..:: PCSX2 Forums ::..

(02-02-2020, 12:45 AM)jaceleon Wrote: [ -> ]So, it seems that the problem is that the anticheat mechanism is not 100% disabled, it still reads the crystal count and they seem to have a final trap on Anarchic Entity (Lezard Valeth Boss Fight). If that trap address could be found and patched, it will pass the Game Protection when you convert it. My suggestion is perhaps to edit the cheat value as to only give the value of the most expensive sealstone and add 200 to it, perhaps maximizing the crystal count to 99999 is what triggers the address.

There are 2 approaches to this to maximize the crystal count, either patch the unknown trap address, or to give the game protection an optimal value of crystal that will not trigger the trap address.

I tried converting values from the cheats and these are the outcomes, in order of the max crystals cheat's lines: 4589788, 1006728229, 874610688, 2902524024, 65011720, 2366308356, 201523336, 4096, and 2903179288. My speculation is that the crystal count kill switch won't be triggered if the Crystal counter is only at 30000+ (Value of Sheathed Power Wrath and Dark Night Law is 30000). Since the Max Crystal cheat changes the value of our Crystal to one of of the 9 values indicated above, but the game can only display "99999", this triggers the kill switch, since the game protection knows that no Crystal count can go beyond 99999. Thus if we can only change the value of the cheat as to give only, say, 31000 or 30001 (hex value is 7594 for 30100), it will not trigger the kill switch at all, even if you freeze the value as to assure that you could restore any sealstone you could see. I already know that Line 8 (patch=1,EE,104608EE,extended,00001000 [NTSC Code]) is not the value setter, lest the crystal count becomes only 4096.

Moreover, the cheat I gave you gives this error after crashing:

Code:

