-
Notifications
You must be signed in to change notification settings - Fork 2
Zero1UP/SOCOM-2---r0005-Patch
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
--- Credits 12-15-2018 --- gtlcpimp - code designer 2.3, kernel hook. various socom hackers - various codes, exploits, etc. ---------------------------------------------------------------------- To get started ---------------------------------------------------------------------- Extract the r0005.zip folder to C:/ *** example: C:/r0005 *** Most up to date patch info: http://update.ps2.host/r0005/ ** r0005 folder root ** - C_source: source for ELF - MIPs_source -- 059: Version 59 source files ---- debug: Debug files for generating checksums - Programs: Various programs needed to convert code quickly. -- Code Designer: Needed for opening/compiling .cds files. ---------------------------------------------------------------------- How the patch works ---------------------------------------------------------------------- 1. - ELF writes Patch kernel and user memory functions. **NOTE: ELF is nothing more than a capsule for injecting the patch code. The included ELF source does not work on all PS2s. You can also try the "auto updating" ELF @ https://github.com/Based-Skid/Ps2-Remote-ASM 2. - Patch kernel checks to see if SOCOM LAN is loaded. Once LAN loads it writes all the user memory hooks. - On LAN load the patch will start scanning functions for invalid checksums. On finding an invlalid checksum the game will freeze. This is known as the kernel scanner. 3. - When creating or joining a patch game the password key will be decrypted and overwritten. - This key is always encrypted as it is the main security for patch games. 4. - Once in game(map loaded) a user memory code scanner will start. This scanner is faster than the kernel scanner but is more vulnerable. This scanner will be idle when returning to the game lobby. ---------------------------------------------------------------------- New patch game password method ---------------------------------------------------------------------- --Address create game key: 0030D278 join game key: 002BC7D0 rejoin game key: 0030D43C hashed password location: 0045A1A8 --Values Default Key: 7F0000FE Example Patch Key: 592501D2 Patch Key setup(this is backwards for the sake of reading left to right) 1st byte: Patch version # ex: 59 2nd byte: Patch build # ex: 25 3rd byte: Can be anything. ex: 01 4th byte: Can be anything. ex: D2 Assuming a patched game is created(ex: example password = !123456): 1. The 2nd char of the password is changed to a char that can not be typed. 2. The rest of the password is XOR'd with a simple key. 3. The password key is changed in 3 locations(join game, create game, rejoin game). Knowing the password at this point will not help. The player must also have the patch key. ---------------------------------------------------------------------- When creating a new patch revision: ---------------------------------------------------------------------- 1. Change the patch game password key. - Do note the password key is located in the "join patched games.cds" file. 2. Change patch version in "r0005_crypto" and "patch_display". (optional) Change "Master Functions Start" address. (optional) Change master functions order. ---------------------------------------------------------------------- When compiling new patch ---------------------------------------------------------------------- .CDS File Notes r0005 crypto.cds - This file contains all kernel code and will include all code from functions_write.cds. You must run all the hooks/variables from functions_write.cds through the Encryptor program. Take the output and paste it under the "kernal__data:" label. - These encrypted hooks/variables are wrote on LAN connect. functions_write.cds - The top of this file contains all hooks and variables for all functions. Do not change these. - The bottom of this file contains imports of all patch functions. All other .cds files: - These are all functions for the patch. They will be stored in memory at the "Master Functions Start" address which is 0xD0000 by default. 1. Compile "functions_write.cds". 2. Copy all hooks from the compiled code of "functions_write.cds" and run those through the encryptor. 3. Paste encryptor output in "r0005 crypto.cds" code stack section at the bottom under "kernal__data:" label. Note: This is done so the hooks are constant write. SOCOM 2 will overwrite these on main load so they must be written constantly. 4. Compile "r0005 crypto.cds". Copy compiled code. You can now run this code through the "MIPS to C" program and paste it in the default ELF file or you can create an update file for the auto updating ELF with instructions below. ---------------------------------------------------------------------- Creating an update file ---------------------------------------------------------------------- 1. Follow the instructions above to compile the patch. 2. Run the "Patch Compiler.exe" and paste the compiled code from "r0005 crypto.cds". 3a. (OPTIONAL) Enable the "Encryption" checkbox. This will XOR the patch with a key. 3b. Encryption Key: FED04AC6D427C07904E76226D8A47F92059DC5AAF0347664D1A4FA22542AFFCD. 