Archive for the ‘Reverse Engineering’ Category.

Forza Studio 4.0 – Forza Motorsport 3 & 4 Resource Extraction Tool

With school now out of the way, I suppose it’s time for me to get my ass in gear and start finishing up the various side-projects I seem to have accumulated throughout the years. Starting with the one most recently adopted, I present you a semi-finalized version of Forza Studio. Forza Studio 4.0 should now render all previous versions of my Forza-related utilities obsolete. Any questions can be directed to the comments section of this post and I’ll happily reply to them as soon as I can.

Forza Studio 4.0 now officially supports the viewing and extraction of most cars (.carbin), wheels, brakes, rotors, calipers, tracks (.rmb.bin), and textures (.xds, .bix) from both versions of Forza 3 and Forza 4.

Its use is fairly straightforward in my opinion. Right-clicking various sections will bring up a context menu specific to that control. When viewing a model in the viewport, use the WASD keys on your keyboard to move the camera position and IJKL to look around. I’ve also included zip extraction functionality that can be found under the utilities menu for those who wish to use it instead of the usual QuickBMS script.

.NET Framework 2.0 (or greater)
XNA Framework 3.1 (4.0 is different)

Forza Studio 4.0 Application (12819)
Forza Studio 4.0 Source (5887)
Forza Studio 4.1 Application (Horizon Support) (14228) UPDATE!

Yelo: Halo 2 Xbox Trainer

Here’s the first of a few older projects I’ll end up posting and open sourcing on this site just for historical purposes. The Halo games and Xbox console in general are what originally got me involved in software development, so I figure I’ll post what started it all first.

It began in December of 2004 with me installing a mod-chip on my Xbox which basically turns it into a media center and also allows for the execution of homebrew software among other things. During that process, I stumbled across the Halo 2 map editor Ch2r, which provided the basic ability to open Halo 2 .map files and modify the resources within. Halo maps use a tag-based system for storing information related to everything from vehicle and weapon settings to particle effects or raw resources such as models, images, and sounds. Ch2r had an XML plugin system that was used to identify offsets and data types of the information stored in each of those tags. Since most plugins were still in their infancy, I decided to teach myself how to read the tags extracted by Ch2r in a hex editor and identify some of the tag values for the rest of the Halo modding community to use in their mods.

Eventually, I became interested in the Halo 2 game engine itself, and started learning x86 assembly so I could make a simple third person camera hack similar to the one bitterbanana made for the original Halo on PC. With the help of Acidflash, EvoxT, and a few others in the scene, I started picking up the knowledge needed to create and inject assembly code into Xbox games. On and off over the course of a few years, I spent lots of time researching the Halo 2 game engine by locating things in memory, stepping through the code in a debugger, studying its disassembly, and documenting all of my findings. The features in Yelo are only a small collection of the things I’ve found researching throughout the years, but it still provides users with plenty of options and a good overall summary of some of the useful things that can be done in the game. Bungie must have also recognized the large amount of replay value these kinds of features offer, since they’ve included something similar to Yelo in all of their new titles following Halo 2, allowing you to fly around in the levels and take screenshots. I only wish other game developers in the industry would catch on and do the same, as exploring some of these virtual worlds can be very fun and interesting.

If you don’t know how to use trainers (hell, I barely remember anymore :P), I suggest you check out Xbox-Scene or MaxConsole for further information. Along with the trainer, you must also transfer over the “” file to “E:/TDATA/4D530064/”. If you fail to do so, the trainer will not function properly and will immediately go into wireframe at the press of a button. Every combo and a few other options can be edited via the trainer config file. Note that some of the cinematic and lighting options are experimental, so if you don’t like them, don’t use them :P

This trainer will only work with the Xored ETM Launcher v2.2 (due to memory allocation issues) so be sure to download that before use. Please use Aequitas’ UberScreenshotTool below for screenshot recovery. Use the supplied config editor below if you wish to change things. For those of you that have been complaining about the 1.1 update and wish to still use the new maps, download and apply Snave’s mainmenu patch below.

dpad-up = increase cam speed*
dpad-down = decrease cam speed*
dpad-left = decrease look speed*
dpad-right = increase look speed*
lthumb+rthumb = toggle timefreeze
lthumb+dpad-up = increase vertical look shift
lthumb+dpad-down = decrease vertical look shift
lthumb+dpad-left = increase horizontal look shift
lthumb+dpad-right = decrease horizontal look shift
lthumb+black = disable cinematic mode
lthumb+white = enable cinematic mode
lthumb+back = stillcam
rthumb+dpad-up = decrease camera depth
rthumb+dpad-down = increase camera depth
rthumb+dpad-left = increase fov
rthumb+dpad-right = decrease fov
rthumb+A = save camera state (shifts, fov, and depth)
rthumb+B = load camera state (shifts, fov, and depth)
rthumb+X = save gamestate
rthumb+Y = load gamestate
rthumb+back = cutscene camera
back+dpad-up = first person perspective
back+dpad-down = third person perspective
back+dpad-left = chasecam perspective
back+dpad-right = devcam perspective
black+dpad-up = increase z cam shift
black+dpad-down = decrease z cam shift
black+dpad-left = decrease y cam shift
black+dpad-right = increase y cam shift
white+dpad-down = auto hires grabber*
white+dpad-left = vidcap (10fps)
white+dpad-right = 360 degree shot*
white+back = screenshot
rtrigger = move up along z axis*
ltrigger = move down along z axis*
A+dpad-up = letterbox toggle
A+dpad-down = wireframe
A+dpad-left = hud toggle
A+dpad-right = ai toggle
A+black = decrease ambient light brightness
A+white = increase ambient light brightness
B+dpad-up = teleport to current camera coordinates
B+dpad-left = decrease gamespeed
B+dpad-right = increase gamespeed
X+dpad-up = secondary light vertical increase
X+dpad-down = secondary light vertical decrease
X+dpad-left = secondary light horizontal decrease
X+dpad-right = secondary light horizontal increase
X+black = decrease secondary light brightness
X+white = increase secondary light brightness
Y+dpad-up = primary light vertical increase
Y+dpad-down = primary light vertical decrease
Y+dpad-left = primary light horizontal decrease
Y+dpad-right = primary light horizontal increase
Y+black = decrease primary light brightness
Y+white = increase primary light brightness

* while in devcam

-Have you read this entire post?
-Are you using the Xored v2.2 launcher with correct config settings?
-Did you transfer over the “” to “E:/TDATA/4D530064/”?
-Did you disable the Autoupdate in your trainer options menu?
-Do you only have one controller plugged in, and is it in the first controller port?
-Do you have a semi-functional brain that possesses the knowledge required to run such a fine piece of software?

Yelo: Halo 2 Xbox Trainer (1472)
Yelo Config Editor (1298)
Snave's Main Menu Patch (1230)
UberScreenshotTool (1114)