Some works on "NoCopy Protection" for 4.0U

Discussion in 'Wii - Hacking' started by pcfree, Apr 5, 2009.

Apr 5, 2009
  1. pcfree
    OP

    Newcomer pcfree Advanced Member

    Joined:
    Mar 29, 2009
    Messages:
    59
    Country:
    Taiwan
    After some hex comparing work, I provide some useful information for more skilled people to finalize the NoCopy Protection hacks for 4.0U (and maybe you can do the same work for 4.0E).
    According to the SoftMii package for 3.2U, the offsets for NoCopy Protection are:
    0x8134AA38
    0x8134AA48,0x8134AA4C
    0x8134AA50,0x8134AA54
    0x81350370
    0x813BD0F0
    0x815992E8
    Using 00000043.app (3.2U), original 00000073.app (4.0U), StartPatched 00000073.app and current 4.0U hacks.ini, some useful information is provided as follows:
    1. 00000043.app loaded at memory address 0x8132FAE0 if treated as binary and loaded directly
    2. 00000073.app loaded at 0x8132FA88 if treated as binary and loaded directly
    3. offset 0x8134AA38-0x8134AA54(3.2U) seem to be at 1AF58(43.app) or 1E700(73.app) or 0x8134E188(4.0U) -- note(1)
    4. offset 0x81350370(3.2U) seems to be at 20890(43.app) or 24318(73.app) or 0x81353DA0(4.0U)
    5. offset 0x813BD0F0(3.2U) seems to be at 8D610(43.app) and related to 951A8(73.app) note(2)
    6. offset 0x815992E8(3.2U) seems to be at 269808(43.app) or 292024(73.app) or 0x815C1AAC(4.0U)
    note(1). The code in 0x8134AA48(3.2U) is not exactly the same as 0x8134E148(4.0U). Seems to be jump offset differences. Reverse/Disassemble required.
    note(2). The code in 0x813BD0F0(3.2U) is different from 0x815C1AAC(4.0U), but the surrounding code is the same. I think reverse/disassemble would solve it.

    It would be great if anyone could do the further work. Also, I would like to know which utility is better for disassembling the .app?

    --------------------------------------------------------------
    The final workable offsets/values for NoCopy are there:
    http://gbatemp.net/index.php?showtopic=146137
     
  2. vettacossx

    Member vettacossx Wii Theme Team Founder

    Joined:
    Sep 19, 2008
    Messages:
    1,329
    Location:
    Right Behind You! Uh Oh!
    Country:
    Ireland
    So I wonder if this will help along with the poor 4.0 users getting the twilight hack installed on 4.0?
     
  3. pcfree
    OP

    No, this hack just helps with copying and restoring savegame data that is originally copy-inhibited, such as MarioKart ...
     
  4. pcfree
    OP

    WON'T WORK!!! Will debug it later!!
    Found by comparing & disassembling. Not tested yet. I'll try it later.

    [Remove NoCopy protection]
    version=417
    offset=0x8134E188
    value=0x7C000000
    offset=0x8134E198,0x8134E19C
    value=0x801C0024,0x5400003C
    offset=0x8134E1A0,0x8134E1A4
    value=0x901C0024,0x48000018
    offset=0x81353DA0
    value=0x3BE00000
    offset=0x815C1AAC
    value=0x38600001
    offset=0x813C4C30,0x813C4C34
    value=0x7C000000,0x4182001C
    [Region free Wii games]
    version=417
    offset=0x8137F3B4,0x8137D320
    value=0x38600001,0x38000001
     
  5. stev418

    Member stev418 GBAtemp Fan

    Joined:
    Sep 25, 2007
    Messages:
    492
    Country:
    Australia
    Sounds good, if you have the offsets for PAL (418) it could be added to preloader hacks.ini to test it?

    I used Waninkoko save extractor and installer for smash bros brawl save today (it works still)
     
  6. Valermos

    Newcomer Valermos Newbie

    Joined:
    Mar 14, 2009
    Messages:
    7
    Country:
    United States
    Any luck getting those working?
     
  7. pcfree
    OP

    Savegame extractor/installer works for Wii games, but I still need this hack to backup/restore copy-inhibitive WiiWare savegame data.
    BTW, the analysis requires PAL's .app to disassemble code but I can't find it now.
     
  8. Hells Guardian

    Member Hells Guardian GBAtemp Maniac

    Joined:
    Dec 25, 2008
    Messages:
    1,113
    Country:
    United States
    So in the .app file what exactly are the offsets for these patches? Also, might you know the offsets for the recovery menu patches as well? I'd like to patch them to the file to install on my Wii so as to enable them without the use of preloader. Then my system would be set.
     
  9. pcfree
    OP

    The exact offset and patch values are posted in another topic:
    http://gbatemp.net/index.php?showtopic=146137
    If you have the system menu 4.0U wad file, you can patch it by yourself. However, I think such a permanent patch is very dangerous and any mis-editing may cause a brick. This is why I am asking if someone could help transferring the file offset values to memory offset values for preloader so everyone could safely try it.

    I don't know what "recovery menu" is used for. But if you could provide patches info for 3.2U, I might be able to find the corresponding code offset in 4.0U.

    BTW, system file 00000073.app is packed in SystemMenu WAD as 00000008.app
     
  10. Hells Guardian

    Thanks much, I already figured it out. I patched the remove copy protection and disk update check patches as well as the move disk channel patches into the file. It's all working quite well. If I could figure out what the original values were in the system menu 3.2 hack I would already have found it for 4.0 lol. It's just a matter of finding info on the patches..... Would you like a copy of the repacked wad file I made? I installed it and it works great. PM me for a link.

    And yes, the patching process is dangerous, which is why I would advise that anyone looking to create these patches have preloader or some other protection in place.

    The recovery menu can be used to auto boot a disk to allow one to recover from the likes of banner bricks if for whatever reason they aren't using preloader. (I am not because the preloader tool breaks the use of the rebooter tool in Gecko OS and I make use of it quite often.)
     
  11. pcfree
    OP

    Thanks! I already have workable update disc check and move disc channel patches from StartPatcher4ed' file. However, would you please verify if the update disc check is located at file offset 0x4F2CC? I use this value and the offset value from preloader 4.0U hacks 0x8137ED54 to get the difference 0x8132FA88. Then I use the difference to transfer NoCopy Protection to hacks.ini, but it fails!?

    I think maybe:
    1. My calculations were wrong somewhere.
    2. The disc update check patch locations are different between StartPatch4 and known preloader hacks, although both work.
    3. .app is not loaded linearly to memory (different parts loaded in different location?)
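
Added example (not part of the original posts and not code from any participant): a Python check of the hypotheses listed in post 11, using only the file-offset/memory-address pairs quoted in this thread. The section table near the end is constructed and hypothetical; it only shows how a non-linear load would appear as an outlier.

```python
from collections import Counter

# (file offset, memory address) pairs quoted in the thread.
PAIRS_32U = [(0x1AF58, 0x8134AA38), (0x20890, 0x81350370),
             (0x8D610, 0x813BD0F0), (0x269808, 0x815992E8)]
PAIRS_40U = [(0x1E700, 0x8134E188), (0x24318, 0x81353DA0),
             (0x292024, 0x815C1AAC),
             (0x4F2CC, 0x8137ED54)]  # update disc check pair from post 11

def check_linear(pairs):
    """Return (majority load base, pairs that do not fit that base)."""
    bases = [addr - off for off, addr in pairs]
    base = Counter(bases).most_common(1)[0][0]
    outliers = [p for p, b in zip(pairs, bases) if b != base]
    return base, outliers

def file_to_mem(off, sections):
    """Map a file offset through (file_off, mem_addr, size) sections.
    Returns None when the offset is not inside any loaded section."""
    for f_off, m_addr, size in sections:
        if f_off <= off < f_off + size:
            return m_addr + (off - f_off)
    return None

# Constructed (hypothetical) layout: header not loaded, two sections
# placed at unrelated addresses. Not taken from any real .app file.
SAMPLE_SECTIONS = [(0x100, 0x80004000, 0x1000),
                   (0x1100, 0x80010000, 0x800)]

def sample_pairs():
    """Pairs produced by the constructed layout, two from section 1, one from 2."""
    return [(o, file_to_mem(o, SAMPLE_SECTIONS)) for o in (0x100, 0x200, 0x1104)]

if __name__ == "__main__":
    for name, pairs in (("3.2U", PAIRS_32U), ("4.0U", PAIRS_40U)):
        base, bad = check_linear(pairs)
        print(f"{name}: base=0x{base:08X} outliers={bad}")
    base, bad = check_linear(sample_pairs())
    print(f"sample: base=0x{base:08X} "
          f"outliers={[(hex(o), hex(a)) for o, a in bad]}")
```

Every pair quoted in the thread fits a single base per version (0x8132FAE0 for 3.2U, 0x8132FA88 for 4.0U), so the subtraction itself is self-consistent. Because post 11 derives the 4.0U addresses from that same difference, this agreement checks the arithmetic only and does not confirm how the file is laid out in memory.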
     
