ROM Hack Cheat Codes AMS and Sx Os, Add and Request

[cschene]

About MoonJump and Speed in DRAGON QUEST XI S, i did trace the address into this function: sub_1407D80 -> sub_82F080.
The problem is, this function is a vTable function and gets recalculated as soon as you change a screen.
Maybe it's impossible to find a pointer for it, i gave up after several full memory dumps and a lot of trial and error...

But i found others:

[main+0x7814B60] = Main Pointer
[[main+0x7814B60]+0x128] = JackGamePlayer

JackGamePlayer + 0xC0 = Gold
JackGamePlayer + 0xCC = DepositedGold
JackGamePlayer + 0xF0 = Pointer to Party
JackGamePlayer + 0xF8 = Pointer to Party Member

Character Id / Index:
0 = Luminary
1 = Erik
2 = Veronika
3 = Serena
4 = Rionaldo
5 = Jade
6 = Bodo
7 = Hendrik

CharacterData:
+0x0 = vTable
+0x8 = Flags
+0x70 = Gender
+0x71 = Job
+0x72 = Might
+0x73 = Position
+0x74 = Gambit
+0x75 = CharacterType
+0x78 = Level
+0x7C = CurrentHP
+0x80 = CurrentMP
+0x84 = BaseStrength
+0x88 = BaseStamina
+0x8C = BaseAgility
+0x90 = BaseDextery
+0x94 = BaseCharm
+0x98 = BaseMagicPower
+0x9C = BaseHealPower
+0xB0 = CurrentExp
+0xB4 = SkillPoint
+0xB8 = ConsumedSkillPoint
+0xBC = BonusSkillPoint

and also:

[Trial Level Limit = 20]
04000000 014E6E44 52800288
[Trial Level Limit = 999]
04000000 014E6E44 52807CE8

[IsTrial]
04000000 01165140 320003E8
[IsFullversion]
04000000 01165140 52800008

Notes:
- IsFullversion will crash your game if you do something, that isn't supposed to happen in the Demo, like continuing the story or switching to 2D Mode, because all of the assets are missing.
- Unlocking the remaining 4 party members is possible, but they don't have 3D Models / animations.
View attachment 177565
- I guess everything hackable in this demo is done...

So Falo I’m kind of confused as well. Are these 4 codes? Like the second one the level for the character will be 999? And what doesn’t the trial version and man version do? Sorry for the questions

 

[dsrules]

About MoonJump and Speed in DRAGON QUEST XI S, i did trace the address into this function: sub_1407D80 -> sub_82F080.
The problem is, this function is a vTable function and gets recalculated as soon as you change a screen.
Maybe it's impossible to find a pointer for it, i gave up after several full memory dumps and a lot of trial and error...

But i found others:

[main+0x7814B60] = Main Pointer
[[main+0x7814B60]+0x128] = JackGamePlayer

JackGamePlayer + 0xC0 = Gold
JackGamePlayer + 0xCC = DepositedGold
JackGamePlayer + 0xF0 = Pointer to Party
JackGamePlayer + 0xF8 = Pointer to Party Member

Character Id / Index:
0 = Luminary
1 = Erik
2 = Veronika
3 = Serena
4 = Rionaldo
5 = Jade
6 = Bodo
7 = Hendrik

CharacterData:
+0x0 = vTable
+0x8 = Flags
+0x70 = Gender
+0x71 = Job
+0x72 = Might
+0x73 = Position
+0x74 = Gambit
+0x75 = CharacterType
+0x78 = Level
+0x7C = CurrentHP
+0x80 = CurrentMP
+0x84 = BaseStrength
+0x88 = BaseStamina
+0x8C = BaseAgility
+0x90 = BaseDextery
+0x94 = BaseCharm
+0x98 = BaseMagicPower
+0x9C = BaseHealPower
+0xB0 = CurrentExp
+0xB4 = SkillPoint
+0xB8 = ConsumedSkillPoint
+0xBC = BonusSkillPoint

and also:

[Trial Level Limit = 20]
04000000 014E6E44 52800288
[Trial Level Limit = 999]
04000000 014E6E44 52807CE8

[IsTrial]
04000000 01165140 320003E8
[IsFullversion]
04000000 01165140 52800008

Notes:
- IsFullversion will crash your game if you do something, that isn't supposed to happen in the Demo, like continuing the story or switching to 2D Mode, because all of the assets are missing.
- Unlocking the remaining 4 party members is possible, but they don't have 3D Models / animations.
View attachment 177565
- I guess everything hackable in this demo is done...

nice, how do you add other members to the party?

