Nanashi3

Oh, and good luck for the project. Have always been wanting to play it cause the artwork is outright gorgeous.

Hi, I wrote that some time ago: http://wrttn.in/c03b7f And this packer might work (untested): https://gist.github.com/mchubby/7754610 Edit: where did I get that from??? Some Japanese developer called "nota"apparently, but I can't remember, sorry http://www31.zippyshare.com/v/9237311/file.html Edit2: site is http://anime.geocities.jp/notazsite1/soft/ number 009

Looking at the Chinese TL, it seems STS.DAT contains bits of text (XOR key 0xDA). EBOOT was left mostly untouched, so the script should not be in there.

M? Some of the links are still up, eg http://uploadhero.co/dl/BJ2nXgBL or http://uploaded.net/file/llxbjqvv

According to this blog post (and if I deciphered correctly), the XOR algorithm has slightly changed in 0.473 http://www.cnblogs.com/sunjicccc/archive/2013/01/02/2841956.html

Hello everyone, I hereby proudly present a modest set of tools which aim at pulling out text from console VNs published by Yeti/Regista/Cyberfront. There was no identifiable name for the VN engine, and it is only one among many others Cyberfront etc. use. Tested titles are: Cross + Channel PSP and X360 Secret Game and its sequel Rebellion's PSP Kana Imouto PSP Hoshizora Planet PSP Ryuu-Koku PSP Konneko PSP Tamayura PSP Root Double X360 Those tools were written in Python 3 and may be freely used provided proper credit is given. Since it is a dynamic scripting language, sourcecode is freely available. How to use it: 0- Install Python 3 (whatever version) 1- Unzip archive contents. Edit all PS1 files to match your Python 3 path. 2- Extract sn.bin from your game media and copy it into the same folder. Give it a significant name, e.g. sg2psp-sn.bin 3- Open a Powershell prompt and change directory to the extract folder 4- Run _1-extpak.ps1 ( C:\Mydir PS> .\_1-extpak.ps1 ) It should generate a bunch of z__*.opcodescript files 5- Run _2-extjis.ps1 ( C:\Mydir PS> .\_2-extjis.ps1 ) For each opcodescript, a resource txt file may appear depending on whether strings were detected. 6-Optionally you may want to convert those txt files to po for importing them into a Weblate project for instance You may also want to take a look at the presentation I created for installing Weblate on a cloud service: https://slid.es/mchubby/weblate-on-pythonanywhere I had no time to retest the whole process again though >_< Known Non-Bugs: The last item of each archive is not a game script. It certainly serves a purpose, but it does not matter as far as text extraction is concerned. Known Bugs: Rebellion's SG script 002 won't be parsed correctly.. Not that it matters, it seems to be an orphan script. TODO: Decode root double PS3 (BLJM-61100) 's sn.sdat, but I cannot find the corresponding klicensee even after bruteforcing. help? Figure out bitmap format of XTX graphics mode 1 and 2 asmodean's spc2bmp only supports 32bpp bitmaps (mode 0) only clue I have atm is http://tieba.baidu.com/p/2397878791 ; they have the same issue here http://tieba.baidu.com/p/2631815322 PS: @Ziddy, apologies for not answering PMs, I was horribly busy

Minorin says: ｸﾞｼﾞｮｰ( ´ー`)

Here is a ripping script, although still imperfect. http://www.embedupload.com/?d=2VCZCUIVEP Usage: 1. Install Python 3.x 2. Edit "dump_data.py" to reflect data.bin path 3. Open a command prompt and chdir to script directory python dump_data.py 4. Double-click "_convert_tm2.cmd" to begin conversion process. Only a small fraction of BG/CG/Tachie files seem to be properly handled? There is more work needed to unpack multi-TIM2 containers.

