Kodewerx

All times are UTC - 8 hours [ DST ]

[ 69 posts ] Go to page Previous 1, 2, 3 Next

Posted: Tue Jan 23, 2007 3:12 pm
Author: kenobi (Kommunist; Joined: Tue Oct 10, 2006 9:32 am; Posts: 445)
Actually, all the CB code types are 5 bits long.
To extract the code type the CB does:
codetype = (addr >> 24) & 0xF8

Then to extract the 'real' address it does:
addr &= 0x07FFFFFF

And let's say that someone tries to use a code type that does not exist, for example code type 0x18; then the CB will just skip it (and will not think it's the same as code type 0x10), because it makes sure that an extracted code type exactly matches a known code type before 'executing' it (it does something like 'cmp codetype, 0x10', 'cmp codetype, 0x20', ..., and skips the code 'execution' if no match is found).


Posted: Wed Feb 28, 2007 7:29 am
Author: Kommunist (Joined: Mon Jan 29, 2007 2:23 pm; Posts: 313)
So why the & 0xF8? In this case:
32001234 00011234 :: 16-bit increment of 0x1234 to address 0x02001234
3A001234 00011234 :: 32-bit increment of 0x00011234 to address 0x02001234

32001234 >> 24 = 0x32
0x32 & 0xF8 = 0x30

Wouldn't the CB need to know that the 2nd digit is a 2 to correctly identify the difference between the code types?

Forgive me for asking about something over a month old.


Posted: Wed Feb 28, 2007 7:40 am
Author: Parasyte (Krew (Admin); Joined: Sun Oct 01, 2006 9:26 pm; Posts: 3768; Title: All in a day's work.)
No. The '2' is part of the address, not the code type.

Extracting the address:
32001234 & 0x07FFFFFF = 0x02001234

Why the F8? 0xF8 in binary = 11111000b <- 5 bits for the code type.

_________________
I have to return some video tapes.

Feed me a stray cat.
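To make the extraction rule in the last two posts concrete, here is an added Python example (not code from the thread or from the CB's code handler) that applies the two masks to the lines from the question, (addr >> 24) & 0xF8 for the code type and addr & 0x07FFFFFF for the address, and skips a line whose type is not in a known list, as kenobi describes. The KNOWN_TYPES set, the 0x18 sample line, the type-0x00 line and the function names are this example's own assumptions.

```python
# Added example (not from the thread): decode CodeBreaker DS code lines the
# way the posts above describe the code handler doing it: the top 5 bits of
# the first word are the code type ((addr >> 24) & 0xF8) and the low 27 bits
# are the address (addr & 0x07FFFFFF). Unknown code types are skipped rather
# than being treated as a neighbouring type. KNOWN_TYPES is an assumption for
# this example (the thread only mentions a handful of types); real handlers
# know more.

from typing import NamedTuple, Optional

KNOWN_TYPES = {0x00, 0x10, 0x20, 0x30, 0x38, 0x50}  # assumed for this example


class CbCode(NamedTuple):
    code_type: int      # 5-bit code type, held in bits 27..31 (0x08 steps)
    address: int        # 27-bit address (top 5 bits masked off)
    value: int          # second word of the code line


def code_type_of(first_word: int) -> int:
    """Top 5 bits of the first word: (addr >> 24) & 0xF8, as in the thread."""
    return (first_word >> 24) & 0xF8


def address_of(first_word: int) -> int:
    """Strip the code type: addr & 0x07FFFFFF."""
    return first_word & 0x07FFFFFF


def parse_code_line(line: str) -> Optional[CbCode]:
    """Parse 'AAAAAAAA VVVVVVVV'. Returns None for lines whose code type is not
    in KNOWN_TYPES, mirroring the handler 'just skipping' unknown types."""
    left, right = line.split()
    first, value = int(left, 16), int(right, 16)
    ctype = code_type_of(first)
    if ctype not in KNOWN_TYPES:
        return None
    return CbCode(ctype, address_of(first), value)


# Constructed sample list: the two lines from the question above, one line
# with type 0x00 (assumed here to be a plain 32-bit write), and one line with
# an unknown type (0x18) that must be skipped, not handled as type 0x10.
SAMPLE_CODES = [
    "32001234 00011234",  # 16-bit increment at 0x02001234 (type 0x30)
    "3A001234 00011234",  # 32-bit increment at 0x02001234 (type 0x38)
    "02098930 00000063",  # type 0x00, address 0x02098930 (constructed)
    "18001234 00000001",  # unknown type 0x18: skipped
]


def decode_all(lines):
    """Decode a list of code lines, dropping the ones the handler would skip."""
    return [c for c in (parse_code_line(l) for l in lines) if c is not None]


if __name__ == "__main__":
    for code in decode_all(SAMPLE_CODES):
        print(f"type 0x{code.code_type:02X}  addr 0x{code.address:08X}  "
              f"value 0x{code.value:08X}")
```

Running it prints three decoded lines; the 0x18 line is dropped silently, which is exactly the behaviour the question was worried about (a 0x32 line lands on type 0x30 because the '2' belongs to the address, not the type).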


Posted: Wed Feb 28, 2007 8:33 am
Author: Kommunist (Joined: Mon Jan 29, 2007 2:23 pm; Posts: 313)
OK, I see. I misread the info. Thanks.


Posted: Wed Feb 28, 2007 8:42 am
Author: Kommunist (Joined: Mon Jan 29, 2007 2:23 pm; Posts: 313)
Parasyte wrote:
Here are some universal Activator codes which will work on all games:
......
......
To combine one or more buttons together, use bitwise AND:

(A | B) = (0001 | 0002) = 0003


I assume you wrote AND but meant ORR? That threw me off for a bit, lol.


Posted: Wed Feb 28, 2007 5:05 pm
Author: Parasyte (Krew (Admin); Joined: Sun Oct 01, 2006 9:26 pm; Posts: 3768; Title: All in a day's work.)
Ah, yes, of course I meant to write 'bitwise OR' ... That is what I get for copy-pasting from the AR universal activators post. I just missed changing that.

Posted: Thu Jun 07, 2007 1:01 pm
Author: kenobi (Kommunist; Joined: Tue Oct 10, 2006 9:32 am; Posts: 445)
I'm finally able to get some hacking going on for the CBDS.
Not quite sure what would be useful though... So well, I just made one small hack for now.

This is a 'proof of concept', beta hack. Once entered, it allows you to execute custom ASM using code type 5. The base address of the code handler is in the F0 (m) code, and it's 0x023FC000 for the game I used (might be that for most/all games?):

Code:
CBDS CUSTOM ASM ROUTINE EXECUTE HACK (CBDS v1.0.1) :
123FC2EE 00009B02
123FC2F0 00001C98
123FC2F2 00000080
123FC2F4 00004440
123FC2F6 00004780
123FC308 000046C0
123FC312 0000189B


I used 16-bit codes because the CBDS's code handler is in Thumb, and its alignment could change depending on the (m) code.

With this hack, you then have:

Code:
52000000 XXXXXXXX
02000000 00000000
ZZZZZZZZ ZZZZZZZZ
...

Xs = number of WORDS to execute (must be even).
Zs = ARM asm to be executed. Must finish with a bx to [ch address]+0x2F9.


Example (for SM64 v1.1), which gives 99 lives:

Code:
52000000 00000008
02000000 00000000
E3A04063 E59F200C
E5824000 E59F2000
E12FFF12 023FC2F9
02098930 00000000


Last edited by kenobi on Tue Jun 26, 2007 2:04 pm, edited 1 time in total.
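As an added example that is not part of kenobi's post, the following Python packs a list of ARM instruction words into the code format above and checks the rules the post states (even word count, a bx back to [ch address]+0x2F9). It reuses the SM64 v1.1 words and the 0x023FC000 base from the post; CH_BASE, check_routine and build_code_list are names chosen here. The return address is odd because the code handler runs in Thumb, so a bx with bit 0 set resumes it in Thumb state.

```python
# Added example (not from the thread): pack an ARM routine into the custom
# ASM code format described above and check the constraints the post states:
# the word count is even, and the routine ends with a bx back to
# [code handler base]+0x2F9 (odd address = Thumb return). CH_BASE and the
# SM64 words are taken from the post; the checker and its names are this
# example's own.

CH_BASE = 0x023FC000              # F0 (m) code value quoted in the post
RETURN_ADDR = CH_BASE + 0x2F9     # "[ch address]+0x2F9", Thumb bit set
BX_MASK, BX_OPCODE = 0x0FFFFFF0, 0x012FFF10   # ARM 'bx Rm' (cond in bits 28-31)


def is_bx(word: int) -> bool:
    """True if the 32-bit word encodes an ARM 'bx Rm' instruction."""
    return (word & BX_MASK) == BX_OPCODE


def check_routine(words: list) -> list:
    """Return the list of violations of the rules stated in the post (empty
    when the routine is acceptable)."""
    problems = []
    if len(words) % 2:
        problems.append("word count must be even")
    if not any(is_bx(w) for w in words):
        problems.append("routine never executes a bx")
    if RETURN_ADDR not in words:
        problems.append(f"return address 0x{RETURN_ADDR:08X} not in literal pool")
    return problems


def build_code_list(words: list) -> list:
    """Emit the code lines: '52000000 <count>', '02000000 00000000', then
    the routine words two per line. Raises if check_routine() complains."""
    problems = check_routine(words)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [f"52000000 {len(words):08X}", "02000000 00000000"]
    for i in range(0, len(words), 2):
        lines.append(f"{words[i]:08X} {words[i + 1]:08X}")
    return lines


# The 99-lives routine from the post (SM64 v1.1), as the worked input:
#   mov r4, #0x63        ; 99
#   ldr r2, =0x02098930  ; lives address, loaded from the pool (pc+8+0xC)
#   str r4, [r2]
#   ldr r2, =0x023FC2F9  ; return address, loaded from the pool
#   bx r2
SM64_99_LIVES = [0xE3A04063, 0xE59F200C, 0xE5824000, 0xE59F2000,
                 0xE12FFF12, 0x023FC2F9, 0x02098930, 0x00000000]

if __name__ == "__main__":
    print("\n".join(build_code_list(SM64_99_LIVES)))
```

The output reproduces the six code lines of the SM64 example line for line; dropping the final padding word makes check_routine() report the odd word count instead of emitting a broken list.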

Posted: Sun Jun 10, 2007 9:27 am
Author: Hiei-YYH (Kommunist; Joined: Sun May 27, 2007 7:43 pm; Posts: 775; Location: Makai; Title: The HENTAI M@ster)
kenobi wrote:
I'm finally able to get some hacking going on for the CBDS.
Not quite sure what would be useful though... So well, I just made one small hack for now.

This is a 'proof of concept', beta hack. Once entered, it allows you to execute custom ASM using code type 5. The base address of the code handler is in the F0 (m) code, and it's 0x023FC000 for the game I used (might be that for most/all games?):

Code:
CBDS CUSTOM ASM ROUTINE EXECUTE HACK :
123FC2EE 00009B02
123FC2F0 00001C98
123FC2F2 00000080
123FC2F4 00004440
123FC2F6 00004780
123FC308 000046C0
123FC312 0000189B


I used 16-bit codes because the CBDS's code handler is in Thumb, and its alignment could change depending on the (m) code.

With this hack, you then have:

Code:
52000000 XXXXXXXX
02000000 00000000
ZZZZZZZZ ZZZZZZZZ
...

Xs = number of WORDS to execute (must be even).
Zs = ARM asm to be executed. Must finish with a bx to [ch address]+0x2F9.


Example (for SM64 v1.1), which gives 99 lives:

Code:
52000000 00000008
02000000 00000000
E3A04063 E59F200C
E5824000 E59F2000
E12FFF12 023FC2F9
02098930 00000000



Hum, interesting, I didn't know about that one :) thanks kenobi.


But tell me something about these custom ASM executions: when you change a register, does it change in the game itself or in the CB one? I don't get this part... because changing registers can be dangerous sometimes XD, except if you are executing from the source address.

What I mean is:
mov r4,0x63 < is r4 being executed by the CBDS itself or by the game?

_________________
DO NOT send me code requests/conversions via pm. I DON'T GIVE PERMISSION, READ THE FUCKING RULES.
I Hate You So Much!!! Fuck & Peace!

Everyone has AIDS!
My grandma and my dog 'ol blue
My father
My sister
My uncle and my cousin and her best friend
The pope has got it and so do you.


My SITE

My Official Code Breaker DS Codes


Posted: Sun Jun 10, 2007 9:14 pm
Author: kenobi (Kommunist; Joined: Tue Oct 10, 2006 9:32 am; Posts: 445)
The asm routine is executed inside the code handler, like the AR hack I made.
It has the same advantages (the biggest being not having to worry about free space)/disadvantages.
So the registers are used by the CBDS (and I believe some are still used by the game - the code handler being in Thumb, I suspect it doesn't push registers r8-r12). In my example I used some registers whose values are overwritten at the end of the code type 5 execution, so changing their values before its end wouldn't 'break' anything, but obviously changing other registers would have a bad impact on the CBDS code handler execution (normally I should have pushed/popped the registers, but I was running short of time and these ones were available).
Later I'll post some info on the 'free/used' registers, and some code to disable the hack.


Posted: Tue Jun 12, 2007 9:50 am
Author: Hiei-YYH (Kommunist; Joined: Sun May 27, 2007 7:43 pm; Posts: 775; Location: Makai; Title: The HENTAI M@ster)
kenobi wrote:
The asm routine is executed inside the code handler, like the AR hack I made.
It has the same advantages (the biggest being not having to worry about free space)/disadvantages.
So the registers are used by the CBDS (and I believe some are still used by the game - the code handler being in Thumb, I suspect it doesn't push registers r8-r12). In my example I used some registers whose values are overwritten at the end of the code type 5 execution, so changing their values before its end wouldn't 'break' anything, but obviously changing other registers would have a bad impact on the CBDS code handler execution (normally I should have pushed/popped the registers, but I was running short of time and these ones were available).
Later I'll post some info on the 'free/used' registers, and some code to disable the hack.


Oh, about the bx thing...

An example:

ldr r0,=$02099E1C
ldr r0,[r0]
ldr r1,=$0000270F
strh r1,[r0]

In this case, I must bx to where? I'm a bit confused about this right now.

Must finish with a bx to [ch address]+0x2F9

Posted: Wed Jun 13, 2007 2:39 pm
Author: kenobi (Kommunist; Joined: Tue Oct 10, 2006 9:32 am; Posts: 445)
Yes, you'll just have to bx to [ch address]+0x2F9, which usually is equal to 0x023FC2F9.
Also, I would recommend you push/pop the registers you use. Or use r4 and r2.


Posted: Wed Jun 13, 2007 3:44 pm
Author: Hiei-YYH (Kommunist; Joined: Sun May 27, 2007 7:43 pm; Posts: 775; Location: Makai; Title: The HENTAI M@ster)
kenobi wrote:
Yes, you'll just have to bx to [ch address]+0x2F9, which usually is equal to 0x023FC2F9.
Also, I would recommend you push/pop the registers you use. Or use r4 and r2.


But isn't push/pop in Thumb? So I'd have to assemble in Thumb mode... or just use r2 and r4 as you said. Now the question: why are r2 and r4 safer than the other registers?

ldr r2,=$02099E1C
ldr r2,[r2]
ldr r4,=$0000270F
strh r4,[r2]
ldr r2,=$023FC2F9
bx r2


So, this would be:

52000000 0000000A < can the address be anything? Since 02000000 generally contains game code... just curiosity.
02000000 00000000
E59F4010 E59F2010
E4B22000 E0E240B0
E59F2008 E12FFF12
0000270F 02099E1C
023FC2F9 00000000

Posted: Wed Jun 13, 2007 9:06 pm
Author: kenobi (Kommunist; Joined: Tue Oct 10, 2006 9:32 am; Posts: 445)
Push/pop should work fine in ARM.

R2 and R4 are safe because the code handler 'destroys' them after the asm routine is executed, so it doesn't matter if their values changed.

I'll try to work on the CBDS this weekend, to add a list of the registers' contents and the 'turn off' code, but I'm a bit sick right now (got angina), and I'm not sure how it'll evolve...


Posted: Thu Jun 14, 2007 8:46 am
Author: Hiei-YYH (Kommunist; Joined: Sun May 27, 2007 7:43 pm; Posts: 775; Location: Makai; Title: The HENTAI M@ster)
kenobi wrote:
Push/pop should work fine in ARM.


Just in ARM9? Because my ARM7 assembler can't seem to assemble push/pop in ARM mode... nor have I seen a game with push/pop in ARM mode... what's the hex instruction value for push/pop? (like E59F for ldr etc...)

Or are you talking about the stmia and ldmia ones?

Hope you get well soon.

Posted: Thu Jun 14, 2007 11:22 am
Author: kenobi (Kommunist; Joined: Tue Oct 10, 2006 9:32 am; Posts: 445)
E92D.... for push (= STMDB [r13]!,...).
E8BD.... for pop (= LDMIA [r13]!,...).

And the assembler I have accepts push/pop without any problem (you can download it here).
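An added Python example (not kenobi's assembler or any code from the thread) that assembles and disassembles the two opcodes above. STMFD sp! is the same instruction as STMDB r13! (E92D....) and LDMFD sp! the same as LDMIA r13! (E8BD....); the low 16 bits are a register bitmask, one bit per register r0..r15. The function names are this example's own; the {r2, r4} words it produces, E92D0014 and E8BD0014, match the assembled listing Hiei-YYH posts later in the thread.

```python
# Added example (not from the thread): assemble and disassemble the ARM-state
# push/pop forms named above, STMFD sp!,{...} (= STMDB r13!, opcode E92D....)
# and LDMFD sp!,{...} (= LDMIA r13!, opcode E8BD....). Bits 0..15 are a
# register bitmask. Function names are this example's own.

STMFD_SP = 0xE92D0000   # cond=AL, STMDB with writeback, Rn = sp (r13)
LDMFD_SP = 0xE8BD0000   # cond=AL, LDMIA with writeback, Rn = sp (r13)


def reglist_mask(regs: list) -> int:
    """Register list [2, 4] (i.e. {r2, r4}) -> bitmask 0x14."""
    mask = 0
    for r in regs:
        if not 0 <= r <= 15:
            raise ValueError(f"r{r} is not an ARM register")
        mask |= 1 << r
    return mask


def push(regs: list) -> int:
    """Encode 'stmfd sp!, {regs}' (the ARM-mode push)."""
    return STMFD_SP | reglist_mask(regs)


def pop(regs: list) -> int:
    """Encode 'ldmfd sp!, {regs}' (the ARM-mode pop)."""
    return LDMFD_SP | reglist_mask(regs)


def disassemble_stack_op(word: int) -> str:
    """Render a push/pop word back to its mnemonic, e.g. 'stmfd sp!, {r2, r4}'."""
    base = word & 0xFFFF0000
    if base == STMFD_SP:
        mnemonic = "stmfd"
    elif base == LDMFD_SP:
        mnemonic = "ldmfd"
    else:
        raise ValueError(f"0x{word:08X} is not an AL stmfd/ldmfd sp! instruction")
    regs = ", ".join(f"r{r}" for r in range(16) if word & (1 << r))
    return f"{mnemonic} sp!, {{{regs}}}"


if __name__ == "__main__":
    # {r2, r4} is the pair pushed and popped in the later assembled listing.
    for w in (push([2, 4]), pop([2, 4])):
        print(f"{w:08X}  {disassemble_stack_op(w)}")
```

Because the mnemonic pairs are synonyms (stack view versus addressing-mode view of the same encoding), an assembler that "fixes" stmfd into stmdb at assembly time is not changing the instruction at all.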


Posted: Thu Jun 14, 2007 3:30 pm
Author: Hiei-YYH (Kommunist; Joined: Sun May 27, 2007 7:43 pm; Posts: 775; Location: Makai; Title: The HENTAI M@ster)
kenobi wrote:
E92D.... for push (= STMDB [r13]!,...).
E8BD.... for pop (= LDMIA [r13]!,...).

And the assembler I have accepts push/pop without any problem (you can download it here).


Thanks for the assembler. I use stmfd sp!,{rx} to store and ldmfd sp!,{rx} to load. Something wrong maybe? XD since you used r13

Again, thanks.

Edit: I tried the assembler

stmfd sp!,{r2,r3}
ldr r2,=$02001848
ldr r2,[r2]
ldr r3,=$00000364
add r2, r2, r3
ldr r3,=$03E703E7
str r3,[r2]
str r3,[r2,#4]
ldr r3,=$000001B4
sub r2, r2, r3
mov r3,#02
strb r3,[r2]
ldmia sp!,{r2,r3}
mov r3,#4000000
b $03002D04

error:
source.s: Assembler messages:
source.s:19: Error: invalid constant (3d0900) after fixup

lol, I can't figure out what it is. I guess there's something wrong with my code?

This is the original from the ARMStrong ARM assembler:

@textarea 0x03002D00
b 0x03007000
@endarea

@textarea 0x03007000
stmfd sp!,{r2,r3}
ldr r2,=$02001848
ldr r2,[r2]
ldr r3,=$00000364
add r2, r2, r3
ldr r3,=$03E703E7
str r3,[r2]
str r3,[r2,0x4]
ldr r3,=$000001B4
sub r2, r2, r3
mov r3,0x02
strb r3,[r2]
ldmfd sp!,{r2,r3}
mov r3,0x4000000
b 0x03002D04
@endarea

Edit 2: OK, this is what's making the error > mov r3,#4000000

Dunno why XD

NOTE: this is for a GBA game lol. ASM hacks on GBA with CBA? That's the first one, I think :P

Most (if not all) ARM code in GBA games is executed from IRAM or WRAM; that's where I hooked my code... funny it works >:P

the code:
7200180C 0000
53002D00 0002
0133A0E3 0000
7200180C 0001
53002D00 0002
BE1000EA 0000
7200180C 0001
53007000 0027
0C002DE9 3020
9FE50020 B2E4
2C309FE5 0320
82E02830 9FE5
0030A2E4 0430
82E52030 9FE5
032042E0 0230
A0E30030 E2E4
0C00BDE8 0133
A0E331EF FFEA
48180002 6403
0000E703 E703
B4010000 0000

Last edited by Hiei-YYH on Thu Jun 14, 2007 6:28 pm, edited 2 times in total.

Posted: Thu Jun 14, 2007 5:48 pm
Author: Parasyte (Krew (Admin); Joined: Sun Oct 01, 2006 9:26 pm; Posts: 3768; Title: All in a day's work.)
The mnemonics for push/pop in ARM mode are STMFD SP!/LDMFD SP!, respectively.

Example:
Code:
.org 0
.text
.arm
stmfd   sp!, {r4-r6}
...
ldmfd   sp!, {r4-r6}
bx      lr


Further, r0-r3 and r12 are volatile registers (you should be able to clobber these at almost any time for any reason). I disagree with any hacks that make any of these registers non-volatile (meaning they must be backed up before use).

And your syntax is a huge mess. Immediate values need to be preceded with a hash mark (#); you should use the 0x identifier for hex, not $; all hexadecimal values should be padded with 0's up to two, four, or eight digits; you need to pool your PC-relative loads with a .pool pseudo-instruction; and r3 does not need to be pushed nor popped since you just clobber it at the end with 'mov r3, #0x04000000', nor should it or r2 need to be pushed because they are both volatile registers as explained above.

Posted: Thu Jun 14, 2007 6:21 pm
Author: Hiei-YYH (Kommunist; Joined: Sun May 27, 2007 7:43 pm; Posts: 775; Location: Makai; Title: The HENTAI M@ster)
Parasyte wrote:
The mnemonics for push/pop in ARM mode are STMFD SP!/LDMFD SP!, respectively.

Example:
Code:
.org 0
.text
.arm
stmfd   sp!, {r4-r6}
...
ldmfd   sp!, {r4-r6}
bx      lr


Further, r0-r3 and r12 are volatile registers (you should be able to clobber these at almost any time for any reason). I disagree with any hacks that make any of these registers non-volatile (meaning they must be backed up before use).

And your syntax is a huge mess. Immediate values need to be preceded with a hash mark (#); you should use the 0x identifier for hex, not $; all hexadecimal values should be padded with 0's up to two, four, or eight digits; you need to pool your PC-relative loads with a .pool pseudo-instruction; and r3 does not need to be pushed nor popped since you just clobber it at the end with 'mov r3, #0x04000000', nor should it or r2 need to be pushed because they are both volatile registers as explained above.


Fixed the textarea thing; this is correct > @textarea 0x03002D00, not @textarea $03002D00
And the stmfd/ldmfd, yes, I mean those ones; the assembler fixed it at assembly anyway. At least that's what VBA showed me.

Take that game and try to hook anywhere without backing up registers and you'll see what you get lol. Like I said, this is a GBA game. There's no place to hook besides the ROM area that makes it 100% crash free. If I don't back up those registers (OK, except r3 :lol: ) the game will crash for sure, as I already tested this code a lot, and since CBA doesn't support ROM patching... guess what.
Anyway, all those syntaxes that I used there are compatible with ARMStrong's assembler.

Just to clarify, I picked a random spot in RAM that the game reads a lot (like always), and did a subroutine. Since the game's coding for the LIFE is stored in ROM, that's the only thing I could do to use ASM hacks in CBA.

But say, that was smart, wasn't it? :P

Posted: Sat Jun 16, 2007 7:40 am
Author: Zeld (Komrade; Joined: Tue Mar 27, 2007 10:18 am; Posts: 1328)
I thought the mnemonics for push/pop were stmdb/ldmia?

Does stmfd/ldmfd do the same thing? I know stmdb decrements the address to store to before storing just like push does, and ldmia increments it after loading just like pop. I'm not sure of what full descending does because I only ever used push and pop.

Also, Hiei, I noticed your "mov r3,#4000000" didn't use "0x". 4000000 in decimal is 0x3D0900, which is why it was saying invalid constant - 0x3D0900 has too many significant bits.

I trust you corrected it with the proper 0x designation, because having only one significant bit would assemble just fine ;)

Edit: DAMN, that assembler works well. Well, it's the same assembler that I already used. But the program kenobi wrote to go with it that converts ASM into AR format is just win.
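To show why the constant Zeld points out is rejected, here is an added Python example (not Zeld's or kenobi's code) of the ARM data-processing immediate rule: the operand must be an 8-bit value rotated right by an even amount, so 4000000 decimal (0x3D0900) cannot be encoded while 0x04000000 can. encode_mov_imm and arm_immediate are this example's own names; the word it produces for mov r3,#0x04000000 is E3A03301, which is what appears byte-swapped (0133A0E3) in Hiei-YYH's CBA listing above.

```python
# Added example (not from the thread): the ARM data-processing immediate is
# an 8-bit value rotated right by 2*rot (rot = 0..15). 'mov r3,#4000000'
# (decimal, = 0x3D0900) has too many significant bits and is rejected;
# 'mov r3,#0x04000000' is 0x01 rotated right by 6 and assembles. Names are
# this example's own; rotations are tried from 0 up, the usual assembler rule.

from typing import Optional


def rotate_left32(value: int, bits: int) -> int:
    """Rotate a 32-bit value left by 'bits' (0..31)."""
    value &= 0xFFFFFFFF
    return ((value << bits) | (value >> (32 - bits))) & 0xFFFFFFFF


def arm_immediate(value: int) -> Optional[tuple]:
    """Return (rotate_field, imm8) such that value == ror(imm8, 2*rotate_field),
    or None when the constant cannot be expressed that way."""
    value &= 0xFFFFFFFF
    for rot in range(16):
        imm8 = rotate_left32(value, 2 * rot)   # undo the right rotation
        if imm8 < 0x100:
            return rot, imm8
    return None


def encode_mov_imm(rd: int, value: int) -> Optional[int]:
    """Encode 'mov rd, #value' (cond=AL, flags not set) or None if the constant
    is not encodable. Layout: E3A0 | Rd<<12 | rot<<8 | imm8."""
    enc = arm_immediate(value)
    if enc is None:
        return None
    rot, imm8 = enc
    return 0xE3A00000 | (rd << 12) | (rot << 8) | imm8


if __name__ == "__main__":
    samples = (("#4000000", 4000000), ("#0x04000000", 0x04000000),
               ("#0x63", 0x63), ("#0x3D0900", 0x3D0900))
    for text, value in samples:
        word = encode_mov_imm(3, value)
        shown = "invalid constant" if word is None else f"{word:08X}"
        print(f"mov r3, {text:<12} -> {shown}")
```

mov r4,#0x63 from kenobi's SM64 example encodes to E3A04063 with the same function (rotation 0), which is a quick way to confirm the bit layout against a word already on the page.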

Posted: Sat Jun 16, 2007 8:24 am
Author: Hiei-YYH (Kommunist; Joined: Sun May 27, 2007 7:43 pm; Posts: 775; Location: Makai; Title: The HENTAI M@ster)
Zeld wrote:
I thought the mnemonics for push/pop were stmdb/ldmia?

Does stmfd/ldmfd do the same thing? I know stmdb decrements the address to store to before storing just like push does, and ldmia increments it after loading just like pop. I'm not sure of what full descending does because I only ever used push and pop.

Also, Hiei, I noticed your "mov r3,#4000000" didn't use "0x". 4000000 in decimal is 0x3D0900, which is why it was saying invalid constant - 0x3D0900 has too many significant bits.

I trust you corrected it with the proper 0x designation, because having only one significant bit would assemble just fine ;)

Edit: DAMN, that assembler works well. Well, it's the same assembler that I already used. But the program kenobi wrote to go with it that converts ASM into AR format is just win.


kenobi's assembler is good, I just don't know the syntax; can anyone tell me?

Like the mov # things, and how to write to a specified address, like @textarea in ARMStrong's.

Posted: Sat Jun 16, 2007 11:37 am
Author: Zeld (Komrade; Joined: Tue Mar 27, 2007 10:18 am; Posts: 1328)
Here, I'll post a sample source.

This is my Item Cycle code for MKDS; it works perfectly with kenobi's assembler:

ldr r4, Counter
ldrb r3, [r4]
ldr r0, IOFetch
ldrh r1, [r0]
mov r2, #0x100
and r1, r1, r2
cmp r1, #0x0
beq There
mov r0, #0x0
strb r0, [r4, #0x1]
b NoIncrement
There:
ldrb r0, [r4, #0x1]
cmp r0, #0x1
beq NoIncrement
add r3, #0x1
mov r0, #0x1
strb r0, [r4, #0x1]
NoIncrement:
cmp r3, #0x12
moveq r3, #0x0
strb r3, [r4]
ldr r6, IOFetch
ldrh r6, [r6]
mov r0, #0x4
and r6, r6, r0
mov r2, #0x1
ldr r5, Base
ldr r5, [r5]
mov r0, #0x9
lsl r0, r0, #0x8
add r0, #0x74
add r0, r0, r5
ldr r0, [r0]
str r3, [r0, #0x10]
str r3, [r0, #0x14]
cmp r6, #0x0
streq r2, [r0]
mov r0, #0xb
lsl r0, r0, #0x8
add r0, #0x84
add r0, r0, r5
ldr r0, [r0]
str r3, [r0, #0x10]
str r3, [r0, #0x14]
cmp r6, #0x0
streq r2, [r0]
mov r0, #0xd
lsl r0, r0, #0x8
add r0, #0x94
add r0, r0, r5
ldr r0, [r0]
str r3, [r0, #0x10]
str r3, [r0, #0x14]
cmp r6, #0x0
streq r2, [r0]
mov r0, #0xf
lsl r0, r0, #0x8
add r0, #0xa4
add r0, r0, r5
ldr r0, [r0]
str r3, [r0, #0x10]
str r3, [r0, #0x14]
cmp r6, #0x0
streq r2, [r0]
bx lr
IOFetch:
.long 0x4000130
Counter:
.long 0x23fffe8

Base:
.long 0x217bc14

Always use # before immediates. Use .long/.short/.byte for 4, 2, and 1 byte literal designations, respectively. Labels should begin with a letter and not have too many matching ASCII characters with other labels. I don't think they're case sensitive.

Only use a colon after labels that are at the target location, as opposed to the "goto" position. Do not forget your colons! Don't forget to use 0x for hex designation either ;_;

kenobi's assembler will not read .thumb designations; it assembles all code as ARM (this means my aim bot source is not compatible with the assembler, but the standard assembler without his program works fine). .org ops (these are used to designate where the code should be stored) don't work either; the assembler sees them as unnecessary, and if you use them in the standard assembler without kenobi's program, it will actually make the hex dump size increase to match the address accordingly, which is a real pain. It's better to just assemble differently located pieces of code separately and insert them manually.

Posted: Sat Jun 16, 2007 3:44 pm
Author: kenobi (Kommunist; Joined: Tue Oct 10, 2006 9:32 am; Posts: 445)
Zeld wrote:
kenobi's assembler will not read .thumb designations; it assembles all code as ARM (this means my aim bot source is not compatible with the assembler, but the standard assembler without his program works fine). .org ops (these are used to designate where the code should be stored) don't work either.

Strange... I put
.thumb
ldr r0,[r0]

clicked assemble, and got this :
023FE074 012FFF11
E0000000 00000002
00006800 00000000 <- that is thumb
023FE074 E3520003

However the codes obviously will not work properly, because the hack does a bx to what must be an ARM instruction.

The .org seems to work for me too (however, I admit I put a .org 0 'hidden' in the proggy because I thought it was important, but I might have been wrong - I know very little about programming. See below):
.thumb
.org 0x10
ldr r0,[r0]
.org 0x20
str r0,[r0]

gives

023FE074 012FFF11
E0000000 00000022
00000000 00000000
00000000 00000000
00006800 00000000 <- 0x10
00000000 00000000
00006000 00000000 <- 0x20
023FE074 E3520003

More precisely, the program will add this to any asm routine before compiling:
.text
.org 0
.arm
_start:

I thought making them 'hidden' would avoid problems with people deleting them and 'crashing' the proggy for some reason. And I found it more convenient. But don't hesitate to let me know if any of these lines is unneeded or just plain wrong, or if it'd really be better if they fully appear in the program window.

Edit: I just remembered why I put .org 0. As the tool's goal is to create AR codes using the ARDS hack, it is useless to use .org, as you won't choose where your asm will be put: it'll be somewhere inside the code list.


Posted: Sat Jun 16, 2007 4:23 pm
Author: Hiei-YYH (Kommunist; Joined: Sun May 27, 2007 7:43 pm; Posts: 775; Location: Makai; Title: The HENTAI M@ster)
I found it a bit confusing when I first looked at it... since I'm a bit used to the simple commands of ARMStrong...
But anyway, thanks for the sample Zeld :) I think now I got it right.

OK, let me see if I did it right:

stmfd sp!,{r2,r4}
ldr r2,basepointer
ldr r2,[r2]
ldr r4,baseoffsethp
add r2, r2, r4
ldr r4,lifemax
str r4,[r2]
ldmfd sp!,{r2,r4}
bx lr

basepointer:
.long 0x02099E1C
baseoffsethp:
.word 0x000002BC
lifemax:
.long 0x270F270F

023FE074 012FFF11
E0000000 00000030
E92D0014 E59F2018
E5922000 E59F4014
E0822004 E59F4010
E5824000 E8BD0014
E12FFF1E 02099E1C
000002BC 270F270F
023FE074 E3520003


Edit: OK, just to remind you guys that this topic is about CB and not ARDS :roll:
I'm asking CMX if he intends to add other code types, then I can suggest the custom asm ones.

Posted: Mon Jun 25, 2007 2:38 pm
Author: kenobi (Kommunist; Joined: Tue Oct 10, 2006 9:32 am; Posts: 445)
For your information, I compared the v1.1 and v2.0 CBDS code handlers, and even though the code types didn't change, there are some extra lines in the v2.0 code handler (to disable the WiFi interrupts - is that a protection to stop the hacking of WiFi games?) which make the whole code handler move a bit, so my "ASM ROUTINE EXECUTE HACK" won't work on the v2.0 CBDS (for now).


Posted: Tue Jun 26, 2007 8:53 am
Author: Zeld (Komrade; Joined: Tue Mar 27, 2007 10:18 am; Posts: 1328)
Hiei-YYH wrote:
stmfd sp!,{r2,r4}
ldr r2,basepointer
ldr r2,[r2]
ldr r4,baseoffsethp
add r2, r2, r4
ldr r4,lifemax
str r4,[r2]
ldmfd sp!,{r2,r4}
bx lr

basepointer:
.long 0x02099E1C
baseoffsethp:
.word 0x000002BC
lifemax:
.long 0x270F270F


I would have left the .word as .long, since it would still need to be 4 bytes to keep the proper alignment.

Hiei-YYH wrote:
023FE074 012FFF11
E0000000 00000030
E92D0014 E59F2018
E5922000 E59F4014
E0822004 E59F4010
E5824000 E8BD0014
E12FFF1E 02099E1C
000002BC 270F270F
023FE074 E3520003


But it looks like it assembled correctly anyway...I guess it doesn't matter, then...

On the topic of the altered CBDS code handler, is there any chance you could simply find the offset of the code handler addresses as a result of the interrupt disable and just change the address of the ASM hack?

How did you make that hack for the AR, anyhow? Where did you learn of the code handler's routines? It's not like you can plug in a Trainer Toolkit and dump it :\

Posted: Tue Jun 26, 2007 10:05 am
Author: kenobi (Kommunist; Joined: Tue Oct 10, 2006 9:32 am; Posts: 445)
Zeld wrote:
On the topic of the altered CBDS code handler, is there any chance you could simply find the offset of the code handler addresses as a result of the interrupt disable and just change the address of the ASM hack?


Well yes, I just have to compare the disassemblies of the v1.1 and v2.0 code handlers (I didn't do it before because I was a bit in a rush) to port the hack to v2.0: the offset is +0x0C.
That means the CBDS v2.0 asm hack is:
Code:
CBDS CUSTOM ASM ROUTINE EXECUTE HACK (CBDS v2.0.x) :
123FC2FA 00009B02
123FC2FC 00001C98
123FC2FE 00000080
123FC300 00004440
123FC302 00004780
123FC314 000046C0
123FC31E 0000189B


Also, here are the codes to 'disable' the hack :
Code:
CBDS DISABLE CUSTOM ASM ROUTINE EXECUTE HACK (CBDS v1.0.1) :
123FC2EE 00004B16
123FC2F0 00001C28
123FC2F2 00004018
123FC2F4 00009B02
123FC2F6 00004645
123FC308 000054A3
123FC312 00003301


Code:
CBDS DISABLE CUSTOM ASM ROUTINE EXECUTE HACK (CBDS v2.0.x) :
123FC2FA 00004B11
123FC2FC 00001C28
123FC2FE 00004018
123FC300 00009B02
123FC302 00004645
123FC314 000054A3
123FC31E 00003201



Zeld wrote:
How did you make that hack for the AR, anyhow? Where did you learn of the code handler's routines? It's not like you can plug in a Trainer Toolkit and dump it :\

For the AR, there are these upgrade files that are sitting in Datel's folder, which can - after being slightly modified - run in an emu. Then I scanned the asm manually, until I saw the code handler. But now that the TT is out, anyone can see/dump it by going to 0x023FE000.
For the CBDS, I made codes to make it 'compatible' with the TT, so I'm able to make ram dumps while the CBDS code handler is running.


Last edited by kenobi on Sat Aug 25, 2007 10:24 am, edited 1 time in total.

Posted: Tue Jun 26, 2007 8:02 pm
Author: Zeld (Komrade; Joined: Tue Mar 27, 2007 10:18 am; Posts: 1328)
Wait, the TT code handler and the AR code handler ARE the same?

I went to that offset and it looked like it was completely different...the disable ASM hack code didn't match up with the address I checked.

If I had known they were indeed the same code engine then I would be inventing code handling hacks of my own to minimize the need for custom ASM.

But like I said, the disabler's value didn't match what I saw at the corresponding address...and I don't recall getting any DS hack #4 type codes to work on my TT. :\

Is there an update I need or something?

Posted: Tue Jun 26, 2007 9:22 pm
Author: kenobi (Kommunist; Joined: Tue Oct 10, 2006 9:32 am; Posts: 445)
Zeld: No, the AR and TT code handlers are different. They don't use the same registers, and the biggest difference is that the TT code handler has more code types (C4/C5/C6). I'm using the AR v1.52. The AR code handler sits at 0x023FE000 (unless you're using a custom (m) code), the TT one is in the 0x08800000 area, and I made AR hacks for both. But I'm getting confused with your questions; I don't understand what the problem you're having is... At which offset did you go, and what was wrong there (which disable asm code didn't match the values you saw - please post it)?

Edit: Oh, I may get your problem. It's that you can't see the AR code handler as you booted it with the TT (so the AR code handler isn't 'installed' in memory), right? The way I used to 'see' the AR code handler was to boot the AR without the TT, then I used codes to enable the TT, plugged it in, and started the game. That way I could see the AR code engine at 0x023FE000, and create hacks for it.

Edit2: More technically, if I remember correctly, when the AR boots with the TT the AR code handler is installed in memory, but is a bit off compared to the AR code handler running without the TT. And when the AR boots with the TT, the AR code handler is not executed (it branches to the TT code handler).


On topic:
Here is a code to disable the CBDS v2.0 WiFi 'protection', so games using WiFi will work properly:
Disable CBDS WiFi protection (CBDS v2.0.0)
123FC07E 000046C0

(Actually the first part of the code is [code handler base address]+0x1000007E, where the CBDS ch base address is the second part of the F0 (m) code; and as the CBDS ch base address is usually 0x023FC000, that means 0x123FC07E should work in most cases.)


Last edited by kenobi on Wed Jun 27, 2007 10:19 pm, edited 3 times in total.

Posted: Tue Jun 26, 2007 9:40 pm
Author: Hiei-YYH (Kommunist; Joined: Sun May 27, 2007 7:43 pm; Posts: 775; Location: Makai; Title: The HENTAI M@ster)
kenobi wrote:
On topic :
Here is a code to disable the CBDS v2.0 WiFi 'protection', so games using WiFi will work properly :
Disable CBDS WiFi protection (CBDS v2.0.0)
123FC07E 000046C0


lol, that means... online cheating? :o

Posted: Wed Jun 27, 2007 11:37 am
Author: kenobi (Kommunist; Joined: Tue Oct 10, 2006 9:32 am; Posts: 445)
Yes, that's what it means.
However it seemed to me (but I didn't test it, so I might be wrong) that online cheating was already possible with the CBDS v1.0.1, as it didn't have any WiFi protection (or at least not in its code handler)...

