Welcome to Xbox Chaos: Modding Evolved

Lord Zedd

Administrators
Content count: 1,609

Reputation Activity

  1. Guest liked a blog entry by Lord Zedd, Halo Xex Offsets To Note (Now With TU7)
    Dumping these in the meantime until Assembly can use them. All bytes, poke x1 to them.
    To get pan cam, you have to enable normal first, then poke pancam.
    Don't be a jerk and repost these everywhere, not that notes like this have ever stopped jerks anyway.
    Speaking of jerks, don't be a jerk and use these for evil. Though it hasn't seemed to stop people making stupid ass cheating tools. It's too late now but I have removed anything that could be used maliciously, which is a shame because revert checkpoint has a legitimate use when testing things.
    Halo 3 Builds:
    Halo Reach Builds:
    Halo 4 Builds:
  2. forerunner569 liked a blog entry by Lord Zedd, Update For September 14, 2016   
    The latest plugin update under Assembly's Updater has been pushed. It should be available shortly on both update channels.
    The Github Commit can be found at: https://github.com/XboxChaos/Assembly/commit/1e040773a25d94cd2e72806d3a31fcb00a778c9c
    The changelog for this update is as follows:
    changed h3 flags value in MP properties to 16 bit
    added blocks to h3b equipment
    added forced death dialogue enum to reach+ jpt
    named text flag in odst chdt
    changed naming of resource types in zone zonesets
    fixed an enum value in h3-ish sily
    named location string in reach+ scnr placements
    named node positioning in scnr placements
    named animation values in chdt
    changed hidden enum in reach+ scnr sandbox to a flag
    named firefight bit in reach+ squads
    changed pmcg enums to flags
    added new flag in pre-h4 ligh (lehvak)
    fixed error in h4 hlmt
    updated end of zone with new research
    updated reach jmad with old inheritance block
    removed testing values in h4 new inheritance block

    It's been 9 months since the last update. Big things to mention are the better CHUD animation blocks, and node positioning in scnr, so you can pose corpses or whatever to your liking.
    Probably another long delay coming, but it will be for good reason as the PC version of Halo 5 kinda came with full tag layouts, so I just have to port them backwards and LOTS of new stuff will be named.
  3. weighta liked a blog entry by Lord Zedd, Update For December 24, 2015   
    The latest plugin update under Assembly's Updater has been pushed. It should be available shortly on both update channels.
    The Github Commit can be found at: https://github.com/XboxChaos/Assembly/commit/65895be8c2ed93b460cc66faeae2d267b894858d
    The changelog for this update is as follows:
    fixed big error in pre-reach weap
    added missing blocks in glps and glvs
    fixed odst sbsp leaf system block location
    added "any" option to pcec
    fixed a prt3 error
    fixed a phmo raw field error
    added stringid to wgan
    renamed health/shield thresholds in odst+
    fixed some scnr fields
    updated the h4 patch tags a bit
    renamed "flair" to instances in hlmt/mode
    added stuff to hlmt variants
    added a couple weap names
    some small physics changes
    named/fix spawn timer names thanks to h5 forge

    So this update includes a couple fixes; first there was a block defined in weap triggers that didn't actually exist until Reach, so it was removed from earlier games. Second some missing blocks were added to glps and glvs, which might help with injection glitches when importing an rmdf. Other fixes were found while working on Halo Online.
    Also, "Flair" wasn't the proper label in mode and hlmt, so they have been renamed to "Instances".
  4. weighta liked a blog entry by Lord Zedd, Update For November 7, 2015   
    The latest plugin update under Assembly's Updater has been pushed. It should be available shortly on both update channels.
    The Github Commit can be found at: https://github.com/XboxChaos/Assembly/commit/33bdc69e000c71dc00e568e80f174e252404dcbc
    The changelog for this update is as follows:
    updated h3/odst wezr for proper round reset value
    fixed odst wgan
    updated wigl ui bipeds
    removed incorrectly added reach beta pmcg fields
    fixed change color flags in applicable scnrs
    fixed event block visibility in h4 effe
    added omaha instance response flag from jjijr
    fixed reach ugh permutation block visibility
    concluded the shared path in play is x100 long
    named odst attachment flags
    named damage reporting type in effe for reach+
    named useless input/output enums for pseudo shaders
    updated model mesh stuff to match halo online research
    updates to metagame properties blocks
    major updates and standardization of igpd and ingd
    updated zone's encoded bit offsets a little

    Nothing too big to note specifically, lots of small fixes. Model-related tagblocks got a revamping based on research for Halo Online. It is also possible in games past Reach for effects to have their own damage reporting type (used by the target locator).
    While I'm here I'm gonna plug my fork of AussieBacom's modified Assembly for Halo Online. It's the most up to date public plugins and what not and can even show scripts for the original Alpha and Beta builds. You can find the link here: https://github.com/Lord-Zedd/Assembly
    If you've been on the main update channel this whole time you will find with this update Halo 4 Beta support/Plugins have been added. However I must give a warning that saving might not all be perfect for the beta; injection in particular.
    Finally, for the time being Halo 3 Beta related updates are being pushed to its own branch where the maps can be opened again. There is still work to be done for sure but it might be worth a look if you want to poke around the beta. That branch is here: https://github.com/XboxChaos/Assembly/tree/halo3beta
  5. AMD liked a blog entry by Lord Zedd, Update For November 17, 2015   
    The latest plugin update under Assembly's Updater has been pushed. It should be available shortly on both update channels.
    The Github Commit can be found at: https://github.com/XboxChaos/Assembly/commit/2a53e5855092dc73380c4c0e8fade41f9f15e933
    The changelog for this update is as follows:
    named some damage reporting type enums in eqip and jmad
    renamed item scale values to small/medium/large/huge
    named h3 item grounded friction values
    named reach unit equipment variants
    named super detonation proj flags
    further updates to metagame stuff
    named shit types
    updated metagame globals with info from bungies apis
    updated reach damage report types from bungie apis
    copied halo 4 beta damage report types to missing spots in final
    fixed various errors
    added things to unit/bipd
    fixed block size in h3/odst chad
    added an instant response flag in hlmt

    Some small offset related errors have been fixed thanks to some research on the Halo Online side of stuff. I also came across Bungie's API for ODST/Reach, which nicely listed some enums for me, that I've added to the plugins in the appropriate locations.
    A semi-special thing that got added in this update is the "tricks" block inside the biped tag for Reach and later. It is the same as the one in vehicle, but will let you call specific animations using the left stick and jump. With this you can for instance set the player to a hunter, then assign the directional melees for a more realistic experience.
    Do note though that you have to be in the right "state" for it, so if an animation is only for combat:rifle, you're gonna need a rifle. But it seems most AI animations are any:any or combat:any so it shouldn't be an issue too often.
  8. Thunder liked a blog entry by Lord Zedd, Update For August 8, 2015   
    The latest plugin update under Assembly's Updater has been pushed. It should be available shortly on both update channels.
    The Github Commit can be found at: https://github.com/XboxChaos/Assembly/commit/82b58906e11883c903a2b98f4fcdefb08fb113a2
    The changelog for this update is as follows:
    updated all bitm plugins to help with custom injection
    fixed typos in h4 cnmp
    fixed name error in h4 bipd
    added pulse grenade to h4 squad enum
    fixed offset error in h4 eqip
    fixed early mover block size in reach
    named reach/beta ligh value thanks to JJIJR
    fixed typos in odst items
    moved comment in odst/h3 weap
    fixed offset error in odst vehi
    updated some chdt input names
    fixed size of symmetry enum in h3/odst scnr
    fixed odst scnr decal palette block size
    various updates discovered in halo online

    It's been a bunch of months since the last plugin update, which is in part due to Halo Online, but working on that helped find some errors/new things in current plugins, which this update contains. This update also includes the updated bitms from the Custom Bitmap Injection Tutorial.
    The main new thing to know is that weap has a tagref for "Crate Projectile" now, which along with the Speed value below it, is actually used for shooting out objects properly. This discovery makes spawning through firing effects obsolete. Speed changes the force with which the object is spawned.
    On the general Assembly side, Halo 3 Beta now has valid scripting definitions, though you will need to move the .xml to an older build if you want to make use of it.
  11. Dark Universe liked a blog entry by Lord Zedd, Update For March 8, 2015   
    The latest plugin update under Assembly's Updater has been pushed. It should be available shortly on both update channels.
    The Github Commit can be found at: https://github.com/XboxChaos/Assembly/commit/6669bd23a87a5cea3754af445a2b6ca74cf9941d
    The changelog for this update is as follows:
    updated rmt2 and standardized better
    fixed up h2 bsdt and standardized the others
    fixed string size in reach sbsp
    fixed bit names
    named new mode ik block in reach+ animations
    named ai melee damage in reach+ units
    added the swarm and transformation blocks to odst char
    renamed transformation block to morph in h3/odst char
    added jmrq plugin for odst (ur welcome gamecheat)
    fixed and named boarding properties in char
    named extra targets block in odst hlmt
    fixed error on h3 scnr
    added missing block in h3/odst jmad
    named editor folder indexes in scnr
    other small char edits/additions
    named script values for h4 vignettes
    fixed objective conditions block in scnr
    small edit to odst+ squads
    fixed phantom types enums in phmo
    standardized and mapped pphy
    updated naming in metagame globals in matg
    updated all lsnd
    updated all snde
    updated and standardized drdf, and by extension csdt and rmbl
    fix typos in h3/odst goof
    added enums to h3b, reach beta, reach, and h4 sily/goof
    fixed big issue in reach beta impo

    A healthy-sized list this time around. Some changes came about while working on Outbreak. You will notice bitfield bits in reach are now named "Bit #" instead of just "#" which had been bugging me for quite some time. A semi-important fix is that the Boarding Properties in CHAR tags is named and properly sized. Injected AI should now be able to board you if the animations are all good. There was also a critical typo in ReachBeta's IMPO that caused freezing on injected objects.
    Perhaps the biggest change is that now most SILY/GOOF parameters have been named and put into an enum. Previously only Halo 3/ODST had them set up. Along with names the enum includes the value type the xex expects from each SILY parameter.
  12. SnipeStyle liked a blog entry by Lord Zedd, How Zedd Unlocks Executables   
    You guys have been asking for this post, and rather than continue to be self-conscious about what to write, I'm just gonna start typing.
    My personal trick is that I've learned the common patterns found in the Halo engine. Halo games, as you should be well aware of, have always used the same engine. So there is a good chance that once you've found something in one game, it will be significantly easier to track it down in another.
    But of course you have to find these patterns first and try to get some kind of footing. You should also take into consideration just what you are wishing to accomplish. In hindsight the changes needed to crack a locked down beta are simple but the problem was finding them.
    There are a few ways you can try to find the function you are looking for. The ones I have used/seen are:
    Bruting data references
    Checking rdata strings
    Checking import functions

    The first is probably most familiar to anyone who has followed a tutorial like Chrisco's that has you dump floats and brute through them all looking for changes. But tutorials like his only stop at finding the values, rather than exploring them further.
    Those tutorials also have you dumping more data values than necessary. By only searching for something like ".float" you are grabbing every instance, many of which aren't even directly referenced by the actual code. You can narrow it down by searching instead for ": .float", since the colon only appears on referenced floats, as seen here:
    .data:83335AB8 flt_83335AB8: .float 0.64221829 # DATA XREF: sub_82C613F0+8D8r
    Compare to:
    .data:8337C154 .float 1.0
    Though for most things, you likely won't be searching floats to find something. Bytes are much better for that, found by searching ": .byte"
    Now take those bytes and set them to 1, set them to 0, set them to -1. Keep experimenting until you get a reaction. If you were to do this in a (clean) Halo 4 while sitting in the menu, setting a certain byte to 0 will make the game lock you out as though you didn't have the disc 2 content installed. Bingo. This byte is offset 0x8407FD28 in a non-updated version. Let's take a look at that line:
    .data:8407FD28 byte_8407FD28: .byte 0 # DATA XREF: sub_82693A20+Co
    This tells us that the instruction at 0x82693A2C (among others, which were omitted for clarity) calls this particular byte, so let's open it in a new tab by clicking that offset and pressing Alt+Enter, or right clicking it and choosing "Jump in a new window". Now we can take a look at the function and see if we can't get it to ignore that flag. This function is for the MP content.
    There are a few ways you could get that done, but first let's explain some of what we are seeing in this function. It will help to turn on Auto Comments (Options>General>Auto comments).
    .text:82693A2C Get the first 2 bytes of the byte's location and store it in r11
    .text:82693A30 Get the last 2 bytes and assemble the offset with r11, load the byte's value into r10
    .text:82693A34 Compare r10 with 0, store the result into cr6
    .text:82693A38 Check cr6, and if r10 was found not equal to the given 0, then branch to 0x82693A9C (Pass, game says you have D2 MP content)
    .text:82693A3C Branch off to the function at 0x82693C08 (Another function that handles Disc 2 stuff)
    .text:82693A40 I still don't understand clrlwi, but the result gets stored in r11
    .text:82693A44 Compare r11 with 0, store the result in cr6
    .text:82693A48 Check cr6, and if r11 was zero, then branch to 0x82693A64 (Fail, game says you do not have D2 MP content)
    ~
    .text:82693A64 Load 0 into r11 and tell you to install the D2 MP content. (You lose. Good day sir.)
    While not everything, it is enough. Here are the easy ways I can think of to have my way with that function using just the above:
    Change 0x82693A30 to a li instruction, putting a value of 1 into r10, which will always make 0x82693A38 branch and pass. (in hex: 39400001)
    Make 0x82693A34 compare to another value so that the result is always found not equal, making 0x82693A38 branch and pass. (in hex: 2B0A0066, new compare value becomes x66)
    Remove the comparison check in 0x82693A38 and always branch to 0x82693A9C and pass. (in hex: 48000064)
    Go into the branched function from 0x82693A3C and try other things that will come back to stop 0x82693A48 from branching (may or may not work)
    Let it fail, but make the li at 0x82693A64 load 1 into r11 instead of 0, so you still pass anyway (in hex: 39600001)

    The best of these are the first 3, because they will instantly jump to the end of the function with no chance of error. I used the last one though in my PPFs.
    Another way to find a function is through strings left in the rdata section of the executable. This way may not be as fruitful unless you are looking into a debug/internal build that has a lot of juicy strings. Though there are a few strings that tend to remain even in retail builds, such as map header errors. Simply do a text search for some key words pertaining to what you are looking for and cross your fingers. If you find something that looks pretty believable you can jump to whatever function calls it and get cracking.
    The last way of finding functions, and the least fruitful/useful in many cases, is to check the imported pre-named functions from the xbox kernel. If you sort your functions sidebar by name, you'll see them at the top of the list. These will take more understanding to use, but some common ones are:
    XamUserGetSigninState/j_XamUserGetSigninState - Checks your state, whether offline or connected to XBL. Checking calls to these can allow you to fool the Halo 3 Beta, Halo 3 Epsilon, and Reach Pre-Beta into thinking you are online to get past the simple blocks preventing you from starting games.
    XeCrypt~/j_XeCrypt~ - Several of these exist and they are used for run-of-the-mill hashing/encryption/decryption. Checking these calls can allow you to bypass the RSA verification on various external files.
    And that should be about it. Post a comment if you have anything to say/ask/make fun of.
    And if you wish to learn further, I highly suggest downloading a premodded xex, extracting its basefile along with the basefile of a clean xex, and doing a compare in your hex editor of choice. You can add x82000000 to the file offset of the basefile to locate the change in IDA. Try to figure out what that change did and how it does what it does.
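    As an added example that is not part of Lord Zedd's post or of Assembly, the following Python encodes the three PowerPC patch words listed above (li, cmplwi and b), applies one of them to a XEX basefile by its IDA address, and diffs a clean basefile against a patched one, which is the hex-editor comparison the last paragraph suggests doing by hand. It assumes the basefile is a flat image whose offset 0 is address 0x82000000 (the inverse of the "add x82000000" rule above). The sample image, and the original compare word it places at 0x82693A34, are constructed for the demo and are not taken from a real executable.

```python
"""Added example, not code from the original post or from Xbox Chaos.

Encodes the PowerPC patches discussed above, applies them to a XEX basefile
by IDA address, and diffs a clean basefile against a patched one.

Assumption: the basefile is a flat image in which file offset 0 is virtual
address 0x82000000, i.e. file_offset = ida_address - 0x82000000 (the inverse
of the post's "add x82000000" rule). The sample image is constructed for the
demo; it is not a real game executable.
"""
import struct

BASE_VA = 0x82000000   # IDA address of basefile offset 0 (from the post)
CHUNK = 0x10000        # diff granularity before the per-word scan


def encode_li(rd, simm):
    """li rD, SIMM == addi rD, r0, SIMM (primary opcode 14)."""
    assert 0 <= rd < 32 and -0x8000 <= simm <= 0x7FFF
    return (14 << 26) | (rd << 21) | (simm & 0xFFFF)


def encode_cmplwi(crf, ra, uimm):
    """cmplwi crfD, rA, UIMM == cmpli crfD, 0, rA, UIMM (primary opcode 10)."""
    assert 0 <= crf < 8 and 0 <= ra < 32 and 0 <= uimm <= 0xFFFF
    return (10 << 26) | (crf << 23) | (ra << 16) | uimm


def encode_b(from_va, to_va):
    """b target: relative branch, primary opcode 18, AA=0, LK=0."""
    delta = to_va - from_va
    assert delta % 4 == 0 and -0x02000000 <= delta < 0x02000000
    return (18 << 26) | (delta & 0x03FFFFFC)


def va_to_offset(va):
    return va - BASE_VA


def read_insn(image, va):
    return struct.unpack_from(">I", image, va_to_offset(va))[0]


def apply_patch(image, va, new_insn, expect_old=None):
    """Overwrite one big-endian instruction word at an IDA address.

    expect_old guards against patching the wrong build (e.g. a title-updated
    xex where the function moved): the write is refused unless the original
    word matches. Returns the word that was overwritten."""
    old = read_insn(image, va)
    if expect_old is not None and old != expect_old:
        raise ValueError("%#010x: expected %#010x, found %#010x" % (va, expect_old, old))
    struct.pack_into(">I", image, va_to_offset(va), new_insn)
    return old


def diff_basefiles(clean, modded):
    """Return [(ida_address, old_insn, new_insn)] for every changed word."""
    if len(clean) != len(modded):
        raise ValueError("basefiles differ in size; compare like with like")
    changes = []
    for start in range(0, len(clean), CHUNK):
        if clean[start:start + CHUNK] == modded[start:start + CHUNK]:
            continue  # identical chunk, skip the per-word scan
        for off in range(start, min(start + CHUNK, len(clean)), 4):
            if clean[off:off + 4] != modded[off:off + 4]:
                old = struct.unpack_from(">I", clean, off)[0]
                new = struct.unpack_from(">I", modded, off)[0]
                changes.append((off + BASE_VA, old, new))
    return changes


def make_sample_basefile():
    """Constructed image just large enough to contain the post's function.

    Only the compare at 0x82693A34 is filled in, as cmplwi cr6, r10, 0
    (0x2B0A0000), which is what the post's replacement word 0x2B0A0066
    implies; everything else is zero padding, not real code."""
    image = bytearray(va_to_offset(0x82693B00))
    struct.pack_into(">I", image, va_to_offset(0x82693A34), encode_cmplwi(6, 10, 0))
    return image


def demo():
    """Apply option 2 from the post (compare against 0x66 so it is never
    equal) to a copy of the sample image and report what changed."""
    clean = make_sample_basefile()
    modded = bytearray(clean)
    apply_patch(modded, 0x82693A34, encode_cmplwi(6, 10, 0x66), expect_old=0x2B0A0000)
    return diff_basefiles(clean, modded)


if __name__ == "__main__":
    for va, old, new in demo():
        print("%#010x: %08X -> %08X" % (va, old, new))
```

    Running it prints the single changed word. The expect_old check is the part worth keeping in a real tool: a title update moves functions around, and a blind poke at the old address patches whatever now lives there.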
  16. AMD liked a blog entry by Lord Zedd, Update for January 15, 2015   
    The first plugin update under Assembly's new Updater has been pushed. It should be available shortly on both update channels.
    The Github Commit can be found at: https://github.com/XboxChaos/Assembly/commit/ee2bd73c6a6a63863355d59833359b04ba3ff17f
    The changelog for this update is as follows:
    updated bsp physics in coll reach and above
    named kccd reference in h4 proj
    fixed render data block in chdt
    added texture camera flag in chdt
    mapped a little of mats and mtsb
    fixed offset typo in odst chdt
    named font enums in chdt

    CHDT met quite a few changes this time around. Turns out the flags at the top of Render Data were not flags at all but an index to a shader in the CHGD tag.
    With this change came a tweak to the names of the color/value enums to match stringids found in the shader tags; "Function Value" and related has become "Function Scalar". I also went through and named each chud font so you have a better idea of everything instead of "Unknown #".
    This update will also allow you to turn a CHDT Bitmap Widget into a display for the current Texture Camera. This can be activated by ticking the "Enable Texture Cam" bitmap flag and selecting the Texture Cam shader.
  19. SnipeStyle liked a blog entry by Lord Zedd, How Zedd Unlocks Executables   
    You guys have been asking for this post, and rather than continue to be self-conscious about what to write, I'm just gonna start typing.
    My personal trick is that I've learned the common patterns found in the Halo engine. Halo games, as you should be well aware of, have always used the same engine. So there is a good chance that once you've found something in one game, it will be significantly easier to track it down in another.
    But of course you have to find these patterns first and try to get some kind of footing. You should also take into consideration just what you are wishing to accomplish. In hindsight the changes needed to crack a locked down beta are simple but the problem was finding them.
    There are a few ways you can try to find the function you are looking for. The ones I have used/seen are:
    Bruting data references
    Checking rdata strings
    Checking import functions

    The first is probably most familiar to anyone who has followed a tutorial like Chrisco's that has you dump floats and brute through them all looking for changes. But tutorials like his only stop at finding the values, rather than further exploring them.
    Those tutorials also have you dumping more data values than necessary. By only searching something like ".float" you are grabbing every instance, many of which aren't even directly referenced by the actual code. You can narrow it down by searching instead for ": .float", as the colon only appears on referenced floats, as seen here:
    .data:83335AB8 flt_83335AB8: .float 0.64221829 # DATA XREF: sub_82C613F0+8D8r
    Compare to:
    .data:8337C154 .float 1.0
    Though for most things, you likely won't be searching floats to find something. Bytes are much better for that, found by searching ": .byte"
    Now take those bytes and set them to 1, set them to 0, set them to -1. Keep experimenting until you get a reaction. If you were to do this in a (clean) Halo 4 while sitting in the menu, setting a certain byte to 0 will make the game lock you out as though you didn't have the disc 2 content installed. Bingo. This byte is offset 0x8407FD28 in a non-updated version. Let's take a look at that line:
    .data:8407FD28 byte_8407FD28: .byte 0 # DATA XREF: sub_82693A20+Co
    This tells us that the instruction at 0x82693A2C (among others, which were omitted for clarity) calls this particular byte, so let's open it in a new tab by clicking that offset and pressing Alt+Enter, or right clicking it and choosing "Jump in a new window". Now we can take a look at the function and see if we can't get it to ignore that flag. This function is for the MP content.
    There are a few ways you could get that done, but first let's explain some of what we are seeing in this function. It will help to turn on Auto Comments (Options>General>Auto comments).
    .text:82693A2C Get the first 2 bytes of the byte's location and store it in r11
    .text:82693A30 Get the last 2 bytes and assemble the offset with r11, load the byte's value into r10
    .text:82693A34 Compare r10 with 0, store the result into cr6
    .text:82693A38 Check cr6, and if r10 was found not equal to the given 0, then branch to 0x82693A9C (Pass, game says you have D2 MP content)
    .text:82693A3C Branch off to the function at 0x82693C08 (Another function that handles Disc 2 stuff)
    .text:82693A40 I still don't understand clrlwi, but the result gets stored in r11
    .text:82693A44 Compare r11 with 0, store the result in cr6
    .text:82693A48 Check cr6, and if r11 was zero, then branch to 0x82693A64 (Fail, game says you do not have D2 MP content)
    ~
    .text:82693A64 Load 0 into r11 and tell you to install the D2 MP content. (You lose. Good day sir.)
    While not everything, it is enough. Here are the easy ways I can think of to have my way with that function using just the above:
    Change 0x82693A30 to a li instruction, putting a value of 1 into r10, which will always make 0x82693A38 branch and pass. (in hex: 39400001)
    Make 0x82693A34 compare to another value so that the result is always found not equal, making 0x82693A38 branch and pass. (in hex: 2B0A0066, new compare value becomes x66)
    Remove the comparison check in 0x82693A38 and always branch to 0x82693A9C and pass. (in hex: 48000064)
    Go into the branched function from 0x82693A3C and try other things that will come back to stop 0x82693A48 from branching (may or may not work)
    Let it fail, but make the li at 0x82693A64 load 1 into r11 instead of 0, so you still pass anyway (in hex: 39600001)

    The best of these are the first 3, because they instantly jump to the end of the function with no chance of error. I used the last one though in my PPFs.
    Another way to find a function is through strings left in the rdata section of the executable. This way may not be as fruitful unless you are looking into a debug/internal build that has a lot of juicy strings. Though there are a few strings that tend to remain even in retail builds, such as map header errors. Simply do a text search for some key words pertaining to what you are looking for and cross your fingers. If you find something that looks pretty believable you can jump to whatever function calls it and get cracking.
    The last way of finding functions, and the least fruitful/useful in many cases, is to check the imported pre-named functions from the xbox kernel. If you sort your functions sidebar by name, you'll see them at the top of the list. These will take more understanding to use, but some common ones are:
    XamUserGetSigninState/j_XamUserGetSigninState - Checks your state, whether offline or connected to XBL. Checking calls to these can allow you to fool the Halo 3 Beta, Halo 3 Epsilon, and Reach Pre-Beta into thinking you are online to get past the simple blocks preventing you from starting games.
    XeCrypt~/j_XeCrypt~ - Several of these exist and they are used for run-of-the-mill hashing/encryption/decryption. Checking these calls can allow you to bypass the RSA verification on various external files.
    And that should be about it. Post a comment if you have anything to say/ask/make fun of.
    And if you wish to learn further, I highly suggest downloading a premodded xex, extracting its basefile along with the basefile of a clean xex, and doing a compare in your hex editor of choice. You can add x82000000 to the file offset of the basefile to locate the change in IDA. Try to figure out what that change did and how it does what it does.
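    The closing suggestion above, comparing a clean basefile against a modified one and adding 0x82000000 to each differing file offset, can be scripted. The block below is an added example for this page; it is not the post author's tool and not part of Assembly. It walks two images word by word, reports every changed address, and decodes a handful of common PowerPC encodings (li, cmplwi, b, lwz, mulli) so you can see what a patch actually did and where a branch lands, which is also how you would check that a "premodded" xex changes only what it claims to. The two sample images and their contents are constructed for the example; the only real values in it are the li/cmplwi/b encodings and the 0x82693A38 to 0x82693A9C branch already quoted in the post.

```python
"""Compare a clean and a modified xex basefile and describe each patched instruction.

Added example; not the post author's tool. The sample images are constructed, not game data.
"""
import struct

# The post states that a basefile offset plus 0x82000000 is the address IDA shows.
BASE_VA = 0x82000000


def decode_ppc(word):
    """Decode a small subset of 32-bit PowerPC encodings (li/addi, mulli, cmplwi, b, lwz).

    Anything outside that subset comes back as a raw .long so nothing is misreported.
    """
    op = word >> 26
    rd = (word >> 21) & 0x1F
    ra = (word >> 16) & 0x1F
    imm = word & 0xFFFF
    simm = imm - 0x10000 if imm & 0x8000 else imm  # sign-extended 16-bit immediate
    if op == 14:  # addi; with rA = 0 the assembler mnemonic is li
        return f"li r{rd}, {simm}" if ra == 0 else f"addi r{rd}, r{ra}, {simm}"
    if op == 7:
        return f"mulli r{rd}, r{ra}, {simm:#x}"
    if op == 10:  # cmpli; the condition-register field sits in bits 6-8
        crf = (word >> 23) & 0x7
        return f"cmplwi cr{crf}, r{ra}, {imm:#x}"
    if op == 18:  # b/bl/ba/bla; 24-bit signed word displacement in bits 6-29
        disp = word & 0x03FFFFFC
        if disp & 0x02000000:
            disp -= 0x04000000
        mnem = "b" + ("l" if word & 1 else "") + ("a" if word & 2 else "")
        return f"{mnem} {disp:+#x}"
    if op == 32:
        return f"lwz r{rd}, {simm:#x}(r{ra})"
    return f".long {word:#010x}"


def branch_target(va, word):
    """Destination of a relative 'b' family instruction at virtual address va, else None."""
    if word >> 26 != 18 or word & 2:  # not a branch, or absolute addressing (AA bit)
        return None
    disp = word & 0x03FFFFFC
    if disp & 0x02000000:
        disp -= 0x04000000
    return (va + disp) & 0xFFFFFFFF


def diff_words(clean, modded):
    """Return (file_offset, virtual_address, old_word, new_word) for each changed 32-bit word."""
    if len(clean) != len(modded):
        raise ValueError("basefiles differ in size; compare the same build")
    changes = []
    for off in range(0, len(clean) - len(clean) % 4, 4):
        old, = struct.unpack_from(">I", clean, off)  # PowerPC is big-endian
        new, = struct.unpack_from(">I", modded, off)
        if old != new:
            changes.append((off, BASE_VA + off, old, new))
    return changes


def describe_changes(clean, modded):
    """One readable line per change: address, what was there, what replaced it."""
    lines = []
    for off, va, old, new in diff_words(clean, modded):
        line = f"{va:08X} (file +{off:#x}): {decode_ppc(old)} -> {decode_ppc(new)}"
        target = branch_target(va, new)
        if target is not None:
            line += f" (to {target:08X})"
        lines.append(line)
    return lines


# Constructed five-instruction "clean" image. It only mimics the shape of the check in
# the post (load a value, compare it, fall through to li r11, 0); the bytes are made up.
CLEAN_IMAGE = struct.pack(
    ">5I",
    0x81030050,  # lwz r8, 0x50(r3)
    0x1D480058,  # mulli r10, r8, 0x58
    0x814B1234,  # lwz r10, 0x1234(r11)
    0x2B0A0000,  # cmplwi cr6, r10, 0
    0x39600000,  # li r11, 0
)
# Constructed "modded" image: the load became li r10, 1 and the final li now loads 1,
# i.e. the two encodings the post lists (39400001 and 39600001).
MODDED_IMAGE = struct.pack(
    ">5I", 0x81030050, 0x1D480058, 0x39400001, 0x2B0A0000, 0x39600001
)

if __name__ == "__main__":
    for line in describe_changes(CLEAN_IMAGE, MODDED_IMAGE):
        print(line)
```

    Feed it two real basefiles (read as bytes) in place of the constructed images and every reported address can be jumped to directly in IDA; an instruction that decodes as a raw .long is simply outside the small subset handled here, not necessarily anything unusual.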
  21. Lord Zedd liked a blog entry by AMD, Reach - Global Pixel Shaders   
    I'm going to start doing some mini blog posts from now on to keep everyone updated on our research, because it seems people don't notice some of the stuff we do otherwise.
    Zedd's been doing a lot of work on cross-map BSP injection lately, and he's been having some trouble with the terrain shaders. Even though Assembly has support for shader extraction and injection, the map was still crashing. One shader that was causing problems for us in m70_bonus.map was levels\solo\m70_bonus\shaders\ground\m70_bonus_cinematic_ground.rmtr. Its actual pixl tag is shaders\terrain_templates\_0_0_0_0_0_0_0.pixl.
    If you go to that tag in a newer version of Assembly (one that supports shaders), you might notice that all of the shader pointers in it are null, even though the shader works fine and certainly isn't just a null shader. How can this be? Well, we noticed that just above the shader pointer in one of the blocks, there was an int32 with a value of 321. This is usually set to -1 for shaders with valid code pointers. Obviously, there must be something to this.
    We first speculated that this integer was an index into the resource table in zone. (That's a pretty safe guess when you're dealing with stuff like this.) At index 321 in zone, the parent resource was...a bitmap of a spartan helmet. Zedd did some zedding around with Assembly's injection code anyway, but couldn't get anything to work reliably. OK, that's probably not any good. Time to move on.
    Stumped, I decided that we should set a memory read breakpoint on that integer and see what the game does with it. The breakpoint hit at address 0x82182E2C in the TU1 default.xex. Opening that up in IDA, you see this (not including irrelevant code):
    lwz %r8, 0x50(%r3)...mulli %r10, %r8, 0x58
    So this means that the value is an index into an array with an element size of 0x58. And it just so happens that shader tag blocks are that large, but there weren't 300-something entries in the pixl tag.
    Turns out that, starting in Reach, there's a global_cache_file_pixel_shaders ('gpix') tag which contains a bunch of commonly-used shaders, and this is an index into a block in that tag. The actual shader code can be found there. This means that the corresponding block entry needs to be extracted and injected into the target map in order to make the shader work.
    Well, looks like we have some work ahead of us.
  22. Kojuku liked a blog entry by Lord Zedd, Shared Asset Lists   
    Due to size, all I can do is post this link: http://www.mediafire.com/download/q72zw282qjhidli/shared%20lists.rar where you'll find everything in a pretty rar. Lists are courtesy of the "SharedDump" tool made by AMD, which can be found with Assembly's source. Also courtesy of my own merging and sorting since SharedDump goes per-map.
    If it ain't here it ain't shared. Go cry about it.
    Includes:
    Halo 3
    Halo 3: ODST
    Halo: Reach Beta
    Halo: Reach
    Halo 4