One notable point is PMF videos are rendered with specifically-developed code in PPSSPP (HLE code); 46:29:937 user_main I[ME]: HLE\scePsmf.cpp:857 scePsmfPlayerSetPsmf(088c0fa8, disc0:/PSP_GAME/USRDIR/X6MOVIE/16.pmf) 46:29:937 user_main W[ME]: HLE\scePsmf.cpp:930 UNIMPL scePsmfPlayerStart(088c0fa8, 088c0f84, 00000000) 46:29:940 user_main I[ME]: HW\MediaEngine.cpp:108 Format aac detected only with low score of 1, misdetection possible! 46:29:943 user_main I[ME]: HW\MediaEngine.cpp:108 get_buffer() failed 46:29:943 user_main I[ME]: HW\MediaEngine.cpp:108 Could not find codec parameters for stream 0 (Audio: aac, 0 channels, fltp): unspecified sample r ate Consider increasing the value for the 'analyzeduration' and 'probesize' options The emulator seems to have trouble detecting audio format for this one video file.

1. Download QuickBMS.zip from http://aluigi.altervista.org/quickbms.htm and extract it. 2. Create a file in the same directory called spanic_databin.bms and paste this contents: # extract LZ77 files from DATA.BIN in PS2 Strawberry Panic [SLPS-25612] endian little comtype PUYO_LZ01 For FindLoc OFFSET string "LZ77" 0 "" #print "OFFSET = %OFFSET%" If OFFSET == "" cleanexit EndIf xmath REM "OFFSET % 16" If REM == 0 GoTo OFFSET getdstring SIGN 4 get SIZE long math SIZE += 0x7FF get ZSIZE long savepos OFFSETZ get NAME basename string NAME += "_" string NAMEEND p= "%08x.dmp" OFFSET string NAME += NAMEEND print "@ %OFFSET% %ZSIZE% -> %SIZE% => %NAME%" clog NAME OFFSETZ ZSIZE SIZE Else xmath OFFSET "OFFSET + 16" GoTo OFFSET EndIf Next 3. Open a command prompt in the directory. Copy and paste this command: quickbms.exe spanic_databin.bms e:\DATA.BIN . where e:\DATA.BIN is the PS2 DVD resource path. Result is a bunch of files - those which have a "TIM2" header when opened in a hexadecimal editor = de-facto PS2 image file format standard (see here for example http://blogs.yahoo.co.jp/osaka_0705/18217893.html) - those which don't, may be a collection of TIM2 files (e.g. DATA_001e0000.dmp, DATA_158bf780.dmp, etc.) - need further study - some others are rather mysterious: DATA_1b5a0000, obfuscated scripts maybe?? decoder provided as is with no warranty that produced data is correct.

As far as I can tell, there are (far?) More vns with a sc localization, than English ones (especially psp titles). Just have a look at vndb for a somewhat incomplete list. For instance, there's a port of a vn engine written in lua that runs Eden* on psp

Fantastic, thank you very much for the answers. 1/ I wasn't aware of the dependency removal (>=1.7?), but yeah, it stroke me as bizarre it relied on pango/pycairo whose package installation feels alien and awkward. As a matter of fact, do you think it could be run on PythonAnywhere free tier? It has no cron, access via a 'console' instead of SSH, external https git only but provides easy_install and pip. Edit: list of whitelisted hosts https://www.pythonanywhere.com/whitelist/ 3/ guidelines, as in do they have to commit a bunch of lines at once, checkout/lock entries, are there quantified objectives etc.

@xyz, First of all cheers, as it seems the Toradora project is advancing very swiftly and is now quite close to TL completion (dunno about TLC) I am quite interested in using weblate for future projects (versus other formats such as Sakuraume's Text files editor), and hope you can share your experience about leading / managing this project. 1 - Are the software and dependencies difficult to set up on, say, a VPS Linux box? Would it also be fine on shared hosting? 2 - What structure do you keep for securing project progress? Can you simply clone and backup the so-called "blessed" repository or are there external resources in the weblate FS/database? 3 - Did you have specific guidelines w.r.t what and when to commit translations? Is there some sort of translation memory for team mebers to collaborate? 4 - Do you have code examples which generate scripts that can later be processed by weblate? .po files?

I'd say, it depends on your previous programming background? For absolute newcomers you may want to pick up a new language without too much complexity, and which will help you learn better software practices: Ruby or Python. If you need to find a job, C# and/or Java, with my preference for the former as it has superior debugging capacities and overall a more pleasant syntax. Later, after you have grasped the whys and hows, a lower-level language such as C++ and C. Nore re: hkki, I developed a small test suite in ruby to check various IdeaFactory scripts (script data structures) I think the author maybe erroneously interpreted how the file is divided, thus sometimes it works and other times not.

