Everything you need to know
SneakyCodes Gaming Forum
Welcome to SneakyCodes. Contrary to what some may want you to think, SneakyWorld.forumotion is IN NO WAY affiliated with SneakyCodez. Anyone who tries to tell you different, is a lying piece of shit.

SneakyCodes is in the process of an entire site reboot, with no sections, topics, forums, and users. Feel free to sign up, and check back regularly for updates.

Thank you,
SwoRNLeaDejZ


SneakyCodes Gaming Forum

The Evolution Begins...
 
HomePortalRegisterLog inSneakyCodes RSS Feed
Everyone go to SneakyWorld! Link on the home page!
Sneaky Generators

Sneaky Image Editor
The Walking Dead Game

All Generators By SwoRNLeaDejZ


FTB3 Room Generator
FTB3 Name Generator
FTB2 Tag Generator
FTB2 Name Generator
FTB2 Room Generator


Donate to SneakyCodes Today!
Affiliates
Please Join and Visit the SneakyCodes Affiliates




We Love A-G!!!!

Join TheUnseenCoders.com Today!!


Free Forumotion Designs


kHaoZ is a frickin beast :)

Tech Support Guy
Latest topics
» Deepest regards to the Sneaky Community
Tue Oct 28, 2014 5:42 am by _-_EVIL-LOCO_-_

» damn sneaky, RiP. It was fun
Sat Oct 11, 2014 1:25 am by Sylen7Nato

» Just Another Blonde Joke xD FUNNY AS FAWK
Mon Mar 03, 2014 5:37 pm by Rossy Redness

» Hey it's Skinny107
Tue Dec 03, 2013 8:24 pm by o5Gz

» ps3 hacking!
Mon Jun 10, 2013 9:42 pm by Sylen7Nato

» PSP ISO List
Mon Jun 10, 2013 9:28 pm by Sylen7Nato

» tiger render
Fri May 10, 2013 3:11 pm by mk7

» SWORN.
Sun Dec 09, 2012 6:25 am by EverEffects

» homefront redeem code
Fri Nov 30, 2012 1:32 am by EverEffects

» Calling Sworn
Tue Nov 20, 2012 4:34 pm by EverEffects

» Thought Id Stop By And Say Hi
Thu Nov 15, 2012 3:40 am by HappySnacks69

» An Introduction
Tue Nov 13, 2012 2:33 am by Ace700

Views
Powered by web analytics software.
Statistics
We have 4719 registered users
The newest registered user is CraftPR

Our users have posted a total of 13085 messages in 2891 subjects
Who is online?
In total there is 1 user online :: 0 Registered, 0 Hidden and 1 Guest

None

Most users ever online was 59 on Sat Dec 03, 2011 5:04 pm
Facebook Stream
Top posters
SwoRNLeaDejZ
 
blckhwksfan
 
-Ch33zy-
 
EverEffects
 
l7annylvlex
 
+Elegance
 
Whiteyy
 
JZydex
 
PumaSnIpejZ
 
kHaoZ
 






Share | 
 

 Everything you need to know

View previous topic View next topic Go down 
AuthorMessage
+Elegance
Super 1337
Super 1337
avatar

Posts : 638
1337ness : 34
Join date : 2010-09-17
Age : 21
Location : Houston

PostSubject: Everything you need to know   Tue Oct 05, 2010 9:18 pm


Credit-iUnReaL-TaLenT

ADVANCED HACKING (Talking about hooks.)


Hooks-Calls (Jumps) to a certain address. The reason we need a hook
is because, when you use a routine, your in a NOP's area. NOP
area isn't in the games CPU, which means it isn't called upon
to be executed by the game.
The hook is what makes the game read it. Without it
you just have a routine that isn't even read by the game.


HOOK EFFECTS
Also something else that you should know that
some codes, only rely on hooks to give effects, for ex.

A health code would have a hook that jumps to the health
function. If you used a hook that is something for like
reloading the gun, you would only have infinite health
when you reload.
Hooks are either JR RA, or JAL, commands.

JAL hooks-Are hooks you use, instead of the JAL jumping to it's
normal address, it will jump to your routine's address instead.

JR RA hooks-Instead of ending the function, it starts a new function
which is your routine.


Off codes with Hooks,

To make an off code when you make a routine,

Just take the JAL's orginal address it jumps to.

And with the JR RA, just make the off code with the hooks
data as JR RA.


Hook examples,


ORIGINAL HOOK

Jal, $0012d4ac


ROUTINE HOOK

Jal, $Your routines address.


JR RA HOOK,

Jr ra

ROUTINE
Jal, $Your routine.


For the off of the JAL

d04cca0c 00007FFF
2010ca2c Then the original JAL data


JR RA OFF


d04cca0c 00007FFF
2010ca2c 03e00008

JR RA data is easy to remember, JAL data varies with your address.
__________________________________________________ ________________________

. Advanced Routines

Now that you understand functions, we are going to specifically look into branches.

The example to show branches I will use how the game detects when you press a button,

If you get this idea, then you will understand branches and how they work.

Beq-Branches when two registers are equal.

Bne-Branches when two registers are not equal.

Now I will create the routine to load you pressing the X button.


Lui t0, $00dc
Lhu t0, $4cb3(t0)
Ori t1, zero, $7FFF
beq t1, t0, $ Branch to blue
addiu s0, v0, $005f
bne t1, t0, $Branch to the jr ra.
jr ra.




Lui t0, $00dc<--Loads the first four digits of the controller address into t0.


Lhu t0, $4cb3(t0)<--Loads only the first four digits of the controllers address data, into t0.


