Action Replay Central :: View topic - How to hack codes
Official Forums of ARCentral.net
IRC: cookie.sorcery.net #ARCentral

How to hack codes


PostPosted: Wed Jun 29, 2005 1:51 pm   Post subject: How to hack codes
Fire In My Hole

Joined: Thu Jul 17, 2003 5:40 am
Posts: 13608
I'm bored, so I decided to post this topic. Anyone can pitch in, correct a person or whatever; just remember this is how WE find these things. It doesn't mean to say it's right or wrong, it just works for US.

Tip #1 How to hack a Simple Infinite Ammo/Stop Timer Code Using Simple ASM

I joined these up because in my experience the ASM used is usually exactly the same.

For infinite ammo, you will need to first find the normal address of a gun. Do this by normal searches of how much ammo you have in reserve (do it in hex), then once you have it, you can try out some ASM on it, which may just give you infinite ammo for EVERY gun.

Once you have the address, go into the breakpoints tab, and set a breakpoint write onto the address you got for your ammo in your current gun. Set the breakpoint and fire your gun; it should now break and display lots of info in the window below.

The address that breaks usually has a stw command. This means store word. Once your address has hit, go into the disassembler tab, and it should now be displaying the address that hits. This isn't the address you want. Every time I've hacked these codes, the address you want is directly above the stw address, or nearby, so click the up tab.

You now should see an address, and a value, and hopefully a sub command. This is the address you want. The value for the address may look like this -

80124AD8 3803FFFF sub r0 r3 1

Something like that. What this is doing is this: when you fire your gun, this address subtracts 1 bullet, and we don't want that to happen, do we?
Here is how to stop it: the FFFF part is what's subtracting 1 bullet, and we want it to subtract 0 bullets when we fire, right? Simple, then: change the FFFF to 0000, so the code will look like this -

80124AD8 38030000 add r0 r3 0

Notice it's changed to an add? Well, when you fire it's now adding 0 bullets to your gun, but it's also not taking any away either. Congrats, you now have unlimited bullets.

If you want the game to give you 1 bullet every time, well, that's easy too: just change the 0000 part to 0001, so it now looks like this -

80124AD8 38030001 add r0 r3 1

You can alter the 0000 part so it gives you whatever amount of bullets you want when you fire. You can also just give your guns loads of ammo from the start by inputting a li, then whatever, into the mix, which would usually be -

80124AD8 380003E7 li r0 999

Or something like that. The ASM probably isn't accurate, but it's near enough; what that code does is load immediate 03E7.

Sometimes however it won't be done like this. It will still say sub....whatever, but it will have a different value (normally it starts with 7C something or whatever). For this I usually just nop the address; the value for that is 60000000, so the code would look like this -

80124AD8 60000000 nop

Timers are exactly the same. When you find it, use the exact same principles: if the timer is counting down it will say sub rX rX 1 or whatever; if it's going up, and you want it to stay at zero, it will say add rX rX 1, and the best way to treat that code is with a load immediate zero.

Make sense?

Things don't always go to plan though, and sometimes it may not look like any of the above. But if an address breaks, and you scroll up one, and you see the sub command mixed in, or a letter then sub, or add, then try nopping that address and see what happens.


Last edited by Yamishira on Tue Sep 20, 2005 10:34 am, edited 3 times in total.
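Added example (not from the thread or any poster): a small decoder for the 32-bit PowerPC instruction words quoted in Tip #1, showing what the hex values actually encode (3803FFFF is addi r0, r3, -1, which the post reads as "sub r0 r3 1"; 60000000 is ori r0, r0, 0, the canonical nop) and how changing the immediate field produces the 38030000 / 38030001 / 380003E7 variants. Only the D-form addi and ori encodings are handled; the function names are mine.

```python
# Added example, not the thread's own code. Decodes and patches the D-form
# PowerPC words used in Tip #1 (addi / li / nop). Fields of a D-form word:
#   bits 0-5 opcode, 6-10 rD (or rS), 11-15 rA, 16-31 16-bit immediate.
OP_ADDI = 14
OP_ORI = 24
NOP = 0x60000000        # ori r0, r0, 0


def fields(word):
    """Split a 32-bit D-form word into (opcode, rD/rS, rA, imm16)."""
    word &= 0xFFFFFFFF
    return (word >> 26) & 0x3F, (word >> 21) & 0x1F, (word >> 16) & 0x1F, word & 0xFFFF


def signed16(imm):
    return imm - 0x10000 if imm & 0x8000 else imm


def decode(word):
    """Mnemonic for the addi/ori forms that appear in the post."""
    op, rd, ra, imm = fields(word)
    if op == OP_ADDI:
        simm = signed16(imm)
        if ra == 0:                 # addi rD, 0, imm is the 'li' pseudo-op
            return f"li r{rd}, {simm}"
        if simm < 0:                # negative immediate: the post's 'sub rX rY n'
            return f"subi r{rd}, r{ra}, {-simm}"
        return f"addi r{rd}, r{ra}, {simm}"
    if op == OP_ORI:
        if rd == 0 and ra == 0 and imm == 0:
            return "nop"            # 0x60000000
        return f"ori r{ra}, r{rd}, {imm}"
    return f".long 0x{word:08X}"    # anything else: leave as raw data


def with_simm(word, simm):
    """Replace the immediate field (what the post calls 'the FFFF part')."""
    if not -0x8000 <= simm <= 0x7FFF:
        raise ValueError("immediate does not fit in 16 signed bits")
    return (word & 0xFFFF0000) | (simm & 0xFFFF)


def li(rd, value):
    """Build 'li rD, value' the way the post builds 380003E7 (li r0, 999)."""
    if not -0x8000 <= value <= 0x7FFF:
        raise ValueError("li only takes a 16-bit signed immediate")
    return (OP_ADDI << 26) | (rd << 21) | (value & 0xFFFF)


def ar_line(addr, word):
    """Format an address/value pair the way the thread lists them."""
    return f"{addr:08X} {word:08X}"


if __name__ == "__main__":
    ammo_addr = 0x80124AD8            # address quoted in the post
    original = 0x3803FFFF             # takes one bullet away per shot
    print(ar_line(ammo_addr, original), decode(original))
    for simm in (0, 1):               # 0 bullets per shot, then +1 per shot
        patched = with_simm(original, simm)
        print(ar_line(ammo_addr, patched), decode(patched))
    print(ar_line(ammo_addr, li(0, 999)), decode(li(0, 999)))
    print(ar_line(ammo_addr, NOP), decode(NOP))
```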
PostPosted: Thu Jun 30, 2005 2:32 pm   Post subject:
Hero of Legend

Joined: Sat Mar 13, 2004 11:47 pm
Posts: 2076
Location: Milwaukee
I'm going to sticky this, sir, would that be ok with you? Then everyone can add their own tidbits throughout time. :)

PS: Excellent reference, I'm spending a lot of my time now learning basic ASM writes, but seeing an actual example helped. :D
PostPosted: Thu Jun 30, 2005 2:45 pm   Post subject:
Fire In My Hole

Joined: Thu Jul 17, 2003 5:40 am
Posts: 13608
Go for it.
PostPosted: Fri Jul 01, 2005 12:22 pm   Post subject:
Hero of Legend

Joined: Sat Mar 13, 2004 11:47 pm
Posts: 2076
Location: Milwaukee
Viola! :lol: :)

Thanks again, Jay007, I'm going to try some hacking this evening once I get PSO from my friend (Chaching!!). :D
PostPosted: Thu Jul 07, 2005 11:53 am   Post subject:
Fire In My Hole

Joined: Thu Jul 17, 2003 5:40 am
Posts: 13608
Tip #2 Writing to an address blocked by ASM

Sometimes you may come across addresses that, when poked with GCNrd, aren't actually poked when you view them via the memory viewer. But why is this?

There is ASM writing to this section, that's why, so every time you try and write to this address, it's blocked. So how do we write to these addresses?

Simple really. Set a breakpoint write on the address you can't poke, and it should hit straight away. The asm that hits may have a command like stw, or something; well, what we want to do is nop that address.

So say we're trying to write to address 80456678, but can't because of ASM. The address that hit is 801B4474; we'll need to nop this address first before we can write to that address.

So we need to do this -

Poke - 801B4474 60000000

Now go back to address 80456678, and try poking something to it, and it should work. If it doesn't, then set another breakpoint write and it should break again; nop the address that hits as well, and try again.

Remember you will need to include whatever addresses you nopped in the final AR code, or it still won't work.
PostPosted: Sat Jul 09, 2005 5:30 pm   Post subject:
Smash Member (100-150)

Joined: Sat Oct 23, 2004 12:01 am
Posts: 119
Do you have any decent PowerPC assembly language references? I've looked around, but they all seem to be missing a lot of instructions/pseudoinstructions/whatnot. I see all these tutorials everywhere, but no references. I'm just wondering if there's something that lists all of the instructions, and maybe even a table that lists all their opcodes/functs too...that would be even more awesome.
PostPosted: Mon Jul 11, 2005 2:20 am   Post subject:
Smash Member (100-150)

Joined: Thu Jan 29, 2004 4:38 am
Posts: 129
Location: Kobe
djwang88 wrote:
Do you have any decent PowerPC assembly language references? I've looked around, but they all seem to be missing a lot of instructions/pseudoinstructions/whatnot. I see all these tutorials everywhere, but no references. I'm just wondering if there's something that lists all of the instructions, and maybe even a table that lists all their opcodes/functs too...that would be even more awesome.


Here
PostPosted: Mon Jul 11, 2005 4:33 pm   Post subject:
Smash Member (100-150)

Joined: Sat Oct 23, 2004 12:01 am
Posts: 119
Whoa.

Thanks.

Hrm. Are there any register conventions that I should use? Like, are there certain temporary registers? And what's the stack pointer? If I'm writing some new code, I have to push registers I'm going to overwrite onto the stack, right?

Also, how does branching work? Say I want to check if r0 is equal to 1, and branch if it does.

cmpwi r0, 1
beq 0xDEADBEEF (or whatever)

Is that right? That huge documentation says that I need to specify a CR register to put the compare in, but disassembled code doesn't seem to do that. Yeah, this is a bit confusing...
PostPosted: Sun Jul 17, 2005 1:43 am   Post subject:
Metal Member (150-200)

Joined: Fri Aug 08, 2003 10:25 pm
Posts: 159
Location: New Zealand
You shouldn't change r0 or r1 I've been told. But whatever ones you do use it's probably a good idea to write a quick ASM code to change them to something different and see if the game still runs :]
Don't know anything about the stack pointer. And nothing about moving registers into the stack either.
The compare you've got there should work. And in case you didn't already know, the value after the branch should be the offset from the address that command is stored at, to where the branch is branching to. :|
In your example if the beq is at 80002000 then if cmpwi r0,1 is true the branch will branch to (0xDEADBEEF + 0x2000).
_________________
~ Jay
Zelda Chaos
PostPosted: Sun Jul 17, 2005 3:27 pm   Post subject:
Hero of Time

Joined: Sun Nov 02, 2003 9:33 pm
Posts: 1139
Location: Saint Paul, MN
The stack pointer is r1. I believe you're allowed to use an address < the stack pointer for temporary storage (normally of registers, including the link register). If you only need one register, you can do a simple stw r2,r1(-4) and lwz r2,r1(-4), if those are the actual instructions. I don't remember seeing anyone use the stack for arguments or return value in ppc, thankfully.

Like I seem to recall saying in a private conversation, if you're doing one of those things where you insert a branch in normal code, your best bet is probably to look at the asm you're branching from and find a register whose value gets thrown away. You might even move the branch point (to, say, after it saves the registers to the stack and before it overwrites them), to make this possible.

Jay's thing about writing a quick asm code and making sure the game still runs is very good advice. It's good to do these in many steps so you know exactly where it went wrong when it does.

And I think you have to explicitly make your branches relative (otherwise the assembler takes them as absolute, but it fails to generate correct machine code because it doesn't have an accurate source address). To do this, you'll want to subtract the address in memory where that instruction will go from your destination address (so calculate destination - source) and put that value in, with a + or -, like this:
beq +0x08
I know it's a hassle, but sadly it's necessary (there might actually be a way to make the assembler do subtraction for you but I can't remember how that stuff works).
PostPosted: Wed Jul 20, 2005 3:08 pm   Post subject:
Smash Member (100-150)

Joined: Sat Oct 23, 2004 12:01 am
Posts: 119
Ohh...I think I see why my code froze the game now...I was using absolute addresses for branches and putting a little minus because I wasn't actually sure what I was supposed to put. That might explain it. I thought I was supposed to use PC-relative addressing, but other branches didn't seem to do it, so I went and tried to copy what some sample disassembled assembly did.

All right, thanks.
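Added example (not from the thread or any poster) for the branch discussion above: it encodes cmpwi/beq/b words from a source address and a target address, using the displacement = target - source rule described in the replies, and resolves a branch word back to the absolute target a disassembler prints (which is why disassembled code looks like it uses absolute addresses). It also shows that an absolute address such as 0xDEADBEEF does not fit the displacement field at all. Function names are mine; the encodings are the standard PowerPC B-form, I-form and D-form layouts.

```python
# Added example, not the thread's own code. PowerPC branch encodings:
#   bc (B-form): opcode 16 | BO | BI | 14-bit BD (x4) | AA | LK
#   b  (I-form): opcode 18 | 24-bit LI (x4)          | AA | LK
# Displacements are relative to the branch instruction's own address.
OP_BC = 16
OP_B = 18
BO_TRUE = 12      # branch if the selected CR bit is set
BI_CR0_EQ = 2     # bit 2 of cr0 is EQ; cmpwi with no crfD given writes cr0


def bc_word(bo, bi, disp):
    """Conditional branch with a 16-bit signed, word-aligned displacement."""
    if disp % 4 or not -0x8000 <= disp <= 0x7FFC:
        raise ValueError(f"displacement {disp:#x} does not fit a bc instruction")
    return (OP_BC << 26) | (bo << 21) | (bi << 16) | (disp & 0xFFFC)


def b_word(disp):
    """Unconditional branch with a 26-bit signed, word-aligned displacement."""
    if disp % 4 or not -0x2000000 <= disp <= 0x1FFFFFC:
        raise ValueError(f"displacement {disp:#x} does not fit a b instruction")
    return (OP_B << 26) | (disp & 0x03FFFFFC)


def beq_to(source, target):
    """'beq target' placed at address source: the field holds target - source."""
    return bc_word(BO_TRUE, BI_CR0_EQ, target - source)


def b_to(source, target):
    return b_word(target - source)


def cmpwi(ra, simm):
    """cmpwi rA, simm (opcode 11, crfD = 0, result in cr0)."""
    return (11 << 26) | (ra << 16) | (simm & 0xFFFF)


def branch_target(source, word):
    """Absolute target a disassembler would show for a branch word at source."""
    op = word >> 26
    if op == OP_BC:
        disp = word & 0xFFFC
        if disp & 0x8000:
            disp -= 0x10000
    elif op == OP_B:
        disp = word & 0x03FFFFFC
        if disp & 0x02000000:
            disp -= 0x04000000
    else:
        raise ValueError("not a branch instruction")
    if word & 2:                       # AA bit: displacement is absolute
        return disp & 0xFFFFFFFF
    return (source + disp) & 0xFFFFFFFF


if __name__ == "__main__":
    at = 0x80002000                    # address used in the thread's example
    print(f"{at:08X} {cmpwi(0, 1):08X}  cmpwi r0, 1")
    word = beq_to(at + 4, at + 4 + 8)  # the 'beq +0x08' from the thread
    print(f"{at + 4:08X} {word:08X}  beq -> {branch_target(at + 4, word):08X}")
    try:
        bc_word(BO_TRUE, BI_CR0_EQ, 0xDEADBEEF - (at + 4))
    except ValueError as err:
        print("absolute address used as a displacement:", err)
```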
PostPosted: Tue Aug 09, 2005 12:19 am   Post subject:
Hero of Legend

Joined: Sat Mar 13, 2004 11:47 pm
Posts: 2076
Location: Milwaukee
Can someone give a basic guide on how to find "Infinite [something]" that is NOT represented in numbers, but rather a meter? Obviously, searching for steadily decreasing values, then making the meter go back up and then doing a search for a greater than last value search, but how would I go about starting that search? Like, what to use for the "meter is full" value?
PostPosted: Tue Aug 09, 2005 12:23 am   Post subject:
Shadow Hacker

Joined: Fri Jan 30, 2004 6:05 pm
Posts: 14872
Location: Hyrule
If you don't know what value to search for, always start the search with Unknown value and Equal.
_________________
My Game List
8-bit Link pwns you all!
PostPosted: Wed Aug 10, 2005 9:13 am   Post subject:
Fire In My Hole

Joined: Thu Jul 17, 2003 5:40 am
Posts: 13608
This may be inaccurate below. I can't recall if you need to set a bpr or a bpw. I don't think it matters, but maybe someone can correct me here.

How to make Pointer codes - Part I - Via Breakpoints

I haven't really figured out how you tell if an address would possibly move. Usually I base it on where it is in RAM; usually if it's high up (80A0 - 817F range) I almost immediately try and do an assembly workaround, or in this case a pointer, or struct write as it's called.

Anyway, locate the address in question, set a breakpoint read on this address (not sure if write gives different results), and the address should hopefully break.

In the results window you may see something like lw r0, r31, or something to that effect.

Look at the data currently being stored for r0 and r31. You should notice that r0 probably seems to store a value of some kind, while r31 looks like it's storing what looks like an address. Note this address down, and go back to the search tab.

Reset the search, along with the search parameter, and pop that address stored at r31 into the search field. Make sure the search is set to 32bit also, and search.

If you get lucky you may only get 1 result, the address displayed could well be the address you can use for your pointer code.

______________________________________________

How to make pointer codes - Part II - Via Manual searching

You may find the above search didn't yield any results. This is too bad for you I guess, but don't give up, there is another way to possibly get the result you're looking for.

You can try and manually search for an address to use, to act as your pointer address. You do this by manually searching for it; here's how.

Say the address for Jill's booby size is at address 803A4240, however you fully know this address moves depending on your location in the mansion, and rather than having to make 3000 codes for it, you want to find a pointer address for it, but my above suggestion failed.

Well okay, do a 32bit full parameter search for 803A42??. You may be asking why I put those ? symbols in. Well, searching for 803A42?? will make the GUI search for all addresses that have a value starting with 803A42, and give any results from it. We do this because we don't know what to look for, to get our pointer address. It may be that this search doesn't give you anything; if that's the case try broadening the search, by searching for 803A4???, and if that fails, broaden it again, etc.

Now from this you may find you have too many possibilities for the address you want. Well, note down the offset between the value stored at your pointer address, and the address of your code. Get the address to move (by going into another room or whatever), then do an unequal search, and see if those values have changed. If they have, then see if your offset still points to the correct place. If it does, you may have the address you need; if it doesn't, oh well. If there are too many results, repeat the process again.


Last edited by Yamishira on Wed Aug 10, 2005 9:28 am, edited 1 time in total.
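Added example (not from the thread or any poster) for Part II above: the wildcard search and the follow-up "did it move with the target?" check, run over two constructed memory snapshots, one taken with the moving data at 803A4240 and one after it has moved to 803A6240. Memory is modelled as a dict of address to 32-bit word, all values are made up, and the function names are mine.

```python
# Added example, not the thread's own code. Models the manual pointer search:
#   1. wildcard search for 32-bit words matching a prefix such as 803A42??
#   2. after the target moves, keep only candidates whose value changed AND
#      whose (new value + old offset) still lands on the moved target.
def matches_prefix(word, pattern):
    """'803A42??' style match: every non-? hex digit must agree."""
    return all(p == "?" or p == c for p, c in zip(pattern, f"{word:08X}"))


def wildcard_search(snapshot, pattern):
    """Addresses whose 32-bit value matches the pattern, in address order."""
    return sorted(a for a, w in snapshot.items() if matches_prefix(w, pattern))


def pointer_candidates(snap1, target1, snap2, target2, pattern):
    """Return [(pointer_address, offset)] that survive both steps of Part II."""
    found = []
    for addr in wildcard_search(snap1, pattern):
        offset = target1 - snap1[addr]      # offset from pointer value to target
        if offset < 0:
            continue                        # points past the target: not useful
        new_value = snap2.get(addr)
        if new_value is None or new_value == snap1[addr]:
            continue                        # the 'unequal' search: value must move
        if new_value + offset == target2:   # offset must still point at the data
            found.append((addr, offset))
    return found


SNAP1 = {  # constructed: moving data currently at 803A4240
    0x80301000: 0x803A4200,   # real pointer to the structure, data at +0x40
    0x80301004: 0x803A4240,   # points straight at the data, offset 0
    0x80301008: 0x803A4210,   # stale copy that never changes
    0x8030100C: 0x803A4230,   # changes later, but its offset stops fitting
    0x80301010: 0x12345678,   # unrelated value
}
SNAP2 = {  # constructed: same game after the data moved to 803A6240
    0x80301000: 0x803A6200,
    0x80301004: 0x803A6240,
    0x80301008: 0x803A4210,
    0x8030100C: 0x803A5230,
    0x80301010: 0x12345678,
}

if __name__ == "__main__":
    print("803A42?? hits:", [f"{a:08X}" for a in wildcard_search(SNAP1, "803A42??")])
    for addr, off in pointer_candidates(SNAP1, 0x803A4240, SNAP2, 0x803A6240, "803A42??"):
        print(f"pointer at {addr:08X}, offset {off:X}")
```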
PostPosted: Fri Aug 26, 2005 7:35 pm   Post subject:
Shadow Hacker

Joined: Fri Jan 30, 2004 6:05 pm
Posts: 14872
Location: Hyrule
Jay007 wrote:
If you get lucky you may only get 1 result, the address displayed could well be the address you can use for your pointer code.

What do you with this address once you have found it?
PostPosted: Sat Aug 27, 2005 10:31 am   Post subject:
Fire In My Hole

Joined: Thu Jul 17, 2003 5:40 am
Posts: 13608
I cant help you Link Master, I'm apparently useless.
PostPosted: Sat Aug 27, 2005 12:35 pm   Post subject:
Shadow Hacker

Joined: Fri Jan 30, 2004 6:05 pm
Posts: 14872
Location: Hyrule
Can you really not help me? :(
PostPosted: Sat Aug 27, 2005 1:00 pm   Post subject:
Fire In My Hole

Joined: Thu Jul 17, 2003 5:40 am
Posts: 13608
Well, when you get that address, the value for it should look like another address, yeah? Usually in the area of the code you have, but is moving.

So, you take the value that's stored at your pointer address and the address of where your code is (that moves), and find the offset.

I will try and explain, but it is hard.

Say you have this for your pointer.

Address = 804000E0
Value at pointer address = 80C00000

Data of address that moves

Address = 80C04000
Data = 00000009 (Say this is for 9 lives)

You will need to find the offset for these.

So you take the value stored at the pointer address (80C00000) and the address of where your lives currently are (80C04000), and find the offset.

The offset being 4000.

Now that you have this offset, you can set it out differently, depending on what code type you want.

An 8bit pointer codetype is 40
A 16bit pointer codetype is 42
A 32bit pointer codetype is 44 (Never seen it used)

For 8bit pointers it works like this -

404000E0 XXXXXXZZ

X = The offset
Z = What you want to write to address plus that offset.

But this works like an 8bit write does.

So if we do this code say =

404000E0 00400009

It would be writing -

80C04000 09XXXXXX

Which is wrong, because the section for the lives is in the last section of the address (ie 80C04003) yes?

So you then find the offset between 80C00000 (pointer value) & 80C04003 (Actual section where lives stored are) which would be 4003.

So the code would be -

404000E0 00400309

i.e. whatever address/value is stored at pointer address 804000E0 + offset 4003, write 09 to it.

For a 16bit one it's, erm, not the same. :(

With that it's like a 16bit write. You would do the same, but when you get the offset you need to divide that offset by 2 (I don't know why either). So firstly we do that.

4000 / 2 = 2000

So here is what to do.

424000E0 XXXXZZZZ

X = Offset (you got then divided by 2)
Z = value to write to address plus offset

The original offset we had was 2000 (4000 divided by 2); that's wrong again, it would write this =

424000E0 20000009 - would write =

80C04000 0009XXXX

Again wrong, we again want it to write to the last section once again.

Think of each set of the address as 2 parts. 2000 writes to the first part yeah? So to write to the second half of it we'd change it to 2001 correct?

Basically because 80C00000 + 2001*2 = 80C04002.
So if we alter the code to

424000E0 20010009

It would in this case write =

80C04000 XXXX0009

X = This part wouldn't be affected.

God did that make sense?

I just waffle on after a while. I'm sure donny has something better to say, probably a 1 paragraph reply, but I don't.
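Added example (not from the thread or any poster) for the pointer code walkthrough above: it builds the 8-bit (40) and 16-bit (42) code lines from the pointer address, pointer value, target address and value exactly as the post derives them (including the divide-by-2 step for 16-bit offsets), then applies them to a constructed memory image so the difference between 00400009 (lands on 80C04000) and 00400309 (lands on 80C04003) is visible byte by byte. One assumption of mine, not stated in the thread: the address half of a code line is the RAM address with its top byte replaced by the code type, so 404000E0 refers back to 804000E0. Function names are mine.

```python
# Added example, not the thread's own code. Pointer code lines as described
# in the post:  40PPPPPP OOOOOOVV  (8-bit: 24-bit offset, 8-bit value)
#               42PPPPPP OOOOVVVV  (16-bit: offset/2 in 16 bits, 16-bit value)
import struct

TYPE_8BIT = 0x40
TYPE_16BIT = 0x42
RAM_BASE = 0x80000000   # assumption: code address = RAM address with type byte swapped in


def pointer_code(pointer_addr, pointer_value, target_addr, value, width):
    """Return (code_addr, code_value) for an 8- or 16-bit pointer write."""
    offset = target_addr - pointer_value
    if width == 8:
        if not 0 <= offset <= 0xFFFFFF or not 0 <= value <= 0xFF:
            raise ValueError("8-bit code needs a 24-bit offset and 8-bit value")
        ctype, data = TYPE_8BIT, (offset << 8) | value
    elif width == 16:
        if offset % 2:
            raise ValueError("16-bit write must start on an even address")
        offset //= 2                              # the post's 'divide by 2' step
        if not 0 <= offset <= 0xFFFF or not 0 <= value <= 0xFFFF:
            raise ValueError("16-bit code needs a 16-bit offset and 16-bit value")
        ctype, data = TYPE_16BIT, (offset << 16) | value
    else:
        raise ValueError("width must be 8 or 16")
    return (ctype << 24) | (pointer_addr & 0x00FFFFFF), data


def read_word(mem, addr):
    """Big-endian 32-bit read from a {address: byte} image; unset bytes read as 0."""
    return struct.unpack(">I", bytes(mem.get(addr + i, 0) for i in range(4)))[0]


def write_word(mem, addr, word):
    for i, b in enumerate(struct.pack(">I", word)):
        mem[addr + i] = b


def apply_pointer_code(mem, code_addr, code_value):
    """Simulate the code on the memory image; returns the address it wrote to."""
    ctype = code_addr >> 24
    base = read_word(mem, RAM_BASE | (code_addr & 0x00FFFFFF))   # follow the pointer
    if ctype == TYPE_8BIT:
        dest = base + (code_value >> 8)
        mem[dest] = code_value & 0xFF
    elif ctype == TYPE_16BIT:
        dest = base + (code_value >> 16) * 2
        mem[dest], mem[dest + 1] = (code_value >> 8) & 0xFF, code_value & 0xFF
    else:
        raise ValueError(f"unsupported code type {ctype:02X}")
    return dest


def demo():
    """The post's worked example: returns (code8, word after, code16, word after)."""
    mem = {}                                   # constructed memory image
    write_word(mem, 0x804000E0, 0x80C00000)    # pointer to the lives structure
    write_word(mem, 0x80C04000, 0x00000003)    # 3 lives, kept in the last byte
    code8 = pointer_code(0x804000E0, 0x80C00000, 0x80C04003, 9, 8)
    apply_pointer_code(mem, *code8)
    after8 = read_word(mem, 0x80C04000)
    code16 = pointer_code(0x804000E0, 0x80C00000, 0x80C04002, 9, 16)
    apply_pointer_code(mem, *code16)
    return code8, after8, code16, read_word(mem, 0x80C04000)


if __name__ == "__main__":
    code8, after8, code16, after16 = demo()
    print(f"{code8[0]:08X} {code8[1]:08X} -> 80C04000 {after8:08X}")
    print(f"{code16[0]:08X} {code16[1]:08X} -> 80C04000 {after16:08X}")
```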
PostPosted: Sat Aug 27, 2005 1:23 pm   Post subject:
Shadow Hacker

Joined: Fri Jan 30, 2004 6:05 pm
Posts: 14872
Location: Hyrule
Damn, sounds complicated. I got about 11 or so results instead of one though.
I'll just go and do the whole pointer bit again, then go through your last post step by step with one of the addresses, and hopefully it'll be the right one and I do it right.

Thanks for the help Jay. :)
PostPosted: Sat Aug 27, 2005 1:25 pm   Post subject:
Fire In My Hole

Joined: Thu Jul 17, 2003 5:40 am
Posts: 13608
It's not supposed to be complicated, I just make it that way.