Generic Code Hacking

From Wiki - GameHacking.org
Jump to: navigation, search
EnHacklopedia >> {{ #ifeq: Generic Code Hacking | EnHacklopedia | Index | Generic Code Hacking }}


Using Trainers

Trainers come in various forms and are called different things (code generator, code searcher, etc). They may vary in look and features, but they all function the same way. They "dump" the memory from a game and search for values in it. Most trainers save this dump temporarily for making relative comparisons (greater/less/equal/different) at different points in the game. The idea being to change something in the game and compare the new memory to the old, in order to find which locations in memory have changed each time. This allows the hacker to find the address in memory of something, whether it be lives, health, or removing Lara Croft's underwear on Tomb Raider.

Typical Search Options

  • Initial Dump / Start Search - This grabs the current memory for comparing to after causing something to change.
  • Known Value - Searches for a user entered value
  • Greater Than - Find values that have increased.
  • Less Than - Find values that have decreased.
  • Different To / Not Equal To - Find values that have changed
  • Equal To - Find values that are the same.
  • In-Range - Find any value within a certain range (like between 1 and 10).

An Example Search For a Health Bar

  1. Get to the point in the game where health is actually displayed.
  2. Start Search (Initial Dump)
  3. Get back in the game and lose health.
  4. Search for values that are Less Than.
  5. Go back to the game and lose health again.
  6. Search Less Than again.
  7. If health is gained by pickups or something, pick one up, and search Greater Than.
  8. Repeat this until the number of results shown by the trainer is reasonably small. Sometimes it will narrow all the way to 1 result, but don't count on it.
  9. Test the result(s) until one effects health.

Known Value Searches

A known value search is the most basic search that there is. It is used to search for things that you know the exact value of, generally something displayed onscreen, such as a score or number of lives. It's worth keeping in mind that the on-screen value is not necessarily the value that is stored in memory. It is not uncommon for the value to be stored in memory with one added or subtracted to it. Additionally, the value may be stored as a <acronym title="Binary Coded Decimal">BCD</acronym> or float values instead of a normal hexadecimal number. If searching for known values is not successful, unknown value searches may be necessary to find the code.

Unknown Value Searches

For use when the user doesn't know the exact value to search for, like timers, and health bars. Unknown value searches consist of comparing memory dumps in relation to how the target has changed. If health/time decreases, search "Less Than." If it increases, search "Greater than." Examples of such comparison search options include: Greater Than, Less Than, Different To, and Equal To.

Signed Searches

Some trainers allow signed searching by extend sign-extending values being compared, just as the game would sign them for doing things. This allows for finding things that would might be handled by a game as negative values. With a regular 32-bit search, for example, 0xFFFFFFE0 would be greater than 0x42C80000. However, if these were compared as signed, 0x42C80000 would be greater because 0xFFFFFFE0 is read as negative 0x20 (-32). Games use signed values for anything from acceleration to coordinates. For example, acceleration might be stored by a game as a negative value while driving in reverse because that's how vectors are stored. The direction is like the most significant bit, so looking at them signed makes them easy to search for. There are also times when games display a negative number for something on the screen as well.

  • Unsigned
    • For 8-bits
      • 0x00 -> 0xFF = 0 to 255.
    • For 16-bits
      • 0x0000 -> 0xFFFF = 0 to 65535.
    • For 32-bits
      • 0x00000000 -> 0xFFFFFFFF = 0 to 4294967295.
  • Signed
    • For 8-bits
      • 0x00 -> 0x7F = 0 to 127.
      • 0x80 -> 0xFF = -127 to -1.
    • For 16-bits
      • 0x0000 -> 0x7FFF = 0 to 32767.
      • 0x8000 -> 0xFFFF = -32768 to -1.
    • For 32-bits
      • 0x00000000 -> 0x7FFFFFFF = 0 to 2147483647.
      • 0x80000000 -> 0xFFFFFFFF = -2147483648 to -1.


Hacking With Emulators

An emulator is a computer program that acts as a virtual game console, so to speak. It imitates the actual hardware in order to run backups of games (ROMs) for the given system. There may not be an emulator for every system, or the ones available may not work very well (if at all). Not every emulator can run every game. This is partly because of incompetence on the part of emulator authors, especially in the case of Nintendo 64. The authors do NOT provide ROMs, so don't ask!

Some emulators have built-in cheat searching utilities, just like trainers for the consoles themselves. They work the same way. More information on hacking with specific emulators may be found with the in-depth system info for some systems. There are alternatives to built-in trainers as well, like external programs used in conjunction with an emulator or using save states. These methods can be lifesavers when an emulator's cheating utilities are lacking or non-existent.

Renegade

Most trainers and hacking tools available are for specific consoles and/or emulators. Renegade, on the other hand, is one of the few hacking tools made to support many emulators and pretty much anything else that allows the user to save a copy of the memory. Renegade can seem overwhelming at first, but hacking normal codes with it is really the same as anything else.

