ROM Hack USUM IPS Patches

Sonansune

Is there a no experience patch or does anybody know how you'd go about doing it?

For clarification I mean so Pokemon don't gain experience at all and thus don't level up; I've seen a few challenge runs of early generations and it looks like it would be fun for USUM.
try change the exp multiplier byte to 00
 

tekwarfare

Offsets 04 AND 05 as are highlighted in the image in the first post? I was looking at the wrong image
Editing 00000010 offset 0B from 64 to 00 means I now gain 1 experience point per Pokemon. Not sure if there's any way to make it zero, but it's probably more than good enough for a no exp challenge run.
Thanks for your help :)
 

JustMe2700

I have had pretty good luck troubleshooting with these IPS patches. Gotten rid of most of the errors. The one that just won't go away is that I can't seem to use ShinyLockRemoval and ShinyChance (1,5,10,15... etc. any of em) together without it negating the edited shiny chance. Any ideas?

Also, it could just be my crappy luck but shiny rates seem lower than they should as well.
 

searequiem

Hey, I cannot for the life of me get the no outlines patch to work. I'm on Luma 9.1 and enabled game patching and the code.ips file is inside /luma/titles/0040000001B5100/..
I know it worked before but, I just recently booted up my 3ds again and it doesn't anymore.
 

Princess Emily

Can I request some cheats too?

BTW I'm using CTRPF to make cheats myself such as Enemy Pokemon's PP=0 (which I already know what the offsets are), but there are some things that are hard to find out such as secondary effects of moves will always happen, or enemy will always miss if accuracy is below 100%

Do you have like a source code of your .ips cheats so that I can see their code forms? Or is there a way to convert .ips & .plg codes to Action Replay ones?

I wanna know myself the offsets to things like status (poison, paralysis, burn, etc.), catch rate, critical hit chance, if the move will miss or not, etc.
 

Sonansune

most ips came from cheat codes.
ips is just a patch file generated from binary comparison, a binary container with offsets, length and those different bytes.

the feature u want require more than value search. most likely, u need to re the corresponding cro or code.bin to do the magic. also, ida debug should help u with this process.

and for cheat like this "enemy will always miss if accuracy is below 100%", u definitely need to know how to code in arm assembly, since u will have to put your custom codes into the code cave of the code.bin file.
 

Princess Emily

Umm what do you mean by "u need to re the corresponding cro or code.bin to do the magic" ?
You meant read?

And what's ida debug? How or where to access it?
 

Sonansune

reverse engineering.

if u are asking these questions, which means u never heard of debugging, then just give it up. trust me... it's not entry level stuff.
it sounds rude, but im saving u a lot of time from trying and get nothing.
 

Princess Emily

Haven't gone into advanced programming yet myself, so yeah I have to give up RE & debugging (temporarily) until I study programming.

Best bet I'll have is to use CTRPF to do Action Replay code editing.

BTW I did some searches on the opposing Pokemon's PP, and noticed that for each move's PP there are 4 offsets (30004FA6, 30004FAC, 3000BF8E, 3000BF94 for Move #1). Editing 4FA6 & BF8E does nothing apparently, but editing 4FAC to 0 will make the opposing Pokemon struggle on the 2nd turn onwards if Move #1 is its only move left (for some reason it can still execute the move in the first turn unless BF94 is set to 0). If BF94 is set to 0 but 4FAC is untouched, then "No PP is left for the move" will be displayed each turn but it won't Struggle.

Was wondering why 4FA6 & BF8E does nothing... are they like placeholders or something?
 

Sonansune

there are differences between display value and the effective value. in this case, those 2 are display value.
simplified example:

some function:
a=X
b=a
....
function that does the pp amount check, and b never used here. thus changes in b wont affect anything.
....


notice here, changes in a will affect b, but b doesnt do anything other than store the value.
 

Princess Emily

I see.

BTW, do you know how to change/force the initial seed of the game?
I tried using this hex code as suggested by somebody else:
[image]


But it doesn't work, because when using the RNG Plugin to view the initial seed (https://gbatemp.net/threads/pcalc-usum-the-rng-plugin-for-ultra-sun-and-ultra-moon.489643/), the initial seeds are still different & not matching the one above (even when saving it as code.ips)
 

Sonansune

i doubt u are using the right code nor right offset
d9cc in code.bin is an add instruction. u definitely replace the wrong thing with aabbccdd
 

Princess Emily

Updated Reply: Turns out he gave me the Gen 6 one by mistake (XY & OR/AS).
I hope you can make one for Gen 7.

Reason for this request is all about RNG abuse purposes tho.

Update 2: Turns out there's no Gen 7 ips patch for forced initial seed, only Gen 6.
 

JoshsVlogs

Support V1.0 - V1.2

Notice: Recommend to use saltysd as romfs content(cro, etc.) redirection tool.
Luma romfs redirection seems to have some kind of unknown bug? it leads the game to crash during the battle scene when certain ips and cro both applied.

if you had any startup crashes with cro patches, please re-merge your ips with new mergetool.
old mergetool simply combine those ips instead of re-order them by offset, could be one of the reason that the game crashes at loading stage.

EDIT: re-upload mergetool.exe


IPS Patch collection contains multiple mono feature patch as listed below.
  1. no outlines
  2. Guarantee Catch
  3. all pokemon rename-able
  4. instant message display
  5. quick hatch
  6. AlwaysShinyForNotLockedPM
  7. walking/running speed *1.375 constantly. according to other speed hack user's posts, beyond 1.375 is not SAFE(through the wall etc...)
  8. Disable ingame NFC (wifi won't be cut off after connected. no more festival plaza or suspend the game when you try to video record your game or use pkmn-ntr debugger)
  9. SaltySD (https://github.com/shinyquagsire23/SaltySD) (extra two version independent saltysd. redirect US and UM to different directory. sd:/saltysd/UltraSun or UltraMoon. original version is UltraSunMoon)
  10. PC Anywhere (overwrite the default Options/Setting menu)
  11. walk Through Wall
  12. SciresM's QR Patch (https://github.com/SciresM/SMPatcher)
  13. Exp Multiplier * 100 (can change by yourself, edit the selected byte (Hexadecimal))
  14. Catch Trainer's Pokemon
  15. Be able to learn all TM/HM
  16. No QR Scanning CoolDown (QR Injection patch include this feature.)
  17. Shiny Lock Removal
  18. Customize shiny rate
  19. inverse type chart
  20. All Stats+6 in battle
  21. Mega evolution remains, even after battle (mega-evolvED.ips)
  22. Party Mega form pkm won't revert back when loads the save (Bypass Mega check(party pkm).ips)
  23. No force trainer battle
  24. Legendaries to be played with in the Battle Royal Dome & Battle Tree(Super)
  25. Camera zoom. (must use with edited cro, check below) zoom level also can be changed by editing ips. check here. #3160

Download: https://mega.nz/#F!yRBnDIyD!v3snrrQ8Yxfza_lTvKfMXw
USE THE PATCH BASED ON YOUR GAME VERSION!!!
For SM: https://gbatemp.net/threads/batch-tool-to-generate-ips-patches-for-pkmn-su-mo.452178/



IPS Merge Tutorial:
1: (require python)
Download attached mergeTool.txt.
put desired patches in the same directory as mergetool.
open cmd and type in
Code:
python "the script file full name" (without quotes)
new generated code.ips is your new merged ips patch with all feature you want.
OR 2: (windows, No python requirement)
download mergeTool:
https://puu.sh/A8t3A/e46f04d10b.7z
put desired patches in the same directory as this exe.
double click.
new generated code.ips is your new merged ips patch with all feature you want. video tutorial provided by @DrGreed




CRO Editing:
for anyone interested in the wormhole cheat. (it's a gw only cheats if you don't know how to write a plugin)
I have an alternative method for it. you guys can use it before analogman release his new version plugin.

requirement:
luma cfw
godmode9

1. boot into godmode9
2. select "sysnand/emunand SD" depends on your own game installation.
3. select the file in this path: title\00040000001b5100(or 1b50 based on version of the game you want to patch)\content\00000000.app (for v1.1 and above, using 0004000E001b instead of game itself)
4. ncch image options -> mount image -> romfs\lunasoldive.cro copy this file to your sd:\luma\titles\your game id\romfs\lunasoldive.cro go to sd:/saltysd/UltraSunMoon or UltraSun or UltraMoon depends on which version saltysd you used.
5. open the file in hex, go to offset 18630(v1.0) change the bytes in this order, save it after edit. done. (v1.1&v1.2 is 186C0)
Code:
06 00 00 2A 00 00 A0 E3
to
Code:
00 00 A0 E1 03 00 A0 E3

this gives you max level wormhole all the time.





display opponent HP in battle(not stable):
v1.0:
battle.cro go to offset A8CFC.
replace "F8 40 2D E9" with "E7 FE FF EA"

v1.1:
offset A9160.

V1.2:
offset A9198

if you had any startup crashes, please re-merge your ips with new mergetool.
old mergetool simply combine those ips instead of re-order them by offset, could be one of the reason that the game crashes at loading stage.


some other cheats also can be done by this way.




WARNING!!! About to enter the Devil Zone.
【Tutorial】How to integrate gw only cheats to the game (Could apply to other games)
------------------------------------------------"gw only" is true only if you don't know how to write a plugin nor rewrite a code cave version cheat-----------------------------------------------------------
Notice: same as ips patch, cro editing does not have trigger feature. in order to use it on 3ds with Luma, you need to enable "game patching" in Luma preference menu.

Requirement:
1. Not a noob(3ds hacking scene)
2. Luma CFW \ Citra
3. CTRFramework \ GDB debugger (ida pro as in the tutorial, recommend v7.0 as the time I wrote this tutorial)
4. Hex editor
5. Godmode9 (Optional)
6. hexadecimal calculator (optional)
7. understand gateshark instruction(novice level at least) and Endianness. IMPORTANT!!!

During this tutorial, I will demonstrate a cheat sample and explain the codes, but I won't go through all gateshark instructions. thus No.7 is IMPORTANT!!!


  • Step 0: (Preparation)
get all .cro files from the game.
you can use either godmode9 or grab the romfs folder when you extract your dumped game on computer.
  • godmode9:
    1. boot into godmode9
    2. select "sysnand/emunand SD" depends on your own game installation.
    3. select the file in this path: title\your game title id\content\00000000.app
    4. ncch image options -> mount image -> romfs\
    5. copy the romfs folder to your sd card.
    6. copy romfs folder from sd card to your computer.
  • Step 1:
Take a look at the cheat you want to port, have a brief understanding of the codes.
lines in bold have conditional instruction. there are multiple conditional mnemonic symbol. 3,4,5,6 are used for 4 bytes(32 bits) value. (if less than, if greater than, if equal, if not equal)
lines in purple and orange are memory writing.

[Camera zoom out(SELECT+L)Enable, (SELECT+R)Disable]
605B9F80 ED940A1C -------------------------------> if a 4 bytes value at offset 0x005B9F80 is not equal to 0xED940A1C, execute following instructions until hits D0000000 00000000
005B9F80 ED940A1C
005B9F84 ED9F1A03
005B9F88 EE300A01
005B9F8C ED840A1C
005B9F90 E2840004
005B9F94 E12FFF1E
005B9F98 00000000

D0000000 00000000 ------------------------------------> terminate conditional instruction
5803B784 E2840004 --------------------------------> if a 4 bytes value at offset 0x0803B784 is equal to 0xE2840004, same as above 6XXXXXXX
0803B784 EBFAA9FD
D0000000 00000000
DD000000 00000204 <- SELECT+L(Enable) ----------> [this instruction means: execute following instructions until hits D0000000 if select & L are pressed.] you should always ignore key trigger instructions (DD000000)
005B9F98 C4BB8000 -------------------------------------> since you want the cheat to be ON, so you pick this instead of the orange one.
D0000000 00000000
DD000000 00000104 <- SELECT+R(Disable)
005B9F98 00000000
D0000000 00000000

For you better understanding, translate this cheat into more readable english would be like this:
first, you check a 4 bytes value at offset 0x005B9F80. if the value is not equal to 0xED940A1C, you will write 1C 0A 94 ED(see the reverse order here? gateshark codes are written in big endian, but codes are little endian in actual ram) to 0x005B9F80-0x005B9F83 respectively. 03 1A 9F ED to 0x005B9F84-0x005B9F87, and so on... this purple chunk has almost all core codes on the value side.
Then, you check another 4 bytes value at offset 0x0803B784. if the value is equal to 0xE2840004, you will write FD A9 FA EB(see the same reverse order here?) to 0x0803B784-0x0803B787 respectively.
Finally, you check for the key press. if select & L are pressed, you write 00 80 BB C4 to 0x005B9F98-9B. by overwrite the 00000000 at 0x005B9F98. this memory write code completes the core codes mentioned in first part, thus it's activated.
if select & R are pressed, you set 0x005B9F98 back to 00000000, so the core codes got revert, thus it's disabled.

all the instructions are constant rapidly running as long as the cheat itself is enable in gw cheat menu, so it can "lock" all the written value and answer your key press.

By now, you should understand what does the code do. if not, make sure you do, then you can go to the next step.
  • Step 2:
Simplify the cheat.
simplified camera zoom out would look like below:
you should keep memory writing instructions only.

005B9F80 ED940A1C
005B9F84 ED9F1A03
005B9F88 EE300A01
005B9F8C ED840A1C
005B9F90 E2840004
005B9F94 E12FFF1E
005B9F98 C4BB8000

0803B784 EBFAA9FD


offsets in first 7 instructions are continuous, it used an code cave(bunch of null bytes) in code.bin; which means it can be made as an ips patch.
the last one has a much larger offset; which means normally, you can only access it during the game play.
  • Step 3:
create an ips patch if possible.
005B9F80 ED940A1C
005B9F84 ED9F1A03
005B9F88 EE300A01
005B9F8C ED840A1C
005B9F90 E2840004
005B9F94 E12FFF1E
005B9F98 C4BB8000


what you gonna do:
1. open any hex editor and create a new file.
2. add "PATCH".
3. take the offset and subtract 0x00100000 from it. i.e. 0x005B9F80 will be 0x004B9F80.
4. type 4B9F80 in hex section after "PATCH".
5. calculate the length of one continuous bytes chunk. 4*7=28; 28-16=12; so 28 is 0x10 + 0x0C=0x1C in hexadecimal. if you can't do mental arithmetic, use a calculator.
6. type in the length 001C.
7. convert the value to little endian with your own way, put them into the hex section.(manually type or use other tool)
8. add "EOF".
  • Step 4:
Locate large offset in the game.
0803B784 EBFAA9FD

in step 4, you are gonna view 3ds's ram during the game play by using 【3DS with Luma CFW & (NTR CFW + CTRFramework) OR GDB Debugger】OR【Citra & GDB Debugger】 maybe you are gonna say luma does have a ram viewer with recent commit. BUT you should know it's a highly experimental feature. I wouldn't recommend it as current state.

3DS: (for ntr method, I assume you know how to get CTRFramework to work and ntr is running in the background before you continue...)
1. launch the game.
2. play the game until you get into a valid scene for the cheat. (i.e. you need to be on the big map in order to see the camera zoom effect; in the ultra wormhole in order to see the wormhole changes, etc.)
Citra:
1. Citra -> Emulation -> Configure -> Debug -> check enable gdb stub. remember the port! (you are not going to actually DEBUG the game, so you don't have to disable jit)
2. launch the game. Citra will freeze at the title list screen. it's waiting for gdb to connect. once connected, it will resume.



3.
  • NTR:
    launch CTRFP menu. go to Options, and select second entry. press X and select jump to address/offset, type in 803B784. take a note of 0x30(48) bytes start from 0x0803B784; the more the better. (avoid similar code chunk when used for later searching up bytes)
  • GDB:
    1. enter luma menu. enable debugger. go to process list and select your game process(usually the one with game name or some code name. should always be the third or second from last)
    2. on ida pro. you select Debugger -> attach -> remote gdb debugger -> debug options -> set specific options -> change the processor type from intel x86 to arm little endian -> OK twice and back to "debug application setup"
    3. fill the hostname with your 3ds ip address shown on luma menu (citra: open cmd/powershell, type in ipconfig /all. you will see an ipv4 address, it's your computer local ip). fill the port too. you can check "save network settings as default" if you don't want to type in the same ip and port everytime.
    4. Luma:
      hit multiple OK. if there is a small pop out box has a suspending button, hit it.
      Citra:
      hit multiple OK. ignore the pop out suspending box for now.
      play the game until you get into a valid scene for the cheat. (i.e. you need to be on the big map in order to see the camera zoom effect; in the ultra wormhole in order to see the wormhole changes, etc.)
      then click the suspending button.
    5. click the hex window once, and press G on your keyboard. type in the offset 803B784 and hit OK.
    6. take a note of 0x30(48) bytes start from 0x0803B784 ; the more the better. (avoid similar code chunk when used for later searching up bytes)
4. you do it in a few ways.
1) general guessing:
for example, the cheat is about camera zoom on the map, which means it's related to the map. then you are gonna look for file named like map.cro, etc. (which has the keyword you want)
sadly, you can't find any cro with "map" in its name. in this case, you can go through all the cro to check their names. ha! found a similar name "field". since multiple files have "field" in their names, you want to go with the largest one "FieldRo.cro" first.
open the "FieldRo.cro" in hex editor and search for your noted hex bytes. you should get 1 result only; if not, go back to step 3 and take a larger bytes string than previously.

2) python script:
download this python script. https://github.com/Sepero/SearchBin/raw/master/searchbin.py
put the script in the same directory as those .cro files you previously extracted.
open a cmd window or powershell in above directory with shift + right click. (btw, on new version win10, you can use regedit to change right click powershell back to cmd if you want to stick with it)
type in
Code:
for %i in (*.cro) do (python searchbin.py -p "put your noted bytes here!" %i)
i.e. searchbin.py -p "0000A0E3"

3) grep (if you know how to use it:P)
5. you should have located the offset in the correct cro by now.
  • Step 5:
Editing and usage.
1. type in the hex value from cheat to replace original one. (remember reverse order!)
2. if the offset in the cheat is not continuous. repeat 3-5 in Step 4 respectively.
3. save the changes.
4. copy the cro into this directory on your 3ds sd card. /luma/titles/your game title id/romfs (other games may have relative path, you need to keep the same path as you see in godmode9 or extracted romfs folder)
5. Launch the game and have fun.:)

This tutorial took me quite a while to complete. If you like it, PLEASE CONSIDER DONATE A LIKE~~~




credit: ymyn for amazing cheat codes, SciresM for researching and amazing works, pk3ds for No.18-No.20 @Windylacine

Is it all possible to merge the Code.IPS and Code.bin?
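
As an added example (not code from this thread or from the mergetool it mentions), the Python below builds the IPS record laid out in Step 3 of the quoted tutorial from the seven simplified write lines, then parses, merges by offset and applies patches to an in-memory copy of code.bin. All function names are hypothetical; the RLE branch and the overlap check follow the general IPS format and are not taken from the thread.

```python
import struct
CODE_BASE = 0x00100000  # tutorial step 3: RAM address - 0x00100000 = code.bin offset

# The seven simplified memory-write lines from Step 3 of the quoted tutorial.
CHEAT_LINES = """
005B9F80 ED940A1C
005B9F84 ED9F1A03
005B9F88 EE300A01
005B9F8C ED840A1C
005B9F90 E2840004
005B9F94 E12FFF1E
005B9F98 C4BB8000
"""

def cheat_to_records(text):
    """'ADDRESS VALUE' lines -> [(file_offset, bytes)], joining contiguous words."""
    records = []
    for line in text.strip().split("\n"):
        addr, value = (int(field, 16) for field in line.split())
        offset, data = addr - CODE_BASE, struct.pack("<I", value)  # little endian in RAM
        if records and records[-1][0] + len(records[-1][1]) == offset:
            records[-1] = (records[-1][0], records[-1][1] + data)
        else:
            records.append((offset, data))
    return records

def build_ips(records):
    """Serialize records as PATCH | offset(3, BE) | length(2, BE) | data ... | EOF."""
    out = bytearray(b"PATCH")
    for offset, data in sorted(records):
        if not 0 <= offset <= 0xFFFFFF or offset == 0x454F46:  # 0x454F46 spells "EOF"
            raise ValueError(f"offset 0x{offset:X} cannot be encoded")
        if not 0 < len(data) <= 0xFFFF:
            raise ValueError("record length must be 1..0xFFFF")
        out += offset.to_bytes(3, "big") + len(data).to_bytes(2, "big") + data
    return bytes(out + b"EOF")

def parse_ips(blob):
    """Parse an IPS blob into [(offset, bytes)]; RLE records are expanded."""
    if blob[:5] != b"PATCH":
        raise ValueError("missing PATCH header")
    pos, records = 5, []
    while blob[pos:pos + 3] != b"EOF":
        offset = int.from_bytes(blob[pos:pos + 3], "big")
        size = int.from_bytes(blob[pos + 3:pos + 5], "big")
        if size:
            data, pos = blob[pos + 5:pos + 5 + size], pos + 5 + size
        else:  # RLE record: 2-byte run length, then 1 fill byte
            run = int.from_bytes(blob[pos + 5:pos + 7], "big")
            data, pos = blob[pos + 7:pos + 8] * run, pos + 8
        if pos > len(blob) or not data:
            raise ValueError("truncated or empty record")
        records.append((offset, data))
    return records

def apply_ips(image, blob):
    """Return a copy of image (e.g. code.bin contents) with the patch written in."""
    patched = bytearray(image)
    for offset, data in parse_ips(blob):
        if offset + len(data) > len(patched):
            raise ValueError(f"record at 0x{offset:06X} runs past end of file")
        patched[offset:offset + len(data)] = data
    return bytes(patched)

def merge_ips(blobs):
    """Combine several patches, ordered by offset; refuse overlapping records."""
    records = sorted(r for blob in blobs for r in parse_ips(blob))
    end = 0
    for offset, data in records:
        if offset < end:
            raise ValueError(f"patches overlap at 0x{offset:06X}")
        end = offset + len(data)
    return build_ips(records)
```

Writing `apply_ips(open("code.bin", "rb").read(), ips_bytes)` back to disk gives a statically patched code.bin; the overlap error from `merge_ips` flags two patches that write to the same bytes.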
 

Zoon_Balverine

First off, thank you so much for the collection of IPS Patches! The two that I use (NoOutlines and SciresM'sQR) work flawlessly on both Ultra Sun and Ultra Moon for me. I signed up here to ask a specific question about one of the patches.

Would the "InstMessage" IPS patch affect the online text speed in any way? I ask because I won't use it if I have to deactivate the patches through Luma every time I'd like to play online. I keep the no outlines patch and the QR patch on when I battle online, but the text speed might show up as a red flag online is what I'm thinking. Asking because I'd like to not get banned from battling lol.

Just don't want to use any patches that affect the online play in any way. I'd appreciate any help/advice from you guys.

Edit: I tried all three activated on my secondary New 2DS XL just to be sure, and everything is still working good. Just thought I'd let others know about it if they were wondering as well.
 