(EE pc:004607D4) TLB Miss, addr=0x1018 [store]
(EE pc:0047A7F0) TLB Miss, addr=0x218 [store]
(EE pc:0047A7F0) TLB Miss, addr=0x21c [store]
(EE pc:0047A7F0) TLB Miss, addr=0x2a0 [store]
(EE pc:0047A7F0) TLB Miss, addr=0x2b0 [store]
(EE pc:0047A7F0) TLB Miss, addr=0x2b8 [store]
EE: Unrecognized op 200d9dc
EE: Unrecognized COP0 op 43d80000
EE: Unrecognized COP0 op 43200000
EE: Unrecognized op 200d9dc
EE: Unrecognized COP0 op 43d80000
EE: Unrecognized COP0 op 43200000
(EE pc:00C516C4) TLB Miss, addr=0x1df [load]
(EE pc:00000000) TLB Miss, addr=0x0 [load]
(EE pc:00000000) TLB Miss, addr=0x0 [load]
(EE pc:00000000) TLB Miss, addr=0x4 [load]
(EE pc:00000000) TLB Miss, addr=0x8 [load]
(EE pc:00000000) TLB Miss, addr=0xc [load]
(EE pc:00000000) TLB Miss, addr=0x10 [load]
(EE pc:00000000) TLB Miss, addr=0x14 [load]
(EE pc:00000000) TLB Miss, addr=0x18 [load]
(EE pc:00000000) TLB Miss, addr=0x1c [load]
(EE pc:00000000) TLB Miss, addr=0x20 [load]
(EE pc:00000000) TLB Miss, addr=0x0 [load]
(EE pc:00000000) TLB Miss, addr=0x4 [load]
(EE pc:00000000) TLB Miss, addr=0x8 [load]
(EE pc:00000000) TLB Miss, addr=0xc [load]
(EE pc:00000000) TLB Miss, addr=0x10 [load]
(EE pc:00000000) TLB Miss, addr=0x14 [load]
(EE pc:00000000) TLB Miss, addr=0x18 [load]
(EE pc:00000000) TLB Miss, addr=0x1c [load]
(EE pc:00000000) TLB Miss, addr=0x20 [load]
EE: Unrecognized op 200d9dc
EE: Unrecognized COP0 op 43d80000
EE: Unrecognized COP0 op 43200000
(EE pc:00C516C8) TLB Miss, addr=0x1df [load]
EE: Unrecognized op 200d9dc
EE: Unrecognized COP0 op 43d80000
EE: Unrecognized COP0 op 43200000
(EE pc:00C516CC) TLB Miss, addr=0x1df [load]
EE: Unrecognized COP0 op 43d80000
EE: Unrecognized COP0 op 43200000
(EE pc:00C516D0) TLB Miss, addr=0x1df [load]
EE: Unrecognized COP0 op 43d80000
EE: Unrecognized COP0 op 43200000
(EE pc:00C516D4) TLB Miss, addr=0x1df [load]
EE: Unrecognized COP0 op 43d80000
EE: Unrecognized COP0 op 43200000
(EE pc:00C516D8) TLB Miss, addr=0x1df [load]
EE: Unrecognized COP0 op 43d80000
EE: Unrecognized COP0 op 43200000
(EE pc:00C516DC) TLB Miss, addr=0x1df [load]
EE: Unrecognized COP0 op 43d80000
EE: Unrecognized COP0 op 43200000
(EE pc:00C516E0) TLB Miss, addr=0x1df [load]
EE: Unrecognized COP0 op 43d80000
EE: Unrecognized COP0 op 43200000
(EE pc:00C516E4) TLB Miss, addr=0x1df [load]
EE: Unrecognized COP0 op 43200000
(EE pc:00C516E8) TLB Miss, addr=0x1df [load]
(EE pc:00C516EC) TLB Miss, addr=0x1df [load]
(EE pc:00C516F0) TLB Miss, addr=0x1df [load]
(EE pc:00C516F4) TLB Miss, addr=0x1df [load]
(EE pc:00C516F8) TLB Miss, addr=0x1df [load]
(EE pc:00C516FC) TLB Miss, addr=0x1df [load]
(EE pc:00C51700) TLB Miss, addr=0x1df [load]
(EE pc:00C51704) TLB Miss, addr=0x1df [load]
(EE pc:00C51708) TLB Miss, addr=0x1df [load]
(EE pc:00C5170C) TLB Miss, addr=0x1df [load]
(EE pc:00C51710) TLB Miss, addr=0x1df [load]
(EE pc:00C51714) TLB Miss, addr=0x1df [load]
(EE pc:00C51718) TLB Miss, addr=0x1df [load]
(EE pc:00C5171C) TLB Miss, addr=0x1df [load]
(EE pc:00C51720) TLB Miss, addr=0x1df [load]
(EE pc:00C51724) TLB Miss, addr=0x1df [load]
# Syscall: undefined (0)

I tested another code,

Code:

// View Camp Menu for Max Crystals
patch=1,EE,00085721,word,004608DC
patch=1,EE,000C0120,word,3C017425
patch=1,EE,000C0124,word,34218000
patch=1,EE,000C0128,word,AD010078
patch=1,EE,000C012C,word,03E00008
patch=1,EE,000C0130,word,8D0B0004
patch=1,EE,00460690,word,0C030088
patch=1,EE,004607EE,short,00001000
patch=1,EE,004607F0,word,AD0B0018

and it threw this smaller error:

Code:

iop heap service (99/11/03)
EE: Unrecognized COP0 op 43d80000
EE: Unrecognized COP0 op 43200000

but this code:

Code:

// View Camp Menu for Max Crystals
patch=1,EE,E0085721,extended,004608DC
patch=1,EE,200C0120,extended,3C017425
patch=1,EE,200C0124,extended,34218000
patch=1,EE,200C0128,extended,AD010078
patch=1,EE,200C012C,extended,03E00008
patch=1,EE,200C0130,extended,8D0B0004
patch=1,EE,20460690,extended,0C030088
patch=1,EE,104607EE,extended,00001000
patch=1,EE,204607F0,extended,AD0B0018

allows me to play with no errors at all, but this is not working.

