Kodewerx :: View topic - Small program: NDS Pointer codes & Backtracer Tool

02020000 00000063
02020004 00000063

02020008 00000063

infinite lives
02020000 00000063
02020004 00000063
infinite munitions
02020008 00000063

Inf Money (First Dump)
02347180

Inf Money (Second Dump)
02347544

62386E20 00000000
B2386E20 00000000
00004384 0001869F
D2000000 00000000

Moonjump
94000130 FFFD0000
62105f88 00000000
B2105f88 00000000
20000055 00000099
d2000000 00000000

62105f88 00000000 ----
B2105f88 00000000 Moonjump code
20000055 00000099
D2000000 00000000----
023FE2B4 E1D320B0 - offset support for the type '9' code
023FE2B8 E1E03004 - offset support for the type '9' code
62105F80 00000000 - make sure pointer != 0
B2105F80 00000000 - load the pointers value into the offset
900000F8 00000002 test address 0xFB + offset (jumping/falling stat) for 2
xxxxxxxx xxxxxxxx - if true execute the Y speed mod
D0000000 00000000 - end test for jump/fall stat == 2
900000F8 00000000 test address 0xFB + offset (jumping/falling stat) for 0
xxxxxxxx xxxxxxxx - if true disable the Y speed mod
D0000000 00000000 - end test for jump/fall stat == 0
D2000000 00000000 - end all, clear offset
023FE2B4 E1E03004 - offset support OFF for the type '9' code
023FE2B8 E1D020B0 - offset support OFF for the type '9' code

94000130 XXXX0000 - Edit your own joker
023FE2B4 E1D320B0 - offset support for the type '9' code
023FE2B8 E1E03004 - offset support for the type '9' code
62105f88 00000000 - make sure pointer value != 0
B2105f88 00000000 - load pointer to offset
900000F8 00000002 - test address 0xFB + offset (jumping/falling stat) for 2
20000055 00000099 - speed mod on
D0000000 00000000 - end test for 0xFB + offset (jumping/falling stat) = 2
900000F8 00000000 - test address 0xFB + offset (jumping/falling stat) for 0
20000055 000000xx - speed mod off (replace xx with the value you need)
D0000000 00000000 - end test for 0xFB + offset (jumping/falling stat) = 2
023FE2B4 E1E03004 - offset support OFF for the type '9' code
023FE2B8 E1D020B0 - offset support OFF for the type '9' code
D2000000 00000000 - end joker, clear offset

Press/release L to replenish money*
020A3700 05914384
94000130 FDFF0000
020A3700 05811384
D0000000 00000000

(*the game will show 0 money while the button is pressed)

Press/release R to give 0 money
020A3700 05914384
94000130 FEFF0000
020A3700 05813384
D0000000 00000000

94000130 XXXX0000
023FE2B4 E1D320B0 - offset support for the type '9' code
023FE2B8 E1E03004 - offset support for the type '9' code
621C2894 00000000 - make sure pointer value != 0
B2105F80 00000000 - load the pointers value into the offset
DC000000 00000088 - adds 0x88 to the offset (= pointer2)
90000008 FFFFFFFF - if [offset+8<>0xffffffff]
90000000 00000000 - test is value != 0
B0000000 00000000 - loads pointer2 in offset
90000378 00000000 - if [pointer2+0x378] !=0
DC000000 00004384 - adds 0x4384 to pointer 2
00000000 YYYYYYYY - YYYYYYYY = money value
D2000000 00000000

Inf Money
62386E20 00000000
B2386E20 00000000
00004384 0001869F
D2000000 00000000

Inf Food
62386E20 00000000
B2386E20 00000000
0000438C 0001869F
D2000000 00000000

Author:	kenobi [ Sun Feb 11, 2007 10:11 am ]
Post subject:	Small program: NDS Pointer codes & Backtracer Tool
Update : Tool has changed. v1.90beta is up. Attachment: File comment: NDS Pointer codes & Backtracer Tool v1.90beta NDS PC&Bt.rar [187.16 KiB] Downloaded 1788 times It might not be useful for a lot of people, might even not be useful for anyone, but anyway... The purpose of this tool is to make the creation of ARDS pointer code 'easier' (even if there nothing hard in doing it manually). It is for people who hack their codes and : - Created 'standart' codes, and found out later that a pointer is used/needed (because the codes stopped working when progressing in the game), and don't want to 'convert' dozen of codes manually. - Created 'standart' codes while knowing a pointer is needed, but don't want to loose time writing all the pointer code lines when a tool can do it for them. You MUST know what you're doing when using that tool, else the outputed codes will not work. Here is how to use it : You enter in the left memo the codes you made. You enter in the bottom edit boxes : the address where the pointer address is stored, and the value of the pointer address (watch out : the value of the pointer address must be taken while being on the same level/place/screen used to create the standart codes, else the pointer codes won't likely work). You push the 'Go !' button. It supports converting ARDS code type 0, 1, 2, E from 'standart' to 'pointer'. Also, seperate your different codes with a non-code line (ie. blank line, name of code line...). All codes lines that are sticked together will be 'detected' as one code. Update x : v1.90beta is up. Corrected some bugs, renamed 'distance' to 'maximum offset'.

