ROM Hack [Spider] ARCode

[KazoWAR]

duke_srg

with the code.bins yifanlu used this

__asm__ volatile (".word 0xE1A00000");
uvl_entry();
__asm__ volatile ("bx lr");

it works fine on sysnand, but on emunand it crash the system when bx lr was executed. a fix for this was to have it execute __asm__ volatile ("svc 0x03");

for rops is something similar used? maybe if you have the rop try to execute svc 0x03 it will work on emunand.

 

[samiam144]

Made a binless version which permits you to select the name of the .cht file you want to apply.

link: http://lunarcookies.github.io/arcode.html

So if you have for example "blabla.cht" in your SD card you make and scan a qr from the address http://lunarcookies.github.io/arcode.html#blabla.cht

If the CHT has spaces in the name, I have to rename them with an underscore "_" or a dash "-" to make it work with the link right?

EDIT: Nvm, I think it doesn't need. What's the character limit for the CHT (including the .cht)?

 

[MegaSynka]

If the CHT has spaces in the name, I have to rename them with an underscore "_" or a dash "-" to make it work with the link right?

EDIT: Nvm, I think it doesn't need. What's the character limit for the CHT (including the .cht)?

20 characters

 

[duke_srg]

The payload is the entire spraying array, and up to 0x2D00 bytes are consistently available when the exploit is applied. Just do a mem dump of the rop address and see it.

That makes sence, yifanlu mentioned there is no 0x300 size limitation but I don't manage to get it working with increased size, maybe my html part is overoptimized. I'll take a look at yours if you don't mind.

UPD: MegaSynka ok, looked at your HTML, two morw questions. Why the payload repeared twice in the array and is the trailing element of each array entry just trash or zero?

duke_srg

with the code.bins yifanlu used this

__asm__ volatile (".word 0xE1A00000");
uvl_entry();
__asm__ volatile ("bx lr");

it works fine on sysnand, but on emunand it crash the system when bx lr was executed. a fix for this was to have it execute __asm__ volatile ("svc 0x03");
for rops is something similar used? maybe if you have the rop try to execute svc 0x03 it will work on emunand.

I have no address for SVC 0x03 gadget. Anyway that is not necessary because arcode.bin is based on your code, just changed file loading with constant array patched in the ROP after loading into memory. Most probably I left several issues while converting your code.
BTW, the source file in the archive is newer that bin file and the compilation result is different. Is it OK? I even had no time to check cheats is working my 9.2.0-20E console, debbuging like a blind and gone to sleep 2:30AM %) Luckily may have a little spare time at work now to revise your code, don't you mind I'll do a size optimization for it?

 

[marcoz9999]

pongozila can you make a arcode.cht file for the azure gunvolt please i cant get your codes to work thanks

 

[MegaSynka]

That makes sence, yifanlu mentioned there is no 0x300 size limitation but I don't manage to get it working with increased size, maybe my html part is overoptimized. I'll take a look at yours if you don't mind.

UPD: MegaSynka ok, looked at your HTML, two morw questions. Why the payload repeared twice in the array and is the trailing element of each array entry just trash or zero?

1. Magic numbers
2. Trash

 

[duke_srg]

1. Magic numbers

Is it only the word at 0x21C of the second 0x300 payload, or all the other magics? Code.bin data from the third 0x3oo chunk and above do not have any magics?

 

[joskez]

pongozila can you make a arcode.cht file for the azure gunvolt please i cant get your codes to work thanks

you knew what pongozila gave just the address right? you need to put the value by yourself

 

[Asia81]

SciresM : Your Shuffle Code works for me! This is awesome. Thank you :-) (maybe the code isn't working for others because they have a different Region of the game? I have EU-Version)

I have the EUR too and it's not working...
What i need to do ingame before use the code ?

I need to be in the shop ? Level select ?

 

[Binebina87]

I was on stage select, then ran the code, then entered the shop and everything costed 0 gems.

 

[hawkeye91]

adding for fire emblem awakening US~

*working*
009997D0 000F423F money
009997D4 000F423F renown


*still not tested*
STAT INCREASING ITEM
009B8B58 = ENERGY DROP
009B8B5A = SPIRIT DUST
009B8B5C = SECRET BOOK
009B8B5E = SPEEDWING
009B8B60 = GODDESS ICON
....
and etc..

 

[joskez]

I have the EUR too and it's not working...
What i need to do ingame before use the code ?

I need to be in the shop ? Level select ?

Me too have the EU ver but his code doesn't work for me, because the offset for ShopItem is different, so you need to dump FCRAM and change the first address of his code with your own offset, and you can use the cheat everywhere, if you are in the shop when you trigger the cheat, just re enter the shop

 

[pongozila]

adding for fire emblem awakening US~
*still not tested*
STAT INCREASING ITEM
009B8B58 = ENERGY DROP
009B8B5A = SPIRIT DUST
009B8B5C = SECRET BOOK
009B8B5E = SPEEDWING
009B8B60 = GODDESS ICON
....
and etc..

