Kodewerx

You mean Codebreaker master/enabler codes? We use Dlong's Master Code app, found in Game Hacking Development.

_________________


<EggWerx> MetalOverlord: Dsman and lemmayoshi will be used for taco meat, ask mo he knows me.

Neat...

Okay, I got this:

Result #1
8000FD28 41534D45
F2380090 223FC000

Result #2
8000FD28 41534D45
F238BD24 223FC000

Result #3
8000FD28 41534D45
F238BD8C 223FC000

Result #4
8000FD28 41534D45
F238DD20 223FC000

Now are these encrypted? What part of the code is the hook address? What's with the April Fool's joke coming before it's even April Fool's day?

_________________

They aren't encrypted. You might want to read the CBDS code type documentation.
The '8' at the start of the first line of the (m) code tells the CBDS to NOT USE the encryption. Which mean, all the codes following this line will have to be unencrypted. You can't mix encrypted/unencrypted codes together.

For the second line, this is how it works :


So, for F2380090 223FC000, 02380090 is the hook address. As the type of hook to use is 2, it's safe to say that this hook address is actually something like this : 'ldr r,ADDRESS ; bx r ; ... ; ADDRESS', and the CBDS hook will change ADDRESS with the code handler 'entry point' (and will also save ADDRESS somewhere, so when the code handler has finish its job, it'll bx back to the game). I'm not quite sure what YYYYYYY is (is it the actual place where the master code will jump to, or is it the start of the code handler ?).

I got SM64DS working on the No$GBA 2.3a debugger version and figured out that I have the ASMENOJ20 version. That ought to come in handy...

I set a breakpoint on 2380090 and it's still not breaking. What does that mean? O_o

_________________

Well, and I assume you put a bpx, it sounds normal as the hook is of type 2. Not only the 02380090 will never be executed, but readen (02380090 holds an address, that will be loaded by a ldr/dx), but it also looks like the executable will be relocated in memory (in the 037/8..... range), so even if you put a break on execute on the ldr/bx at 0238...., you'll have no break.
What you need to do is put a break on read on 02380090 ([02380090]?), then look at which address it is copied to, then go to that destination address and find the ldr/bx that uses it, then put a breakpoint on that ldr/bx (or just put a break on read on the ldr/bx in the 0238.... range, then see where it is copied to, then go to that address and put a breakpoint on it).
I'm just not sure why you wanna breakpoint the hook (or maybe it's just to find out if it's a 'valid' hook?).

In Project 64, pausing the emulator always breaks on the 0x80000180 type instruction, which is the address most gamesharks use as the hook assuming the game supports a standard hook. I imagine most emulators are designed to break on the hook address when paused, so if I want to find out where the freeware version of No$GBA stores the current PC, I'll have to know what that PC will be when I pause the emulator so I know what to search for. I don't feel like spending $15 on the debug version each time a new version is released, so having a method for finding the PC would be ideal.

Does that make sense? It's what I did to make ASM codes for Jet Force Gemini, which doesn't work on any of the N64 debugging emulators. It also saves the pain of waiting for someone to write a debugger; with Cheat Engine, you pretty much already have a debugger for any emulator that you need debugging features for so long as you know how to figure out where your breakpoint is (obviously the breakpoint Cheat Engine gives won't be what you're looking for because you'll be debugging the emulator and not the actual game).

Edit: Let me make sure I got this. 02380090 is the address that is read by a PC relative load, and then that address is BX'd to? So the hook finds an existing ldr/bx combo and replaces the value that the ldr loads with the address the codes will be executed from...and somewhere in there the original value that would have been ldr'd gets stored for use as the return.

Does the game's execution get temporarily redirected to the cheat device during this process to avoid overwriting the instructions or something? Seems like the chunk of asm required to copy the original value and insert the new one would have trouble fitting.

Edit: I set a break on read of 02380090 and found a pc relative load from that address. I left a breakpoint there and it's not breaking on it again. :\ Hopefully there's other ldr's of the address or the ldr will be processed again once I'm actually in the game...I have no doubts of the validity of the hook, but it's odd that the breakpoint isn't occurring.

Edit: I messed around with the No$GBA 2.3a debugger and found out that the PC displayed in the application's R15 and the PC that is actually being executed are usually different v_V I found the application's true address for the PC and was able to crash the game by modifying it :\ Perhaps the address is in a similar location in the freeware 2.3d to where it is in the debugger 2.3a, which would incredibly speed up this lewd process.

SUPER EDIT: That was insanely fast. The address was no where near the same location, but I did searches for 0x11BC (the address it broke on most commonly) until I got a result that was constantly changing (I recognized other familiar PCs). I froze the address and it crashed the game so I assume I've found the PC. Perhaps now I can be competent in DS hacking?

_________________

First, you pay 15$ once and for all. Future upgrades are free (maybe until the author feels he wants a fee for a 'big' upgrade, but that never happened yet).

I'm not 100% sure for the other question(s). Also, I don't see why the 'chunk of asm required to copy the original value and insert the new one would have trouble fitting'. It would be just some ldr/str...

I heard that it DID happen recently. :\ Debugging for free is fine with me anyhow.

_________________

Well for the record I do have the debugger version since quite some time (1+ year, 2+ year...? can't remember), and I never repaied 15 bucks for it.
But I guess debugging for free is better than debugging for 15$ !

To paraphrase my response to an AIM comment by a friend on the subject:

"You already paid the $15, so I don't expect you to care, but for me, I just saved $15 or more on my No$GBA insurance."

It's good practice for debugging other emulators that have no debugging features, too, of course.

_________________