Author:	James0x57 [ Sun Feb 11, 2007 1:34 pm ]
Post subject:
Oh cool, nice idea Kenobi!

Author:	kenobi [ Mon Feb 26, 2007 12:54 pm ]
Post subject:
Updated the tool, and also renamed it to 'ARDS Pointer codes Tool'. There is now another tab in the proggy, which will make the program search pointers for you. For this, you need : 2 FULL ram dumps taken at different places (ex : level1, level2). 2 addresses (ex : amo address on level1 = 0x021d8f90 ; amo on level2 = 0x021C8648). And that's all. The program will scan the files to search for all the possible pointers, and will also copy the data of the most 'accurate' pointer in the first tab (so you'll just have to enter the code data in there). You can also put a code type in the addresses (it'll then be used for the ARDS pointer code creation in the first tab). And, for the info, the program will always assume that the base address of the ram dump is (code address and $0f000000) (that's why you need full ram dumps !).

Author:	Parasyte [ Mon Feb 26, 2007 2:02 pm ]
Post subject:
Very nice little project you have here.

Author:	kenobi [ Mon Feb 26, 2007 3:53 pm ]
Post subject:
Thanks ! Just corrected some small bugs (I wasn't freeing the files once the search was done). Also speeded up a bit the search by loading the data into a tmemorystream.

Kodewerx https://www.kodewerx.org/forum/

Small program: NDS Pointer codes & Backtracer Tool https://www.kodewerx.org/forum/viewtopic.php?f=11&t=721	Page 1 of 3

Author:	macrox [ Mon Feb 26, 2007 5:43 pm ]
Post subject:
Thanks Kenobi!! I could not help but think our discussion in pointer finding the other day had something to do with this...well...it is very welcome by me since I still firmly believe the search for a pointer can be more definitive in the process. Merci!!! Postscript: THIS IS FANTASTIC!!! I repeated the process we had for the two file dumps from Star Wars Lethal Alliance...and in under 2 minutes I had the final AR DS code in my hand. No guessing...no expanding searches...no hex workshop to compare possible suspects....this is just utterly too good to put into words...you did good my friend!!! I agree fully with you that you still must understand and know what the hell you are doing as far as the concept of a pointer and what code type you want to create. The smallest detail must be adhered to...including the XOR3 to go from the 32 bit to 8 bit code type...as well as assigning the code type to the address header and adding the 0x02000000 for the code offset.

Author:	James0x57 [ Mon Feb 26, 2007 7:00 pm ]
Post subject:
This whole thread makes me happy!

Author:	Dualscreenman [ Mon Feb 26, 2007 8:26 pm ]
Post subject:
Very sweet.

Author:	kickenchicken57 [ Mon Feb 26, 2007 10:03 pm ]
Post subject:
woot woot, good job

Author:	kenobi [ Tue Feb 27, 2007 12:52 pm ]
Post subject:
Upgraded to v1.60, for some kinda useless changes... The proggy now allows the search in these cases : - Only one ram dump (in file 1) and one code (in address 1) avaible . - Two ram dumps, but only one code (in address 1) avaible. Of course, these search will display more possible results. That's just in case you don't wanna/can't make another ram dump, or you don't wanna/can't search for the code a second time in the next level. These searches should be unused, and might not find the good result at all... Only a 2 files/2 codes search will almost garantee you to find the good pointer address (unless the games does some funky stuff with the pointer, or uses a pointer in pointer). Edit : OOps, Macrox just told me I forgot to clear the codes I entered in the edit fields (for testing purpose). I'll remove them and make it 1.61 this evening...

Author:	kickenchicken57 [ Wed Feb 28, 2007 10:22 pm ]
Post subject:
sorry to bother you kenobi, but I have a question. Do I need to find all possible addresses and put them ALL in the box on the left. And if so, how does this save time from witting all of the addresses? If I am confused on how your App works, please correct me. (I do know what a pointer so no need to explain that. just not sure to do with the pointer and value to get my AR codes I guess)

Author:	Dualscreenman [ Wed Feb 28, 2007 10:31 pm ]
Post subject:
Now that you have your pointer you can go back to the first tab and fill the codes in the boxes in the bottom right corner. Put your changing code if the left box and press go.

