ROM Hack USUM IPS Patches

Sonansune

Well-Known Member
OP
Member
Joined
Jul 2, 2015
Messages
3,730
Trophies
1
XP
2,075
Country
Canada
Support V1.0 - V1.2

Notice: I recommend using SaltySD as the romfs content (cro, etc.) redirection tool.
Luma romfs redirection seems to have some kind of unknown bug: it leads the game to crash during the battle scene when certain IPS and CRO patches are both applied.

If you had any startup crashes with CRO patches, please re-merge your IPS with the new mergetool.
The old mergetool simply combined those IPS files instead of re-ordering them by offset, which could be one of the reasons that the game crashes at the loading stage.

EDIT: re-uploaded mergetool.exe


The IPS patch collection contains multiple single-feature patches, as listed below.
  1. No outlines
  2. Guaranteed catch
  3. All Pokemon renameable
  4. Instant message display
  5. Quick hatch
  6. AlwaysShinyForNotLockedPM
  7. Walking/running speed x1.375 constantly. According to other speed hack users' posts, beyond 1.375 is not SAFE (going through walls, etc.)
  8. Disable in-game NFC (wifi won't be cut off after connecting; no more Festival Plaza or suspending the game when you try to video record your game or use the pkmn-ntr debugger :ph34r:)
  9. SaltySD (https://github.com/shinyquagsire23/SaltySD) (two extra version-independent SaltySD builds redirect US and UM to different directories: sd:/saltysd/UltraSun or UltraMoon. The original version is UltraSunMoon.)
  10. PC Anywhere (overwrites the default Options/Settings menu)
  11. Walk through walls
  12. SciresM's QR patch (https://github.com/SciresM/SMPatcher)
  13. Exp multiplier x100 (can be changed by yourself: edit the selected byte (hexadecimal))
  14. Catch trainers' Pokemon
  15. Be able to learn all TM/HM
  16. No QR scanning cooldown (the QR injection patch includes this feature)
  17. Shiny lock removal
  18. Customize shiny rate
  19. Inverse type chart
  20. All stats +6 in battle
  21. Mega evolution remains, even after battle (mega-evolvED.ips)
  22. Party Mega-form Pokemon won't revert back when the save loads (Bypass Mega check(party pkm).ips)
  23. No forced trainer battles
  24. Legendaries can be used in the Battle Royal Dome & Battle Tree (Super)
  25. Camera zoom (must be used with the edited cro, check below). The zoom level can also be changed by editing the IPS; check here: #3160

Download: https://mega.nz/#F!yRBnDIyD!v3snrrQ8Yxfza_lTvKfMXw
USE THE PATCH BASED ON YOUR GAME VERSION!!!
For SM: https://gbatemp.net/threads/batch-tool-to-generate-ips-patches-for-pkmn-su-mo.452178/



IPS Merge Tutorial:
1: (requires Python)
Download the attached mergeTool.txt.
Put the desired patches in the same directory as the mergetool.
Open cmd and type in
Code:
python "the script file full name" (without quotes)
The newly generated code.ips is your merged IPS patch with all the features you want.
OR 2: (Windows, no Python requirement)
Download mergeTool:
https://puu.sh/A8t3A/e46f04d10b.7z
Put the desired patches in the same directory as this exe.
Double click.
The newly generated code.ips is your merged IPS patch with all the features you want.
Video tutorial provided by @DrGreed



CRO Editing:
For anyone interested in the wormhole cheat (it's a GW-only cheat if you don't know how to write a plugin), I have an alternative method for it. You guys can use it before analogman releases his new version of the plugin.

Requirements:
Luma CFW
GodMode9

1. Boot into GodMode9.
2. Select "sysnand/emunand SD" depending on your own game installation.
3. Select the file in this path: title\00040000001b5100 (or 1b50, based on the version of the game you want to patch)\content\00000000.app (for v1.1 and above, use 0004000E001b instead of the game itself).
4. NCCH image options -> mount image -> romfs\lunasoldive.cro. Copy this file to sd:\luma\titles\your game id\romfs\lunasoldive.cro, or to sd:/saltysd/UltraSunMoon, UltraSun or UltraMoon, depending on which version of SaltySD you used.
5. Open the file in a hex editor, go to offset 18630 (v1.0) and change the bytes as shown below; save it after the edit. Done. (For v1.1 & v1.2 it is 186C0.)
Code:
06 00 00 2A 00 00 A0 E3
to
Code:
00 00 A0 E1 03 00 A0 E3

This gives you a max level wormhole all the time.





Display opponent HP in battle (not stable):
v1.0:
battle.cro, go to offset A8CFC.
Replace "F8 40 2D E9" with "E7 FE FF EA".

v1.1:
offset A9160.

v1.2:
offset A9198.

If you had any startup crashes, please re-merge your IPS with the new mergetool.
The old mergetool simply combined those IPS files instead of re-ordering them by offset, which could be one of the reasons that the game crashes at the loading stage.

Some other cheats can also be done this way.