Ori t1, zero, $7FFF<--Loads the X button value into t1.

beq t1, t0, $ Branch to blue <--When t1, and t0, are equal branch to increment,

which is saying when you press the X button then increment, when X is loaded from the controller

address. This address has all the button values.

addiu s0, v0, $005f <--This is just something you can do when you press X. This

loads current value into v0, then add 005f into it then store the result into s0.

bne t1, t0, $Branch to the jr ra.<--When t1, and t0, are not equal branch to the jr ra.

Which means when your NOT pressing X end the routine

jr ra.<--This just ends the routine.



Now after reading this, it should help you a little bit with functions. And branching in functions.

Thank you for reading hope this helped you guys out there.


Credit:Th3Jok3r (Unknown)
-------------=-=-==-=============-=-=-=============-=-=--=-=-=--=-=-=-

ROUTINES


Branches are common in routines. They check the result of something.
They check if your out of ammo. Out of health ETC. If a value is
equal or not equal to something they would use a branch to check.
Addiu increments and that means it adds to a register. SW stores
the result into a register. LW loads a address and data, and you
need a lui also. Jr ra exits the loop so it doesn't keep reading
the routine over and over.


OK, to make like a coordinate loader the correct way you are going to
read this. OK, for EXAMPLE, out of my head I'm going to use
005c12ac as our hook. And 006cda2c as our player coordinate,
and 000f1c00 as our routine address.


Read this carefully. Floats- Something that controls something like color
and numbers are sometimes used as floats. They also control how big
or small something is.

Routine- Small function to cary out something.

MIPS- Language we will be using to make tbis code.

LUI- Loads first four digits of something into a register.
NOTE: Also used as floats.

LW- Loads last four digits into a register and the data of the address.
EX, if you had a LUI on the line above it, then LW at the bottom.

lui t1, $000c
LW t5, $1234(t1)

Now those TWO lines load address 000c1234. Also the LW loads the data.
Of that address So T1 is NOW equal to that. And t5 holds our address.
So if address 000c1234 had data 12344321 as the data then T1
is NOW equal to 12344321 data wise.

Addiu- Adds values into a register. *Also used to increment.*

Beq&&Bne- Beq branches when equal, Bne branches when NOT equal.

Lwc1&&Swc1&&add.s- Lwc1 loads offset as a float value, Swc1 stores the
offset, add.s adds the floats and stores them into a register.

Nop- NO OPERATION Basically disables something.

Jr ra- Jump to return address used for exiting functions and routines.
__________________________________________________ ____________________


OK, here is our routine commands,

lui t0, $006c
lw t1, $da2c(t0)
lwc1 $f0, $0002(a0)
swc1 $f0, $0002(a0)
lwc1 $f1, $0004(a1)
swc1 $f1, $0004(a1)
beq t1, zero, $ (SEND TO RED)
nop
add.s $f3, $f1, $f0
swc1 $f3, $da2c(t1)
nop
addiu t9, t9, $0004
bne t1, t3, (SEND TO GOLD)
sw t9, $da2c(t1)
nop
j $ (SEND TO gold)
nop
nop
Jr ra


OK, thats how you would add coordinates saying as 0004 is equal to
the terrists coordinates then you would teleport to them.
Now the a0 and a1 registers are just arguement registers, usually
used into floats.


lui t0, $006c<-- Loads first four digits of player coordinates into t0.

lw t1, $da2c(t0)<-- Loads last four digits and the data. t1= 006cda2c. t0= Whatever data the example address holds.

lwc1 $f0, $0002(a0)<-- Loads $0002 into $f0.

swc1 $f0, $0002(a0)<-- Stores $0002 into $f0.

lwc1 $f1, $0004(a1)<-- Loads $0004 into $f1.

swc1 $f1, $0004(a1)<-- Stores $0004 into $f1.
NOTE: The a0-a1 argue the data, therefor determining if this is equal to this or this or if this isn't equal to this or this.

beq t1, zero, $ (SEND TO RED) <-- When t1 equals zero, increment the routine, In other words when the address is NOT being loaded increment the routine to load it.

nop<-- Skip line.

add.s $f0, $f1, $f3<-- Adds $f0, and $f1 and stores the result into $f3.

swc1 $f3, $da2c(t1)<-- Store the result of $f0 and $f1's sum into t1, thus changing the coordinates.

nop<-- Skip line.

addiu t3, t1, $0004 <-- Increments the routine. Adding $0004 the coordinate into t3 that increments the routine.

bne t1, t0, (SEND TO GOLD) <-- When t1 is NOT equal to t0 end the routine. Otherwords when the player coordinates are NOT incremented end the routine.

sw t3, $da2c(t1)<-- Stores modded value of increment rate into t1, our coordinates address.

nop<-- Skip line.

j $ (SEND TO GOLD) <-- Jump to JR RA since there is no other line to load, we already have our branches to it so this line will JUMP to it.

nop<-- Skip line.

Jr ra <-- Jump to return address, other words leaves the routine.