Author:	kenobi [ Wed Feb 28, 2007 10:53 pm ]
Post subject:
Actually, the program will automatically copy the 'best matching' pointer code in the boxes in the bottom right corner of the fist tab. Then, all you have to do is to put your codes in the left edit (separate different codes with an empty line), and press the 'go !' button in the first tab. However, if the code created this way doesn't work properly (ie. stops working on level 2, or level 3), that'll mean the 'best matching' pointer found by the proggy is wrong, and you'll need to choose a new one manually. So you might want to test another result shown in the 2nd tab. The results are in the form XXXXXXXX:YYYYYYYY. Copy the XXXXXXXX in the 'pointer address location', YYYYYYYY in the 'pointer address value', copy your normal code(s) in the left edit, and press the 'go !' button in the first tab. an empty line, or anything that isn't a code if you life code is : 02020000 00000063 02020004 00000063 and you munition code is : 02020008 00000063 you should put the code that way : Code: 02020000 00000063 02020004 00000063 02020008 00000063 or that way : Code: infinite lives 02020000 00000063 02020004 00000063 infinite munitions 02020008 00000063 I might add that this program is only useful to people that need to use pointer codes, ie. people who find codes that work on a level, but stop working on another level. It'll be a confusing/useless proggy for anyone else. However, if you actually need to create a pointer code, please post more infos (which codes do you have already found, what game are you hacking) so I can provide more specific informations on how to use the program in your case. Btw, v1.61 was posted some hours ago (fix the 'already filled address boxes in the second tab' problem).

Author:	kickenchicken57 [ Thu Mar 01, 2007 6:11 am ]
Post subject:
[NDS] 0324 - Age of Empires - The Age of Kings (U) ADDRESSES: Code: Inf Money (First Dump) 02347180 Inf Money (Second Dump) 02347544 (I did my search with the 1.61) The addresses do change, even when loading the same level twice in a row. I only got ONE result in the pointer search (02386E20:02342DFC) and did use little endian. The app automatically placed the 'best result' in for me and also the address from the first dump (02347180) so I went ahead and added the value on the address and clicked go. This is what I got Code: 62386E20 00000000 B2386E20 00000000 00004384 0001869F D2000000 00000000 I understand that this code will get the value of the pointer (In the first dumps case: 02342DFC) and store it in the offset. Then 4384+offset = 02347180 which is the address for the money in dump one. Do I need to add more codes in the left box (like the second dumps address) or is this exactly what I needed to do? I posted this code in the game hacking thread and asked that it be tested So I will let you know if it works when I know. EDIT: think it works, i checked the pointer in the emulator and added the value + 0x4384 and got the right address

Author:	Parasyte [ Thu Mar 01, 2007 7:39 am ]
Post subject:
Never ever, ever use a pointer that resides in high memory (anything above 0x02280000, or so) if you can avoid it. Because this is DEEP in the NDS ARM9 arena, which is where the game dynamically allocates memory. More than likely, it's data allocated from the top of the arena. Any data in this area is subject to moving around often, or even vanishing completely in many cases. DSman: Why is the pointer that you used 8-bytes off between those two codes? That can't be right! (You will probably want to use some of the weird code types that utilize the 'offset' to get this to work. Or screw it! Use assembly.)

Page 1 of 3	All times are UTC - 8 hours [ DST ]
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/

Author:	Dualscreenman [ Thu Mar 01, 2007 6:17 am ]
Post subject:
That is exactly what you need to do. If you put the second dump's address in the box, you'd find it would give you the same code as the first dump's address. Now I need a bit of help here. I have this moonjump: Code: Moonjump 94000130 FFFD0000 62105f88 00000000 B2105f88 00000000 20000055 00000099 d2000000 00000000 I'd like to check a dynamic address to see if I am jumping or falling, and then execute the Y speed mod only when I am falling. I found the address of jumping/falling stat, but I need to check it then execute if it equals 2. I think I need one of the AR hacks, but I don't know how to implement the offset with them.

Author:	Dualscreenman [ Thu Mar 01, 2007 7:16 am ]
Post subject:
Moonjump with pointer 62105f88 00000000 B2105f88 00000000 20000055 00000099 22000000 00000000 Jumping/falling stat with pointer 62105F80 00000000 B2105F80 00000000 200000F8 00000000 D2000000 00000000 0 == jumping, 2 == falling

Author:	Dualscreenman [ Thu Mar 01, 2007 7:50 am ]
Post subject:
Hmm, I don't know why those two are off. I'll look into it. I don't know assembly, so I guess somebody will have to document the weird codetypes.