More on aesthetics, here are some (again, you may not bother with them since I like the performance as is):

1. On the Turgen mine 1st boss fight, boss is a bit bluish than normal.
2. Most enemy skills are now a bit inclined on the bluish tint.
3. Most open skyline areas are somewhat on the stormy weather (exception is the pass going back to Dipan).

As for the faulty Crystal cheat, could I have it as for me to debug the address? Also, is there a way for me to manually edit the exported save files asides from PS2 save builder, as to check under the hood for that faulty cheat check value? I would like to check my NTSC save for me to see that error. Also, If I have the cheat, I shall try to modify the value as to only get 30200 crystals.

In my experimentation with the cheat addressing, I found out that "word" is just ignoring the last byte if I recall correctly. "short" is used for only addresses with 1 at the beginning. And at some point, using extended throws me some errors in the debug screen, but game still plays as if there is no error, cheat just doesn't work.

This Game has a lot of Game Protections.They seem to have different categories if i can say that..The most i have disabled i think.
With my Patch you have 99 of all Items.If you reach Lezard Valeth you can save just before that encounter
and load the Game without the Patch.The Game should NOT freeze when you enter the battle.
This Protection to solve was very important to me because interested Gamer should be able to export the Save File to the real Playstation 2 now.
But as mentioned above the Crystal Cheat causes to trigger another trap.I will try to solve that later too.But for now i am mainly
focused on graphical Things.

Here is my sample important Deceiver Code Segment that keeps always the 4-bit Value C.So the Game does not freeze because of this.
Normally when Someone uses Cheats in the Game that Value would become E and if you reach Chapter 5 the Game would freeze.

Keep 4-Bit Value C and do not affect the upper 4-Bit Value of this overall 1-Byte Value:
003ad530 3c010037  // lui at, $0037
003ad534 8c24d700  // lw a0, $d700(at)
003ad538 8c85008c  // lw a1, $008c(a0)
003ad53c 90a40008  // lbu a0, $0008(a1)
003ad540 0004263c  // dsll32 a0, a0, 24
003ad544 0004273e  // dsrl32 a0, a0, 28
003ad548 00042138  // dsll a0, a0, 4
003ad54c 3482000c  // ori v0, a0, $000c
003ad550 a0a20008  // sb v0, $0008(a1)


Yes, here is my faulty Crystal Cheat which causes the Game to freeze when you are not using Game Protection Disable Code:

// View Camp Menu for Max Crystals
// [I converted from Ryudo's Patch the original US NTSC-Code to this UK PAL-Code]
patch=1,EE,00119654,word,087fff98
patch=1,EE,00119658,word,00000000
patch=1,EE,01fffe60,word,0040102a
patch=1,EE,01fffe64,word,38420001
patch=1,EE,01fffe68,word,3c050037
patch=1,EE,01fffe6c,word,8ca6d2ac
patch=1,EE,01fffe70,word,3c090c10
patch=1,EE,01fffe74,word,352ac234
patch=1,EE,01fffe78,word,10ca000b
patch=1,EE,01fffe7c,word,0000602d
patch=1,EE,01fffe80,word,3c050046
patch=1,EE,01fffe84,word,3c0c0c7f
patch=1,EE,01fffe88,word,358cffac
patch=1,EE,01fffe8c,word,acac08c0
patch=1,EE,01fffe90,word,3c0c1000
patch=1,EE,01fffe94,word,358c0003
patch=1,EE,01fffe98,word,acac0a1c
patch=1,EE,01fffe9c,word,3c0cad0b
patch=1,EE,01fffea0,word,358c0018
patch=1,EE,01fffea4,word,acac0a20
patch=1,EE,01fffea8,word,08046597
patch=1,EE,01fffeac,word,00000000
patch=1,EE,01fffeb0,word,3c017425
patch=1,EE,01fffeb4,word,34218000
patch=1,EE,01fffeb8,word,ad010078
patch=1,EE,01fffebc,word,03e00008
patch=1,EE,01fffec0,word,8d0b0004

For what it's worth, this is a code for crystals I used (along with individual item codes) that allowed me to play through the game with no freeze. There was however a pretty long master code that went with it. I don't know if the master had any disabling effects on the in game protections.