It seems some UTF tables are encrypted. To extract from those archives, you may use CriToolpack from Falo ( http://forum.xentax.com/viewtopic.php?f=10&t=10646 ) I have uploaded a modded version which has "extract all" and "extract selected" working correctly http://www.embedupload.com/?d=92EWH2YGVB Diabolik Lovers scripts @ http://www.embedupload.com/?d=4PL3GXQPIW Opening fine in hkki AFAICT. Edit: more info about XOR obfuscation in source, and here --> http://wrttn.in/04fb3f by [unknown] Edit2: another tool https://github.com/shinohane/cpktools

As you probably know, console code runs on different architectures (PowerPC, MIPS) and is not compatible with PC hardware. But even on similar hardware (xbox one, ps4 running on x86 cores) you cannot simply slap the code and decreet it is runnable on Windows or some other os. You have two cases: - Original vn engine on PC was directly ported to console with minor differences, with proper tweaks you can use those assets on PC; IIRC there was a seemingly backport of x360 Chaos;Head but the whole project was C&D - You convert game resources (including scripts) to run on an open source engine such as Kirikiri or ONscripter and as you said, you can extract text and have it translated independently, but it is generally complicated to keep staff motivated enough when they can't see the result of their work...

It all depends on the constraints set by the underlying platform. For instance, NDS cartridges are commonly 128MB or 256MB, so there are tradeoff to compress stuff and decoding / ripping those can be more or less complicated. But for former next-gen it's a non-issue as they're released on large media (DVD-DL) that are generally amply sufficient for VN resources.

Syntax 1: mkdir INSTALL.DNS.cpk_output quickbms.exe cpk.bms INSTALL.DNS.cpk INSTALL.DNS.cpk_output Syntax 2: cpk_unpack.exe INSTALL.DNS.cpk Either way, you end up with STCM2L in the scripts subfolder, which cannot be parsed by hkki...

