Ok, this tutorial will show you how to joker a code via buttons.
To start it off, load your dump, then jump to where you want to write the routine.
We are going to joker a simple code; I'm going to use instant respawn, where 10000010 (modded) is the value when the code is on and 1c800005 (original) is the value when it's off.
The controller address is 09b65d54, and we are going to joker it with L+up, so the value of the controller address will be 0110, because L is 100 and up is 10, so when you add them it = 0110.
Next, add the following commands:
lui t0, $088b
lui t1, $09b6
lw t2, $5d54(t1)
ori t3, zero, $0110
bne t2, t3, $08cf0f10
It should look like:
What all of those did: the first lui loaded the first part of instant respawn, then the second lui loaded the first part of the controller address, while the lw loaded what's in the controller address. The ori loaded 0110, then the bne made it branch to the jr ra if the controller address is not 0110, and 0110 translates to L+up. We don't know where the beq will be just yet, so we will have to change the bne later on.
Skip a line, then add
lw t4, $ead0(t0)
lui t5, $1000
ori t5, t5, $0010
bne t5, t4, $08cf0f10
It should look like:
The lw loaded what's in the respawn address, then the lui and ori loaded 10000010 into t5, and then it branched if they aren't equal to what will later be our function that stores it. We don't know what that address will be yet, so again we will edit it later.
Next, skip a line and add the following commands
lui t6, $1c80
ori t6, t6, $0005
sw t6, $ead0(t0)
beq zero, zero, $08cf0f10
It should look like:
What it all did: the first two lines loaded 1c800005 into t6, then the third line, sw t6, $ead0(t0), stored it into instant respawn's address. Then the beq will jump to the jr ra (later on); since we have no idea where the jr ra will be yet, once again we will edit it later.
Next, skip a line then add:
sw t5, $ead0(t0)
Skip another line, then add a jr ra.
It should look like:
What it did: the sw stored what we loaded before, 10000010, to the instant respawn address, and the jr ra ends the function.
Next, on to the edits. First off, change the first bne to
bne t2, t3, $08cf0f48
The second bne to:
bne t5, t4, $08cf0f50
The beq to:
beq zero, zero, $08cf0f58
It should look like:
Thought you were done? WRONG! But you are close. The last thing you have to do is find something that is constant, usually a jr ra. I'm going to use the vertical clipping one, so jump to 089b7dc4.
Change it to j $08cf0f10, and you are done!
Just copy, and voilà! You have your joker.
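As an added check (not part of the original tutorial), here is a tiny interpreter for just the MIPS instructions the button joker uses, run against a constructed memory map. It lets you confirm the three branch targets and see the branch delay slot in action: MIPS always executes the instruction after a bne/beq/jr before the jump happens, which is why each branch is followed by a skipped line. The return address and the memory contents are constructed; the respawn address is derived from "lui t0, $088b" plus the signed offset $ead0.

```python
from collections import defaultdict

# Added example, not from the tutorial: a minimal interpreter for the handful of
# MIPS instructions the button joker uses, run against a constructed memory map.

BASE = 0x08cf0f10             # the tutorial jumps here with "j $08cf0f10"
CTRL_ADDR = 0x09b65d54        # controller address from the tutorial
L_UP = 0x0110                 # L (0x100) + up (0x010)
ON, OFF = 0x10000010, 0x1c800005   # modded / original words from the tutorial
RETURN_ADDR = 0x08800000      # constructed: whatever ra held when the hook ran

def sext16(v):
    """Sign-extend a 16-bit load/store offset (the 'borrow' the tutorial describes)."""
    v &= 0xffff
    return v - 0x10000 if v & 0x8000 else v

# Respawn address implied by "lui t0, $088b" and "$ead0(t0)": 0x088b0000 - 0x1530
RESPAWN_ADDR = (0x088b0000 + sext16(0xead0)) & 0xffffffff

# The routine exactly as typed in ps2dis, one tuple per word; skipped lines are nops.
ROUTINE = [
    ("lui", "t0", 0x088b),                 # 08cf0f10
    ("lui", "t1", 0x09b6),                 # 08cf0f14
    ("lw",  "t2", 0x5d54, "t1"),           # 08cf0f18  t2 = buttons held
    ("ori", "t3", "zero", 0x0110),         # 08cf0f1c  t3 = L+up
    ("bne", "t2", "t3", 0x08cf0f48),       # 08cf0f20  wrong buttons -> leave
    ("nop",),                              # 08cf0f24  delay slot
    ("lw",  "t4", 0xead0, "t0"),           # 08cf0f28  t4 = current respawn word
    ("lui", "t5", 0x1000),                 # 08cf0f2c
    ("ori", "t5", "t5", 0x0010),           # 08cf0f30  t5 = ON
    ("bne", "t5", "t4", 0x08cf0f50),       # 08cf0f34  not on yet -> turn on
    ("nop",),                              # 08cf0f38  delay slot
    ("lui", "t6", 0x1c80),                 # 08cf0f3c
    ("ori", "t6", "t6", 0x0005),           # 08cf0f40  t6 = OFF
    ("sw",  "t6", 0xead0, "t0"),           # 08cf0f44  restore original
    ("beq", "zero", "zero", 0x08cf0f58),   # 08cf0f48  always -> jr ra
    ("nop",),                              # 08cf0f4c  delay slot
    ("sw",  "t5", 0xead0, "t0"),           # 08cf0f50  write ON
    ("nop",),                              # 08cf0f54
    ("jr",  "ra"),                         # 08cf0f58
]

def run(mem, max_steps=64):
    """Execute ROUTINE once against mem (dict address -> word) until jr ra returns."""
    regs = defaultdict(int)               # "zero" is never written, so it stays 0
    regs["ra"] = RETURN_ADDR
    pc, delayed = BASE, None
    for _ in range(max_steps):
        idx = (pc - BASE) // 4
        ins = ROUTINE[idx] if 0 <= idx < len(ROUTINE) else ("nop",)  # padding is nops
        op, target = ins[0], None
        if op == "lui":
            regs[ins[1]] = (ins[2] << 16) & 0xffffffff
        elif op == "ori":
            regs[ins[1]] = regs[ins[2]] | ins[3]
        elif op == "lw":
            regs[ins[1]] = mem.get((regs[ins[3]] + sext16(ins[2])) & 0xffffffff, 0)
        elif op == "sw":
            mem[(regs[ins[3]] + sext16(ins[2])) & 0xffffffff] = regs[ins[1]]
        elif op == "bne" and regs[ins[1]] != regs[ins[2]]:
            target = ins[3]
        elif op == "beq" and regs[ins[1]] == regs[ins[2]]:
            target = ins[3]
        elif op == "jr":
            target = regs[ins[1]]
        # Delay slot: the instruction after a branch has just run, so now take the jump.
        if delayed is not None:
            pc, delayed = delayed, None
            if pc == regs["ra"]:
                return mem
        else:
            pc += 4
        if target is not None:
            delayed = target
    raise RuntimeError("routine did not return")

def press(mem, buttons):
    """Simulate one run of the hook with the given button word; return the respawn word after."""
    mem[CTRL_ADDR] = buttons
    run(mem)
    return mem[RESPAWN_ADDR]

if __name__ == "__main__":
    mem = {CTRL_ADDR: 0, RESPAWN_ADDR: OFF}   # constructed memory: code starts off
    print(hex(press(mem, L_UP)))     # first L+up turns it on
    print(hex(press(mem, L_UP)))     # second L+up turns it off again
    print(hex(press(mem, 0x0100)))   # L alone leaves it unchanged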
Part 2: Start menu
If you've ever wanted to joker a code from the start menu, you've come to the right place! Who better to teach you than the great Silo, right? Nah, I'm just kidding, let's get started! But before we do, I want you to know that if you are just beginning with code hacking, I advise you to stay away from this topic until you're more advanced. I have tried to make it as easy as possible, but you will be confused; still, if you think you can do it, by all means go on.
What you'll need:
2. A Socom FTB2 Memory Dump
3. The newest Socom FTB2 Patch
4. General knowledge of MIPS
Now, I will be showing you how to do vertical clipping on/off from the start menu. We'll also be using the compass hook, so if you have something in your start menu that uses the compass hook, please remove it before you test your code.
Definition of hook: a hook is like a trigger. In this tutorial we'll be using a non-constant hook, which basically means it's only called when we do something in the game such as pressing "Compass." A constant hook is called over and over repeatedly, which isn't good for joker codes unless you use a button command, which is done in tutorial #2.
Now that you understand what a hook is, we shall begin our tutorial.
1. First things first, go ahead and open your Socom FTB2 memory dump in ps2dis: click the File tab, click Open, then find your memory dump and double-click it. Make sure that the top box is 00000000 and the bottom box is 08800000. (They both start by default as 00000000.)
2. Now you need to invoke the analyzer. You can do this by clicking the "Analyzer" tab and then clicking "Invoke analyzer".
3. Wait until it's about halfway done, then you can go ahead and end it; you don't need to wait until the full thing invokes.
====== Now that that's done, we can go ahead and start working on our code! ======
4. We need to look for a label that deals with turning the compass on and off. So, let's open our list of labels; you can do this by pressing Ctrl+G or by clicking the "Edit" tab and clicking "Jump to labeled." You should have this now:
5. And now we have to find something related to using the compass, so let's scroll through and look. "Compass: On" (or Off will do too) is what we're looking for. Since it's quicker than scrolling, jump to the label "Compass: Off" WITH THE QUOTES, otherwise it will not work! This is what you should have:
Now, double click this label and you should come to this:
Now, press space and then F3 and you should come to this:
Now, this may be very confusing to you at this point, and I'm not going to explain what everything does, but I will explain a few things.
Scroll up to this address: 089825f4 (which is 201825f4 in game). This is the start of the compass on/off function; if you jr ra this you will either freeze when you press Compass or it won't do anything at all (most likely nothing at all). If you're confused, here's a picture of where we are.
Note: Yours will not have the comment to the side, that was just to show you where the start of the function is.
Now, scroll down to the address 08982610 (which is 20182610 in game); this is our hook's address. As you can see it's a jal. Instead of jumping to the function it's supposed to, let's make it jump to our own function. Now comes the fun part, ACTUALLY MAKING OUR CODE!
To begin, go ahead and open notepad so we can copy our code in line by line. In order for this code to work, we have to jump somewhere in the memory where nothing is going on. The easiest place to do this is at 08cf0400, now, a lot of the subs I write go at 08cf0400 and I always use the compass hook. As you get more into MIPS you will be able to find your own hook (zooming, firing, reloading etc.) and you will write your sub where you KNOW you can. For now, we will do as I always do for my test subs. Go ahead and press ENTER on the hook's address and you should see this pop up:
You see the command box on the very bottom? We're going to change this up a little bit. Currently, it says "jal $0899d410", we don't want it to jump there, we want it to jump to 08cf0400, so, go ahead and change that to "jal $08cf0400" and you will see the numbers change. Go ahead and press enter and you'll see this:
If you don't see this you did something wrong and you should go ahead and reread the tutorial to see where your mistake was.
If you do see that, press Right on our new jal and it should take you right to 08cf0400, which should be a big area of nothing but nops. Now it's time for us to write our code!
------ Quick Note ------
This is something that you have to work at to understand, it is very basic but most of you are still very new to the code making world. This is in fact a subroutine, you're implementing your own function in the game. Now, don't run around bragging all day and all night because you did this successfully. That would be too annoying, but if you do this correctly with a different code, congratulations.
Time to start, the first thing we want to do is find vertical clipping, which is:
It's better to nop what calls this address than to jr ra the top line and then store zero at the bottom; it's also quicker. So basically we'll jump to 08a57fac and press Space + F3... I already did this for you to speed things up. This is what we get: 089e81ec
Now, if you're not at 08cf0400 go there now and press enter on that address. A command box will pop up just like the jal earlier. In the command box go ahead and enter the following, "lui t0, $089f" and press enter. It will now say "lui t0, $089f" (FNC__089f0000)
The next line, 08cf0404, is where we will be writing our next command, which is an lw, which stands for load word. Press enter on this address and enter this into the command area of the box: "lw t1, $81ec(t0)"
The first command we entered is an lui which stands for load upper immediate. Description: The immediate value is shifted left 16 bits and stored in the register. The lower 16 bits are zeroes. So it means the register t0 is now 089f0000. The data on the address 08cf0400 is 3c08089f, the first four characters are just based on the command and the register, if we had said, "lui t9, $089f" the data would be "3c19089f" rather than "3c08089f" so don't worry about the first four characters. Now, we see that the lower 16 bits are 089f, so that is shifted LEFT 16 bits... Or four spaces. So now we have 089f0000 since the command says the lower 16 bits (or last four characters) are zeroes.
Hopefully that didn't confuse you too much. Now, the next command we entered is lw which, again, stands for load word. Description: A word is loaded into a register from the specified address. What that's basically saying is load the data at the specified address into a register. Since we entered "lw t1, $81ec(t0)" it will load the data from the address 089e81ec, which is the vertical clipping jal (which, if nop'ed, = vertical clipping). You're probably confused as to why it's not 089f81ec since that's what's in t0. Well, we are loading with a negative offset, so we must subtract one from the upper part; it's just like subtraction, you borrow. So it becomes 089e81ec that we're loading from. So now we have the data loaded from the vertical clipping jal into register t1.
If that confuses you, I'm sorry because I can't think of any other way to explain it to you. You must learn to use EE Emulator for help, but that is not for this tutorial. I will explain it at a later time.
Hopefully you're not confused, and if you are continue going and then reread this tutorial over and over. Now, this is what you should currently have:
Now, the lw is going to load the following data the first time we use the hook to run our routine: 0e295feb. Now we have to implement a command that says "If the data at the vertical clipping jal does NOT = 0e295feb then jump to [address], otherwise keep going."
So, in order to do this we have to use the command "BNE", which stands for "Branch if not equal." It's referring to two registers: branch if register ? is not equal to register ? [where ? = whatever register]. So, on the address 08cf0408 we need to write the command "bne t1, zero, $08cf0424". I did the work for you: I wrote the function out ahead of time and found just the right place to jump to. So now we have our comparison. Why bne t1, zero? If you remember, our lw command at 08cf0404 says "Load data into t1." The bne checks if the register t1 is not equal to zero.
LW = Load Word. Description: A word is loaded into a register from the specified address.
So, this now means that the first time our subroutine runs, i.e. the first time we click the compass command, it will load the data 0e295feb into register t1 and then run the next command, the bne, which checks whether t1 = zero (since our command was bne t1, zero); since it's not, it will jump to 08cf0424. It skips everything else and runs the commands starting at 08cf0424. Let's go ahead and make this simple: at 08cf0424 we are going to enter the following command in the command box (remember, press enter to access the command box): "sw zero, $81ec(t0)". You should have an idea of what this will do; if not, don't worry, I'll explain it now... The command sw will store whatever is in a certain register into the data at an address. So, it's saying store 0 (ZERO, 00000000) at 81ec based on the register t0. Meaning, store a nop at vertical clipping's jal. We never changed t0, so we still have 089f0000 stored in t0.
SW = Store Word. Description: The contents of register (?) is stored at the specified address.
Now skip a line and open the command box (on address 08cf042c) and enter "jr ra" into the command line. Congratulations, you have just made your first ON code, now to make it have the ability to turn off and on. Here's a picture of what you should have so far:
Now move up to the address 08cf0410; we skip a line after the bne because there is a one-line delay with ps2dis. So now, at 08cf0410, enter the command "lui t2, $0e29". We use t2 because we don't want to interfere with what's in t0 and we don't want to risk playing with t1, though you could, since the registers are temporary anyway. So now t2 = "0e290000", as you should know already. The next command we use, on the line 08cf0414, is an ori. So go ahead and open the command box and enter "ori t2, t2, $5feb", which will now make t2 = 0e295feb, which is the original data for vertical clipping's jal. Let me post a description now.
ORI = Or Immediate. Description: Bitwise ors a register and an immediate value and stores the result in a register.
This basically just loads the immediate value into the lower 16 bits without affecting the upper 16 bits.
So, again, t2 now = 0e295feb which is vertical clipping's original jal data. The next command we shall write is another SW. You should know how this works but I will show you what to enter in the command box. Press enter and enter the following, "sw t2, $81ec(t0)" which will take 0e295feb and store it at vertical clipping's jal and we will now have the original jal and vertical clipping will be on once again. You're almost done. The next and final command we shall write is on the address 08cf041c and that is a beq. Press enter and enter this command "beq zero, zero, $08cf042c" and that is just saying branch to 08cf042c if the register zero is equal to zero. The register zero is ALWAYS = to zero so it WILL branch to 08cf042c.
Beq = Branch if equal. Description: Branches if the two registers are equal
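To tie the descriptions above together, here is an added example (not from the tutorial) that encodes the whole start-menu subroutine into the 32-bit words ps2dis displays, which is where the 3c08089f / 3c19089f digits come from, computes the sign-extended lw/sw address (089f0000 + 81ec = 089e81ec), and decodes the jal at 089e81ec back to 08a57fac. The one assumption is that branch targets typed into ps2dis are absolute addresses, which the encoder turns into the word offsets the CPU actually stores.

```python
# Added example, not from the tutorial: encode the compass-hook routine into
# words, compute lw/sw effective addresses, and decode/encode jal targets.

REG_NAMES = ["zero", "at", "v0", "v1", "a0", "a1", "a2", "a3",
             "t0", "t1", "t2", "t3", "t4", "t5", "t6", "t7",
             "s0", "s1", "s2", "s3", "s4", "s5", "s6", "s7",
             "t8", "t9", "k0", "k1", "gp", "sp", "fp", "ra"]
REG = {name: i for i, name in enumerate(REG_NAMES)}
OPCODE = {"beq": 0x04, "bne": 0x05, "ori": 0x0d, "lui": 0x0f, "lw": 0x23, "sw": 0x2b}
NOP = 0x00000000

def itype(op, rs, rt, imm):
    """I-type layout: opcode(6) rs(5) rt(5) imm(16); the first hex digits come from these."""
    return (OPCODE[op] << 26) | (REG[rs] << 21) | (REG[rt] << 16) | (imm & 0xffff)

def lui(rt, imm):      return itype("lui", "zero", rt, imm)
def ori(rt, rs, imm):  return itype("ori", rs, rt, imm)
def lw(rt, off, base): return itype("lw", base, rt, off)
def sw(rt, off, base): return itype("sw", base, rt, off)

def branch(op, rs, rt, pc, target):
    """beq/bne store a signed word offset relative to the delay slot (pc + 4), not an address."""
    return itype(op, rs, rt, (target - (pc + 4)) >> 2)

def jr(rs):
    return (REG[rs] << 21) | 0x08                          # SPECIAL opcode 0, funct 8

def jal(target):
    return (0x03 << 26) | ((target >> 2) & 0x03ffffff)    # J-type: 26-bit word index

def decode_jal_target(pc, word):
    """Reverse of jal(): shift the 26-bit field left 2 and keep the top 4 bits of pc."""
    assert word >> 26 == 0x03, "not a jal"
    return (pc & 0xf0000000) | ((word & 0x03ffffff) << 2)

def sext16(v):
    v &= 0xffff
    return v - 0x10000 if v & 0x8000 else v

def effective_address(base_value, off):
    """lw/sw address: offsets >= 0x8000 are negative, hence 089f0000 + 81ec = 089e81ec."""
    return (base_value + sext16(off)) & 0xffffffff

def assemble_start_menu_joker(origin=0x08cf0400):
    """Return {address: word} for the tutorial's compass-hook routine."""
    pc = [origin + 4 * i for i in range(12)]
    words = [
        lui("t0", 0x089f),                                 # t0 = 089f0000
        lw("t1", 0x81ec, "t0"),                            # t1 = word at 089e81ec
        branch("bne", "t1", "zero", pc[2], 0x08cf0424),    # jal still there? -> go nop it
        NOP,                                               # delay slot
        lui("t2", 0x0e29),
        ori("t2", "t2", 0x5feb),                           # t2 = 0e295feb (original jal)
        sw("t2", 0x81ec, "t0"),                            # restore it
        branch("beq", "zero", "zero", pc[7], 0x08cf042c),  # always -> jr ra
        NOP,                                               # delay slot
        sw("zero", 0x81ec, "t0"),                          # 08cf0424: nop the jal
        NOP,
        jr("ra"),                                          # 08cf042c
    ]
    return dict(zip(pc, words))

if __name__ == "__main__":
    for addr, word in assemble_start_menu_joker().items():
        print(f"{addr:08x} {word:08x}")
    print(f"hook word: {jal(0x08cf0400):08x}")   # what "jal $08cf0400" at 08982610 encodes to
```

Compare the printed words with the data column in ps2dis after you have entered each line; a mismatch usually means a typo in a register name or an offset.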
Congratulations! You have just finished the tutorial on how to joker a code in the start menu. It's the same thing for every code; you just have to implement different checks. When you get advanced enough you can say "Load Flash's data and if it's greater than 5 then jump and store 10 to its data, otherwise don't", or something to that effect. There are so many things you can do with this; it just takes practice.
Here's what your final outcome should look like, I went ahead and put a note on each address that described what each did. It's not a big description but you get the idea if you missed something.
Also, don't let this tutorial get you feeling like it's extremely hard, it seems like it now but I can write one of these in about 10 seconds flat. Once you get the hang of it you'll be spitting jokers out like crazy. Also, be looking forward to another tutorial on how to do this with button commands and eventually more tutorials on other things.
Please tell me what you think! Constructive criticism is more than welcome.
Thanks to Andrew for looking it over for me constantly, great help.
All credit for this tutorial goes to IM-3LITE of consolediscussions.