I want to learn how to create correctly CWCHEATS for PSP avoiding "decoy" addresses.
|
11-23-2023, 04:44 PM
(This post was last modified: 11-23-2023 04:47 PM by juanjose123422.)
Post: #1
|
|||
|
|||
I want to learn how to create correctly CWCHEATS for PSP avoiding "decoy" addresses.
Questions about creating cwcheats and decoy addresses?
SORRY IMAGES DIDN'T LOAD ENGLISH:https://docs.google.com/document/d/15rVK9tBWqTojB7b0Lpq65iYom4eh2tZD/edit?usp=drive_link&ouid=107037169011478760000&rtpof=true&sd=true SPANISH:https://docs.google.com/document/d/1YZcVlFtND-nBWfIlTO0DEPULTlZiGigt/edit?usp=drive_link&ouid=107037169011478760000&rtpof=true&sd=true Hello community of ppsspp forums, cheat engine and others, I created this post because as I progress in creating cheats for psp games, more and more new questions arise, to the point of creating confusion due to my little or no knowledge in the topic, since when creating a cheat you must know a little logic to find the direction of the cheat we are looking to create, for most this is something simple and I believed the same until today when I came across With certain doubts when analyzing one of the tricks that were created a long time ago by an unknown person, well without further ado I'm going to get straight to the point. I think that, all this time, I and most of the people who create psp cheats have been creating psp cheats the wrong way. What I mean by this? Allow me to explain why I came to this conclusion, and I clarify that I do not know if I am correct or not, that is why I turn to you who have a huge advantage over me on this issue and help me solve these doubts. So to put them in context I will show the ones that I usually use when creating cheats, something like a mini tutorial. 1. I open cheat engine previously configured to be able to interact with the emulator, that is. (In my case I prefer to use the 32-bit version) a. I go to cheat engine settings - scan settings - MEM_MAPPED- and check it ✔ b. I go to cheat engine settings – Extra – and check the first 3 options ✔ 2. I open the PPSSPP emulator in its 32-bit version and configure it as follows. The emulated PSP model is 1000 since, as most of you know, its memory range was shorter therefore the search range is smaller. As you can see in my debugging options, the option to ignore readings is not activated, and I do not usually activate it, since this way I know that when I activate a cheat that I have created, it is detected or not, if erroneous writes are generated when activating a cheat, I can know if it is a cheat that will damage my game or crash my game, if it is not detected and does not cause erroneous writing, then that is the cheat that works for me. 3. Now I am going to use the game God of War: Chains of Olympus for this example. The European version UCES00842, but also applies to the American version UCUS98653 4. Now I press the copy button on the base memory address. 5. I open the Windows 10 calculator and put it in programmer mode 6. 18000000 <<< is the address that we copy to it and add + 8800000 And it will give us 20800000 as a result. 7. This result will be the start address in cheat engine 20800000. 8. We add + 1800000 to the start address and it will give us 22000000. 9. This result will be the stop address in cheat engine 22000000. 10. We select the process and add the addresses. 11. Why is 8800000 added to the base address in the first place? That's because the emulator emulates a physical psp and the memory range where the addresses on a physical psp start to execute is 08800000 12. Why is 1800000 added at the end? It is to limit the search range, but it is not necessary, it works perfectly with FFFFFFFF as well, only the range is wider in this case. 13. Now let's look for Kratos' life address, usually it is a floating address. In my case I already know that the value of life is 100. We just have to wait for it to decrease and filter the addresses that appear. 14. In this case 21E3D1A4 is the direction of Life. 15. I select the address and press the F6 key 16. This will show what directions they write to Kratos' life. 17. We press the stop button, then we select the address that appeared as you will see below. 18. We click on the more information button. 19. The extra information box appears. Which will tell us that the probable pointer address is 09E3D140 20. We return to the previous box and click to show disassembly. 21. It will show us the following information 22. We select it and replace it with code that does nothing (NOP) 23. We click OK 24. By noping life is no longer affected, we can also see that it remained at 98.5 from the first time we filtered. 25. I restore the original code, freeze life on cheat engine and continue the game. 26. Now we are looking for a “POINTER” or a static address, in the case of ppsspp there are no pointers, there are external tools that calculate pointers through memory dumps, but those pointers are dynamic addresses so it is NOT what we are looking for. 27. So if there are no pointers, how do you do it? The closest thing to a pointer in an emulator is to search for the origin of the address that has the value of life. To do this we doing the next Previously we had a box where it showed us extra information, which gave us the result that the probable pointer address is 09E3D140. 28. We'll use that address to find out if it's true. We select the emulator, pause the game and then do the following command, without leaving the emulator. CTRL+D 29. This box will open. Here is a broader example. 30. We paste the address 09E3D140 in the go to box and press enter. As you can see the address is in formatNOPEnothing is executed in it, the same with the next address which is 09E3D144, therefore, if we try to make a breakpoint either reading or writing nothing will happen, therefore, the cheat engine was wrong. 31. Then all that remains is to try to do the same with the address that we found in the cheat engine, that is, with this one: 32. We challenge that address with the start address: 21E3D1A4 – 20800000 = 163D1A4 33. To that result we add 8800000: 163D1A4 + 8800000 = 9E3D1A4 34. The address 9E3D1A4 is equivalent to 21E3D1A4 since 21E3D1A4 is cheat engine format and 9E3D1A4 is disassembler format. 35. Now we paste the address into the disassembly tool and press enter. 