In PSO time attack there is a category for starting the quest with the highest level shifta/deband that could be achieved through a photon blast. In 4 player games this ends up being level 81. The problem is that it takes time to get this before each run.
So here I am trying to make it a bit more streamlined.
I'm specifically targeting psogc on actual hardware, so things like trainers and memory editors that you can use on Blue Burst (or psogc through Dolphin) are not an option. That leaves trying to use a network proxy to spoof packets.
I'll be using my own psogc proxy I've been working on: darkbridge
Idea: I can pretend someone else is casting level 81 sd on me.
First, how do techs work? Casting foie 1 causes my client to send these 3 packets:
60 00 0C 00 8D 02 00 00 00 00 00 00
60 00 0C 00 47 02 00 00 00 00 00 00
60 00 0C 00 48 02 00 00 00 00 00 00
60 basically means echo it to all other people in the room, and 0C is the length of the packet. So these are the bytes we care about:
60 00 0C 00 47 02 00 00 00 00 00 00
60 00 0C 00 48 02 00 00 00 00 00 00
8D, 47, and 48 are subcommand identifiers and 02 is the length (in u32s). The rest is the payload data, except it's all zeros and not helpful at all. Let's try foie 2:
60 00 0C 00 8D 02 00 00 00 00 00 00
60 00 0C 00 47 02 00 00 00 00 01 00
60 00 0C 00 48 02 00 00 00 00 01 00
Found the tech level!

What happens if we cast shifta 1?
60 00 0C 00 8D 02 00 00 00 00 00 00
60 00 0C 00 47 02 00 00 0D 00 00 00
60 00 0C 00 48 02 00 00 0D 00 00 00
And shifta 30:
60 00 0C 00 8D 02 00 00 0F 00 00 00
60 00 10 00 47 03 00 00 0D 00 0E 01 01 00 00 00
60 00 0C 00 48 02 00 00 0D 00 0E 00
...wait what?
hex(30-1) = 1D, but the level byte holds 0E, and there is this new 0F in command 8D. Well, it turns out 0E + 0F = 1D, but this doesn't explain why it got split up over two bytes. And 47 has some additional data... Shifta 1 only targets yourself, but shifta 30 can target other players. So this is just saying which other players it affected. The first 01 is the number of targets, followed by a u32 specifying the client id of the target. So if you hit 3 other players with shifta the packet would be:
60 00 18 00 47 05 00 00 06 00 0E 03 01 00 00 00 02 00 00 00 03 00 00 00
But back to that splitting up of the tech level. What happens if we just max out the level to FF and send ourselves that packet?
jake@sharnoth $ cat s30.txt
raw client 60 00 8D 02 01 00 FF 00 00 00
raw client 60 00 47 03 01 00 0D 00 FF 01 00 00 00 00
raw client 60 00 48 02 01 00 0D 00 FF 00
jake@sharnoth $ cat s30.txt > /tmp/darkbridge
This packet is crafted so it seems like the other player in the game is casting shifta on us: the 01 right after the subcommand size is the client id of the other player, and the 00 00 00 00 target at the end of the 47 packet is the client id of yourself.
Note we omit the length portion of the packet here as the command calculates it automatically.
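As an added example (not part of the original post or of darkbridge), here is a small Python parser for the 0x60 packets dumped above, the check a proxy or server could run to catch a game command sent in another client's name, and the shifta formula quoted below. It assumes the byte after the client id is padding and that the subcommand size counts the bytes after the 4-byte header; the sample packets are copied from the dumps above with the length field filled in.

```python
import struct

# Constructed samples, copied from the packet dumps above (length field filled in
# for the crafted ones, since darkbridge's raw command adds it for you).
SHIFTA_30 = [bytes.fromhex(h) for h in (
    "60000C008D0200000F000000",           # 8D: carries 0x0F
    "60001000470300000D000E0101000000",   # 47: tech 0x0D, 0x0E, one target (client 1)
    "60000C00480200000D000E00",           # 48: tech 0x0D, 0x0E
)]
THREE_TARGETS = bytes.fromhex("600018004705000006000E03010000000200000003000000")
SPOOFED_8D = bytes.fromhex("60000C008D020100FF000000")  # claims client 1 is casting

def parse_game_command(pkt: bytes) -> dict:
    """Split a 0x60 'echo to the room' packet into header, subcommand and payload."""
    cmd, length = pkt[0], struct.unpack_from("<H", pkt, 2)[0]
    if cmd != 0x60 or length != len(pkt):
        raise ValueError("not a well-formed 0x60 packet")
    sub, size_u32, client_id = pkt[4], pkt[5], pkt[6]  # byte 7 assumed to be padding
    if size_u32 * 4 != len(pkt) - 4:  # size counts everything after the 4-byte header
        raise ValueError("subcommand size does not match packet length")
    body = pkt[8:]
    info = {"sub": sub, "client_id": client_id}
    if sub == 0x8D:
        info["level_hi"] = body[0]
    elif sub in (0x47, 0x48):
        info["tech"], info["level_lo"] = body[0], body[2]
        if sub == 0x47:  # 47 also lists who was hit: a count followed by u32 client ids
            n = body[3]
            info["targets"] = list(struct.unpack_from("<%dI" % n, body, 4))
    return info

def summed_level(pkt_8d: bytes, pkt_47: bytes) -> int:
    """The page's first reading: (level - 1) split across 8D and 47 (0x0F + 0x0E = 0x1D).
    The later experiments show the game does not actually derive the level this way."""
    return parse_game_command(pkt_8d)["level_hi"] + parse_game_command(pkt_47)["level_lo"] + 1

def spoofed_caster(pkt: bytes, connection_client_id: int) -> bool:
    """Proxy- or server-side check: a client may only emit game commands in its own name,
    so a 0x60 whose client id differs from the sending connection's id is forged."""
    return parse_game_command(pkt)["client_id"] != connection_client_id

def shifta_atp(base_atp: int, tech_level: int) -> float:
    """Approximate buffed ATP from the formula quoted in the post."""
    return (0.0128 * (tech_level - 1) + 1.1) * base_atp
```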
On cast my atp goes from 616 to 916. The shifta buff algorithm is approximately (.0128 * (techlvl - 1) + 1.1) * base atp, and (.0128*(31 - 1) + 1.1)*616 = 914. So level 31 shifta? Maybe it's a signed int and it overflowed, let's try 7F:
jake@sharnoth $ cat s30.txt
raw client 60 00 8D 02 01 00 7F 00 00 00
raw client 60 00 47 03 01 00 0D 00 7F 01 00 00 00 00
raw client 60 00 48 02 01 00 0D 00 7F 00
jake@sharnoth $ cat s30.txt > /tmp/darkbridge
Aaaaaaaaaand the shifta isn't even a high enough level to affect me? Maybe there is an upper cap of 81 shifta or something:
jake@sharnoth $ cat s30.txt
raw client 60 00 8D 02 01 00 28 00 00 00
raw client 60 00 47 03 01 00 0D 00 28 01 00 00 00 00
raw client 60 00 48 02 01 00 0D 00 28 00
jake@sharnoth $ cat s30.txt > /tmp/darkbridge
Same result, it is too low level to affect me.
What is going on? Okay, let's increment from values we know are correct, 0F and 0E.
jake@sharnoth $ cat s30.txt
raw client 60 00 8D 02 01 00 0F 00 00 00
raw client 60 00 47 03 01 00 0D 00 0F 01 00 00 00 00
raw client 60 00 48 02 01 00 0D 00 0F 00
jake@sharnoth $ cat s30.txt > /tmp/darkbridge
616 -> 796: shifta level...16?
(.0128*(16 - 1) + 1.1)*616 = 795.87.
Does 0E + 1 overflow to 0? Let's increment the other variable:
jake@sharnoth $ cat s30.txt
raw client 60 00 8D 02 01 00 10 00 00 00
raw client 60 00 47 03 01 00 0D 00 0E 01 00 00 00 00
raw client 60 00 48 02 01 00 0D 00 0E 00
jake@sharnoth $ cat s30.txt > /tmp/darkbridge
616 -> 908, level 30. Huh.
And if I just change the first one...?
jake@sharnoth $ cat s30.txt
raw client 60 00 8D 02 01 00 20 00 00 00
raw client 60 00 47 03 01 00 0D 00 0E 01 00 00 00 00
raw client 60 00 48 02 01 00 0D 00 0E 00
jake@sharnoth $ cat s30.txt > /tmp/darkbridge
30 again.
It looks like the level of techs that can be cast through this method is capped to reasonable values.
In conclusion: techs are dumb
Full vod of my researching this at: https://www.youtube.com/watch?v=2P0RXrYhe3M, except since I suck at streaming, the audio of the person I was talking to during all of this isn't there, so it looks like I'm just talking to myself like a lunatic.