Yep they do work too! =D Thanks!

EDIT: BTW, your codes should go better like this:

209B8B56 = SERAPH ROBE
209B8B58 = ENERGY DROP
209B8B5A = SPIRIT DUST
209B8B5C = SECRET BOOK
209B8B5E = SPEEDWING
209B8B60 = GODDESS ICON
209B8B62 = TALISMAN
209B8B64 = BOOTS

Using a "0" instead of the "2" in each line will eventually make you overwrite the next 4 lines, like:
009B8B58 will write in the lines of 58-59-5A-5B
wich means
009B8B58 = 209B8B58 209B8B59 209B8B5A 209B8B5B

Using a "1" instead of "0" will go like this:
109B8B58 will only write the lines 58-59
wich means
109B8B58 = 209B8B58 209B8B59

and yet since the MAX value of these items is x99, the BEST way the code would go is:
209B8B58, because will only wirte the line 58

So like anything above 209B8B58 00000063, is just "waste of code"

209B8B58 00000063 = 99x ENERGY DROP
209B8B58 000000FF = 99x ENERGY DROP
109B8B58 00000063 = 99x ENERGY DROP
109B8B58 000000FF = 99x ENERGY DROP
109B8B58 0000FFFF = 99x ENERGY DROP

Or you could go like this:
009B8B56 00630063 = 99x SERAPH ROBE + 99x ENERGY DROP

PS: If you already knew that, don't feel ofended! =D Plus I leave this here as a quick explanation for those who don't know!

PPS:Knowledge is power; Learning is empowering; Not knowing is not shameful, but not willing to learn is!

 

[Lord M]

Kingdom Hearts 3D (E)

Max Munny
03B1FEC0 0098967F
03B62BDC 0098967F

Sora MAX HP
03B1FECC 03E703E7
03B62BE8 03E703E7

 

[hawkeye91]

Yep they do work too! =D Thanks!
-snip-

thank you

imho i think it will be much better if there is a thread dedicated only for ar codes / cht only..

 

[SciresM]

I found a bug in arcode.

Code type EXXXXXXX YYYYYYYY does not work as intended.

It should, if working properly, copy YYYYYYYY bytes to 0x14000000+XXXXXXX -- and the code looks like it should do this, but it actually doesn't.

You start by doing

Offset = CodeOffset + (First8 & 0xFFFFFFF);
Data = Second8;

Then, you loop to read data and write it, using
while ((Data > 0x00) && (ProcessedLines < LineCount))
{
...
}

There are two bugs here.

1. You check if Data should be Double 32 bit improperly.

if (Data >= 0x04)//Double 32bit
{
....
}
else if (Data >= 0x04)//32bit
{
This should be
if (Data >= 0x08) //Double 32 bit.
{
....
}
else if (Data >= 0x04)//32bit
{

2. Data is an unsigned int, not a signed int.

As declared at the top, unsigned int Data = 0;.

However, your condition for continuing the loop is that "(Data > 0x00)"

Data, as an unsigned int, will always be > 0 unless it is exactly equal to zero.

I guess this isn't actually an issue if your reading-the-correct-number-of-bytes code works properly, but because of bug #1 if data % 8 != 0 Code type EXXXXXXX YYYYYYYY will currently read until the code ends to the specified offset instead of reading only the specified number of bytes.

 

[Asia81]

Me too have the EU ver but his code doesn't work for me, because the offset for ShopItem is different, so you need to dump FCRAM and change the first address of his code with your own offset, and you can use the cheat everywhere, if you are in the shop when you trigger the cheat, just re enter the shop

Thanks for info <3
But for find my offset, how i can do it ?

 

[SciresM]

Thanks for info <3
But for find my offset, how i can do it ?

Make a RAM dump with the game open, search for "ShopItem", then add 0x18 to the offset of that text.

 

[duke_srg]

I found a bug in arcode.

Please hold on for a while. I revised KazoWAR's code resulting two times shorted source and binary. As soon as KazoWAR will give a permission, I'll publish it on Gitgub so anyone will be able to contribute.

BTW, what is the most commonly working cheat for european console, I need it for testing

 

[Asia81]

Make a RAM dump with the game open, search for "ShopItem", then add 0x18 to the offset of that text.

http://image.noelshack.com/fichiers/2015/13/1427308893-sans-titre.png

my offset is 032523F6 ?

E32523F6 00000064
D0D001A0 00000000
00000005 D0D001A1
00000000 00000012
D0D001A1 00000000
00000026 D0D001A1
00000000 00000050
D0D001A1 00000000
00000BB8 D0D001A0
00000000 00002710
D0D001A0 00000000
000055F0 D0D001A0
00000000 0000BB80
D0D001A0 00000000
D2000000 00000000

I tried with 32523DE too, but it's not working.
I haven't +0, but +9458 or other...