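#nop 0x34e48c to load luabnds on m99s

# Target image. The whole file is read into $ba once; every helper below
# reads from or writes into that in-memory buffer and never touches the disk.
# If the file is missing, the two statements below report errors and $ba stays
# empty, so callers should check $ba before patching.
$path = "D:\Emus\PS3\dev_hdd0\game\NPUB30910\USRDIR\EBOOT.BIN"
$size = (Get-Item $path).length
$ba = [System.IO.File]::ReadAllBytes($path)

##########################################
# RBytes: return a copy of $size bytes of $ba starting at offset $addr.
#   $addr - byte offset into $ba
#   $size - number of bytes to copy; defaults to 4, the fixed length the
#           previous version always returned regardless of this argument
# BlockCopy throws if the requested range falls outside $ba.
Function RBytes {
    Param ( $addr, $size = 4 )

    [byte[]] $rb = [byte[]]::new($size)
    [System.Buffer]::BlockCopy($ba, $addr, $rb, 0, $rb.Length)
    $rb
}

##########################################
# RUInt32: read 4 bytes of $ba at offset $addr as an unsigned 32-bit value.
# BitConverter uses the host byte order, so on a little-endian host a
# big-endian word from the image comes back byte-swapped.
Function RUInt32 {
    Param ( $addr )

    [bitconverter]::ToUInt32($ba, $addr)
}

##########################################
# WBytes: overwrite $ba at offset $addr with the byte array $wb.
# Only the in-memory buffer changes; BlockCopy throws on an out-of-range write.
Function WBytes {
    Param ( $addr, $wb )

    [System.Buffer]::BlockCopy($wb, 0, $ba, $addr, $wb.Length)
}

##########################################
# WStrA: write $str into $ba at offset $addr as UTF-8 bytes.
# No terminator is appended.
Function WStrA {
    Param ( $addr, $str )

    $wb = [System.Text.Encoding]::UTF8.GetBytes($str)
    [System.Buffer]::BlockCopy($wb, 0, $ba, $addr, $wb.Length)
}

##########################################
# WStrU: write $str into $ba at offset $addr as UTF-16 little-endian bytes
# (.NET "Unicode" encoding). No terminator is appended.
Function WStrU {
    Param ( $addr, $str )

    $wb = [System.Text.Encoding]::Unicode.GetBytes($str)
    [System.Buffer]::BlockCopy($wb, 0, $ba, $addr, $wb.Length)
}

##########################################
# WUInt32: write $val into $ba at offset $addr using BitConverter.GetBytes,
# i.e. in host byte order and with a width decided by the runtime type of $val.
Function WUInt32 {
    Param ( $addr, $val )

    $wb = [bitconverter]::GetBytes($val)
    [System.Buffer]::BlockCopy($wb, 0, $ba, $addr, $wb.Length)
}

##########################################
# XorBytes: return a new byte array with $b1[i] XOR $b2[i] for every index
# of $b1. The result always has the length of $b1.
Function XorBytes {
    Param ( [byte[]] $b1, [byte[]] $b2 )

    [byte[]] $b3 = [byte[]]::new($b1.count)
    for ($i = 0; $i -lt $b1.count; $i++) {
        $b3[$i] = $b1[$i] -bxor $b2[$i]
    }
    $b3
}

##########################################
# AreArraysEqual: element-wise comparison of two arrays.
# Throws when either input is not an array. Returns $false when rank or any
# dimension length differs, $true for the same reference, otherwise compares
# the elements pairwise with -ne and returns $false at the first mismatch.
Function AreArraysEqual($a1, $a2) {
    if ($a1 -isnot [array] -or $a2 -isnot [array]) {
        throw "Both inputs must be an array"
    }
    if ($a1.Rank -ne $a2.Rank) {
        return $false
    }
    if ([System.Object]::ReferenceEquals($a1, $a2)) {
        return $true
    }
    for ($r = 0; $r -lt $a1.Rank; $r++) {
        if ($a1.GetLength($r) -ne $a2.GetLength($r)) {
            return $false
        }
    }

    $enum1 = $a1.GetEnumerator()
    $enum2 = $a2.GetEnumerator()

    while ($enum1.MoveNext() -and $enum2.MoveNext()) {
        if ($enum1.Current -ne $enum2.Current) {
            return $false
        }
    }
    return $true
}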
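##########################################
cls

# Every location below is written as <address> - 0xF700.
# NOTE(review): 0xF700 is presumably the difference between the address used
# in the disassembly and the offset inside EBOOT.BIN - confirm against the
# image's program headers.

# --- DCX/SDAT check patches ----------------------------------------------
# Pairs of (patched, original) 4-byte instruction words. 0x60, 0x00, 0x00, 0x00
# is the encoding listed for "nop" in the assembly notes at the end of the file.
[byte[]] $newcode1 = 0x60, 0x00, 0x00, 0x00 #SDAT
[byte[]] $oldcode1 = 0x40, 0x9e, 0x01, 0x20
[byte[]] $newcode1xor = 0x20, 0x9e, 0x01, 0x20   # newcode1 XOR oldcode1; not used below

[byte[]] $newcode2 = 0x4b, 0xff, 0xfe, 0xe8 #SDAT
[byte[]] $oldcode2 = 0x41, 0x9e, 0xfe, 0xe8

[byte[]] $newcode3 = 0x60, 0x00, 0x00, 0x00 #DCX
[byte[]] $oldcode3 = 0x40, 0x9e, 0x00, 0xcc

[byte[]] $oldcode4 = 0x40, 0x9d, 0x00, 0x64
[byte[]] $newcode4 = 0x48, 0x00, 0x00, 0x64 #m99s

# Logo-skip bytes are defined for reference only; nothing below writes them.
[byte[]] $logonewcode = 0x38, 0x80, 0x00, 0x00 #Logo Skip
[byte[]] $logooldcode = 0x38, 0x80, 0x00, 0x01
[byte[]] $logocodexor = 0x00, 0x00, 0x00, 0x01
$logoloc = 0x189b38 - 0xF700

#$b3 = XorBytes $newcode1 $oldcode1
#[System.BitConverter]::ToString($b3)

# --- Replacement UI strings ------------------------------------------------
# Written as UTF-16LE. NOTE(review): both locations are odd addresses, which
# presumably makes the bytes line up as big-endian UTF-16 starting one byte
# earlier - confirm. The restore data assumes the area was zero-filled.
$diffTextLoc = 0x16f1d51 - 0xF700
$diffText = "Choose your difficulty"
$diffTextOrig = [byte[]]::new($diffText.Length * 2)

$ayeTextLoc = 0x16f1d91 - 0xF700
$ayeText = "Aye"
$ayeTextOrig = [byte[]]::new($ayeText.Length * 2)

#----------------------------
#dbgA hooks to call RInt
$dbgAloc = 0x4392f0 - 0xF700
[byte[]] $dbgAhook = 0x49, 0x70, 0xd4, 0xc2, 0x60, 0x00, 0x00, 0x00
[byte[]] $dbgAorig = 0x38, 0x60, 0xff, 0xff, 0x4e, 0x80, 0x00, 0x20

#rename GetDbgRandomA to RInt
$dbgAorigNameULoc = 0x16e0fe0 - 0xF700
[byte[]] $dbgAnewNameU = 0x00, 0x52, 0x00, 0x49, 0x00, 0x6e, 0x00, 0x74, 0x00, 0x00, 0x00
[byte[]] $dbgAorigNameU = 0x00, 0x47, 0x00, 0x65, 0x00, 0x74, 0x00, 0x44, 0x00, 0x62, 0x00

$dbgAorigNameALoc = 0x16e3aa0 - 0xF700
[byte[]] $dbgAnewNameA = 0x52, 0x49, 0x6e, 0x74, 0x00
[byte[]] $dbgAorigNameA = 0x47, 0x65, 0x74, 0x44, 0x62

$RIntLoc = 0x170d4c0 - 0xF700
[byte[]] $RIntCode = 0x3c, 0x60, 0x01, 0xb4, 0x60, 0x63, 0x9c, 0x38, 0x80, 0x63, 0x00, 0x00, 0x80, 0x63, 0x00, 0x00, 0x4e, 0x80, 0x00, 0x20, 0x60, 0x00, 0x00, 0x00
# Restore data is sized from the injected code so a restore clears all of it.
# The hand-written zero list used before was 20 bytes for 24 bytes of code and
# left the trailing nop in place. Assumes the area was zero-filled originally.
[byte[]] $RIntOrig = [byte[]]::new($RIntCode.Length)

#-------------------------------------------
#$dbgB hooks to call WInt
$dbgBloc = 0x4392f8 - 0xF700
[byte[]] $dbgBhook = 0x49, 0x70, 0xd5, 0x02, 0x60, 0x00, 0x00, 0x00
[byte[]] $dbgBorig = 0x38, 0x60, 0xff, 0xff, 0x4e, 0x80, 0x00, 0x20

$dbgBorigNameULoc = 0x16e1000 - 0xF700
[byte[]] $dbgBnewNameU = 0x00, 0x57, 0x00, 0x49, 0x00, 0x6e, 0x00, 0x74, 0x00, 0x00, 0x00
[byte[]] $dbgBorigNameU = 0x00, 0x47, 0x00, 0x65, 0x00, 0x74, 0x00, 0x44, 0x00, 0x62, 0x00

$dbgBorigNameALoc = 0x16e3ab0 - 0xF700
[byte[]] $dbgBnewNameA = 0x57, 0x49, 0x6e, 0x74, 0x00
[byte[]] $dbgBorigNameA = 0x47, 0x65, 0x74, 0x44, 0x62

$WIntLoc = 0x170d500 - 0xF700
[byte[]] $WIntCode = 0x3c, 0x60, 0x01, 0xb4, 0x60, 0x63, 0x9c, 0x38, 0x80, 0x63, 0x00, 0x00, 0x3c, 0x80, 0x01, 0xb4, 0x60, 0x84, 0x9c, 0x3c, 0x80, 0x84, 0x00, 0x00, 0x90, 0x83, 0x00, 0x00, 0x4e, 0x80, 0x00, 0x20, 0x60, 0x00, 0x00, 0x00
[byte[]] $WIntOrig = [byte[]]::new($WIntCode.Length)

#-------------------------------------------
#$ShowRankingDialog hooks to call SLoc
$srdLoc = 0x0043e740 - 0xF700
[byte[]] $srdHook = 0x49, 0x70, 0xd5, 0x42, 0x60, 0x00, 0x00, 0x00
[byte[]] $srdOrig = 0x7c, 0x83, 0x23, 0x78, 0x7c, 0x08, 0x02, 0xa6

$srdOrigNameULoc = 0x016dfd08 - 0xF700
[byte[]] $srdNewNameU = 0x00, 0x53, 0x00, 0x4c, 0x00, 0x6f, 0x00, 0x63, 0x00, 0x00, 0x00
[byte[]] $srdOrigNameU = 0x00, 0x53, 0x00, 0x68, 0x00, 0x6f, 0x00, 0x77, 0x00, 0x52, 0x00

$srdOrigNameALoc = 0x016e3038 - 0xF700
[byte[]] $srdNewNameA = 0x53, 0x4c, 0x6f, 0x63, 0x00
[byte[]] $srdOrigNameA = 0x53, 0x68, 0x6f, 0x77, 0x52

$SLocLoc = 0x170d540 - 0xF700
[byte[]] $SLocCode = 0x3c, 0x60, 0x01, 0xb4, 0x60, 0x63, 0x9c, 0x38, 0x90, 0x83, 0x00, 0x00, 0x4e, 0x80, 0x00, 0x20, 0x60, 0x00, 0x00, 0x00
[byte[]] $SLocOrig = [byte[]]::new($SLocCode.Length)

#-------------------------------------------
#$ShowRankingDataModel hooks to call SVal
$srdmLoc = 0x00444598 - 0xF700
[byte[]] $srdmHook = 0x49, 0x70, 0xd5, 0x82, 0x60, 0x00, 0x00, 0x00
[byte[]] $srdmOrig = 0xf8, 0x21, 0xff, 0x81, 0x7c, 0x08, 0x02, 0xa6

$srdmOrigNameULoc = 0x016dfd58 - 0xF700
[byte[]] $srdmNewNameU = 0x00, 0x53, 0x00, 0x56, 0x00, 0x61, 0x00, 0x6c, 0x00, 0x00, 0x00
[byte[]] $srdmOrigNameU = 0x00, 0x53, 0x00, 0x68, 0x00, 0x6f, 0x00, 0x77, 0x00, 0x52, 0x00

$srdmOrigNameALoc = 0x016e3068 - 0xF700
[byte[]] $srdmNewNameA = 0x53, 0x56, 0x61, 0x6c, 0x00
[byte[]] $srdmOrigNameA = 0x53, 0x68, 0x6f, 0x77, 0x52

$SValLoc = 0x170d580 - 0xF700
[byte[]] $SValCode = 0x3c, 0x60, 0x01, 0xb4, 0x60, 0x63, 0x9c, 0x3c, 0x90, 0x83, 0x00, 0x00, 0x4e, 0x80, 0x00, 0x20, 0x60, 0x00, 0x00, 0x00
[byte[]] $SValOrig = [byte[]]::new($SValCode.Length)

#-------------------------------------------
# One entry per patch site, in the order the sites are written.
# Patched = bytes written when applying, Original = bytes written when restoring.
$patchSites = @(
    @{ Offset = (0x66af08 - 0xF700); Patched = $newcode1;     Original = $oldcode1 }
    @{ Offset = (0x66b024 - 0xF700); Patched = $newcode2;     Original = $oldcode2 }
    @{ Offset = (0x66aefc - 0xF700); Patched = $newcode3;     Original = $oldcode3 }
    @{ Offset = (0x417340 - 0xF700); Patched = $newcode4;     Original = $oldcode4 }
    @{ Offset = $dbgAorigNameULoc;   Patched = $dbgAnewNameU; Original = $dbgAorigNameU }
    @{ Offset = $dbgAorigNameALoc;   Patched = $dbgAnewNameA; Original = $dbgAorigNameA }
    @{ Offset = $dbgAloc;            Patched = $dbgAhook;     Original = $dbgAorig }
    @{ Offset = $RIntLoc;            Patched = $RIntCode;     Original = $RIntOrig }
    @{ Offset = $dbgBorigNameULoc;   Patched = $dbgBnewNameU; Original = $dbgBorigNameU }
    @{ Offset = $dbgBorigNameALoc;   Patched = $dbgBnewNameA; Original = $dbgBorigNameA }
    @{ Offset = $dbgBloc;            Patched = $dbgBhook;     Original = $dbgBorig }
    @{ Offset = $WIntLoc;            Patched = $WIntCode;     Original = $WIntOrig }
    @{ Offset = $srdOrigNameULoc;    Patched = $srdNewNameU;  Original = $srdOrigNameU }
    @{ Offset = $srdOrigNameALoc;    Patched = $srdNewNameA;  Original = $srdOrigNameA }
    @{ Offset = $srdLoc;             Patched = $srdHook;      Original = $srdOrig }
    @{ Offset = $SLocLoc;            Patched = $SLocCode;     Original = $SLocOrig }
    @{ Offset = $srdmOrigNameULoc;   Patched = $srdmNewNameU; Original = $srdmOrigNameU }
    @{ Offset = $srdmOrigNameALoc;   Patched = $srdmNewNameA; Original = $srdmOrigNameA }
    @{ Offset = $srdmLoc;            Patched = $srdmHook;     Original = $srdmOrig }
    @{ Offset = $SValLoc;            Patched = $SValCode;     Original = $SValOrig }
    @{ Offset = $diffTextLoc;        Patched = [System.Text.Encoding]::Unicode.GetBytes($diffText); Original = $diffTextOrig }
    @{ Offset = $ayeTextLoc;         Patched = [System.Text.Encoding]::Unicode.GetBytes($ayeText);  Original = $ayeTextOrig }
)

# Smallest buffer length that contains every patch site. Checked before any
# write so a truncated or still-packed image is rejected up front.
$requiredLength = 0
foreach ($site in $patchSites) {
    $siteEnd = $site.Offset + [Math]::Max($site.Patched.Length, $site.Original.Length)
    if ($siteEnd -gt $requiredLength) {
        $requiredLength = $siteEnd
    }
}

# ApplyPatchSide: write one side ('Patched' or 'Original') of every entry in
# $patchSites into $ba, then save $ba over $path.
# A failed write to the buffer aborts the run before the file is touched, so a
# half-patched image is never saved. A copy of the file as first seen is kept
# next to it as <path>.bak and is never overwritten by later runs.
Function ApplyPatchSide {
    Param ( $side )

    $backup = "$path.bak"
    try {
        foreach ($site in $patchSites) {
            $offset = $site.Offset
            $bytes = $site[$side]
            WBytes $offset $bytes
        }
        if (-not (Test-Path -LiteralPath $backup)) {
            Copy-Item -LiteralPath $path -Destination $backup -ErrorAction Stop
        }
        [System.IO.File]::WriteAllBytes($path, $ba)
        "Bytes written successfully"
    }
    catch {
        "Patching failed: $($_.Exception.Message)"
        "If EBOOT.BIN was changed, the copy saved before patching is $backup"
    }
    ""
    pause
}

cls

if ($size -eq 9602848) {
    "EBOOT.BIN size too small, decrypt and decompress before running this script."
}
elseif ($null -eq $ba -or $ba.Length -lt $requiredLength) {
    "EBOOT.BIN could not be read or is shorter than the highest patch offset, no changes made."
    ""
    pause
}
else {
    # The first SDAT site doubles as the state marker. RUInt32 reads in host
    # byte order, so the constants are the byte-swapped forms of oldcode1 and
    # newcode1 as seen on a little-endian host.
    $marker = RUint32 (0x66af08 - 0xF700)

    if ($marker -eq [UInt32]"0x20019e40") {
        "Original bytes found, patching out DCX/SDAT."
        ApplyPatchSide 'Patched'
    }
    elseif ($marker -eq [UInt32]"0x00000060") {
        "Patched bytes found, restoring DCX/SDAT."
        ApplyPatchSide 'Original'
    }
    else {
        "Unrecognized bytes found hook at location, no changes made."
        "Has EBOOT.BIN been resigned as NONDRM?"
        ""
        pause
    }
}

<#
Assembly notes for the injected routines (byte lists match the arrays above).
#https://shell-storm.org/online/Online-Assembler-and-Disassembler/

#0x1b49c38 = loc
#0x1b49c3c = val

#GetDbgRandomA -> RInt
0x004392f0:
ba 0x170d4c0
nop
0x49, 0x70, 0xd4, 0xc2, 0x60, 0x00, 0x00, 0x00

0x0170d4c0:
lis 3, 0x01b4
ori 3, 3, 0x9c38
lwz 3, 0x0(3)
lwz 3, 0x0(3)
blr
nop
0x3c, 0x60, 0x01, 0xb4, 0x60, 0x63, 0x9c, 0x38, 0x80, 0x63, 0x00, 0x00, 0x80, 0x63, 0x00, 0x00, 0x4e, 0x80, 0x00, 0x20, 0x60, 0x00, 0x00, 0x00

#GetDbgRandomB -> WInt
0x004392f8:
ba 0x170d500
nop
0x49, 0x70, 0xd5, 0x02, 0x60, 0x00, 0x00, 0x00

0x0170d500:
lis 3, 0x01b4
ori 3, 3, 0x9c38
lwz 3, 0x0(3)
lis 4, 0x01b4
ori 4, 4, 0x9c3c
lwz 4, 0x0(4)
stw 4, 0x0(3)
blr
nop
0x3c, 0x60, 0x01, 0xb4, 0x60, 0x63, 0x9c, 0x38, 0x80, 0x63, 0x00, 0x00, 0x3c, 0x80, 0x01, 0xb4, 0x60, 0x84, 0x9c, 0x3c, 0x80, 0x84, 0x00, 0x00, 0x90, 0x83, 0x00, 0x00, 0x4e, 0x80, 0x00, 0x20, 0x60, 0x00, 0x00, 0x00

#ShowRankingDialog -> SLoc
0x0043e740:
ba 0x170d540
nop
0x49, 0x70, 0xd5, 0x42, 0x60, 0x00, 0x00, 0x00

0x0170d540:
lis 3, 0x01b4
ori 3, 3, 0x9c38
stw 4, 0x0(3)
blr
nop
0x3c, 0x60, 0x01, 0xb4, 0x60, 0x63, 0x9c, 0x38, 0x90, 0x83, 0x00, 0x00, 0x4e, 0x80, 0x00, 0x20, 0x60, 0x00, 0x00, 0x00

#ShowRankingDataModel -> SVal
0x00444598:
ba 0x170d580
nop
0x49, 0x70, 0xd5, 0x82, 0x60, 0x00, 0x00, 0x00

0x0170d580:
lis 3, 0x01b4
ori 3, 3, 0x9c3c
stw 4, 0x0(3)
blr
nop
0x3c, 0x60, 0x01, 0xb4, 0x60, 0x63, 0x9c, 0x3c, 0x90, 0x83, 0x00, 0x00, 0x4e, 0x80, 0x00, 0x20, 0x60, 0x00, 0x00, 0x00

#GetSummonBlackResult ->GetChrInsFromWorldChrMan (not written by this script)
004128c0 - GetSummonBlackResult
lis 3, 0x01b4
ori 3, 3, 0x9c3c
lwz 4, 0x0(3)
lis 3, 0x01b3
ori 3, 3, 0xd6e0
lwz 3, 0x0(3)
ba 0x296bb8
0x3c, 0x60, 0x01, 0xb4, 0x60, 0x63, 0x9c, 0x3c, 0x80, 0x83, 0x00, 0x00, 0x3c, 0x60, 0x01, 0xb3, 0x60, 0x63, 0xd6, 0xe0, 0x80, 0x63, 0x00, 0x00, 0x48, 0x29, 0x6b, 0xba
#>

<#
#Create video with kden
#convert to M2v with https://convertio.co/video-converter/
#Create PAM with PS3StreamComposer
#ds_title, Demon's Souls title fadein
#ds_advertise, Title video
#menu.tpf, logo_3

#create breakobj
#/chr/m09.chresdbnd
#/map/breakobj/m09_00_00_00.breakobj
#/map/m09_00_00_00/m09_00_00_00.arealoadlist
#/map/m09_00_00_00/m09_00_00_00.mcg
#/map/m09_00_00_00/m09_00_00_00.mcp
#/map/m09_00_00_00/m09_00_00_00.nvmbnd
#/map/m09_00_00_00/m09_00_00_00.tpf

m2020B0 Tower 1
m2030B0 Tower 2
m2310B0 Wall + Tower
m2501B0 Starting platform
m9999B0 Skybox
m9040b2 square model
h1020B2 Square collision

o2180 gate
o2190 burning door
o2191 door(fancy)
o2200 portcullis
o2221 Giantportcullis
o2241 2 portcullis
o2261 wooden door
o2300 portcullis
o2321 gateddoor
o2472 damagedtower
o2480 elevator
o2750 penetratorstatue
o2760 tower knight statue

c2040 WolfWarrior
c2050 BearWarrior
c1020 Dragon God
c1030 Vanguard 103000 NPCParamID 8_1_0, ID 300
c3040 Maneater 304000 NPC ParamID 4_1_0, ID 807, 817
c4050 Flamelurker
c5001 Phalanx
c5000 Hoplite
c5010 TowerKnight
c5020 Penetrator
c5030 StormKing
c5060 FoolsIdol
c5080 DirtyColossus
c5090 Leechmonger
c5100 ArmorSpider
c5120 BlueDragon
c5130 RedDragon
c6020 OldHero
c6030 OldMonk
c6040 MaidenAstraea
c6050 DragonGod
c7150 MaidenInBlack
c7230 FalseKingAllant 723000, NPCParamID 2_3_0, ID 821

Possible hooks
2 params, no return
ShowRankingDialog

no params, returns value
GetDbgRandomA
GetDbgRandomB
SosMsgGetResult_Tutorial
IsRankingData
GetPlayerId_Random

no params, no return
OpenPlayerAssessMenu_Tutorial
PauseTutorial
#>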