4. Click "SAVE" button. A file called "update.dat" will be created in the same folder as the Patch Compiler program. ---------------------------------------------------------------------- NEW - variables and function locations ---------------------------------------------------------------------- Variables start @ 000f6000 old - new 00096000 - 000f6000 - textbox pointer used for passwords 00097000 - 000f7000 - Decrypted code output 000D17A0 - 000f7100 - CLANTAG: original player name 000D13A0 - 000f7140 - CLANTAG: clan tag 000D13D0 - 000f7180 - CLANTAG: modified player name 000C1FF0 - 000f71B0 - patched game BOOL 000C1FF4 - 000f71B4 - custom game BOOL 000C1FF8 - 000f71B8 - halo game BOOL 000D6124 - 000f71C0 - Death Camera Timer 000A0FA0 - 000f71D0 - Select Menu - output text 000A12D0 - 000f71F0 - Select Menu - s0 variable (used by text printing functions) 000D34C8 - 000f75B0 - CODE CHECK - Stored data location (4 bytes) 000CD0D0 - 000f7600 - Custom maps pointer stack Kernal Variables(stored in user memory, can not modify kernal during runtime): 000f8fe0 - Checksum stack position 000f8ff0 - CHECKSUM BOOL. Will = 1 if valid checksum. 000f8ff4 - MAIN CODES FNC BOOL. Will = 1 if checksum function is in tact. Will = 0 if check fnc is disabled or missing. 000f8ff8 - MAIN FUNCTION timer 000f8ffc - codes enabled BOOL Functions start @ 0x000D0000 Note: This can be changed in the "functions_write.cds" file. Functions can start anywhere between 0xA0000-0xE0000. Files to compile: 1. Functions Write: Contains all functions and hooks. 2. Put hooks in kernal function. ---------------------------------------------------------------------- Encrypted codes in CDS files ---------------------------------------------------------------------- __patchgame_codes: disable wall sliding new (r0004 style) 0057E348 0000102D disable multiplayer join game failure 003039E4 10000004 disable voice mod 003DF1A8 00000000 disable encryption and decryption 0062A79C 00000000 0062A838 00000000 password key join game 0030D278 3C035925 0030D27C 346301D2 password key initial join game 0030D43C 3C035925 0030D440 346301D2 password key create game 002BC7C0 3C035925 002BC7C8 346401D2 __prepatchgame_codes: enable wall sliding new 0057E348 8E2210AC enable multiplayer join game failure check 003039E4 10000004 disable voice mod(keep disabled) 003DF1A8 00000000 enable encryption and decryption 0062A79C 00C53026 0062A838 00832026 password key join game 0030D278 3C037F00 0030D27C 346300FE password key initial join game 0030D43C 3C037F00 0030D440 346300FE password key create game 002BC7C0 3C037F00 002BC7C8 346400FE ------------------------------------------------------------------------------- *** OLD COMPILE METHOD for v58 or older *** The "main.c" in the "r0005\C_source\058 folder" is nothing more than a capsule for the assembly code. 1. Open the "compile_normal.cds" located in "r0005\MIPs_source\058". It will have code that looks like this: import "C:\r0005\MIPs_source\058\small codes.cds" import "C:\r0005\MIPs_source\058\all maps respawn.cds" import "C:\r0005\MIPs_source\058\LAN Ranks.cds" import "C:\r0005\MIPs_source\058\clan tag.cds" import "C:\r0005\MIPs_source\058\day maps.cds" import "C:\r0005\MIPs_source\058\death cam.cds" import "C:\r0005\MIPs_source\058\select screen.cds" import "C:\r0005\MIPs_source\058\join patched games .cds" import "C:\r0005\MIPs_source\058\code check.cds" import "C:\r0005\MIPs_source\058\host.cds" ***NOTE: These import locations can be changed to anywhere.*** This code gathers all the assembly code for each function and compiles it in to one window. Makes it easier to copy all the code. 2. Compile the code with Code Designer. Now press the copy button. (Code designer v2.3 included) 3. Open "Code Stack Encryptor.exe" located in "r0005\Programs". - Paste the copied code from code designer in to the INPUT colum in "Code Stack Encryptor.exe". - Hit CONVERT button. - Copy code from OUTPUT Window. 4. Open "r0005 crypto.cds" located in "r0005\MIPs_source\058" with Code Designer. - Scroll down to the bottom of the window. You will see the following comments: //---------------- CODE STACK HERE //----------------- end code stack - Paste the OUTPUT code from the "Code Stack Encryptor.exe" program between the "CODE STACK HERE" and "end code stack" comments in the Code designer window. - Click "Compile" button in bottom right of code designer. - Click the "Copy" button in the bottom right of code designer. 5. Open "MIPStoC.exe" located in "r0005\Programs". - Paste copied code in INPUT column. - Press CONVERT button. - Copy code in OUTPUT column. 6. Open "main.c" located in "r0005\C_source\058" with a C editor such as Crimson Editor or Notepad. - Scroll down to line 488. You should see the following code: ee_kmode_enter(); // write kernal functions ee_kmode_exit(); - Paste the OUTPUT code from the "MIPStoC.exe" program directly below the "write kernal functions" comment. - Compile the main.C file using ps2sdk. I usually call the compiled ELF r0005.ELF. - Pack the compiled ELF with ps2_packer.exe(included in "r0005\C_source\058") and name the packed ELF something like "r0005v58.ELF". This is done so the ELF can't be opened with PS2DIs and easily read. It also eliminates all labels. 7. Test the ELF with PCSX2 or PS2.
About
Unofficial patch for SOCOM 2 (NTSC Version)
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published