable modifications. Do not use this tutorial unless you know what you're doing and understand how commands/offsets work. In this tutorial we will be using a fully dumped copy of Socom II: US Navy Seals.

1. Open up the SCUS and invoke, to maximum as usual.
2. Hit Ctrl+F to search for a hex string. Click 'yes' to find a hex string first, then do the next step. String searches can come in very handy when porting, and when searching for the exact data/offset of your code.
3. 01 00 42 24 is the pattern I found. To help you understand it more easily: the first four digits of the pattern, 01 00, are the last 4 digits of the offset, so put into words the first part of this pattern is $0001, and with the 42 24 it makes addiu v0, v0, $0001. The tough part of this is knowing where you're at. This is used for singly numbered variables, e.g. deaths, kills, bullets, etc.
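Added example, not from Blueman's post: it shows why 01 00 42 24 is the search pattern for addiu v0, v0, $0001 (the EE is little-endian, so the immediate's low byte comes first), decodes the signed immediate so $fffe reads as -2, scans a dump for a given addiu, builds the raw code line with the right leading digit (the 0/1/2 write sizes of sections 6 and 15), and does the PAL-to-NTSC offset arithmetic from section 7 including the +4 retry. The sample dump is constructed for the example; the register-name table is the standard MIPS naming ps2dis uses.

```python
# Added example (not from the tutorial): addiu patterns, signed immediates,
# raw code lines and PAL->NTSC offsetting.  Standard library only.
import struct
from typing import List, Optional, Tuple

OP_ADDIU = 9
REG = ["zero", "at", "v0", "v1", "a0", "a1", "a2", "a3",
       "t0", "t1", "t2", "t3", "t4", "t5", "t6", "t7",
       "s0", "s1", "s2", "s3", "s4", "s5", "s6", "s7",
       "t8", "t9", "k0", "k1", "gp", "sp", "fp", "ra"]


def addiu(rt: str, rs: str, imm: int) -> int:
    """Encode 'addiu rt, rs, imm' (I-type: op 6 | rs 5 | rt 5 | imm 16)."""
    if not -0x8000 <= imm <= 0xFFFF:
        raise ValueError("immediate does not fit in 16 bits")
    return (OP_ADDIU << 26) | (REG.index(rs) << 21) | (REG.index(rt) << 16) | (imm & 0xFFFF)


def decode_addiu(instr: int) -> Optional[Tuple[str, str, int]]:
    """(rt, rs, signed immediate) for an addiu word, None for anything else."""
    if instr >> 26 != OP_ADDIU:
        return None
    imm = instr & 0xFFFF
    if imm & 0x8000:            # sign-extend: $fffe is -2, not 65534
        imm -= 0x10000
    return REG[(instr >> 16) & 31], REG[(instr >> 21) & 31], imm


def search_bytes(instr: int) -> str:
    """The 'find as hex string' pattern for a word: 24420001 -> '01 00 42 24'."""
    return " ".join(f"{b:02x}" for b in struct.pack("<I", instr))


def find_addiu(dump: bytes, rt: str, rs: str, imm: int, base: int = 0) -> List[int]:
    """Word-aligned addresses in a dump (loaded at base) holding the addiu."""
    pat = struct.pack("<I", addiu(rt, rs, imm))
    return [base + i for i in range(0, len(dump) - 3, 4) if dump[i:i + 4] == pat]


def code_line(addr: int, data: int, width: int = 32) -> str:
    """Raw code line; the leading digit is the write size: 0 = 8-bit,
    1 = 16-bit, 2 = 32-bit (the '2' the tutorials put in front)."""
    kind = {8: 0, 16: 1, 32: 2}[width]
    if data >> width:
        raise ValueError("data does not fit the write size")
    return f"{kind}{addr & 0xFFFFFF:07X} {data:08X}"


def pal_to_ntsc_offset(ntsc_line: str, pal_line: str) -> int:
    """Offset difference from a code known in both regions (section 7)."""
    return int(ntsc_line.split()[0][1:], 16) - int(pal_line.split()[0][1:], 16)


def apply_offset(line: str, offset: int) -> str:
    """Shift one line's address by the offset; the data is carried over as is."""
    addr, data = line.split()
    return f"{addr[0]}{(int(addr[1:], 16) + offset) & 0xFFFFFFF:07X} {data.upper()}"


def offset_candidates(line: str, offset: int, tries: int = 4) -> List[str]:
    """The 'add 4 until it works' retry: the first few candidate lines."""
    return [apply_offset(line, offset + 4 * i) for i in range(tries)]


# Constructed sample dump (not a real SCUS): four words, the addiu at +8.
SAMPLE_BASE = 0x00549CF0
SAMPLE_DUMP = (struct.pack("<I", 0x3C01005F) + struct.pack("<I", 0x00000000)
               + struct.pack("<I", 0x24420001) + struct.pack("<I", 0x2C420002))

if __name__ == "__main__":
    hit = find_addiu(SAMPLE_DUMP, "v0", "v0", 1, base=SAMPLE_BASE)[0]
    print(code_line(hit, addiu("v0", "v0", 5)))            # 20549CF8 24420005
    print(decode_addiu(0x2442FFFE))                        # ('v0', 'v0', -2)
    off = pal_to_ntsc_offset("205A1250 10000075", "202EDAB8 00000000")
    print(offset_candidates("2020EF1C 00000000", off))      # 204C26B4 ... 204C26C0
```

Note the range check in addiu: the kill counter example adds a small positive number, but the tutorial's "2442****" placeholder lets you type any four digits, and anything from 8000 upward is a negative add on the hardware, which is exactly how the deductions code works.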
Here is our raw code:
00549cf8 24420001 = set of kills per kill, set as 1
Now we change it to 20549cf8 2442****.

Here is our final code:
Kill Mod
20549cf8 2442****
Kills Neutral
20549cf8 2442f***
Credit to Stealth for the code above.

4. This pattern can be used in many different ways. Remember to think about the offset ($****). Now to find negatives, commonly used for reductions or negative variables. If you'd like to use this pattern to find a deduction of -2: fe ff 42 24 is an offset of $fffe, which is a deduction; in this case addiu v0, v0, $fffe. This is our search. The tough part of this is testing between 4 lines.

Here is our raw code:
0054a704 2442fffe = deduction of -2 for your own death or teammates'
Now we change it to 2054a704 2442****.

Here is our final code:
Deductions Neutral
2054a704 24420002
Deductions Mods
2054a704 2442****
Credit to Blueman for the code above.

Note: this code can be modded to your own settings... I hope this was of help to you.
Your friend, Blueman
--------------------------------------------------------------------
10. Color Editing by Fusion

Basically, when you can modify a color in a game, like fog, or HUD text, or whatever, you will be modifying it in the EE memory. Look for a set of 3 marked empty areas in the EE memory. Mark the first one and check its referrer. If the function checks out, and you think it might be where the game grabs the color for something, then go ahead and give it a shot. If the game freezes, it is probably not where the game is grabbing a color. You need to input float values, so grab a float value converter. In general, most games will use RGB (Red Green Blue). The first line will be red. Games might work differently in what values to put in. In Socom, it used the usual max amount of 255 for each color. The catch was that you had to slide the decimal over two places. So if you wanted maxed-out red, you would actually type 2.55 into the float converter, and then put that value into the appropriate line. Every game can be different though, and if your game does not have labels in the EE, then it's very tough to work out. You can always pop in Socom 1 and mess with these to get how to change the color around.

9: Colored Fog
20529eb0 00000000
20529eb4 00000000
20529eb8 00000000
Desc: Using these lines of code, and editing the last 8 digits, will give you different colored fog. You can set the fog at whatever color you want. It uses RGB, so the first line controls red, the next controls green, the last controls blue. You must use float values in the last 8 digits, and a decimal value of 2.55 converted to float = max (RGB's max value for a single color is 255).

10: Colored NVG/Full Scope NVG
2052a028 00000000
2052a02c 00000000
2052a030 00000000
Desc: This is the same as colored fog, except instead of controlling the color of fog, it controls the color of your night vision. A float value of 40000000 = 2.0 in decimal.
--------------------------------------------------------------------
11. Hacking Tools and Programs

Originally written by Hacka_Attack, with additions made by Pacman.

WinRAR - The most useful tool. This allows you to create RAR and ZIP archives and compresses better than anything I've ever seen. You will use this often after installation, trust me.
PS2DIS - The main tool for disassembling PS2 games. This allows you to alter data and give the game different effects in certain situations. It is recommended that you learn MIPS assembly language before attempting to use this tool.
GameHax Tool - This is known as the GameHax tool, coded by SPIT and IDOT. One of the most useful tools you can possibly use. It serves as a code converter, media player, offset calculator, imposter maker, float converter, joker maker, and includes a helper to help you with MIPS assembly. Very nifty tool.
MaxConvert v0.17 - This is a very useful converting tool and supports all current formats except the new versions of CodeBreaker and GameShark. The best converter around. For AR MAX you must enter a Game ID before you can convert, though.
Label Mates - A very useful tool. You import these into your PS2 disassembler and you will have loads more labels to use and hack codes with.
Memory Dump Code Search - A big thanks to Dark Killer for this one. All you have to do is load your ELF file into this and it will automatically search the dump codes for you. There are 2 methods, so if one doesn't work use the other.
PCSX2 PS2 Emulator - This is the best tool to use when dumping games, if you ask me. It also functions as a real PS2 playing device. This allows you to raw dump the game as you please and debug it as well.
Cheat Encryption Lookup - Yet again Dark Killer. This tool allows you, if you don't know it, to look up the encryption of a code by simply inputting it.
NTSC to PAL and PAL to NTSC Video Mode Fixer - This is a handy tool which allows you to convert Y fixes for games which are not of your PS2 region. For example, PAL games have finer signals than NTSC and therefore do not appear normal on our screens. This allows you to fix that and view it more clearly. Same with PAL.
Socom 1 Imposter Maker - Used to make imposters for Socom I.
Socom II Imposter Maker - Used to make imposters for Socom II.
R33L's What-A-Joker - Used to make jokers for any PlayStation game.
cYs Joker Maker 1.0 - Used to make jokers for any PS2 game.
Offset Calculator
Float to Decimal Program - Program used to convert float values to decimals.
Maxcrypt - Converts codes to AR-Max.
Converts Codes to AR-Max Console Codes
Imposter/Joker Maker (hosted on MEGAUPLOAD)
--------------------------------------------------------------------
12. Disabling Codes: NOP
13. Other Handy Swapping Data
14. Scores/Radius/Speed Mods

Part 1: http://img339.imageshack.us/img339/9...onecopy5fx.jpg
Part 2: http://img184.imageshack.us/img184/7455/hackingtutparttwocopy9um.jpg
--------------------------------------------------------------------
1. Search for the label you want.
2. I shall use Socom 2 PAL v1 and the negative points mod when you get a team kill. Note: you can usually change the last 4 digits on an addiu, e.g. 2442fffe, to a bigger/smaller number, provided that is what you want to do (if you want to go faster/bigger, slower/smaller, etc.). But it can sometimes not be at the start; for example, this code is in the middle of nowhere. I used a hex string search to find this: search for -2, which is ff fe in hex, so I searched for feff2442 (2442 because that is usually an addiu).
3. I get taken to:
004e1438 2442fffe addiu v0, v0, $fffe
004e143c 2c420002 sltiu v0, v0, $0002
etc. OK, so let's take the addiu I'm taken to, 004e1438. You want to change the last 4 digits of the data to the value you want. As I said, this value ff fe is negative 2, and I want it to be 2745 (lol), which is ab9 in hex. So the code will be 004e1438 24420ab9. Testing... works!! This will be added to. Thanks, hope this helped.
--------------------------------------------------------------------
15. Coding Encryptions

To keep some repeating posts down, please read how to tell apart codes for different game enhancers.

16-bit codes look like DE______ ________. 16-bit coding is used for GameShark 2 and Action Replay 2.
32-bit GameShark (all versions) looks like 24______ ________. Notice the 24 encryption; this does not allow use on CodeBreaker or any other game enhancer.
32-bit CodeBreaker (all versions) looks like 2A______ ________. Again, the 2A encryption disallows use on other game enhancers.
Hex: universal coding, works on almost all enhancers, looks like 20______ ________. Most codes found on cheating websites like this one for Socom codes use hex. A hex code works universally EXCEPT for 16-bit codes.

00 - Raw 8-bit hex
10 - 16-bit hex
20 - 32-bit hex
2A - CodeBreaker
24 - GameShark v3
DE - GameShark v2
--------------------------------------------------------------------
16. Socom 3 Beta Joker Address Tutorial

Using Socom 3 Beta. This is a method that I believe Code hax found; I can't really recall, but I have my own little twist to it. To view it more carefully you will need the dump.

Starting with the string label "sceDbcSetWorkAddr: rpc error\n": find the referrer of that label and scroll down from it. In Socom 3 it's:
004d2584 24848f48 addiu a0, a0, $8f48
Scroll down from there and find the command storing the a2 or s2 register. In most cases it's the sw, using my method:
004d2600 ae320028 sw s2, $0028(s1)
That sw is jumping to:
007814e8 007d5440 sll t2, sp, 17
Taking the data of that line, 007d5440, we jump to it by hitting G and typing the address in there. Doing this leads us to:
007d5440 00000017 dsrav zero, zero, zero
In most cases it's a bltzal command line, but not in S3... Now here is where you would need to scroll down to an lwl, and that is your joker address. (Due to me not having the complete dump I cannot continue this method.)

Method 2. Using the above information, instead of finding the sw calling 007814e8, above it there is an addiu with registers a2, a0. That can also be used as a joker address:
004d25f4 26060014 addiu a2, s0, $0014
Socom 3 Joker address #2
D04D25F4 0000????
Note: not all of this may work due to S3 being completely different. This method does work for S2 if you would like to check it. I hope this helps you guys.
-Stealth
--------------------------------------------------------------------
17. Socom 3 Beta Dynamics

I guess posting some tutorials now won't hurt, just so you all can get an idea of how to do it yourself. Now, just a heads up on this: you may want to get the dump to see it more clearly. This is the start of just one method to find it.
Here is the .rdr method (there's a little more left out, but not really needed).

"Dynamics.rdr"
Pass the first jal, which is a sub function. The 2nd jal jumps to the label for dynamics, such as gravity and damage in newtons:
002CB908 jal $00317450
Start of the label function for Dynamics: 00317450
The 3rd is a sub function reversing back to the original function. The 4th jal jumps to the dynamics ASCII:
002CB918 jal $0032B7E0

Dynamics
0032B7E0 27bdfff0 addiu sp, sp, $fff0 <--- start of function
0032B7E4 3c040063 lui a0, $0063
0032B7E8 3c050069 lui a1, $0069
0032B7EC 3c060069 lui a2, $0069
0032B7F0 ffbf0000 sd ra, $0000(sp)
0032B7F4 24847b30 addiu a0, a0, $7b30 <--- start of the call to Dynamics
  --> 00637B30 3f267914 lui a2, $7914
Scroll down a little. Next call:
0032B810 24847ac0 addiu a0, a0, $7ac0
  --> 00637AC0 3ea065d8 lui zero, $65d8
Scroll down a little. 3rd call:
0032B82C 24847a50 addiu a0, a0, $7a50
  --> 00637A50 40528527 (cop0) $00528527 (co-operation dynamics above and below)
Scroll down a little. 4th call:
0032B848 248479e0 addiu a0, a0, $79e0
  --> 006379E0 c00176ab (ll) at, $76ab(zero)
I believe that last one is a flash dynamic; just a hunch based on the registers and the .byte routine above. If you have any questions, guys, just post away and we will help out. Thanks, guys, and I hope this helps you all in hacking.
-Stealth
--------------------------------------------------------------------
18. Jumping and Branching Instructions

Jumping and branching instructions guide, by uni-terror

Branches are the way the PS2 is able to make decisions: should I enable this or not? Is this value equal to this register? Without them your game couldn't decide anything (well, there are other conditionals, but branches are the most common). For the most part, if the condition is true, they branch or skip to the specified address. Jumps are also important, as they allow subroutines to be run inside functions and can be disabled accordingly to only disable one aspect of a function.
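Added example (not from uni-terror's guide): a decoder for the jump and branch encodings listed next, computing the target the way the hardware does (a branch offset is relative to the instruction after the branch, PC+4, and is shifted left by two; j and jal keep the upper four bits of PC+4), plus the "disabling code" of section 12, which nops the instruction and keeps the original word as the reverse for an off-joker. bgt, bge, blt and ble (and their unsigned forms) are assembler pseudo-instructions, expanded to an slt/sltu followed by bne or beq, so a disassembler shows them as two lines rather than one opcode; the decoder covers the real opcodes. Register names follow ps2dis; the sample words are the ones quoted elsewhere on this page.

```python
# Added example (not from the guide): decode j/jal and branch words and
# compute their targets; build a NOP disabling code with its reverse.
from typing import List, Optional, Tuple

REG = ["zero", "at", "v0", "v1", "a0", "a1", "a2", "a3",
       "t0", "t1", "t2", "t3", "t4", "t5", "t6", "t7",
       "s0", "s1", "s2", "s3", "s4", "s5", "s6", "s7",
       "t8", "t9", "k0", "k1", "gp", "sp", "fp", "ra"]
# REGIMM (opcode 1) uses the rt field to pick the compare-with-zero form.
REGIMM = {0: "bltz", 1: "bgez", 16: "bltzal", 17: "bgezal"}


def decode_branch(addr: int, instr: int) -> Optional[Tuple[str, str, int]]:
    """(mnemonic, operands, target) for a jump or branch word at addr,
    None for any other instruction."""
    op = instr >> 26
    rs = REG[(instr >> 21) & 31]
    rt_num = (instr >> 16) & 31
    rt = REG[rt_num]
    delay = (addr + 4) & 0xFFFFFFFF               # branches are relative to PC+4
    off = instr & 0xFFFF
    if off & 0x8000:                              # signed 16-bit word offset
        off -= 0x10000
    btarget = (delay + (off << 2)) & 0xFFFFFFFF
    if op in (2, 3):                              # j / jal: 26-bit word index,
        target = (delay & 0xF0000000) | ((instr & 0x3FFFFFF) << 2)   # same 256 MiB region
        return ("j" if op == 2 else "jal", f"${target:08x}", target)
    if op == 1 and rt_num in REGIMM:
        return (REGIMM[rt_num], f"{rs}, ${btarget:08x}", btarget)
    if op == 4:
        if rs == "zero" and rt == "zero":         # 'b' is beq zero, zero
            return ("b", f"${btarget:08x}", btarget)
        return ("beq", f"{rs}, {rt}, ${btarget:08x}", btarget)   # beqz when rt is zero
    if op == 5:
        return ("bne", f"{rs}, {rt}, ${btarget:08x}", btarget)   # bnez when rt is zero
    if op == 6 and rt_num == 0:
        return ("blez", f"{rs}, ${btarget:08x}", btarget)
    if op == 7 and rt_num == 0:
        return ("bgtz", f"{rs}, ${btarget:08x}", btarget)
    return None


def disable_jump_code(addr: int, instr: int) -> Optional[List[str]]:
    """Section 12 style disabling code: the nop line, and the original word
    as the reverse for an off-joker.  None if the word is not a jump/branch."""
    if decode_branch(addr, instr) is None:
        return None
    return [f"2{addr & 0xFFFFFF:07X} 00000000", f"2{addr & 0xFFFFFF:07X} {instr:08X}"]


if __name__ == "__main__":
    print(decode_branch(0x002CB908, 0x0C0C5D14))   # ('jal', '$00317450', 3241040)
    print(decode_branch(0x00151040, 0x1040000D))   # ('beq', 'v0, zero, $00151078', ...)
    print(disable_jump_code(0x002CB908, 0x0C0C5D14))
```

Because the branch offset is taken from PC+4 and not from the branch itself, the beq from the Punisher listing in section 6 (at 00151040, offset 000d) lands on 00151078, which is 0x34 bytes past the branch, not 0x30; getting that off by one word is the usual mistake when computing targets by hand.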
Jump instructions j jump (jumps to address specified) jal jump and link (jumps to another function and returns when it's done executing) Branch instructions b branch (branchs or skips to address without checking a condition) beq branch on equal (branch or skip to address if the two registers given are equal) bne branch on not equal (branch or skip to address if the two registers are NOT equal) comparing registers seeing if register 2 is greater than register 1 bgt branch on greater than bge branch on greater than or equal bgeu branch on greater than or equal unsigned bgtu branch on greater than unsigned comparing registers seeing if register 2 is less than register 1 blt branch on less than (not bacon lettuce and tomatoe) ble branch on less than or equal bleu branch on less than or equal unsigned bltu branch on less than unsigned comparing register to zero beqz branch on equal to zero bgez branch on greater than or equal to zero bgtz branch on greater than zero bgezal branch on greater than or equal to zero, and link bltzal branch on less than zero and link blez branch on less than or equal to zero bltz branch on less than zero bnez branch on not equal to zero feel free to comment, i know this isn't a full list (i left out the 'if likely' conditionals because they are never used), but if you see any mistakes let me know. next tutorial write will be floating point math instructions or just regular math isntructions. ----------------------------------------------------------------------- 19.A beginners guide to MIPS Written by: Codemasters Project Codehacker Team This article's for the beginner game hackers (or advanced game hackers who dont know anything about MIPS) who need help understanding the MIPS assembly language. 
This section gets into some more complex stuff, as you will learn about the MIPS assembly programming language (the language in which all PS2 games are written), but it is still meant for the beginners who want to understand the code they see in ps2dis... let's get started.

When it comes to programming in 'assembly', there is NOT one type of assembly. ALL assembly languages are programming languages in which the source code deals directly with the processor chip. The PS2 runs off of a MIPS processor chip, and for this reason all PS2 games must be written in the MIPS assembly language. There is more than just MIPS assembly, however... all of the types of processors have their own assembly language. MIPS assembly is the code you see when you open a SLUS file in ps2dis.

Because assembly languages interact directly with the processor chip, they are EXTREMELY fast when it comes to program execution. In fact... when you read about a computer that has, let's say, a 2.4 GHz processor... this is telling you how fast the processor works. The 2.4 GHz is how many processes the processor chip makes per second... let's think about that. There's hertz, megahertz, and gigahertz: about 1000 hertz in a megahertz and about 1000 megahertz in a gigahertz. That many processes per SECOND... that's REALLY fast. Anyway, back to the part that matters.

There are some complex and key points to the MIPS assembly language which MUST be taken into account when reading MIPS assembly source code (or even more so... writing MIPS assembly source). I'll start from the beginning. Each and every action done by the processor is done by a line of code called an 'instruction'. EVERY instruction in the MIPS assembly language is a 32-bit process. Now, a single bit is a single binary digit that can be either '0' or '1', standing for 'false' and 'true'. There are 32 bits (or on/off digits) in every instruction. There are 8 bits in a single byte... and the 8 hex-valued digits that make up an address are made up of 4 bytes. You can test this theory by multiplying 4 by 8. In other words, you multiply the 8 bits that make up a byte by the number of bytes... the answer is 32, where you have 32 bits (hence the '32-bit' instructions).

MIPS assembly uses 'registers' to store data for operation in program execution. There are 31 general purpose registers, 30 double float registers, and 31 single float registers (if you don't know what I mean by 'float', read up on some C++... specifically the types of variables). The general purpose registers are broken down even more though... for instance, there are certain general purpose registers that should be used for certain things. (Have you ever seen a register in ps2dis that was identified with a 't'... i.e. t0, or t1??? These are 'temporary' registers and should ONLY be used within a function.) Also, there are 2 (I believe) registers that are not meant to be used to store information... the zero register (known as $0 or zero) ALWAYS holds the value zero. So if you try to store data in it for an important comparison or for a branch... it'll compare the other register with the value zero instead of what you tried to store into register $0. And register 'ra' (I think) is the other register that is a special register. This register is used to hold the address for jumps and jump returns and things like that... not to hold values for comparison or anything else.

There are also little rules that one MUST abide by when using MIPS assembly. The first of the two major issues I'll talk about is: the 'PC' (think of this as the 'program counter', which keeps track of which line the program is on) is incremented by 4 during the execution of each instruction (it increases by 4 because of the four bytes that make up an address). The PC is increased by four during the MIDDLE of the instruction... so when the program comes across a 'j' or 'jal' or any kind of jump, the PC is increased, THEN it executes the line of code which contains the jump instruction. Because of this, the program runs and executes the line of code after the line with the jump instruction, and, in the middle of that line's execution, the PC is finally set to the address which the jump referred to. This is NOT a big deal at all... in fact, because of the one-line delay, you can make good use of its time and put an important instruction after the jump. If you don't have an instruction after the jump... who knows what could happen (the program would crash most likely). This is why, when you are viewing the code for the games, there is ALWAYS a line of code after the jump, even if it's just a 'nop' (nop or no-op stands for 'no operation').

The second of the two key issues is the 'load/store delay time'. The MIPS assembly language (because it is 32-bit based) has addresses that range from 00000000 all the way to FFFFFFFF. BUT, the MIPS processor sections off certain ranges of addresses for certain usages... one of these usages is memory. MIPS has a section of addresses where you can store data and call upon it at a later time (if you are using the pcSPIM MIPS simulator, the 'memory' range starts at 10000000). There is, however, a delay time when it comes to loading or storing information in the memory. The delay time is only one instruction long... which is NOTHING considering how fast the programs execute. But, due to the delay time... you SHOULD NOT use the register for ANY reason after loading or storing information until at least one more instruction has already been executed. You will also see this in ps2dis... there is always time between a load or store instruction and an instruction that uses the registers that held (or hold) the data for loading or storing.
Now I'll go over a couple of commands for the MIPS assembly language which should really help you when it comes to hacking PS2 games...

Part 2:

The 'ori' command (or 'logical OR immediate') will 'logical OR' two values and catch the result in the specified register. 'Immediate' means that you are going to give a value straight up... one that's not in a register... but just give a value to compare with. The other value, however, must be in a register. For instance, you can do this:

    ori t0, t1, 0x0008

This would compare the bit patterns (remember that all MIPS instructions are 32-bit; it compares the bits of the two given values) held in register t1 with the bit pattern that represents the value 8 (or 8... the 0x means it's a hex value, which in this case doesn't make a difference, but if you were to give it 0x0010, it would be different than to give it 0010). The result of the ori instruction would be caught in register t0. You can also have a value in t0, and do:

    ori t0, t0, 0x0008

This does the same thing, only it spares us the use of another register. If you don't give the 'immediate' instruction, you have to use 2 registers... like this:

    or t0, t0, t1

...which does the same thing, only it compares the value of 2 registers (registers t0 and t1). This instruction can also be used to simply assign a value into a register... for instance:

    ori t0, zero, 0x0008

This would compare 0x0008 with zero, and simply assign the 8 to register t0.

Next are the sl's and sr's. You may have seen an instruction in which the command was 'sll'. These are 'shift left' instructions. There are other commands that start with 'sl' and 'sr', like slt (and they are different from 'sll'), but generally, when you see an 'sl' or an 'sr', they are shift commands ('l' for left, and 'r' for right). What these do is shift the bit pattern specified in the direction specified, and the result is caught in the specified register. For instance:

    sll t0, t1, 4
This would shift the bit pattern held in register t1 to the left 4 bits and catch the result in register t0. If the value in register t1 is 0008, the result that is caught in t0 after the shift would be 0080 (remember that there are 8 bits in a byte... this 8 moved over half a byte). This can be very useful in many situations (especially for game programs), but as you get more advanced, you will realize that the 'sll' command can be used to simply multiply a value (hint: shifting left 1 bit multiplies by 2, shifting 2 bits multiplies by 4, 3 bits multiplies by 8...). You can also use the same register in these commands... like this:

    sll t0, t0, 4

...in which the value already held in t0 would shift left 4 bits and would then be stored in t0 (in which case the value in t0 would have been multiplied by 16).

And, as I spoke of earlier, there is a 'slt' command. You may also see it as 'slti', but remember that the 'i' or 'immediate' only means that you are using a specific value (like $0004 is ALWAYS gonna equal $0004). I'm not quite sure what the 's' in 'slt'/'slti' stands for, but I do know that the 'lt' stands for 'less than'. This command tests to see if a value is 'lt'/'less than' another, and if so it puts the value '1' into the specified register... otherwise, the specified register will catch '0'. It looks like this:

    slti t0, t1, 0x0004

This would catch the value '1' in register t0 if the value in t1 is less than 4... if the value in t1 is equal to or greater than 4, zero will be caught in register t0. You can also catch the value in one of the registers being compared, like this:

    slt t0, t0, t1

...which will catch '1' in register t0 if the value in t0 is less than the value in t1; otherwise t0 will be assigned the value 0.

Next there are a whole bunch of add, subtraction, multiplication, and division commands. These simply carry out the math:

    add t0, t0, t1

(This would add the values held in t0 and t1 and store the result in t0.)
There is also an addui (or 'add upper immediate'). Normally when adding or subtracting, the values are held in the last four digits of the data... but if you want to add to the first four digits... you use the 'upper' instruction, and once again you can use the 'immediate' to give a constant value. Note, however, that addui and addiu are different, and only the addui will work with the first four digits.

There are also multiplication and division commands, but these are pretty straightforward as the command is something like 'mult' (which is obviously multiply) and 'div' (which is obviously divide). However, with multiplication and division, the answer is stored in something called mfhi and mflo. The values must be called from these to be stored into a register... and I'm not sure, but I think you must retrieve the values before you carry out another mult. or div. instruction.

Next, we have the load and store commands. There are load and store instructions for bytes, half-words, and words (lb, lh, lw and sb, sh, sw). A word is the full 00000000 value (address 00000000, where the 0's make up the word). A half word is... well... half of a word. And a byte is simply 00. These are commonly used to set up a call to a desired location in memory, and often coincide with a 'lui' ('load upper immediate') instruction. For instance, you can do this:

    lui t0, 0x0040
    lw t1, $240c(t0)

The end result would be... the value stored at 0040240c would be stored into register t1. The (t0) part tells the program to load the full word value from the address starting with (t0) and, to be exact, load from 240c (which together equals 0040240c). You can also use 'lb' the same way... and same with the 'lh'.

Well, that's pretty much it... you should now have a pretty good start on understanding a little bit of MIPS assembly. This, of course, is NOWHERE near knowing the language, but when you are hacking, if you keep all these things in mind, you should understand the code a lot more...
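To check listings like the ones above by hand, here is an added example (not from this guide, from ps2dis, or from any of the credited teams) that decodes raw 32-bit words using the field layout given in the Commands table and combines a lui with the addiu/lw that follows it, the way the Dynamics listing in section 17 and the lui/lw pair above do. The register names and sample words are the page's; the `decode` and `effective_address` function names are mine, and the jal word is re-encoded from its target rather than copied from the listing.

```python
"""Decoder for the raw MIPS words shown in the ps2dis listings above.
Added example, not from the guide or from ps2dis. Field layout follows the
Commands table (op 31..26, rs 25..21, rt 20..16, rd 15..11, shamt 10..6,
funct 5..0, imm 15..0); sample words are copied from the Dynamics listing."""

# Register numbers 0..31 under the names ps2dis prints.
REGS = ("zero at v0 v1 a0 a1 a2 a3 t0 t1 t2 t3 t4 t5 t6 t7 "
        "s0 s1 s2 s3 s4 s5 s6 s7 t8 t9 k0 k1 gp sp fp ra").split()

# opcode field -> mnemonic for the I-type instructions (immediate in bits 15..0)
ITYPE = {0x04: "beq", 0x05: "bne", 0x08: "addi", 0x09: "addiu", 0x0a: "slti",
         0x0b: "sltiu", 0x0c: "andi", 0x0d: "ori", 0x0e: "xori", 0x0f: "lui",
         0x20: "lb", 0x21: "lh", 0x23: "lw", 0x28: "sb", 0x29: "sh", 0x2b: "sw",
         0x3f: "sd"}
# funct field -> mnemonic for R-type instructions (opcode 0)
RTYPE = {0x00: "sll", 0x02: "srl", 0x03: "sra", 0x08: "jr", 0x10: "mfhi",
         0x12: "mflo", 0x18: "mult", 0x1a: "div", 0x20: "add", 0x21: "addu",
         0x22: "sub", 0x23: "subu", 0x24: "and", 0x25: "or", 0x26: "xor",
         0x2a: "slt"}
LOADSTORE = ("lb", "lh", "lw", "sb", "sh", "sw", "sd")


def sign16(v):
    """addiu, the loads/stores and the branches treat the 16-bit immediate as signed."""
    return v - 0x10000 if v & 0x8000 else v


def fields(word):
    """Split one 32-bit word into (op, rs, rt, rd, shamt, funct, imm)."""
    return ((word >> 26) & 0x3f, (word >> 21) & 0x1f, (word >> 16) & 0x1f,
            (word >> 11) & 0x1f, (word >> 6) & 0x1f, word & 0x3f, word & 0xffff)


def decode(word, pc=0):
    """Render one word the way the listings show it. pc is the word's own
    address; branch and jump targets are formed from pc + 4 because the PC
    has already advanced by the time the delay slot runs."""
    op, rs, rt, rd, sh, funct, imm = fields(word)
    if word == 0:
        return "nop"
    if op == 0:
        name = RTYPE.get(funct, "(funct %02x)" % funct)
        if name == "jr":
            return "jr %s" % REGS[rs]
        if name in ("mfhi", "mflo"):
            return "%s %s" % (name, REGS[rd])
        if name in ("mult", "div"):
            return "%s %s, %s" % (name, REGS[rs], REGS[rt])
        if name in ("sll", "srl", "sra"):
            return "%s %s, %s, %d" % (name, REGS[rd], REGS[rt], sh)
        return "%s %s, %s, %s" % (name, REGS[rd], REGS[rs], REGS[rt])
    if op in (2, 3):  # j / jal: 26-bit word index inside the current 256 MB region
        target = ((pc + 4) & 0xf0000000) | ((word & 0x3ffffff) << 2)
        return "%s $%08x" % ("jal" if op == 3 else "j", target)
    name = ITYPE.get(op, "(op %02x)" % op)
    if name == "lui":
        return "lui %s, $%04x" % (REGS[rt], imm)
    if name in ("beq", "bne"):  # offset counts words: advance_pc(offset << 2)
        target = (pc + 4 + (sign16(imm) << 2)) & 0xffffffff
        return "%s %s, %s, $%08x" % (name, REGS[rs], REGS[rt], target)
    if name in LOADSTORE:
        return "%s %s, $%04x(%s)" % (name, REGS[rt], imm, REGS[rs])
    return "%s %s, %s, $%04x" % (name, REGS[rt], REGS[rs], imm)


def effective_address(lui_word, second_word):
    """Combine a lui with the addiu/lw/sw that uses its register as base into
    the 32-bit address it points at. The lower immediate is signed: a $fff0
    takes 0x10 off the upper half rather than adding 0xfff0 to it."""
    op1, _, rt1, _, _, _, upper = fields(lui_word)
    op2, rs2, _, _, _, _, lower = fields(second_word)
    if op1 != 0x0f:
        raise ValueError("first word is not a lui")
    if rs2 != rt1:
        raise ValueError("second word does not use the lui register as its base")
    return ((upper << 16) + sign16(lower)) & 0xffffffff


# Sample input: (address, word) pairs copied from the Dynamics listing, plus the
# jal at 002CB908 re-encoded from its target (constructed: opcode 3, target >> 2).
DYNAMICS = [(0x002CB908, 0x0c0c5d14), (0x0032B7E0, 0x27bdfff0),
            (0x0032B7E4, 0x3c040063), (0x0032B7F0, 0xffbf0000),
            (0x0032B7F4, 0x24847b30)]

if __name__ == "__main__":
    for addr, word in DYNAMICS:
        print("%08X %08x %s" % (addr, word, decode(word, addr)))
    # lui a0,$0063 + addiu a0,a0,$7b30 is the 00637B30 the listing points at
    print("%08x" % effective_address(0x3c040063, 0x24847b30))
```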
Happy hackin'.

Written by: Codemasters Project Codehacker Team

-----------------------------------------------------------------------

20.Commands

Command: add
Description: Adds two registers and stores the result in a register
Operation: $d = $s + $t; advance_pc (4);
Syntax: add $d, $s, $t
Encoding: 0000 00ss ssst tttt dddd d000 0010 0000

Command: addi
Description: Adds a register and a signed immediate value and stores the result in a register
Operation: $t = $s + imm; advance_pc (4);
Syntax: addi $t, $s, imm
Encoding: 0010 00ss ssst tttt iiii iiii iiii iiii

Command: addu
Description: Adds two registers and stores the result in a register
Operation: $d = $s + $t; advance_pc (4);
Syntax: addu $d, $s, $t
Encoding: 0000 00ss ssst tttt dddd d000 0010 0001

Command: and
Description: Bitwise ands two registers and stores the result in a register
Operation: $d = $s & $t; advance_pc (4);
Syntax: and $d, $s, $t
Encoding: 0000 00ss ssst tttt dddd d000 0010 0100

Command: andi
Description: Bitwise ands a register and an immediate value and stores the result in a register
Operation: $t = $s & imm; advance_pc (4);
Syntax: andi $t, $s, imm
Encoding: 0011 00ss ssst tttt iiii iiii iiii iiii

Command: beq
Description: Branches if the two registers are equal
Operation: if $s == $t advance_pc (offset << 2); else advance_pc (4);
Syntax: beq $s, $t, offset
Encoding: 0001 00ss ssst tttt iiii iiii iiii iiii

Command: bgez
Description: Branches if the register is greater than or equal to zero
Operation: if $s >= 0 advance_pc (offset << 2); else advance_pc (4);
Syntax: bgez $s, offset
Encoding: 0000 01ss sss0 0001 iiii iiii iiii iiii

Command: bgezal
Description: Branches if the register is greater than or equal to zero and saves the return address in $31
Operation: if $s >= 0 $31 = PC + 8 (or nPC + 4); advance_pc (offset << 2); else advance_pc (4);
Syntax: bgezal $s, offset
Encoding: 0000 01ss sss1 0001 iiii iiii iiii iiii

Command: bgtz
Description: Branches if the register is greater than zero
Operation: if $s > 0 advance_pc (offset << 2); else advance_pc (4);
Syntax: bgtz $s, offset
Encoding: 0001 11ss sss0 0000 iiii iiii iiii iiii

Command: blez
Description: Branches if the register is less than or equal to zero
Operation: if $s <= 0 advance_pc (offset << 2); else advance_pc (4);
Syntax: blez $s, offset
Encoding: 0001 10ss sss0 0000 iiii iiii iiii iiii

Command: bltz
Description: Branches if the register is less than zero
Operation: if $s < 0 advance_pc (offset << 2); else advance_pc (4);
Syntax: bltz $s, offset
Encoding: 0000 01ss sss0 0000 iiii iiii iiii iiii

Command: bltzal
Description: Branches if the register is less than zero and saves the return address in $31
Operation: if $s < 0 $31 = PC + 8 (or nPC + 4); advance_pc (offset << 2); else advance_pc (4);
Syntax: bltzal $s, offset
Encoding: 0000 01ss sss1 0000 iiii iiii iiii iiii

Command: bne
Description: Branches if the two registers are not equal
Operation: if $s != $t advance_pc (offset << 2); else advance_pc (4);
Syntax: bne $s, $t, offset
Encoding: 0001 01ss ssst tttt iiii iiii iiii iiii

Command: div
Description: Divides $s by $t and stores the quotient in $LO and the remainder in $HI
Operation: $LO = $s / $t; $HI = $s % $t; advance_pc (4);
Syntax: div $s, $t
Encoding: 0000 00ss ssst tttt 0000 0000 0001 1010

Command: divu
Description: Divides $s by $t and stores the quotient in $LO and the remainder in $HI
Operation: $LO = $s / $t; $HI = $s % $t; advance_pc (4);
Syntax: divu $s, $t
Encoding: 0000 00ss ssst tttt 0000 0000 0001 1011

Command: j
Description: Jumps to the calculated address
Operation: PC = nPC; nPC = (PC & 0xf0000000) | (target << 2);
Syntax: j target
Encoding: 0000 10ii iiii iiii iiii iiii iiii iiii

Command: jal
Description: Jumps to the calculated address and stores the return address in $31
Operation: $31 = PC + 8 (or nPC + 4); PC = nPC; nPC = (PC & 0xf0000000) | (target << 2);
Syntax: jal target
Encoding: 0000 11ii iiii iiii iiii iiii iiii iiii

Command: jr
Description: Jump to the address contained in register $s
Operation: PC = nPC; nPC = $s;
Syntax: jr $s
Encoding: 0000 00ss sss0 0000 0000 0000 0000 1000

Command: lb
Description: A byte is loaded into a register from the specified address.
Operation: $t = MEM[$s + offset]; advance_pc (4);
Syntax: lb $t, offset($s)
Encoding: 1000 00ss ssst tttt iiii iiii iiii iiii

Command: li
Description: An immediate value is loaded into a register.
Operation: $t = zero + imm
Syntax: addiu $t, zero, offset
Encoding: ????????????

Command: lui
Description: The immediate value is shifted left 16 bits and stored in the register. The lower 16 bits are zeroes.
Operation: $t = (imm << 16); advance_pc (4);
Syntax: lui $t, imm
Encoding: 0011 11-- ---t tttt iiii iiii iiii iiii

Command: lw
Description: A word is loaded into a register from the specified address.
Operation: $t = MEM[$s + offset]; advance_pc (4);
Syntax: lw $t, offset($s)
Encoding: 1000 11ss ssst tttt iiii iiii iiii iiii

Command: mfhi
Description: The contents of register HI are moved to the specified register.
Operation: $d = $HI; advance_pc (4);
Syntax: mfhi $d
Encoding: 0000 0000 0000 0000 dddd d000 0001 0000

Command: mflo
Description: The contents of register LO are moved to the specified register.
Operation: $d = $LO; advance_pc (4);
Syntax: mflo $d
Encoding: 0000 0000 0000 0000 dddd d000 0001 0010

Command: mult
Description: Multiplies $s by $t and stores the result in $LO.
Operation: $LO = $s * $t; advance_pc (4);
Syntax: mult $s, $t
Encoding: 0000 00ss ssst tttt 0000 0000 0001 1000

Command: multu
Description: Multiplies $s by $t and stores the result in $LO.
Operation: $LO = $s * $t; advance_pc (4);
Syntax: multu $s, $t
Encoding: 0000 00ss ssst tttt 0000 0000 0001 1001

Command: nop
Description: Performs no operation.
Operation: advance_pc (4);
Syntax: nop (no operation)
Encoding: 0000 0000 0000 0000 0000 0000 0000 0000

Command: or
Description: Bitwise logical ors two registers and stores the result in a register
Operation: $d = $s | $t; advance_pc (4);
Syntax: or $d, $s, $t
Encoding: 0000 00ss ssst tttt dddd d000 0010 0101

Command: ori
Description: Bitwise ors a register and an immediate value and stores the result in a register
Operation: $t = $s | imm; advance_pc (4);
Syntax: ori $t, $s, imm
Encoding: 0011 01ss ssst tttt iiii iiii iiii iiii

Command: sb
Description: The least significant byte of $t is stored at the specified address.
Operation: MEM[$s + offset] = (0xff & $t); advance_pc (4);
Syntax: sb $t, offset($s)
Encoding: 1010 00ss ssst tttt iiii iiii iiii iiii

Command: sll
Description: Shifts a register value left by the shift amount listed in the instruction and places the result in a third register. Zeroes are shifted in.
Operation: $d = $t << h; advance_pc (4);
Syntax: sll $d, $t, h
Encoding: 0000 00ss ssst tttt dddd dhhh hh00 0000

Command: sllv
Description: Shifts a register value left by the value in a second register and places the result in a third register. Zeroes are shifted in.
Operation: $d = $t << $s; advance_pc (4);
Syntax: sllv $d, $t, $s
Encoding: 0000 00ss ssst tttt dddd d--- --00 0100

Command: slt
Description: If $s is less than $t, $d is set to one. It gets zero otherwise.
Operation: if $s < $t $d = 1; advance_pc (4); else $d = 0; advance_pc (4);
Syntax: slt $d, $s, $t
Encoding: 0000 00ss ssst tttt dddd d000 0010 1010

Command: slti
Description: If $s is less than the immediate, $t is set to one. It gets zero otherwise.
Operation: if $s < imm $t = 1; advance_pc (4); else $t = 0; advance_pc (4);
Syntax: slti $t, $s, imm
Encoding: 0010 10ss ssst tttt iiii iiii iiii iiii

Command: sltiu
Description: If $s is less than the unsigned immediate, $t is set to one. It gets zero otherwise.
Operation: if $s < imm $t = 1; advance_pc (4); else $t = 0; advance_pc (4);
Syntax: sltiu $t, $s, imm
Encoding: 0010 11ss ssst tttt iiii iiii iiii iiii

Command: sra
Description: Shifts a register value right by the shift amount (shamt) and places the value in the destination register. The sign bit is shifted in.
Operation: $d = $t >> h; advance_pc (4);
Syntax: sra $d, $t, h
Encoding: 0000 00-- ---t tttt dddd dhhh hh00 0011

Command: srl
Description: Shifts a register value right by the shift amount (shamt) and places the value in the destination register. Zeroes are shifted in.
Operation: $d = $t >> h; advance_pc (4);
Syntax: srl $d, $t, h
Encoding: 0000 00-- ---t tttt dddd dhhh hh00 0010

Command: srlv
Description: Shifts a register value right by the amount specified in $s and places the value in the destination register. Zeroes are shifted in.
Operation: $d = $t >> $s; advance_pc (4);
Syntax: srlv $d, $t, $s
Encoding: 0000 00ss ssst tttt dddd d000 0000 0110

Command: sub
Description: Subtracts two registers and stores the result in a register
Operation: $d = $s - $t; advance_pc (4);
Syntax: sub $d, $s, $t
Encoding: 0000 00ss ssst tttt dddd d000 0010 0010

Command: subu
Description: Subtracts two registers and stores the result in a register
Operation: $d = $s - $t; advance_pc (4);
Syntax: subu $d, $s, $t
Encoding: 0000 00ss ssst tttt dddd d000 0010 0011

Command: sw
Description: The contents of $t is stored at the specified address.
Operation: MEM[$s + offset] = $t; advance_pc (4);
Syntax: sw $t, offset($s)
Encoding: 1010 11ss ssst tttt iiii iiii iiii iiii

Command: syscall
Description: Generates a software interrupt.
Operation: advance_pc (4);
Syntax: syscall
Encoding: 0000 00-- ---- ---- ---- ---- --00 1100

Command: xor
Description: Exclusive ors two registers and stores the result in a register
Operation: $d = $s ^ $t; advance_pc (4);
Syntax: xor $d, $s, $t
Encoding: 0000 00ss ssst tttt dddd d--- --10 0110

Command: xori
Description: Bitwise exclusive ors a register and an immediate value and stores the result in a register
Operation: $t = $s ^ imm; advance_pc (4);
Syntax: xori $t, $s, imm
Encoding: 0011 10ss ssst tttt iiii iiii iiii iiii

-----------------------------------------------------------------------

20. (Continued) Basic Commands

ADD - Add Word
ADDI - Add Immediate Word
ADDIU - Add Immediate Unsigned Word
ADDU - Add Unsigned Word
AND - And
ANDI - And Immediate
BEQ - Branch on Equal
BEQL - Branch on Equal Likely
BGEZ - Branch on Greater Than or Equal to Zero
BGEZAL - Branch on Greater Than or Equal to Zero and Link
BGEZALL - Branch on Greater Than or Equal to Zero and Link Likely
BGEZL - Branch on Greater Than or Equal to Zero Likely
BGTZ - Branch on Greater Than Zero
BGTZL - Branch on Greater Than Zero Likely
BLEZ - Branch on Less Than or Equal to Zero
BLEZL - Branch on Less Than or Equal to Zero Likely
BLTZ - Branch on Less Than Zero
BLTZAL - Branch on Less Than Zero and Link
BLTZALL - Branch on Less Than Zero and Link Likely
BLTZL - Branch on Less Than Zero Likely
BNE - Branch on Not Equal
BNEL - Branch on Not Equal Likely
BREAK - Breakpoint
DADD - Doubleword Add
DADDI - Doubleword Add Immediate
DADDIU - Doubleword Add Immediate Unsigned
DADDU - Doubleword Add Unsigned
DIV - Divide Word
DIVU - Divide Unsigned Word
DSLL - Doubleword Shift Left Logical
DSLL32 - Doubleword Shift Left Logical Plus 32
DSLLV - Doubleword Shift Left Logical Variable
DSRA - Doubleword Shift Right Arithmetic
DSRA32 - Doubleword Shift Right Arithmetic Plus 32
DSRAV - Doubleword Shift Right Arithmetic Variable
DSRL - Doubleword Shift Right Logical
DSRL32 - Doubleword Shift Right Logical Plus 32
DSRLV - Doubleword Shift Right Logical Variable
DSUB - Doubleword Subtract
DSUBU - Doubleword Subtract Unsigned
J - Jump
JAL - Jump and Link
JALR - Jump and Link Register
JR - Jump Register
LB - Load Byte
LBU - Load Byte Unsigned
LD - Load Doubleword
LDL - Load Doubleword Left
LDR - Load Doubleword Right
LH - Load Halfword
LHU - Load Halfword Unsigned
LUI - Load Upper Immediate
LW - Load Word
LWL - Load Word Left
LWR - Load Word Right
LWU - Load Word Unsigned
MFHI - Move from HI Register
MFLO - Move from LO Register
MOVN - Move Conditional on Not Zero
MOVZ - Move Conditional on Zero
MTHI - Move to HI Register
MTLO - Move to LO Register
MULT - Multiply Word
MULTU - Multiply Word Unsigned
NOR - Not Or
OR - Or
ORI - Or Immediate
PREF - Prefetch
SB - Store Byte
SD - Store Doubleword
SDL - Store Doubleword Left
SDR - Store Doubleword Right
SH - Store Halfword
SLL - Shift Word Left Logical
SLLV - Shift Word Left Logical Variable
SLT - Set on Less Than
SLTI - Set on Less Than Immediate
SLTIU - Set on Less Than Immediate Unsigned
SLTU - Set on Less Than Unsigned
SRA - Shift Word Right Arithmetic
SRAV - Shift Word Right Arithmetic Variable
SRL - Shift Word Right Logical
SRLV - Shift Word Right Logical Variable
SUB - Subtract Word
SUBU - Subtract Unsigned Word
SW - Store Word
SWL - Store Word Left
SWR - Store Word Right
SYNC - Synchronize Shared Memory
SYSCALL - System Call
TEQ - Trap if Equal
TEQI - Trap if Equal Immediate
TGE - Trap if Greater or Equal
TGEI - Trap if Greater or Equal Immediate
TGEIU - Trap if Greater or Equal Immediate Unsigned
TGEU - Trap if Greater or Equal Unsigned
TLT - Trap if Less Than
TLTI - Trap if Less Than Immediate
TLTIU - Trap if Less Than Immediate Unsigned
TLTU - Trap if Less Than Unsigned
TNE - Trap if Not Equal
TNEI - Trap if Not Equal Immediate
XOR - Exclusive OR
XORI - Exclusive OR Immediate

-----------------------------------------------------------------------

21.Clipping Tutorial By Fusion

In general, there are many different ways to do it.
I made a vertical clipping for Syphon Filter: OS, and it took quite a while.

Depending on your level of experience, I recommend looking for a function that involves clipping (look for labels containing "Hit Detection", "Clip", etc. (without the quotes of course)). Then look through the function and find where it is calculating x, y and z (yes, you will usually see "x", "y" and "z" in the syntax). NOP some of those lines, and go through until you find some clipping getting screwy.

Now, at that point, you could have found clipping that is just for the player (which is what you're asking for) or clipping that is for everything (shoot blanks). The only way to tell is a lot of testing. I hope that helps a little bit.

If you have Syphon Filter: OS, here is my original no-clipping code (don't go through walls unless you know there is ground under where you're going, the black hole will suck ya in... lol):

Vert Clip
203be10c 00000000
203be110 00000000

-----------------------------------------------------------------------

22.How to make an R4 imposter

All you need is Dark Killer's R1 Imposter Maker.

http://dawn.cupload.com/eyemyourstal...rnameMaker.zip

Then, you plug in what you want for your name on the imposter maker. You take the values from the imposter maker, ONLY the LAST 8 digits/letters of each line, and put them into the R4 Imposter name:

2041DF14 20202020
2041DF18 ????????
2041DF1C ????????
2041DF20 ????????
2041DF24 ????????

You take those values and put them into the ? marks. The imposter maker will limit you to 28 characters. If you want more, then delete what's on the imposter maker and continue again on it, but with what else you want. Then copy and paste that into the R4 code. If you have any space left, you just add 0's (zeros). Once you have that you're done. Enter it into your Codebreaker/Gameshark and you have your imposter name for the 4th patch on LAN/Xlink.
If you are wanting an imposter name online, I'm sorry, you can use:

No Text Limits String
203BA77C 24420001

Use that for a long name. To do that, you type in the code, get online and type in your name; you can make it more than 30 characters, but ONLY 30 characters will show up. Once you save it, register it, then TURN OFF your PS2 and re-log on without the code on. Then just hop on and you have it. It has not been found how to do it with buttons besides the button codes, so only letters. Have fun.

-----------------------------------------------------------------------

23.Blind's Ps2 Exploit Tutorial

Blind's Ps2 Exploit Tutorial

-----------------------------------------------------------------------

24.Fr0st Monkeys Exploit and Cheating on International TuT

Before we start this tutorial, you are going to need a way to get the files on your memory card. This means you are going to need a Swap Magic, a modchip, or a flash drive to get the files on your memory card.

Exploit Tutorial by fr0st m0nkey

Things needed:
- PS1 game
- Way to boot the given files
- Free space on memory card

* Download this file. http://www.bluefr0st.com/exploit.zip
* Go to Start > My Computer > C:\ and right click. Highlight the 'New' section and click on Folder. Name this folder 'mc' without the ''s.
* Unzip the file you downloaded in the first step into this folder.
* Go to Start > Accessories > Command Prompt.
* Get your PS1 game out and stick it in your CD-ROM. When the menu comes up asking you what you'd like to do with the files, click View in Folder. Look for the SCUS/SLUS file. It should be called something like SLUS_049.00 or any other SCUS/SLES file.
* Go back to the command prompt you opened earlier. In the command prompt, type 'cd C:\mc' and hit Enter (without the ''s) and it should change the working directory to C:\mc.
* Type 'titleman -a' and then the NAME OF THE SCUS/SLUS/SLES you got earlier. It should look something like this:
* It should say Adding 'YOUR SCUS HERE' to TITLE.DB....done.
* Next, open the C:\mc folder and double click on cdgenps2.exe.
* Leave the mc folder open and drag the files onto the cdgenps2 program specifically as listed below:
  o system.cnf
  o expinst.elf
  o cdvd.irx
  o title.db
  o the FILES folder
* Now click on the icon in cdgenps2.exe that says IMG.
* It will bring up a menu for a place to save your image. Select your desktop.
* Now go open up your favorite burning program (I used Nero Burning ROM, which came with my DVD burner, but you can get the free demo here).
* Burn the image and boot it up using your Swap Magic or modchip.
* It should install the exploit.
* Turn your PS2 off, then turn it on and put the PS1 game in. It should load a menu after a while.
* Press 'R1' and a menu will pop up in the corner of your screen. Scroll down on the list to 'mc0'.
* Press X and it will bring you to your main memory card folder. Highlight the folder 'BADATA-SYSTEM' and press X. It will bring you into another menu. Scroll down till you find 'cheatonline.elf'. Highlight it and press X.
* It should load a new menu. This is the '######' program that cMf claims they made. THEY DID NOT MAKE THIS PROGRAM! IT WAS MADE BY SJEEP AS IT SHOWS IN THE TOP RIGHT CORNER!!!!
* Go to 'ARCODE' and press Circle. Press Circle again, then press Circle again. It should say *Game*. Press Circle, then turn on all the codes you want by pressing Circle. When you're done selecting your codes, press X twice and scroll up to GAME.
* Press X. Wait a couple of seconds and it will tell you to switch games. Insert your game and press CIRCLE.
* It will boot the game.
* Click Online, pick your network setting, scan through DNAS, select International, log on, PLAY!

-----------------------------------------------------------------------

25.Dumping After a Patch Using PCSX2 By Robby23

[image: http://i70.photobucket.com/albums/i102/killer7_photos/SS.gif]

Made for the Members at Socomscene

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Requirements:

1. You need to have your PS2 exploited and be able to load ps2link, which can be found here.
2. You will need Xlink Beta 1, which was downloaded at ps2dev.com.
3. The Dump Bios Tool, which is found here.
4. Pcsx2, download here.
5. A way to transfer your game save to your computer (Codebreaker).
6. Ps2 Save Builder, which you can download here.
7. An ISO making program such as Magic ISO.
8. You also need an elf launching program. I will be using LaunchElf, which can also be found here.
9. I've heard from multiple people that this tut does not work with slim PS2s. So if this tut doesn't work with your PS2, please post up your version of PS2. This worked on my v1 PS2 with the model no. of SCPH-30001. If you don't know how to find out your version of PS2, refer to here.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Step 1: First, you need to establish a LAN connection with your computer and PS2. If you don't know how to do that, you can refer to here. Now download ps2link and put all those files in a folder titled "PS2LINK". Transfer that folder onto the root of your memory card. Load up ps2link.elf. Once that is all done, open Xlink Beta. When it asks for your PS2 IP info, just fill out what is needed. If you connected your PS2 and computer up correctly, it should say that you're online at the top.

Step 2: Put the dumpbios.elf on your desktop. Press Run in Xlink and select Dumpbios.elf. It should now dump your PS2's BIOS onto your desktop since it dumps to host0:. When it's done dumping, it should look something like this:

[image: http://img200.imageshack.us/img200/7973/dumpedbios6ia.png]

Step 3: Put your BIOS into the pcsx2 bios folder.

Step 4: Now that that is done, you will need to transfer your game save to your computer. I used Codebreaker to transfer my game save with the patch information onto my flash drive and then I put that on my computer. When I was all done I was left with a file titled "SOCOM3_Update.cbs".
Step 5: Open up your game save in Ps2 Save Builder and it should look something like this: [qimg]http://img425.imageshack.us/img425/5625/savebuild1mn.png[/qimg] Step 6: Create a folder with the same name as the ROOT/ID of your game save. The folder I made is called, "BASCUS-97474SOCOM3P." Extract all the files in that game save into the folder you just made. Step 7: Now open up an ISO making program. I used Magic ISO. Put the folder you just made in that ISO file and save it. Step 8: Open up pcsx2 and go to Config>Configure. Set your plugins directory and your bios directory where your ps2's bios is located. For your Cdvdrom choose Linuzappz Iso plugin. Press configure under that and select the iso you just made. Once your done press OK and go back to pcsx2. If your new to pcsx2 take the time in setting all the controller settings and formatin your memory card. Step 9: Press Config> CPU and put it on Interpreter. Then press File>Open Elf File and select your elf launching program that you downloaded. I used LaunchElf. Step 10: Now in LaunchElf you want to be in FileBrowser and copy the folder from your disc to the root of your memory card. Step 11: Once that is done press ESC and go back to Config>Configure. Select any regular Cdvdrom plugin. I used P.E.Op.S CDVD Driver. Put in the game that you want to dump in your dvd drive. Press File>Run Cd and let it run for a while. I usually let it go to the main menu of the disc. Step 12: When it is done loading up to a point you desire press ESC and go to Debug>Memory Dump. Press Raw Dump at the to right. Make the start address 00000000 and the end address whatever you want (01000000 = 16MB and 02000000 = 32MB). Your Done!! :D Note: The only reason I transfered my game save through LaunchElf was becuase I couldnt find a working Usb plugin for pcsx2. If you want search for usb plugins and you can then transfer your game saves through codebreaker if you load a codebreaker.elf or the codebreaker cd in pcsx2. 
----------------------------------------------------------------------- 26. Cheating Online Socom II *************** PATCHED *************** (Will be updated sometime in the near future.) ------------------------------------------------------------------------- 27.Porting NTSC to PAL In this tutorial i will show you how to take a code from ntsc and port it to pal. Now this method can be used to port pal to ntsc or socom 1 to socom 2 by easily just useing the scus of the games u want to port between. First things first open the scus/slus files for the 2 games your going to port between, Im doing ntsc to pal so i will have both of there scus files open in ps2dis. Now from the region u want to port from get the code you want to port and jump to that address, Im going to port Run With Turret: Handgun 205c4b58 10000004 So i jump to that address in the scus it was made in. So Ntsc Run with turet handgun looks like this in ps2dis [qimg]http://img.photobucket.com/albums/v195/duckhunt1987/tuts/ntscscus.jpg[/qimg] Now i go to my Pal scus which is opend And i Go to Edit>find Pattern or Ctrl+F [qimg]http://img.photobucket.com/albums/v195/duckhunt1987/tuts/findasstring.jpg[/qimg] Now what we do is check the option "AS Hex String" now take a look at the ntsc scus the uper part Which looks like this [qimg]http://img.photobucket.com/albums/v195/duckhunt1987/tuts/e51a81ac.jpg[/qimg] Now this is all the data for every address wthin a givin ammount of lines, Now notice the High lighted number "2d" |
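The pattern-matching port described above, as an added Python example that is not part of the original tutorial: it decodes a raw code, takes the bytes at its address in the source image, and searches the other region's image for a unique match, the way Find Pattern "As Hex String" does by hand. It assumes both images are flat memory dumps that start at address 0 (like the raw dump from section 25), so a code address is a direct offset into the image; NTSC_IMAGE and PAL_IMAGE are constructed stand-ins, not real game data.

```python
import random
import re

# Raw code format used on the page: 'AAAAAAAA VVVVVVVV'. The top nibble of the
# first word is the code type (2 = 32-bit write) and its low 28 bits are the
# EE address the value is written to.
ADDRESS_MASK = 0x0FFFFFFF

def parse_code(code):
    """Split a raw code into (type nibble, address, value)."""
    m = re.fullmatch(r"([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})", code.strip())
    if m is None:
        raise ValueError(f"not a raw code: {code!r}")
    word, value = int(m.group(1), 16), int(m.group(2), 16)
    return word >> 28, word & ADDRESS_MASK, value

def find_pattern(image, pattern):
    """Every offset where `pattern` occurs in `image` (Find Pattern 'As Hex String')."""
    hits, pos = [], image.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = image.find(pattern, pos + 1)
    return hits

def port_code(code, src_image, dst_image, context=16):
    """Re-anchor a code from one region's image to the other's.

    The `context` bytes at the source address become the search pattern; the
    port only succeeds when they match exactly one place in the destination."""
    ctype, addr, value = parse_code(code)
    pattern = src_image[addr:addr + context]
    if len(pattern) < context:
        raise ValueError("address lies outside the source image")
    hits = find_pattern(dst_image, pattern)
    if len(hits) != 1:
        # Zero or several hits: pattern too short or data differs, compare by hand.
        raise LookupError(f"{len(hits)} matches; widen `context` or inspect manually")
    return f"{(ctype << 28) | hits[0]:08x} {value:08x}"

# Constructed stand-ins for the two region executables (not real game data):
# the 'PAL' image is the 'NTSC' image shifted by 0x40 bytes, so every address
# in it is 0x40 higher. Assumed layout: a memory dump starting at address 0.
_rng = random.Random(7)
NTSC_IMAGE = bytes(_rng.getrandbits(8) for _ in range(0x4000))
PAL_IMAGE = bytes(0x40) + NTSC_IMAGE

if __name__ == "__main__":
    print(port_code("20001b58 10000004", NTSC_IMAGE, PAL_IMAGE))  # 20001b98 10000004
```

With a real pair of dumps the same call takes the NTSC code as written on the page; if it raises LookupError, widen `context` until the pattern is unique, which is exactly the manual step of picking enough hex bytes for Find Pattern.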