Kodewerx

PostPosted: Thu Mar 01, 2007 8:20 pm
Kommunist
Joined: Mon Jan 29, 2007 2:23 pm
Posts: 313
Parasyte wrote:
You found a pointer that moves in memory. (See my last post for a more technical explanation.)


The food and money pointer works fine, but you are right about the pointer I found for the units. It was 021CECC8. I was trying to make a "move again" code, but I think the pointer may have disappeared. Guess I'll have to get the debug version of No$gba or look into what I can do with ASM.


PostPosted: Thu Mar 01, 2007 11:12 pm
Krew (Admin)
Joined: Sun Oct 01, 2006 9:46 pm
Posts: 2331
Location: *poof*
Title: The Mad Hacker
I don't know about CB but the AR for DS can have a pointer to a pointer then do whatever. Just find a pointer for your pointer like you found the pointer for your object. :)

PostPosted: Sun Mar 04, 2007 10:33 am
Kommunist
Joined: Tue Oct 10, 2006 9:32 am
Posts: 445
1.70 is up.
It allows 'negative offsets' (something I decided to remove in the first release, but it looks like it could be useful after all).
If the tool can't find a pointer, try checking the 'allow negative offsets' checkbox on tab 2 and making a new search; that might help.

Edit: 1.71 up. I was doing something stupid when calculating the codes using the negative offset. Fixed now.

Edit2: 1.72 up. Just set up a bigger range for managing the negative offset (might be useless, it's just in case).


PostPosted: Sun Mar 04, 2007 12:57 pm
Kommunist
Joined: Sat Oct 21, 2006 3:26 pm
Posts: 366
Location: USA
Title: Ancient Code Sage
In case people are wondering why kenobi has done this... we are working on some very weird codes for Star Wars Lethal Alliance. One of those codes was thought to be hacked by Code Junkies but not yet released. I was asked by FNG to test the code; I found it not working as it should, and I also thought it could be a "stronger" code by adding another feature to it. I would rather not describe the code at this point as a lot of work has gone into this code... and it does appear at first to require a pointer that simply violates all standard rules we usually expect.

PostPosted: Tue Mar 06, 2007 2:18 pm
Kommunist
Joined: Tue Oct 10, 2006 9:32 am
Posts: 445
Small update...
1.74 released.
Now checking 'Negative offsets' will only search for (and display) pointers that are >= the code address, and leaving it unchecked will only search for (and display) pointers that are <= the code address (in the previous version, searching for negative offsets would actually report positive and negative offsets).

That could be the final version, as I don't see what else could be added/changed (unless bugs/problems are reported).


PostPosted: Wed Mar 28, 2007 4:01 pm
Kommunist
Joined: Wed Mar 21, 2007 12:51 pm
Posts: 35
Wait, how does it work? I keep getting this string error. How exactly do you use this?

PostPosted: Wed Mar 28, 2007 9:58 pm
Kommunist
Joined: Tue Oct 10, 2006 9:32 am
Posts: 445
String errors? Can you be more precise? (What do you enter in the program, which file do you choose...)


PostPosted: Thu Mar 29, 2007 12:36 pm
Kommunist
Joined: Wed Mar 21, 2007 12:51 pm
Posts: 35
kenobi wrote:
String errors ? Can you be more precise ? (what do you enter in the program, which file you choose...)


I open the program, hit pointer search, click file 1, select a save and hit go. I get the same error if I do 2 files and use the address things. I don't get it at all.

PostPosted: Tue Apr 17, 2007 2:12 pm
Kommunist
Joined: Tue Oct 10, 2006 9:32 am
Posts: 445
Just to let you see what I just started working on... I've added a new function to my pointer tool: a backtracer.
So now its name is changed to NDS Pointer codes & Backtracer Tool v1.81alpha (bleh, I hate version numbers, never know what to put in there!).

What is this backtracing about? Well, think of it like a 'break on read/write'. Except it won't break the game, of course. It'll find all references to the address you select. Then you'll have to check them (using the TT, and looking at the assembly at these addresses), and see what's going on there... So yeah, assembly knowledge is mandatory!!!
For now it doesn't do much... But within some days (weeks? :/) it'll be pretty much enhanced. And of course, it has a lot of limitations: for now it only does ARM searches. Also, it'll in no way always find all the opcodes that might read the address you entered. It'll only scan for the 'down' ldr r,=xxxxxxxx (for now; I'll change it to 'up and down' ldr).

Here is a small example for SM64DS US v1.1:
1 - I made a full ram dump of a game, during a level. I know that for this game the lives value is stored at 0x02098930 (but a simple search with the TT would reveal that).
2 - So I use the tool's backtrace tab, I select the ram dump I made and enter '02098930' into the 'address to backtrace' box.
3 - I click 'backtrace' once. The tool will list all the occurrences of the address it found in the ram dump.
4 - I click it another time: this time, the tool will search for all the 'ldr r,=02098930h' it can find.
5 - Now I open the TT's assembly window, select ARM, and go to these (= the second set of) addresses the tool found...
After examining them and making some tests (and that is the very tricky part: you MUST know a bit of asm to understand what's going on at these addresses), I found that the last address found by my tool was interesting:
Code:
020F3F44 : ldr r1,[r15,#$90]
This is the opcode reported by my tool. I.e. it loads 02098930 into r1.
Code:
020F3F48 : mov r0,r10
020F3F4C : ldrsb r1,[r1,#$0]
This ldrsb loads the value at 02098930 (= the number of lives) into r1.
Code:
020F3F50 : mov r1,r1,lsl#16
020F3F54 : mov r1,r1,lsr#16
These lsl/lsr instructions are used to 'isolate' the value. This means that at the second instruction, the game should have the real number of lives in r1. So, we can for example replace the lsr with ldr r1,#$64 (this can be handy), patch the game with this new opcode (020F3F54 E3A01064) and - fortunately - this will give the player 99 lives.

Yeah, I know, my examples suck because I always find code that has not much use (why do an asm hack when you could just do 02098930 00000064). And moreover, it appears that the asm at 020F3F44~54 is not always there (so it might be dangerous to blindly patch it)... Whatever :p

Also, if no matches are found for a particular address, try finding a pointer for the address you're looking for, and enter the address the pointer points to in the backtrace tab (i.e. the address in the 'Pointer Address Value', on the 'Pointer to ARDS' tab).

You can download it at the bottom of this page...


Last edited by kenobi on Tue Apr 17, 2007 8:57 pm, edited 2 times in total.

PostPosted: Tue Apr 17, 2007 8:26 pm
Krew (Admin)
Joined: Sun Oct 01, 2006 9:46 pm
Posts: 2331
Location: *poof*
Title: The Mad Hacker
Heh, nice Kenobi! Parasyte was just telling me to do something like this with mine for GCN and I plan on it! :D

Great work man!

PostPosted: Wed Apr 18, 2007 8:37 pm
Kommunist
Joined: Mon Jan 29, 2007 2:23 pm
Posts: 313
Wow, I love you! You just made my life a lot easier. I've been trying to patch some ROMs for cheating :)


PostPosted: Sat Apr 21, 2007 9:57 am
Kommunist
Joined: Tue Oct 10, 2006 9:32 am
Posts: 445
v1.82alpha is up.

Now it works like this:
Enter an address, choose a full ram dump, and click 'Backtrace'. Then the proggy will scan for all the occurrences of this address, and will display one line per match.
On these lines you'll find: the presumed start of the routine that holds the ldr of that address, the ldr location, and the address's location.
Example: backtracing 0x02098930 in a SM64DS v1.1 ram dump (initial search).
The proggy shows (amongst others) '02029C68:02029CA0:02029CC8'.
That means (from right to left):
-an occurrence of 0x02098930 was found in the ram at 0x02029CC8.
-a ldr instruction, located at 0x02029CA0, loads the data at 0x02029CC8 into a register.
-the routine that holds that ldr should start at 0x02029C68.

Then, clicking the backtrace button after an 'initial search' will do the following: the proggy will search the ram dump for all the 'routine start addresses' it found during the initial search. It'll display a result if it finds either this address stored as a plain address (which could be used by a bx), or a bl to the routine start. This search is way slower than the initial search.
Example: backtracing 0x02098930 in a SM64DS v1.1 ram dump (second search).
Now the proggy will display '0200CCD8:0200CEF8:02029C68:BL'.
Which means (from right to left):
-there is a bl to 0x02029C68 located at 0x0200CEF8.
-and 0x0200CCD8 should be the start of the routine that holds that bl.

If it had displayed something like:
'0200CCD8:0200CEF8:02029C00:LD'
that would have meant the same thing as the first search (routine start:ldr:value).

So you'll be able to find the routine that called the routine (that called the routine)... And hopefully find what you're actually searching for (an offset calculation formula, a debug menu enabler...).

(sorry again if all these explanations are confusing, or don't make much sense...).


PostPosted: Sat Apr 21, 2007 8:10 pm
Kommunist
Joined: Wed Feb 28, 2007 5:52 pm
Posts: 79
What's the standard format for RAM dumps for the various hacking tools? Is it just the 4MiB starting from 0x02000000, or does it include IWRAM, VRAM, etc?


PostPosted: Sat Apr 21, 2007 8:26 pm
Komrade
Joined: Mon Oct 02, 2006 5:56 pm
Posts: 1978
Title: Mr. Bitches
All applications I've seen take the 4 MiB from 0x02000000 -> namehere.bin

PostPosted: Sun Apr 22, 2007 3:02 am
Krew (Admin)
Joined: Sun Oct 01, 2006 9:26 pm
Posts: 3768
Title: All in a day's work.
There is currently no reason for any cheat searches to be performed outside of ARM9's main memory, which is typically about 3.5MB of main memory. And it appears AR is incapable of accessing ARM9 ITCM/DTCM or VRAM at all. If any games ever use these locations to hide variables, special ARM9 master codes will be required.

PostPosted: Sun Apr 22, 2007 8:28 am
Kommunist
Joined: Tue Oct 10, 2006 9:32 am
Posts: 445
Updated the tool to 1.86alpha (the download link is near the bottom of the page).

I have corrected some minor layout stuff and added a 'Distance' option in the pointer search (if abs([pointer address location] - [pointer address value]) < Distance, it'll not be selected as a good match; in short, it's to avoid finding 'bad' pointers).

But the biggest change is the appearance of the 'Register Dumper' tab.
You select a (full) ram dump, then you enter:
The address of the opcode at which you want the registers to be dumped (Hook Address)
The address at which the asm code of the dumper should be copied (it takes 0x60 bytes) (= Dump routine).
The address at which the results should be copied (= Result address) (the dumped data will take 0x80 bytes).

For most games, choosing '0x02000000' for the Dump routine address should work.
And for the results, I advise '0x02000060' or '0x02000080' (however if you leave the address blank, it'll default to 'Dump routine address + 0x60').


Then you press the 'Go !' button, and a set of AR codes will be created (and copied to the clipboard). Paste them in the run list of the TT PC software, upload them, and voilà: each time the address you selected is reached (/executed), the registers and the first 0x40 bytes of the stack will be dumped at the 'Result address' (just use the TT PC software's hex view or assembly view and go to the 'Result address' to see them).

This information (= register contents and stack contents) can be (/is) very helpful, especially when using the Backtracing (either to know the register contents, or to see if an opcode is executed (setting the register dumper on an opcode and having no registers dumped means that opcode was not executed)).

For now it works only for ARM, but almost any ARM opcode should be hookable (even b/bl, ldrs with immediate offset...).

Edit: 1.86alpha is up.
Changes from 1.85alpha: the first 0x40 bytes of the stack are also dumped, right after the register dump.
That means the sizes are now 0x60 bytes for the dumper, and 0x80 for the dumped data (0x40 for the registers, and 0x40 for the stack).


PostPosted: Tue Jun 05, 2007 6:23 pm
Kommunist
Joined: Sun May 27, 2007 7:43 pm
Posts: 775
Location: Makai
Title: The HENTAI M@ster
Where are the CBDS pointer code tools? :lol:

j/k

No one seems to like it anyway :(


Edit: Damn, I was trying to make an infinite health code for Boss Battles in Pirates of the Caribbean: At World's End... Alright, I dumped 4 different addresses, but the program can't seem to find any pointer, even with negative offsets :( WTF!!! :shock: What's going on with this fucking game, lol: no pointers, and it doesn't use the same addresses; no tracing can be found, lol.

Guess the only hope is a debugger.

PostPosted: Tue Jul 17, 2007 10:10 pm
Kommunist
Joined: Fri Feb 16, 2007 10:09 pm
Posts: 36
This is a late reply, but I believe POTCAWE uses pointers upon pointers. It seems like there have been a lot of games lately that are doing this. Possibly to deter cheating? In any case, no$gba debug will be the best chance at finding the addresses.

PostPosted: Wed Jul 18, 2007 2:06 pm
Krew (Admin)
Joined: Sun Oct 01, 2006 9:46 pm
Posts: 2331
Location: *poof*
Title: The Mad Hacker
Hiei-YYH wrote:
where's the CBDS pointer code tools? :lol:
edit: damn, i was trying to make a infinite health for Boss Battles in Pirates of Caribbean at Worlds End... alright i dumped 4 different addresses but the program can't seem to find any pointer, even with negative offsets :( wtf!!! :shock: what's going on with this fucking game lol no pointers, and don't use the same addresses, no tracing can be found lol

guess the only hope is a debugger.
Ah, but there's more hope than you think! ;p As long as you can dump a chunk of the DS RAM, download and follow the instructions for my tool here:
http://gcn.jaytheham.com/extra/gcnpcc_v1.2.zip
and use the "generic search" option to try and find your code. You'll have to put the code into the correct CB codetype but that shouldn't be a problem. ;) Good luck!
If Kenobi's didn't find it though, there may not be as much hope for ya. ;p hehe Still worth a try. :)

PostPosted: Sat Jul 21, 2007 6:10 am
Kommunist
Joined: Sun May 27, 2007 7:43 pm
Posts: 775
Location: Makai
Title: The HENTAI M@ster
Twilight Spectre wrote:
Hiei-YYH wrote:
where's the CBDS pointer code tools? :lol:
edit: damn, i was trying to make a infinite health for Boss Battles in Pirates of Caribbean at Worlds End... alright i dumped 4 different addresses but the program can't seem to find any pointer, even with negative offsets :( wtf!!! :shock: what's going on with this fucking game lol no pointers, and don't use the same addresses, no tracing can be found lol

guess the only hope is a debugger.
Ah, but there's more hope than you think! ;p As long as you can dump a chunk of the DS RAM, download and follow the instructions for my tool here:
http://gcn.jaytheham.com/extra/gcnpcc_v1.2.zip
and use the "generic search" option to try and find your code. You'll have to put the code into the correct CB codetype but that shouldn't be a problem. ;) Good luck!
If Kenobi's didn't find it though, there may not be as much hope for ya. ;p hehe Still worth a try. :)


I actually found the code already XD. It was a pointer to a pointer; that's why I couldn't find it at that time...
Thanks anyway.

Infinite Health (Boss Battles)
023FE424 E08AA003
621299AC 00000000
B21299AC 00000000
D4000000 00000014
B0000000 00000000
000000B8 00000000
D2000000 00000000

PostPosted: Sat Jul 21, 2007 9:43 pm
Kommunist
Joined: Mon Nov 13, 2006 2:47 pm
Posts: 14
Edit:
Sorry. I found this thread through a search and didn't realize this wasn't a forum to ask for help in. This post can be deleted, if you desire.

Edit2:
Thanks, kenobi! :)


Last edited by donny2112 on Sat Jul 21, 2007 10:07 pm, edited 1 time in total.

PostPosted: Sat Jul 21, 2007 9:59 pm
Kommunist
Joined: Tue Oct 10, 2006 9:32 am
Posts: 445
Open the TT's hex editor, right click on it, and choose 'save to file', then select the area you wanna dump (usually 0x02000000-0x02400000). Doing this you can select where to store the file.

About the pointer in pointer search. I never detailed it, but as it's for 'advanced hackers', I won't go much into details:
If you know the game is using pointers, but can't find it with the tool, try that:
Make a search. You'll find in the proggy's first tab pointer 1, located at XXXXXXXX. Then make a pointer search for XXXXXXXX, and note the address found in tab 1 (address1).
If you have a second file, make a search for pointer 2. You'll find in the proggy's first tab pointer 2, located at YYYYYYYY. Then make a pointer search for YYYYYYYY, and note the address found in tab 1 (address2).

If everything goes fine (i.e. if the game uses a simple pointer in pointer), you'll have address1=address2.
(if not, you could still continue the searches by using address1 as pointer 1 and address2 as pointer 2, in case the game uses pointer in pointer in pointer... and so on).


Also btw, I think there is a small bug in the proggy (with the 'Distance' option). Not 100% sure, but I'll try to verify it (and make an update) today.


PostPosted: Sun Jul 22, 2007 6:54 am
Kommunist
Joined: Sun May 27, 2007 7:43 pm
Posts: 775
Location: Makai
Title: The HENTAI M@ster
kenobi wrote:
Open the TT's hex editor, right click on it, and choose 'save to file', then select the area you wanna dump (usually 0x02000000-0x02400000). Doing this you can select where to store the file.

About the pointer in pointer search. I never detailed it, but as it's for 'advanced hackers', I won't go much into details:
If you know the game is using pointers, but can't find it with the tool, try that:
Make a search. You'll find in the proggy's first tab pointer 1, located at XXXXXXXX. Then make a pointer search for XXXXXXXX, and note the address found in tab 1 (address1).
If you have a second file, make a search for pointer 2. You'll find in the proggy's first tab pointer 2, located at YYYYYYYY. Then make a pointer search for YYYYYYYY, and note the address found in tab 1 (address2).

If everything goes fine (i.e. if the game uses a simple pointer in pointer), you'll have address1=address2.
(if not, you could still continue the searches by using address1 as pointer 1 and address2 as pointer 2, in case the game uses pointer in pointer in pointer... and so on).


Also btw, I think there is a small bug in the proggy (with the 'Distance' option). Not 100% sure, but I'll try to verify it (and make an update) today.


Maybe you could add a thing to this program, kenobi, to make things easy when the game uses pointer to pointer and you compare 2 files.
The program auto searches for equal offsets (let's say that the health is POINTER X > POINTER Y+200h; since the writing offset is always the same [I presume], all different offsets that aren't equal in those 2 files can be deleted. With this, you'll possibly find the offset that is writing directly to the LIFE with fewer results, and then all you have to do is compare those pointers and find the REAL one that is writing the other one.

Well, at least I think that would be easy.

PostPosted: Sun Jul 22, 2007 11:01 am
Kommunist
Joined: Tue Oct 10, 2006 9:32 am
Posts: 445
1.87beta is up (corrected the distance management - btw distance is the maximum difference between the address the pointer points to and the searched address (i.e. it's the maximum offset value to add to the pointer address)).

I'll see if I can come up with something about a pointer in pointer search, but not right now. It might need some hours of work, so don't expect anything soon, as I won't have much free time in the next days/weeks. Also I'm kinda afraid of the search time it'll take, however if it guarantees finding pointers in pointers it might be worth the wait.


PostPosted: Sun Jul 22, 2007 2:06 pm
Krew (Admin)
Joined: Sun Oct 01, 2006 9:46 pm
Posts: 2331
Location: *poof*
Title: The Mad Hacker
I was going to put pointer to pointer search for my next version of GCNPCC. It would be easy to do, like I know exactly how to, but as you said, the time for the search would be quite a bit. hehe

PostPosted: Sat Jul 28, 2007 9:58 am
Kommunist
Joined: Tue Oct 10, 2006 9:32 am
Posts: 445
Found some free time today (being lazy enough to not do important RL stuff helps), so I added the 'Pointer in Pointer' option. 1.90 alpha is up.

It can only be used if you have 2 files, and 2 (different) addresses to enter (each address being the location of the value you're trying to hack, be it life, money, ammo...).

The search is a bit longer than a regular pointer search, but not that long (though its length would depend on how many pointers the game uses). Anyway I added a 'stop' option, to make the proggy stop the search if you're not willing to wait a minute or two before testing some codes...

Only the first result found will be copied in the first tab (which allows you to create AR codes automatically). If you want to try other ones, copy them manually in there.

Also, a very brief (and maybe bad) explanation about pointer in pointer. It works like that:
[Pointer1]+Offset1 = Pointer2
[Pointer2]+Offset2 = Value

Pointer1 is a fixed address.
Offset1 and Offset2 are fixed values.
Pointer2 and Value move around.

'Distance1', in the tool, is the maximum value allowed for Offset1.
'Distance2', in the tool, is the maximum value allowed for Offset2.

And FYI I (only) tested it on Pokémon (key items code), and it worked nicely.

Edit:
Also tried it on Autobots (which was a pain to hack with no$gba), and found a regular (i.e. not asm hacked) health code:
620ACFF4 00000000
B20ACFF4 00000000
B0000110 00000000
0000013C 40000000
D2000000 00000000

Tried it on some levels, on both versions, and it worked without any problem.

Also, when you have different results with the tool, if the first one isn't working properly, the ones with offset1 and offset2 as small as possible could be the best choices.
Here is a small (Autobots) example. I was looking for address1 = 0x022DA9E0
The tool output:
020AB9B8:0206DF38:02074B08:0208801C
020AB9B8:0206DF38:0207587C:02087FEC
020ACFF4:0216FCBC:0216FDCC:022DA8A4
...
offset1 = 3rd column - 2nd column; offset2 = address - 3rd column.
So, for the third line, you have offset1=0x0216FDCC-0x0216FCBC=0x110, and offset2=0x022DA9E0-0x022DA8A4=0x13C. These are 'small' values, and seem to be (/will be) better than big offsets.
(you don't need to actually do the calculation btw, you can 'see' that for the other lines, 0x0207.... is far from 0x0206...., and 0x022D... is very far away from 0x0208...).


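The pointer-in-pointer search described in this post and in the manual two-file procedure a few posts up ([Pointer1]+Offset1 = Pointer2, [Pointer2]+Offset2 = Value, with Pointer1 and both offsets fixed across two dumps), as an added example written for this page; it is not kenobi's tool and its search order is my own. The two "dumps" are constructed 1 KiB images, not real game memory; the generated AR code follows the shape of the Autobots health code posted above (6: run only if the 32-bit value at Pointer1 is non-zero, B: load the offset register from a pointer, 0: 32-bit write at offset+X, D2: end and clear the offset), with those code-type meanings taken from the codes in this thread. Column numbering in the comments counts the tool's output from the left, so the stored value at the second pointer is the fourth column.

```python
import struct

BASE = 0x02000000  # the dumps in this thread are ARM9 main RAM, starting at 0x02000000


def word_map(dump, base=BASE):
    """address -> little-endian 32-bit word, for every 4-aligned offset of the dump."""
    n = len(dump) // 4
    return dict(zip(range(base, base + 4 * n, 4), struct.unpack("<%dI" % n, dump[: 4 * n])))


def pointer_chains(dump, target, max_off1, max_off2, base=BASE):
    """All (pointer1, offset1, offset2) with [[pointer1]+offset1]+offset2 == target in this
    dump, offsets in 0..max (the tool's 'Distance1'/'Distance2', later 'max offset')."""
    mem = word_map(dump, base)
    by_value = {}                         # inverted index: word value -> locations holding it
    for addr, val in mem.items():
        by_value.setdefault(val, []).append(addr)
    chains = set()
    for off2 in range(max_off2 + 1):
        for p2loc in by_value.get(target - off2, []):        # [p2loc] + off2 == target
            for off1 in range(max_off1 + 1):
                for p1 in by_value.get(p2loc - off1, []):    # [p1] + off1 == p2loc
                    chains.add((p1, off1, off2))
    return chains


def pointer_in_pointer_search(dump_a, addr_a, dump_b, addr_b, max_off1=0x200, max_off2=0x200):
    """Chains that hold in BOTH dumps (same pointer1 and offsets), smallest offsets first,
    which is the post's advice for picking among several results."""
    common = pointer_chains(dump_a, addr_a, max_off1, max_off2) & pointer_chains(
        dump_b, addr_b, max_off1, max_off2)
    return sorted(common, key=lambda c: (c[1] + c[2], c[0]))


def ar_code(pointer1, off1, off2, value):
    """AR DS code in the shape of the Autobots health code above: guard on pointer1 != 0,
    offset = [pointer1], offset = [offset+off1], 32-bit write at offset+off2, end.
    Addresses and offsets occupy the low 7 hex digits after the code-type nibble."""
    return [
        "6%07X 00000000" % pointer1,
        "B%07X 00000000" % pointer1,
        "B%07X 00000000" % off1,
        "0%07X %08X" % (off2, value),
        "D2000000 00000000",
    ]


def make_dump(layout, size=0x400, base=BASE):
    """Constructed RAM image: zero-filled, with the given address -> word entries."""
    buf = bytearray(size)
    for addr, val in layout.items():
        struct.pack_into("<I", buf, addr - base, val)
    return bytes(buf)


# Two constructed snapshots of the same made-up game. Pointer1 at 0x02000010 is fixed;
# the block it points to and the value moved between snapshots. The words at
# 0x02000020/0x02000030 are decoys that form a plausible chain in snapshot A only.
DUMP_A = make_dump({0x02000010: 0x02000100, 0x02000110: 0x02000200, 0x0200021C: 0x63,
                    0x02000020: 0x02000028, 0x02000030: 0x02000210})
DUMP_B = make_dump({0x02000010: 0x02000140, 0x02000150: 0x02000300, 0x0200031C: 0x45,
                    0x02000020: 0x02000028, 0x02000030: 0x02000210})
ADDR_A, ADDR_B = 0x0200021C, 0x0200031C   # where the value sat in each snapshot

if __name__ == "__main__":
    for p1, o1, o2 in pointer_in_pointer_search(DUMP_A, ADDR_A, DUMP_B, ADDR_B, 0x100, 0x100):
        print("pointer1=%08X offset1=%X offset2=%X" % (p1, o1, o2))   # 02000010, 10, 1C
        print("\n".join(ar_code(p1, o1, o2, 0x00000063)))
```

On a real 4 MiB dump the inverted index has about a million entries and the search does (max_off1+1)*(max_off2+1) dictionary lookups per target, so the max offsets are what keep it fast; lowering them is also the first thing to try when the result list is flooded with chains like the decoy above, which the second snapshot eliminates.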
PostPosted: Tue Jul 31, 2007 1:38 pm
Kommunist
Joined: Sun May 27, 2007 7:43 pm
Posts: 775
Location: Makai
Title: The HENTAI M@ster
kenobi wrote:
Found some free time today (being lazy enough to not do important RL stuff helps), so I added the 'Pointer in Pointer' option. 1.90 alpha is up.

It can only be used if you have 2 files, and 2 (different) addresses to enter (each address being the location of the value you're trying to hack, be it life, money, ammo...).

The search is a bit longer than a regular pointer search, but not that long (though its length would depend on how many pointers the game uses). Anyway I added a 'stop' option, to make the proggy stop the search if you're not willing to wait a minute or two before testing some codes...

Only the first result found will be copied in the first tab (which allows you to create AR codes automatically). If you want to try other ones, copy them manually in there.

Also, a very brief (and maybe bad) explanation about pointer in pointer. It works like that:
[Pointer1]+Offset1 = Pointer2
[Pointer2]+Offset2 = Value

Pointer1 is a fixed address.
Offset1 and Offset2 are fixed values.
Pointer2 and Value move around.

'Distance1', in the tool, is the maximum value allowed for Offset1.
'Distance2', in the tool, is the maximum value allowed for Offset2.

And FYI I (only) tested it on Pokémon (key items code), and it worked nicely.

Edit:
Also tried it on Autobots (which was a pain to hack with no$gba), and found a regular (i.e. not asm hacked) health code:
620ACFF4 00000000
B20ACFF4 00000000
B0000110 00000000
0000013C 40000000
D2000000 00000000

Tried it on some levels, on both versions, and it worked without any problem.

Also, when you have different results with the tool, if the first one isn't working properly, the ones with offset1 and offset2 as small as possible could be the best choices.
Here is a small (Autobots) example. I was looking for address1 = 0x022DA9E0
The tool output:
020AB9B8:0206DF38:02074B08:0208801C
020AB9B8:0206DF38:0207587C:02087FEC
020ACFF4:0216FCBC:0216FDCC:022DA8A4
...
offset1 = 3rd column - 2nd column; offset2 = address - 3rd column.
So, for the third line, you have offset1=0x0216FDCC-0x0216FCBC=0x110, and offset2=0x022DA9E0-0x022DA8A4=0x13C. These are 'small' values, and seem to be (/will be) better than big offsets.
(you don't need to actually do the calculation btw, you can 'see' that for the other lines, 0x0207.... is far from 0x0206...., and 0x022D... is very far away from 0x0208...).


Ah, thank you kenobi, that's what I want :lol:

PostPosted: Thu Dec 20, 2007 2:28 pm
Kommunist
Joined: Tue Oct 10, 2006 9:32 am
Posts: 445
1.90beta is up. Corrected some bugs with the 'distance', and renamed 'distance' to 'max offset' (so it reflects better its use).


PostPosted: Tue Mar 03, 2009 8:21 am
Kommunist
Joined: Sun Dec 30, 2007 4:44 am
Posts: 32
I want to make a code in MPH that displays the remaining time until the energy orb in map 3 respawns. I found a pointer for the remaining time:
Code:
620E3E74 00000000
B20E3E74 00000000
0000051C 00000000  //Set respawn time to 0 (orb is always there)
D2000000 00000000

I've tried to display the time with the code types 0xDA for reading and 0xD7 for storing the value. Without the pointer it worked great, but I couldn't get it to work with the pointer.
Here is the code:
Code:
620E3E74 00000000
B20E3E74 00000000
DA000000 0000051C //Load the remaining time
D7000000 020DB08E //and write this value to another location
D2000000 00000000


What did I do wrong? Or are there ways to realize it with the tool?


PostPosted: Tue Mar 03, 2009 2:21 pm
Kommunist
Joined: Tue Oct 10, 2006 9:32 am
Posts: 445
In your code, DA will load the value from [offset+0x51C], but D7 will write the value to [offset+0x020DB08E] (and not to [0x020DB08E]).
Meaning you have to clear the offset before the D7 code. That is done with the D3 code type :

620E3E74 00000000
B20E3E74 00000000
DA000000 0000051C //Load the remaining time
D3000000 00000000 // Clear the offset
D7000000 020DB08E //and write this value to another location
D2000000 00000000


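To make the offset-register behaviour in kenobi's answer concrete, here is an added example (written for this page, not part of the thread and not any official AR software): a minimal interpreter for the AR DS code types the two MPH listings use, run against a constructed memory image. The code-type semantics are taken from the standard AR DS code-type documentation as I know it and match what kenobi states above (B loads the offset from a pointer, DA reads a 16-bit value at Y+offset, D7 writes the data register as 16 bits at Y+offset, D3 sets the offset, D2 ends and clears offset and data); the one detail not visible on this page, that D7 advances the offset by 2 after the store, is from that documentation. The pointer value 0x02200000 and the 300-frame timer are made up.

```python
class ARDS:
    """Tiny interpreter for the AR DS code types used in this thread (0, 6, B, D0, D2,
    D3, D4, D7, DA). Memory is a sparse byte map so a store landing anywhere is visible;
    'writes' records every store as (addr, size, value)."""

    def __init__(self, memory):
        self.mem = dict(memory)
        self.offset = 0
        self.data = 0
        self.writes = []

    def read(self, addr, size):
        return int.from_bytes(bytes(self.mem.get(addr + i, 0) for i in range(size)), "little")

    def write(self, addr, size, value):
        for i, byte in enumerate(value.to_bytes(size, "little")):
            self.mem[addr + i] = byte
        self.writes.append((addr, size, value))

    def run(self, text):
        codes = []
        for line in text.splitlines():
            parts = line.split("//")[0].split()          # drop the // comments
            if parts:
                codes.append((int(parts[0], 16), int(parts[1], 16)))
        skip = False                                      # inside a false conditional block
        for a, b in codes:
            kind, lo = a >> 28, a & 0x0FFFFFFF
            if a == 0xD2000000:                           # end: close blocks, clear offset/data
                skip, self.offset, self.data = False, 0, 0
            elif a == 0xD0000000:                         # end-if
                skip = False
            elif skip:
                continue
            elif kind == 0x0:                             # 32-bit write at [lo + offset]
                self.write(lo + self.offset, 4, b)
            elif kind == 0x6:                             # run the block only if 32-bit [lo] != b
                skip = self.read(lo, 4) == b
            elif kind == 0xB:                             # offset = 32-bit [lo + offset]
                self.offset = self.read(lo + self.offset, 4)
            elif a == 0xD3000000:                         # offset = b
                self.offset = b
            elif a == 0xD4000000:                         # data += b
                self.data = (self.data + b) & 0xFFFFFFFF
            elif a == 0xD7000000:                         # 16-bit write of data at [b + offset]
                self.write(b + self.offset, 2, self.data & 0xFFFF)
                self.offset += 2                          # per the AR DS docs; assumed here
            elif a == 0xDA000000:                         # data = 16-bit [b + offset]
                self.data = self.read(b + self.offset, 2)
            else:
                raise NotImplementedError("code type %08X not handled here" % a)
        return self


def word(addr, value):
    """Bytes of one little-endian 32-bit word at addr, as a sparse-memory fragment."""
    return {addr + i: byte for i, byte in enumerate(value.to_bytes(4, "little"))}


def mph_memory():
    """Constructed, not a real MPH dump: the pointer at 020E3E74 points to a block at
    02200000 whose halfword at +0x51C is the orb respawn timer (300 frames here)."""
    memory = word(0x020E3E74, 0x02200000)
    memory.update(word(0x02200000 + 0x51C, 0x0000012C))
    return memory


MPH_BROKEN = """
620E3E74 00000000
B20E3E74 00000000
DA000000 0000051C //Load the remaining time
D7000000 020DB08E //and write this value to another location
D2000000 00000000
"""

MPH_FIXED = """
620E3E74 00000000
B20E3E74 00000000
DA000000 0000051C //Load the remaining time
D3000000 00000000 // Clear the offset
D7000000 020DB08E //and write this value to another location
D2000000 00000000
"""


def run_code(text, memory):
    """Execute one code list against a fresh copy of memory; returns the machine state."""
    return ARDS(memory).run(text)


if __name__ == "__main__":
    print("broken:", ["%08X" % w[0] for w in run_code(MPH_BROKEN, mph_memory()).writes])  # 042DB08E
    print("fixed: ", ["%08X" % w[0] for w in run_code(MPH_FIXED, mph_memory()).writes])   # 020DB08E
```

With the pointer loaded into the offset register, the broken listing stores the timer at 0x020DB08E + 0x02200000, far outside main RAM; the D3 line zeroes the offset so the D7 store lands at 0x020DB08E as intended.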