Hi xyz, The mods? they're a couple of assembly instructions that circumvent how the program originally runs. A "NoUmd" patch if you want. For instance, sceUmdCheckMedium and sceUmdActivate are typically called once in the whole game during the startup sequence. The C code (higher level) would be like this: if(sceUmdCheckMedium() != 0) { if(sceUmdActivate(1, "disc0:") >= 0) { sceUmdWaitDriveStat(PSP_UMD_READY); //... } } It translates to this: .text:088056A0 jal sceKernelRegisterExitCallback .text:088056A4 move $a0, $v0 .text:088056A8 jal sceUmdCheckMedium .text:088056AC nop .text:088056B0 bnez $v0, loc_88056C0 .text:088056B4 nop .text:088056B8 jal sub_8871B94 ; call to a subroutine @8871B94, which itself calls sceUmdWaitDriveStatCB .text:088056BC li $a0, 2 .text:088056C0 .text:088056C0 loc_88056C0: .text:088056C0 lui $a1, 0x88F .text:088056C4 li $a0, 1 .text:088056C8 jal sceUmdActivate .text:088056CC la $a1, aDisc0 # "disc0:" .text:088056D0 bgezl $v0, loc_88056E0 .text:088056D4 li $a0, 0x20 .text:088056D8 b loc_8805734 .text:088056DC li $v0, 0xFFFFFFFF .text:088056E0 # --------------------------------------------------------------------------- .text:088056E0 .text:088056E0 loc_88056E0: .text:088056E0 jal sub_8871B94 ; ditto above .text:088056E4 nop .text:088056E8 la $a0, unk_9CB2494 conversely sceUmdGetDriveStat, sceUmdWaitDriveStat and friends are called at several locations before a read is attempted. We don't need them, since we're not reading from UMD any longer. 1) So the first task is to reference all locations that want to read from disc0:, and somehow have them read from ms0: (hardcoded string modification) - this is done in a hex editor. If it is simply "disc0:", I lookup in IDA what uses such a string (1st: sceUmdActivate itself, 2nd: ADXT::SetDevice) - only 2nd requires "disc0:" be changed into "ms0:" 2) Then I blank out ("NOP") the whole code block after I checked out there was really nothing interesting inside. I switch between IDA View and Hex View to find patterns to locate code (or I am smarter and I compute where modifications should go) .text:088056A0 jal sceKernelRegisterExitCallback .text:088056A4 move $a0, $v0 .text:088056A8 nop .text:088056AC nop .text:088056B0 nop .text:088056B4 nop .text:088056B8 nop .text:088056BC nop .text:088056C0 nop .text:088056C4 nop .text:088056C8 nop .text:088056CC nop .text:088056D0 nop .text:088056D4 nop .text:088056D8 nop .text:088056DC nop .text:088056E0 nop .text:088056E4 nop .text:088056E8 la $a0, unk_9CB2494 3) Patching the remaining calls 3A) sceUmdGetDriveStat a quick google lookup says it returns an integer. pspUmdState { PSP_UMD_NOT_PRESENT = 0x01, PSP_UMD_PRESENT = 0x02, PSP_UMD_CHANGED = 0x04, PSP_UMD_INITING = 0x08, PSP_UMD_INITED = 0x10, PSP_UMD_READY = 0x20 } Um, okay. So we patch the call to always return 0x20. Return values are stored in $v0 and $v1 in MIPS. So when I see: .text:088AE15C jal sceUmdGetDriveStat .text:088AE160 nop I want this instead: .text:088AE15C li $v0, 0x20 .text:088AE160 nop I pay extra attention to the instruction after jal because it is executed before the call, I do not want it to have undesirable effects. Having checked all xrefs, I know all sceUmdGetDriveStat calls use a nop instruction in the delay slot, so no need for inversion. To get the 32-bit opcode for the load instruction ( "li $v0, 0x20" ), you either find the same instruction elsewhere in the program (this one is relatively easy to find), or you compile one. PPSSPP has a debugger window in which you can Assemble opcode Assemble opcode, value: "li v0,0x20", click OK Right click on assembled instruction => go in memory view and see corresponding 32-bit word To sum up: Search: 88B3230E (stub call jal sceUmdGetDriveStat) Replace all: 20000224 (li $v0, 0x20) 3B) sceUmdWaitDriveStatCB This is referenced in a single function that serves as wrapper & called from several locations. I should have the replacement code call the CB and return a >=0 value, but things seem to work just as well without, so I don't really care .text:08871B94 # =============== S U B R O U T I N E ======================================= .text:08871B94 .text:08871B94 sub_8871B94: .text:08871B94 addiu $sp, -0x10 .text:08871B98 sw $ra, 0x10+var_4($sp) .text:08871B9C sw $s0, 0x10+var_8($sp) .text:08871BA0 move $s0, $a0 .text:08871BA4 move $a0, $s0 .text:08871BA8 .text:08871BA8 loc_8871BA8: .text:08871BA8 jal sceUmdWaitDriveStatCB .text:08871BAC li $a1, 0x2710 After .text:08871B94 # =============== S U B R O U T I N E ======================================= .text:08871B94 jr $ra .text:08871B98 nop ; nop in delay slot substitution sequence is 0800E003 00000000 3C) sceUmdWaitDriveStat calls were guarded behind a sceUmdGetDriveStat check. Since we replaced that in 3A), no need to patch anything I suggest you try to compile simple homebrews and see the assembly output. It is another useful way to learn how high-level constructs are translated into machine code. PPSSPP features a basic debugger so you can also see how tests, branches, etc. work out.

Uuuuuuuh... This is embarrassing, but I got things mixed up. What I posted earlier refers to the WOF fandisc and not to wand of fortune itself. Remarks about incompatible STCM2L still applies, though.