Renegade: Code Search Window
Attaching to an Emulator

  1. Start the emulator, and get a game running.
  2. Pause the game. Most emulators have the option to pause emulation entirely. This is recommended.
  3. Open Renegade
  4. Go to the Cheating menu. Choose Attach To Emulator.
  5. Choose the emulator that's running in the dialog box. The text box beside there will tell if the running emulator was found by Renegade or not.
  6. The Attach button should be enabled when it verifies the selected emulator is running. Click Attach
  7. Now go to the Cheating menu and choose Code Search, Memory Editor, or open both.
  8. Now the search options look pretty much the same as in any other trainer; there's just a lot more of them.
  9. Do an Initial Dump or Known Value search to start.
  10. Switch back to the emulator and change the thing being hacked.
  11. Pause the emulator again, switch back to Renegade, and search accordingly.
  12. Keep this up to narrow results as with any other trainer.
  13. When the time comes to test results, the results window displays the addresses in the form of raw addresses. This simply means that the user is expected to use the right code prefix, etc for the system being hacked (80/81 on N64, for instance).
  14. Another thing to note is that the results are automatically stored in a text file in the searches directory each time the Results button on the Code Search window is clicked. The filename is always search#.txt. The results can also be exported as N64 codes for easy testing.

Comparing Files

  1. Open the Code Search window without attaching to an emulator as described above. If it was already attached, simple select Detach From Emulator from the Cheating menu.
  2. There's an option to specify the byte order.
  3. Also notice the Header option. This can be configured to ignore the first so many bytes (header) of a file.
  4. If doing a Known Value search, one file is required to start.
    • On the Search Type drop-down list choose Known Value, In-Range, or any option that can be done with a single file.
    • Click the Search button and a file dialog appears. Choose the file to be searched. Searching will commence, and result count will be displayed
    • The search can be continued by simply setting the search type as desired, and clicking search again. The dialog will prompt for choosing the next file.
  5. For doing comparison searches, there is no actual "Initial Dump." Just start by comparing the first two files.
    • Set the search options for the desired comparison and click the Search button. The difference here is after the dialog prompts for the first file, it will immediately prompt for the second.
    • The search is continued the same as if it were started by searching for a known value. Choose search options, then click Search to be prompted for the next file.

Save States

Save states are like a RAM dump, a copy of the game's memory at any given time. These can be compared or viewed in a hex editor just like a regular RAM dump. Most emulators have the option of saving the current state of the game. Some are even nice enough to have an actual "RAM Dump" option.

Two Important Notes About Save Sates

  1. Save states typically have extra information in them besides the RAM dump itself. This is in the form of extra bytes before or after the actual dump shows up in the file. The number of bytes varies by emulator but not by game. This is because different emulator authors store information differently. Finding the right RAM addresses for values found in these files is just a matter of subtracting the size of the header from the address in the file. Meaning if the header is 0x40 bytes and the a code is found a 0x45690 in the file, the actual RAM address would be 0x45650. This is pretty much the same concept as porting codes, but the porting is being done from save sate address to RAM address.
  2. Some emulators will compress save states by default. These will need to be uncompressed before they can be handled as normal RAM dumps. Some emulators have the option of turning off the compression, others don't. In most cases, programs like WinRAR can decompress the save states because they use common compression algorithms. However, there are times when this won't work, and there isn't really any solution short of asking the emulator author.


Guess and Check Style Hacking

To Do


Porting Codes

Porting is a process used to convert Action Replay/Equalizer (and Gameshark) codes from one version to another. It can be used to convert codes from version 1.0 to 1.1, or PAL to NTSC, or even sometimes from P1 to P2.

There are about 4 different ways of porting codes. Different methods are used for porting different codes and sometimes different methods are mixed to port codes. 500 codes don't need porting.

One method is working out the difference in Hexadecimal between two codes that already exist in both versions. This is known as 'Version-Difference Porting'

Pointers

A pointer is an address in memory that actually contains the value of another address. Say for example the 8-bit values at 0x80045020 are 0x80 0x25 0x78 0x40. That's probably a pointer to the address 0x80257840, rather than just the values of something. Games use pointers to keep track of where certain blocks of data are located in the memory. The pointer usually references the beginning of such a block. Some cheat devices support loading these pointers from the address given in order to write to the address plus a user defined offset. For instance, health may be at 0x80257854 in memory. The pointer at 0x80045020 indicates that the block of data (player data in this case) starts at 0x80257840. The difference between the beginning of the data block and the health location is 0x14. Now a pointer code type could tell the device to load the value (pointer) at 0x80045020, add 0x14, and write the value for full health to the resulting address.


Miscellaneous Hacking Tips

Have All Maps With the all maps, go into the map screen and bring up the selections of maps and start a unknown search. Once you find a new listed map do greater than last. And keep doing that, add equal to last to go by it fast, until you come up with it.

Extra Hacking: Complete Map In some games you will have a map, but it will not be completed. To hack this start an Unknown search. Complete some of the missing sections on the map and do greater than last. Do this as many times as you want and follow it up with equal to last. You will notice you have it when you go into an area you never been in and it does show up on the map.

