Alien Resurrection has a cheat code to load code without a reset.


Alien Resurrection has a cheat code to load code without a reset.

Post by leafy » December 21st, 2023, 4:13 am

https://www.youtube.com/watch?v=uRB7iUCX4KQ

Stopping the disc is no big deal, but this also allows a disc swap followed by a load, so burned discs load.

I wonder if this is similar code to the no cash unlock? The code would be interesting to dissect - if I knew how.

Interesting nevertheless.


Post by david4599 » December 22nd, 2023, 10:22 am

There is nothing related to the nocash unlock.

Basically, this just stops the disc with CdControlB() (CdlStop as the 1st parameter), then loads SYSTEM.CNF from the swapped game to find its executable path and uses LoadExec() to launch it. I guess that's exactly what boot discs like the PS-X Change do.

For more details, I've mostly reversed the function and explained it in a Twitter thread:


Here is the function:


/*
 * LoadLevelStuff -- annotated decompiler output (Hex-Rays-style pseudo-C; not
 * compilable as-is) of the game's level-load routine.
 *
 * Two paths are visible in this listing:
 *
 *  1. Hidden disc-swap path. Taken only when isSuperSecretSwapMethodEnabled is
 *     set, gameLevel is 6, and Square+Triangle were seen during the pad-polling
 *     loop. It stops the drive, waits, reads SYSTEM.CNF from whatever disc is
 *     then in the drive, extracts the path after "BOOT = " and hands it to
 *     LoadExec().
 *  2. Normal path (label CONTINUE_GAME_AND_LOAD_LEVEL). Resets a set of globals
 *     and writes a small header at a1 derived from a2 (presumably a memory
 *     arena set-up -- not established by this listing).
 *
 * Returns:
 *   -1 (as unsigned)  swap path, "BOOT" not found in the scanned 2048 bytes
 *   1                 normal path, a2 < 29 (result = a2 < 29)
 *   a2 - 88           normal path otherwise (v17 - 28, with v17 = a2 - 60)
 *
 * Review notes (all drawn from the lines below):
 *   - The only things gating the swap path are a global flag, a level number
 *     and a button combination; the file name is hidden with a fixed-key XOR.
 *     That is obfuscation, not access control. Hidden loader paths like this
 *     should be compiled out of release builds.
 *   - Nothing in this function validates the swapped disc or the BOOT path
 *     before execution is handed over.
 *   - The SYSTEM.CNF parsing has several unchecked edge cases; see the inline
 *     NOTE(review) comments.
 */
unsigned int __fastcall LoadLevelStuff(unsigned int *a1, unsigned int a2)
{
  int bootSwappedDisc; // $s4
  int charCounter; // $a2
  unsigned __int8 *pIndex; // $v1
  char *pEncodedChar; // $a1
  int bootStringOffset; // $s0
  unsigned __int8 *pFileContent; // $s1
  int charCounter2; // $a2
  unsigned __int8 *pFileContent_; // $a0
  unsigned int result; // $v0
  bool bootStringNotFound; // dc
  int psexePathOffset; // $s0
  int psexePathOffset_; // $a2
  unsigned __int8 *currentChar; // $v1
  unsigned int v17; // $s2
  char filename[16]; // [sp+10h] [-38h] BYREF
  char encodedFilename[16]; // [sp+20h] [-28h] BYREF
  unsigned __int8 filenameShuffledIndexesList_[10]; // [sp+30h] [-18h] BYREF
  u_char param; // [sp+40h] [-8h] BYREF
  unsigned __int8 res[7]; // [sp+41h] [-7h] BYREF