Author:	kickenchicken57 [ Thu Mar 01, 2007 10:49 am ]
Post subject:
Dualscreenman wrote: Moonjump with pointer 62105f88 00000000 B2105f88 00000000 20000055 00000099 D2000000 00000000 Jumping/falling stat with pointer 62105F80 00000000 B2105F80 00000000 200000F8 00000000 D2000000 00000000 0 == jumping, 2 == falling Ok, try this then. assuming your pointer WONT move on you, this could work. 1)your address for whether or not you are falling should be the word at [02105F80] + 0xF8 2)you only want the speed mod on if the word at [02105F80] + 0xF8 == 2 Try this Code: 62105f88 00000000 ---- B2105f88 00000000 Moonjump code 20000055 00000099 D2000000 00000000---- 023FE2B4 E1D320B0 - offset support for the type '9' code 023FE2B8 E1E03004 - offset support for the type '9' code 62105F80 00000000 - make sure pointer != 0 B2105F80 00000000 - load the pointers value into the offset 900000F8 00000002 test address 0xFB + offset (jumping/falling stat) for 2 xxxxxxxx xxxxxxxx - if true execute the Y speed mod D0000000 00000000 - end test for jump/fall stat == 2 900000F8 00000000 test address 0xFB + offset (jumping/falling stat) for 0 xxxxxxxx xxxxxxxx - if true disable the Y speed mod D0000000 00000000 - end test for jump/fall stat == 0 D2000000 00000000 - end all, clear offset 023FE2B4 E1E03004 - offset support OFF for the type '9' code 023FE2B8 E1D020B0 - offset support OFF for the type '9' code Hope this works.

Author:	Dualscreenman [ Thu Mar 01, 2007 10:54 am ]
Post subject:
What goes in the xxxxxxxx xxxxxxxx's? 20000055 00000099 and 200000F8 00000000?

Author:	Dualscreenman [ Thu Mar 01, 2007 12:01 pm ]
Post subject:
I will test this later and give you partial credit. Thanks. ^_^

Author:	kenobi [ Thu Mar 01, 2007 2:01 pm ]
Post subject:
This Age of Empires (U) game uses pointer(s) in pointer(s)... (and might use them in a very complicated way). And my tool is kinda useless for these cases. In such cases, I believe some asm hack work better... I just used no$gba, set some bpr on the money value, another bpr on the pointer, and I found where the game was actually loading the money. Then I just made a code to change the ldr to a str, and that's all... This gives : Code: Press/release L to replenish money* 020A3700 05914384 94000130 FDFF0000 020A3700 05811384 D0000000 00000000 (the game will show 0 money while the button is pressed) This is 'quick and dirty', means it might (will) give money to everyone, so you might not want to give infinite money to your enemy... (ie. not press L when it's not your turn). Edit : Indeed, this cheat will work in multiplayer for everyone. Not sure about the npc ennemy. Or one could also use this code to give 0 money to the active player : Code:* Press/release R to give 0 money 020A3700 05914384 94000130 FEFF0000 020A3700 05813384 D0000000 00000000 Making use of normal codes is still possible, but they'll be quite big (compared to the asm code). For exemple (not tested, not sure if it'll work properly - these codes kinda reproduce what the game is doing (it's missing another check though)). Code: 94000130 XXXX0000 023FE2B4 E1D320B0 - offset support for the type '9' code 023FE2B8 E1E03004 - offset support for the type '9' code 621C2894 00000000 - make sure pointer value != 0 B2105F80 00000000 - load the pointers value into the offset DC000000 00000088 - adds 0x88 to the offset (= pointer2) 90000008 FFFFFFFF - if [offset+8<>0xffffffff] 90000000 00000000 - test is value != 0 B0000000 00000000 - loads pointer2 in offset 90000378 00000000 - if [pointer2+0x378] !=0 DC000000 00004384 - adds 0x4384 to pointer 2 00000000 YYYYYYYY - YYYYYYYY = money value D2000000 00000000 And the last (and more accurate) solution would be to create an asm routine that will mimic what the game is doing when accessing to the money value. However, it'll be quite big too, so I still believe the 'quick and dirty asm hacks' are better for these cases...

Author:	kickenchicken57 [ Thu Mar 01, 2007 7:56 pm ]
Post subject:
I already found the pointer and used it for money and food: Code: Inf Money 62386E20 00000000 B2386E20 00000000 00004384 0001869F D2000000 00000000 Inf Food 62386E20 00000000 B2386E20 00000000 0000438C 0001869F D2000000 00000000 The units aren't like I expected though I expected to be able to add a constant offset to each address to get the next but they are all scattered. ALSO: I cannot load this game in No$gba 2.3d or do breakpoints. I assume thats the debug version :/ I may buy that...

Author:	Parasyte [ Thu Mar 01, 2007 8:04 pm ]
Post subject:
You found a pointer that moves in memory. (See my last post for a more technical explanation.)