Hacking Tip #1: When using Unknown search, try to do as many Different, Greater, and Less than last. Doing this will lessen the possibilities even more when you select Equal to last.

Hacking Tip #2: Memory cards are the best tools when trying to hack a code to unlock things.

Hacking Tip #3: Known search 0 (on or off) and 1 (on or off) may be he best way to hack codes without the effort. If you are trying to hack an activator type code, this method is best used.

Hacking Tip #4: Translating codes with an calculator that can calculate hexadecimal and decimal can save you a lot of trouble.

Fake Codes

To Do

Infinite Money/Ammo/Items

[Difficulty: Beginner]

These are about the easiest codes to hack. To hack one, take the value of desired item to get infinite of, and do a known value search for it. Next, manipulate the amount of it (EG lose a life), and search for the new value. Keep doing this until results are narrowed down enough to test some. This usually doesn't take much when searching for exact values. Most games store the simple stuff this way; however, some will use float or BCD values, depending on the game system.


Have Item

Hacking for a Chest/Items Slots

First find a position in the Chest/Item Screen you want to hack the Item code for. Now since you've did that, do an unknown search.

Now place an item in its position and do a Different To last.
Swap out items and again Different To.
Do that once again then Different To.
Now let the item stay and this time Equal To.
Now take out the item then do an Different To followed by Equal To.

This should give you a item modifier for just that slot, but to get
the next slot, hack a item mod in its position. Now compare both addresses:

I.E.
Slot 1 Item Mod 80000000-????
Slot 2 Item Mod 80000002-????

As you see at the end of the first 8 numbers, it adds 2.
So to get the next slot keep adding 2:

I.E.
Slot 3 80000004-????
Slot 4 80000006-????

Activating Unlockables

Unlocking a Secret Character or Menu: First find the screen where the character or menu is supposedly to be unlocked at and start a unknown search. Unlock that feature and do different/greater to last search. Do it once (or 2) more followed by equal to. This should give you a lot of possibilities, but you can lower them by choosing 10 or less address to activate and do the method over. You will know you have it when you find the address and change the second set of digits at the end to unlock something or someone else.

Level Modifier

Location modifier/another level modifier

The easiest way is to have a save in level 1, and another in level 2.
Load level one, and do a known value search of 000000.
Then load level 2, and do a known value search for 000001.
Go back from levels 1 and 2 a few times to get the possibilities down.
When you find the code, you should be able to change the last four digits to go to new levels.

Note: this does not work with all games

Character/Team/Costume Modifier

Character Modifier

First do an Unknown value search without a character.
Next select one character and then perform a Different To search.
You might want to try an Equal To search afterwards, just to eliminate junk codes.
Lose on purpose, then switch characters.
Repeat this method over until you have a reasonable amount of possibilities.
Then when you get the code change the values so you can get the character you want to be.
It takes patience looking up values for the game. But once you find it out the rest should be there.

Clothes Modifier

Anybody can figure this out. First do a unknown search. Than go back to a game.
Move around and do an equal-to search. Go back to the game.
Change your clothes and do a different than last search.
Keep switching and you should have some codes.
Try to put it to one (if possible)
Switch your values around and you should get a clothes mod.

Moon Jump

[Difficulty: Intermediate to Hard]

With this type of hack, the objective is to find the player's up/down acceleration. A more technical name for this would be a Y Speed Modifier, because it alters the speed the player's Y coordinate is moving. This causes the game to think the player is floating upward just as if the jump button was pressed. In some games, there is no jump button, but this can still be done if there's a place to fall off of as falling is part of Y speed too.

There are multiple ways to go about these, since different games on different systems tend to handle it differently. The basic theory doesn't change much with the search methods though. Y speed is usually a 16 or 32 bit signed value in memory. It increases when moving upward, and decreases when falling. This is signed because most games store vectors this way. The value is based on both the direction being moved and how fast the player is moving in that direction. Most times, Y speed will be 0 when standing still, but don't rely on this. If the player has a little bouncing stance or something, the Y speed could very well be changing just slightly the whole time. Also note that on older systems (like NES/GBC), Y speed can be as simple as an 8-bit value being 0 on the ground and 1 or higher while moving upward.

The GLEE Method

The "<acronym title="Greater, Less, Equal, Equal">GLEE</acronym>" method was pioneered by macrox. The basic theory at the time was that the player's Y speed increases when not on the ground (whether rising or falling). This may seem to contradict the theory above, but it's still technically true. This is because the GLEE method treats moon jumps like most other basic codes: it uses unsigned searches. The steps are outlined below. It's probably best to set whatever search tool is being used to compare 32-bit values first, if available. If that option is unavailable or doesn't work, try 16-bit and so on.

