MWR

Started by sulfur, February 22, 2010, 06:10:05 AM


sulfur

I was wondering if somebody could help me. I am trying to make infinite ammo with no reload for two of my guns, the ak-47 and g36c. I searched the values in each clip at 16 bit and I found both addresses, poked both and it worked, so I made a gct code and everything is good, except when I change to a different map some don't work, or it would make one gun infinite ammo but the other one have no ammo. I tried to do a pointer search but came up with nothing. Does anybody have any suggestions?

GMO

Try an ASM code for the Current Ammo. Break on Write.
http://gamemasterzer0.blogspot.com
For Codes, Guides, & Support Codemasters-Project
USB Gecko Facebook Page - My Wii's 4.1 U | 4.0 E

sulfur

I really don't know how to do ASM yet, I am just learning this. Could you kinda give me an idea of what to do?

GMO

#3
In WiiRd click on Breakpoints. Paste in one of the addresses. Under Breakpoint Type click Write. Then click the Set Breakpoint button. Shoot your gun in-game. The game will freeze and WiiRd will dump. When you see the addresses fill up, paste it here.

sulfur

#4
I hope this is what I was supposed to post. This is out of the bottom box:

802D96A0:  B00301F4   sth   r0,500(r3)
802D96A4:  83E1001C   lwz   r31,28(r1)
802D96A8:  83C10018   lwz   r30,24(r1)
802D96AC:  83A10014   lwz   r29,20(r1)
802D96B0:  80010024   lwz   r0,36(r1)
802D96B4:  7C0803A6   mtlr   r0
802D96B8:  38210020   addi   r1,r1,32
802D96BC:  4E800020   blr   
802D96C0:  38600001   li   r3,1
802D96C4:  4E800020   blr   
802D96C8:  9421FFF0   stwu   r1,-16(r1)
802D96CC:  7C0802A6   mflr   r0
802D96D0:  90010014   stw   r0,20(r1)
802D96D4:  93E1000C   stw   r31,12(r1)
802D96D8:  7C7F1B78   mr   r31,r3
802D96DC:  80630104   lwz   r3,260(r3)






GMO

#5
try
042D96A0 60000000
This should just stop the bullet count from counting + No Reload

or

C22D96A0 00000002
380003E7 B00301F4
60000000 00000000
This should do the same, but your current bullet count should be set at 999 unless you want a specific amount.

C22D96A0 00000002 <- Bold is your Current Ammo Address
380003E7 B00301F4 <- Bold is The Bullet Value
60000000 00000000 <- nop

sulfur

Ya, that works. Could you explain what I was doing wrong and how you came up with that? Thanks.

GMO

#7
Normally in games that deal with Ammo you have 2 addresses.
1 - Current Ammo
2 - Max Ammo

Current Ammo is the only thing you really want to modify. You can easily find a current ammo code for each stage, and make a pointer code like in Super Mario Galaxy. Or simply make an ASM code to stop the operation from where it's writing from. Your game is probably dealing with dynamic memory where everything has its own on each level.

A better Video Tutorial can be found here http://wiird.l0nk.org/forum/index.php/topic,2663.0.html by Romapp.

When you did the Break on Write I asked you to, all you really needed was
802D96A0:  B00301F4   sth   r0,500(r3); 98% of the time the first address is all you need

stopping that address is what you wanted.
802D96A0:  B00301F4   sth   r0,500(r3); would become
802D96A0:  60000000  nop

042D96A0 60000000 Final Code

Try doing this for the other weapon as well if it didn't work for both. I know some War games have Primary and secondary weapons.

sulfur

Hey, thanks a lot, and I will watch that video.

dcx2

Breakpoints stop the execution of the game momentarily so that you can look at what's going on inside the processor.  In this case, the breakpoint stopped execution whenever the processor was going to update the memory cell with the current ammo count.

The instruction sth r0,500(r3) takes the value in register 0 and writes it to (the address in r3 + 500).  sth stands for "STore Half-word" - The "Half-word" means that ammo is a 16-bit value.

What GMO suggested was nop-ing the code.  NOP = No OPeration - do nothing.  So, rather than storing the new ammo count to 500(r3), it does nothing, for that single instruction, and then continues executing the game's instructions.

But if r0 has the new ammo count we're supposed to write to memory, the instructions immediately before it are probably the ones that calculated the new ammo value.  Set your breakpoint again, then click on the "Disassembly" tab, and scroll up a few lines (like, six or ten lines or so).  Right-click, and copy/paste the instructions, and I'll briefly describe what's going on, and how you can make a different 999 ammo code, without using a C2 code-type.

sulfur

Ok here is 10 lines up in bold print.

802D9678:  7FC3F378     mr      r3,r30
802D967C:  4BFFFC85     bl      0x802d9300
802D9680:  5460083C     rlwinm  r0,r3,1,0,30
802D9684:  7C7D0214     add     r3,r29,r0
802D9688:  A88301F      lha     r4,500(r3)
802D968C:  7C04F800     cmpw    r4,r31
802D9690:  41800008     blt-    0x802d9698
802D9694:  7FE4FB78     mr      r4,r31
802D9698:  A80301F4     lha     r0,500(r3)
802D96A0:  7C040050     sub     r0,r0,r4


802D96A0:  B00301F4   sth   r0,500(r3)
802D96A4:  83E1001C   lwz   r31,28(r1)
802D96A8:  83C10018   lwz   r30,24(r1)
802D96AC:  83A10014   lwz   r29,20(r1)
802D96B0:  80010024   lwz   r0,36(r1)
802D96B4:  7C0803A6   mtlr   r0
802D96B8:  38210020   addi   r1,r1,32
802D96BC:  4E800020   blr   
802D96C0:  38600001   li   r3,1
802D96C4:  4E800020   blr   
802D96C8:  9421FFF0   stwu   r1,-16(r1)
802D96CC:  7C0802A6   mflr   r0
802D96D0:  90010014   stw   r0,20(r1)
802D96D4:  93E1000C   stw   r31,12(r1)
802D96D8:  7C7F1B78   mr   r31,r3
802D96DC:  80630104   lwz   r3,260(r3)

dcx2

Okay, the important lines are these three.

802D9698:  A80301F4     lha     r0,500(r3)
802D96A0:  7C040050     sub     r0,r0,r4
802D96A0:  B00301F4   sth   r0,500(r3)

The lha line is Loading the Half-word Aligned.  It takes the pointer in r3, adds 500 (decimal; 0x1F4 hex!) to it, and then puts the half-word (= 16-bits) from the memory cell at that address into the register r0.

The next line subtracts the value r4 from r0, and puts it into r0.  (FYI: the PowerPC's "Destination" register is always first).

The final line STores the Half-word.  It takes the pointer in r3, adds 500, and puts the 16-bits in r0 into that memory cell.

Right-click the "lha r0,500(r3)" line and select "Breakpoint".  Now go to the Breakpoints tab, set the breakpoint, and shoot.  Once execution has stopped, look at r0.  Then press "Step".  Execution steps over one instruction and stops again, on the sub.

Look at r0 again - it will have the current ammo count.  Look at r4 - it will probably have "1".  Press "Step" again.  Execution stops on the sth.

Look at r0 again - it will have the new ammo count after having had r4 subtracted from it.  At this point, you could modify the register r0 to hold pretty much any value you want.  If we had 10 bullets, and now we have 9, we could over-write the value in r0 with, say, 99.  Thing is, this only happens once; the next time the code is executed, it will re-load r0 with the value from 500(r3), and we would have to change r0 again.  While the effect isn't permanent, this is a great way to make sure you understand what's going on with instructions before you start changing them.  You could change r4 to be 0 before the subtract executes, for instance.  Press "Step" again and, if you flip over to the Memory Viewer, you can see that the memory cell has the new value.

GMO suggested patching out the sth, so that way, after calculating the new ammo count, the game does nothing with this new value.  And he suggested a C2 code-type, which allowed him to insert an extra instruction to load 999 into the ammo count.

There's another way to do it, though.  We can replace the sub instruction with another instruction that just loads 999 into r0.  Then we don't need the C2 code-type.

802D9698:  A80301F4     lha     r0,500(r3)
802D9698:  ?????????     li        r0,999
802D96A0:  B00301F4   sth   r0,500(r3)

I'm not sure what the machine code for li r0,999 is (probably similar to "380003E7"), so I left it as ??'s.  But if you're in the Disassembly window, you can pause the game, highlight the sub instruction, and change it to "li r0,999", and it calculates the machine code for you.

li stands for Load Immediate.  An "immediate" is a value that's part of the instruction (380003E7 - notice how 999 decimal = 0x3E7 hex is a part of the instruction); it does not get the value from a register or a memory cell.

What this is doing is putting 999 into r0 right before it gets written to memory.  Two birds with one stone - not only did we get rid of the subtraction so you don't consume ammo when you shoot, but we also made it so you will get max ammo when you shoot!

In my opinion, assembly hacks are a lot better than pointer hacks.  Pointers can move around, they can be hard to find, if they become null your game will crash, etc.  However, the game's assembly (almost) never moves around, it's easy to find with breakpoints, and it's a bit harder to crash the game.

The only problem is that the code that subtracts one from your bullets might also subtract one from your enemies' bullets.  So an assembly hack might give everyone infinite ammo, while the pointer hack only gives _you_ infinite ammo.  Sometimes this doesn't matter (most enemies have infinite ammo anyway), sometimes it's good (player 2 gets infinite ammo), but sometimes it's bad (if you make an infinite health code and enemies also get infinite health...)
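
An added example, not part of any post in this thread: a small Python decoder for the Gecko codes and PowerPC words quoted above, which also encodes the "li r0,999" that dcx2 left as ?'s. It assumes the sub sits at 0x802D969C (the slot between the lha at 0x802D9698 and the sth at 0x802D96A0) and that the codes use the default 0x80000000 base address; all function names are illustrative.

```python
GECKO_BASE = 0x80000000  # assumption: codes are relative to the default base address
D_FORM = {14: "addi", 42: "lha", 44: "sth"}  # primary opcodes seen in the thread

def decode(word):
    """Disassemble the few D-form instructions that appear in the thread."""
    op, rt, ra = word >> 26, (word >> 21) & 31, (word >> 16) & 31
    imm = word & 0xFFFF
    simm = imm - 0x10000 if imm & 0x8000 else imm   # sign-extend the displacement
    if word == 0x60000000:
        return "nop"                                # encoded as ori r0,r0,0
    name = D_FORM.get(op)
    if name == "addi" and ra == 0:
        return f"li r{rt},{simm}"                   # li is addi rT,0,SIMM
    if name in ("lha", "sth"):
        return f"{name} r{rt},{simm}(r{ra})"
    return f".long 0x{word:08X}"                    # anything else stays undecoded

def encode_li(rt, value):
    """Encode li rT,value; the value must fit a signed 16-bit immediate."""
    if not -0x8000 <= value <= 0x7FFF:
        raise ValueError("immediate does not fit in 16 bits")
    return (14 << 26) | (rt << 21) | (value & 0xFFFF)

def parse_gecko(text):
    """Return (patched address, [instruction words]) for an 04 or C2 code."""
    words = [int(w, 16) for w in text.split()]
    kind = (words[0] >> 24) & 0xFE                  # low bit belongs to the address
    addr = GECKO_BASE + (words[0] & 0x01FFFFFF)
    if kind == 0x04:                                # 32-bit RAM write
        return addr, [words[1]]
    if kind == 0xC2:                                # insert ASM, words[1] = line count
        body = words[2:2 + 2 * words[1]]
        while body and body[-1] == 0:               # trailing 00000000 is not code
            body.pop()
        return addr, body
    raise ValueError(f"unhandled code type {kind:02X}")

def write32_code(addr, word):
    """Format a 32-bit RAM write line for an address at or above GECKO_BASE."""
    return f"{0x04000000 | (addr - GECKO_BASE):08X} {word:08X}"
```

Under those assumptions, write32_code(0x802D969C, encode_li(0, 999)) gives the single-line form of the patch dcx2 describes, and decoding GMO's C2 body shows the li, the original sth and the padding nop.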

sulfur

#12
Cool, I will try that. With Romapp's video I was able to make an add grenades code, which is pretty cool. I know there is a lot of stuff I don't know yet but I am learning. :)


So what you were talking about at the bottom, let me know if I have this right: in other words, just because I found the ammo address for host only, if I change the assembly then it might not be a host only code?

dcx2

Let's say there's a piece of game code, and let's call it "DecAmmo".  The purpose of DecAmmo is to subtract from ammo.  It can be used on anyone with ammo - players, enemies, etc.

Each player and each enemy is a different portion of memory, but DecAmmo is used to adjust everyone's ammo.  So you shoot, DecAmmo decreases your player's ammo, but then your pointer hack will alter only the portion of memory for your player, giving you your ammo back.  Other characters are unaffected if you only change the memory for your player.  When they shoot, nothing changes their memory.

In contrast, the assembly hack changes everyone that DecAmmo is used on.  When anyone shoots, the new DecAmmo that we hacked changes their memory, regardless of whether it's your player or not.  If you wanted to make it only apply to your player, you would need to add extra code that only does li r0,999 when it knows that it's adjusting the player's memory.
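
An added example, not part of any post in this thread: a Python model of the hypothetical "DecAmmo" routine run over constructed memory for two actors, comparing a RAM write to the player's cell with the nop, li and player-only patches. The struct size, starting ammo of 30 and all names are assumptions made for the illustration.

```python
import struct

AMMO_OFF = 500  # the 500(r3) displacement from the disassembly

def make_ram(actors, ammo=30, size=0x400):
    """Constructed memory: one struct per actor, ammo as a signed 16-bit field."""
    ram = bytearray(size * len(actors))
    bases = {name: i * size for i, name in enumerate(actors)}
    for base in bases.values():
        struct.pack_into(">h", ram, base + AMMO_OFF, ammo)
    return ram, bases

def ammo_of(ram, base):
    return struct.unpack_from(">h", ram, base + AMMO_OFF)[0]

def dec_ammo(ram, r3, r4, patch=None, player_base=None):
    """Run lha / sub / sth for the actor whose struct pointer is in r3."""
    r0 = ammo_of(ram, r3)                        # lha r0,500(r3)
    if patch == "li" or (patch == "guarded" and r3 == player_base):
        r0 = 999                                 # li r0,999 in place of the sub
    else:
        r0 -= r4                                 # sub r0,r0,r4
    if patch != "nop":                           # nop in place of the sth
        struct.pack_into(">h", ram, r3 + AMMO_OFF, r0)

def fire_all(patch=None, poke_player=False, shots=3):
    """Every actor fires `shots` times; return the ammo each one ends with."""
    ram, bases = make_ram(["player", "enemy"])
    for _ in range(shots):
        for base in bases.values():
            dec_ammo(ram, base, 1, patch, bases["player"])
        if poke_player:                          # RAM-write code: player's cell only
            struct.pack_into(">h", ram, bases["player"] + AMMO_OFF, 999)
    return {name: ammo_of(ram, base) for name, base in bases.items()}
```

The "guarded" case only works while the comparison value matches the player's struct pointer, which is the same moving address that made the original RAM-write code fail between maps.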

sulfur

Ok, thank you for all your help. I think I have a really good idea of what to do. I will do some experimenting and see what I can do.  :)