36. This time it does have information that is executed in it, we click on the top button to make a breakpoint, to that breakpoint we add the address and we only select the write option, since we want to modify what is written in it, so that it stops it, and select on change and click OK, as follows. 37.We resume the game and wait for an enemy to hit us, so that before we get hit, the condition that we established at the breakpoint is executed. 37. 5 (IMAGE BEFORE BEING HIT AND EXECUTION OF THE BREAKPOINT) 38. The direction highlighted in red is the global direction of life, that is, the address088516D0 sets both the life of the player and the enemies,that is it, this address IT'S NOT WHAT I'M LOOKING FOR since by noping the direction Kratos is immortal but also are his enemies. 39. What I'm looking for is the direction that only maintains Kratos' life, but didn’t affect the enemies. IMPORTANT POINT AND THE QUESTION OF THIS FORUM. 40. So this is the important point as I believe the address we found in the first place was a decoy address. That is to say, it is not the direction of the original life, although it is associated with life in general. What we are looking for is Kratos' life and nothing more than that. As many of you already know, there is a file called cheat.db that contains the cheats for most PSP games, and this game is one of them. By doing a kind of reverse engineering of the cheats that come in that file, we find the following: _C0 Infinite Health _L 0x20365CC4 0x00000000 _C0 Infinite Magic _L 0x20365CCC 0x00000000 _C0 One Hit Kill _L 0x20365CC8 0x461C3C00 _C0 Orb Multiplier x4 _L 0x20365CC0 0x40800000 _C0 Orb Multiplier x16 _L 0x20365CC0 0x41800000 _C0 Orb Multiplier x64 _L 0x20365CC0 0x42800000 _C0 Orb Multiplier x128 _L 0x20365CC0 0x43000000 As you can see all the addresses are in really close ranges. If we convert the first _C0 Infinite Health _L 0x20365CC4 0x00000000 In cheat engine format and also in disassembler format we have the following addresses: The first bit of the address 20365CC4 is ignored 0365CC4 Cheat engine: 365CC4 + 20800000 = 20B65CC4 Disassembler: 365CC4 + 8800000 = 8B65CC4 As you can see in the disassembler all the addresses are in close ranges If we press the TAB key we see that its values are fixed floating And in the cheat engine the life value is 0.5 By modifying the life value to 0, Kratos' life is static, but the enemies life is not affected, that is it, the only one who has infinite life is Kratos, and his enemies can die. Therefore, the trick only affects Kratos' life and only his life,THIS IS WHAT I'M LOOKING TO DO. The million dollar question is...HOW THE PERSON WHO CREATED THESE TRICKS FOUND THOSE ADDRESSES? SINCE THEY ARE STATIC VALUES, WHEN YOU HIT KRATOS THE VALUE IS STILL 0.5 AND WHEN HE DIES IT IS STILL 0.5, IT DOES NOT CHANGE AT ANY TIME, HOW HE DID THE FILTERING TO REACH THOSE ADDRESSES?, WHAT PROCESS DID?, HOW HE DID IT IN GENERAL? I hope someone can answer this question for me, since that is why I made this guide as a question. |
|||
11-24-2023, 03:00 AM
Post: #2
|
|||
|
|||
RE: I want to learn how to create correctly CWCHEATS for PSP avoiding "decoy" addresses.
Your post is really long and hard to follow, some information is just incorrect/outdated(like PSP games not using pointers in emulator or PSP model setting limiting memory which is actually always limited and only extended with using a flag in homebrew game and a special exception list affecting only remasters and prototypes, recommending 32 bit version etc.) and you make simple things which can easily be automated into some sort of hard to follow guide. Also you use the term "replace it with code that does nothing (NOP)" which is used in cheat engine and you really don't want cheat engine to modify any of the code or even use it to view any game code since it doesn't support MIPS and can only view emulator's code which is not something you want to mess around, heck without disabling JIT it will not even be able to show real hexadecimal values of PSP game code as it will see JITted code instead. Ignore illegal reads/writes is also not way to ensure cheat is safe, there are plenty of ways to not only crash the game, but to completely mess your savedata by incorrect cheat which wouldn't count as "illegal read/write", in fact some PSP "legends" about "hackers" destroying people's savedata is nothing more, but a poorly made cheat like in some patapon game cheat which works as intended in one moment of the game, but if active in any other moment will silently break stuff in a way that's hard to notice until much later.
There's no such thing as "decoy" or really anything trying to make cheating harder, I mean sure rarely there are anti-cheating methods like hashing of memory in Final Fantasy Type 0, but those are obvious and easy to disable and they are very verbose about being intentional, everything else that makes your life harder is just basic optimizations of the code. If you have functions in your code that are doing roughtly the same thing, compilers will optimize that into one function and just call it from whenever other code that needs it. You need to trace the code back to whatever you want to find, same principle for finding constant values. Find something related to a constant which is variable, then trace the code to find that constant, for example to change LOD of some 3D game which will almost surely be constant, you can first look for your coordinates on the map which are variable and then trace the code until you find where they are used together. I can only recommend 2 things: - learning MIPS how to read and follow game's code, - opening your mind to programming and figuring out how game's work instead of looking at already created cheats trying to guess how others made it as there's plenty of ways to do the same things, but if you close your mind on some weird idea coming from your limited knowledge, you might not find any way to do anything. http://forums.ppsspp.org/showthread.php?tid=6594 - Custom PPSSPP Shaders! http://forums.ppsspp.org/showthread.php?tid=3590&pid=117172#pid117172 - simple CE scripts to help creating CWCheats, https://github.com/LunaMoo/PPSSPP_workarounds - CWCheat workarounds. |
|||
« Next Oldest | Next Newest »
|