Max 99999 Crystals
D049A844 000000FF
2049A844 24030000
Return a seal stone to max out crystals

(02-02-2020, 08:43 PM)Rebel521 Wrote: [ -> ]For what it's worth, this is a code for crystals I used (along with individual item codes) that allowed me to play through the game with no freeze. There was however a pretty long master code that went with it. I don't know if the master had any disabling effects on the in game protections.

Max 99999 Crystals
D049A844 000000FF
2049A844 24030000
Return a seal stone to max out crystals

That's interesting.Definitely worth to take a closer look what exactly this Code is doing.But i guess this is NTSC Code ?

Okay, things I noticed in the game (but I think this one is cool)

1. Sahma Desert's skyline is now overcast, when it is supposed to be sunset.
2. Background darkness of Turgen Mines when light is off makes it not visible, only you will see Alicia, as in she is bright while the place is dark.

As for the crystal cheat, I think the problem can be circumvented by doing something else, how about porting this code:

Max 99999 Crystals (US Version, codebreaker v7, pointed out by Rebel521)
Return a seal stone to max out crystals
Decrypted
D049A844 000000FF
2049A844 24030000
Encrypted
AC34C4D6 17D5E5C9
F0A20B2D 5BD7D061

or
patch=1,EE,D049A844,extended,000000FF
patch=1,EE,2049A844,extended,24030000

It does the following:
Conditional - Executes the next line if the value at 0x49A844 is equal to 0x00FF.
RAM Write - Constantly writes 0x24030000 to 0x49A844.

The shorter the code, the lesser addresses that it will trigger.

However, it comes with this master code

patch=1,EE,F0129B51,extended,800813BF
patch=1,EE,000FFFFE,extended,0000002D
patch=1,EE,000FFFFF,extended,0000002D
patch=1,EE,9013A550,extended,0C04E8FC
patch=1,EE,E0033B40,extended,0035EC8C
patch=1,EE,104234AA,extended,00001000
patch=1,EE,10423662,extended,00001000
patch=1,EE,1042382A,extended,00001000
patch=1,EE,E0027EC0,extended,0049550C
patch=1,EE,2049BCB0,extended,03E00008
patch=1,EE,2049BCB4,extended,00000000
patch=1,EE,E007E140,extended,0036D90C
patch=1,EE,203683D4,extended,00000000
patch=1,EE,103AD16A,extended,00001000
patch=1,EE,103AD61E,extended,00001000
patch=1,EE,10430B76,extended,00001000
patch=1,EE,10430BE2,extended,00001000
patch=1,EE,10431A66,extended,00001000
patch=1,EE,10431C1E,extended,00001000
patch=1,EE,D0397CAC,extended,0000102A
patch=1,EE,20397CB0,extended,00000000

and it does this:

Enabler - Changes the entry point value for new threads to 0x800813BF.
RAM Write - Constantly writes 0x2D to 0xFFFFE.
RAM Write - Constantly writes 0x2D to 0xFFFFF.
Conditional Cheat Enable - Values used to enable the cheat engine.
Conditional (Multi) - Executes the next 3 lines if the value at 0x35EC8C is equal to 0x3B40.
RAM Write - Constantly writes 0x1000 to 0x4234AA.
RAM Write - Constantly writes 0x1000 to 0x423662.
RAM Write - Constantly writes 0x1000 to 0x42382A.
Conditional (Multi) - Executes the next 2 lines if the value at 0x49550C is equal to 0x7EC0.
RAM Write - Constantly writes 0x03E00008 to 0x49BCB0.
RAM Write - Constantly writes 0 to 0x49BCB4.
Conditional (Multi) - Executes the next 7 lines if the value at 0x36D90C is equal to 0xE140.
RAM Write - Constantly writes 0 to 0x3683D4.
RAM Write - Constantly writes 0x1000 to 0x3AD16A.
RAM Write - Constantly writes 0x1000 to 0x3AD61E.
RAM Write - Constantly writes 0x1000 to 0x430B76.
RAM Write - Constantly writes 0x1000 to 0x430BE2.
RAM Write - Constantly writes 0x1000 to 0x431A66.
RAM Write - Constantly writes 0x1000 to 0x431C1E.
Conditional - Executes the next line if the value at 0x397CAC is equal to 0x102A.
RAM Write - Constantly writes 0 to 0x397CB0.