 

[Falo]

So Falo I’m kind of confused as well. Are these 4 codes? Like the second one the level for the character will be 999? And what doesn’t the trial version and man version do? Sorry for the questions

The default limit is 20, so that's the "off" code, 999 = no limit is the "on" code.
IsTrial is the "off" code, IsFullversion is the "on" code, but i guess useless, just for the fun ^^

nice, how do you add other members to the party?

set the values at [[[main+0x7814B60]+0x128]+0xF8], there 4 * 4 Byte slots for the character id's.

 

[ultimatepump]

Is there an up to date collection of all the chets from this site. Lord apple is very behind and old and it is hard to keep up with a cheat released here, sometimes they are in a post and easily missed.

Thanks

 

[dsrules]

set the values at [[[main+0x7814B60]+0x128]+0xF8], there 4 * 4 Byte slots for the character id's.

at at [[[main+0x7814B60]+0x128]+0xF8] I see 08 00 00 00 18 00 00 00 , not which value to change

 

[Ultimos54]

ayy @Falo is it possible for you to help me with Pokken Tournament DX codes? I don't know who else to ask about ram/hex editing lol

 

[khuong]

ayy @Falo is it possible for you to help me with Pokken Tournament DX codes? I don't know who else to ask about ram/hex editing lol

It'd be better for you to just ask the question, and if Falo can answer they will. (or others)

 

[Ultimos54]

i did ask but it seems that no one is working on it or considering working on it .

 

[Falo]

at at [[[main+0x7814B60]+0x128]+0xF8] I see 08 00 00 00 18 00 00 00 , not which value to change

Oops sorry ^^, it's 0x100, 0xF8 = NumberOfCharacterSlots, 0x108 = NumberOfPartySlots.

ayy @Falo is it possible for you to help me with Pokken Tournament DX codes? I don't know who else to ask about ram/hex editing lol

I generally don't like Beat 'em ups, so i never played it and i don't plan on making codes for it.

 

[Ultimos54]

np hope someone can help with it

 

[CrossGamerHDX]

We need a better site to update these cheats.
Or showing games that have no cheats etc..
Hope someone come around for hotline Miami

 

[dsrules]

Oops sorry ^^, it's 0x100, 0xF8 = NumberOfCharacterSlots, 0x108 = NumberOfPartySlots.



I generally don't like Beat 'em ups, so i never played it and i don't plan on making codes for it.

now, it is good, Thanks

 

[Irendes]

Nine Parchments ver. 1.1.1
Title ID: 0100d03003f0e000
Build ID: f7893e37fc10c803

Spoiler: cheat

[Inf HP]
04000000
01972140 B9434A78
04000000 01972144
7100071F 04000000
01972148 540000A1
04000000 0197214C
710002BF 04000000
01972150 5400006D
04000000 01972154
8B090918 04000000
01972158 B85FC315
04000000 0197215C
B8297915 04000000
01972160 D65F03C0
04000000 01972164
7000CD07 04000000
00A184E4 943D6717

[Inf Magic]
04000000
01972100 1E212000
04000000 01972104
5400004C 04000000
01972108 1E204020
04000000 0197210C
BC297900 04000000
01972110 D65F03C0
04000000 002A21E4
945B3FC7

 

[Zumoly]

Is there an up to date collection of all the chets from this site. Lord apple is very behind and old and it is hard to keep up with a cheat released here, sometimes they are in a post and easily missed.

Thanks

Usually @matias3ds updates the OP with them. So check it regularly.

 

[wangch]

Oops sorry ^^, it's 0x100, 0xF8 = NumberOfCharacterSlots, 0x108 = NumberOfPartySlots.



I generally don't like Beat 'em ups, so i never played it and i don't plan on making codes for it.

Hello, ask you a question. Is there any way to get the code of all the items or weapons in a game through some tools? Your Fire Emblem editor has the code of all the items in it?

 

[Falo]

Hello, ask you a question. Is there any way to get the code of all the items or weapons in a game through some tools? Your Fire Emblem editor has the code of all the items in it?

Currently no, i didn't look into items yet, maybe in the full version.

