Welcome to Xbox Chaos: Modding Evolved


About this blog

qqq

Entries in this blog

Lord Zedd

Shared Asset Lists

Due to size, all I can do is post this link: http://www.mediafire.com/download/q72zw282qjhidli/shared%20lists.rar where you'll find everything in a pretty rar. Lists are courtesy of the "SharedDump" tool made by AMD, which can be found with Assembly's source. Also courtesy of my own merging and sorting since SharedDump goes per-map.

If it ain't here it ain't shared. Go cry about it.

Includes:

Halo 3

Halo 3: ODST

Halo: Reach Beta

Halo: Reach

Halo 4 ;)

Lord Zedd

[nothalo]

So I'd been playing around with the Xbox version for a while, and now that there's a PC version more people can actually follow along. So here you go:

If you do a 4-byte search for "007747D4", you should get one result, which will be the information for the current player. Here's a quick labeling of cool things:


You can assign a hotkey that adds to that Z float and you can essentially have a Jump button.

Those scale floats, well, http://steamcommunity.com/sharedfiles/filedetails/?id=191046272

Update: The new value up there is better to search for and works both indoors and outdoors, and any character.

Then the savefile, located in the game's \savedata folder, has 2 things to point out:

Offset x5CA is the character, your choices are:

0 York

1 Emily

2 Child York

3 Raincoat Killer

4 Zach

I should note that anything not York will probably not be able to open doors, among other things. But for a good amount of cutscenes they work and add some silliness: http://steamcommunity.com/sharedfiles/filedetails/?id=191015359

Then at xCBF9 would be your current room, though many times your current coords will start you under the world and you'll fall to your death. Don't really have a list of good rooms, sorry.

The .DLC files in \addon are textfiles and the "bonuses" each suit/whatever brings can be tweaked. (PARAM0-PARAM5)

[/nothalo]

Lord Zedd

Poke a Nop over given offset (x60000000 as bytes)

8233E90C Halo 3 Beta (NoTU)

8233EA14 Halo 3 Beta (TU2)

821C293C Halo 3 Epsilon

8212A094 Halo 3 (Dev Demo)

8212A9B4 Halo 3 (NoTU)

8213A924 Halo 3 (TU3)(Mythic)

82136278 Halo 3 ODST

8268E330 Halo Reach Beta ("Pre-Beta")

824D6B24 Halo Reach Delta (Public Beta)

824F9B94 Halo Reach (NoTU)

824FB884 Halo Reach (TU1)(Anniversary)

824F8A7C Halo Reach Demo

8247AE54 Halo 4 (NoTU)

8247B0DC Halo 4 (TU1)

8247C53C Halo 4 (TU2)

8247C09C Halo 4 (TU3)

8247CFDC Halo 4 (TU4)

824903C4 Halo 4 (TU5)

824900AC Halo 4 (TU6)

824930BC Halo 4 (TU7)

Halo 3 Beta is screwy, monitor stays first person for whatever reason.

Halo 4 QTE events turn Chief invisible, just a heads up.

Lord Zedd

So, you know, I got banned tonight from Xbox Live, which took out my console and both the Lord Zedd and ddeZ droL accounts. The cause is up to debate, but the point is that I can no longer supply all the missions through my fileshare.

This is where this blog post comes in. In here I will reveal how to do this yourself and link the container files of my own runs.

But before I start I'd like to make this disclaimer: While the cause of my ban isn't fully understood (profile tampering? wat.), 343 have taken it upon themselves to take *action* regarding campaign films and screenshots. Load campaign films on Live at your own risk, especially so with taking screenshots.

Edit 10/8/13: xXDeViouS in the comments reported a ban for uploading some screenshots of Midnight. So it looks pretty likely that bad times will be had if you even think to take this stuff online. You have been warned.

Edit 10/15/13: Another ban documented.

How to:

So while you are in the lobby, you'll want to poke the following byte to something not 00 or 01:

NoTU: 827E3D33

TU1: 827E4683

TU2: 827E633B

TU3: 827E6133

TU4: 827EB49B

TU5: 827FF003

TU6: 827FF84B

TU7: 82803B63

The simple explanation is that normally, Halo 4 blocks certain engine modes from generating film files. This byte is the immediate of the compare instruction that checks whether a film file should be created. If the current engine mode is equal to this byte (00 normally), the branch instruction after it is taken and no film is made. A value such as 07 will never match any engine mode, so a film will always be made.

Once poked, start your game. At some point before quitting, you'll want to poke that byte back to 00. The reason is that if you don't, the game will start recording an (unplayable, by the way) film of the main menu.

This is bad because the game has checks in place to stop someone from playing a film while one is already recording. If you forget to poke it back it isn't that big of a deal; you can either load up another map or reboot the game.

But when all is done, you should see your film waiting for you in your temporary history.

Now onto the list of completed missions for those without the ability to poke. Just resign them to your profile and start them up, keeping the above disclaimer in mind. If you want to contribute and save me the trouble of playing every mission just link me the container file and I'll put it here.

Prologue: (Useless, loads a video which takes away theater control)

Dawn: http://www.mediafire.com/?2454j5l7ba5w1bd (courtesy of Zeltrax)

Requiem: http://www.mediafire.com/download/itcu0rffmg9hci7/Requiem.rar (courtesy of Zeltrax)

Forerunner: http://www.mediafire.com/download/tlrlr5i7cs1basc/Forerunner.zip

Infinity: http://www.mediafire.com/download/tf44e031d1f54hn/Infinity.rar (courtesy of Zeltrax)

Reclaimer: http://www.mediafire.com/download/wx1mw8ikgkgqpge/Reclaimer.zip

Shutdown: Co-Op! My POV- http://www.mediafire.com/download/circ4zx5eesetf6/Shutdown-ZeddPOV.zip Zeltrax's POV- http://www.mediafire.com/download/mc6owkvvb4b17kd/Shutdown.rar (lags out at beginning of third tower :()

Composer: http://www.mediafire.com/download/85h9oovb8jnkrce/Composer.zip

Midnight: http://www.mediafire.com/download/x4omh41r8801j45/Midnight.zip

Epilogue: (Useless, loads a video which takes away theater control)

Lord Zedd

You guys have been asking for this post, and rather than continue to be self-conscious about what to write, I'm just gonna start typing.

My personal trick is that I've learned the common patterns found in the Halo engine. Halo games, as you should be well aware, have always used the same engine. So there is a good chance that once you've found something in one game, it will be significantly easier to track it down in another.

But of course you have to find these patterns first and try to get some kind of footing. You should also take into consideration just what you are wishing to accomplish. In hindsight the changes needed to crack a locked down beta are simple but the problem was finding them.

There are a few ways you can try to find the function you are looking for. The ones I have used/seen are:

  • Bruting data references
  • Checking rdata strings
  • Checking import functions

The first is probably most familiar to anyone who has followed a tutorial like Chrisco's that has you dump floats and brute through them all looking for changes. But tutorials like his only stop at finding the values, rather than exploring them further.

Those tutorials also have you dumping more data values than necessary. By searching for something like ".float" you are grabbing every instance, many of which aren't even directly referenced by the actual code. You can narrow it down by searching instead for ": .float", since the colon only appears on labeled (referenced) floats, as seen here:

.data:83335AB8 flt_83335AB8:   .float 0.64221829	   # DATA XREF: sub_82C613F0+8D8r

Compare to:

.data:8337C154				 .float 1.0

Though for most things, you likely won't be searching floats to find something. Bytes are much better for that, found by searching ": .byte"
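
As an added example (editor's code, not part of the post), here is the ": .float" / ": .byte" narrowing done as a small parser over IDA listing lines, so you can filter a whole dumped listing rather than eyeballing the colon. The sample lines are the ones quoted in this post (whitespace normalized to spaces); the regex shape of the `# DATA XREF:` comment and the `r`/`w`/`o` suffixes follow IDA's listing convention and are the only assumptions here. It also resolves `sub_X+OFF` back to the absolute address of the referencing instruction, which is the number the post reads off by hand.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample: the .data lines quoted in this post (a referenced float,
# an unreferenced float, and the disc-2 flag byte). Not a dump from any build.
IDA_LISTING = """\
.data:83335AB8 flt_83335AB8:   .float 0.64221829    # DATA XREF: sub_82C613F0+8D8r
.data:8337C154                 .float 1.0
.data:8407FD28 byte_8407FD28:  .byte 0              # DATA XREF: sub_82693A20+Co
"""


class DataItem(NamedTuple):
    address: int              # address of the data item itself
    label: Optional[str]      # IDA auto-label; only present when something references the item
    directive: str            # ".float", ".byte", ...
    value: str                # literal exactly as printed in the listing
    xref_func: Optional[str]  # e.g. "sub_82693A20"
    xref_addr: Optional[int]  # absolute address of the referencing instruction
    xref_kind: Optional[str]  # IDA suffix: r = read, w = write, o = offset taken


# One listing line: ".seg:ADDR [label:] .directive value [# DATA XREF: sub_X+OFFk]"
LINE_RE = re.compile(
    r"^\.(?P<seg>\w+):(?P<addr>[0-9A-Fa-f]{8})\s+"
    r"(?:(?P<label>\w+):)?\s*"
    r"(?P<directive>\.\w+)\s+(?P<value>\S+)"
    r"(?:\s*#\s*DATA XREF:\s*(?P<func>\w+)\+(?P<off>[0-9A-Fa-f]+)(?P<kind>[rwo]))?"
)


def parse_listing(text: str) -> List[DataItem]:
    """Turn listing lines into DataItems; lines that are not data definitions are skipped."""
    items = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        xref_addr = None
        if m["func"]:
            # sub_82693A20+C -> 0x82693A20 + 0xC = 0x82693A2C, the instruction the post jumps to.
            base = re.search(r"([0-9A-Fa-f]{8})$", m["func"])
            if base:
                xref_addr = int(base.group(1), 16) + int(m["off"], 16)
        items.append(DataItem(int(m["addr"], 16), m["label"], m["directive"],
                              m["value"], m["func"], xref_addr, m["kind"]))
    return items


def referenced_items(items: List[DataItem], directive: Optional[str] = None) -> List[DataItem]:
    """The ': .float' / ': .byte' trick: keep only labeled items, optionally of one directive."""
    return [i for i in items
            if i.label is not None and (directive is None or i.directive == directive)]


if __name__ == "__main__":
    for item in referenced_items(parse_listing(IDA_LISTING)):
        print(f"{item.address:08X} {item.directive} {item.value:<12}"
              f" <- {item.xref_addr:08X} ({item.xref_kind})")
```

Run it on a full `File > Produce file > Create ASM file` dump instead of the three sample lines and `referenced_items(items, ".byte")` gives you exactly the candidate set the post tells you to experiment with, already paired with the instruction that reads each one.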

Now take those bytes and set them to 1, set them to 0, set them to -1. Keep experimenting until you get a reaction. If you were to do this in a (clean) Halo 4 while sitting in the menu, setting a certain byte to 0 will make the game lock you out as though you didn't have the disc 2 content installed. Bingo. This byte is offset 0x8407FD28 in a non-updated version. Let's take a look at that line:

.data:8407FD28 byte_8407FD28:  .byte 0				 # DATA XREF: sub_82693A20+Co

This tells us that the instruction at 0x82693A2C (among others, omitted for clarity) references this particular byte, so let's open it in a new tab by clicking that offset and pressing Alt+Enter, or right-clicking it and choosing "Jump in a new window". Now we can take a look at the function and see if we can't get it to ignore that flag. This function is for the MP content.

There are a few ways you could get that done, but first let's explain some of what we are seeing in this function. It will help to turn on Auto Comments (Options > General > Auto comments).

.text:82693A2C Get the first 2 bytes of the byte's location and store it in r11

.text:82693A30 Get the last 2 bytes and assemble the offset with r11, load the byte's value into r10

.text:82693A34 Compare r10 with 0, store the result into cr6

.text:82693A38 Check cr6, and if r10 was found not equal to the given 0, then branch to 0x82693A9C (Pass, game says you have D2 MP content)

.text:82693A3C Branch off to the function at 0x82693C08 (Another function that handles Disc 2 stuff)

.text:82693A40 I still don't understand clrlwi, but the result gets stored in r11

.text:82693A44 Compare r11 with 0, store the result in cr6

.text:82693A48 Check cr6, and if r11 was zero, then branch to 0x82693A64 (Fail, game says you do not have D2 MP content)

~

.text:82693A64 Load 0 into r11 and tell you to install the D2 MP content. (You lose. Good day sir.)

While not everything, it is enough. Here are the easy ways I can think of to have my way with that function using just the above:

  • Change 0x82693A30 to a li instruction, putting a value of 1 into r10, which will always make 0x82693A38 branch and pass. (in hex: 39400001)
  • Make 0x82693A34 compare to another value so that the result is always found not equal, making 0x82693A38 branch and pass. (in hex: 2B0A0066, new compare value becomes x66)
  • Remove the comparison check in 0x82693A38 and always branch to 0x82693A9C and pass. (in hex: 48000064)
  • Go into the branched function from 0x82693A3C and try other things that will come back to stop 0x82693A48 from branching (may or may not work)
  • Let it fail, but make the li at 0x82693A64 load 1 into r11 instead of 0, so you still pass anyway (in hex: 39600001)

The best of these are the first 3, because they instantly jump to the end of the function with no chance of error. I used the last one though in my PPFs. :tongue:
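
Added example (editor's code, not the post's): the hex values listed above, and the "compare immediate byte" from the film post earlier on this blog, are ordinary PowerPC encodings, and it is worth being able to recompute them instead of copying them. This block encodes the three forms the walkthrough patches (`li` = `addi rD,r0,SIMM`, `cmplwi` = `cmpli` with L=0, and a relative `b`), decodes them back, and models a single-byte poke. The instruction form of the compare is inferred from the post's own `2B0A0066` (primary opcode 10, cr6, r10); the film-check compare is constructed with the same registers because the post does not show its real ones. The security point the walkthrough illustrates is also visible here: a gate that reduces to one flag byte or one immediate is a one-word patch away from passing, which is why a check that matters cannot live in a client-side compare.

```python
# 32-bit big-endian PowerPC words. The ISA numbers bit 0 as the MSB, so an ISA
# field ending at bit b sits at shift (31 - b) from the LSB.


def li(rd: int, simm: int) -> int:
    """li rD,SIMM is addi rD,r0,SIMM: primary opcode 14, rA field 0."""
    if not (0 <= rd < 32 and -0x8000 <= simm <= 0x7FFF):
        raise ValueError("li: register or immediate out of range")
    return (14 << 26) | (rd << 21) | (simm & 0xFFFF)


def cmplwi(crf: int, ra: int, uimm: int) -> int:
    """cmplwi crfD,rA,UIMM is cmpli: primary opcode 10, L bit 0 for a 32-bit compare."""
    if not (0 <= crf < 8 and 0 <= ra < 32 and 0 <= uimm <= 0xFFFF):
        raise ValueError("cmplwi: field out of range")
    return (10 << 26) | (crf << 23) | (ra << 16) | uimm


def b(from_addr: int, to_addr: int) -> int:
    """b target: primary opcode 18, 24-bit signed word displacement, AA=LK=0."""
    disp = to_addr - from_addr
    if disp % 4 or not (-0x2000000 <= disp < 0x2000000):
        raise ValueError("b: target not reachable with a relative branch")
    return (18 << 26) | (disp & 0x03FFFFFC)


NOP = 0x60000000  # ori r0,r0,0, the nop used elsewhere on this blog


def as_bytes(word: int) -> bytes:
    return word.to_bytes(4, "big")


def poke_byte(word: int, index: int, value: int) -> int:
    """Replace byte `index` (0 = most significant) of a big-endian word, as a byte poke does."""
    shift = 8 * (3 - index)
    return (word & ~(0xFF << shift)) | ((value & 0xFF) << shift)


def describe(word: int) -> str:
    """Decode the forms above back to mnemonic text; anything else is shown as .long."""
    opcode = word >> 26
    if word == NOP:
        return "nop"
    if opcode == 14 and ((word >> 16) & 0x1F) == 0:
        simm = word & 0xFFFF
        if simm & 0x8000:
            simm -= 0x10000
        return f"li r{(word >> 21) & 0x1F},{simm}"
    if opcode == 10 and ((word >> 21) & 1) == 0:
        return f"cmplwi cr{(word >> 23) & 7},r{(word >> 16) & 0x1F},0x{word & 0xFFFF:X}"
    if opcode == 18 and (word & 3) == 0:
        disp = word & 0x03FFFFFC
        if disp & 0x02000000:
            disp -= 0x04000000
        return f"b {disp:+#x}"
    return f".long 0x{word:08X}"


def walkthrough_patches() -> dict:
    """Options 1, 2, 3 and 5 from the list above, recomputed from their operands."""
    return {
        0x82693A30: li(10, 1),
        0x82693A34: cmplwi(6, 10, 0x66),
        0x82693A38: b(0x82693A38, 0x82693A9C),
        0x82693A64: li(11, 1),
    }


# Constructed stand-in for the film-check compare: same shape as the post describes,
# registers are not the real ones. Poking its low byte from 00 to 07 is the film trick.
FILM_CHECK = cmplwi(6, 10, 0)

if __name__ == "__main__":
    for addr, word in walkthrough_patches().items():
        print(f"{addr:08X}: {word:08X}  {describe(word)}")
    print(f"film check: {describe(FILM_CHECK)} -> {describe(poke_byte(FILM_CHECK, 3, 0x07))}")
```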

Another way to find a function is through strings left in the rdata section of the executable. This way may not be as fruitful unless you are looking into a debug/internal build that has a lot of juicy strings. Though there are a few strings that tend to remain even in retail builds, such as map header errors. Simply do a text search for some key words pertaining to what you are looking for and cross your fingers. If you find something that looks pretty believable you can jump to whatever function calls it and get cracking.

The last way of finding functions, and the least fruitful/useful in many cases, is to check the imported pre-named functions from the Xbox kernel. If you sort your functions sidebar by name, you'll see them at the top of the list. These take more understanding to use, but some common ones are:

XamUserGetSigninState/j_XamUserGetSigninState - Checks your state, whether offline or connected to XBL. Checking calls to these can allow you to fool the Halo 3 Beta, Halo 3 Epsilon, and Reach Pre-Beta into thinking you are online to get past the simple blocks preventing you from starting games.

XeCrypt~/j_XeCrypt~ - Several of these exist and they are used for run-of-the-mill hashing/encryption/decryption. Checking these calls can allow you to bypass the RSA verification on various external files.

And that should be about it. Post a comment if you have anything to say/ask/make fun of.

And if you wish to learn further, I highly suggest downloading a premodded xex, extracting its basefile along with the basefile of a clean xex, and doing a compare in your hex editor of choice. You can add x82000000 to the file offset of the basefile to locate the change in IDA. Try to figure out what that change did and how it does what it does.
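
The hex-editor comparison the paragraph describes, as an added example (editor's script, not a tool from the blog): walk two same-size basefiles four bytes at a time and report every changed word at its IDA address using the post's 0x82000000 rule. The sample basefiles are constructed byte strings, not bytes from any xex; the changed word imitates the walkthrough's "replace the load with li r11,1" idea at a made-up offset. The same comparison against a known-good copy is how you check that an executable has not been altered.

```python
from typing import List, NamedTuple

XEX_BASE = 0x82000000  # the post's rule: IDA address = 0x82000000 + basefile offset


class WordDiff(NamedTuple):
    file_offset: int
    address: int
    old: int
    new: int


def file_to_address(offset: int, base: int = XEX_BASE) -> int:
    return base + offset


def address_to_file(address: int, base: int = XEX_BASE) -> int:
    if address < base:
        raise ValueError("address is below the image base")
    return address - base


def diff_words(clean: bytes, modded: bytes, base: int = XEX_BASE) -> List[WordDiff]:
    """Compare two basefiles one 4-byte word at a time (PowerPC instructions are word-aligned)."""
    if len(clean) != len(modded):
        raise ValueError("basefiles differ in size: compare dumps of the same build only")
    diffs = []
    for off in range(0, len(clean) & ~3, 4):
        a, b = clean[off:off + 4], modded[off:off + 4]
        if a != b:
            diffs.append(WordDiff(off, file_to_address(off, base),
                                  int.from_bytes(a, "big"), int.from_bytes(b, "big")))
    return diffs


def report(clean: bytes, modded: bytes, base: int = XEX_BASE) -> List[str]:
    """One line per changed word, in the 'address: old -> new' form you would paste into IDA."""
    return [f"{d.address:08X}: {d.old:08X} -> {d.new:08X}" for d in diff_words(clean, modded, base)]


def words(*ws: int) -> bytes:
    return b"".join(w.to_bytes(4, "big") for w in ws)


# Constructed sample basefiles: nops around one word, a load (clean) replaced by
# li r11,1 (modded). Not real game bytes; offsets are arbitrary.
CLEAN = words(0x60000000, 0x60000000, 0x816B0000, 0x60000000)
MODDED = words(0x60000000, 0x60000000, 0x39600001, 0x60000000)

if __name__ == "__main__":
    for line in report(CLEAN, MODDED):
        print(line)
```

With real files, read both with `open(path, "rb").read()` and pass them in; a premodded basefile that is not the same length as the clean one is a different build, and the size check refuses it rather than reporting every word from the first insertion onward.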

Lord Zedd

Thunder was kind enough to rip the original wiki page out of a backup, so here it is, re-posted in blog form.

The "Permission Flag" can be either poked in-game or for a permanent solution you can replace all references to its offset with a Load Immediate (li) instruction that loads the unlock value directly into whichever register is given. The original wiki had all these set already, but I'll only include them for Non-TU Halo 3 Beta for learning purposes.

Halo 3 Public Beta, No-TU

  offset      description            original instruction             new instruction
  0x820E29C0  remove XBL dependency  load x0000 immediately into r11  load x0001 immediately into r11
  0x828C49A8  permission flag        x00000000                        x00000001

Permission Flag references to bypass:

  offset      original instruction           new instruction
  0x820F564C  load permission flag into r9   load x0001 immediately into r9
  0x820F5B68  load permission flag into r11  load x0001 immediately into r11
  0x820F5F70  load permission flag into r11  load x0001 immediately into r11
  0x8212669C  load permission flag into r11  load x0001 immediately into r11
  0x8215A47C  load permission flag into r11  load x0001 immediately into r11
  0x8215A574  load permission flag into r11  load x0001 immediately into r11
  0x822334D8  load permission flag into r11  load x0001 immediately into r11
  0x822A8604  load permission flag into r11  load x0001 immediately into r11
  0x8233FD38  load permission flag into r11  load x0001 immediately into r11
  0x82451638  load permission flag into r11  load x0001 immediately into r11
  0x82451678  load permission flag into r11  load x0001 immediately into r11
  0x824614B4  load permission flag into r11  load x0001 immediately into r11
  0x824622D8  load permission flag into r11  load x0001 immediately into r11
  0x8247BF74  load permission flag into r11  load x0001 immediately into r11
  0x8247C1D8  load permission flag into r11  load x0001 immediately into r11
  0x8247C30C  load permission flag into r11  load x0001 immediately into r11
  0x824939B0  load permission flag into r11  load x0001 immediately into r11
  0x82493E4C  load permission flag into r11  load x0001 immediately into r11
  0x824996F0  load permission flag into r11  load x0001 immediately into r11
  0x824A0818  load permission flag into r11  load x0001 immediately into r11
  0x824B34DC  load permission flag into r11  load x0001 immediately into r11
  0x824B3998  load permission flag into r11  load x0001 immediately into r11

Halo 3 Public Beta, Title Update 2

  offset      description            original instruction             new instruction
  0x820E29B8  remove XBL dependency  load x0000 immediately into r11  load x0001 immediately into r11
  0x828C49A8  permission flag        x00000000                        x00000001

Halo 3 "Epsilon"

  offset      description            original instruction             new instruction
  0x8211B130  remove XBL dependency  load x0000 immediately into r11  load x0001 immediately into r11
  0x82ABE9A8  permission flag        x00000000                        x00000001

Halo: Reach "Pre"-Beta

  offset      description              original instruction             new instruction
  0x82181548  remove XBL dependency 1  load x0000 immediately into r11  load x0001 immediately into r11
  0x821B1D60  remove XBL dependency 2  load x0000 immediately into r11  load x0001 immediately into r11
  0x82272F54  open menus 1             load x0001 immediately into r11  load x0000 immediately into r11
  0x8241B0E8  open menus 2             load x0000 immediately into r11  load x0001 immediately into r11
  0x828C85F8  unhide second menu link  branch if equal                  branch if not equal
  0x82898A80  open lobbies             branch                           nop
  0x82BAD424  permission flag          xFFFFFFFF                        x00000001

Halo: Reach Public Beta

  offset      description              original instruction  new instruction
  0x826D5D18  unhide second menu link  branch if equal       branch if not equal
  0x826A9D88  open lobbies             branch                branch if equal

Menu Links:

  offset      original link
  0x826D5CBF  matchmaking
  0x826D5D23  custom games
  0x826D5D63  theater class

All of the above are Load Immediate (li) instructions; refer to the following list for valid link values:

  value   link
  x0000   campaign
  x0001   matchmaking
  x0002   custom games
  x0003   forge
  x0004   theater
  x0005   firefight (no name string)
  x0006   quit to dashboard

Halo: Reach Demo

  offset      description               original instruction            new instruction
  0x827251C0  firefight link enable     load x0000 immediately into r5  load x0001 immediately into r5
  0x827251E0  custom games link enable  load x0000 immediately into r5  load x0001 immediately into r5
  0x82725200  forge link enable         load x0000 immediately into r5  load x0001 immediately into r5

-----------------------------------------------

Questions? Put 'em in the comments!

Lord Zedd

Dumping these in the meantime until Assembly can use them. All bytes, poke x1 to them.

To get pan cam, you have to enable normal first, then poke pancam.

Don't be a jerk and repost these everywhere, not that notes like this have ever stopped jerks anyway.

Speaking of jerks, don't be a jerk and use these for evil. Though it hasn't seemed to stop people making stupid ass cheating tools. It's too late now but I have removed anything that could be used maliciously, which is a shame because revert checkpoint has a legitimate use when testing things.

Halo 3 Builds:


Epsilon

8222A887 toggle normal debug cam

8222A912 toggle pan cam

82B795AE redraw shaders

--------

Dev Demo

8218F5B7 toggle normal debug cam

8218F643 toggle pan cam

8289D4D7 redraw shaders

--------

noTU

821907D7 toggle normal debug cam

82190863 toggle pan cam

828C4712 redraw shaders

--------

TU3

821A04B7 toggle normal debug cam

821A0543 toggle pan cam

828E676E redraw shaders

--------

ODST

82197877 toggle normal debug cam

8219793B toggle pan cam

829252A3 redraw shaders

Halo Reach Builds:


Pre Beta

822628E3 toggle normal debug cam

8226296B toggle pan cam

8347DC34 redraw shaders

836837E8 toggle UI

--------

Public Beta

82191EEB toggle normal debug cam

82191F53 toggle pan cam

82FD7C30 redraw shaders

830AA408 toggle UI

--------

NoTU

820D48DB toggle normal debug cam

820D4943 toggle pan cam

83150D51 redraw shaders

832272C8 toggle UI

--------

TU1

820D49B3 toggle normal debug cam

820D4A1B toggle pan cam

8315159A redraw shaders

83227AC8 toggle UI

--------

Demo

820D46B3 toggle normal debug cam

820D471B toggle pan cam

83150DD5 redraw shaders

83227348 toggle UI

Halo 4 Builds:


NoTU

822E450B toggle normal debug cam

822E4577 toggle pan cam

8407FB57 redraw shaders

84777310 toggle UI

--------

TU1

822E4A2B toggle normal debug cam

822E4A97 toggle pan cam

8407FDF0 redraw shaders

7510 toggle UI

--------

TU2

822E4613 toggle normal debug cam

822E467F toggle pan cam

8407FDE2 redraw shaders

84778110 toggle UI

--------

TU3

822E458B toggle normal debug cam

822E45F7 toggle pan cam

8407FDE2 redraw shaders

84778110 toggle UI

--------

TU4

822E46E3 toggle normal debug cam

822E474F toggle pan cam

840900E6 redraw shaders

84788A90 toggle UI

--------

TU5

822F4A3B toggle normal debug cam

822F4AA7 toggle pan cam

840A42EE redraw shaders

8479E8D0 toggle UI

--------

TU6

822F4633 toggle normal debug cam

822F469F toggle pan cam

840A446E redraw shaders

8479EB50 toggle UI

--------

TU7

822F50A3 toggle normal debug cam

822F510F toggle pan cam

840C2196 redraw shaders

847BC9F0 toggle UI

Lord Zedd

8/14 Update: Made color picker visible again in shaders, and updated VTGL for a coming tutorial.

Just a quick-ish update to all shaders in light of Krazy Pigeon's new tutorial. Retail Only for now.

All shaders have been standardized, along with pseudo-shaders like BEAM and LTVL, which also house a copy of the standard shader meta.

Tagrefs were named, chunk sizes were fixed, and Pigeon's "Shader Extensions" was renamed to "Tweaking" along with a comment box explaining things, as that struct turns out to do more than change colors.


And as an extra reminder, Force Checkpoint bytes have been found for all the Halo games and Halo builds I could get my hands on. That includes Halo 3 which resulted in the discovery of a fun glitch that lets you flycam cutscenes:

Check Ascension's Advanced Poker for more info. While you're there feel free to use the recently discovered long-lost Halo CE cheats in CEA like Bump Possession and Medusa Mode, along with various other fun debug things for all games, like mesh water in Reach and Halo 3!


Get the Latest Ascension! - http://www.mediafire...jr56at7l1h4a8eb

Get the Latest Reach Plugins - http://www.xboxchaos...plugins-folder/

Until Next Time.

Lord Zedd

Only Reach is seeing an Update this time around.

  • Went through and made a lot of the smaller plugins entirely visible. (Retail)
  • Added Byte Array lines to objects to easily copy/paste blocks of data across tags. (Retail)
  • Named some Bloom-related floats in WEAP. (Retail)
  • Added BSP Gravity to SCNR. (Retail)
  • Added StringIDs to MODE. (Beta)
  • Added cheat enum in EFFE. (Beta)
  • Fixed an incorrect struct size in PERF. (Beta)
  • Updated ClassLabels.txt to my best ability. (Ascension)
  • Added missing map preview images because why not. (Ascension)

In case you were wondering, the Map Images folder is hidden, but if you copy the contents of the archive to Ascension's root, the new images should add themselves in just fine.

Download them here: http://www.xboxchaos.com/files/file/47-reachs-ultimate-plugins-folder/

In other Reach related news, I recently uncovered bytes that do various cool things like force checkpoints and load checkpoints.

These values should be reaching you very soon via Ascension's Advanced Poker. Check under the "Debug" category for both "Halo Reach" and "Halo Reach TU1".

A side effect of not having a checkpoint set in multiplayer is that the map reloads the scenario, so SCNR is now free to poke to your heart's content, as are any shaders. Just poke the Revert Checkpoint byte and you'll be good to go.

Cheers!

Lord Zedd

With the new blog system, one of the things I've wanted to do with it was go a bit more in-depth where possible with plugin changes, and overall use it to better announce that there was an update. So without further ado:

  • Reach got some Unit names, added in Mobious118's Tracking research in WEAP and a quick fix of an error, some naming in MODE, can't remember much else as I haven't updated the upload for over a month.

  • Reach Beta got a new object header with more naming, a port of the retail WEAP which includes Mobius' tracking stuff and the fixed error, and similar changes to reflect retail that I can't remember.

  • Halo 3 got some names in MODE just like Reach, with a WEAP fix.

  • ODST got the same changes as Halo 3.

Enjoy!

Link to Halo Reach/Beta

Link to Halo 3/ODST

Lord Zedd

My first blog shall be me asking for help because that's how I roll.


1
14 00 06 ar
14 8c 06 block 1x1
14 8c 0e block 1xflat
14 8c 16 block 1xshort
14 8c 1e block 1xtall
14 8c 26 1xtallthin
14 8e 0e bridge med

2
a0 00 31 ar
a4 60 31 block 1x1
a4 60 71 block 1xflat
a4 60 b1 block 1xshort
a4 60 f1 block 1xtall
a4 61 31 1xtallthin
a4 70 31 bridge sm
a4 70 71 bridge med
a4 70 b1 bridge lg
a4 70 f1 bridge xl
a4 71 31 bridge diag

3
9d 00 01 ar
9d 23 01 block 1x1
9d 23 03 1xflat
9d 23 05 1xshort
9d 23 07 1xtall
9d 23 09 1xtallthin
9d 23 83 bridge med

4
a8 00 0c ar
e9 18 0c block 1x1
e9 18 1c 1xflat
e9 18 2c 1xshort
e9 18 3c 1xtall
e9 18 4c 1xtallthin
e9 1c 1c bridge med

5
40 00 62 ar
48 c0 62 block 1x1
48 c0 e2 1xflat
48 c1 62 1xshort
48 c1 e2 1xtall
48 c2 62 1xtallthin
48 e0 e2 bridge med

6
3a 00 03 ar
3a 46 03 block 1x1
3a 46 07 1xflat
3a 46 0b 1xshort
3a 46 0f 1xtall
3a 46 13 1xtallthin
3a 47 07 bridge med

7
d0 00 18 ar
d2 30 18 block 1x1
d2 30 38 1xflat
d2 30 58 1xshort
d2 30 78 1xtall
d2 30 98 1xtallthin
42 38 38 bridge med

8
4e 80 00 ar
4e 91 80 block 1x1
4e 91 81 1xflat
4e 91 82 1xshort
4e 91 83 1xtall
4e 91 84 1xtallthin
42 91 c1 bridge med

9
74 00 06 ar
74 8c 06 block 1x1
74 8c 0e 1xflat
74 8c 16 1xshort
74 8c 1e 1xtall
74 8c 26 1xtallthin
74 8e 0e bridge med

The question is how these translate to mean the same thing. Format:


Object Entry #
XX XX XX first three bytes of named object
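
An added analysis of the nine groups above (editor's example, not part of the post): treating each three-byte entry as a 24-bit big-endian value, the difference between "block 1x1" and "1xflat" is a single power of two in every group, a different one each time (1, 2, 4, ... 0x80), which is the signature of the same bit-packed field landing at a different bit alignment in each entry. Shifting each group down by that amount and masking the field makes all nine groups read identically: ar = 0, block 1x1 = 0x1180, then +1 per block variant, and the bridges at 0x11C0 upward. The 13-bit field width is an assumption (the narrowest width that holds every value seen); the object names are the post's, unified so that "block 1xflat" and "1xflat" are the same entry.

```python
from typing import Dict, List, Set, Tuple

# Transcribed from the post: group number -> (name, "first three bytes of the object").
GROUPS: Dict[int, List[Tuple[str, str]]] = {
    1: [("ar", "14 00 06"), ("block 1x1", "14 8c 06"), ("1xflat", "14 8c 0e"), ("1xshort", "14 8c 16"),
        ("1xtall", "14 8c 1e"), ("1xtallthin", "14 8c 26"), ("bridge med", "14 8e 0e")],
    2: [("ar", "a0 00 31"), ("block 1x1", "a4 60 31"), ("1xflat", "a4 60 71"), ("1xshort", "a4 60 b1"),
        ("1xtall", "a4 60 f1"), ("1xtallthin", "a4 61 31"), ("bridge sm", "a4 70 31"),
        ("bridge med", "a4 70 71"), ("bridge lg", "a4 70 b1"), ("bridge xl", "a4 70 f1"),
        ("bridge diag", "a4 71 31")],
    3: [("ar", "9d 00 01"), ("block 1x1", "9d 23 01"), ("1xflat", "9d 23 03"), ("1xshort", "9d 23 05"),
        ("1xtall", "9d 23 07"), ("1xtallthin", "9d 23 09"), ("bridge med", "9d 23 83")],
    4: [("ar", "a8 00 0c"), ("block 1x1", "e9 18 0c"), ("1xflat", "e9 18 1c"), ("1xshort", "e9 18 2c"),
        ("1xtall", "e9 18 3c"), ("1xtallthin", "e9 18 4c"), ("bridge med", "e9 1c 1c")],
    5: [("ar", "40 00 62"), ("block 1x1", "48 c0 62"), ("1xflat", "48 c0 e2"), ("1xshort", "48 c1 62"),
        ("1xtall", "48 c1 e2"), ("1xtallthin", "48 c2 62"), ("bridge med", "48 e0 e2")],
    6: [("ar", "3a 00 03"), ("block 1x1", "3a 46 03"), ("1xflat", "3a 46 07"), ("1xshort", "3a 46 0b"),
        ("1xtall", "3a 46 0f"), ("1xtallthin", "3a 46 13"), ("bridge med", "3a 47 07")],
    7: [("ar", "d0 00 18"), ("block 1x1", "d2 30 18"), ("1xflat", "d2 30 38"), ("1xshort", "d2 30 58"),
        ("1xtall", "d2 30 78"), ("1xtallthin", "d2 30 98"), ("bridge med", "42 38 38")],
    8: [("ar", "4e 80 00"), ("block 1x1", "4e 91 80"), ("1xflat", "4e 91 81"), ("1xshort", "4e 91 82"),
        ("1xtall", "4e 91 83"), ("1xtallthin", "4e 91 84"), ("bridge med", "42 91 c1")],
    9: [("ar", "74 00 06"), ("block 1x1", "74 8c 06"), ("1xflat", "74 8c 0e"), ("1xshort", "74 8c 16"),
        ("1xtall", "74 8c 1e"), ("1xtallthin", "74 8c 26"), ("bridge med", "74 8e 0e")],
}

FIELD_BITS = 13  # assumption: the narrowest width that holds every value observed (max 0x11C4)


def word24(hexstr: str) -> int:
    """'14 8c 06' -> 0x148C06 (big-endian, first byte most significant)."""
    return int(hexstr.replace(" ", ""), 16)


def field_shift(group: List[Tuple[str, str]]) -> int:
    """Bit position of the object field: 'block 1x1' and '1xflat' differ by exactly one unit."""
    entries = dict(group)
    delta = word24(entries["1xflat"]) - word24(entries["block 1x1"])
    if delta <= 0 or delta & (delta - 1):
        raise ValueError("adjacent variants should differ by a single bit")
    return delta.bit_length() - 1


def normalize(group: List[Tuple[str, str]]) -> Dict[str, int]:
    """Shift the field down to bit 0 and mask it off, dropping whatever fields surround it."""
    shift = field_shift(group)
    mask = (1 << FIELD_BITS) - 1
    return {name: (word24(h) >> shift) & mask for name, h in group}


def unified_table() -> Dict[str, Set[int]]:
    """Every value each object name takes across all groups once aligned."""
    seen: Dict[str, Set[int]] = {}
    for group in GROUPS.values():
        for name, value in normalize(group).items():
            seen.setdefault(name, set()).add(value)
    return seen


def all_groups_agree() -> bool:
    """True when each name maps to exactly one value regardless of the group's alignment."""
    return all(len(values) == 1 for values in unified_table().values())


if __name__ == "__main__":
    for number, group in GROUPS.items():
        print(f"group {number}: field starts at bit {field_shift(group)}")
    for name, values in unified_table().items():
        print(f"{name:<12} {', '.join(f'0x{v:04X}' for v in sorted(values))}")
```

So the nine entries do mean the same thing: the object reference is a bit-packed field and each group simply begins at a different bit offset, which is what a bitstream writer produces when the fields before it vary in length. The leftover high bits that differ between groups (the 42 versus d2 first byte in group 7, for instance) belong to whatever precedes the field and are masked out here.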