PS2 Game Hacking - Finding instructions in binary

MichiS97

Hi all,

tl;dr: Shadow of the Colossus main binary doesn't seem to contain the entire code of the game...where else can I look?

I'm a bit stumped with a technical question regarding PS2 games right now and I'm hoping somebody here can help me.
I love writing assembly based cheat codes for games and I have a ton of experience doing just that on Nintendo systems but I'm kinda new to the Playstation side of things.
Anyway, right now I'm trying to hack Shadow of the Colossus for the PS2 to give myself infinite health and infinite stamina. (Yes, of course, cheats like this definitely already exist but I want to do it myself)
Using the debugger in PCSX2 I was quickly able to determine the function which calculates the player's health and stamina and I was able to patch two branch instructions so that the current max health and stamina values that a player can have at any point in the game are always written into the offsets for the current values, so the game literally always stores the max values instead of a subtracted value. So that's nice. I was then able to write a pnach file for PCSX2 which handles that exact patch and I'm pretty sure I have also made a correct CHT file for OPL to play the game using my cheats on real hardware, which is always my goal. So far so good.
However, my end goal would be to patch those two instructions directly in the executable of the game, allowing myself to burn a copy of the game using my hack and it would immediately work on all systems that are able to run backups without having to rely on ps2rd or anything.
My problem is: I cannot find the instructions that I found in RAM with PCSX2 and that I modify for my cheats anywhere in the game's binary (SCES_533.26) nor anywhere else in the entire ISO.
Are some PS2 executables compressed? I don't think so because I couldn't find anything about that online but that's the only explanation I have left.
Binwalk tells me that IOPRP300.IMG also contains ELFs but those also don't seem to contain the bytes that I'm looking for?
I know that there are ways to basically hardcode pnach patches directly into a game by basically hardcoding in a patch handler into the game but this really isn't what I'm looking for. I know that the type of mod that I'm looking to do isn't necessary or the only way to achieve playing a game with cheats but I'm just trying to learn from this.

Any help?
 
Looks like the game does use code overlays. They could be loaded from anywhere on the disc. Moreover, they could be stored (in fact, they likely are most of the time) in encrypted/packed/obfuscated form. You have to reverse engineer the function responsible for loading and unpacking the overlay (or look for the information on the web, if the game is popular among hackers). I am a lazy guy, so I usually write a hook for runtime code patching.
 
As Agrippa says, SotC uses relocatable binaries in the XFF custom SotC format (not used anywhere else). XFF (maybe eXecutable / eXtensible File Format) is just a converted relocatable ELF. I made a converter from ELF relocatable object files to XFF for the purpose of adding code to the game in 2016. It has a similar structure to ELF, but some structures are different, carrying similar information in a slightly different form.

SotC uses three main types of data:
- executable - in xff2 format (same as XFF basically), used to store executable code. All of them are in the disc filesystem of the game.
- data - Excel CSV sheets converted to C structures and then compiled as object files and converted to XFF format
- resources - some are again in XFF container (again structures inside + relocation) while others are bare structures with no container - depending on the developer who made them and dev decisions.
The resources and data sheet files are all stored in the NICO.DAT file (without exception) in a custom read-only filesystem (mostly just files grouped in per-stage segments and put one after another in NICO.DAT, called a "merge file"). ICO on the other hand uses a gzip-compressed merge file in a different format.

BTW, all the above are only on the EE. On the IOP only IRX are used in the normal way.

Nothing in this game is protected and it does not include any encryption mechanisms. Thanks to XFF it is also very easily extendable, and all named functions can be referenced (and called) by name, as long as their arguments and return values are known.

The code from the game (as loaded in RAM) can be found in all XFFs in the files of the game on the disc filesystem. The reason a search won't find it in the XFFs is that many instructions are relocated (which includes most lui/addiu pairs, all references to addresses, all direct jumps and so on). They can in theory be found if a search is used for longer data blocks, with the parts altered by relocation masked (not compared). But also, as relocation does change the addresses being referenced, one cannot patch those instructions on the disc, because their address-referencing fields will change on load, so the only way is a runtime patch. Also, because files are relocatable, and due to some random memory alloc occurrences, the locations where the sections from the code XFFs are loaded sometimes change on different resets. Somebody made cheats that patch the loader in such a way that those random changes are highly avoided, so the code basically stays at the same addresses when the XFFs' contents and sizes are not changed. I don't remember where those cheats are but a search on the net should find them. Do note that all cheats change for the different game versions (as usual).

Shadow of the Colossus has a semi-active fan-games and modding community, so if you are interested you can join its Discord servers (there are a few). Sadly there are very very few people doing code modding on the game currently.
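The masked search described in the previous post, as an added example that is not part of the thread and not code from any of its participants. It models the simplest case of what a relocating loader rewrites in MIPS code: the 16-bit immediates of lui/addiu (HI16/LO16 fixups) and the 26-bit target of j/jal. Those fields are masked out and everything else is compared exactly, so a sequence copied from PCSX2's RAM view can be located in a relocatable file where the same fields still hold their unresolved values. It masks every lui/addiu and j/jal, which is a superset of what is actually relocated (a plain stack adjust gets masked too), so it may over-match but will not miss. The instruction words and the file image are constructed for the example, not taken from the game.

```python
"""Masked search for a relocated MIPS (PS2 EE, little-endian) instruction sequence.

Added example for illustration; all sample words and offsets are constructed.
"""
import struct
from typing import List

# MIPS32 primary opcodes (bits 31..26) whose operand field a relocating
# loader rewrites: HI16/LO16 fixups on lui/addiu, R_MIPS_26 on j/jal.
OP_J, OP_JAL, OP_ADDIU, OP_LUI = 0x02, 0x03, 0x09, 0x0F
MASK_IMM16 = 0xFFFF0000  # compare all but the 16-bit immediate
MASK_J26 = 0xFC000000    # compare only the 6-bit opcode of j/jal
MASK_FULL = 0xFFFFFFFF   # compare the whole word


def reloc_mask(word: int) -> int:
    """Bits of `word` that survive relocation unchanged (assumption: every
    lui/addiu and j/jal is treated as relocated; branches are PC-relative and
    are compared in full)."""
    op = word >> 26
    if op in (OP_LUI, OP_ADDIU):
        return MASK_IMM16
    if op in (OP_J, OP_JAL):
        return MASK_J26
    return MASK_FULL


def masked_search(haystack: bytes, pattern: List[int]) -> List[int]:
    """Byte offsets in `haystack` where the instruction words in `pattern`
    match after masking the relocated fields of each word."""
    masks = [reloc_mask(w) for w in pattern]
    n = len(pattern)
    hits = []
    # Code is 4-byte aligned, so only aligned offsets need checking.
    for off in range(0, len(haystack) - 4 * n + 1, 4):
        words = struct.unpack_from(f"<{n}I", haystack, off)
        if all((w & m) == (p & m) for w, p, m in zip(words, pattern, masks)):
            hits.append(off)
    return hits


def find_exact(haystack: bytes, pattern: List[int]) -> List[int]:
    """Plain byte search for comparison; fails once any field was relocated."""
    needle = struct.pack(f"<{len(pattern)}I", *pattern)
    hits, pos = [], haystack.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = haystack.find(needle, pos + 1)
    return hits


# Constructed: six instructions as seen in RAM after the loader resolved them.
PATTERN_IN_RAM = [
    0x3C020035,  # lui   v0, 0x0035       (HI16 relocated)
    0x24421234,  # addiu v0, v0, 0x1234   (LO16 relocated)
    0x8C440010,  # lw    a0, 0x10(v0)
    0x14800005,  # bne   a0, zero, +0x14  (PC-relative, not relocated)
    0x0C0480D0,  # jal   0x00120340       (R_MIPS_26 relocated)
    0x00000000,  # nop
]

# Constructed: the same code as stored in the relocatable file, where the
# relocated fields are still zero, sitting between unrelated instructions.
FILE_IMAGE = struct.pack("<9I",
    0x27BDFFE0,  # addiu sp, sp, -0x20
    0xAFBF0010,  # sw    ra, 0x10(sp)
    0x3C020000, 0x24420000, 0x8C440010, 0x14800005, 0x0C000000, 0x00000000,
    0x03E00008,  # jr    ra
)

if __name__ == "__main__":
    print("exact :", find_exact(FILE_IMAGE, PATTERN_IN_RAM))      # []
    print("masked:", masked_search(FILE_IMAGE, PATTERN_IN_RAM))   # [8]
```

Instructions that come back with `MASK_FULL` (the `lw`, the `bne`, the `nop`) are the ones whose bytes are identical on disc and in RAM; the masked words are exactly the ones the post says cannot be patched on disc, because the loader overwrites their operand fields on every load. For a real XFF the mask should be driven by the file's relocation table rather than by opcode, but the opcode heuristic is enough to locate a function for further analysis.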
 
Thank you both for your answers! Really highly appreciated :) I'm going to try writing a hook myself. It won't have to be anything fancy anyway, I only need to NOP two jumps ^^
 