But a Save Editor is much harder todo on these Unreal Engine games, because data is encrypted and or serialized (Dragon Quest XI S uses both).
Same problem as SAO:FB, you can't just define some structures and hope that it works (like on Fire Emblem), the data is stored in a much more complicated way.
Here something to read on what i mean (C#): https://stackoverflow.com/questions/3052202/how-to-analyse-contents-of-binary-serialization-stream

 

[wangch]

Currently no, i didn't look into items yet, maybe in the full version.

But a Save Editor is much harder todo on these Unreal Engine games, because data is encrypted and or serialized (Dragon Quest XI S uses both).
Same problem as SAO:FB, you can't just define some structures and hope that it works (like on Fire Emblem), the data is stored in a much more complicated way.
Here something to read on what i mean (C#): https://stackoverflow.com/questions/3052202/how-to-analyse-contents-of-binary-serialization-stream

Thank you for your reply. Many game item codes are continuous. If there is an item, I can find the item code by changing the number of items. Then I can guess some other item codes by increasing. But what should I do if I don't have a discontinuous item?
How did you find fire's item code and weapon code? It's certainly not a variable number. Memory and archive addresses should be searched the same way.

 

[Falo]

On Fire Emblem, the items are a "400 * 4 byte array" right at the start of the SaveGame and the Savegame matches the games memory, so it was easy to do.

This is different in each game. I haven't looked into the item data of DQXIS, so i don't know how it's stored, but it will surely be stored as an array of classes, not an array of data.

 

[wangch]

On Fire Emblem, the items are a "400 * 4 byte array" right at the start of the SaveGame and the Savegame matches the games memory, so it was easy to do.

This is different in each game. I haven't looked into the item data of DQXIS, so i don't know how it's stored, but it will surely be stored as an array of classes, not an array of data.

I know what you mean. I just want to know how you found the simpler code like fire. How did you find it? It's a little difficult. I don't think I can learn it.

 

[Falo]

For Fire Emblem, i didn't search for it, i found it in the executable and then in the savegame.

There is a function called "nn:: Prepo:: PlayReport:: SetBuffer", the second reference to that import is a function where you can find the main pointer:

.text:0000000000561634 FB CD 14 94 BL __ZN2nn5prepo10PlayReport9SetBufferEPvm ; nn:: Prepo:: PlayReport:: SetBuffer(void *,ulong)
.text:0000000000561638 E0 63 01 91 ADD X0, SP, #0x170+var_118 ; Rd = Op1 + Op2
.text:000000000056163C ED FE FF 97 BL sub_5611F0 ; Branch with Link
.text:0000000000561640 79 A0 00 90 ADRP X25, #pMain@PAGE ; Address of Page
.text:0000000000561644 39 87 44 F9 LDR X25, [X25,#pMain@PAGEOFF] ; Load from Memory

pMain == 0x196D908 -> 0x19D76F0

just go to main+0x19D76F0 and the pointer there leads you directly to the Savegame and 0x0 of the savegame is the item table.

edit:

a bit more info on how i did end up finding this import call, i was searching for "Money" in the string table and guess what?:

  nn::prepo::PlayReport::PlayReport(&v26, "iron17_castle");
  nn::prepo::PlayReport::SetBuffer(&v26, v3, v2);
  sub_5611F0(&v26);
  v4 = pMain;
  v5 = sub_395C40(&pMain->ptr->player);
  sub_55CC10((__int64)&v27, 64, "%02d:%02d,", v5 / 0xE10uLL, v5 % 0xE10 / 0x3CuLL, v6, v7, v8, v9, v10, v11, v12, v25);
  LODWORD(v28) = nn::prepo::PlayReport::Add(&v26, "PlayTime", &v27);
  if ( (_DWORD)v28 )
    goto LABEL_20;
  v15 = Player::GetMoney(&v4->ptr->player);
  LODWORD(v28) = nn::prepo::PlayReport::Add(&v26, "Money", v15);
  if ( (_DWORD)v28 )
    goto LABEL_20;
  v16 = Player::GetInstructLevel(&v4->ptr->activities);
  LODWORD(v28) = nn::prepo::PlayReport::Add(&v26, "InstructLevel", v16);
  if ( (_DWORD)v28 )
    goto LABEL_20;
  LODWORD(v28) = nn::prepo::PlayReport::Add(&v26, "InstructExp", (unsigned __int16)v4->ptr->activities.InstructExp);
  if ( (_DWORD)v28 )
    goto LABEL_20;
  LODWORD(v28) = nn::prepo::PlayReport::Add(&v26, "PlayLog_Wark", (unsigned __int8)v4->ptr->activities.PlayLogValues[0]);