Here is what the code will look like when done,

205c12ac 000f1c00
200f1c00 3c08006c
200f1c04 8d09da2c
200f1c08 c4800002
200f1c0c e4800002
200f1c10 c4a10004
200f1c14 e4a10004
200f1c18 11200004
200f1c1c 00000000
200f1c20 460008c0
200f1c24 e523da2c
200f1c28 00000000
200f1c2c 25080004
200f1c30 15280005
200f1c34 ad28da2c
200f1c38 00000000
200f1c3c 0803c712
200f1c40 00000000
200f1c44 00000000
200f1c48 03e00008
__________________________________________________ ____--

Hey there me again guys. Today I will be teaching you about boot codes
and what they do the history of them and how to make one. So generally
by the end of this lesson you should learn the basic idea of how to make
a boot code.
__________________________________________________ ______________________




TABLE OF CONTENTS


1. BOOTS WHAT THEY DO
_____________________

2. THE HISTORY OF "BOOTS"
_________________________

3. HOW TO MAKE ONE.
_________________________


4. LAST FEW WORDS
_________________________

__________________________________________________ _____________________
1. "BOOTS"
__________


Ok so many of you may not know what a boot is or what it does. Well a
boot is a code that disconnects or "boots" a person out of a specific
place such as the lobby or the game. They are a simple code to make if
you understand the basic idea of there job and what they do. Basically
to make one just jump to boot function and routine the addresses. If you
wish to learn more please, continue reading.
__________________________________________________ ______________________
2. History of "boots"
_____________________


Well believe it or not, boots have actually been out since SOCOM 1 all
the way to SOCOM Combined-Assault but SONY was finnally smart enough
to move on to the ps3. Most people use boots to boot unwanted players
out of the room such as glitchers, coders, etc. Or some people just
boot to piss off people for no reason. So thats basically the history
of boot codes.
__________________________________________________ ____________________



3. HOW TO MAKE ONE.
___________________

WARNING:
Ok so your now this far into understanding boots. But before you read
this you would probally want to read up on MIPs language so you dont
get lost in all the things we are going to do.
__________________________________________________ ___________________


Ok so now that you know your MIPs very well you will be able to make
a boot code. And I will take you step by step on this. Ok to make a
boot code open PS2DIS and take the game dump to make the boot for.
In this lesson I will use SOCOM Combined-Assault. First start by ivoking
the dump, (THIS MAY TAKE AWHILE!!). Then go and look around until you
find the line that controls "boot-fucntions" for example you may find
00651ac1 3c00012d, which is a example line that it could be but probally
not since its a LUI. We are mostly looking for a LI or otherwise
known as LOAD-IMMEDIATE. but for now we will use the example line. Ok
once that line is found copy and paste it into a notepad it is a important
line. Read on to PART 2 to learn more!
__________________________________________________ ________________________


PART 2.
_______


WARNING:
If you didnt get the part above then you need to read more about MIPs
because this part is the hooks and you probally wont understand none
of it.
__________________________________________________ ____________________


Ok once you have the "boot-function" line then, you will want a hook
to call it. a example of a hook could be 006adac2. Then you can choose
if the hook is direct or indirect. Direct is either using A JAL
command to jump to the boot-function line. A indirect you use the
address of the line for the data, kinda hard to explain. so example


INDIRECT HOOK WAY: 006adac2 00651ac1


DIRECT HOOK WAY: 006adac2 0c1946b0
__________________________________________________ ___________________


PART 3.
_______


Ok so when you get the hook where you want it to go you will need a
delay line to insure that the line that loads the boot function doesnt
get read at same time the line that calls the routine does. So a NOP
line would be fine. Ok then we need another hook to call the routine
usually I just use a JAL (DIRECT) Hook to call the routine. And for
the routine address I will use 000c0000. Which is a NOP area. But
we still ned to get a hook to call the routine. Example 006bda0c
was a hook, then the hook will look like,


006bda0c 0c030000
__________________________________________________ ___________________


PART 4.
_______


Now that we have the hook to the routine, we need to create our routine.
Ok first go to a NOP area. I use 000c0000. Ok then the first thing we do
is perform a LUI command. That LUI line loads the first four digits of
our boot function address into a register. So the first line will look
like this when done.

000c0000 3c080065.

The command I used for it was a lui t0, $0065. Which loads 0065 into
register t0.


Ok now, we need to load last for digits into another register. Ok so
a loading comes into mind. Usually LW which means load word. But not
this time, we just need to load last four digits. LW loads them all.
So with that being we need to use a load half word. LH. This is what
the line should look like when finished.



000c0004 85091ac1.

The command used was lh t1, $1ac1(t0). Which loads 1ac1 digits into
register t1.


Now we need to load the boot value for example if boot value was
0000000f. Then we would use a LI which means load immediate. So
we would load that value on the next line. This is what your code
should look like when done.


000c0008 240a000f.

The command used is addiu t2, zero, $000f which loads $000f into t2.


Now with that done we need to have a comparison branch. Which is
like say you got value for the X button into register t0, and value
for clicking the X button which boots room into t1.. Then you would
use a branch on the line after the X button value to when t0 holds
X is being pressed it branches to address held in t1. To do that
operation. So we need a branch to when address in t1 is used it
branches to another line. We are going to use BEQ command. Which
means branch if two registers are equal to eachother. So here is
what your line should look like when done.

000c000c 112a0017.

The command used is beq t1, t2, $000c006c. Which branches to 000c006c
which branches when t1 is equal to t2. Otherwise branches when t1 which
holds our boot address, has $000f added to it.


Now we need to add a value to another register. So we are going to add
the value one into register t3. with a addiu command. so here is what
the line should look like when done.

000c006c 256b0001.

The command for this line is addiu t3, t3, $0001 which adds 0001 into
t3.


Now we need a storing command. to store the values givin into the register
that holds our boot function. So we will use a SW storeword command to
do this. Here is what the line should look like when done.

000c0070 ad0b1ac1.

The command used for this is sw t3, $1ac1(t0). Which stores $0001
into t0 which holds our boot fucntion.


