Code Injection into Existing PS-X EXE files

zanneth
What is PSXDEV?
Posts: 4
Joined: Sep 04, 2018
I am a: Programmer, Reverse Engineer
PlayStation Model: sys573

Post by zanneth » September 4th, 2018, 8:54 am

I'm working on a project to patch an existing PS-X EXE file so that I can inject code into the game binary.

The game in particular is the arcade version of Dance Dance Revolution EXTREME. This game runs on a hardware platform called the System 573, which is based on the original PS-X hardware.

My goal is to interpose a handful of functions in the game with my own functions, cross-compiled for the r3000 and appended to the end of the EXE file.

My strategy is as follows:
1. Reverse engineer the game using a disassembler to find the code that needs to be patched. I chose to use IDA Pro for this.
2. Set up a toolchain in Linux to cross-compile C code for the r3000 and produce a relocatable ELF executable.
3. Since I'm working on an embedded system without a dynamic loader, I need to write a static loader that takes my ELF object and relocates it on-disk to prepare for injection into the game binary.
4. Test and debug using the MAME debugger. Using the MAME debugger I can inject code by loading the ELF binary into RAM. There is no memory protection on the PSX OS so I can overwrite an existing JMP/JAL instruction with one that jumps to my payload in RAM instead.
5. Modify the original PS-X EXE file to inject my code and patch the necessary functions using a binary patcher.

I've already done steps 1 and 2 (major thanks to the PSXDEV community for the helpful resources). I now have a relocatable ELF executable that I want to try injecting into RAM using MAME. Currently I am working on the loader so that it can take the destination virtual address in RAM as input, and use this to generate a Global Offset Table and compute the offsets from the various relocation entries in the ELF binary. The GOT will then be added as another section to the ELF file, and the offsets will be overwritten in-place.

My question is: is this the right approach? Is there precedent for injecting code into an existing PSX game? While working on the loader, I realized that an alternative approach would be to separate out global variables (data) and helper functions into distinct objects and load these independently. The problem with this is that I would need to hardcode the destination addresses for these variables in my code, which would be fragile if I ever moved these around or wanted to add new functionality later.

I'd appreciate someone's help on this topic. Thanks!
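Steps 4 and 5 above (redirect an existing JAL at a payload, then bake that into the PS-X EXE) amount to two pieces of bookkeeping that are easy to get subtly wrong: the 26-bit j/jal target field only covers the 256 MiB region of the delay-slot PC, and the header's t_size field must stay a multiple of 0x800 after the payload is appended. The following is an added example, not code from the original post or from any game; it uses the PS-X EXE header layout as published in community documentation (magic at 0x00, initial PC at 0x10, load address at 0x18, body size at 0x1C, initial SP at 0x30, body at 0x800), and every address, instruction word and payload below is constructed for the demonstration rather than taken from a real binary.

```python
"""Added example: build a tiny constructed PS-X EXE image in memory, append a
payload after the loaded body, and redirect one jal instruction to it while
keeping the header consistent. Nothing here is from a real game."""
import struct

HEADER_SIZE = 0x800          # PS-X EXE header occupies one 2 KiB sector
SECTOR = 0x800               # t_size must be a multiple of this
OP_J, OP_JAL = 2, 3          # MIPS I primary opcodes for j / jal


def build_psx_exe(t_addr, pc0, code):
    """Construct a minimal PS-X EXE: 0x800-byte header followed by `code`,
    which the BIOS loads at t_addr. Only the header fields needed here are set."""
    body = code + b"\0" * (-len(code) % SECTOR)      # pad body to a sector boundary
    hdr = bytearray(HEADER_SIZE)
    hdr[0:8] = b"PS-X EXE"
    struct.pack_into("<I", hdr, 0x10, pc0)           # initial PC
    struct.pack_into("<I", hdr, 0x14, 0)             # initial GP (unused here)
    struct.pack_into("<I", hdr, 0x18, t_addr)        # destination address in RAM
    struct.pack_into("<I", hdr, 0x1C, len(body))     # size of body in bytes
    struct.pack_into("<I", hdr, 0x30, 0x801FFFF0)    # initial SP (constructed value)
    return bytes(hdr) + body


def encode_jump(opcode, pc, target):
    """Encode j/jal located at `pc` jumping to `target`. The 26-bit field holds
    target >> 2; the top four address bits are taken from the delay-slot PC, so
    jump and target must share the same 256 MiB region."""
    if (target & 3) or (pc & 3):
        raise ValueError("jump and target must be word aligned")
    if (target & 0xF0000000) != ((pc + 4) & 0xF0000000):
        raise ValueError("target lies outside the 256 MiB region of the jump")
    return (opcode << 26) | ((target >> 2) & 0x03FFFFFF)


def decode_jump(word, pc):
    """Return (opcode, absolute target) for a j/jal word fetched at `pc`."""
    op = word >> 26
    if op not in (OP_J, OP_JAL):
        raise ValueError("word at hook address is not a j/jal instruction")
    return op, ((pc + 4) & 0xF0000000) | ((word & 0x03FFFFFF) << 2)


def inject_payload(exe, payload, hook_addr):
    """Append `payload` to the EXE body and rewrite the j/jal at `hook_addr`
    to target it. Returns (new_exe, payload_addr, original_target)."""
    if exe[0:8] != b"PS-X EXE":
        raise ValueError("not a PS-X EXE image")
    t_addr, t_size = struct.unpack_from("<II", exe, 0x18)
    body = bytearray(exe[HEADER_SIZE:HEADER_SIZE + t_size])
    payload_addr = t_addr + len(body)                # body is sector aligned, so word aligned
    body += payload
    body += b"\0" * (-len(body) % SECTOR)            # keep t_size a multiple of 0x800
    off = hook_addr - t_addr
    if not 0 <= off <= len(body) - 4:
        raise ValueError("hook address is outside the loaded image")
    word, = struct.unpack_from("<I", body, off)
    op, old_target = decode_jump(word, hook_addr)    # refuse to patch a non-jump word
    struct.pack_into("<I", body, off, encode_jump(op, hook_addr, payload_addr))
    hdr = bytearray(exe[:HEADER_SIZE])
    struct.pack_into("<I", hdr, 0x1C, len(body))     # update body size in the header
    return bytes(hdr) + bytes(body), payload_addr, old_target


def demo():
    """Constructed sample: filler, a `jal 0x80010100` at 0x80010020, more filler."""
    t_addr = 0x80010000
    hook_addr = t_addr + 0x20
    code = (b"\0" * 0x20
            + struct.pack("<I", encode_jump(OP_JAL, hook_addr, 0x80010100))
            + b"\0" * 0x40)
    exe = build_psx_exe(t_addr, t_addr, code)
    # Constructed stand-in for a cross-compiled function: `jr $ra ; nop`.
    payload = bytes.fromhex("0800e003" "00000000")
    new_exe, payload_addr, old_target = inject_payload(exe, payload, hook_addr)
    word, = struct.unpack_from("<I", new_exe, HEADER_SIZE + 0x20)
    return {
        "old_target": old_target,
        "payload_addr": payload_addr,
        "new_target": decode_jump(word, hook_addr)[1],
        "t_size": struct.unpack_from("<I", new_exe, 0x1C)[0],
        "total_len": len(new_exe),
    }


if __name__ == "__main__":
    print({k: hex(v) for k, v in demo().items()})
```

The region check in encode_jump is the one that matters in practice: a payload appended at the end of a large image can still be reached with jal only while both addresses keep the same upper four bits, and the original target returned by inject_payload is what a replacement function needs if it intends to call through to the code it displaced.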

Shadow
Verified
Admin / PSXDEV
Posts: 2670
Joined: Dec 31, 2012
PlayStation Model: H2000/5502
Discord: Shadow^PSXDEV

Post by Shadow » September 4th, 2018, 11:51 am

Why not just make a PS-EXE that loads before the 'Dance Dance Revolution EXTREME' PS-EXE, do your hacks, and then execute the 'Dance Dance Revolution EXTREME' from your PS-EXE as a new process?

As for injecting the code, what you want is a trainer. There is one on the forums here that you can use.
Development Console: SCPH-5502 with 8MB RAM, MM3 Modchip, PAL 60 Colour Modification (for NTSC), PSIO Switch Board, DB-9 breakout headers for both RGB and Serial output and an Xplorer with CAETLA 0.34.

PlayStation Development PC: Windows 98 SE, Pentium 3 at 400MHz, 128MB SDRAM, DTL-H2000, DTL-H2010, DTL-H201A, DTL-S2020 (with 4GB SCSI-2 HDD), 21" Sony G420, CD-R burner, 3.25" and 5.25" Floppy Diskette Drives, ZIP 100 Diskette Drive and an IBM Model M keyboard.

zanneth
What is PSXDEV?
Posts: 4
Joined: Sep 04, 2018
I am a: Programmer, Reverse Engineer
PlayStation Model: sys573

Post by zanneth » September 5th, 2018, 5:32 pm

Thanks for the reply Shadow.

As for your first point, I'm not exactly sure what you mean. What is the advantage of patching in a PS-EXE running on the arcade hardware before the game boots, when I can do it on my PC instead?

A trainer is not quite what I'm looking to build. This is not a program that is running alongside the game—instead I want this code to run as if it was part of the original game binary. For example, I want to change existing features in the game to behave in a slightly different way. I am not necessarily adding new menus or levels.

Shadow
Verified
Admin / PSXDEV
Posts: 2670
Joined: Dec 31, 2012
PlayStation Model: H2000/5502
Discord: Shadow^PSXDEV

Post by Shadow » September 6th, 2018, 12:48 am

zanneth wrote: September 5th, 2018, 5:32 pm
Thanks for the reply Shadow.

As for your first point, I'm not exactly sure what you mean. What is the advantage of patching in a PS-EXE running on the arcade hardware before the game boots, when I can do it on my PC instead?

A trainer is not quite what I'm looking to build. This is not a program that is running alongside the game—instead I want this code to run as if it was part of the original game binary. For example, I want to change existing features in the game to behave in a slightly different way. I am not necessarily adding new menus or levels.
There isn't any advantage, other than it's much easier than hacking the binary itself because it can be a little bit tricky.