Welcome to Xbox Chaos: Modding Evolved
Reputation Activity
Guest liked a blog entry by Lord Zedd, Halo Xex Offsets To Note (Now With TU7)
Dumping these in the meantime until Assembly can use them. All bytes, poke x1 to them.
To get pan cam, you have to enable normal first, then poke pancam.
Don't be a jerk and repost these everywhere, not that notes like this have ever stopped jerks anyway.
Speaking of jerks, don't be a jerk and use these for evil. Though it hasn't seemed to stop people making stupid ass cheating tools. It's too late now but I have removed anything that could be used maliciously, which is a shame because revert checkpoint has a legitimate use when testing things.
Halo 3 Builds:
Halo Reach Builds:
Halo 4 Builds:
-
forerunner569 liked a blog entry by Lord Zedd, Update For September 14, 2016
The latest plugin update under Assembly's Updater has been pushed. It should be available shortly on both update channels.
The Github Commit can be found at: https://github.com/XboxChaos/Assembly/commit/1e040773a25d94cd2e72806d3a31fcb00a778c9c
The changelog for this update is as follows:
changed h3 flags value in MP properties to 16 bit
added blocks to h3b equipment
added forced death dialogue enum to reach+ jpt
named text flag in odst chdt
changed naming of resource types in zone zonesets
fixed an enum value in h3-ish sily
named location string in reach+ scnr placements
named node positioning in scnr placements
named animation values in chdt
changed hidden enum in reach+ scnr sandbox to a flag
named firefight bit in reach+ squads
changed pmcg enums to flags
added new flag in pre-h4 ligh (lehvak)
fixed error in h4 hlmt
updated end of zone with new research
updated reach jmad with old inheritance block
removed testing values in h4 new inheritance block
It's been 9 months since the last update. Big things to mention are the better CHUD animation blocks, and node positioning in scnr, so you can pose corpses or whatever to your liking.
Probably another long delay coming, but it will be for good reason as the PC version of Halo 5 kinda came with full tag layouts, so I just have to port them backwards and LOTS of new stuff will be named.
-
weighta liked a blog entry by Lord Zedd, Update For December 24, 2015
The latest plugin update under Assembly's Updater has been pushed. It should be available shortly on both update channels.
The Github Commit can be found at: https://github.com/XboxChaos/Assembly/commit/65895be8c2ed93b460cc66faeae2d267b894858d
The changelog for this update is as follows:
fixed big error in pre-reach weap
added missing blocks in glps and glvs
fixed odst sbsp leaf system block location
added "any" option to pcec
fixed a prt3 error
fixed a phmo raw field error
added stringid to wgan
renamed health/shield thresholds in odst+
fixed some scnr fields
updated the h4 patch tags a bit
renamed "flair" to instances in hlmt/mode
added stuff to hlmt variants
added a couple weap names
some small physics changes
named/fix spawn timer names thanks to h5 forge
So this update includes a couple of fixes: first, there was a block defined in weap triggers that didn't actually exist until Reach, so it was removed from earlier games. Second, some missing blocks were added to glps and glvs, which might help with injection glitches when importing an rmdf. Other fixes were found while working on Halo Online.
Also, "Flair" wasn't the proper label in mode and hlmt, so they have been renamed to "Instances".
-
weighta liked a blog entry by Lord Zedd, Update For November 7, 2015
The latest plugin update under Assembly's Updater has been pushed. It should be available shortly on both update channels.
The Github Commit can be found at: https://github.com/XboxChaos/Assembly/commit/33bdc69e000c71dc00e568e80f174e252404dcbc
The changelog for this update is as follows:
updated h3/odst wezr for proper round reset value
fixed odst wgan
updated wigl ui bipeds
removed incorrectly added reach beta pmcg fields
fixed change color flags in applicable scnrs
fixed event block visibility in h4 effe
added omaha instance response flag from jjijr
fixed reach ugh permutation block visibility
concluded the shared path in play is x100 long
named odst attachment flags
named damage reporting type in effe for reach+
named useless input/output enums for pseudo shaders
updated model mesh stuff to match halo online research
updates to metagame properties blocks
major updates and standardization of igpd and ingd
updated zone's encoded bit offsets a little
Nothing too big to note specifically, lots of small fixes. Model related tagblocks got a revamping based on research for Halo Online. It is also possible in games past reach for effects to have their own damage reporting type (used by the target locator).
While I'm here I'm gonna plug my fork of AussieBacom's modified Assembly for Halo Online. It's the most up to date public plugins and what not and can even show scripts for the original Alpha and Beta builds. You can find the link here: https://github.com/Lord-Zedd/Assembly
If you've been on the main update channel this whole time you will find with this update Halo 4 Beta support/Plugins have been added. However I must give a warning that saving might not all be perfect for the beta; injection in particular.
Finally, for the time being Halo 3 Beta related updates are being pushed to its own branch where the maps can be opened again. There is still work to be done for sure but it might be worth a look if you want to poke around the beta. That branch is here: https://github.com/XboxChaos/Assembly/tree/halo3beta
-
AMD liked a blog entry by Lord Zedd, Update For November 17, 2015
The latest plugin update under Assembly's Updater has been pushed. It should be available shortly on both update channels.
The Github Commit can be found at: https://github.com/XboxChaos/Assembly/commit/2a53e5855092dc73380c4c0e8fade41f9f15e933
The changelog for this update is as follows:
named some damage reporting type enums in eqip and jmad
renamed item scale values to small/medium/large/huge
named h3 item grounded friction values
named reach unit equipment variants
named super detonation proj flags
further updates to metagame stuff
named shit types
updated metagame globals with info from bungies apis
updated reach damage report types from bungie apis
copied halo 4 beta damage report types to missing spots in final
fixed various errors
added things to unit/bipd
fixed block size in h3/odst chad
added an instant response flag in hlmt
Some small offset-related errors have been fixed thanks to some research on the Halo Online side of things. I also came across Bungie's API for ODST/Reach, which nicely listed some enums for me, and I've added them to the plugins in the appropriate locations.
A semi-special thing added in this update is the "tricks" block inside the biped tag for Reach and later. It is the same as the one in vehicle, but lets you call specific animations using the left stick and jump. With this you can, for instance, set the player to a hunter, then assign the directional melees for a more realistic experience.
Do note though that you have to be in the right "state" for it, so if an animation is only for combat:rifle, you're gonna need a rifle. But it seems most AI animations are any:any or combat:any so it shouldn't be an issue too often.
-
Thunder liked a blog entry by Lord Zedd, Update For August 8, 2015
The latest plugin update under Assembly's Updater has been pushed. It should be available shortly on both update channels.
The Github Commit can be found at: https://github.com/XboxChaos/Assembly/commit/82b58906e11883c903a2b98f4fcdefb08fb113a2
The changelog for this update is as follows:
updated all bitm plugins to help with custom injection
fixed typos in h4 cnmp
fixed name error in h4 bipd
added pulse grenade to h4 squad enum
fixed offset error in h4 eqip
fixed early mover block size in reach
named reach/beta ligh value thanks to JJIJR
fixed typos in odst items
moved comment in odst/h3 weap
fixed offset error in odst vehi
updated some chdt input names
fixed size of symmetry enum in h3/odst scnr
fixed odst scnr decal palette block size
various updates discovered in halo online
It's been a bunch of months since the last plugin update, which is in part due to Halo Online, but working on that helped find some errors/new things in the current plugins, which this update contains. This update also includes the updated bitms from the Custom Bitmap Injection Tutorial.
The main new thing to know is that weap now has a tagref for "Crate Projectile", which, along with the Speed value below it, is actually used for shooting out objects properly. This discovery makes spawning through firing effects obsolete. Speed changes the force with which the object is spawned.
On the general Assembly side, Halo 3 Beta now has valid scripting definitions, though you will need to move the .xml to an older build if you want to make use of it.
-
Dark Universe liked a blog entry by Lord Zedd, Update For March 8, 2015
The latest plugin update under Assembly's Updater has been pushed. It should be available shortly on both update channels.
The Github Commit can be found at: https://github.com/XboxChaos/Assembly/commit/6669bd23a87a5cea3754af445a2b6ca74cf9941d
The changelog for this update is as follows:
updated rmt2 and standardized better
fixed up h2 bsdt and standardized the others
fixed string size in reach sbsp
fixed bit names
named new mode ik block in reach+ animations
named ai melee damage in reach+ units
added the swarm and transformation blocks to odst char
renamed transformation block to morph in h3/odst char
added jmrq plugin for odst (ur welcome gamecheat)
fixed and named boarding properties in char
named extra targets block in odst hlmt
fixed error on h3 scnr
added missing block in h3/odst jmad
named editor folder indexes in scnr
other small char edits/additions
named script values for h4 vignettes
fixed objective conditions block in scnr
small edit to odst+ squads
fixed phantom types enums in phmo
standardized and mapped pphy
updated naming in metagame globals in matg
updated all lsnd
updated all snde
updated and standardized drdf, and by extension csdt and rmbl
fix typos in h3/odst goof
added enums to h3b, reach beta, reach, and h4 sily/goof
fixed big issue in reach beta impo
A healthy-sized list this time around. Some changes came about while working on Outbreak. You will notice bitfield bits in reach are now named "Bit #" instead of just "#", which had been bugging me for quite some time. A semi-important fix is that the Boarding Properties in CHAR tags are named and properly sized. Injected AI should now be able to board you if the animations are all good. There was also a critical typo in ReachBeta's IMPO that caused freezing on injected objects.
Perhaps the biggest change is that now most SILY/GOOF parameters have been named and put into an enum. Previously only Halo 3/ODST had them set up. Along with names, the enum includes the value type the xex expects for each SILY parameter.
-
SnipeStyle liked a blog entry by Lord Zedd, How Zedd Unlocks Executables
You guys have been asking for this post, and rather than continue to be self-conscious about what to write, I'm just gonna start typing.
My personal trick is that I've learned the common patterns found in the Halo engine. Halo games, as you should be well aware of, have always used the same engine. So there is a good chance that once you've found something in one game, it will be significantly easier to track it down in another.
But of course you have to find these patterns first and try to get some kind of footing. You should also take into consideration just what you are wishing to accomplish. In hindsight the changes needed to crack a locked down beta are simple but the problem was finding them.
There are a few ways you can try to find the function you are looking for. The ones I have used/seen are:
Bruting data references
Checking rdata strings
Checking import functions
The first is probably most familiar to anyone who has followed a tutorial like Chrisco's that has you dump floats and brute through them all looking for changes. But tutorials like his only stop at finding the values, rather than exploring them further.
Those tutorials also have you dumping more data values than necessary. By only searching for something like ".float" you are grabbing every instance, many of which aren't even directly referenced by the actual code. You can narrow it down by searching instead for ": .float", since the colon only appears on referenced floats, as seen here:
.data:83335AB8 flt_83335AB8: .float 0.64221829 # DATA XREF: sub_82C613F0+8D8r
Compare to:
.data:8337C154 .float 1.0
Though for most things, you likely won't be searching floats to find something. Bytes are much better for that, found by searching for ": .byte".
Now take those bytes and set them to 1, set them to 0, set them to -1. Keep experimenting until you get a reaction. If you were to do this in a (clean) Halo 4 while sitting in the menu, setting a certain byte to 0 will make the game lock you out as though you didn't have the disc 2 content installed. Bingo. This byte is at offset 0x8407FD28 in a non-updated version. Let's take a look at that line:
.data:8407FD28 byte_8407FD28: .byte 0 # DATA XREF: sub_82693A20+Co
This tells us that the instruction at 0x82693A2C (among others, omitted for clarity) references this particular byte, so let's open it in a new tab by clicking that offset and pressing Alt+Enter, or right-clicking it and choosing "Jump in a new window". Now we can take a look at the function and see if we can't get it to ignore that flag. This function is for the MP content.
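The ": .float" / ": .byte" trick above is really a filter on IDA's listing syntax: a data definition gets a label only when something references it, and the DATA XREF comment names the referencing function plus an offset into it. The following is an added example (not from the post, and not part of Assembly or IDA) that parses lines in that syntax, keeps only the labelled items, and turns an xref like sub_82693A20+C into the absolute address 0x82693A2C the post reads off by hand. The sample listing is constructed from the three lines shown in the post; the regex, DataItem, parse_listing and referenced_items names are this example's own, and the xref-address math assumes IDA's auto-generated sub_XXXXXXXX naming, where the name carries the function's start address.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the listing lines shown in the post, pasted as text.
# The first and third are referenced (labelled); the middle one is not.
SAMPLE_LISTING = """\
.data:83335AB8 flt_83335AB8: .float 0.64221829 # DATA XREF: sub_82C613F0+8D8r
.data:8337C154 .float 1.0
.data:8407FD28 byte_8407FD28: .byte 0 # DATA XREF: sub_82693A20+Co
"""

# One data definition line: segment, address, optional "label:", directive,
# value, and an optional "# DATA XREF: func+offset<type>" comment.
LINE_RE = re.compile(
    r"^\.(?P<seg>\w+):(?P<addr>[0-9A-Fa-f]{8})\s+"
    r"(?:(?P<label>\w+):\s+)?"
    r"\.(?P<directive>\w+)\s+(?P<value>\S+)"
    r"(?:\s*#\s*DATA XREF:\s*(?P<xfunc>\w+)\+(?P<xoff>[0-9A-Fa-f]+)(?P<xtype>[a-z]))?"
)


@dataclass
class DataItem:
    segment: str
    address: int
    label: Optional[str]
    directive: str
    value: str
    xref_func: Optional[str]
    xref_off: Optional[int]

    @property
    def referenced(self) -> bool:
        # The post's heuristic: the colon (a label) only appears when
        # some code actually references the item.
        return self.label is not None

    def xref_address(self) -> Optional[int]:
        """Absolute address of the referencing instruction, e.g.
        sub_82693A20+C -> 0x82693A2C. Assumes IDA's auto-named functions,
        whose name carries the start address; returns None otherwise."""
        if self.xref_func is None:
            return None
        m = re.fullmatch(r"sub_([0-9A-Fa-f]{8})", self.xref_func)
        if m is None:
            return None
        return int(m.group(1), 16) + self.xref_off


def parse_listing(text: str) -> List[DataItem]:
    """Parse every data definition line; other lines are skipped."""
    items = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        items.append(DataItem(
            segment=m["seg"], address=int(m["addr"], 16), label=m["label"],
            directive=m["directive"], value=m["value"], xref_func=m["xfunc"],
            xref_off=int(m["xoff"], 16) if m["xoff"] else None))
    return items


def referenced_items(items: List[DataItem], directive: Optional[str] = None) -> List[DataItem]:
    """Only the labelled (referenced) items, optionally of one directive
    such as 'byte', i.e. the candidates worth experimenting on."""
    return [i for i in items
            if i.referenced and (directive is None or i.directive == directive)]


if __name__ == "__main__":
    for item in referenced_items(parse_listing(SAMPLE_LISTING)):
        print(f"{item.label} .{item.directive} {item.value} "
              f"<- referenced from 0x{item.xref_address():08X}")
```

Feeding it a full .data listing exported from IDA gives the same shortlist the manual ": .byte" search does, plus the address of the referencing instruction for each hit, which is the next thing the post jumps to.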
There are a few ways you could get that done, but first let's explain some of what we are seeing in this function. It will help to turn on Auto Comments (Options>General>Auto comments).
.text:82693A2C Get the first 2 bytes of the byte's location and store it in r11
.text:82693A30 Get the last 2 bytes and assemble the offset with r11, load the byte's value into r10
.text:82693A34 Compare r10 with 0, store the result into cr6
.text:82693A38 Check cr6, and if r10 was found not equal to the given 0, then branch to 0x82693A9C (Pass, game says you have D2 MP content)
.text:82693A3C Branch off to the function at 0x82693C08 (Another function that handles Disc 2 stuff)
.text:82693A40 I still don't understand clrlwi, but the result gets stored in r11
.text:82693A44 Compare r11 with 0, store the result in cr6
.text:82693A48 Check cr6, and if r11 was zero, then branch to 0x82693A64 (Fail, game says you do not have D2 MP content)
~
.text:82693A64 Load 0 into r11 and tell you to install the D2 MP content. (You lose. Good day sir.)
While not everything, it is enough. Here are the easy ways I can think of to have my way with that function using just the above:
Change 0x82693A30 to a li instruction, putting a value of 1 into r10, which will always make 0x82693A38 branch and pass. (in hex: 39400001)
Make 0x82693A34 compare to another value so that the result is always found not equal, making 0x82693A38 branch and pass. (in hex: 2B0A0066, new compare value becomes x66)
Remove the comparison check in 0x82693A38 and always branch to 0x82693A9C and pass. (in hex: 48000064)
Go into the branched function from 0x82693A3C and try other things that will come back to stop 0x82693A48 from branching (may or may not work)
Let it fail, but make the li at 0x82693A64 load 1 into r11 instead of 0, so you still pass anyway (in hex: 39600001)
The best of these are the first 3, because they instantly jump to the end of the function with no chance of error. I used the last one though in my PPFs.
Another way to find a function is through strings left in the rdata section of the executable. This way may not be as fruitful unless you are looking into a debug/internal build that has a lot of juicy strings, though there are a few strings that tend to remain even in retail builds, such as map header errors. Simply do a text search for some key words pertaining to what you are looking for and cross your fingers. If you find something that looks pretty believable you can jump to whatever function calls it and get cracking.
The last way of finding functions, and the least fruitful/useful in many cases, is to check the imported pre-named functions from the Xbox kernel. If you sort your functions sidebar by name, you'll see them at the top of the list. These will take more understanding to use, but some common ones are:
XamUserGetSigninState/j_XamUserGetSigninState - Checks your state, whether offline or connected to XBL. Checking calls to these can allow you to fool the Halo 3 Beta, Halo 3 Epsilon, and Reach Pre-Beta into thinking you are online to get past the simple blocks preventing you from starting games.
XeCrypt~/j_XeCrypt~ - Several of these exist and they are used for run-of-the-mill hashing/encryption/decryption. Checking these calls can allow you to bypass the RSA verification on various external files.
And that should be about it. Post a comment if you have anything to say/ask/make fun of.
And if you wish to learn further, I highly suggest downloading a premodded xex, extracting its basefile along with the basefile of a clean xex, and doing a compare in your hex editor of choice. You can add x82000000 to the file offset of the basefile to locate the change in IDA. Try to figure out what that change did and how it does what it does.
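The closing suggestion (diff a premodded basefile against a clean one, add x82000000 to the file offset, work out what the change does) and the five hex patches listed earlier are two halves of the same exercise. The following is an added example in Python, not code from the post or from Assembly, that does that triage mechanically: it compares the same region of a clean and a modified basefile word by word, maps each changed file offset to an IDA address with the post's +0x82000000 rule, and decodes the handful of PowerPC forms the post's patches use (addi/li, cmpli/cmplwi, and the I-form branch), so you can confirm that 39400001 really is li r10, 1 and that 48000064 at 0x82693A38 really lands on 0x82693A9C. The region contents are constructed from the post's description of the function (a cmplwi cr6, r10, 0 at 0x82693A34 and a li r11, 0 at 0x82693A64, padded with nops) and are not real game bytes; IDA_BASE, decode and diff_region are names chosen for this example.

```python
import struct
from typing import Dict, List

# The post's rule of thumb: basefile offset + 0x82000000 is the address IDA shows.
IDA_BASE = 0x82000000


def ida_address(file_offset: int) -> int:
    return IDA_BASE + file_offset


def _sext16(v: int) -> int:
    return v - 0x10000 if v & 0x8000 else v


def decode(word: int, address: int) -> str:
    """Decode the few PowerPC forms the post's patches use. `address` is the
    instruction's own address, needed to resolve relative branch targets."""
    if word == 0x60000000:
        return "nop"                       # ori r0, r0, 0: the conventional nop
    opcode = word >> 26
    if opcode == 14:                       # addi rT, rA, SI (D-form); rA = 0 is "li"
        rt, ra = (word >> 21) & 0x1F, (word >> 16) & 0x1F
        si = _sext16(word & 0xFFFF)
        return f"li r{rt}, {si}" if ra == 0 else f"addi r{rt}, r{ra}, {si}"
    if opcode == 10:                       # cmpli crN, L, rA, UI (D-form)
        bf, l = (word >> 23) & 0x7, (word >> 21) & 1
        ra, ui = (word >> 16) & 0x1F, word & 0xFFFF
        return f"{'cmpldi' if l else 'cmplwi'} cr{bf}, r{ra}, 0x{ui:X}"
    if opcode == 18:                       # b / bl / ba / bla target (I-form)
        li = word & 0x03FFFFFC             # 24-bit signed displacement, already <<2
        if li & 0x02000000:
            li -= 0x04000000
        aa, lk = (word >> 1) & 1, word & 1
        target = li if aa else (address + li) & 0xFFFFFFFF
        return f"b{'l' if lk else ''}{'a' if aa else ''} 0x{target:08X}"
    return f".long 0x{word:08X}"           # anything else is left undecoded


def words_to_bytes(words: List[int]) -> bytes:
    return b"".join(struct.pack(">I", w) for w in words)   # Xbox 360 is big-endian


def diff_region(clean: bytes, modded: bytes, file_offset: int) -> List[Dict]:
    """Compare the same region of a clean and a modified basefile one 32-bit
    word at a time and report every change with its IDA address and decoding."""
    if len(clean) != len(modded) or len(clean) % 4:
        raise ValueError("regions must be equal length and word-aligned")
    changes = []
    for off in range(0, len(clean), 4):
        if clean[off:off + 4] != modded[off:off + 4]:
            addr = ida_address(file_offset + off)
            (before,) = struct.unpack(">I", clean[off:off + 4])
            (after,) = struct.unpack(">I", modded[off:off + 4])
            changes.append({"offset": file_offset + off, "address": addr,
                            "before": decode(before, addr), "after": decode(after, addr)})
    return changes


# Constructed stand-in for the basefile slice covering 0x82693A34..0x82693A64.
# Only the two words the post describes are meaningful (cmplwi cr6, r10, 0 at
# the top and li r11, 0 on the fail path); the rest is nop filler, not game bytes.
CLEAN_START = 0x693A34
CLEAN_WORDS = [0x2B0A0000] + [0x60000000] * 11 + [0x39600000]
MODDED_WORDS = list(CLEAN_WORDS)
MODDED_WORDS[0] = 0x2B0A0066     # the post's option 2: compare against 0x66 instead of 0
MODDED_WORDS[12] = 0x39600001    # the post's option 5: li r11, 1 on the fail path

if __name__ == "__main__":
    clean, modded = words_to_bytes(CLEAN_WORDS), words_to_bytes(MODDED_WORDS)
    for c in diff_region(clean, modded, CLEAN_START):
        print(f"0x{c['address']:08X}: {c['before']}  ->  {c['after']}")
```

On a real pair of basefiles you would slice the same offset range out of both files and pass the range's start offset as file_offset; anything decode() cannot name comes back as a raw .long so it is obvious which changes still need a look in IDA.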
-
AMD liked a blog entry by Lord Zedd, Update for January 15, 2015
The first plugin update under Assembly's new Updater has been pushed. It should be available shortly on both update channels.
The Github Commit can be found at: https://github.com/XboxChaos/Assembly/commit/ee2bd73c6a6a63863355d59833359b04ba3ff17f
The changelog for this update is as follows:
updated bsp physics in coll reach and above
named kccd reference in h4 proj
fixed render data block in chdt
added texture camera flag in chdt
mapped a little of mats and mtsb
fixed offset typo in odst chdt
named font enums in chdt
CHDT met quite a few changes this time around. Turns out the flags at the top of Render Data were not flags at all but an index to a shader in the CHGD tag.
With this change came a tweak to the names of the color/value enums to match stringids found in the shader tags; "Function Value" and related have become "Function Scalar". I also went through and named each chud font so you have a better idea of everything instead of "Unknown #".
This update will also allow you to turn a CHDT Bitmap Widget into a display for the current Texture Camera. This can be activated by ticking the "Enable Texture Cam" bitmap flag and selecting the Texture Cam shader.
-
SnipeStyle liked a blog entry by Lord Zedd, How Zedd Unlocks Executables
You guys have been asking for this post, and rather than continue to be self-conscious about what to write, I'm just gonna start typing.
My personal trick is that I've learned the common patterns found in the Halo engine. Halo games, as you should be well aware of, have always used the same engine. So there is a good chance that once you've found something in one game, it will be significantly easier to track it down in another.
But of course you have to find these patterns first and try to get some kind of footing. You should also take into consideration just what you are wishing to accomplish. In hindsight the changes needed to crack a locked down beta are simple but the problem was finding them.
There are a few ways you can try to find the function you are looking for. The ones I have used/seen are:
Bruting data references
Checking rdata strings
Checking import functions
The first is probably most familiar to anyone who has followed a tutorial like Chrisco's that has you dump floats and brute through them all looking for changes. But tutorials like his only stop at finding the values, rather than further exploring them.
Those tutorials also have you dumping more data values than necessary. By only searching something like ".float" you are grabbing every instance, many of which aren't even directly referenced by the actual code. You can narrow it down by searching instead for ": .float", since the colon only appears on referenced floats, as seen here:
.data:83335AB8 flt_83335AB8: .float 0.64221829 # DATA XREF: sub_82C613F0+8D8r
Compare to:
.data:8337C154 .float 1.0
Though for most things, you likely won't be searching floats to find something. Bytes are much better for that, found by searching ": .byte"
Now take those bytes and set them to 1, set them to 0, set them to -1. Keep experimenting until you get a reaction. If you were to do this in a (clean) Halo 4 while sitting in the menu, setting a certain byte to 0 will make the game lock you out as though you didn't have the disc 2 content installed. Bingo. This byte is offset 0x8407FD28 in a non-updated version. Let's take a look at that line:
.data:8407FD28 byte_8407FD28: .byte 0 # DATA XREF: sub_82693A20+Co
This tells us that the instruction at 0x82693A2C (among others, which were omitted for clarity) calls this particular byte, so let's open it in a new tab by clicking that offset and pressing Alt+Enter, or right clicking it and choosing "Jump in a new window". Now we can take a look at the function and see if we can't get it to ignore that flag. This function is for the MP content.
There are a few ways you could get that done, but first let's explain some of what we are seeing in this function. It will help to turn on Auto Comments (Options>General>Auto comments).
.text:82693A2C Get the first 2 bytes of the byte's location and store it in r11
.text:82693A30 Get the last 2 bytes and assemble the offset with r11, load the byte's value into r10
.text:82693A34 Compare r10 with 0, store the result into cr6
.text:82693A38 Check cr6, and if r10 was found not equal to the given 0, then branch to 0x82693A9C (Pass, game says you have D2 MP content)
.text:82693A3C Branch off to the function at 0x82693C08 (Another function that handles Disc 2 stuff)
.text:82693A40 I still don't understand clrlwi, but the result gets stored in r11
.text:82693A44 Compare r11 with 0, store the result in cr6
.text:82693A48 Check cr6, and if r11 was zero, then branch to 0x82693A64 (Fail, game says you do not have D2 MP content)
~
.text:82693A64 Load 0 into r11 and tell you to install the D2 MP content. (You lose. Good day sir.)
While not everything, it is enough. Here are the easy ways I can think of to have my way with that function using just the above:
Change 0x82693A30 to a li instruction, putting a value of 1 into r10, which will always make 0x82693A38 branch and pass. (in hex: 39400001)
Make 0x82693A34 compare to another value so that the result is always found not equal, making 0x82693A38 branch and pass. (in hex: 2B0A0066, new compare value becomes x66)
Remove the comparison check in 0x82693A38 and always branch to 0x82693A9C and pass. (in hex: 48000064)
Go into the branched function from 0x82693A3C and try other things that will come back to stop 0x82693A48 from branching (may or may not work)
Let it fail, but make the li at 0x82693A64 load 1 into r11 instead of 0, so you still pass anyway (in hex: 39600001)
The best of these are the first 3, because they will instantly jump to the end of the function with no chance of error. I used the last one though in my PPFs.
Another way to find a function is through strings left in the rdata section of the executable. This way may not be as fruitful unless you are looking into a debug/internal build that has a lot of juicy strings. Though there are a few strings that tend to remain even in retail builds, such as map header errors. Simply do a text search for some key words pertaining to what you are looking for and cross your fingers. If you find something that looks pretty believable you can jump to whatever function calls it and get cracking.
The last way of finding functions, and the least fruitful/useful in many cases, is to check the imported pre-named functions from the xbox kernel. If you sort your functions sidebar by name, you'll see them at the top of the list. These will take more understanding to use, but some common ones are:
XamUserGetSigninState/j_XamUserGetSigninState - Checks your state, whether offline or connected to XBL. Checking calls to these can allow you to fool the Halo 3 Beta, Halo 3 Epsilon, and Reach Pre-Beta into thinking you are online to get past the simple blocks preventing you from starting games.
XeCrypt~/j_XeCrypt~ - Several of these exist and they are used for run-of-the-mill hashing/encryption/decryption. Checking these calls can allow you to bypass the RSA verification on various external files.
And that should be about it. Post a comment if you have anything to say/ask/make fun of.
And if you wish to learn further, I highly suggest downloading a premodded xex, extracting its basefile along with the basefile of a clean xex, and doing a compare in your hex editor of choice. You can add x82000000 to the file offset of the basefile to locate the change in IDA. Try to figure out what that change did and how it does what it does.
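The basefile comparison suggested at the end of the post, as an added example (this is not Lord Zedd's code and not part of Assembly): it walks two extracted basefiles word by word, maps each differing file offset to the IDA address by adding the 0x82000000 base the post mentions, and decodes the changed word for the three PowerPC instruction forms the post's hex values use (li, cmplwi, b), so you can see what a mod changed without opening IDA. It assumes both basefiles come from the same build (same length) and are big-endian 32-bit words; the sample basefile contents below are constructed for the example and are not bytes from any real xex.

```python
"""Compare two xex basefiles and describe each changed instruction word.

Added example, not code from the original post or from Assembly. The
sample basefiles below are constructed; only the 0x82000000 base and the
instruction encodings come from the post.
"""
import struct

BASE_ADDRESS = 0x82000000  # file offset + this = address shown in IDA (from the post)


def decode_ppc(word):
    """Decode one big-endian 32-bit PowerPC word for the forms the post uses.

    Handles addi/li (opcode 14), cmpli/cmplwi (opcode 10) and b/bl/ba (opcode 18);
    any other primary opcode is reported by number only.
    """
    opcode = word >> 26
    if opcode == 14:  # addi rD, rA, SIMM ; with rA == 0 IDA shows the 'li' mnemonic
        rd = (word >> 21) & 0x1F
        ra = (word >> 16) & 0x1F
        simm = word & 0xFFFF
        if simm & 0x8000:  # sign-extend the 16-bit immediate
            simm -= 0x10000
        if ra == 0:
            return f"li r{rd}, {simm}"
        return f"addi r{rd}, r{ra}, {simm}"
    if opcode == 10:  # cmpli crfD, L, rA, UIMM ; L == 0 is the 32-bit 'cmplwi' form
        crf = (word >> 23) & 0x7
        ra = (word >> 16) & 0x1F
        uimm = word & 0xFFFF
        return f"cmplwi cr{crf}, r{ra}, 0x{uimm:X}"
    if opcode == 18:  # b: 24-bit signed word displacement, AA and LK in the low bits
        disp = word & 0x03FFFFFC
        if disp & 0x02000000:
            disp -= 0x04000000
        mnem = "b" + ("l" if word & 1 else "") + ("a" if (word >> 1) & 1 else "")
        return f"{mnem} {disp:+#x}"
    return f"opcode {opcode} (not decoded)"


def diff_basefiles(clean, modded):
    """Return (file_offset, ida_address, old_word, new_word, decoded_new) per changed word."""
    if len(clean) != len(modded):
        raise ValueError("basefiles differ in size; compare dumps of the same build only")
    changes = []
    for off in range(0, len(clean) - len(clean) % 4, 4):
        old = struct.unpack_from(">I", clean, off)[0]
        new = struct.unpack_from(">I", modded, off)[0]
        if old != new:
            changes.append((off, BASE_ADDRESS + off, old, new, decode_ppc(new)))
    return changes


# Constructed sample "basefiles": eight plausible-looking words, not real game code.
CLEAN = struct.pack(
    ">8I",
    0x7C0802A6, 0x9421FFF0, 0x3D608407, 0x894BFD28,
    0x2B0A0000, 0x409A0064, 0x60000000, 0x39600000,
)
# The "modded" copy replaces two loads with 'li rX, 1', as in the post's first/last options.
MODDED = struct.pack(
    ">8I",
    0x7C0802A6, 0x9421FFF0, 0x3D608407, 0x39400001,
    0x2B0A0000, 0x409A0064, 0x60000000, 0x39600001,
)


def report(clean, modded):
    """Human-readable lines for each change, one per differing word."""
    return [
        f"file 0x{off:08X} -> IDA 0x{addr:08X}: {old:08X} -> {new:08X}  ({text})"
        for off, addr, old, new, text in diff_basefiles(clean, modded)
    ]


if __name__ == "__main__":
    for line in report(CLEAN, MODDED):
        print(line)
```

For a real comparison, read both basefiles with `open(path, "rb").read()` and pass them to `report`; the IDA address column is only right for a basefile whose image base is 0x82000000, so adjust `BASE_ADDRESS` if the xex header says otherwise.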
-
Lord Zedd liked a blog entry by AMD, Reach - Global Pixel Shaders
I'm going to start doing some mini blog posts from now on to keep everyone updated on our research, because it seems people don't notice some of the stuff we do otherwise.
Zedd's been doing a lot of work on cross-map BSP injection lately, and he's been having some trouble with the terrain shaders. Even though Assembly has support for shader extraction and injection, the map was still crashing. One shader that was causing problems for us in m70_bonus.map was levels\solo\m70_bonus\shaders\ground\m70_bonus_cinematic_ground.rmtr. Its actual pixl tag is shaders\terrain_templates\_0_0_0_0_0_0_0.pixl.
If you go to that tag in a newer version of Assembly (one that supports shaders), you might notice that all of the shader pointers in it are null, even though the shader works fine and certainly isn't just a null shader. How can this be? Well, we noticed that just above the shader pointer in one of the blocks, there was an int32 with a value of 321. This is usually set to -1 for shaders with valid code pointers. Obviously, there must be something to this.
We first speculated that this integer was an index into the resource table in zone. (That's a pretty safe guess when you're dealing with stuff like this.) At index 321 in zone, the parent resource was...a bitmap of a spartan helmet. Zedd did some zedding around with Assembly's injection code anyway, but couldn't get anything to work reliably. OK, that's probably not any good. Time to move on.
Stumped, I decided that we should set a memory read breakpoint on that integer and see what the game does with it. The breakpoint hit at address 0x82182E2C in the TU1 default.xex. Opening that up in IDA, you see this (not including irrelevant code):
lwz %r8, 0x50(%r3)...mulli %r10, %r8, 0x58
So this means that the value is an index into an array with an element size of 0x58. And it just so happens that shader tag blocks are that large, but there weren't 300-something entries in the pixl tag.
Turns out that, starting in Reach, there's a global_cache_file_pixel_shaders ('gpix') tag which contains a bunch of commonly-used shaders, and this is an index into a block in that tag. The actual shader code can be found there. This means that the corresponding block entry needs to be extracted and injected into the target map in order to make the shader work.
Well, looks like we have some work ahead of us.
-
Kojuku liked a blog entry by Lord Zedd, Shared Asset Lists
Due to size, all I can do is post this link: http://www.mediafire.com/download/q72zw282qjhidli/shared%20lists.rar where you'll find everything in a pretty rar. Lists are courtesy of the "SharedDump" tool made by AMD, which can be found with Assembly's source. Also courtesy of my own merging and sorting since SharedDump goes per-map.
If it ain't here it ain't shared. Go cry about it.
Includes:
Halo 3
Halo 3: ODST
Halo: Reach Beta
Halo: Reach
Halo 4