  1. If the character is stands totally still on the ground, it's a reasonable assumption that Y speed isn't changing. Start a an unknown value search (initial dump). If the character jitters while standing or something, the Equal To searches mentioned here may need to be skipped. This makes it more difficult to narrow the results, but it's still possible.
  2. Move around a bit, then stand still again. Search Equal To. Repeat this step a couple times to eliminate some junk results.
  3. Now jump, or fall from a high place if the game has no jumping. While in the air and rising/falling, search Greater Than. Even if the game does allow jumping, falling from something instead to do the Greater Than might shave some extra results off the list.
  4. Once the player lands on the ground again and is standing still, search Less Than.
  5. Repeat the steps above until the results list is narrowed considerably.
  6. When ready to test some results, jump again (if possible) and do a Greater Than while still rising. Catching the value when just beginning to rise is best, though not always easy. The current value should give an idea of what to use for a moon jump value. Turn on a result at a time and look for effects on the player's Y speed.
  7. Once the correct address is found, try different values until the desired rising effect is reached. A value too high can orbit the player instantly (and even crash the game), and a value too low will force the player to the ground or perhaps keep the play from falling. On games that don't allow jumping, try freezing the value of each address to 0 and attempting to fall until an effect is noticed. Note that getting the rising effect on games which don't allow jumping sometimes still requires falling off something.
    • If the game doesn't allow rising without falling off something, then be possible to hack a code to tell the game the player is in the air. This can be hard or next to impossible on some games, but it works on others.
    • The idea is to start a new search while standing still. Then move to a different position, and search Equal To.
    • Fall off something, and search Different To while in the air. Following this up with an Equal To while still in the air might help cut down the results.
    • Once the player in back on the ground, search Different To again. Repeat these 3 steps until the results are narrowed.
    • Try the results with addresses nearest the Y speed address first. Doing this can sometimes save time, especially when it gets hard to reduce the amount of results and there are still a lot left. When testing results use the value from when the player was in the air along with the Y speed code to attempt forcing the player to rise.
  8. After locating the Y speed and the right value to get the player rising up without actually jumping to the moon, look up the button activator/joker for the game and the button value desired for the moon jump code. Using the same button the game does to jump is the preferred choice.
  9. Put the Y speed code with the activator and test it. If a code was hacked to tell the game the player is in the air, put this on an activator for the same button.
  10. Enjoy the new moon jump code.

Signed Searching Method

Another way to hack moon jumps is with signed searching. This can be useful on some systems, if a trainer is available with the option.

  1. Start an unknown value search while just standing still.
  2. If the game leaves the player standing completely still, then it's safe to assume the Y speed isn't changing. Move around then stand still again. Search Equal to. Repeat a few times if desired.
  3. Now here's where signed searching differs from GLEE. The Y speed is positive while rising up, negative while falling, and either 0 or slightly less when standing still. Press the jump button and quickly freeze the game while the player is still rising. Search Greater Than.
  4. As the player begins to fall, search Less Than.
  5. When the player hits the ground and is standing still again, search Greater Than.
  6. Now jump again, and quickly freeze the game while rising once more. Do a Greater Than search.
  7. This may have been enough to get down to a decent amount of results. If not, repeat the steps as needed, remembering the way Y speed values work signed.
  8. Once the results are done enough to warrant even looking at them, look for the positive, negative, 0/negative combination of current and previous values for each result. Pick out the ones worth trying and test them with the positive value. The value may still need to be increased a little, but again, keep in mind the signing factor. Don't raise it too high and turn it negative or the player will be glued to the ground.
  9. Take the right address and value, and put the code on an activator for pressing the jump button (or other button, if desired).
  10. Up, up, and away!


Speed Modifier

A speed modifier is a code that modifies the speed of an in-game character or object. In most cases, this is a 16 or 32-bit signed value in memory. When the character or object is stopped, the value is usually zero. Keep in mind that simpler systems such as the NES and GBC may use 8-bit values for the speed value

To hack this code, a slight deviation of the GLEE method may be used.

  1. If the character is stands totally still on the ground, it's a reasonable assumption that the character's speed isn't changing. Start a an unknown value search (initial dump). If the character jitters while standing or something, the Equal To searches mentioned here may need to be skipped. This makes it more difficult to narrow the results, but it's still possible.
  2. Move around a bit, then stand still again. Search Equal To. Repeat this step a couple times to eliminate some junk results.
  3. Now start moving. Without stopping, do a Greater Than search.
  4. Once the character stops or diminishes in speed, do a Less Than search.
  5. Repeat the steps above until the results list is narrowed considerably.
  6. When ready to test some results, try setting the speed to something really low. If the character is going really slowly, a speed mod has been found!
  7. Once the correct address is found, try different values until the desired level of speed is reached. A value set too high may launch the character careening through the level or it may even crash the game.
  8. Once you have your code, it's a good idea to put an activator on it. Else, the character will always be moving at fast speeds. Some good choices for activators include a "moving/not moving" flag in memory, or even button activators if an alternative isn't found.


Position Modifier

Every game uses coordinate system to position a given object or character. These coordinates are located on a set of invisible axes. Two-dimensional games use two axes, referred to as the X and Y axes. Three dimensional games rely on three axes, referred to as the X, Y, and Z axes. The X axis is used for left/right movement, the Y axis for down/up movement, and the Z axis for near/far movement. As an object's X coordinate increases, it is moved to the right, and vice-versa. The same rule applies for the other axes. It is important to note that these axes have nothing to do with what is shown on the game screen. For example: the Y coordinate measures an object's absolute height, as opposed to how high the object is relative to the ground. It is recommended that 32-bit searches are used for three-dimensional games if the emulator or trainer has that option, although 16-bit searches will work just as well. For two dimensional games, 16-bit searches are usually sufficient.

