Hacking Some works on "NoCopy Protection" for 4.0U

[pcfree]

After some hex compraing works, I provide some usual information for more skilled people to finalize the NoCopy Protection hacks for 4.0U (and maybe you can do the some work for 4.0E).
According to SoftMii package for 3.2U, the offset for NoCopy Protection are:
0x8134AA38
0x8134AA48,0x8134AA4C
0x8134AA50,0x8134AA54
0x81350370
0x813BD0F0
0x815992E8
Using 00000043.app (3.2U), original 00000073.app (4.0U), StartPatched 00000073.app and current 4.0U hacks.ini, some usual information are provided as follows:
1. 00000043.app loaded at memory address 0x8132FAE0 if treated as binary and loaded directly
2. 00000073.app loaded at 0x8132FA88 if treated as binary and loaded directly
3. offset 0x8134AA38-0x8134AA54(3.2U) seem to be at 1AF58(43.app) or 1E700(73.app) or 0x8134E188(4.0U) -- note(1)
4. offset 0x81350370(3.2U) seems to be at 20890(43.app) or 24318(73.app) or 0x81353DA0(4.0U)
5. offset 0x813BD0F0(3.2U) seems to be at 8D610(43.app) and related to 951A8(73.app) note(2)
6. offset 0x815992E8(3.2U) seems to be at 269808(43.app) or 292024(73.app) or 0x815C1AAC(4.0U)
note(1). The code in 0x8134AA48(3.2U) is not exactly the same with 0x8134E148(4.0U). Seems to be jump offset differences. Reverse/Disassemble required.
note(2). The code in 0x813BD0F0(3.2U) is different from 0x815C1AAC(4.0U), but the code around are the same. I think reverse/disassemble would solve it.

It would be great if anyone could do the further jobs. And also I would like to know which utility is better to disassemble the .app ?

--------------------------------------------------------------
The final workable offsets/values for NoCopy are there:
http://gbatemp.net/index.php?showtopic=146137

 

[vettacossx]

so i wonder if this will help along with the poor 4.0 users getting the twilight hack installed on 4.0?

 

[pcfree]

so i wonder if this will help along with the poor 4.0 users getting the twilight hack installed on 4.0?

No, This hack just helps copying and restoring savegame data that is originally copy-inhibit such as MarioKart ...

 

[pcfree]

WON'T WORK!!! Will debug it later!!

Found by comparing & disassembling. Not tested yet. I'll try it later.

[Remove NoCopy protection]
version=417
offset=0x8134E188
value=0x7C000000
offset=0x8134E198,0x8134E19C
value=0x801C0024,0x5400003C
offset=0x8134E1A0,0x8134E1A4
value=0x901C0024,0x48000018
offset=0x81353DA0
value=0x3BE00000
offset=0x815C1AAC
value=0x38600001
offset=0x813C4C30,0x813C4C34
value=0x7C000000,0x4182001C
[Region free Wii games]
version=417
offset=0x8137F3B4,0x8137D320
value=0x38600001,0x38000001

 

[stev418]

Sound good, if you have the offesets for PAL (418) I could be added to preloader hacks.ini to test it?

I used Waninkoko save extractor and installer for smash bros brawl save today (it works still

)

 

[Valermos]

Any luck getting those working?

 

[pcfree]

Sound good, if you have the offesets for PAL (418) I could be added to preloader hacks.ini to test it?

I used Waninkoko save extractor and installer for smash bros brawl save today (it works still

)

Savegame extractor/installer work for Wii games, but I still need this hack to backup/restore copy-inhibitive WiiWare savegame data.
BTW, the analysis requires PAL's .app to disassemble code but I couldn't find it now.

 

[Hells Guardian]

So in the .app file what exactly are the offset's for these patches? also might you know the offset's for the recovery menu patches as well? I'd like to patch them to the file to install on my wii so as to enable them without the use of preloader.

then my system would be set.

 

[pcfree]

So in the .app file what exactly are the offset's for these patches? also might you know the offset's for the recovery menu patches as well? I'd like to patch them to the file to install on my wii so as to enable them without the use of preloader.

then my system would be set.

The exact offset and patch values are posted in another topic:
http://gbatemp.net/index.php?showtopic=146137
If you have system menu 4.0U wad file, you can patch it by yourself. However, I think such permanent patch is very dangerous and any mis-editing may cause brick. This is why I am asking if someone could help transfering the file offset values to memory offset values for preloader so everyone could safely try it.

I don't know what "recovery menu" is used for. But if you could provide patches info for 3.2U, I might be able to find the corresponding code offset in 4.0U.

BTW, system file 00000073.app is packed in SystemMenu WAD as 00000008.app

 

[Hells Guardian]

Thanks much I already figured it out. I patched the remove copy protection and disk update check check patches as well as the move disk channel patches into the file. It's all working quite well. If I could figure out what the original values were in the system menu 3.2 hack I would already have found it for 4.0 lol. It's just a matter of finding info on the patches..... Would you like a copy of the repacked wad file I made? I installed it and it works great. Pm me for a link.

and yes the patching process is dangerous which is why I would advise that anyone looking to create these patches have preloader or some other protection in place.

the recovery menu can be used to auto boot a disk to allow one to recover from the likes of banner bricks if for whatever reason they aren't using preloader. (I am not because the preloader tool breaks the use of the rebooter tool in Gecko OS and I make use of it quite often.)

 

[pcfree]

Thanks! I already have workable update disc check and move disc channel patches from StartPatcher4ed' file. However, would you please verify if the update disc check is located at file offset 0x4F2CC? I use this value and the offset value from preloader 4.0U hacks 0x8137ED54 to get the difference 0x8132FA88. Then use the difference to transfer NoCopy Protection to hacks.ini but fails!?

I think maybe:
1. My calculations were wrong somewhere.
2. The disc update check patch locations are different between StartPatch4 and known preloader hacks, although both work.
3. .app is not loaded linearly to memory (different parts loaded in different location?)