Rewriting JAL/JMP Instructions To Execute Custom MIPS Assembly In Games With GameShark Codes

Members research, findings and information that can be useful towards the PlayStation 1.
alexfree
Verified
Extreme PSXDEV User
Extreme PSXDEV User
Posts: 221
Joined: Oct 21, 2021
I am a: Programmer, Gamer
PlayStation Model: SCPH-1000
Location: USA
Contact:

Post by alexfree » January 12th, 2023, 12:59 pm

https://alex-free.github.io/tonyhax-int ... -code.html

Last week I had this crazy idea. For some context, this is how a save game exploit roughly works to start the Tonyhax loader:

1) A file on a PS1 memory card contains the Tonyhax International PS-EXE as well as a save game (which is disc-specific). The save game file contains a small stage 1 loader written in MIPS assembly which has one job: load a specific PS-EXE file off of the memory card in slot 1.

The original Tonyhax's stage 1 loader is a tiny bit bigger than the `standard` stage 1 loader in Tonyhax International due to the difference in the file name that is loaded from the memory card (bu00:HAX is shorter).

Tonyhax International has a special 'bare-bones' version of the stage 1 loader that is much smaller than even the 'standard' stage 1 loader in Tonyhax International, for certain save game exploits that simply cannot use the larger 'standard' stage 1 loader during exploitation. This `bare-bones` loader is a mere 0xb5 bytes in size (181 bytes in decimal).

2) In the specific game, you load the save game exploit file and do something specific to trigger the exploit.

3) The exploit's end goal is to change the return address to an available area in RAM which contains the stage 1 loader. When the save game exploit file is loaded into memory, the stage 1 loader is transferred from the memory card to the console RAM.

Once the return address is changed the CPU will start executing the instructions in the stage 1 loader and will start the Tonyhax International PS-EXE file on the memory card in slot 1, transferring control.

=======================
Now, to the idea. The GameShark cheat devices were originally cartridges that plugged into the back of the PSX console. The problem with this was that eventually in the SCPH-900X and SCPH-10X console models this cartridge port disappeared. Another obvious thing is that the PS2 can't use such a device. In response, the cheat device makers switched to a CD based cheat system. The GameShark CD versions can work on all USA PS1s and early PS2s since they are seen as a real licensed SCEA disc by the console.

The best thing about the old cheat cart GameSharks was the swap trick that they had. GameShark v2.0-v3.2 all had an easy swap trick that involves no hot-swapping of a moving disc. GameShark CDX v3.3 and the GameShark Lite are CD versions which had no such ability. The GameShark CD v4.0 and newer actually restored this ability in a new swap trick method: http://www.psxdev.net/forum/viewtopic.p ... 157#p22157 .

While this still means that the first GameShark CD versions do not have a built in swap trick back door (specifically the GameShark Lite and GameShark CD X v3.3) these versions do obviously have the ability to enter cheat codes. By using an `80` type code, a cheat code can do a constant write of 2 bytes to anywhere in RAM. So if you find a large section of empty, zeroed out, unused RAM in a running game, you can just write whatever you want to that part of RAM. By using 90 `80` type codes, the entire `bare-bones` stage 1 loader can be arbitrarily placed into RAM. You'd think it would be 91 codes since the loader is 0xb5 bytes, however the last byte is 00 in the `bare-bones` loader to terminate the file name to load off of the memory card. Since the entire stage 1 loader is placed into an already zeroed out area of RAM, we don't actually need a code to set that last byte.

So this works, the whole stage 1 loader is in RAM. Now for changing the return address like the save game exploit does. What I did was start a game and press start at the title menu. I noted the return address displayed in my emulator's debug output. I found the exact return address in RAM before entering the title screen after resetting the console to boot the game again. I then simply created 2 `D0` compare codes. These codes can change 2 bytes in RAM as soon as it detects 2 specific bytes at a specific RAM address. By creating 2 `D0` codes, I changed one of the functions that has to do with the start screen to instead return into the `bare-bones` stage 1 loader address in unused RAM.

After a few seconds, it works. Tonyhax International loads off a memory card file, and resets the whole console/BIOS state removing the GameShark codes that were enabled to bring it up.
Last edited by alexfree on March 29th, 2023, 10:22 am, edited 3 times in total.
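The `80` and `D0` code mechanics described in the post above, as an added worked example in C (not the author's code and not taken from GSHAX Tool): it converts an arbitrary byte payload into 16-bit GameShark write codes for a chosen base address, skips halfwords that are already zero (which is why a 0xb5-byte loader whose last byte is 00 needs 90 codes rather than 91 when the destination RAM is zeroed), and emits a `D0` conditional write pair. The base address 0x801FFC00, the payload contents and the addresses in the conditional example are constructed for illustration and do not come from any real game.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PS1 GameShark code layout as used in the post: "TTAAAAAA VVVV", where TT is
 * the code type, AAAAAA the low 24 bits of the KSEG0 RAM address (0x80XXXXXX)
 * and VVVV a 16-bit value. Type 80 = constant 16-bit write; type D0 = apply
 * the following code only while the halfword at AAAAAA equals VVVV. */
#define GS_CODE_LEN 14   /* 8 hex + space + 4 hex + NUL */

enum { GS_WRITE16 = 0x80, GS_IF_EQ16 = 0xD0 };

static void gs_format(unsigned type, uint32_t addr, uint16_t value, char out[GS_CODE_LEN])
{
    snprintf(out, GS_CODE_LEN, "%02X%06X %04X", type, (unsigned)(addr & 0x00FFFFFF), (unsigned)value);
}

/* Turn a binary payload into 80-type codes that place it at `base`.
 * Each code writes one little-endian halfword; an odd trailing byte is padded
 * with 0x00. Halfwords equal to 0x0000 are skipped, which is only safe when
 * the destination RAM is already zeroed (the post's assumption).
 * Returns the number of codes emitted, or 0 if `out` is too small. */
size_t gs_codes_for_blob(uint32_t base, const uint8_t *blob, size_t len,
                         char out[][GS_CODE_LEN], size_t max_codes)
{
    size_t n = 0;
    for (size_t off = 0; off < len; off += 2) {
        uint16_t lo = blob[off];
        uint16_t hi = (off + 1 < len) ? blob[off + 1] : 0x00;
        uint16_t half = (uint16_t)(lo | (hi << 8));   /* PS1 is little-endian */
        if (half == 0x0000)
            continue;                                 /* RAM already holds 0000 */
        if (n == max_codes)
            return 0;
        gs_format(GS_WRITE16, base + (uint32_t)off, half, out[n++]);
    }
    return n;
}

/* Conditional write: the 80 code only fires while the halfword at check_addr
 * equals `expect`. Two such pairs are enough to patch one 32-bit word. */
void gs_cond_write16(uint32_t check_addr, uint16_t expect,
                     uint32_t write_addr, uint16_t value, char out[2][GS_CODE_LEN])
{
    gs_format(GS_IF_EQ16, check_addr, expect, out[0]);
    gs_format(GS_WRITE16, write_addr, value, out[1]);
}

/* Constructed stand-in for a 0xb5-byte loader: 180 bytes of non-zero filler
 * followed by a single NUL, mimicking a payload that ends in a zero-terminated
 * file name. This is NOT the real Tonyhax loader. */
size_t build_demo_payload(uint8_t *buf, size_t cap)
{
    const size_t len = 0xb5;
    if (cap < len)
        return 0;
    for (size_t i = 0; i < len - 1; i++)
        buf[i] = (uint8_t)(0x21 + (i % 0x5e));        /* printable, never 0x00 */
    buf[len - 1] = 0x00;
    return len;
}

int main(void)
{
    uint8_t payload[0x100];
    char codes[128][GS_CODE_LEN];
    size_t len = build_demo_payload(payload, sizeof payload);
    size_t n = gs_codes_for_blob(0x801FFC00, payload, len, codes, 128);   /* hypothetical base */

    printf("%zu bytes -> %zu codes\n", len, n);
    for (size_t i = 0; i < n; i++)
        printf("%s\n", codes[i]);
    return 0;
}
```

The zero-skip is the one place this can go wrong on real hardware: it is correct only if the chosen region really is untouched by the game for the whole time the codes are active, so confirm with a memory viewer that the region stays zeroed across the point where the codes are triggered rather than assuming it from a single snapshot.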


Post by alexfree » January 28th, 2023, 11:57 am

With the help of @MottZilla, I have reverse engineered the GameShark Lite save game file format and have created a tool which can automatically create valid GameShark Lite save game files containing custom GameSharkHAX codes.

This same tool can also simply output GSHAX codes to a plain old .txt file. I have written some documentation explaining how to find and create new GSHAX codes using this tool at https://alex-free.github.io/gshax-tool .


Post by alexfree » March 10th, 2023, 9:58 am

v1.0.1 has been released, which includes a new 'Mode 1'. This allows a different exploit vector that enabled me to make a GSHAX code for my favorite game, Parasite Eve ;)

https://github.com/alex-free/gshax-tool ... e-code.txt


Post by alexfree » March 29th, 2023, 10:11 am

v2.0 has been released, which uses an entirely new, more powerful method. This now works by rewriting a jump or jump and link instruction to go to a custom free RAM address which contains the stage 1 loader. This can now essentially work with any game (in theory).

I wrote a lot about how to make codes at the homepage: https://alex-free.github.io/gshax-tool .

https://alex-free.github.io/gshax-tool/#downloads
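The jump rewrite behind v2.0, as an added example in C rather than GSHAX Tool's own code: it encodes and decodes MIPS J/JAL instructions, refuses to retarget a word that is not actually a jump, and emits the two 80-type codes needed to overwrite the 32-bit instruction one halfword at a time. The addresses 0x80012340 (where a `jal` is assumed to sit), 0x80034560 (its original target) and 0x801FFC00 (where the loader is assumed to have been placed) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GS_CODE_LEN 14   /* "80AAAAAA VVVV" + NUL */

enum { MIPS_OP_J = 0x02, MIPS_OP_JAL = 0x03 };
#define MIPS_JINDEX_MASK 0x03FFFFFFu

/* J and JAL are a 6-bit opcode followed by a 26-bit word index; the CPU
 * forms the destination as (delay_slot_pc & 0xF0000000) | (index << 2). */
static uint32_t mips_encode_jump(uint32_t opcode, uint32_t target)
{
    return (opcode << 26) | ((target >> 2) & MIPS_JINDEX_MASK);
}

uint32_t mips_j(uint32_t target)   { return mips_encode_jump(MIPS_OP_J, target); }
uint32_t mips_jal(uint32_t target) { return mips_encode_jump(MIPS_OP_JAL, target); }

int mips_is_jump(uint32_t instr)
{
    uint32_t op = instr >> 26;
    return op == MIPS_OP_J || op == MIPS_OP_JAL;
}

/* Resolve the destination of a J/JAL located at address `pc`. */
uint32_t mips_jump_target(uint32_t instr, uint32_t pc)
{
    return ((pc + 4) & 0xF0000000u) | ((instr & MIPS_JINDEX_MASK) << 2);
}

/* Keep the opcode (J stays J, JAL stays JAL) but point it at new_target.
 * Returns 0 when `instr` is not a jump so a caller cannot blindly clobber
 * some unrelated instruction it found at the address. */
uint32_t mips_retarget_jump(uint32_t instr, uint32_t new_target)
{
    if (!mips_is_jump(instr))
        return 0;
    return mips_encode_jump(instr >> 26, new_target);
}

/* Emit the two 16-bit write codes that replace the 32-bit word at `addr`.
 * The PS1 is little-endian: low halfword at addr, high halfword at addr + 2.
 * Returns the number of codes written (always 2). */
int gs_patch_word(uint32_t addr, uint32_t word, char out[2][GS_CODE_LEN])
{
    snprintf(out[0], GS_CODE_LEN, "80%06X %04X",
             (unsigned)(addr & 0x00FFFFFF), (unsigned)(word & 0xFFFF));
    snprintf(out[1], GS_CODE_LEN, "80%06X %04X",
             (unsigned)((addr + 2) & 0x00FFFFFF), (unsigned)(word >> 16));
    return 2;
}

int main(void)
{
    /* Hypothetical: the game has `jal 0x80034560` at 0x80012340 and the
     * stage 1 loader has already been written to 0x801FFC00. */
    uint32_t pc = 0x80012340;
    uint32_t original = mips_jal(0x80034560);
    uint32_t patched = mips_retarget_jump(original, 0x801FFC00);
    char codes[2][GS_CODE_LEN];

    printf("original %08X at %08X -> target %08X\n",
           (unsigned)original, (unsigned)pc, (unsigned)mips_jump_target(original, pc));
    if (!patched) {
        puts("word is not a J/JAL, refusing to patch");
        return 1;
    }
    gs_patch_word(pc, patched, codes);
    printf("patched  %08X -> target %08X\n%s\n%s\n",
           (unsigned)patched, (unsigned)mips_jump_target(patched, pc), codes[0], codes[1]);
    return 0;
}
```

Two things to keep in mind when using this on a real title: the 26-bit index only reaches addresses in the same 256 MB region as the instruction being patched (always true for the PS1's 2 MB of RAM at 0x80000000, but the check is cheap), and the instruction in the jump's delay slot still executes before the loader receives control. Since the game only has the target code in RAM after it has loaded that part of itself, guarding the two 80 codes with D0 compares on the original instruction's halfwords, as the first post does for its return-address patch, keeps the rewrite from landing on whatever was in that memory earlier.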


Post by alexfree » April 4th, 2023, 7:03 am

v2.0.1 update:

The MIPS assembly binary padding offset is now calculated automatically by the tool itself, which means GSHAX Tool now requires 7 arguments instead of 8.