  if ( !isSuperSecretSwapMethodEnabled )        // If the super secret cheat code has not been entered
    goto CONTINUE_GAME_AND_LOAD_LEVEL;          // Do not trigger the swap mode and continue the game (which will start the selected level)
  // Obfuscated "SYSTEM.CNF": each byte XOR 0x77 gives "SESYF.MCTN", which the
  // index list below then puts back in order. This only keeps the string out of
  // a plain string search of the binary.
  qmemcpy(encodedFilename, "$2$.1Y:4#9", 10);   // Obfuscation of "SYSTEM.CNF" string, see below for decoding
  // Copy the 10-byte global index table to the stack (4 + 4 + 1 + 1 bytes).
  *(_DWORD *)filenameShuffledIndexesList_ = *(_DWORD *)filenameShuffledIndexesList;
  *(_DWORD *)&filenameShuffledIndexesList_[4] = *(_DWORD *)&filenameShuffledIndexesList[4];
  filenameShuffledIndexesList_[8] = filenameShuffledIndexesList[8];
  filenameShuffledIndexesList_[9] = filenameShuffledIndexesList[9];
  bootSwappedDisc = 0;
  if ( (unsigned __int8)gameLevel != 6 )        // If the 6th level is not selected (in the cheat menu)
    goto CONTINUE_GAME_AND_LOAD_LEVEL;          // Do not trigger the swap mode and continue the game (which will start the selected level)
  charCounter = 0;
  // Decode the "SYSTEM.CNF" string
  // 1. Set the characters in the right order using the list of indexes
  // 2. XOR each character with 0x77 as key
  // NOTE(review): the destination index is read from the table without a range
  // check; the write stays inside filename[16] only if every table entry is
  // < 16 (presumably 0..9 -- the table contents are not shown here).
  do
  {
    pIndex = &filenameShuffledIndexesList_[charCounter];
    pEncodedChar = &encodedFilename[charCounter++];
    filename[*pIndex] = *pEncodedChar ^ 0x77;
  }
  while ( charCounter < 10 );
  filename[10] = 0;                             // Add the NUL terminator to the filename string
  TurnOffAudioCDAndPauseCD();
  param = 0;
  res[0] = 0;
  CdControlB(CdlStop, &param, res);             // Stop the disc, which allows it to be swapped
  VSync(3);
  // Poll the pad. The body runs at least once, so Square+Triangle is sampled
  // even if L1 is already released; the loop repeats for as long as L1 is held.
  do
  {
    VSync(3);
    if ( (unsigned __int16)(padBuffer & (PAD_SQUARE|PAD_TRIANGLE)) == (PAD_SQUARE|PAD_TRIANGLE) )// If Square and Triangle buttons are pressed
      bootSwappedDisc = 1;                      // Set boot disc flag
    HandlePadState(0);
    HandlePadState(1);
  }
  while ( (padBuffer & PAD_L1) != 0 );          // Loop while L1 button is pressed
  if ( !bootSwappedDisc )                       // If Square and Triangle buttons were not pressed
    goto CONTINUE_GAME_AND_LOAD_LEVEL;          // Continue the game (which will start level 6 if the disc wasn't swapped)
  enableResourcesFileReadingFromCD = 0;         // Disables reading the PACK.BIN file (in sub_1E964()) since the CD is swapped
  bootStringOffset = -1;
  ResetScreenBufferingAndOtherStuff();
  DoSomeSystemAndLevelStuff();
  pFileContent = (unsigned __int8 *)GetMemoryPtrForFileContent();
  // NOTE(review): no result of the read is examined in this listing; if the
  // read fails, the scan below runs over whatever the buffer already held.
  GetFileFromCD(filename, pFileContent);        // Get the content of SYSTEM.CNF, e.g.:
                                                // BOOT = cdrom:\SLUS_006.33;1
                                                // TCB = 4
                                                // EVENT = 10
                                                // STACK = 1FFF00
  charCounter2 = 0;
  pFileContent_ = pFileContent;
  // Scan 2048 byte positions for "BOOT".
  // NOTE(review): there is no break, so the LAST match in the window wins, not
  // the first. For positions 2045..2047 the comparisons can read up to 3 bytes
  // past the 2048-byte window; whether that is still inside the buffer depends
  // on GetMemoryPtrForFileContent(), which is not shown.
  do
  {
    if ( *pFileContent_ == 'B' && pFileContent_[1] == 'O' && pFileContent_[2] == 'O' && pFileContent_[3] == 'T' )// Check for "BOOT" string in SYSTEM.CNF
      bootStringOffset = charCounter2;
    ++charCounter2;
    ++pFileContent_;
  }
