add Ep3 codepaths to B2 enabler

This commit is contained in:
Martin Michelsen
2024-06-23 00:24:01 -07:00
parent 862b3d27da
commit 3a22a5c489
14 changed files with 166 additions and 80 deletions
@@ -1,10 +1,6 @@
# This patch gives you the maximum number of each card. It only works if used
# in-game, which means it must be used by running `$patch AllCards`.
# This patch is only for PSO Episode 3 USA, which means it requires the
# EnableEpisode3SendFunctionCall option to be enabled in config.json. If that
# option is disabled, the Patches menu won't appear for the client.
.meta hide_from_patches_menu
.meta name="Get all cards"
.meta description="This patch gives you\nthe maximum number\nof each card."
@@ -4,13 +4,9 @@
# present in PSO PC and PSOX as well, but not in GC Episodes 1 & 2. There are
# notes in the below comments that may help get these editors working on PSO PC.
# This patch is only for PSO Episode 3 USA, which means it requires the
# EnableEpisode3SendFunctionCall option to be enabled in config.json. If that
# option is disabled, the Patches menu won't appear for the client. If this
# patch is run on a different client version, it will do nothing. Also, this
# patch must not be run from the Patches menu - it should only be run with the
# $patch command, since the client will likely crash if the player is not in a
# game or lobby when the patch runs.
# This patch must not be run from the Patches menu - it should only be run with
# the $patch command, since the client will likely crash if the player is not
# in a game or lobby when the patch runs.
.meta hide_from_patches_menu
.meta name="Editors"
@@ -1,8 +1,3 @@
# This patch is only for PSO Episode 3 USA, which means it requires the
# EnableEpisode3SendFunctionCall option to be enabled in config.json. If that
# option is disabled, the Patches menu won't appear for the client. If this
# patch is run on a different client version, it will do nothing.
.meta name="Get VIP card"
.meta description="Gives you a VIP card"
@@ -1,3 +1,7 @@
# This program was an early attempt at restoring B2 patching functionality to
# Episode 3. It is no longer used, since the quest loading method is more
# reliable, but this file remains for documentation purposes.
# There is a buffer overflow bug in PSO Episode 3 that this program uses to
# achieve arbitrary code execution. (This bug is likely present in all versions
# of PSO, but the code here is specific to the USA version of Episode 3.) This
@@ -1055,15 +1055,13 @@
// load, then wait for the client to leave the "game", before even getting to
// the welcome message.
// This quest is not intended to be localized since it should not contain any
// user-visible text, so the server sends the English version for PSO USA
// v1.2, and the Japanese version for PSO JP v1.5, regardless of the client's
// language setting. The quest is not used on any other PSO version.
"PSOPlusSendFunctionCallQuestNumber": -1,
// Whether to enable patches on Episode 3 USA. This functionality depends on
// exploiting a bug in Episode 3, and while it seems to work reliably on
// Dolphin, it hasn't been tested on a real GameCube. So, newserv doesn't
// enable Episode 3 USA patches by default; it only does if this option is on.
"EnableEpisode3SendFunctionCall": false,
// user-visible text, so the server uses the language field to determine
// which quest to send based on the client's version:
// - US Plus v1.2 + customizations: English
// - JP Plus v1.5: Japanese
// - US Ep3: Spanish
// - EU Ep3: German
"EnableSendFunctionCallQuestNumber": -1,
// Whether to enable protected subcommands on GC and Xbox. This enables the
// infinite HP cheat to also automatically revive players and clear conditions
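Review bot: The replacement comment above `EnableSendFunctionCallQuestNumber` drops the caveat the removed text carried — that the Episode 3 path relies on a client bug and had only been verified on Dolphin — and with `EnableEpisode3SendFunctionCall` gone, Episode 3 clients now appear to get this behavior without an opt-in. If the hardware caveat still holds, keep one sentence of it, e.g. `// Episode 3 clients are included here; that path has only been verified on Dolphin.` `PSOPlusSendFunctionCallQuestNumber` is also renamed with no migration note; if unknown keys are ignored at load, existing configs keeping the old name would silently fall back to the default, so a deprecation comment or changelog line would help operators.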
@@ -0,0 +1,47 @@
.version GC_EP3
.quest_num 88500
.language 1
.episode Episode1
.name "GC Ep3 EU patch enabler"
.short_desc ""
.long_desc ""
start:
leti r3, 0x80004000
write4 0x80454E04, 0x80109FB4
write4 0x80454E08, 0x8000C324
write4 0x80454E0C, r3
read4 r0, 0x8057CA10
leto r4, code
read4 r4, r4
add r4, r0
leto r5, code_end
read4 r5, r5
add r5, r0
copy_byte:
jmp_eq r4, r5, copy_done
read1 r0, r4
write1 r3, r0
addi r3, 1
addi r4, 1
jmp copy_byte
copy_done:
.data F9FE00400080
.data F9FF
ba_initial_floor 17
write2 0x8057C930, 1
// Clean up quest handler table
write4 0x80454E04, 0
write4 0x80454E08, 0
write4 0x80454E0C, 0
ret
code:
.include_native q88500-gc.s
code_end:
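Review bot: Both new enabler quests declare `.language 1` — this EU file at the top and the USA file in the next section — while the config comment in this same commit says the server chooses the Ep3 quest by language field, Spanish for US Ep3 and German for EU Ep3. If `.language` is the field the server matches on, the two files cannot both be 1; if it is not, a comment stating what `.language` means for these quests would stop the next reader from drawing that conclusion. The two files otherwise differ only in a handful of client addresses (the three handler-table slots, the pointer written to the first slot, the `read4` base and the `write2` target), so a short comment on each naming what it points at, e.g. `# quest handler table entry (EU Ep3)`, would make the pair easier to keep in sync.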
@@ -0,0 +1,47 @@
.version GC_EP3
.quest_num 88500
.language 1
.episode Episode1
.name "GC Ep3 USA patch enabler"
.short_desc ""
.long_desc ""
start:
leti r3, 0x80004000
write4 0x80452A4C, 0x80109B28
write4 0x80452A50, 0x8000C324
write4 0x80452A54, r3
read4 r0, 0x8057A5F0
leto r4, code
read4 r4, r4
add r4, r0
leto r5, code_end
read4 r5, r5
add r5, r0
copy_byte:
jmp_eq r4, r5, copy_done
read1 r0, r4
write1 r3, r0
addi r3, 1
addi r4, 1
jmp copy_byte
copy_done:
.data F9FE00400080
.data F9FF
ba_initial_floor 17
write2 0x8057A510, 1
// Clean up quest handler table
write4 0x80452A4C, 0
write4 0x80452A50, 0
write4 0x80452A54, 0
ret
code:
.include_native q88500-gc.s
code_end:
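Review bot: The only comment in this file is `// Clean up quest handler table`; the raw `.data F9FE00400080` and `.data F9FF` lines and `ba_initial_floor 17` are left unexplained, and since `.data` bypasses the assembler's mnemonics a reader cannot tell which opcodes they encode or why they could not be written symbolically. A header comment describing the sequence as the code shows it — write three handler-table slots, copy the bytes between `code` and `code_end` (offset by the word read from `0x8057A5F0`, presumably a quest-data base — confirm) one at a time to `0x80004000`, emit the raw opcodes, then zero the three slots — would let a maintainer follow it without the native blob at hand. The copy loop's only bound is `code_end`, so the amount written at `0x80004000` grows with `q88500-gc.s`; a comment stating the assumption about how much space is free there would document the limit. The same applies to the EU file in the preceding section.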
@@ -79,8 +79,7 @@ handle_B2_skip_relocations:
ori r0, r0, 0xC274
mr r3, r6
mr r4, r5
mtctr r0
bctrl # flush_code(code_base_addr, code_section_size)
bl call_flush_code # flush_code(code_base_addr, code_section_size)
# Call the code section and put the return value (byteswapped) on the stack
# Note: flush_code only uses r3, r4, and r5, so we don't need to reload r7
@@ -148,6 +147,16 @@ crc32_done:
xori r3, r3, 0xFFFF
blr # return (result ^ 0xFFFFFFFF)
call_flush_code:
lis r5, 0x8000
ori r5, r5, 0xC274
mtctr r5
lhz r0, [r5 + 6]
cmplwi r0, 0xFFF1
beqctr
addi r5, r5, 0xB0 # 8000C324
mtctr r5
bctr
get_handle_B2_ptr:
mflr r9 # r9 = &handle_B2
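Review bot: `call_flush_code` picks the flush_code entry point by testing the halfword at `[r5 + 6]` (0x8000C27A) against the magic `0xFFF1`, and neither the constant nor the two targets are explained; the fall-through target `0x8000C324` is the address the new Ep3 enabler quests install into their handler tables and `0x8000C274` is the address the previous unconditional `mtctr r0`/`bctrl` used, so that much can go in a header comment such as `# Tail-call flush_code(r3, r4): 0x8000C274 if the halfword at +6 is 0xFFF1 (original target), else 0x8000C324 (Ep3). Clobbers r0, r5, ctr; flush_code's blr returns to our caller.` The routine now clobbers r0 and ctr on every path, so the caller's note in the first hunk that flush_code only uses r3, r4 and r5 no longer describes the full clobber set, and with `mtctr r0`/`bctrl` removed the `ori r0, r0, 0xC274` left at the top of that hunk (and the `lis r0` that presumably precedes it outside the hunk) is dead code. A word on which client versions the `0xFFF1` halfword identifies would let a future reviewer check the test without a memory dump. `get_handle_B2_ptr`'s body continues outside the hunk.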
@@ -170,20 +179,36 @@ copy_handle_B2_word_again:
bdnz copy_handle_B2_word_again
# Invalidate the caches appropriately for the newly-copied code
lis r9, 0x8000
ori r9, r9, 0xC274
mtctr r9
mr r3, r12
rlwinm r4, r7, 30, 2, 31
bctrl # flush_code(copied_B2_handler, copied_B2_handler_bytes)
bl call_flush_code # flush_code(copied_B2_handler, copied_B2_handler_bytes)
# Replace the command handler table entry for command 0E (which is an unused
# legacy command and has very broken behavior) with our B2 implementation
lis r5, 0x804C
ori r5, r5, 0x4E08
li r0, 0x00B2
lis r6, 0x804C
ori r5, r6, 0x4E08 # US v1.2
lwz r3, [r5]
cmplwi r3, 0x000E
beq patch_main_handlers_write
ori r5, r6, 0x5530 # JP v1.5
lwz r3, [r5]
cmplwi r3, 0x000E
beq patch_main_handlers_write
lis r6, 0x8045
subi r5, r6, 0x097C # US Ep3
lwz r3, [r5]
cmplwi r3, 0x000E
beq patch_main_handlers_write
ori r5, r6, 0x1A3C # EU Ep3
lwz r3, [r5]
cmplwi r3, 0x000E
bne done
patch_main_handlers_write:
stw [r5], r0
stw [r5 + 0x0C], r12
done:
mtlr r11
blr