[GH-ISSUE #3365] Jit emuhacks detected by games (Metal Gear Solid: Peace Walker demo) #1409

New issue

Open

opened 2026-03-17 23:16:28 +03:00 by kerem · 5 comments

kerem commented 2026-03-17 23:16:28 +03:00

Owner

Copy link

Originally created by @unknownbrackets on GitHub (Aug 24, 2013).
Original GitHub issue: https://github.com/hrydgard/ppsspp/issues/3365

The jit, to detect when the game modifies its code, writes "emuhack" instructions over the original MIPS instructions. This way, if it's changed from an emuhack, we know that the code has likely been rewritten, and we need to recompile it. It also makes it faster since the emuhack tells us where the jitted code is.

However, this only works because virtually all games just run MIPS code, they don't read it themselves. Metal Gear Solid: Peace Walker demo actually hashes its own code, and then (it seems intentionally) goes into an infinite loop because it doesn't match.

The interpreter works fine since it doesn't need the emuhacks.

We should collect any other games with similar behavior here.

• Metal Gear Solid: Peace Walker demo:
  Happens at 0x09C92818 or 08CCD80C when v1 == 00003119 (which reads from 0x09C92818.)

  Can be worked around by changing 0x0880FAE4 to 0A203F39 (j 0x0880FCE4), skipping the hash compare.

-[Unknown]

Originally created by @unknownbrackets on GitHub (Aug 24, 2013). Original GitHub issue: https://github.com/hrydgard/ppsspp/issues/3365 The jit, to detect when the game modifies its code, writes "emuhack" instructions over the original MIPS instructions. This way, if it's changed from an emuhack, we know that the code has likely been rewritten, and we need to recompile it. It also makes it faster since the emuhack tells us where the jitted code is. However, this only works because virtually all games just run MIPS code, they don't read it themselves. Metal Gear Solid: Peace Walker demo actually hashes its own code, and then (it seems intentionally) goes into an infinite loop because it doesn't match. The interpreter works fine since it doesn't need the emuhacks. We should collect any other games with similar behavior here. - Metal Gear Solid: Peace Walker demo: Happens at 0x09C92818 or 08CCD80C when v1 == 00003119 (which reads from 0x09C92818.) Can be worked around by changing 0x0880FAE4 to 0A203F39 (j 0x0880FCE4), skipping the hash compare. -[Unknown]

kerem added the

CPU emulation

label 2026-03-17 23:16:28 +03:00

kerem commented 2026-03-17 23:16:39 +03:00

Author

Owner

Copy link

@xsacha commented on GitHub (Jun 26, 2014):

Is it possible to detect reads to the jitted code and present a version without emuhacks?

<!-- gh-comment-id:47231167 --> @xsacha commented on GitHub (Jun 26, 2014): Is it possible to detect reads to the jitted code and present a version without emuhacks?

kerem commented 2026-03-17 23:16:45 +03:00

Author

Owner

Copy link

@hrydgard commented on GitHub (Jun 26, 2014):

Possible in non-fast-mem, yes. but would require heavy checks for every read so is a non-starter performance-wise.

I've been thinking about trying some simple 2-level hash table instead of of overwriting instructions, PCSX2 uses that approach with good results but I don't know how it would compare speed-wise to the current approach.

<!-- gh-comment-id:47234832 --> @hrydgard commented on GitHub (Jun 26, 2014): Possible in non-fast-mem, yes. but would require heavy checks for every read so is a non-starter performance-wise. I've been thinking about trying some simple 2-level hash table instead of of overwriting instructions, PCSX2 uses that approach with good results but I don't know how it would compare speed-wise to the current approach.

kerem commented 2026-03-17 23:16:50 +03:00

Author

Owner

Copy link

@unknownbrackets commented on GitHub (Jul 6, 2014):

It's hard to know how many games this affects. We can guess, but some things can also be jit bugs.

We could make it so that slow/safe mem (or some new dev option) makes all reads in the "possible emuhack op ranges" go through ReadInstruction. This would probably be a lot slower, but we could use it to safely determine which games might be affected.

Or we could just change it, but I suspect anything we do will make it slower, but maybe not really much slower.