Now we need another branch but this time it is a unconditional branch
that branches when zero is equal to zero. So here is what it should like
when done

000c0074 10000003

The command for this line is beq zero, zero, $000c0084. Which branches
to 000c0084 when zero equals zero.


Almost done but we still need to load another value and store it. So
again we load 1 into another register. So we need a adding command.
Which is used in a addiu. So here is what the line should look like
when done.

000c0084 240c0001

The command used is addiu t4, zero, $0001. Which loads value 1 into
register t4.


Now we need another SW storeword command to store t4 into t1.
So this is what that line will look like when done.

000c0088 ad2c1ac1.

And the command for this line is sw t4, $1ac1(t1). Which stores
1 into t1.


Now we need to use a jr ra to leave the routine when deativated.
So here is what the last line should look like this.

000c008c 03e00008

And this line exits the routine when hook is deactivated.
__________________________________________________ __________________


So when your done this code should look like this,


206adac2 0c1946b0
2061cac1 00000000
206bda0c 0c030000

200c0000 3c080065
200c0004 85091ac1
200c0008 240a000f
200c000c 112a0017
200c006c 256b0001
200c0070 ad0b1ac1
200c0074 10000003
200c0084 240c0001
200c0088 ad2c1ac1
200c008c 03e00008
_________________

Hope this helps you guys with boot codes.
__________________________________________________ ________________________

Basic routines

Hello Unknown again Who wants to learn codes? ME!!! You damn noob .
But it's OK, I am going to teach you . What do you want to learn damnit?
Um? Idk? Zoom teleport? Yea OK, I am teaching on that . Noob open your
dump.


I am going to start at 0009ac20 <-- Routine address.


Q: Whats a routine?
A: It's a small function silly.

Q:Whats a function?
A:STFU!


OK, now we going to use a hook to give us an effect.

Q:Whats a "hook"?
A:A hook can be a jr ra, or a jal.

Q:Whats a "jr ra" or a "jal"?
A:


So for this tutorial I am going to use a JAL hook.


Q:Why do you need a hook?
A:Because the area you do a routine in is all NOP's. It's a blank
area to the CPU. You need to change that so your routine is loaded
into the game.


So here is a random JAL address that I'm going to use to hook with.
Now I'm using a SOCOM 2 dump. So that address in the dump looks like
this.


JAL address: 003e6b84 0c09ab88.


Now we need to change that data. So on that line highlighted in the
dump, The command part looks like this.


Original data: jal $0026ae20


Q:What do we do now?
A:Change the pointer it jumps to.


Now take the original data and save it as it is used for the off code.
Now change the command from
jal $0026ae20, to jal $0009ac20.
Now the code should look like this.

Hook, 003e6b84 0c026b08.

^^ Notice the ONLY thing that changed was the data.


Q:What now?
A:Time for some routine fun.


OK, now hit G and paste in 0009ac20. Hit enter. Now were going to
make a player storer. It stores the coordinates of were your planning
on teleporting to. OK, now on address 0009ac20, hit enter and on the
command section type in this.

lui t0, $000c.

So now the code should look like this.

0009ac20 3c08000c.

Q:What does that do?
Aoads $000c into register t0.

Q:Whats a register?
A:Used to hold things or store things.

Q:Why did you use $000c?
A:Because I like that address.

Q:But it's a NOP?
A:I know but we already have our hook, so we don't
need to load any addresses into our routine.


OK, now we need to rely on our MIPS. What command stores?
SH, SW, SWC1, SB, SD. Etc. OK, but we are going to use a SW.


Q:Why a SW?
A:Were not using to store floats, double words, half words,
or bytes. We want a full eight digit word.


So go under the address 0009ac20, and it's address
0009ac24. Go on the command box and paste this,


sw a0, $0000(t0)

Q:What the **** does that do?
Aumb ***** it stores a increment rate.


Why did I store $0000? Because it's storing at 000c0000.
0000=Last four digits of 000c >0000<

Q:What kinda register is a?
A:A stand's for arguement. So it's an arguement register.

Q:Whats the (t0) mean in sw a0, $0000(t0)?
A:That means that t0 now equals the data at the address 000c0000.
And it's loading the last four digits from $000c.


So that code will look like this.

0009ac24 ad040000


Go under that line then on the command box and paste this,

sw a1, $0004(t0)


^^That stores $0004 into a1. Storing at address 000c0004.


Q:Why are you using $0004?
A:Because were going to increment by $0008, so we need to store the
highest increment counting by 4. So it's $0000, $0004, $0008.


So now that code should look like this,


0009ac28 ad050004.


Now were going to store the highest increment rate.


sw a2, $0008(t0)


^^Stores $0008 into a2. Storing at address 000c0008.


Q:Why are you using $0008?
A:Because we need to store all of our increments so we don't freeze.


Now that that is done. Go to the next line and type jr ra.

So that line should look like this when done.


0009ac2c 03e00008.


^^Exits routine when turned off.


Q:What does "jr ra" stand for?
A:Jump to return address. It ends functions.

So now here is our code all together.


203e6b84 0c09ab88
2009ac20 3c08000c
2009ac24 ad040000
2009ac28 ad050004
2009ac2c ad060008
2009ac30 03e00008


Q:Why did you change the 0 to a 2?
A:Because silly all MIP instructions are run as 32byte.
The 2 changes it to 32byte. 0 is 8byte. And 1 is 16byte.
Every word and process and all that is all 32bytes.



OK, now you have the coordinates storer lets make our zoom teleport.






OK, now lets get a hook. For this tut I'm going to use 007aca48.