You might use this as a reference on how Codebreaker makes an entry point on the game.

I'm not sure but this can be the Code for VP2S, PAL UK:

// Max 99999 Crystals (VP2S, PAL UK)
patch=1,EE,D049a5e4,extended,000000FF
patch=1,EE,2049a5e4,extended,24030000

(02-02-2020, 08:49 PM)Maori-Jigglypuff Wrote: [ -> ]That's interesting.Definitely worth to take a closer look what exactly this Code is doing.But i guess this is NTSC Code ?

Yes NTSC

(02-02-2020, 09:19 PM)Rebel521 Wrote: [ -> ]Yes NTSC

OK, i have ported that Code to UK PAL.

(02-02-2020, 08:54 PM)jaceleona Wrote: [ -> ]It does the following:
Conditional - Executes the next line if the value at 0x49A844 is equal to 0x00FF.
RAM Write - Constantly writes 0x24030000 to 0x49A844.

The shorter the code, the lesser addresses that it will trigger.

However, it comes with this master code

patch=1,EE,F0129B51,extended,800813BF
patch=1,EE,000FFFFE,extended,0000002D
patch=1,EE,000FFFFF,extended,0000002D
patch=1,EE,9013A550,extended,0C04E8FC
patch=1,EE,E0033B40,extended,0035EC8C
patch=1,EE,104234AA,extended,00001000
patch=1,EE,10423662,extended,00001000
patch=1,EE,1042382A,extended,00001000
patch=1,EE,E0027EC0,extended,0049550C
patch=1,EE,2049BCB0,extended,03E00008
patch=1,EE,2049BCB4,extended,00000000
patch=1,EE,E007E140,extended,0036D90C
patch=1,EE,203683D4,extended,00000000
patch=1,EE,103AD16A,extended,00001000
patch=1,EE,103AD61E,extended,00001000
patch=1,EE,10430B76,extended,00001000
patch=1,EE,10430BE2,extended,00001000
patch=1,EE,10431A66,extended,00001000
patch=1,EE,10431C1E,extended,00001000
patch=1,EE,D0397CAC,extended,0000102A
patch=1,EE,20397CB0,extended,00000000

and it does this:

Enabler - Changes the entry point value for new threads to 0x800813BF.
RAM Write - Constantly writes 0x2D to 0xFFFFE.
RAM Write - Constantly writes 0x2D to 0xFFFFF.
Conditional Cheat Enable - Values used to enable the cheat engine.
Conditional (Multi) - Executes the next 3 lines if the value at 0x35EC8C is equal to 0x3B40.
RAM Write - Constantly writes 0x1000 to 0x4234AA.
RAM Write - Constantly writes 0x1000 to 0x423662.
RAM Write - Constantly writes 0x1000 to 0x42382A.
Conditional (Multi) - Executes the next 2 lines if the value at 0x49550C is equal to 0x7EC0.
RAM Write - Constantly writes 0x03E00008 to 0x49BCB0.
RAM Write - Constantly writes 0 to 0x49BCB4.
Conditional (Multi) - Executes the next 7 lines if the value at 0x36D90C is equal to 0xE140.
RAM Write - Constantly writes 0 to 0x3683D4.
RAM Write - Constantly writes 0x1000 to 0x3AD16A.
RAM Write - Constantly writes 0x1000 to 0x3AD61E.
RAM Write - Constantly writes 0x1000 to 0x430B76.
RAM Write - Constantly writes 0x1000 to 0x430BE2.
RAM Write - Constantly writes 0x1000 to 0x431A66.
RAM Write - Constantly writes 0x1000 to 0x431C1E.
Conditional - Executes the next line if the value at 0x397CAC is equal to 0x102A.
RAM Write - Constantly writes 0 to 0x397CB0.