  1. Identify the target object or character, preferably one whose movement can be controlled by the player. Begin an unknown value search.
  2. Identify the target axis. Hacking with only one axis in mind is much easier than attempting to keep track of movement on multiple axes. Remember that causing a change in the character's Y coordinates requires movement to a higher position in the level, which may not be easily accessible, so choosing to hack the X or Z coordinate may be easier.
  3. Move the character several game "feet"/"meters" to the left, right, away from the camera, or towards the camera. Perform a Different To search. It's important to move the character far enough away from the original point if doing a 16-bit search. As each coordinate is usually 32 bits in length (in three-dimensional games), it's extremely important to move the character so that the first half of the value changes. For example: 0x12345678 would need to become 0x1235789A (or higher) so that a 16-bit search registers the change and doesn't discard a potential code. This is not an issue with 32-bit searches.
  4. Move the character in the opposite direction, keeping the above warning in mind. Perform another Different To search.
  5. Repeat steps 3 and 4 until there is a manageable number of results, preferably less than 20 or 30.
  6. Test each code until the target character's movement on one axis is restricted.
  7. Now the codes for the other two axes need to be found. They will usually be in close proximity to the code that was just hacked. On some systems, one can usually find another part of the code by adding or subtracting 0x04 to or from the newly-found code's offset. The offset containing the X coordinate is usually first, followed by the Y coordinate, and then the Z coordinate. Note the existing values for the surrounding offsets and enter those as codes.
    • If the character is unable to move to the side or toward the game camera, then the correct code for the X or Z coordinate has most likely been found.
    • If the character is unable to jump, then the correct code for the Y coordinate has most likely been found.
  8. The first 16 bits of the value are usually enough to change a character or object's position, so assign those to a code and enjoy the results.

Due to their nature, position modifiers are very easy to find usable values for. Simply view the offsets from each of the codes for the target character/object's coordinates, and apply those to the target character/object's position modifier, or a completely different object's position modifier.


Infinite Time

Timers can be painfully simple, or they can send the hacker into violent tantrums. It all sort of depends on the game and system. The general idea is to just keep searching greater/less depending on the way the timer is counting, but they can vary a lot. Timers come in any size from 8-bit to 64-bit, but 16-bit and 32-bit ones are more common.

Basic Timer Hack Strategy

  1. First get to the point in the game where the timer starts counting up/down. Then pause/freeze and start an unknown value search (initial dump). 32-bit is probably the way to start, if possible. If this fails, try 16-bit and so on.
  2. Now let the timer count down just a little, and do a less than search. Keep letting it count down and doing less than until the results are narrowed enough to test.
  3. In some cases, restarting the timer and doing a greater than followed by continuing with the above step will help.
  4. Now when the results are narrowed enough to start testing, set a constant write/freeze on the address using a high value to see if the timer still counts down. If the trainer being used lists all the previous values of the timer, a little educated guessing can help with picking out the right result to try. Sometimes a timer will be as simple as the value on screen being the same value in memory, but don't bank on it.
  5. Don't be surprised if none of the results work. Try a different bit size or one of the extra tips below.

Timer Tips

  • clock style (00:00:00) timers tend to be 32-bit, but they can be found even if the user is searching 16-bit. One thing to be cautious of though is the amount of timer going by between searches. Let the seconds or minutes count up/down a couple digits, depending on the timer's speed.
  • Don't be afraid to try searching the opposite direction when the search instructions above don't work. Sometimes a timer counting down on screen is really counting up internally. It's odd, but it happens. The timer on Star Fox 64 kept some hackers guessing for years because the timer on screen was stored a as 32-bit value counting down, while the real timer was a 16-bit value counting up! Just to add insult, the real timer was only a few bytes from the on-screen one.
  • Beware of fake timers. A lot of timers there's both and on-screen timer and a real one. Test the code for as long as it would normally take the timer to run out to be sure it's really being stopped.
  • In some cases, the right address is found, but attempts to freeze it will fail. This is because the game reads/writes the location faster than the cheat device can. The only way around this is to try hacking it with assembly. Hackers wanting to attempt this will need this address, so hang onto it.


Size Modifier

Objects That Change Size Normally

To Do

Objects That Never Change Size

To Do

Image Modifier

To Do


Cut scene Modifier

Press the freeze button while a cut-scene/FMV is playing and start an Unknown Value search. Play the same cut-scene, do an "equal-to" search.

Play a different cut-scene, search for "different-to" values. THROW OUT ALL CODES that have value "FF"... Look for everything else, turn all codes that are not "FF" on (some of them one at a time). Play a cut-scene /FMV, if you play the same cut-scene/FMV no matter where you are, turn off a few codes, (WRITE THEM DOWN), until you get the activate codes that do not play the same cut-scene. Eliminate those codes. Turn on one code at a time (that you've previously written down) until the cut-scene never changes.