OK, so here is what it look like in the dump.

007aca48 0c6cab80.

The command is jal $01b2ae00.

Change that to jal $000a1000.

So the new data looks like this

007aca48 0c028400.


Now were going to use 000a1000 for our routine address.

First we going to start with a lui.

So on address

000a1000

Hit enter and paste in this on the command box.

lui t0, $000c.

Q:What does that do?
A:It loads $000c into t0.

Q:Why are you using $000c again?
A:Because were not storing it this time were loading it.


So that line now looks like this,

000a1000 3c08000c.


Now go to the next line and paste this into the command box,

lw a0, $0000(t0)


^^Loads $0000 into a0, loading address 000c0000.

Q:Why did you use $0000?
A:Because it's the last four digits of 000c0000.

So that line now looks like this,

000a1004 8d040000.


Now go to the next line and paste this into the command box,


lw a1, $0004(t0)

^^Loads $0004 into a1.

Q:Why $0004?
A:Counting by $0004 to the increment rate.

So here is what that line now looks like,

000a1008 8d050004.


Now go to the next line and paste this into the command box,

lw a2, $0008(t0)


^^Loads $0008 into a2.


Q:Why $0008?
A:Cause it's our increment rate.


So here is what that line looks line when done,

000a100c 8d060008.


Now lets load these line's as a floating point.


Q:Whats a float?
A:Used into decimals, colors, how fast or slow or big or small something
is.


Now go to the next line and paste this into the command box,


lwc1 $f0, $0000(a0)

^^Loads $0000 as a floating point. So address 000c0004 is now
change to a float.


Q:Why are you using $f0 and a0?
A:$f0 through like $f40 are floating register's. You can only
store floats into registers that are not $f0 through $f40.
I used a0, because it holds $0000 we need to count from there
to $0008 with $0004.


Now that line should look like this when done.

000a1010 c4800000.


Now go to the next line and paste this into the command box,

swc1 $f0, $0000(a2)

^^Stores $0000 into a2, a2, hold's $0008.


Q:Why use a2?
A:We want to make $0008 $0000, cause we don't want to skip anything.


OK, now go to the next line and paste in this,

lwc1 $f0, $0004(a0)

^^Loads $0004 into $f0.

Q:Why did you use $f0 again?
A:Cause were not stopping until we hit $0008.


So that line looks like this when done,

000a1018 c4800004.


Now go to the next line and paste this into the command box,

swc1 $f0, $0004(a2)

^^Stores $0004 into a2.


Q:Why are you using a0, then a2?
A:Because were adding $0000, $0004, $0008 at a time.
If you add $0008 at once it will probably freeze you.


So that code should look like this when done.

000a101c e4c00004.


Were almost done thank God,

Go to the next line and paste this into the command box,

lwc1 $f0, $0008(a0)

^^Loads $0008 into $f0.


Q:Why don't I have a question?
A:Cause this is to easy.


So that line should look like this when done.

000a1020 c4800008.


Now go to the next line and we got to store this.
So in the command box paste this into it.


swc1 $f0, $0008(a2)

^^Stores $0008 into a2.


Q:What's the $f0 for if it's storing into a2?
A:Cause you can only use those register's to load, then
it stores into a2. The $f0 it loads the $0008 from,
then it stores into a2. So now a2 equals $0008. Without
skipping $0000, or $0004.


Q:Are we done yet?
A:**** NO!

So that line looks like this when done,

000a1024 e4c00008.


Now go to the next line and paste in jr ra into the command
box, and that just turns the routine off when turned off.

So that line will look like this when done,

000a1028 03e00008.

^^Exits routine.



Hope this helps you guys with making codes and learning MIPS.


__________________________________________________ ________________________

Expert CODING

BRANCHING IN FUNCTIONS


OK, branching is just another term, of checking. To check when something is equal to something.

Or in other cases it checks when something is not equal to something, functions well they carry

out. Functions do things, functions to move the player, functions for shooting, functions for

ammunition, Basically the game is based on functions. Functions are loaded and stored at a

specific block of code...This block of code is called the stack pointer. Without the stackpointer

there woulden't be any functions, they can't be loaded into the game, or stored into the game.

Without the stack pointer.


Routines are for storing and loading functions into the stack pointer.

OK, JAL's are always used into functions, they hook to increment the stack, or jr ra, to end the function.

It's usually JAL's that are functions, but in some other cases..Addiu's, Lui's, etc, can be

used as functions. Now I'm going to show you a routine to store at the stack pointer.


Stack Storer

JAL $To the addiu of the stack, Another thing if you noticed most of the lines the JAL's jump

to are addiu's, usually..addiu sp, sp, $? The $? is the offset of the stack to add to,

or increment.

After the JAL you will find more addiu's to add to offsets, normaly loaded by LUI's. This will

increment your values to get stored into the stack pointer. This gets the storing ready.

Then you will find a couple more JAL's, to other functions.

Then you got the branches, they will check if the values are loaded or not. When there not

loaded, the branches will more then likely branch off to incrementing lines to get the values.

Once everything is loaded and ready for storing you will get storing commands like SW, SH,

or if it's using floats you'll find SWC1.

After the values are stored, then you will get the registers restored with the command lq.

This means that every register used with the stack gets reseted. Which allows the next

function to take place.

Then after the registers are restored, you will find a jr ra, this shows that the function

has ended on that line. This can be used for looking for functions

ETC.
__________________________________________________ ________________________

My MIPS dictionary.