-[Unknown]

<!-- gh-comment-id:48100554 --> @unknownbrackets commented on GitHub (Jul 6, 2014): It's hard to know how many games this affects. We can guess, but some things can also be jit bugs. We could make it so that slow/safe mem (or some new dev option) makes all reads in the "possible emuhack op ranges" go through ReadInstruction. This would probably be a lot slower, but we could use it to safely determine which games might be affected. Or we could just change it, but I suspect anything we do will make it slower, but maybe not really much slower. -[Unknown]

kerem commented 2026-03-17 23:16:55 +03:00

Author

Owner

Copy link

@Linblow commented on GitHub (Jun 22, 2023):

@unknownbrackets
The same issue arises with SOCOM FireTeam Bravo 1 and 2 when the server sends anti-cheat queries to the client.
For example, server sends a hash query, which the client (game) executes, and of course it always results in different hashes because of the emuhacks thus triggering a false positive. Is there any workaround for this, such as invalidating the Icache before performing a memory read of the game's instructions? Could there be a good alternative to the jit blocks hack?

<!-- gh-comment-id:1602951526 --> @Linblow commented on GitHub (Jun 22, 2023): @unknownbrackets The same issue arises with SOCOM FireTeam Bravo 1 and 2 when the server sends anti-cheat queries to the client. For example, server sends a hash query, which the client (game) executes, and of course it always results in different hashes because of the emuhacks thus triggering a false positive. Is there any workaround for this, such as invalidating the Icache before performing a memory read of the game's instructions? Could there be a good alternative to the jit blocks hack?

kerem commented 2026-03-17 23:17:00 +03:00

Author

Owner

Copy link

@hrydgard commented on GitHub (Jun 22, 2023):

The right way is to separate the block lookup from RAM and stop overwriting first-instruction-in-a-block, although we'd lose the inherent "change detection" of emuhacks (when they get overwritten, we necessarily end up recompiling).

Detecting changes can be done in other ways like playing games with page protection and exception handling, although been reluctant to go this route because it's hard to support on some of the ports we support (or would like to support).

<!-- gh-comment-id:1602969189 --> @hrydgard commented on GitHub (Jun 22, 2023): The right way is to separate the block lookup from RAM and stop overwriting first-instruction-in-a-block, although we'd lose the inherent "change detection" of emuhacks (when they get overwritten, we necessarily end up recompiling). Detecting changes can be done in other ways like playing games with page protection and exception handling, although been reluctant to go this route because it's hard to support on some of the ports we support (or would like to support).

