[Research] Loading GSC Files

Dwack

** serious discussion only please **


So I began a little research into the BO xex. Trying to eventually load GSC files stored outside an .ff file.

I've located what I believe to be the main area of the xex that handles this.

Here is my code to grab the names of the loaded files:

We start off with a hook to a new function that calls DbgPrint:

Code:
.text:8245D4C8                 stwu      r1, -0x80(r1)
.text:8245D4CC                 mr        r29, r3
.text:8245D4D0                 li        r6, -1
.text:8245D4D4                 li        r5, 1
.text:8245D4D8                 li        r3, 0x25
.text:8245D4DC                 bl        sub_82607FA0 # Original Code ==> mr r30, r4
.text:8245D4E0                 bl        sub_82286370
.text:8245D4E4                 mr        r31, r3
.text:8245D4E8                 cmplwi    cr6, r3, 0
.text:8245D4EC                 bne       cr6, loc_8245D510
.text:8245D4F0                 lis       r11, ((unk_83E890EC+0x10000)@h)
.text:8245D4F4                 slwi      r10, r29, 4

My code to print the names:

Code:
.text:82607FA0 # =============== S U B R O U T I N E =======================================
.text:82607FA0
.text:82607FA0
.text:82607FA0 sub_82607FA0:                           # CODE XREF: sub_8245D4C0+1Cp
.text:82607FA0                 mfspr   r12, LR
.text:82607FA4                 stw       r12, -8(r1)
.text:82607FA8                 stwu      r1, -0x60(r1)
.text:82607FAC                 mr        r30, r4 # r4 is string location
.text:82607FB0                 lis       r3, aCmdVsayS@h
.text:82607FB4                 ori       r3, r3, aCmdVsayS@l # "cmd vsay %s\n"
.text:82607FB8                 bl        DbgPrint
.text:82607FBC                 mr        r4, r30
.text:82607FC0                 li        r3, 0x25
.text:82607FC4                 addi      r1, r1, 0x60
.text:82607FC8
.text:82607FC8 loc_82607FC8:                           # DATA XREF: .rdata:off_820C4140o
.text:82607FC8                 lwz       r12, -8(r1)
.text:82607FCC                 mtspr   LR, r12
.text:82607FD0                 blr
.text:82607FD0 # End of function sub_82607FA0
.text:82607FD0
.text:82607FD0 # ---------------------------------------------------------------------------

Result:
* Won't see this unless you have a DevKit or have UART enabled on a JTAG *
Code:
cmd vsay codescripts/delete.gsc
cmd vsay codescripts/struct.gsc
cmd vsay maps/mp/_destructible.gsc
cmd vsay maps/mp/_utility.gsc
cmd vsay common_scripts/utility.gsc
cmd vsay maps/mp/gametypes/_hud_util.gsc
cmd vsay maps/mp/_createfx.gsc
cmd vsay maps/mp/_createfxmenu.gsc
cmd vsay maps/mp/_fx.gsc
cmd vsay maps/mp/gametypes/_spawnlogic.gsc
cmd vsay maps/mp/gametypes/_callbacksetup.gsc
cmd vsay maps/mp/_audio.gsc
cmd vsay maps/mp/gametypes/_globallogic.gsc
cmd vsay maps/mp/_burnplayer.gsc
cmd vsay maps/mp/gametypes/_globallogic_player.gsc
cmd vsay maps/mp/gametypes/_hardpoints.gsc
cmd vsay maps/mp/_airsupport.gsc
cmd vsay maps/mp/gametypes/_weapons.gsc
cmd vsay maps/mp/_flashgrenades.gsc
cmd vsay maps/mp/gametypes/_globallogic_score.gsc
cmd vsay maps/mp/gametypes/_globallogic_utils.gsc
cmd vsay maps/mp/gametypes/_hud_message.gsc
cmd vsay maps/mp/_laststand.gsc
cmd vsay maps/mp/gametypes/_gameobjects.gsc
cmd vsay maps/mp/gametypes/_objpoints.gsc
cmd vsay maps/mp/gametypes/_hostmigration.gsc
cmd vsay maps/mp/gametypes/_hud.gsc
cmd vsay maps/mp/_radar.gsc
cmd vsay maps/mp/gametypes/_tweakables.gsc
cmd vsay maps/mp/_killstreakrules.gsc
cmd vsay maps/mp/_popups.gsc
cmd vsay maps/mp/gametypes/_persistence.gsc
cmd vsay maps/mp/gametypes/_class.gsc
cmd vsay maps/mp/gametypes/_customclasses.gsc
cmd vsay maps/mp/gametypes/_copycat.gsc
cmd vsay maps/mp/gametypes/_armor.gsc
cmd vsay maps/mp/gametypes/_bot.gsc
cmd vsay maps/mp/gametypes/_globallogic_ui.gsc
cmd vsay maps/mp/gametypes/_teams.gsc
cmd vsay maps/mp/gametypes/_teamset_junglemarines.gsc
cmd vsay mpbody/ordnance_disposal_mp.gsc
cmd vsay mpbody/camo_mp.gsc
cmd vsay mpbody/hardened_mp.gsc
cmd vsay mpbody/standard_mp.gsc
cmd vsay mpbody/utility_mp.gsc
cmd vsay mphead/head_armor_mp.gsc
cmd vsay mphead/head_flak_mp.gsc
cmd vsay mphead/head_camo_mp.gsc
cmd vsay mphead/head_standard_mp.gsc
cmd vsay mphead/head_utility_mp.gsc
cmd vsay maps/mp/gametypes/_teamset_urbanspecops.gsc
cmd vsay maps/mp/gametypes/_teamset_winterspecops.gsc
cmd vsay maps/mp/gametypes/_teamset_cubans.gsc
cmd vsay maps/mp/gametypes/_spectating.gsc
cmd vsay maps/mp/gametypes/_pregame.gsc
cmd vsay maps/mp/gametypes/_spawning.gsc
cmd vsay maps/mp/_tacticalinsertion.gsc
cmd vsay maps/mp/_properks.gsc
cmd vsay maps/mp/gametypes/_globallogic_audio.gsc
cmd vsay maps/mp/_music.gsc
cmd vsay maps/mp/gametypes/_weaponobjects.gsc
cmd vsay maps/mp/_satchel_charge.gsc
cmd vsay maps/mp/_decoy.gsc
cmd vsay maps/mp/_entityheadicons.gsc
cmd vsay maps/mp/gametypes/_missions.gsc
cmd vsay maps/mp/gametypes/_rank.gsc
cmd vsay maps/mp/_medals.gsc
cmd vsay maps/mp/_challenges.gsc
cmd vsay maps/mp/_vehicles.gsc
cmd vsay maps/mp/_scrambler.gsc
cmd vsay maps/mp/gametypes/_damagefeedback.gsc
cmd vsay maps/mp/_acousticsensor.gsc
cmd vsay maps/mp/_cameraspike.gsc
cmd vsay maps/mp/_ballistic_knife.gsc
cmd vsay maps/mp/_rcbomb.gsc
cmd vsay maps/mp/_treadfx.gsc
cmd vsay maps/mp/gametypes/_shellshock.gsc
cmd vsay maps/mp/gametypes/_gametype_variants.gsc
cmd vsay maps/mp/gametypes/_gv_actions.gsc
cmd vsay maps/mp/gametypes/_wager.gsc
cmd vsay maps/mp/_spyplane.gsc
cmd vsay maps/mp/_tabun.gsc
cmd vsay maps/mp/_dogs.gsc
cmd vsay maps/mp/gametypes/_battlechatter_mp.gsc
cmd vsay maps/mp/_smokegrenade.gsc
cmd vsay maps/mp/_heatseekingmissile.gsc
cmd vsay maps/mp/_explosive_bolt.gsc
cmd vsay maps/mp/_sticky_grenade.gsc
cmd vsay maps/mp/_flamethrower_plight.gsc
cmd vsay maps/mp/_tvguidedmissile.gsc
cmd vsay maps/mp/_flare.gsc
cmd vsay maps/mp/_helicopter.gsc
cmd vsay maps/mp/_airstrike.gsc
cmd vsay maps/mp/_napalm.gsc
cmd vsay maps/mp/_artillery.gsc
cmd vsay maps/mp/_mortar.gsc
cmd vsay maps/mp/_helicopter_player.gsc
cmd vsay maps/mp/gametypes/_supplydrop.gsc
cmd vsay maps/mp/_turret_killstreak.gsc
cmd vsay maps/mp/_mgturret.gsc
cmd vsay maps/mp/gametypes/_killstreak_weapons.gsc
cmd vsay maps/mp/_gamerep.gsc
cmd vsay maps/mp/gametypes/_globallogic_spawn.gsc
cmd vsay maps/mp/gametypes/_globallogic_defaults.gsc
cmd vsay maps/mp/gametypes/_globallogic_vehicle.gsc
cmd vsay maps/mp/_demo.gsc
cmd vsay maps/mp/gametypes/_killcam.gsc
cmd vsay maps/mp/_tutorial.gsc
cmd vsay maps/mp/gametypes/_deathicons.gsc
cmd vsay maps/mp/_busing.gsc
cmd vsay maps/mp/_gameadvertisement.gsc
cmd vsay maps/mp/_pc.gsc
cmd vsay maps/mp/_clientflags.gsc
cmd vsay maps/mp/gametypes/_menus.gsc
cmd vsay maps/mp/gametypes/_serversettings.gsc
cmd vsay maps/mp/gametypes/_clientids.gsc
cmd vsay maps/mp/gametypes/_scoreboard.gsc
cmd vsay maps/mp/gametypes/_healthoverlay.gsc
cmd vsay maps/mp/_serverfaceanim_mp.gsc
cmd vsay maps/mp/gametypes/_friendicons.gsc
cmd vsay maps/mp/gametypes/_globallogic_actor.gsc
cmd vsay maps/mp/animscripts/dog_combat.gsc
cmd vsay maps/mp/animscripts/shared.gsc
cmd vsay maps/mp/animscripts/utility.gsc
cmd vsay maps/mp/animscripts/dog_stop.gsc
cmd vsay maps/mp/animscripts/dog_death.gsc
cmd vsay maps/mp/animscripts/dog_init.gsc
cmd vsay maps/mp/animscripts/dog_move.gsc
cmd vsay maps/mp/animscripts/dog_pain.gsc
cmd vsay maps/mp/animscripts/dog_flashed.gsc
cmd vsay maps/mp/animscripts/dog_jump.gsc
cmd vsay maps/mp/animscripts/dog_turn.gsc
cmd vsay maps/mp/gametypes/tdm.gsc
cmd vsay maps/mp/mp_array.gsc
cmd vsay maps/mp/mp_array_fx.gsc
cmd vsay maps/mp/createfx/mp_array_fx.gsc
cmd vsay maps/mp/createart/mp_array_art.gsc
cmd vsay maps/mp/_load.gsc
cmd vsay maps/mp/_deployable_weapons.gsc
cmd vsay maps/mp/_minefields.gsc
cmd vsay maps/mp/_rotating_object.gsc
cmd vsay maps/mp/_shutter.gsc
cmd vsay maps/mp/_elevator.gsc
cmd vsay maps/mp/_interactive_objects.gsc
cmd vsay maps/mp/_lights.gsc
cmd vsay maps/mp/_art.gsc
cmd vsay maps/mp/_global_fx.gsc
cmd vsay maps/mp/animscripts/traverse/shared.gsc
cmd vsay maps/mp/_compass.gsc
cmd vsay maps/mp/mp_array_amb.gsc
cmd vsay maps/mp/_ambientpackage.gsc
cmd vsay maps/mp/animscripts/traverse/jump_down_40.gsc
cmd vsay maps/mp/animscripts/traverse/mantle_on_40.gsc
cmd vsay maps/mp/animscripts/traverse/mantle_over_40.gsc
cmd vsay animtrees/mp_vehicles.atr
cmd vsay animtrees/fxanim_props.atr
cmd vsay animtrees/multiplayer.atr
cmd vsay codescripts/delete.gsc
cmd vsay codescripts/struct.gsc
cmd vsay clientscripts/mp/_callbacks.csc
cmd vsay clientscripts/mp/_utility.csc
cmd vsay clientscripts/mp/_utility_code.csc
cmd vsay clientscripts/mp/_vehicle.csc
cmd vsay clientscripts/mp/_rcbomb.csc
cmd vsay clientscripts/mp/_rewindobjects.csc
cmd vsay clientscripts/mp/_plane.csc
cmd vsay clientscripts/mp/_airsupport.csc
cmd vsay clientscripts/mp/_airstrike.csc
cmd vsay clientscripts/mp/_fx.csc
cmd vsay clientscripts/mp/_lights.csc
cmd vsay clientscripts/mp/_players.csc
cmd vsay clientscripts/_filter.csc
cmd vsay clientscripts/mp/_acousticsensor.csc
cmd vsay clientscripts/mp/_ambient.csc
cmd vsay clientscripts/mp/_rotating_object.csc
cmd vsay clientscripts/mp/_destructible.csc
cmd vsay clientscripts/mp/_explode.csc
cmd vsay clientscripts/mp/_cameraspike.csc
cmd vsay clientscripts/mp/_explosive_bolt.csc
cmd vsay clientscripts/mp/_sticky_grenade.csc
cmd vsay clientscripts/mp/_decoy.csc
cmd vsay clientscripts/mp/_satchel_charge.csc
cmd vsay clientscripts/mp/_claymore.csc
cmd vsay clientscripts/mp/_treadfx.csc
cmd vsay clientscripts/mp/_helicopter.csc
cmd vsay clientscripts/mp/_helicopter_sounds.csc
cmd vsay clientscripts/mp/_music.csc
cmd vsay clientscripts/mp/_audio.csc
cmd vsay clientscripts/mp/_ambientpackage.csc
cmd vsay clientscripts/mp/_dogs.csc
cmd vsay clientscripts/mp/_burnplayer.csc
cmd vsay clientscripts/mp/_clientfaceanim_mp.csc
cmd vsay clientscripts/mp/_face_utility_mp.csc
cmd vsay clientscripts/mp/_footsteps.csc
cmd vsay clientscripts/mp/mp_array.csc
cmd vsay clientscripts/mp/_teamset_winterspecops.csc
cmd vsay clientscripts/mp/_load.csc
cmd vsay clientscripts/mp/_clientflags.csc
cmd vsay clientscripts/mp/_global_fx.csc
cmd vsay clientscripts/mp/_busing.csc
cmd vsay clientscripts/mp/_ctf.csc
cmd vsay clientscripts/mp/_tacticalinsertion.csc
cmd vsay clientscripts/mp/_scrambler.csc
cmd vsay clientscripts/mp/_flamethrower_plight.csc
cmd vsay clientscripts/mp/_helicopter_player.csc
cmd vsay clientscripts/mp/mp_array_fx.csc
cmd vsay clientscripts/mp/createfx/mp_array_fx.csc
cmd vsay clientscripts/mp/mp_array_amb.csc
cmd vsay animtrees/multiplayer.atr

If anyone else gets bored and wants to spend a little time reversing the xex just post what you find in this thread.
 
-Crippler-


Great idea Dwack, wrong site. Unfortunately this is way over 7s's members' heads. NOT all members mind you. Just the ones browsing this forum. ****, it's over my head as well... lol
 
cabooose

Code:
mr        r30, r4 # r4 is string location

but you didn't put anything in r4 before you called 82607FA0?
 
Deluxe901

So basically you're trying to load the .GSC file(s) from the BO xex?... Or am I just not getting this :/
 
Dwack

Code:
mr        r30, r4 # r4 is string location

but you didn't put anything in r4 before you called 82607FA0?

The original code had that. I originally didn't have that in the new function. After a few tests I found that DbgPrint was changing the value of r4. So I added that so I could restore it and the original xex code would work correctly. Otherwise you get a read error.

Getting further I have found the location of the compressed files as well.


Code:
.text:8245D550 # ---------------------------------------------------------------------------
.text:8245D550
.text:8245D550 loc_8245D550:                           # CODE XREF: sub_8245D4C0+6Cj
.text:8245D550                                         # sub_8245D4C0+84j
.text:8245D550                 lwz       r11, 8(r31)   # Load Word and Zero
.text:8245D554                 lwz       r3, 0(r11)    # r11 = Location in mem of gsc
.text:8245D558                 stw       r3, 0x80+var_30(r1) # Store Word
.text:8245D55C                 lwz       r30, 4(r11)   # Load Word and Zero
.text:8245D560                 bl        sub_823DCEA8  # Branch
.text:8245D564                 lwz       r11, 8(r31)   # Load Word and Zero
.text:8245D568                 mr        r6, r30       # Move Register
.text:8245D56C                 addi      r5, r11, 8    # Add Immediate
.text:8245D570                 addi      r4, r1, 0x80+var_30 # Add Immediate
.text:8245D574                 mr        r31, r3       # Move Register
.text:8245D578                 bl        sub_8240FD08  # Branch
.text:8245D57C
 
cabooose

The original code had that. I originally didn't have that in the new function. After a few tests I found that DbgPrint was changing the value of r4. So I added that so I could restore it and the original xex code would work correctly. Otherwise you get a read error.

I see.. It would have been easier to just set a breakpoint.
 
Dwack

More info. So it appears I have found all the information I was looking for. Next step would be to come up with a way to pass a pointer to the BO xex. That pointer would contain the location of my custom script.

Code:
.text:8245D550 # ---------------------------------------------------------------------------
.text:8245D550
.text:8245D550 loc_8245D550:                           # CODE XREF: sub_8245D4C0+6Cj
.text:8245D550                                         # sub_8245D4C0+84j
.text:8245D550                 lwz       r11, 8(r31)
.text:8245D554                 lwz       r3, 0(r11)    # r11 = Location in mem of compressed gsc
.text:8245D558                 stw       r3, 0x80+var_30(r1)
.text:8245D55C                 lwz       r30, 4(r11)
.text:8245D560                 bl        sub_823DCEA8
.text:8245D564                 lwz       r11, 8(r31)
.text:8245D568                 mr        r6, r30       # Compressed Size
.text:8245D56C                 addi      r5, r11, 8    # Pointer to zlib header
.text:8245D570                 addi      r4, r1, 0x80+var_30 # Uncompressed size?
.text:8245D574                 mr        r31, r3       # Pointer, where to store uncompressed .gsc script
.text:8245D578                 bl        sub_8240FD08  # <== Uncompresses data? Maybe more?

Hopefully I can come up with something soon....
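
The buffer layout that the annotated listing above suggests (a size word, a compressed-size word, then the zlib stream at offset 8), parsed with the checks a loader for it needs; this is an added example, not code from the thread or the game. The field meanings follow the listing's comments, including the ones marked with a question mark, and `parse_compressed_script`, `build_sample` and `MAX_SCRIPT_SIZE` are hypothetical names.

```python
import struct
import zlib

# Layout read off the annotated listing (fields marked "?" there are assumed):
#   +0  u32  uncompressed size   (lwz r3, 0(r11))
#   +4  u32  compressed size     (lwz r30, 4(r11))
#   +8  zlib stream              (addi r5, r11, 8)
HEADER = struct.Struct(">II")        # big-endian, as on the Xbox 360's PowerPC
MAX_SCRIPT_SIZE = 4 * 1024 * 1024    # constructed sanity cap, not a game value


class RawScriptError(ValueError):
    """The blob does not match the layout or its own header."""


def parse_compressed_script(buf: bytes) -> bytes:
    """Validate the 8-byte header, then inflate with a bounded output size."""
    if len(buf) < HEADER.size:
        raise RawScriptError("buffer shorter than the 8-byte header")
    uncompressed_size, compressed_size = HEADER.unpack_from(buf, 0)
    if compressed_size > len(buf) - HEADER.size:
        raise RawScriptError("compressed size runs past the end of the buffer")
    if uncompressed_size > MAX_SCRIPT_SIZE:
        raise RawScriptError("declared uncompressed size exceeds the cap")

    stream = buf[HEADER.size:HEADER.size + compressed_size]
    inflater = zlib.decompressobj()
    try:
        # Ask for one byte more than declared so an oversized stream is
        # detected without ever inflating it in full.
        out = inflater.decompress(stream, uncompressed_size + 1)
    except zlib.error as exc:
        raise RawScriptError(f"bad zlib stream: {exc}") from exc
    if len(out) != uncompressed_size or not inflater.eof:
        raise RawScriptError("inflated data does not match the header")
    return out


def build_sample(script: bytes) -> bytes:
    """Build a constructed blob in the same layout (not real game data)."""
    packed = zlib.compress(script)
    return HEADER.pack(len(script), len(packed)) + packed


if __name__ == "__main__":
    sample = build_sample(b"main()\n{\n}\n")  # constructed sample script
    print(parse_compressed_script(sample))
    try:
        parse_compressed_script(HEADER.pack(4, 999) + sample[8:])
    except RawScriptError as err:
        print("rejected:", err)
```
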
 
Godish

I don't know why you'd bother trying this yourself as the XEX has been lurking about for quite some time.
 
XeChris

clt42

No. IW compiled them and then stored them in the xex. This is loading them from your HDD, not from a ff/zone file.




:/
Ok. But that means this could bypass the check of the modded patch_mp and we could do infections again.
 
esrev3R

Ok. But that means this could bypass the check of the modded patch_mp and we could do infections again.

Even if it does it still won't stop you from getting banned the minute you join XBL matches.....
 
cabooose

That code just decompresses a raw file from assets previously loaded from a fast file. You'll need to write your own function to read a script on the disc, compile, and then execute it.
 
Dwack

I know but hey I got lots of xbl accounts gold :tongue:

Wow .. you're so cool. Maybe I'll rethink sharing this if all you skids want to do is try for silly online infections. :rolleyes:


That code just decompresses a raw file from assets previously loaded from a fast file. You'll need to write your own function to read a script on the disc, compile, and then execute it.

I was thinking that I'd only need to pass a new pointer to the BO xex. It should compile that instead of the one it got from the ff.


ima punch you.



do you even mod?

Answer: No
 
irFrag

Wow .. you're so cool. Maybe I'll rethink sharing this if all you skids want to do is try for silly online infections. :rolleyes:




I was thinking that I'd only need to pass a new pointer to the BO xex. It should compile that instead of the one it got from the ff.




Answer: No
I think me and Elzelda tried that before we got Raw .CFG loading to work. He tried at it while I looked at other methods but he got the farthest but got stuck. I'll Skype him later tonight and see if he remembers what he did, I don't think pointing it was the problem though. :blink:

Even if it does it still won't stop you from getting banned the minute you join XBL matches.....
Treyarch can't ban you instantly...
 