ADD – Add (with overflow)

Description:


Adds two registers and stores the result in a register

Operation:


$d = $s + $t; advance_pc (4);

Syntax:


add $d, $s, $t

Encoding:


0000 00ss ssst tttt dddd d000 0010 0000
ADDI -- Add immediate (with overflow)

Description:


Adds a register and a sign-extended immediate value and stores the result in a register

Operation:


$t = $s + imm; advance_pc (4);

Syntax:


addi $t, $s, imm

Encoding:


0010 00ss ssst tttt iiii iiii iiii iiii
ADDIU -- Add immediate unsigned (no overflow)

Description:


Adds a register and a sign-extended immediate value and stores the result in a register

Operation:


$t = $s + imm; advance_pc (4);

Syntax:


addiu $t, $s, imm

Encoding:


0010 01ss ssst tttt iiii iiii iiii iiii
ADDU -- Add unsigned (no overflow)

Description:


Adds two registers and stores the result in a register

Operation:


$d = $s + $t; advance_pc (4);

Syntax:


addu $d, $s, $t

Encoding:


0000 00ss ssst tttt dddd d000 0010 0001
AND -- Bitwise and

Description:


Bitwise ands two registers and stores the result in a register

Operation:


$d = $s & $t; advance_pc (4);

Syntax:


and $d, $s, $t

Encoding:


0000 00ss ssst tttt dddd d000 0010 0100
ANDI -- Bitwise and immediate

Description:


Bitwise ands a register and an immediate value and stores the result in a register

Operation:


$t = $s & imm; advance_pc (4);

Syntax:


andi $t, $s, imm

Encoding:


0011 00ss ssst tttt iiii iiii iiii iiii
BEQ -- Branch on equal

Description:


Branches if the two registers are equal

Operation:


if $s == $t advance_pc (offset << 2)); else advance_pc (4);

Syntax:


beq $s, $t, offset

Encoding:


0001 00ss ssst tttt iiii iiii iiii iiii
BGEZ -- Branch on greater than or equal to zero

Description:


Branches if the register is greater than or equal to zero

Operation:


if $s >= 0 advance_pc (offset << 2)); else advance_pc (4);

Syntax:


bgez $s, offset

Encoding:


0000 01ss sss0 0001 iiii iiii iiii iiii
BGEZAL -- Branch on greater than or equal to zero and link

Description:


Branches if the register is greater than or equal to zero and saves the return address in $31

Operation:


if $s >= 0 $31 = PC + 8 (or nPC + 4); advance_pc (offset << 2)); else advance_pc (4);

Syntax:


bgezal $s, offset

Encoding:


0000 01ss sss1 0001 iiii iiii iiii iiii
BGTZ -- Branch on greater than zero

Description:


Branches if the register is greater than zero

Operation:


if $s > 0 advance_pc (offset << 2)); else advance_pc (4);

Syntax:


bgtz $s, offset

Encoding:


0001 11ss sss0 0000 iiii iiii iiii iiii
BLEZ -- Branch on less than or equal to zero

Description:


Branches if the register is less than or equal to zero

Operation:


if $s <= 0 advance_pc (offset << 2)); else advance_pc (4);

Syntax:


blez $s, offset

Encoding:


0001 10ss sss0 0000 iiii iiii iiii iiii
BLTZ -- Branch on less than zero

Description:


Branches if the register is less than zero

Operation:


if $s < 0 advance_pc (offset << 2)); else advance_pc (4);

Syntax:


bltz $s, offset

Encoding:


0000 01ss sss0 0000 iiii iiii iiii iiii
BLTZAL -- Branch on less than zero and link

Description:


Branches if the register is less than zero and saves the return address in $31

Operation:


if $s < 0 $31 = PC + 8 (or nPC + 4); advance_pc (offset << 2)); else advance_pc (4);

Syntax:


bltzal $s, offset

Encoding:


0000 01ss sss1 0000 iiii iiii iiii iiii
BNE -- Branch on not equal

Description:


Branches if the two registers are not equal

Operation:


if $s != $t advance_pc (offset << 2)); else advance_pc (4);

Syntax:


bne $s, $t, offset

Encoding:


0001 01ss ssst tttt iiii iiii iiii iiii
DIV -- Divide

Description:


Divides $s by $t and stores the quotient in $LO and the remainder in $HI

Operation:


$LO = $s / $t; $HI = $s % $t; advance_pc (4);

Syntax:


div $s, $t

Encoding:


0000 00ss ssst tttt 0000 0000 0001 1010
DIVU -- Divide unsigned

Description:


Divides $s by $t and stores the quotient in $LO and the remainder in $HI

Operation:


$LO = $s / $t; $HI = $s % $t; advance_pc (4);

Syntax:


divu $s, $t

Encoding:


0000 00ss ssst tttt 0000 0000 0001 1011
J -- Jump

Description:


Jumps to the calculated address

Operation:


PC = nPC; nPC = (PC & 0xf0000000) | (target << 2);

Syntax:


j target

Encoding:


0000 10ii iiii iiii iiii iiii iiii iiii
JAL -- Jump and link

Description:


Jumps to the calculated address and stores the return address in $31

Operation:


$31 = PC + 8 (or nPC + 4); PC = nPC; nPC = (PC & 0xf0000000) | (target << 2);

Syntax:


jal target

Encoding:


0000 11ii iiii iiii iiii iiii iiii iiii
JR -- Jump register

Description:


Jump to the address contained in register $s

Operation:


PC = nPC; nPC = $s;

Syntax:


jr $s

Encoding:


0000 00ss sss0 0000 0000 0000 0000 1000
LB -- Load byte

Description:


A byte is loaded into a register from the specified address.