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

dependabot/cargo/Tools/langtool/rustls-webpki-0.103.13

readme-1.20.4

https-linux-poc

more-minor-fixes

adhoc-view

minor-bbox-opt

more-cleanup

readme-fix

more-ui

v1.19.10-beta

adhoc-server-mode

morph-jit-work

add-vsync-event

viewport-rework

separate-portrait-config-work

ui-notification-work

lua-work

http-split-headers

v1.19.5-beta

matrix-opt

rewind-zstd

rework-audio-queues

psn-login-params

v1.19.3-commits

atrac-work

jit-ir-fixes

bump-android-sdk-version

themable-slider-colors

some-bbox-work

sum2012-half-skip

auto-log

more-smart-2d-filtering

ingame-network-ui

reject-icmp

atrac-forward-port

atrac-ctx-2-work

background-raster

defer-ge-cycles

test

parallel-loop-max-threads

ir-work-2

text-draw-refactor-3

avoid-strlen-memblockinfo

hotfixes-1.16.6

merge-drawcalls-same-output

frame-timing-new

lost-device-work

drawengine-reduce-buffer-binds

drawarrays-avoid-rebind

opengl-delayed-readback

minor-readback-refactors

nvda-support

vertex-format-remove-uv-flag

spirv-dumper

neon-opts

remove-hardware-skinning

ridge-racer-more-lens-flare

event-profiler

md5

maintainance_1.13

mali-stencil-test

interpreter-nan-check

sdl-vulkan-work

vfpu-dot-experiments

mipmap-slope

loco2-video-alt-fix

v1.20.3

v1.20.2

v1.20.1

v1.20

v1.19.3

v1.19.2

v1.19.1

v1.19

v1.18.1

v1.18

v1.17.1

v1.17

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.15

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14

v1.13.1b

v1.13.2

v1.13.1

v1.13

v1.12.3+

v1.12.3

v1.12.2

v1.12.1

v1.12

v1.11.3

v1.11.2

v1.11.1

v1.11

v1.10.3

v1.10.2

v1.10.1

v1.10

v1.9.3-950-g4debff114

v1.9.3-428-g2a0a64e0e

v1.9.4

v1.9.3-338-ga488fe17b

v1.9.3

v1.9.2

v1.9.1

v1.9

v1.8.0-698-g5c8ce9018

v1.8.0-550-gdc4e00f5d

v1.8.0-538-g3b29b13fe

v1.8.0-506-g30d7b7cb5

v1.8.0-477-g4510fb1e7

v1.8.0-409-g06e90a74a

v1.8.0-368-g73f8878c3

v1.8.0-260-gc0d5b4be7

v1.8.0-205-gf932de55b

v1.8.0-203-gb7ec62dae

v1.8.0

v1.7.5

v1.7.4

v1.7.3.1

v1.7.3

v1.7.2

v1.7.1-175-g631bc7840

v1.7.1

v1.7

v1.6.3-644-ga49df7d71

v1.6.3-605-g05b92c62b

v1.6.3-604-g7e6b227b4

v1.6.3-526-gcc7f8d561

v1.6.3-441-g3f79e3e24

v1.6.3

v1.6.2

v1.6.1

v1.6

v1.5.4-1041-ga16a7f0

v1.5.4-924-g65ba116

v1.5.4-492-gacfd919

v1.5.4-468-g2363ca6

v1.5.4-300-ge658e74

v1.5.4-267-g3b1b1bb

v1.5.4-232-gbe2984c

v1.5.4-204-gaa49c6d

v1.5.4-136-g8ac5fbc

v1.5.4

v1.5.3-71-g3ebd810

v1.5.3

v1.5.2

v1.5.1

v1.5

v1.4.2

v1.4.1

v1.4

v1.3

v1.2.2

v1.2.1

v1.2

v1.1.1

v1.1.0

v1.0.1

v1.0

v0.9.9.1

v0.9.9

v0.9.8

v0.9.7.2

v0.9.7.1

v0.9.7

v0.9.6

v0.9.5

v0.9.1

v0.9

v0.8.1

v0.8

v0.7.6

v0.7.5

v0.7

v0.6.1

v0.6

v0.5

v0.4

v0.31

v0.3.1

v0.3

Labels

Clear labels   

Atrac3+

  

Audio

  

CPU emulation

  

D3D11

  

D3D9 (removed)

  

Depth / Z

  

Feature Request

  

Font Atlas

  

GE emulation

  

Guardband / Range Culling

  

HLE/Kernel

  

I/O

  

Input/Controller

  

MP3

  

Multithreading

  

Needs hardware testing

  

Networking/adhoc/infrastructure

  

No Feedback / Outdated?

  

OpenGL

  

PGF / sceFont

  

PSMF / MPEG

  

Platform-specific (Android)

  

Platform-specific (Windows)

  

Platform-specific (iOS)

  

PowerVR GPU

  

SDL2

  

Saving issue

  

User Interface

  

Vulkan

  

arm64jit

  

armjit

  

armv6

  

x86jit

No labels

Atrac3+

Audio

CPU emulation

D3D11

D3D9 (removed)

Depth / Z

Feature Request

Font Atlas

GE emulation

Guardband / Range Culling

HLE/Kernel

I/O

Input/Controller

MP3

Multithreading

Needs hardware testing

Networking/adhoc/infrastructure

No Feedback / Outdated?

OpenGL

PGF / sceFont

PSMF / MPEG

Platform-specific (Android)

Platform-specific (Windows)

Platform-specific (iOS)

PowerVR GPU

SDL2

Saving issue

User Interface

Vulkan

arm64jit

armjit

armv6

x86jit

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/ppsspp#1409

No description provided.