You might use this as a reference on how Codebreaker makes an entry point on the game.

Again. for what it's worth, this is the master code I used (hacked by Skiller) for VP2:

9010025c 0c040330
E00202F8 00423648 
10423662 00001000
1042382A 00001000
E00302BC 0049BCEC
2049C0EC 00000000
2049BF84 00000000
2049BE1C 00000000
E003FFFA 00427e7c
20427e7c 00000000
203d939c 00000000
20384024 00000000
E00EFFFA 004360EC
20397ca8 00000000
203af464 00000000
203AF3A4 00000000
203AF20C 00000000
203ABF98 00000000
203ABFB4 00000000
203d4984 00000000
203d4e50 00000000
203d2d68 00000000
203d2714 00000000
203cff8c 00000000
203c5984 00000000
20430eec 00000000
20430e84 00000000

(02-02-2020, 09:25 PM)Rebel521 Wrote: [ -> ]Again. for what it's worth, this is the master code I used (hacked by Skiller) for VP2:

9010025c 0c040330
E00202F8 00423648 
10423662 00001000
1042382A 00001000
E00302BC 0049BCEC
2049C0EC 00000000
2049BF84 00000000
2049BE1C 00000000
E003FFFA 00427e7c
20427e7c 00000000
203d939c 00000000
20384024 00000000
E00EFFFA 004360EC
20397ca8 00000000
203af464 00000000
203AF3A4 00000000
203AF20C 00000000
203ABF98 00000000
203ABFB4 00000000
203d4984 00000000
203d4e50 00000000
203d2d68 00000000
203d2714 00000000
203cff8c 00000000
203c5984 00000000
20430eec 00000000
20430e84 00000000

OK, the ported Code alone does not Work.I think i have to port the Master Code as well.
But to have 99999 Crystals i am actually pursuing a different approach.

@Maori-Jigglypuff

I noticed that the default pnach for this game has a code to prevent freezing. It has what appears to be a couple of "syntax" errors. I don't know if you checked it out or not.

//Ignore GameGuard (prevents freezing)
//patch=1,EE,FE129B51,extended,800813BF
//patch=1,EE,000FFFFE,extended,0000022D -->should be 100FFFFE?
//patch=1,EE,000FFFFF,extended,0000022D -->should be 100FFFFF?
//patch=1,EE,9013A550,extended,0C04E8FC
//patch=1,EE,E0033B40,extended,0035EC8C
//patch=1,EE,104234AA,extended,00001000
//patch=1,EE,10423662,extended,00001000
//patch=1,EE,1042382A,extended,00001000
//patch=1,EE,E0027EC0,extended,0049550C
//patch=1,EE,2049BCB0,extended,03E00008
//patch=1,EE,2049BCB4,extended,00000000
//patch=1,EE,E007E140,extended,0036D90C
//patch=1,EE,203683D4,extended,00000000
//patch=1,EE,103AD16A,extended,00001000
//patch=1,EE,103AD61E,extended,00001000
//patch=1,EE,10430B76,extended,00001000
//patch=1,EE,10430BE2,extended,00001000
//patch=1,EE,10431A66,extended,00001000
//patch=1,EE,10431C1E,extended,00001000
//patch=1,EE,D0397CAC,extended,0000102A
//patch=1,EE,20397CB0,extended,00000000