Thread starter: ZeroFox | Start date: Mar 16, 2018 at 11:24 PM
Status
Not open for further replies.
Hi everyone, I have created a tool for this "modding" community, expanding on what's been done in this space.

I took out the horizon trainer file because it was actually nothing, just for demo purposes.

To start, not many people will recognize who I am because I am using a different alias. However, back in the Xbox 360 scene, I was the one who fixed up XPowerPlay by the2000 and the first person to release trainers for the 360.

Since then, a lot of people approached me and I helped where I could; some of those people I encountered are even here now, I believe (@DeathRGH, @vampirexx ?). That scene then took off and other people started making trainers.

That brings me to now, I've been watching the PS4 scene and what's been happening as far as memory and "trainer" tools go, and I'm happy to see some progress has been made. So I've decided to make my own contribution and help out the community as I did with the 360.

Now I've been working on this tool for a while in my spare time (even before PS4Cheater), but my spare time has been sparse, which is why it has taken me so long to get this tool out there. Although it may seem similar to other tools out there, there is added value to this specific tool.

Let me introduce you to the PS4 Trainer Utility: Community Edition (TUCE). Works on both 4.05 and 4.55.

Main Features Include:
  • Extensive searching capabilities: search for many different kinds of values (integers, floats, strings, etc.), while using different equality comparisons (bigger than, smaller than, value between, changed, unchanged, opposites such as NOT bigger than, etc).
  • Built-in dynamic trainer editor and loader: Simple and intuitive, create trainers with ease AND run them all within the same tool. Using trainers is so easy that even inexperienced people can use them (they're all buttons, just click and go!)
  • Other memory tools at your disposal: Poke memory, view memory, dump memory. Save address tables, add newly found addresses during a scan to a trainer with ease.

F.A.Q:

Q: Why is this slower scanning memory than PS4Cheater?

A: While I can't speak for how PS4Cheater works, I noticed that when I did the EXACT same scan side-by-side using TUCE and PS4Cheater, I got significantly more results with TUCE than PS4Cheater. With TUCE I got over 16k results while PS4Cheater only gave me 4k on the same scan. I'm not sure why this is, but I can attest that my method will give you EVERY single result based on your search.

Q: I'm running a trainer but x,y,z value is not changing, why?!

A: A lot of values are dynamically allocated and as such the address the value is stored in changes on every console reboot. In order to trace the value back to where it gets assigned we need a debugger, which is currently not available.

Special thanks to @g991 (aka Golden) for creating jkpatch, which this tool utilizes.

Download:
This is an ALPHA release due to so many variables that I could simply not test every single scenario. If you do come across any bugs or issues, or even any feature requests, please let me know and I will do my best to provide support.

Thanks,
-ZF


Comments


Code:
See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.IO.FileNotFoundException: Could not load file or assembly 'System.Net.Sockets, Version=4.1.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' or one of its dependencies. The system cannot find the file specified.
File name: 'System.Net.Sockets, Version=4.1.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'
   at librpc.PS4RPC..ctor(IPAddress addr)
   at PS4_Trainer_Utility_CE.MainForm.ConnectBtn_Click(Object sender, EventArgs e)
   at System.Windows.Forms.Control.OnClick(EventArgs e)
   at System.Windows.Forms.Button.OnClick(EventArgs e)
   at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
   at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
   at System.Windows.Forms.Control.WndProc(Message& m)
   at System.Windows.Forms.ButtonBase.WndProc(Message& m)
   at System.Windows.Forms.Button.WndProc(Message& m)
   at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
   at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
   at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

WRN: Assembly binding logging is turned OFF.
To enable assembly bind failure logging, set the registry value [HKLM\Software\Microsoft\Fusion!EnableLog] (DWORD) to 1.
Note: There is some performance penalty associated with assembly bind failure logging.
To turn this feature off, remove the registry value [HKLM\Software\Microsoft\Fusion!EnableLog].