OK, now just play all the cut-scenes, press freeze button, write down digits, repeat until you get all the cut-scenes... If you have been through all cut-scenes and notice missing digits, try those missing digits in your new GameShark code. Sometimes the game will freeze with the missing digits, but you may find a hidden, or 'unfinished' cut-scene.

Skip Intros

To Do


Assembly Hacking

Description of Assembly

Assembly is a generic all-encompassing term for human-readable machine code. A <acronym title="Central Processing Unit">CPU</acronym> is very good at working with numbers and interpreting their meanings; humans are at a disadvantage here, and it makes working with machine code very difficult. Assembly makes it quite a bit easier by providing a 1:1 ratio to machine code. Where machine code might look like a long string of ones and zeros, assembly might look more like this:

Opcode Operands Comments
lw r0, =0x0203FA70 @ Load pointer to lives variable
mov r1, #31 @ Load number of lives we want
str r1, [r0] @ Store lives value to variable
bx lr @ Return

This example is ARM/Thumb assembly for CPUs such as the ARM7 and ARM9 available in GBA and NDS. The comments help the programmer understand the assembly code even better than the CPU does; the CPU will execute any instruction given to it without determining the consequences or raising concern. The responsibility of executing the right instructions falls soley on the programmer. This example brings to light what is meant by "human readable machine code." Compared to "0011010011101001100101..." the assembly is a lot more understandable.

That aside, assembly is not without its own faults. It is often very difficult for a novice (with no previous programming experience) to learn and understand. This is due to assembly's naturally low level; an assembly programmer talks to the machine in its own language (via a translator).

Programs that translate assembly into its machine code counter-part are called assemblers and are available for various target CPUs and platforms. The target CPU is what the assembler needs to output machine code for. The platform is the CPU/<acronym title="Operating System.">OS</acronym> that a programmer will use to write the assembly and translate/assemble the code. Assembling code for a target that differs from the working platform called cross platform development.

Hacking assembly is just the opposite; a hacker will translate machine code into human-readable assembly to understand the code and make changes as necessary. A program which does this kind of translation is called a disassembler, which are just as widely available as assemblers. The trouble is, few disassemblers output assembly that can be assembled back into machine code by an assembler. For the purposes of this tutorial, doing so would be out of scope because it is not usually a requirement to rebuild an entire program just to hack it. Renegade64 contains a code assembler which is much closer to what a hacker will use when patching assembly.

Rundown of Assembly Languages

Assembly languages define a set of instructions specific to one family of CPUs. Depending on the CPU or assembly language, there may be only a small handful of instructions, or there may be a vast library of instructions available to the CPU. There are two common terms for CPUs which define the type of instruction set a CPU will use. The <acronym title="Complex Instruction Set Computer.">CISC</acronym> machines generally have many different forms of the same instruction, while <acronym title="Reduced Instruction Set Computer">RISC</acronym> machines typically have only one (rarely two or more) form of the same instruction. The names "Complex" and "Reduced" do not refer to the size of the instruction set, but to the ratio of instruction forms to single instructions (the smaller the number of instruction forms, the more "reduced" the instruction set). Some RISC machines have a far greater instruction set than CISC machines. For example: PowerPC(RISC) compared to 6502(CISC).

Regardless of the type of instruction set, an instruction is typically comprised of two parts: The opcode and the operands. The opcode defines the command which the CPU will use. The operands define how the CPU will execute the instruction. The number of operands can vary, depending on the language and the opcode. Some opcodes have no operands at all; these are called "implied" operands, since the operand is implied to be non-existent.

The most basic example of such an opcode is NOP. NOP, also sometimes called NOOP, exists on every major CPU in use today (though the assembly instruction is the same across all instruction sets, the machine code is not; yet another example of making machine code easier to understand). Its function is simply wasting CPU cycles; it does nothing else. This seems impractical by today's standards, where timing is not as crucial as it once was, and in most cases it may be desired to use every last cycle to its greatest potential. However, the NOP instruction is important for many tasks. It can be used to help synchronize multiple CPUs by having both wait for a small time, for instance. For a hacker, the NOP instruction becomes an invaluable tool for manipulating programs. Any instruction can be overwritten with a NOP to disable it completely. Overwriting the instruction which changes a character's health in a game will disable the game from changing any health at all.

To Do: Explain operands.


Breaking Limits

To Do


Infinite Ammo For All Guns/Levels

To Do


Changing Starting Items/Stats

To Do


Killing Timers

Timers can be stopped with assembly the same as anything else, but caution should be taken in doing so. Setting a breakpoint on write of the timer address and making disabling the instruction which write to the timer address. Now here's where the caution comes in. Some assembly routines aren't just used for that single timer. There are times when stopping a simple timer can freeze half the stuff in the game, so be careful.

