I need help making a code that's in the MEM2 Range.
I know that 8, 16, 32bit codes start with 00,02,04 followed by the address (6 digits long), example 8bit = 00xxxxxx
But, what if the address is 7 digits long?
For example if the memory address in wiird is
91531490 with value 000003E7
How do I make that into a code?
If I'm not mistaken, you'd use 0x91xxxxxx as the base address (ba);
(in example Mem2 16bit write (ba))
42000000 91000000
02531492 000003E7
E0000000 80008000
As for 0x81xxxxxx, the Constant Write code type must be incremented, i.e. 32bit value write (04) becomes 05.
Mind you I've been using an old version of WiiRD so the handler may have changed.
Quote from: TNTkryzt on November 03, 2008, 03:55:39 AM
If I'm not mistaken, you'd use 0x91xxxxxx as the base address (ba);
(in example Mem2 16bit write (ba))
42000000 91000000
02531492 000003E7
E0000000 80008000
ba is aligned to be divisible by 0x2000000, so 91000000 won't work as expected. It should instead be:
42000000 90000000
03531490 000003E7
E0000000 80008000
Of course, that is assuming that you want a 16-bit write. For 32-bit it would be:
42000000 90000000
05531490 000003E7
E0000000 80008000
Alternatively, you could use po (this example does a 32-bit write):
4A000000 91531490
14000000 000003E7
E0000000 80008000
Or you could use po like this, it would work since po isn't realigned:
4A000000 91000000
14531490 000003E7
E0000000 80008000
Quote from: TNTkryzt on November 03, 2008, 03:55:39 AM
Mind you I've been using an old version of WiiRD so the handler may have changed.
WiiRD doesn't load the code handler into memory, Gecko OS does. Only the Gecko OS version will make a difference in regards to which codes do or don't work.
In that case I had better update my gecko OS :eek:
For the "92" and "93" areas, you would use the "92 ba/po" plus incrementing the code type for "93" area.
(0x92531492) 16bit ba
42000000 92000000
02531492 000003E7
E0000000 80008000
(0x93531492) 16bit ba
42000000 92000000
03531492 000003E7
E0000000 80008000
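The address arithmetic discussed in the replies above, as an added example that is not part of any post in this thread: it resolves the address each quoted code actually touches. The bit layout (25-bit offset, 0x10 selecting po, ba masked to a multiple of 0x2000000) is inferred from the posts, and the terminator handling is an assumption about the Gecko code handler.

```python
# Added example (not from the thread). Assumed bit layout, inferred from the
# posts above: low 25 bits of word 1 = offset, 0x10 in the top byte = use po,
# and ba (not po) is masked to a multiple of 0x2000000 before use.
DEFAULT = 0x80000000
KINDS = {0x00: "write8", 0x02: "write16", 0x04: "write32", 0x20: "if32_equal"}

def resolve(code_text):
    """Return [(kind, effective_address, value)] for each write/if line."""
    ba = po = DEFAULT
    out = []
    for line in code_text.strip().splitlines():
        first, second = (int(w, 16) for w in line.split())
        top = first >> 24
        if first == 0x42000000:            # set ba
            ba = second
        elif first == 0x4A000000:          # set po
            po = second
        elif top == 0xE0:                  # terminator XXXXYYYY reloads ba/po (assumed)
            ba = (second >> 16) << 16 or ba
            po = (second & 0xFFFF) << 16 or po
        else:
            base = po if top & 0x10 else ba & 0xFE000000
            addr = base + (first & 0x01FFFFFF)
            kind = KINDS.get(top & 0xEE, f"type_{top:02X}")
            out.append((kind, addr, second))
    return out

# Codes quoted from the thread; the labels are made up for this example.
THREAD_CODES = {
    "ba 91000000 + 02": "42000000 91000000\n02531492 000003E7\nE0000000 80008000",
    "ba 90000000 + 03": "42000000 90000000\n03531490 000003E7\nE0000000 80008000",
    "ba 90000000 + 05": "42000000 90000000\n05531490 000003E7\nE0000000 80008000",
    "po 91000000 + 14": "4A000000 91000000\n14531490 000003E7\nE0000000 80008000",
    "ba 92000000 + 03": "42000000 92000000\n03531492 000003E7\nE0000000 80008000",
}

def effective_addresses():
    """Map each label to the hex addresses its write lines resolve to."""
    return {label: [hex(a) for _, a, _ in resolve(code)]
            for label, code in THREAD_CODES.items()}

if __name__ == "__main__":
    for label, addrs in effective_addresses().items():
        print(label, "->", addrs)
```

The first entry resolves to 0x90531492 rather than 0x91531492, which is the realignment effect described in the reply above.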
Obviously, I failed on making the code since the address changes on every boot and using Pointer Search didn't yield any results. But those infos should come in handy in the future...Thank You both!
Just place a read breakpoint on the address and trace back to see how the address is formulated, that's how I do it.
I tried to use a breakpoint...it does prevent the value from decreasing but it also affects the game making it unable to advance after nop the breakpoint address.
The breakpoint suggestion was so you could find a pointer for the address. Which game is it? I may have it and could help; if not, just post the routine of the address you broke on. For read and write breaks if possible.
It's a max Coupon code for Pokemon Battle Revolution (U) [RPBE01] and the address is always in between 91909300 to 91909400.
I found the address and then right click it and choose BreakPoint, then goto the Break Point tab, choose Write and click on Set....you need the infos in the assembly box?
Nah I don't have that game. Just post the line it breaks on and preferably a couple of lines before the line it broke at.
Ok, I put down the address then Set Breakpoint to Read and found these results
80167624 7CA5002E lwzx r5, r5, r0
80167628 80C40004 lwz r6, 4 (r4)
8016762C 209D0020 subfic r4, r29, 32
80167630 5C70103A rlwinm r0, r30, 2, 0, 29
80167634 3863E4A0 subi r3, r3, 7008
If I nop this address 80167624, I get tons of Coupons, over 9mil but couldn't get out of the shop.
Set Breakpoint to Write and found these results
80167538 90050000 stw r0, 0 (r5)
8016753C 41800068 blt- 0x801675a4
80167540 38E6FFE0 subi r7, r6, 32
80167544 80C50004 lwz r6, 4 (r5)
80167548 5E0103A (<missed1digit) rlwinm r0, r7, 2, 0 ,29
If I nop this address 80167538 Coupons won't decrease when buying something, but you can't go into any battles.
One possible solution I can think of is use Button Activate (nop, un-nop), but if there's another better solution to it then it would be even better.
The routines are most likely used by other function calls, I'll be getting the game soon so I can have a closer look at it.
Ok, I had a look at it and the routines load and store to other areas of the block so you're better off branching off to your own routine where you'd need to run a check.
The following sub-routine will run a check on r27, which is when the desired address is present in r5, which we'll be writing our new value to.
817F3000: 2C1B0002 cmpwi r27,2
817F3004: 40820008 bne- 0x817f300C
817F3008: 3800270F li r0,9999
817F300C: 90050000 stw r0,0(r5)
817F3010: 4A97452C b 0x8016753C
80167538: 4968BAC8 b 0x817f3000
Have 9,999 Coupons
077F3000 00000014
2C1B0002 40820008
3800270F 90050000
4A97452C 00000000
04167538 4968BAC8
..or you could target the main calculation;
8014211C: 7C9E1850 sub r4,r3,r30
and either nop it or have it increase your coupons when buying
8014211C: 7C83F214 add r4,r3,r30
Spend to Increase Coupons
0414211C 7C83F214
PP address
803BAD08: 7C170050 sub r0,r0,r23
Incidentally, here's a pointer to the main poke block pointers;
[80628890]
+30h = plyr [+2d42 =strength] [+2d8c =HP]
I don't quite understand what all that stuff means but I tested the 9999 Coupon code and it works well. Thanks! You should post the codes in the USA Codes section or database to get credit.
Turns out this game was already hacked by juan.
http://wiird.l0nk.org/forum/index.php?topic=1510.0
They are different codes and ported from Zit's...and some people have problems when using both codes together.
Quote from: TNTkryzt on November 05, 2008, 10:21:08 AM
Have 9,999 Coupons
077F3000 00000014
2C1B0002 40820008
3800270F 90050000
4A97452C 00000000
04167538 4968BAC8
What does an 07 code do?
077F3000 00000014
It's the string code incremented to write to the 0x81xxxxxx area;
= CST3 : String Code =
06______ YYYYYYYY : Patch code (ba)
d1d2d3d4 d5d6d7d8...
writes d1d2d3d4 d5d6d7d8... at ba+address.
YYYYYYYY is the number of bytes to write
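The "Have 9,999 Coupons" code read with the 06/07 layout just described, as an added example that is not part of any post in this thread: it unpacks the code into memory patches and resolves each PowerPC `b` word to its target. It assumes ba is the default 0x80000000 and that string data is padded to whole 8-byte lines, as the quoted code shows.

```python
# Added example (not from the thread). Assumes ba is the default 0x80000000
# and, as the posts describe, that an odd code type adds 0x01000000.
COUPON_CODE = """
077F3000 00000014
2C1B0002 40820008
3800270F 90050000
4A97452C 00000000
04167538 4968BAC8
"""  # the "Have 9,999 Coupons" code quoted from the thread

def unpack_patches(code_text):
    """Return {address: [32-bit words]} for 04/05 and 06/07 lines."""
    words = [int(w, 16) for w in code_text.split()]
    patches, i = {}, 0
    while i < len(words):
        first, second = words[i], words[i + 1]
        addr = 0x80000000 + (first & 0x01FFFFFF)
        kind = (first >> 24) & 0xFE           # fold 05 into 04, 07 into 06
        i += 2
        if kind == 0x04:                      # 32-bit write: one word
            patches[addr] = [second]
        elif kind == 0x06:                    # string code: second = byte count
            patches[addr] = words[i:i + (second + 3) // 4]
            i += (second + 7) // 8 * 2        # skip data incl. padding word
        else:
            raise ValueError(f"unhandled code type {first >> 24:02X}")
    return patches

def branch_target(insn_addr, word):
    """Target of a PowerPC b/bl word (primary opcode 18), else None."""
    if word >> 26 != 18:
        return None
    li = word & 0x03FFFFFC                    # LI field, already shifted left 2
    if li & 0x02000000:                       # sign-extend the 26-bit offset
        li -= 0x04000000
    absolute = word & 2                       # AA bit
    return (li if absolute else insn_addr + li) & 0xFFFFFFFF

def hooks(code_text):
    """Sorted (branch_address, target) pairs for every b/bl word in the code."""
    found = []
    for base, words in unpack_patches(code_text).items():
        for n, word in enumerate(words):
            target = branch_target(base + 4 * n, word)
            if target is not None:
                found.append((base + 4 * n, target))
    return sorted(found)
```

`hooks(COUPON_CODE)` shows the detour at 0x80167538 jumping to 0x817F3000 and the routine returning to 0x8016753C, the instruction after the replaced `stw`.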
Quote from: brkirch on November 03, 2008, 06:24:15 AM
Quote from: TNTkryzt on November 03, 2008, 03:55:39 AM
If I'm not mistaken, you'd use 0x91xxxxxx as the base address (ba);
(in example Mem2 16bit write (ba))
42000000 91000000
02531492 000003E7
E0000000 80008000
ba is aligned to be divisible by 0x2000000, so 91000000 won't work as expected. It should instead be:
42000000 90000000
03531490 000003E7
E0000000 80008000
Of course, that is assuming that you want a 16-bit write. For 32-bit it would be:
42000000 90000000
05531490 000003E7
E0000000 80008000
Alternatively, you could use po (this example does a 32-bit write):
4A000000 91531490
14000000 000003E7
E0000000 80008000
Or you could use po like this, it would work since po isn't realigned:
4A000000 91000000
14531490 000003E7
E0000000 80008000
Quote from: TNTkryzt on November 03, 2008, 03:55:39 AM
Mind you I've been using an old version of WiiRD so the handler may have changed.
WiiRD doesn't load the code handler into memory, Gecko OS does. Only the Gecko OS version will make a difference in regards to which codes do or don't work.
What if I want to add an IF code to the MEM2 code,
example:
The Code
42000000 90000000
03531490 000003E7
E0000000 80008000
I want to make it like IF 91531480 = FFFFFFFF then write 03E7 to 91531490
How do I do that?
20______ YYYYYYYY : 32bits If equal (ba)
increment the 20 to 21 if reading 91 area;
The Code (ba)
42000000 90000000
21531480 FFFFFFFF
03531490 000003E7
E0000000 80008000
Yeah, thanks, adding 01000000 to the address solved the problem. Learned something new today :)