1/ Decrypting EBOOT.BIN - Download the PSP2PS3 package by szczuru which is a collection of PSP tools. https://www.dropbox.com/sh/lt5ggtuwnskcmor/omXB0AYVCW/PSP2PS3_v2.1.2_CEX.7z or http://www.sendspace.com/file/888suf - Copy EBOOT.BIN to the tools/ subfolder and double-click eboot_decrypt.exe. The generated BOOT.BIN is a MIPS executable with an ELF header. If you dont want to use eboot_decrypt, there are alternatives, including several running as homebrews on the PSP 2/ Prepare symbols file for IDA Pro - You will need prxtool 1.1 by TyRaNiD and the PSP PRX LibDoc describing function NIDs by SilverSpring. prx tool @ http://www.embedupload.com/?d=2PYEFZUTJJ 500_psplibdoc.zip @ http://silverspring.lan.st/ Sourcecode for the prxtool is available at https://github.com/pspdev/prxtool Extract everything in a single folder and BOOT.BIN too. In a command prompt, prxtool -n 500_psplibdoc_191008.xml --idcout -o BOOT.IDC BOOT.BIN The generated BOOT.IDC is a script containing instructions for IDA Pro. 3/ Load ELF in IDA Pro I won't give info about how to obtain the software, but licenses for IDA Pro (support for Allegrex CPU -PSP-) start at a very affordable 1129 USD / 869 EUR rate. Since you are in russia (I believe?), you could ask around for a rebate I guess ;)/>/>/>/>/>/> But enough chatter. - Open IDA Pro, and click Go - Drag BOOT.BIN into the main window, and click OK to accept defaults - In the top menu, click "File > Script File ..." and point to your BOOT.IDC script. The "Functions" pane should list detected function prologues with help from the IDC script. The sceUmd* functions are entries of interest. Double-click on one of them, and you should land on some subroutine in the main view. Now type "Ctrl+X" and you should get all function calls to the library function. The Hex-View is a synchronized view that lets you see the corresponding opcodes for each instruction. After that is a matter of reversing MIPS asm, which is something I cannot teach you since my knowledge in this area is very limited. - NOP = 00 00 00 00 (all instructions are exactly 32-bit) - JR $ra is the RETURN instruction. Beware, all branch instructions in MIPS use the so-called delay-slot activation. For instance JR $ra LI $v0, 1 will first execute the LI instruction, THEN the JR one. 4/ Building an EBOOT.PBP Traditionally, the only PBPs a regular PSP user would see are official firmware update. However, it is very possible to create custom ones, and any CFW shall run them. Since the geohot leaks, it is even possible to sign them so that OFW from PSP-1000 to PS Vita will run them (theoretically, I have never tested). - Create a working directory, copy into it: PSP_GAME\ICON0.PNG PSP_GAME\PARAM.SFO PSP_GAME\PIC1.PNG PSP_GAME\SND0.AT3 your BOOT.BIN Edit PARAM.SFO with a hex editor (e.g. Free Hex Editor Neo or Madedit) When you see "UG" (bootable UMD game), replace it with "MG" (bootable memorystick game). Then save. - Download the latest version of minimalist PSPSDK and install it. from http://sourceforge.net/projects/minpspw/files/SDK%20%2B%20devpak/pspsdk%200.11.2/ Another option is to open the setup package using 7-zip and extract bin\pack-pbp.exe into the working folder. Create a batch file with the following contents and execute it: SET SOURCE=BOOT.BIN C:\pspsdk\bin\pack-pbp "EBOOT.PBP" "PARAM.SFO" "ICON0.PNG" NULL NULL "PIC1.PNG" "SND0.AT3" %SOURCE% NULL That's all folks! There are certainly ways to sign code using tools from PSP2PS3 but it doesn't matter at the moment! Have fun!

I have modded the wof main executable so that you may now run the game outside of .iso (tested with PPSSPP and cfw phat) http://www.embedupload.com/?d=8FI2EWKIER (instructions are included) Rationale: you may now modify UNI files (or other resources) and see if things work out correctly, without rebuilding or modding an iso image.

The "STCM2 File Make By Minku 07.0" is not properly supported by the hkki tool because files seem to be slightly different: they supposedly include event blocks (see http://webcache.googleusercontent.com/search?q=cache:VQS-gM7j2eUJ:mce.do.am/forum/25-36-1&strip=1) What is striking is that they all seem to happen around the same offsets in the WOF scripts. 0x7380 0x7390 0x73E0 I don't see some related integer (value circa 0x7380 bytes) in the file saying, "X section will be that size, after that you will find event blocks". Maybe in hakuoki dialogue strings are embedded in the code, while in wand of fortune there is a dedicated string/event section at the end? Any idea? Edit: on the other hand, if VM code refers to dialogue "blocks" by an index#, it *could* be significantly easier to reinsert text...

You are right, for some reason those two dll's were not showing in the dependency walker graph. Here's a copy http://www.embedupload.com/?d=8HWCMHU0BQ