  while ( charCounter2 < 2048 );                // Loop to check the whole sector for the "BOOT" string
  result = -1;
  bootStringNotFound = bootStringOffset == -1;
  psexePathOffset = bootStringOffset + 7;       // Set an offset to get the beginning of the executable path, e.g.:
                                                // cdrom:\SLUS_006.33;1
                                                // TCB = 4
                                                // EVENT = 10
                                                // STACK = 1FFF00
                                                //
                                                // Note: this fixed offset (length of "BOOT = ") is wrong if there are
                                                // more or no space characters around the equals sign
  if ( bootStringNotFound )
    return result;
  psexePathOffset_ = psexePathOffset;
  // NOTE(review): if "BOOT" was matched at offset 2040 or later, psexePathOffset
  // is >= 2047, this block is skipped, and LoadExec() below still receives
  // &pFileContent[psexePathOffset] with no terminator written by this function.
  if ( psexePathOffset < 2047 )
  {
    currentChar = &pFileContent[psexePathOffset];
    do
    {
      // Set a NUL byte to terminate the executable path string at the end of the line
      // ('\r' or '\n', both are less than 0x20 (space) in ASCII), e.g.:
      // cdrom:\SLUS_006.33;1
      // Every byte below 0x20 from the path start up to offset 2046 is zeroed,
      // not only the first line ending; the loop does not stop at the first hit.
      if ( *currentChar < 0x20u )
        *currentChar = 0;
      ++psexePathOffset_;
      ++currentChar;
    }
    while ( psexePathOffset_ < 2047 );
  }
  // Reinit some stuff
  TerminateSoundProcessingWrapper();
  ResetGraph(0);
  VSyncCallbacks();
  PadStopCom();
  96_remove();
  96_init();
  // Finally, launch the executable at the specified path, e.g.:
  // cdrom:\SLUS_006.33;1
  // The path comes straight from the swapped disc's SYSTEM.CNF; no check of the
  // path or of the disc is visible in this function. The second argument is a
  // constant (0x801FFF00); the TCB/EVENT/STACK lines of the file are not parsed here.
  // NOTE(review): nothing follows the call on this path, so if LoadExec() were
  // to return, execution would fall through into the normal path below.
  LoadExec((char *)&pFileContent[psexePathOffset], 0x801FFF00, 0);
CONTINUE_GAME_AND_LOAD_LEVEL:
  // Normal path: reset globals, then initialise a header at a1 from a2.
  dword_A8800 = (int)"<default>";
  dword_A8808 = (int)"<default>";
  result = a2 < 29;
  dword_A47F8 = 0;
  dword_A47FC = 0;
  dword_A8804 = -999;
  dword_A880C = -999;
  bootStringNotFound = a2 < 29;                 // Variable reused by the decompiler; here it only means "a2 < 29"
  // NOTE(review): the guard below rejects only a2 < 29, so as decompiled the
  // unsigned a2 - 60 wraps to a very large value for 29 <= a2 < 60 -- confirm
  // against the disassembly.
  v17 = a2 - 60;
  if ( bootStringNotFound )
    return result;                              // Returns 1 (a2 < 29) without touching a1
  *a1 = v17;
  a1[2] = 0;
  a1[4] = 0;
  a1[5] = 0;
  dword_A87F8 = (int)a1;                        // Start address of the region
  dword_A87FC = (int)a1 + v17;                  // Start address + v17 (presumably the region's end)
  dword_A4808 = 1;
  sub_3F23C((unsigned int)(a1 + 7));            // Called with the address 28 bytes (7 words) past a1
  result = v17 - 28;
  dword_A4800 = v17 - 28;
  return result;
}


Post by leafy » December 27th, 2023, 7:16 am

Awesome work! More than I could have hoped for. Is this similar to what UniROM does maybe? Just like the other swap disc you mentioned, I assume multi games burns would not work once the next disc is required.


Post by david4599 » December 28th, 2023, 1:52 am

Yeah, UniROM basically uses the same method to load the game executable (SYSTEM.CNF -> PS1 exe). It just doesn't need to stop the disc and instead applies the nocash unlock before loading the game (except on Japanese PS1s, where the unlock code doesn't work, hence the stop-disc option in the menu).

There is a workaround for some multi disc games as described here but it doesn't work every time: https://gamefaqs.gamespot.com/ps/916392 ... faqs/28350