Operation:


$t = MEM[$s + offset]; advance_pc (4);

Syntax:


lb $t, offset($s)

Encoding:


1000 00ss ssst tttt iiii iiii iiii iiii
LUI -- Load upper immediate

Description:


The immediate value is shifted left 16 bits and stored in the register. The lower 16 bits are zeroes.

Operation:


$t = (imm << 16); advance_pc (4);

Syntax:


lui $t, imm

Encoding:


0011 11-- ---t tttt iiii iiii iiii iiii
LW -- Load word

Description:


A word is loaded into a register from the specified address.

Operation:


$t = MEM[$s + offset]; advance_pc (4);

Syntax:


lw $t, offset($s)

Encoding:


1000 11ss ssst tttt iiii iiii iiii iiii
MFHI -- Move from HI

Description:


The contents of register HI are moved to the specified register.

Operation:


$d = $HI; advance_pc (4);

Syntax:


mfhi $d

Encoding:


0000 0000 0000 0000 dddd d000 0001 0000
MFLO -- Move from LO

Description:


The contents of register LO are moved to the specified register.

Operation:


$d = $LO; advance_pc (4);

Syntax:


mflo $d

Encoding:


0000 0000 0000 0000 dddd d000 0001 0010
MULT -- Multiply

Description:


Multiplies $s by $t and stores the result in $LO.

Operation:


$LO = $s * $t; advance_pc (4);

Syntax:


mult $s, $t

Encoding:


0000 00ss ssst tttt 0000 0000 0001 1000
MULTU -- Multiply unsigned

Description:


Multiplies $s by $t and stores the result in $LO.

Operation:


$LO = $s * $t; advance_pc (4);

Syntax:


multu $s, $t

Encoding:


0000 00ss ssst tttt 0000 0000 0001 1001
NOOP -- no operation

Description:


Performs no operation.

Operation:


advance_pc (4);

Syntax:


noop

Encoding:


0000 0000 0000 0000 0000 0000 0000 0000


Note: The encoding for a NOOP represents the instruction SLL $0, $0, 0 which has no side effects. In fact, nearly every instruction that has $0 as its destination register will have no side effect and can thus be considered a NOOP instruction.
OR -- Bitwise or

Description:


Bitwise logical ors two registers and stores the result in a register

Operation:


$d = $s | $t; advance_pc (4);

Syntax:


or $d, $s, $t

Encoding:


0000 00ss ssst tttt dddd d000 0010 0101
ORI -- Bitwise or immediate

Description:


Bitwise ors a register and an immediate value and stores the result in a register

Operation:


$t = $s | imm; advance_pc (4);

Syntax:


ori $t, $s, imm

Encoding:


0011 01ss ssst tttt iiii iiii iiii iiii
SB -- Store byte

Description:


The least significant byte of $t is stored at the specified address.

Operation:


MEM[$s + offset] = (0xff & $t); advance_pc (4);

Syntax:


sb $t, offset($s)

Encoding:


1010 00ss ssst tttt iiii iiii iiii iiii
SLL -- Shift left logical

Description:


Shifts a register value left by the shift amount listed in the instruction and places the result in a third register. Zeroes are shifted in.

Operation:


$d = $t << h; advance_pc (4);

Syntax:


sll $d, $t, h

Encoding:


0000 00ss ssst tttt dddd dhhh hh00 0000
SLLV -- Shift left logical variable

Description:


Shifts a register value left by the value in a second register and places the result in a third register. Zeroes are shifted in.

Operation:


$d = $t << $s; advance_pc (4);

Syntax:


sllv $d, $t, $s

Encoding:


0000 00ss ssst tttt dddd d--- --00 0100
SLT -- Set on less than (signed)

Description:


If $s is less than $t, $d is set to one. It gets zero otherwise.

Operation:


if $s < $t $d = 1; advance_pc (4); else $d = 0; advance_pc (4);

Syntax:


slt $d, $s, $t

Encoding:


0000 00ss ssst tttt dddd d000 0010 1010
SLTI -- Set on less than immediate (signed)

Description:


If $s is less than immediate, $t is set to one. It gets zero otherwise.

Operation:


if $s < imm $t = 1; advance_pc (4); else $t = 0; advance_pc (4);

Syntax:


slti $t, $s, imm

Encoding:


0010 10ss ssst tttt iiii iiii iiii iiii
SLTIU -- Set on less than immediate unsigned

Description:


If $s is less than the unsigned immediate, $t is set to one. It gets zero otherwise.

Operation:


if $s < imm $t = 1; advance_pc (4); else $t = 0; advance_pc (4);

Syntax:


sltiu $t, $s, imm

Encoding:


0010 11ss ssst tttt iiii iiii iiii iiii
SLTU -- Set on less than unsigned

Description:


If $s is less than $t, $d is set to one. It gets zero otherwise.

Operation:


if $s < $t $d = 1; advance_pc (4); else $d = 0; advance_pc (4);

Syntax:


sltu $d, $s, $t

Encoding:


0000 00ss ssst tttt dddd d000 0010 1011
SRA -- Shift right arithmetic

Description:


Shifts a register value right by the shift amount (shamt) and places the value in the destination register. The sign bit is shifted in.

Operation:


$d = $t >> h; advance_pc (4);

Syntax:


sra $d, $t, h

Encoding:


0000 00-- ---t tttt dddd dhhh hh00 0011
SRL -- Shift right logical

Description:


Shifts a register value right by the shift amount (shamt) and places the value in the destination register. Zeroes are shifted in.