************** Loaded Assemblies **************
mscorlib
    Assembly Version: 4.0.0.0
    Win32 Version: 4.6.1586.0 built by: NETFXREL2
    CodeBase: file:///C:/Windows/Microsoft.NET/Framework/v4.0.30319/mscorlib.dll
----------------------------------------
PS4 Trainer Utility CE
    Assembly Version: 0.9.1.0
    Win32 Version: 0.9.1
    CodeBase: file:///C:/Users/superlinux/Desktop/PS4%20EXPLOIT/PS4%204.55/PS4%20Trainer%20Utility%20v0.9.1/PS4%20Trainer%20Utility%20v0.9.1/PS4%20Trainer%20Utility%20CE.exe
----------------------------------------
System.Windows.Forms
    Assembly Version: 4.0.0.0
    Win32 Version: 4.6.1586.0 built by: NETFXREL2
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Windows.Forms/v4.0_4.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
----------------------------------------
System
    Assembly Version: 4.0.0.0
    Win32 Version: 4.6.1586.0 built by: NETFXREL2
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System/v4.0_4.0.0.0__b77a5c561934e089/System.dll
----------------------------------------
System.Drawing
    Assembly Version: 4.0.0.0
    Win32 Version: 4.6.1586.0 built by: NETFXREL2
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Drawing/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------
System.Configuration
    Assembly Version: 4.0.0.0
    Win32 Version: 4.6.1586.0 built by: NETFXREL2
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Configuration/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll
----------------------------------------
System.Core
    Assembly Version: 4.0.0.0
    Win32 Version: 4.6.1586.0 built by: NETFXREL2
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Core/v4.0_4.0.0.0__b77a5c561934e089/System.Core.dll
----------------------------------------
System.Xml
    Assembly Version: 4.0.0.0
    Win32 Version: 4.6.1586.0 built by: NETFXREL2
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Xml/v4.0_4.0.0.0__b77a5c561934e089/System.Xml.dll
----------------------------------------
librpc
    Assembly Version: 1.0.0.0
    Win32 Version: 1.0.0.0
    CodeBase: file:///C:/Users/superlinux/Desktop/PS4%20EXPLOIT/PS4%204.55/PS4%20Trainer%20Utility%20v0.9.1/PS4%20Trainer%20Utility%20v0.9.1/librpc.DLL
----------------------------------------
System.Runtime
    Assembly Version: 4.0.0.0
    Win32 Version: 4.6.1586.0
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Runtime/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Runtime.dll
----------------------------------------
Accessibility
    Assembly Version: 4.0.0.0
    Win32 Version: 4.6.1586.0 built by: NETFXREL2
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/Accessibility/v4.0_4.0.0.0__b03f5f7f11d50a3a/Accessibility.dll
----------------------------------------
System.Net.Primitives
    Assembly Version: 4.0.0.0
    Win32 Version: 4.6.1586.0
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Net.Primitives/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Net.Primitives.dll
----------------------------------------
System.Collections
    Assembly Version: 4.0.0.0
    Win32 Version: 4.6.1586.0
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Collections/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Collections.dll
----------------------------------------

************** JIT Debugging **************
To enable just-in-time (JIT) debugging, the .config file for this
application or computer (machine.config) must have the
jitDebugging value set in the system.windows.forms section.
The application must also be compiled with debugging
enabled.

For example:

<configuration>
    <system.windows.forms jitDebugging="true" />
</configuration>

When JIT debugging is enabled, any unhandled exception
will be sent to the JIT debugger registered on the computer
rather than be handled by this dialog box.
 
@mittyredstar @Vahnyyz
I'm home!!! Finally... 5 pm and only now can I power on my console :p

I just tried sending the payload from PS4 Trainer Utility and didn't have any problem. I think you messed something up with the setup. Here is a screenshot of my config:

7qUC335.jpg

The payload was sent without any problem and connected fine as well ;)
 
@Gelson @superlinux Try installing the latest .NET Framework run-time files, you can find them here: https://www.microsoft.com/net/download/dotnet-framework-runtime. If you're using the latest version, try doing a repair installation.

@mittyredstar @smasher248 @nikeymikey @Vahnyyz A few things that will hopefully help:
1) Make sure you're sending the payload first before connecting
2) If you're on 4.55, the original exploit used port 9020, so make sure you're loading the original exploit in order to send payloads (NOT holy grail)
3) If you're using a different port, make sure you update it in the settings page
4) If you're on a router, make sure ports 9020 (or whatever port you're using) AND 9023 are forwarded for both TCP and UDP
5) Check your firewall and Windows Defender settings
6) Try running the tool as admin

I will be providing another update soon.
 
One thing for me is, after the payload is loaded, start the game up before clicking on connect.
I like the Float and value between option.
Maybe it will help find those weapon values on Diablo 3.
 
@ZeroFox, here are the results of my testing:
(Tested while playing Star Ocean 5)
  • Awesome speed: Full scan in just 3 minutes.
  • Error while scanning SceGnmDriver (during full scan). The tool crashes and closes.
  • Made a new full scan unchecking SceGnmDriver and the scan was successful. No error whatsoever.

And here's a suggestion. A lot of games have dynamic addresses. After closing them and opening them again, the addresses change. So, the function to make a trainer is not very useful for those games.

For games with static addresses, the creation of trainers is great. You can share them, and you can use them every time you need them without the need for searching the values again. But for games with dynamic addresses, creating a trainer every time you play the game so you can use the code is too tiring.

Why don't you add an option for editing the values on the fly, similar to PS4Cheater or Cheat Engine, so you can double click the address you want to edit, and the address goes to a section on the bottom where you can edit it and lock or unlock the new value?

And not everyone knows how to convert a normal (or decimal) value to hex, so I think it'll be better if you can edit the decimal value instead of the hexadecimal. But this is just an idea :p
 
@ZeroFox
Another suggestion would be: why not make all the memory sections unrelated to values in game unselectable? I'm talking about all the sections that have a "lib" or a "sce" in their names, like the libc.prx, or libscefios, scesavedata, libkernel, or the scegnmdriver that I had to uncheck for the full scan without errors.

Until now, nobody has found any value in those sections, so I think, in my lack of knowledge, that it is safe to make them unselectable :sneaky:
 