 

PS3UserCheat PS3 Cheat Dongle v2.3 Update Arrives From Oct0xor

Category: PS3 Hacks & JailBreak  By: PS3 News - (twitlonger.com)

39w ago - This weekend Oct0xor (aka Mr. DongleBreaker) has followed up his previous release with PS3UserCheat PS3 Cheat Dongle v2.3 update which features Cheatlist.dat v6.1 as outlined below.

Download: PS3UserCheat PS3 Cheat Dongle v2.3 Update / PS3UserCheat PS3 Cheat Dongle v2.3 Update (Mirror) / PS3UserCheat PS3 Cheat Dongle v2.3 Update (Mirror #2) / PS3 Cheats Editor Installer (by aldostools) / PS3 DEX 3.55 Cheat Pack by technodon

From his Tweet: Release: Custom ps3usercheat v2.3 + cheatlist.dat v6.1

Finally releasing what I have many times asked for

Now everyone can make their own AR cheats for PS3.

I hope that in one day PS3 will have so much cheats like Nintendo DS

Thanks to HeroQ8 for support.

!!! Never use this for cheating in online games !!!

This would help you making your own cheats: pastebin.com/tsD7wKv7

In related news Tetzrep has made available (via psx-scene.com/forums/content/even-2606/) a PSUserCheatfile MK9 Multiplayer NPC (Password: tetzrep)

This time allowing for multiplayer and tag team use of the NPC's that were unlocked last month. A few other nice touches in this update include:

  • The ability to morph Shang Tsung into other characters, as he does in the arcade ladder. This is nice considering all you can do with the move is take a bit of their life bar away. Now with certain button combos, you can pretty much morph into any character on the roster, and the NPC's to boot. All of this selectable through ps3usercheat, and the same directions from last months post applies also.
  • The ability in the challenge tower on challenge 227 (Cyborg-Absorb) to not just play as Cyber-Reptile in this challenge, but to give the cyborg character in that challenge the fighting styles and any character, including the bosses.
  • Other cheats added allow you to speed up and slow down gameplay.

There is a very nice jpg packaged in with the .dat file which gives specific instructions on how to get this to work, and the button combos needed.

Also from Hero Q8 (aka ueess via codemasters-project.net/vb/showthread.php?13123-Cheat&p=132900#post132900) comes some PS3 CFW 4.21+ Only Cheat Packages below, as follows:

Installation Instructions

1. Unrar The Rar File
2. Copy the pkg file to your USB
3. Install Package from "Install Package Files".
4. Choose The Game from Multiman or any other Manager (Must Have Any Disc In The Drive)
5. Boot the game from installed pkg not the disc icon it will start the game with the codes
NOTE 1: Some Games Needs Files from USRDIR to be moved to PKG dir (Minus Eboot) after install i will add Note 1 for these Games
NOTE 2: Some PKG are Just Update Install It and Boot The Game Normal i will add Note 2 for these Games

All Cheats For 4.21+ Only - For People who are on 3.55 CFW use PS3UserCheats (free) Which Has all codes converted to be used on that device (Same ones you find in All Old and Current Eboot PKGs)

2nd Super Robot Taisen OG BLJS10133

1. Infinite Money
2. Infinite PP
3. Infinite SP

BLJS10133
http://www.putlocker.com/file/31B61E77E1AD8976

NOTE 2: This Is Update PKG Just Boot The Game Normal After Install

Borderlands 2 BLUS30982

1. Max Money on Buy
2. Max Badass Token & Skills
3. Max Level [NO EXP REQUIRED]
4. Infinite Ammo

BLUS30982
http://www.putlocker.com/file/EB1CB757807F469B

NOTE 2: This Is Update PKG Just Boot The Game Normal After Install

Darksiders 2 BLUS30829 and BLES01597

1. Infinite Skill Points Have at least 1
2. Infinite Wrath
3. Infinite Reaper Gauge
4. Max Yellow Coins after Save
5. Max Blue Coins after Save

BLUS30829
http://www.putlocker.com/file/16A1AAF26AC0AB47

BLES01597
http://www.putlocker.com/file/7BCE345B19B1F135

NOTE: For Yellow and Blue Coins Load Game with code save game, quit game & reload
NOTE 2: This Is Update PKG Just Boot The Game Normal After Install

Devil May Cry 4 BLUS300920

1. Infinite Health
2. Infinite Devil Trigger
3. Infinite Exceed
4. Always SSS Style

BLUS300920
http://www.putlocker.com/file/B28AB14D1635C8CB

NOTE 2: This Is Update PKG Just Boot The Game Normal After Install

Far Cry 3 BLUS30687

1. Max Money on Buy/Sell
2. Max Skill Points on Use
3. Max Exp on Gain
4. Infinite Ammo

BLUS30687
http://www.putlocker.com/file/2E1D1E00B3E0465C

NOTE 2: This Is Update PKG Just Boot The Game Normal After Install

Medal of Honor Warfighter BLUS30990

1. Infinite Ammo

BLUS30990
http://www.putlocker.com/file/FE8FCF2C2CA5499F

NOTE 2: This Is Update PKG Just Boot The Game Normal After Install

Need for Speed Most Wanted BLUS31010

1. Infinite Nitros
2. Infinite SP

BLUS31010
http://www.putlocker.com/file/F2D114D7ABA60F82

NOTE 2: This Is Update PKG Just Boot The Game Normal After Install

Never Dead BLES01303

1. Infinite Ammo

BLES01303
http://www.putlocker.com/file/4E52BC166CC88799

NOTE 2: This Is Update PKG Just Boot The Game Normal After Install

Ni no Kuni Wrath of the White Witch BLES01555

1. Max Money On Gain

BLES01555
http://www.putlocker.com/file/F359211A87282361

NOTE 2: This Is Update PKG Just Boot The Game Normal After Install

Sleeping Dogs BLES01661

1. Infinite Money

BLES01661
http://www.putlocker.com/file/E186D51F97DDAC28

NOTE 2: This Is Update PKG Just Boot The Game Normal After Install

Soul Calibur V BLUS30736

1. Infinite Health
2. 1 Hit Ko

BLUS30736
http://www.putlocker.com/file/822992CFA5A437BB

NOTE 2: This Is Update PKG Just Boot The Game Normal After Install

Spec Ops The Line BLUS30531

1. Infinite Ammo

BLUS30531
http://www.putlocker.com/file/C3322E0AF43DCA0D

NOTE 2: This Is Update PKG Just Boot The Game Normal After Install

Tekken Tag Tournament 2 BLES01702

1. Max Money on Buy

BLES01702
http://www.putlocker.com/file/E71CC5B09949270F

NOTE 2: This Is Update PKG Just Boot The Game Normal After Install

The Darkness II BLUS30743

1. Max Essences on Gain

BLUS30743
http://www.putlocker.com/file/9E0BCFF14D17E781

NOTE 2: This Is Update PKG Just Boot The Game Normal After Install

Twisted Metal BCUS98106

1. Infinite Health
2. Infinite Ammo

BCUS98106
http://www.putlocker.com/file/76E57141489BBBAA

NOTE 2: This Is Update PKG Just Boot The Game Normal After Install

Below is a Tool To Apply PS3UserCheat Hacks on Eboots from KDSBest (via twitlonger.com/show/kigtsr):

Download: Patch-ELF-PS3UserCheat.rar

// Patch PS3UserCheat Cheat to an ELF File
// 1. Decrypt EBOOT.BIN to EBOOT.ELF
// 2. Provide PATCH.TXT with the following Format (From PS3 Cheats Editor)
// Example PATCH.TXT
//00002000 0002A878 33FE034C
// Another Example of PATCH.TXT
//00002000 010AF534 00000000
//00002000 010AF538 00000000
//00002000 010AF53C 00000000
//00002000 010AF540 00000000
// 3. Run this Code
// 4. Re-encrypt EBOOT.KDSBest.ELF to EBOOT.BIN
// 5. Replace EBOOT.BIN of your game with the new one

// Sorry I couldn't provide a One Click Tool I lack in time 
// the 0000c001 patches are button mapping for cheat pkgs, since we fixed patch it this isn't supported.
// Example Tales of Grace F Move Fast Speed (Press []) is the following PATCH.TXT
//00002000 007DF6FC 3F800000
//0000C001 00000000 00000080
//00002000 007DF6FC 3FE00000
// If you don't want to patch the speed the PATCH.TXT you provide
//00002000 007DF6FC 3F800000
// If you want constant faster speed you provide
//00002000 007DF6FC 3FE00000
// It reads the following way
// 00002000 = Patch Memory (Eboot)
// 0000C001 = Button Event
// Look how easy
// If nothing is pressed
// {
//00002000 007DF6FC 3F800000 => Patch Memory At 007DF6FC to 3F800000
// }
//0000C001 00000000 00000080 => else If(Button Event(00000080)) => 00000080 = []
// {
//00002000 007DF6FC 3FE00000 => Patch Memory At 007DF6FC to 3FE00000
// }

// Why I write this tool
// I provided the patches by hand
// 1. Load ELF in IDA
// 2. Check bytes at Address
// 3. Search Bytes from IDA (Which can parse the elf header and knows the exact locations) in Hex Editor
// 4. Patch Bytes by hand
// 5. ....

// Why is this tool written like bullshit
// I don't have the mood to write it clean 

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.IO;

namespace Patch_ELF_PS3UserCheat
{
class Program
{
public struct ELFLocation
{
public uint Offset;
public uint OffsetFile;
public uint Size;
}

public struct Patch
{
public uint Offset;
public uint PatchValue;
}

public static uint byteToUInt(byte[] b)
{
return byteToUInt(b, 0);
}

public static uint byteToUInt(byte[] b, int offset)
{
uint a = (uint)b[offset] << 24;
a |= (uint)b[offset + 1] << 16;
a |= (uint)b[offset + 2] << 8;
a |= (uint)b[offset + 3] << 0;
return a;
}

public static byte[] uintToByte(uint i)
{
byte[] b = new byte[4];
b[0] = (byte)((i >> 24) & 0xFF);
b[1] = (byte)((i >> 16) & 0xFF);
b[2] = (byte)((i >> 8) & 0xFF);
b[3] = (byte)((i) & 0xFF);
return b;
}

public static int LoadElfPHDR(BinaryReader br, List<ELFLocation> Elf, uint phdr_offset, uint phdr_size, uint i)
{
byte[] phdr = new byte[phdr_size];

br.BaseStream.Seek(phdr_offset + phdr_size * i, SeekOrigin.Begin);
br.Read(phdr, 0, phdr.Length);
ELFLocation elfLocation = new ELFLocation();
elfLocation.OffsetFile = byteToUInt(phdr, 0x0C);
elfLocation.Offset = byteToUInt(phdr, 0x14);
elfLocation.Size = byteToUInt(phdr, 0x24);
Elf.Add(elfLocation);
return 0;
}

public static ushort byteToUShort(byte[] b, int offset)
{
ushort a = (ushort)(b[offset] << 8);
a |= (ushort)b[offset + 1];
return a;
}

public static List<ELFLocation> LoadElf(string FileName)
{
List<ELFLocation> Elf = new List<ELFLocation>();
BinaryReader br = new BinaryReader(File.OpenRead(FileName));

byte[] elfMagic = new byte[4];
br.Read(elfMagic, 0, 4);
if (elfMagic[0] != 0x7F ||
elfMagic[1] != 0x45 ||
elfMagic[2] != 0x4C ||
elfMagic[3] != 0x46)
{
Console.WriteLine("Elf Magic Wrong (" + FileName + ")");
br.Close();
return Elf;
}
br.BaseStream.Seek(0, SeekOrigin.Begin);
byte[] eHDR = new byte[0x40];
br.Read(eHDR, 0, eHDR.Length);
uint phdr_offset = byteToUInt(eHDR, 0x24);
ushort n_phdrs = byteToUShort(eHDR, 0x38);
ushort phdr_size = byteToUShort(eHDR, 0x36);
for (ushort i = 0; i < n_phdrs; i++)
{
int error = LoadElfPHDR(br, Elf, phdr_offset, phdr_size, i);
if (error == 1)
Console.WriteLine("Didn't Load phdr " + i + " of File " + FileName);
}

br.Close();
return Elf;
}

public static List<Patch> LoadPatchFile(string FileName)
{
List<Patch> patches = new List<Patch>();
StreamReader sr = new StreamReader(File.OpenRead(FileName));

string input;
while(!string.IsNullOrEmpty(input = sr.ReadLine()))
{
string[] vals = input.Split(new char[] { ' ' });
if (vals.Length != 3 || vals[0] != "00002000")
{
Console.WriteLine("This is not an ELF Patch!");
patches.Clear();
return patches;
}
Patch p = new Patch();

try
{
p.Offset = uint.Parse(vals[1], System.Globalization.NumberStyles.AllowHexSpecifier);
p.PatchValue = uint.Parse(vals[2], System.Globalization.NumberStyles.AllowHexSpecifier);
patches.Add(p);
}
catch (Exception)
{
Console.WriteLine("Patch file wrong!");
patches.Clear();
return patches;
}
}
return patches;
}

static void Main(string[] args)
{
if (!File.Exists("EBOOT.ELF"))
{
Console.WriteLine("Couldn't find EBOOT.ELF");
Console.ReadLine();
return;
}
if (!File.Exists("PATCH.TXT"))
{
Console.WriteLine("Couldn't find PATCH.TXT");
Console.ReadLine();
return;
}
if (File.Exists("EBOOT.KDSBest.ELF"))
File.Delete("EBOOT.KDSBest.ELF");
List<ELFLocation> locations = LoadElf("EBOOT.ELF");
List<Patch> patches = LoadPatchFile("PATCH.TXT");
for(int i = 0; i < patches.Count; i++)
{
ELFLocation? locationForPatch = null;
Patch p = patches[i];
for (int ii = 0; ii < locations.Count; ii++)
{
if (p.Offset >= locations[ii].Offset && p.Offset < locations[ii].Offset + locations[ii].Size)
{
locationForPatch = locations[ii];
break;
}
}

if (locationForPatch == null)
{
Console.WriteLine("Patch is not for this ELF!");
Console.ReadLine();
return;
}
else
{
p.Offset = p.Offset - locationForPatch.Value.Offset + locationForPatch.Value.OffsetFile;
patches[i] = p;
}
}

Console.WriteLine("Patching ELF...");
File.Copy("EBOOT.ELF", "EBOOT.KDSBest.ELF");
BinaryWriter bw = new BinaryWriter(File.OpenWrite("EBOOT.KDSBest.ELF"));
foreach (Patch p in patches)
{
bw.Seek((int) p.Offset, SeekOrigin.Begin);
bw.Write(uintToByte(p.PatchValue));
}
bw.Close();
Console.WriteLine("DONE!");
Console.ReadLine();
}
}
}
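
An added example, not KDSBest's code: a Python dry run of the virtual-address-to-file-offset translation the tool above performs, reporting what each PATCH.TXT line would touch without writing anything. The ELF image and patch addresses are constructed for the example; unlike the original tool, this sketch only considers PT_LOAD segments and rejects writes that are not fully backed by file bytes (past p_filesz).

```python
import re
import struct
from dataclasses import dataclass

EHDR = struct.Struct(">16sHHIQQQIHHHHHH")  # ELF64 big-endian file header, 0x40 bytes
PHDR = struct.Struct(">IIQQQQQQ")          # ELF64 big-endian program header, 0x38 bytes
PT_LOAD = 1
CODE_WRITE32 = 0x00002000  # "Patch Memory (Eboot)" in the page's description
CODE_BUTTON = 0x0000C001   # "Button Event"; the fixed-patch tool does not support it
HEX8 = re.compile(r"[0-9A-Fa-f]{8}")


@dataclass
class Segment:
    vaddr: int
    offset: int
    filesz: int
    memsz: int


def load_segments(elf: bytes) -> list:
    """Return the PT_LOAD segments of an ELF64 big-endian image."""
    if len(elf) < EHDR.size or elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if elf[4] != 2 or elf[5] != 2:
        raise ValueError("expected ELFCLASS64 / big-endian")
    f = EHDR.unpack_from(elf, 0)
    phoff, phentsize, phnum = f[5], f[9], f[10]
    if phentsize < PHDR.size or phoff + phentsize * phnum > len(elf):
        raise ValueError("program header table out of bounds")
    segs = []
    for i in range(phnum):
        p_type, _, off, vaddr, _, filesz, memsz, _ = PHDR.unpack_from(elf, phoff + i * phentsize)
        if p_type == PT_LOAD:
            segs.append(Segment(vaddr, off, filesz, memsz))
    return segs


def parse_patch_text(text: str) -> list:
    """Parse 'CODE ADDR VALUE' lines (three 8-digit hex words each)."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 3 or not all(HEX8.fullmatch(p) for p in parts):
            raise ValueError(f"line {n}: expected three 8-digit hex words")
        entries.append(tuple(int(p, 16) for p in parts))
    return entries


def plan_patches(elf: bytes, patch_text: str) -> list:
    """Dry run: say where each entry would land in the file; write nothing."""
    segs = load_segments(elf)
    plan = []
    for code, addr, value in parse_patch_text(patch_text):
        row = {"code": code, "addr": addr, "value": value, "file_offset": None}
        seg = next((s for s in segs if s.vaddr <= addr < s.vaddr + s.memsz), None)
        if code == CODE_BUTTON:
            row["status"] = "unsupported: button event"
        elif code != CODE_WRITE32:
            row["status"] = "unsupported: code type"
        elif seg is None:
            row["status"] = "rejected: outside every PT_LOAD segment"
        elif addr + 4 > seg.vaddr + seg.filesz:
            row["status"] = "rejected: past p_filesz (not file-backed)"
        else:
            fo = addr - seg.vaddr + seg.offset
            if fo + 4 > len(elf):
                row["status"] = "rejected: segment truncated in file"
            else:
                row.update(file_offset=fo, old=elf[fo:fo + 4].hex(), status="ok")
        plan.append(row)
    return plan


def build_sample_elf() -> bytes:
    """Constructed image: two PT_LOAD segments, the second with a .bss-style tail."""
    ident = b"\x7fELF" + bytes([2, 2, 1]) + bytes(9)
    ehdr = EHDR.pack(ident, 2, 21, 1, 0x10000, 0x40, 0, 0, 0x40, 0x38, 2, 0, 0, 0)
    text = PHDR.pack(PT_LOAD, 5, 0x100, 0x10000, 0x10000, 0x40, 0x40, 0x10000)
    data = PHDR.pack(PT_LOAD, 6, 0x140, 0x30000, 0x30000, 0x10, 0x40, 0x10000)
    return (ehdr + text + data).ljust(0x100, b"\0") + bytes(range(0x50))


# Constructed patch list; values reuse the 3F800000 / 3FE00000 / 00000080 words from the page.
SAMPLE_PATCH = """\
00002000 00010008 3F800000
0000C001 00000000 00000080
00002000 00030020 3FE00000
00002000 00050000 3FE00000
"""

if __name__ == "__main__":
    for row in plan_patches(build_sample_elf(), SAMPLE_PATCH):
        fo = "-" if row["file_offset"] is None else hex(row["file_offset"])
        print(f'{row["code"]:08X} {row["addr"]:08X} {row["value"]:08X} -> {fo:>6}  {row["status"]}')
```
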
Also (via twitlonger.com/show/kjc7cn) We all love assembler or? And working with magic numbers. Try to hook GamePad System Wide. I do, but it is harder than thought. It's not working pretty well. We will see. Code is for REX (4.21) as CEX. If you change something in the setup it won't work LV2 Addresses are different. And my payloads like to jump around in LV2 in the right addresses.

To make things clear again. This is not fully working. Read below. Looking forward to deliver the community a project CWcheat for PSP. I am up 20 hrs now. Go to bed. Getting where I am now with a ps3 dev wiki which is not reachable and totally poor documentation of the ps3 scene was a lot screams and red bull.

Stay tuned, KDSBest

// The full Code for the hack
// It doesn't work yet, because of the 2. stage
// shellcode crash on read sometimes.
// Have to check things out
// Next I start to bring up a working version.
// Maybe someone finds a trick or has a tip in the // mean time 
#define uint64_t unsigned long long

register uint64_t r3 __asm("r3");
register uint64_t r4 __asm ("r4");
register uint64_t r11 __asm ("r11");
uint64_t firstStageSC[] = {
// blr PREVENT SYSCALL 900 FROM DESTROY INFORMATION
// blr PREVENT SYSCALL 900 FROM DESTROY INFORMATION
0x4E8000204E800020ULL,
//li %r3, 0x80
//rldicr %r3, %r3, 48,15
0x38600080786383C6ULL,
//addi %r3, %r3, 0x7FFF
//rldicr %r3, %r3, 8,55
0x38637FFF786345E4ULL,
//addi %r3, %r3, 0xC0
//std %r5, 0(%r3)
0x386300C0F8A30000ULL,
//li %r3, 0
//b
0x38600000480345D0ULL
};
int firstStageSCLen = 5;

/*uint64_t secondStageSC[] = {
0xF821FFA1F8610058ULL,
0xFB21005038600080ULL,
0x786383C638637FFFULL,
0x786345E4386300C0ULL,
0xEB2300002FB90000ULL,
0x419E003CE8790000ULL,
0x786300222FA30000ULL,
0x419E002CA0790008ULL,
0x5463073E2FA300FFULL,
0x409E001C38600100ULL,
0x3880000038A00000ULL,
0x38C000003960017BULL,
0x44000002E8610058ULL,
0xEB210050E8210000ULL,
0x4E8000204E800020ULL
};*/
uint64_t secondStageSC[] = {
0xF821FFA1F8610058ULL,
0xFB210050F8810048ULL,
0x38600080786383C6ULL,
0x38637FFF786345E4ULL,
0x386300C0EB230000ULL,
0x388000017884C1E4ULL,
0x7FB92040409D0038ULL,
0x7C641B78A0790008ULL,
0xF8640010F8840020ULL,
0x5463073E2FA3000FULL,
0x409E001C38600100ULL,
0x3880000038A00000ULL,
0x38C000003960017BULL,
0x44000002E8610058ULL,
0xEB210050E8810048ULL,
0xE82100004E800020ULL

};

int secondStageSCLen = 16;

#define SCStartFirstStage 0x800000000008FC2CULL
#define SCStartSecondStage 0x800000000008FC8CULL

int __volatile__ main(int argc, const char* argv[])
{
for(int i = 0; i < firstStageSCLen; i++)
{
r4 = firstStageSC[i];
r3 = SCStartFirstStage + (8*i);
r11 = 0x07;
__asm("sc");
}
for(int i = 0; i < secondStageSCLen; i++)
{
r4 = secondStageSC[i];
r3 = SCStartSecondStage + (8*i);
r11 = 0x07;
__asm("sc");
}

// Patch li r3, 0 to first Stage Payload
r4 = 0x4BFCBA18FB410080ULL;
r3 = 0x80000000000C421CULL;
r11 = 0x07;
__asm("sc");

// Patch blr to second Stage Payload
r4 = 0x4BFCB9C07C7F07B4ULL;
r3 = 0x80000000000C42CCULL;
r11 = 0x07;
__asm("sc");

return 0;
}

// Shellcode development
// First Stage does it's job just well
// Saves the parameter to a memory adress lv2 will find
// but we need to save more parameters to precisly pick
// the package we want

// Second Stage crashes often on the read of userland
// data. And the check isn't right yet. I lack of time
// like always

// PS: Ignore the main Function it is just for
// compiler to have sth todo
// I copy the instructions with a IDA out of the ELF

#define uint64_t unsigned long long

register uint64_t sp __asm("r1");
register uint64_t r3 __asm("r3");
register uint64_t r4 __asm ("r4");
register uint64_t r5 __asm ("r5");
register uint64_t r6 __asm ("r6");
register uint64_t r7 __asm ("r7");
register uint64_t r8 __asm ("r8");
register uint64_t r9 __asm ("r9");
register uint64_t r11 __asm ("r11");
register uint64_t r25 __asm("r25");

void __volatile__ FirstStage()
{
__asm("li %r3, 0x80");
__asm("sldi %r3, %r3, 48");
__asm("addi %r3, %r3, 0x7FFF");
__asm("sldi %r3, %r3, 8");
__asm("addi %r3, %r3, 0xC0");
__asm("std %r5, 0x00(%r3)");
__asm("li %r3, 0");
}

void __volatile__ SecondStage()
{
__asm("stdu %r1, -0x60(%r1)");
__asm("std %r3, 0x58(%r1)");
__asm("std %r25, 0x50(%r1)");
__asm("std %r4, 0x48(%r1)");
__asm("li %r3, 0x80");
__asm("sldi %r3, %r3, 48");
__asm("addi %r3, %r3, 0x7FFF");
__asm("sldi %r3, %r3, 8");
__asm("addi %r3, %r3, 0xC0");
__asm("ld %r25, 0x0(%r3)");
__asm("li %r4, 0x01");
__asm("sldi %r4, %r4, 24");
__asm("cmpld cr7, %r25, %r4");
__asm("ble cr7, 0x38");
__asm("mr %r4, %r3");
__asm("lhz %r3, 0x8(%r25)");
__asm("std %r3, 0x10(%r4)");
__asm("std %r4, 0x20(%r4)");
__asm("clrlwi %r3, %r3, 28");
__asm("cmpdi cr7, %r3, 0xF");
__asm("bne cr7, 0x1C");
r3 = 0x100;
r4 = 0;
r5 = 0;
r6 = 0;
r11 = 0x017B;
__asm("sc");
__asm("ld %r3, 0x58(%r1)");
__asm("ld %r25, 0x50(%r1)");
__asm("ld %r4, 0x48(%r1)");
__asm("ld %r1, 0x00(%r1)");
__asm("blr");
}

int main(int argc, const char* argv[])
{
FirstStage();
SecondStage();
return 0;
}
My last code is a PoC for hooking a button combo while a game is running in any Game/Homebrew or XMB

POC - Hooking A Button Combo During A Game / App Or On The XMB (via twitlonger.com/show/kjuoro):

// Shutdown on Gamepad L3+R3+Start+Select by KDSBest
// ONLY press those 4 buttons to Shutdown
// Works on REX 4.21 with CEX LV2 KERNEL
// DON'T compile with make or libs or so else
// the funny gcc will optimize the poke and uses other register
// ppu-lv2-gcc KDSBestGamepadHack.c -o KDSBestGamepadHack.elf

#define uint64_t unsigned long long

register uint64_t r3 __asm("r3");
register uint64_t r4 __asm ("r4");
register uint64_t r11 __asm ("r11");

uint64_t sc[] = {
/* SAVE ALL REGISTER */
//stdu %sp, var_60(%sp)
//std %r3, arg_58(%sp)
0xF821FFA1F8610058ULL,
//std %r4, arg_48(%sp)
//std %r5, arg_50(%sp)
0xF8810048F8A10050ULL,
//std %r6, arg_38(%sp)

/* READ SRC OF MEMCPY FROM SC 502 */
//ld %r6, 0(%r19)
0xF8C10038E8D30000ULL,

/* CUT OUT OTHER BUTTONS */
//rldicl %r6, %r6, 48,16

/* MAKE COMPARE REGISTER */
//li %r3, 0x7C
0x78C684023860007CULL,
//rldicr %r3, %r3, 16,47
//addi %r3, %r3, 0xF
0x786383E43863000FULL,

/* COMPARE AND DO NOT SHUTDOWN ON MISS */
//cmpw cr7, %r3, %r6
//bne cr7, loc_106D8
0x7F833000409E001CULL,

/* SHUTDOWN */
//li %r3, 0x100
//li %r4, 0
0x3860010038800000ULL,
//li %r5, 0
//li %r6, 0
0x38A0000038C00000ULL,
//li %r11, 0x17B
//sc
0x3960017B44000002ULL,

/* RESTORE REGISTER */
//noShutdown:
//ld %r3, arg_58(%sp)
//ld %r4, arg_48(%sp)
0xE8610058E8810048ULL,
//ld %r5, arg_50(%sp)
//ld %r6, arg_38(%sp)
0xE8A10050E8C10038ULL,
//ld %sp, arg_0(%sp)
//mr %r4, %r28
0xE82100007F84E378ULL,
//mr %r4, %r28 (DUMMY TO LAZY TO CALC NEW ADDR FOR BACK JUMP)
//mr %r4, %r28 (DUMMY TO LAZY TO CALC NEW ADDR FOR BACK JUMP)
0x7F84E3787F84E378ULL,
//b back
//dummy
0x4BFE2C884BFE2C88ULL
};

int scLen = 14;

#define SCStart 0x800000000008FC8CULL

uint64_t test123;

int __volatile__ main(int argc, const char* argv[])
{
// Copy Shellcode
for(int i = 0; i < scLen; i++)
{
r4 = sc[i];
r3 = SCStart + (8*i);
r11 = 0x07;
__asm("sc");
}

// Redirect to Shellcode
r4 = 0x4801D3147D635B78ULL;
r3 = 0x8000000000072978ULL;
r11 = 0x07;
__asm("sc");

return 0;
}
Ni No Kuni Max EXP Cheat by KDSBest

Ni No Kuni Max EXP ps3usercheat hack (You can use my Tool to apply it!): 00002000 006F96BC 38007FFE

Shortly following, AnoRelease (aka KDSBest and CFWProphet) made available a Ni No Kuni EXP Hack.pdf stating:

Hi, it’s me AnoRelease, look what I got here for ya.

Greetings

AnoRelease

Below is a FAQ Interview from him as well:

Q.1) So it appears you are known by another name, what is it, who are you ?
A) I’m a Chinese hacker and yeah I’m known as different persons. I guess you have to read between the line. I get hacks from a Team and I release them for them. They want to stay underground. This is how this works after all. Who am I? A leaker with the permission to leak the stuff. I’m the Chinese hacker that never existed after all.

Q.2) Rumour has it that you also released the Cex > Dex method, is that true ?
A) Yeah I wasn’t able to register on PS3HaX back then, now I could and so it was released on PS3News. A site which I don’t visit on my own, but I thought interesting news will spread anyway. I just tested the algorithm and got permission to release it. Basically the happy (fairy tail) guy was the brain behind it. Most people in the scene should know who he is. Even if he is mostly underrated.

Q.3) Why did you release it ?
A.) Why not make it public? I asked if I can release it and was told that the owner doesn’t care if it is out there, as long as his name isn’t exposed.

Q.4) Will you be releasing anything else ?
A.) This depends on the brilliant hackers behind all this. I just say AC1D .

Q.5) What do you think of the lv0 keys release ?
A.) Oh I think I know who is behind it, but of course I have no proof. They somehow claim they were forced to release it, but how are they forced to? So they gave it to someone else in the first hand. In my opinion it is their problem after all and I don’t believe that they didn’t want to release it. They checked cex > dex and nothing special happened because of the Anon release maybe and saw how a release is done.

Q.6) What do you think of the PS3 scene ?
A.) I like it. A good amount of drama and epic stories. It is/was a quite impressive time so far. I can’t wait for the next gen consoles. Sometimes it is sad how no brainers talk about the devs and it’s sad how others put them on a throne.

Q.7) What do you think about graf_chokolo ?
A.) His story is sad at the end. He is very inspiring for many hackers in the scene I guess. No one reached his knowledge about the PS3 so far and he will always be the number one hacker in our hearts. Many kudos for him.

Q.8) I hear you are a big fan of GeoHot, what is it you like about him ?
A.) I like it when people act dumb and go to TV. It’s like a robber ringing the bell afterwards and tell the house owner I just stole your stuff. Like my hacker friend (happy [fairy tail] guy) always says “Hacking is an underground job after all”. I don’t know if he ever said that on a forum, but he told me often enough. I like his humour I guess, the rap video was funny as hell. I wish he did more of them, but going on TV is not a well idea. I heard rumours he lost his job at Facebook too. He is just too ego I guess and no team player after all.

Q.9) Will you be working on any Next Gen consoles ?
A.) If I get the chance I will of course. The PS4 Press release was awesome in my opinion. I’m a bit happy about the X86 architecture and a bit sad. X86 is full of garbage because it grew with the time and still is backward compatible. AMD and Intel both worked that whore and that is how she looks like in my opinion.

Q.10) Is there anything you would like to add ?
A.) I would like to thank some people: KDSBest, cfwprophet, Team AC1D, GregoryRasputin, Pockets69, graf, durandal, eussNL, naehrwert and everything else I forgot of course.

Finally, HotNsexy has shared a Dead Space 3 PS3 Cheat PKG for 1.0 stating the following:

Ok. I'm on rebug 4.21.2 and I succeed to make a pkg cheat for Dead Space 3 BLUS31053. Its full health and stasis and infinite ammo, for version 1.0 if you have 1.01 installed delete it and then install this pkg:

If you get a black screen, just take out your BD from drive, restart console go to MM and start the game (no BD mirror or what so ever), just start the game and then start it from APP/HOME when prompt to update to 1.01 just skip it and enjoy... All greats to "medo" that released the codes.

He also made available an Infinite Ammo & Bottomless Clip stating: Again its for version 1.00 if you update 1.01 installed delete it and then install this pkg. Try it as I didn't try but I think it will work, cause I'm currently playing with the other one hehe... Tried with patch update but always give me a black screen.





#69 - PS3 News - 21w ago
This may be of use for that title, worth a try anyway: http://uploadmirrors.com/download/1G1VTOCU/GT5CB.rar

Another few updates by qorner for the GT5 save game editor (aka GT5 Career Booster): http://uploadmirrors.com/download/5F1MZRBE/GT5CB-12242012.rar and also http://rghost.net/42581355

Gran Turismo 5 Save Editor / Gran Turismo 5 Career Booster (GT5CB)

What you get with this tool is 20 000 000 in-game credits, and A-Spec level 40.

Prerequisites

First of all, whatever you do, always backup your files! Second, you must upgrade Gran Turismo 5 (GT5) to version 2.09, run it afterwards, load your game, perform manual save from "GT Mode" and finally exit GT5.

Copy GT5 saved data from console to storage media. Tutorial can be found here: http://manuals.playstation.net/document/en/ps3/current/game/copysavedata.html

Download Gran Turismo 5 Career Booster (GT5CB) from SourceForge (new and official source): https://sourceforge.net/projects/gt5cb/files/

Note that I'm not the developer of this tool! I accidentally stumble upon it while using Google

You'll also need flat_z's pfdtool for data crypting. pfdtool can be found here: http://www.ps3news.com/ps3-hacks-jailbreak/ps3-save-game-tools-pack-updated-by-flat-z-pfdtool-v0-2-3-out/

If you're on OFW, as I am, Console ID can be found by following this tutorial (nope, currently there is no easier way): Using pfdtool without cfw (Borderlands 2 specific)

If you want to know how to use the lately released Save Game:

Required tools:

• pfdtool by flatz: http://rghost.ru/42242210
• wireshark: http://www.wireshark.org/download.html
• PS3 ProxyServer by CF3B5: http://www.ps3news.com/forums/downloads.php?do=file&id=3673
• .net 1.1 runtimes (for PS3 ProxyServer): http://www.microsoft.com/en-us/download/details.aspx?id=26


1. Create a folder near your root drive for pfdtool (i.e. c:/pfdtool/), then extract all files into that folder from the linked archive.

2. Download and install wireshark and winPcap (included with the wireshark installer)

3. Download and install the .net runtimes

4. Download and install PS3 ProxyServer

5. Open a command prompt (start menu -> all programs -> accessories -> command prompt) and enter command “ipconfig”. Write down the IPv4 address (should look like 192.168.0.10 or something similar)

6. Open PS3 ProxyServer and copy the IPv4 address you wrote down into the IP Address field and check off PS3 mode, leave the other options alone. Hit the big start button. Keep your IPv4 number handy, you’ll need it again. Leave this program running.

7. Open Wireshark. On the left side there is an option to start capture. Left click with your mouse to select the appropriate network adapter listed below the start command. If you are not sure about which adapter to use, select them all using ctrl + left mouse click. Hit the start button once you’ve highlighted the appropriate adapters. Leave this program running.

8. Boot up your PS3 and navigate to Settings -> Network Settings -> Internet Connection Settings. on the first page select Custom, on the second select whether you are connected wirelessly or wired. Skip all other options by hitting right on your controller until you get to the Proxy Server page, then select use for that option. input the IPv4 address you wrote down earlier into the top field. Make sure that the port number on this page matches the port number on PS3 ProxyServer (should both say 8080). Skip to the last page on the configuration and hit x. Test connection when prompted by hitting x again. As long as the top 3 fields say succeeded you can carry on to the next step. if not, review your settings in this step and steps 5 and 6 and retry.

9. Sign into the playstation network and login to the psn store.

10. Go back to your pc and check Wireshark. There should be a whole bunch of information displayed on the screen, don’t worry you don’t need to know what it means. Press [ctrl]+e to stop capturing, then press [ctrl]+f to bring up your search dialogue. Under “find” check off “string” and under “Search In” check off “Packet bytes”. Enter 0000000100 as your search criteria and hit enter. If the necessary packet was found, in the bottom frame it should show the number highlighted on the right side (plaintext view) to ensure you have the right packet, right before the highlighted text it should say “devideID”:” and then the numbers you searched for. Take all the numbers and letters starting with your highlighted numbers and copy everything down until you find the next quotation mark in the plaintext. You should have a total of 32 digits written down. Should look something like 000000010084 followed by a bunch of letters and numbers. This is your console id.

11. Go to the folder you installed pfdtool in. Open global.conf in notepad. Eidt the line where it says console_id=by adding the console id you just captured after the =. Also change the other fields that are bolded below to match

; Global settings

[global]
authentication_id=1010000001000003
console_id=00000001008400xxx01dxxxx239xx6x6
user_id=00000001
syscon_manager_key=D413B89663E1FE9F75143D3BB4565274
keygen_key=6B1ACEA246B745FD8F93763B920594CD53483B82
savegame_param_sfo_key=0C08000E090504040D010F000406020209060D03

trophy_param_sfo_key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
tropsys_dat_key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
tropusr_dat_key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
troptrns_dat_key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
tropconf_sfm_key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
fallback_disc_hash_key=D1C1E10B9C547E689B805DCD9710CE8D

Save file and exit (make sure you save as .conf not .txt)

12. Open the games.conf file in the same folder. Edit it as follows for the NA retail disc version only. You’ll have a different game id (the BLUS30982) and secure_file_id. You’ll need to ask someone on the forums to get those for you if you are using a different region, version or an entirely different game. You can add additional games following the same layout by adding more lines. The disc_hash_key is commented out, so you will get a notification every time you use pfdtool, but it still works fine.

; "Borderlands 2"
[BLUS30982]
;disc_hash_key=
secure_file_id:*=02010508040102010508030A0F070C0D

Save and close the file once you are done adding games. Again make sure you save as .conf, not .txt.

13. Make sure you have a copy of your save game on your pc. I like to copy them right into the same folder as pfdtool to make for shorter commands.

14. You are now ready to actually use pfdtool. Navigate your command prompt to the folder you installed it in (the command to use is simply the path of the folder, i.e. “c:/pfdtool”). To decrypt we use the following command:

pfdtool -g BLUS30982 -d "C:/pfdtool/BLUS30982-SAVE-SAVE0001" SAVE0001.SAV

where the part in quotations will be changed to reflect your actual drive location and the name of the file will be changed to your actual file name. The file name and path are case sensitive, make sure you double check you have the right case.

15. You now have a decrypted save file. Use your hex editor of choice or, in the case of Borderlands 2, you can use the latest version of Gibbed’s Borderlands 2 Save Editor. Once you are done editing, save your game again and move on to the last step.

16. All that’s left at this point is to encrypt the file again. See below; the same notes apply as when decrypting about file path and name.

pfdtool -g BLUS30982 -e "C:/pfdtool/BLUS30982-SAVE-SAVE0001" SAVE0001.SAV

You can now transfer your save game back to your ps3.

A couple of quick notes: I have tried to make this as noob friendly as possible, but you still need some basic knowledge to follow this guide. Also, atm I really have no interest in modding any other save games so I do not have the info for other games to place in your games.conf file, though if anyone wants to post them I will be happy to add them to the guide. I did not write nor do I support any of the software mentioned in this guide.

If you have any suggestions for additions to this guide, post in comments below ^^, happy modding.
Otherwise, you can either use multiMAN's System Information, or PSID Patch to get your Console ID.

Download PSID Patch here: http://www.ps3news.com/ps3-hacks-jailbreak/psidpatch-1-5-arrives-now-changes-ps3-console-id-sent-to-psn/

Other necessary keys can be found here: pastebin.com/aqkATxXc


[Global Keys]

syscon_manager_key=D413B89663E1FE9F75143D3BB4565274
keygen_key=6B1ACEA246B745FD8F93763B920594CD53483B82
savegame_param_sfo_key=0C08000E090504040D010F000406020209060D03
fallback_disc_hash_key=D1C1E10B9C547E689B805DCD9710CE8D

[GT5 (BCES00569) Game Keys]

disc_hash_key=13D222C834F7F2BD2E4CB8CED51B1D94
secure_file_id=BDBD2EB72D82473DBE09F1B552A93FE6

Modding

Download Gran Turismo 5 Career Booster (GT5CB) and extract the archive contents to a writable directory, preferably without spaces or any special characters in folder path (e.g. C:\GT5CB\ or C:\Users\Public\GT5CB\).

Copy entire BCES00569-GAME (\PS3\SAVEDATA\BCES00569-GAME) folder and its contents from storage media to ..\GT5CB\SAVEDATA\ folder. Also, put flat_z's pfdtool.exe in ..\GT5CB\Tools\pfdtool\ folder (pfdtool *.conf files will be automatically generated by GT5CB).

Run GT5CB, browse for the BCES00569-GAME folder and the pfdtool.exe file, fill in all necessary keys and click on the large "Boost GT5 Career / Ruin GT5 Experience" button. Save data, as well as pfdtool configuration files, will be automatically (re)created. If everything is OK, you will be prompted to either continue or cancel the save data modding. If the information provided is correct, click "Yes". Once completed, copy/overwrite the modified save data from your PC back to the PS3 via storage media and run GT5.

Note that the SFO file is not modified this way, as it is not required by the GT5 loading system. Data in the SFO file will be automatically updated (corrected) by GT5 itself once loaded. Happy modding!
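
The checks implied by steps 10 to 12 of the guide above (a 32-digit console ID, hex-only key values, no typographic quotes left in a .conf file), as an added Python example that is not part of the original post or of pfdtool. The function name and the field lengths are assumptions; the lengths are read off the sample values shown on this page.

```python
import re

# Hex-digit lengths read off the sample values in the guide's global.conf and
# games.conf listings (assumption: pfdtool expects exactly these lengths).
LENGTHS = {
    "authentication_id": 16, "console_id": 32, "user_id": 8,
    "syscon_manager_key": 32, "keygen_key": 40,
    "savegame_param_sfo_key": 40, "fallback_disc_hash_key": 32,
    "disc_hash_key": 32, "secure_file_id": 32,
}
HEX = re.compile(r"[0-9A-Fa-f]+\Z")
# Curly quotes and primes that word processors and web pages substitute.
FANCY = re.compile("[\u2018\u2019\u201c\u201d\u2032\u2033]")


def check_conf(text):
    """Return (line_number, message) pairs for problems in a pfdtool .conf text."""
    problems = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("["):
            continue  # blank line, comment (incl. commented-out key), section
        if FANCY.search(line):
            problems.append((no, "typographic quote pasted from a web page"))
        if "=" not in line:
            problems.append((no, "expected key=value"))
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.split(":", 1)[0]  # "secure_file_id:*" -> "secure_file_id"
        want = LENGTHS.get(key)
        if want is None:
            continue  # key not covered here (e.g. the trophy keys)
        if not HEX.match(value):
            problems.append((no, f"{key}: empty or non-hex (placeholder left in?)"))
        elif len(value) != want:
            problems.append((no, f"{key}: {len(value)} hex digits, expected {want}"))
        elif key == "console_id" and not value.startswith("0000000100"):
            problems.append((no, "console_id: lacks the 0000000100 prefix from step 10"))
    return problems


if __name__ == "__main__":
    # Masked console_id as printed in the guide, plus a constructed short user_id.
    sample = "[global]\nconsole_id=00000001008400xxx01dxxxx239xx6x6\nuser_id=1\n"
    for no, msg in check_conf(sample):
        print(f"line {no}: {msg}")
```

Run it over the text of global.conf and games.conf before calling pfdtool; an empty list means every covered field has the expected shape.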

#68 - candan - 21w ago
I'm not getting this to work with gt5. It still tells me it's a different user's file... what the? Haven't tried it on anything else yet. This is the first game I've tried and cos I'm stuck on it, I'm still trying! Lol

#67 - Shell 32 - 21w ago
Hi guys, I have some problems with this homebrew. When I tried to install it on Rogero 4.30 with the standalone install package files app, it didn't even start the installation (error 80029564). Then I resigned it with the TrueAncestor EBOOT resigner; now it finishes the installation but it still doesn't work, it gives error 80010017 and returns to XMB. Is it possible to make it work? Here is the package.conf file I used to rebuild the .pkg:


Content-ID = PS3CHT-CHET20000_00-PS3USERCHEAT0200
K_licensee = 0x00000000000000000000000000000000
DRM_Type = Free
Content_Type = GameExec
PackageVersion = 01.00

#66 - oVERSoLDiER - 21w ago
I had problems with the CMD-based version too. With the GUI you just press the "..." button in the upper-right corner and search for your Savedata, which will be added below in a list. After that, right-click on the item and choose "Bruteforce...".

When it's done it will tell you the secure_file_id.

Maybe you could post a save from a game which is not in the list, so I can test it.

#65 - xyz100 - 21w ago
thx for your reply. I know that list but I want to know the process.

Can I find out secure_file_id by pfdtool.exe?

I can't use 'Secure File ID Dumper' because my ps3 isn't 3.55 CFW.