Operation:


$d = $t >> h; advance_pc (4);

Syntax:


srl $d, $t, h

Encoding:


0000 00-- ---t tttt dddd dhhh hh00 0010
SRLV -- Shift right logical variable

Description:


Shifts a register value right by the amount specified in $s and places the value in the destination register. Zeroes are shifted in.

Operation:


$d = $t >> $s; advance_pc (4);

Syntax:


srlv $d, $t, $s

Encoding:


0000 00ss ssst tttt dddd d000 0000 0110
SUB -- Subtract

Description:


Subtracts two registers and stores the result in a register

Operation:


$d = $s - $t; advance_pc (4);

Syntax:


sub $d, $s, $t

Encoding:


0000 00ss ssst tttt dddd d000 0010 0010
SUBU -- Subtract unsigned

Description:


Subtracts two registers and stores the result in a register

Operation:


$d = $s - $t; advance_pc (4);

Syntax:


subu $d, $s, $t

Encoding:


0000 00ss ssst tttt dddd d000 0010 0011
SW -- Store word

Description:


The contents of $t is stored at the specified address.

Operation:


MEM[$s + offset] = $t; advance_pc (4);

Syntax:


sw $t, offset($s)

Encoding:


1010 11ss ssst tttt iiii iiii iiii iiii
SYSCALL -- System call

Description:


Generates a software interrupt.

Operation:


advance_pc (4);

Syntax:


syscall

Encoding:


0000 00-- ---- ---- ---- ---- --00 1100
=-=-=-=-=-=-------------=-=-=-=-=-=-=--=-=-=-=-----=-=-===========-=-=-

BASIC HACKING (Label style)


Aight, you got your basic mips down. Mostly label hacking relies on
function hunting.

Functions-Lines to carry out a specific task.

Ex (CUSTOM FUNCTION)

This could be to load health (FUNCTION)

(Load byte)
function
function
increment
load
end

Everything in the game runs from a function, the stack pointer is
where the functions are stored at.

OK enough bullshit lets get down to it now. get your idea of code you
want to create. This tutorial I'll use a simple health line.

Open label box, and go to "HEALTH_FX" NOTE:This game im using is SOCOM3
(PS2.)





Hit enter on it on the byte lines hit space on it then hit f3 to get the line that
loads the byte.






NOW, see the JAL's. Don't bother checking the others, the rest are just
addiu's to increment the stack. Instead lets try our luck with floats.
The JAL that is highlighted in gray. Go to it and hit the right arrow
key.





now when you get to the addiu, notice the area is storing to the
stack. NOW right after that 006fea28 is being loaded. from line
004d4bc0. looks interesting so lets look in there,




the line it brings
you to is the sll, ok now were not done yet go down until you see this

lui zero, $0000.




NOW, thats a float, in the health area. so lets see where and what is
loading that line so hit space and f3 on it.

then it will bring you to a lwc1, so i done checked the functions
which the routines are in floats so this line should be controling
something with your health.

Q:How could it be floats?
Aecimals are used in floats.

Well if thats the line we are going to NOP it so it doesnt do anything.


old code: 006feb84 3f800000

new code: 006feb84 00000000
__________________________________________________ ________________________


In depth explination of MIPS

These arent all of the MIPS commands, but its the most common
ones that are used..


Nop- no operation.

ex. health hook is 002c12ac. then nop that hook so it dont call the
health function. which gives you inf health
data= 00000000


j- jump to address.
ex. jumps to certain addresses.
if you wanted the health function to be called into a code then
you can jump it to the health function line.


jal- jumps and links address.
ex if you wanted to hook a routine to actvate it get a hook
and jal to your routine address.


addiu- add unsigned immediate
ex used to increment
if you wanted to add a boot value then use addiu then boot value
hex. also increments if you wanted to change the loading address
addiu to the register with the address.


ori- same thing as addiu except its not used to increment.
ex if you wanted to load a joker value use ori then the value.


lui- loads four digits
ex in a routine if you wanted to load address 00c1da20 then you would
use a lui then first four digits of the line.


lw- loads four digits and data.
ex in the lui above this you would use lw then last 4 digits of address
then the register you used now equals the data of that address.
and the address itself.


lwc1- loads float point.
ex if 0004 hex equals your player coordinates then you use this to
load that as a float.


swc1- stores float value.
ex if you loaded the coordinates then you would need to store them
into your routine.


beq- branch if 2 registers are equal.
ex if you needed to check if your out of ammo and 1 equals full
and 0 equals out then you would use beq to see if 1 is equal to
0 which means you are outta ammo.


bne- branch if 2 registers are NOT equal.
ex if you had ammo 1 equaling full and 0 equals out then you use
a bne to check if your not outta ammo and load the line that
gives the value of how many ever bullets you got left.


jr ra- jump return address.
ex if you wanted to exit a function if you had a jal to hook to the function then you would jr ra at the end of it to jummp to the return address.
__________________________________________________ __________________________________________________ _____________________________________________


.






My Gifts
DaBigBoss l Syldavi l Echoes Of Life l Tormented
Back to top Go down
 

Everything you need to know

View previous topic View next topic Back to top 
Page 1 of 1

Permissions in this forum:You cannot reply to topics in this forum
SneakyCodes Gaming Forum :: PSP Section :: PSP Tutorials-
Jump to:  





SneakyCodes.tk | Sneaky-Media.com


Free GeoHot NOW!
I support George Hotz and
the FREEDOM OF INFORMATION

Forumotion.com | © phpBB | Free forum support | Contact | Report an abuse | Free forum