There are also times when the real timer can't be found normally, but a fake (on-screen) one can. These are more difficult to disable, but the real timer can sometimes be traced by doing a write breakpoint on the fake timer. Sometimes, it's as easy as looking as the instructions nearby. The game may be converting the timer to a different format to show on-screen immediately after it decrements and stores it. If the answer isn't obvious, the only thing to do is to backtrace the assembly to figure out where the value for the fake timer came from. It has to get it based on the real one, somehow. This is difficult to explain in real detail because games vary so much.


Rapid Fire

1st: Start a unknown value search.
2nd: Keep shooting your gun, then push the freeze button.
3rd: Do a different to last.
4th: Keep shooting and do an equal to last.
5th: Now stop shooting, then do a different to last.
6th: Still don't shoot, and do an equal to last search.
7th: Repeat all steps 1-6 until you have 10 or less possibilities.

Extra Hacking: Mega Rapid Fire

Do the Method above with the fastest shooting gun you have.
Shoot it slow and fast, and you should have a faster Rapid Fire.
Sometimes you can increase or decrease the last 4 digits to make it faster.

Mega Jump

1. Get into the game and perform a Start Search while you are on the ground.

2. Get back into the game and walk around a little bit and do an Equal To search while you are walking around to weed out some possibilities.

3. Repeat Step 2 about 1 to 3 times to narrow the possibilities some more.

4. Get back into the game and stand in place, and hit the jump button, and right as you are in mid-air, do a Different To search.

5. Get back into the game and walk around and do a Different To search.

6. Jump back into the game and walk around a little bit and do an Equal To search.

7. Repeat Step 6 about 2 to 3 times to narrow down the possibilities.

8. Now Repeat Steps 4 thru 7 to narrow down the possibilities till you have about 15 possibilities.

Now it's trial and error time, you are going to have to try out all of the codes. Look at your results, and if your last search was when your character was on the ground, the code should look similar to this: 91 00 456F or 91 01 456F. The value should be either 00 or in some cases it is 01, but it most likely will be the 00 value. Now some games will have a totally obscure value, so test all of the codes out is the key. Now when you test the codes out, the one that will not allow you to jump is the right one, now bump up the value to 01 or 02 and that should give you the Mega Jump, if not try higher values.

When you have your code, you may notice when you press the jump button your character will not come back down to the ground, well that is not a problem, just turn the GameShark switch off when you want to come back down again.

Invincibility

I found this from a tutorial from Lik. dlevere.

The first step is to get familiar with how to use your GameShark to hack, so to keep this tip short please refer to your GameShark owner's manual. Now to find health, you must get into game:

1. Get into the actual game and do a Start Search.

2. Get back into the game and let an enemy hit you once to make your health meter (or number, depending on the game) go down a notch, then do a Less Than Search.

3. Go back into the game and get hit some more so that your health goes down further than the search you just did, so if it went done a quarter of the way when you did the last search, this time get hit so it goes down about half way and then do another Less Than Search.

4. Go back to the game and get hit so that your health is almost just about gone, and do another Less Than Search.

5. Now go back into the game and when you health is full, do a Greater Than Search. Now your possibilities should be narrowed down to about 15 or 20. If they are not, repeat steps 2 thru 5 until you get a couple of possibilities left. If you have only a couple of results left, it is trial and error time, test out one code at a time and you will eventually find out which code is the right one, and with more experience, you will be able to know which one is the right one just by looking at it.

Debug Menus

Hacking for a Debug Menu and Debug Room

CHAPTER I:
What is a debug?
A debug is what the programmers use to get to different points in the game quickly and test parts of the game. The programmers don't want to play through the entire game to get to a part near the end, so they use a debug mode to take them to that point. The programmers don't want to fight in X many battles to see what happens at level 50, so they just change a value through the debug option.

CHAPTER II:
Does my game have a debug?
Probably. All Squaresoft games do. Most RPG's leave them in. For other games it's hit or miss. If you want to check, go to the memory editor and look for text that doesn't appear in the game. Example: In Final Fantasy Tactics the text "debug" can be found. This indicates there is a debug mode.

CHAPTER III:
Finding Debug Rooms
First you need to find a room modifier. A room modifier is a line of code in where the value of the current room your in. To find this, go into a room and do an unknown value search, take a few steps with in the same room and do an equal to last. Next, leave and go to a different room and do a different to last search, take a few steps and do an Equal to last. Repeat this process until the results aren't getting any lower. Copy one code at a time into the active code window. Leave the room, if you reappear in the room you just left you have found the room modifier. Play with different numbers in it's value, leave the room and see where you reappear. You'll go to a lot of rooms until you find the Debug room.

Remember: Room Modifiers can be in any part of the memory, so don't get discouraged if it's not in the first or second. NOTE: The value for the debug room will normally be low because they are designed early on.

CHAPTER IV:
Finding Debug Menus
Finding Debug menus can be very simple or very hard. The easy way to do them: go to a menu (Most games have multiple menus and it could be on any of them) Put your cursor in the first position and do an Known Value Search for 0000. Move your cursor to the second position, do Equal to 0001. Move your cursor to the third position, do an Equal to 0002. Repeat this process until you find where the cursor's position is stored. Once you have found the line, set the value to the number of options +2 and see if you're cursor is positioned in a blank space after the last choice, If it is you've probably just found a hidden menu. Treat it like a normal option on the menu, press enter and see what options come up.

