ROM Hack [Spider] ARCode

  • Thread starter: KazoWAR
  • Views: 996,725
  • Replies: 3,416
  • Likes: 27
SciresM, correct me if I'm wrong, Februarysn0w's offset is 3252A40.

So the AR code should be:

E3252A40 00000064
D0D001A0 00000000
00000005 D0D001A1
00000000 00000012
D0D001A1 00000000
00000026 D0D001A1
00000000 00000050
D0D001A1 00000000
00000BB8 D0D001A0
00000000 00002710
D0D001A0 00000000
000055F0 D0D001A0
00000000 0000BB80
D0D001A0 00000000
D2000000 00000000


No, the offset is 0x3252A58.
So, the code is:

E3252A58 00000064
D0D001A0 00000000
00000005 D0D001A1
00000000 00000012
D0D001A1 00000000
00000026 D0D001A1
00000000 00000050
D0D001A1 00000000
00000BB8 D0D001A0
00000000 00002710
D0D001A0 00000000
000055F0 D0D001A0
00000000 0000BB80
D0D001A0 00000000
D2000000 00000000
 
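The two listings above differ only in the target offset of the first line, which is the kind of mistake the rest of this thread keeps running into. As an added example (not code from the thread, from KazoWAR's ARCode, or from the Spider payload), here is a small structural checker for such listings. It assumes the NDS-style Action Replay "E" layout that these listings appear to follow (E + 28-bit offset, byte count, data words at 8 bytes per line, then a `D2000000 00000000` terminator); whether 3DS ARCode implements exactly those semantics is an assumption. It can tell you that a listing is malformed or retarget it to a new offset; it cannot tell you whether the offset is the right one for your game and version.

```javascript
// Added example, not code from the thread or from the ARCode project.
// Structural checker for AR code listings of the form posted above. Assumed layout:
//   EAAAAAAA NNNNNNNN   write 0xNNNNNNNN bytes at offset 0xAAAAAAA,
//   followed by the data words, 8 bytes per line, last line zero-padded,
//   D2000000 00000000   end of the code.
// Whether 3DS ARCode follows exactly these NDS-style semantics is an assumption.

// The listing SciresM posted above (offset 0x3252A58, 0x64 = 100 data bytes).
const SAMPLE_CODE = `
E3252A58 00000064
D0D001A0 00000000
00000005 D0D001A1
00000000 00000012
D0D001A1 00000000
00000026 D0D001A1
00000000 00000050
D0D001A1 00000000
00000BB8 D0D001A0
00000000 00002710
D0D001A0 00000000
000055F0 D0D001A0
00000000 0000BB80
D0D001A0 00000000
D2000000 00000000
`;

const LINE_RE = /^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})$/;

// Parse "XXXXXXXX YYYYYYYY" lines into [word1, word2] number pairs; reject anything else.
function parseCode(text) {
  return text.split("\n").map((l) => l.trim()).filter(Boolean).map((line) => {
    const m = LINE_RE.exec(line);
    if (!m) throw new Error(`malformed code line: ${line}`);
    return [parseInt(m[1], 16), parseInt(m[2], 16)];
  });
}

// Describe one E-type block as { offset, byteCount, dataWords }; throw on structural errors.
function checkEWrite(pairs) {
  if (pairs.length === 0) throw new Error("empty code");
  const [first, byteCount] = pairs[0];
  if ((first >>> 28) !== 0xe) throw new Error("first line is not an E-type write");
  const offset = first & 0x0fffffff;            // low 28 bits carry the target offset
  const dataLines = Math.ceil(byteCount / 8);   // 8 data bytes per listing line
  const body = pairs.slice(1, 1 + dataLines);
  if (body.length !== dataLines) {
    throw new Error(`expected ${dataLines} data lines, found ${body.length}`);
  }
  const rest = pairs.slice(1 + dataLines);
  if (rest.length !== 1 || rest[0][0] !== 0xd2000000 || rest[0][1] !== 0) {
    throw new Error("code must end with exactly one D2000000 00000000 terminator");
  }
  return { offset, byteCount, dataWords: body.flat() };
}

// Convenience wrapper: true if the listing parses and has the expected shape.
function isWellFormed(text) {
  try { checkEWrite(parseCode(text)); return true; } catch (e) { return false; }
}

// Rewrite only the offset in the first line, leaving the data untouched.
// This is the correction made in the thread (3252A40 -> 3252A58), done mechanically.
function retarget(text, newOffset) {
  if (!Number.isInteger(newOffset) || newOffset < 0 || newOffset > 0x0fffffff) {
    throw new RangeError("offset must fit in 28 bits");
  }
  const lines = text.split("\n").map((l) => l.trim()).filter(Boolean);
  const [first, count] = lines[0].split(/\s+/);
  if (!/^E/i.test(first)) throw new Error("can only retarget an E-type write");
  lines[0] = "E" + newOffset.toString(16).toUpperCase().padStart(7, "0") + " " + count;
  return lines.join("\n");
}

// Stand-alone run: report the sample, then show the same code retargeted.
console.log(checkEWrite(parseCode(SAMPLE_CODE)));
console.log(retarget(SAMPLE_CODE, 0x3252a40).split("\n")[0]);
```

Feeding it the earlier listing with the wrong offset (3252A40) reports the same byte count and data; the checker is only a guard against typos and missing lines, so the offset itself still has to come from the memory dump for the specific game.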
Thanks to ad2099 and SciresM, now I know where my mistake is: I didn't change the last number of the offset, so for me it's 3259458, right?
 

Attachments

  • 1.png (34.2 KB)
Made a binless version which permits you to select the name of the .cht file you want to apply.

link: http://lunarcookies.github.io/arcode.html

So if, for example, you have "blabla.cht" on your SD card, you make and scan a QR code from the address http://lunarcookies.github.io/arcode.html#blabla.cht

Thanks, works well :)

This would be awesome too, like duke_srg tried: lunarcookies.github.io/arcode.html#AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD

Offset > Value, unlimited repetitions, to execute the cheat without any extra files on the internal SD.
 
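The posts above describe two ways of handing parameters to the loader page through the URL fragment: a `.cht` file name on the SD card, or inline offset/value pairs with no file at all. As an added example (not the actual code of lunarcookies' arcode.html, whose real rules are not shown in this thread), here is how a loader page could parse and validate that fragment. The accepted grammar, the pair cap, and the property names are assumptions; the point is that the fragment never reaches a server, so the page itself has to reject anything that is not a plain file name or a clean hex string.

```javascript
// Added example, not the arcode.html page's own code. Interprets the URL-fragment
// convention described in the thread:
//   #blabla.cht                        -> apply the file blabla.cht from the SD card
//   #AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD  -> inline offset/value pairs, 8 hex digits each
// The grammar, the cap on inline pairs and the returned shapes are assumptions.

const MAX_INLINE_PAIRS = 16; // assumed cap; the thread mentions only ~250 bytes free in the payload

// Plain file name only: letters, digits, '_' and '-', then ".cht". No '/', '\' or extra
// dots, so "../x.cht" or "dir/x.cht" is rejected rather than passed on as a path.
const FILE_RE = /^[A-Za-z0-9_-]{1,32}\.cht$/;
const HEX_RE = /^[0-9A-Fa-f]+$/;

// Returns { kind: "none" }, { kind: "file", name }, or { kind: "inline", pairs }.
// Throws on anything else, so the caller never acts on an unvalidated fragment.
function parseFragment(hash) {
  const frag = hash.startsWith("#") ? hash.slice(1) : hash;
  if (frag === "") return { kind: "none" };

  if (FILE_RE.test(frag)) return { kind: "file", name: frag };

  if (HEX_RE.test(frag) && frag.length % 16 === 0) {
    const pairs = [];
    for (let i = 0; i < frag.length; i += 16) {
      pairs.push({
        offset: parseInt(frag.slice(i, i + 8), 16),
        value: parseInt(frag.slice(i + 8, i + 16), 16),
      });
    }
    if (pairs.length > MAX_INLINE_PAIRS) {
      throw new RangeError(`too many inline pairs: ${pairs.length} > ${MAX_INLINE_PAIRS}`);
    }
    return { kind: "inline", pairs };
  }

  throw new Error(`unrecognised fragment: ${frag}`);
}

// Stand-alone run (in a browser you would pass window.location.hash instead).
console.log(parseFragment("#blabla.cht"));
console.log(parseFragment("#AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD"));
```

A fragment that is neither shape (a path, an odd-length hex string, a file with another extension) throws instead of falling through, which is the behaviour you want when the value ends up driving memory writes on the console.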
Could I suggest asking the mods to create a new section for these codes or something? So we can have a thread for each game or something?
It would make listing codes loads easier.


Also, we could use something similar to the DS flashcarts' cheat.dat format to create large data files with codes sorted by game.
 
MegaSynka

Could you create an HTML page for memory dumps too, please?

Example: lunarcookies.github.io/memdump.html#1

1 / 2 / 3 ... and so on to create FCRAM1.bin / FCRAM2.bin / FCRAM3.bin ...
 
Hello guys, can you please help me calculate my offset? I don't know how. Please and thanks.
 

Attachments

  • offset.png (16.1 KB)
Hello guys, can you please help me calculate my offset? I don't know how. Please and thanks.
E32523C4 00000064
D0D001A0 00000000
00000005 D0D001A1
00000000 00000012
D0D001A1 00000000
00000026 D0D001A1
00000000 00000050
D0D001A1 00000000
00000BB8 D0D001A0
00000000 00002710
D0D001A0 00000000
000055F0 D0D001A0
00000000 0000BB80
D0D001A0 00000000
D2000000 00000000
 
Yep... it just freezes on emunand... I even got a RED screen...
Red screen is OK, there are several debug options in that version: green screen means only one cheat option is passed to arcode.bin, and red means more than one. Looks like the C part of the code needs to be fixed more; will work on it tonight.
 
Payload is big enough to hold both the ROP chain and a relatively small code.bin.
Compiled code.bin is several kilobytes; the payload is 768 bytes total, with about 250 bytes free after copy/launch. Correct me where I'm wrong, or better, contribute to the GitHub Spider3DStools ;)
 
duke_srg, it works pretty well, tested it myself with two games^^
I'm not complaining that it's not working, I'm just a bit amazed because I see something new in ROP coding: MegaSynka managed to integrate the code part into the ROP, which I thought was impossible because of the ROP code size limitations - code.bin was always way bigger than we can fit. If there is no 768-byte limit, we can fit the cheats from the URL; if not, then it might be too tight to have the ROP with both the code and the AR inside.
I believe he will open the source, because there are several more things that can be done with such a technique, like binless VC injection.
 
The payload is the entire spraying array, and up to 0x2D00 bytes are consistently available when the exploit is applied. Just do a memory dump of the ROP address and see it.
 