CHAPTER V
Finding Debug Menus Part II
If the option modifier in CHAPTER IV doesn't work, there is also a menu modifier. First pop up a menu, start an unknown search. Now keep doing different to last in every menu you find. On one of them, move the cursor and it should be equal to last. Try as little as 1-5. Try to exit or go to another option. If you can't change menus then that's your code.
Tip: Remember that the digits will always be low.

CHAPTER VI
In some RPG you can also get in by certain dialogs and phrases (In FF VIII, you see dialogs when you enter debug rooms, and the only way you select what you want is by dialogs popping up first). This may be the hardest way, because you could end up in a debug room and not the main room, and RPG's have over thousands of dialogs to cover. To hack this, just use a simple dialogs modifier using a modifier method. This is also the surest way to find one.

Walk Through Walls

Hacking a walk through walls code involves locating the game's clipping routines, which can often be very spread-out and embedded deep in the physics engine. This theory will focus on 3D games, but much of it can also be applied to many 2D games. 2D games simply lack a Z axis.

Locating the clipping routines may take a few different steps, depending upon the game and how it was programmed. Locating the main character's coordinates is the best place to start. Coordinates can be found with a simple 32-bit unknown search. With 3D games, there are always three coordinates named "X", "Y", and "Z". The Y coordinate is the usually easiest to find because no matter which way the character or "camera" are facing, the Y axis is always up-and-down. Reference Position Modifiers for more information on locating coordinates.

Coordinates are almost always placed in memory in order; the Y coordinate will appear between the X and Z coordinates. This idea can be exploited to locate all three coordinates after finding just one of them. Once the X and Z coordinates have been pin-pointed, these can be used to locate the clipping routines.

The second step requires a write watchpoint on either the X or Z coordinate. Choosing which coordinate to use is entirely up to the hacker, as they will typically both lead to the same routines. Setting a breakpoint on one of the coordinates will usually cause a break right away, even with the main character standing completely still. If the break-causing store instruction is disabled, sometimes additional breaks will occur. It is wise to keep a list of all addresses which cause breaks without moving, and the instruction data they contain. This makes it easy to re-enable the instruction later. As soon as there are no other breaks occurring while the main character is standing still, this step is complete.

The next step requires checking if any breaks occur while walking in an open area, without touching any walls. Most of the character control routines have already been disabled, by this point, and in most cases the main character should be "stuck" walking along only one axis. However, in a few other cases, a break will occur as soon as the main character begins to move. If this happens, the instructions causing these breaks must also be disabled. When the main character is able to glide peacefully along a single axis, the only breaks occurring should be when the main character hits a wall.

With all of the character controlling routines disabled, walking into any wall should cause a break as the physics engine is attempting to clip the character's forward movement against the wall while retaining lateral movement (to "slide" against the wall when hit at an angle). This works because most physics engines want to adjust the coordinate for clipping (the one which was disabled for standard control) separately from the standard control routines. (Note that not all games will exhibit this behavior. For such games, the clipping will be done before the standard control routines write to the coordinates.)

At this point, the first clipping routine has been located. Disabling it (either by disabling the single instruction with a NOP instruction, or by branching over the write or the entire routine if it can be done safely) should result in one of two possibilities: The character will either move through the wall, or yet another break will occur. In the case of the former, the code has been found (or at least one part for one of the two axes). For the latter, these clipping routines can be consecutively disabled, with each new routine found becoming another part of the completed code; all clipping routines must be disabled for both the X and Z axes.

That concludes the basic rundown for walk through walls codes. To recap: Locate the clipping routines by disabling the standard controlling routines. Then disable those clipping routines. Test the game with the clipping routines disabled by re-enabling all of the standard controlling routines, or simply by resetting the console with the clipping-disabling codes enabled.


Jesus Mode

A Jesus Mode code allows the player to walk on water just like Jesus in the bible did. One of the most complex hacks to make, it requires great skills with a debugger and a real familiarity with assembly language. The first Jesus Mode code made was for Super Mario 64 by Parayste.

The idea behind Jesus Mode is to figure out how the game determines when the player hits the water, and then edit the code so that the water routine acts the same way the routine for solid ground does.

Mario walks on water (N64)


EnHacklopedia
Basics
Number and Data Encoding Formats - Generic Code Hacking
Individual Systems In Depth
Hacking Arcade - Hacking NES - Hacking SMS - Hacking SNES - Hacking Genesis - Hacking Saturn - Hacking PSX - Hacking N64 - Hacking DC - Hacking PS2 - Hacking GCN - Hacking Game Boy - Hacking Game Gear - Hacking Game Boy Advance - Hacking NDS -
Documents and References
Documents
Tools
Tools


Legal

Creative commons.png
All files (HTML, CSS, images) included in EnHacklopedia are licensed under the Creative Commons Attribution-ShareAlike 3.0 License. All authors contributing to EnHacklopedia should be made aware of the license before contributing. If the author does not agree to the licensing, his or her contributions will not be accepted into the project.