WARNING!!! About to enter the Devil Zone. :evil:
【Tutorial】How to integrate GW-only cheats into the game (could apply to other games)
"GW only" is true only if you don't know how to write a plugin nor rewrite a code cave version of the cheat.
Notice: same as IPS patches, CRO editing does not have a trigger feature. In order to use it on a 3DS with Luma, you need to enable "game patching" in the Luma preference menu.

Requirements:
1. Not a noob (3DS hacking scene)
2. Luma CFW \ Citra
3. CTRFramework \ GDB debugger (IDA Pro as in the tutorial; v7.0 recommended as of the time I wrote this tutorial)
4. Hex editor
5. GodMode9 (optional)
6. Hexadecimal calculator (optional)
7. Understand Gateshark instructions (novice level at least) and endianness. IMPORTANT!!!

During this tutorial, I will demonstrate a sample cheat and explain the codes, but I won't go through all Gateshark instructions, thus No. 7 is IMPORTANT!!!


  • Step 0: (Preparation)
Get all .cro files from the game.
You can use either GodMode9 or grab the romfs folder when you extract your dumped game on a computer.
  • GodMode9:
    1. Boot into GodMode9.
    2. Select "sysnand/emunand SD" depending on your own game installation.
    3. Select the file in this path: title\your game title id\content\00000000.app
    4. NCCH image options -> mount image -> romfs\
    5. Copy the romfs folder to your SD card.
    6. Copy the romfs folder from the SD card to your computer.
  • Step 1:
Take a look at the cheat you want to port and get a brief understanding of the codes.
Lines in bold have a conditional instruction. There are multiple conditional mnemonic symbols; 3, 4, 5 and 6 are used for 4-byte (32-bit) values (if less than, if greater than, if equal, if not equal).
Lines in purple and orange are memory writes.

[Camera zoom out (SELECT+L) Enable, (SELECT+R) Disable]
605B9F80 ED940A1C  -> if the 4-byte value at offset 0x005B9F80 is not equal to 0xED940A1C, execute the following instructions until D0000000 00000000 is hit
005B9F80 ED940A1C
005B9F84 ED9F1A03
005B9F88 EE300A01
005B9F8C ED840A1C
005B9F90 E2840004
005B9F94 E12FFF1E
005B9F98 00000000

D0000000 00000000  -> terminate the conditional instruction
5803B784 E2840004  -> if the 4-byte value at offset 0x0803B784 is equal to 0xE2840004, same as the 6XXXXXXX above
0803B784 EBFAA9FD
D0000000 00000000
DD000000 00000204  <- SELECT+L (Enable). [This instruction means: execute the following instructions until D0000000 is hit if SELECT & L are pressed.] You should always ignore key trigger instructions (DD000000).
005B9F98 C4BB8000  -> since you want the cheat to be ON, you pick this one instead of the orange one.
D0000000 00000000
DD000000 00000104  <- SELECT+R (Disable)
005B9F98 00000000
D0000000 00000000

For your better understanding, translating this cheat into more readable English would look like this:
First, you check the 4-byte value at offset 0x005B9F80. If the value is not equal to 0xED940A1C, you write 1C 0A 94 ED (see the reverse order here? Gateshark codes are written in big endian, but the codes are little endian in actual RAM) to 0x005B9F80-0x005B9F83 respectively, 03 1A 9F ED to 0x005B9F84-0x005B9F87, and so on... This purple chunk has almost all of the core code on the value side.
Then, you check another 4-byte value at offset 0x0803B784. If the value is equal to 0xE2840004, you write FD A9 FA EB (see the same reverse order here?) to 0x0803B784-0x0803B787 respectively.
Finally, you check for the key press. If SELECT & L are pressed, you write 00 80 BB C4 to 0x005B9F98-9B, overwriting the 00000000 at 0x005B9F98. This memory write completes the core code mentioned in the first part, thus it's activated.
If SELECT & R are pressed, you set 0x005B9F98 back to 00000000, so the core code gets reverted, thus it's disabled.

All the instructions run constantly and rapidly as long as the cheat itself is enabled in the GW cheat menu, so it can "lock" all the written values and answer your key presses.

By now, you should understand what the code does. If not, make sure you do, then you can go to the next step.
  • Step 2:
Simplify the cheat.
The simplified camera zoom out would look like below:
You should keep memory writing instructions only.

005B9F80 ED940A1C
005B9F84 ED9F1A03
005B9F88 EE300A01
005B9F8C ED840A1C
005B9F90 E2840004
005B9F94 E12FFF1E
005B9F98 C4BB8000

0803B784 EBFAA9FD


The offsets in the first 7 instructions are continuous; it used a code cave (a bunch of null bytes) in code.bin, which means it can be made into an IPS patch.
The last one has a much larger offset, which means normally you can only access it during gameplay.
  • Step 3:
Create an IPS patch if possible.
005B9F80 ED940A1C
005B9F84 ED9F1A03
005B9F88 EE300A01
005B9F8C ED840A1C
005B9F90 E2840004
005B9F94 E12FFF1E
005B9F98 C4BB8000


What you're gonna do:
1. Open any hex editor and create a new file.
2. Add "PATCH".

3. Take the offset and subtract 0x00100000 from it, i.e. 0x005B9F80 will be 0x004B9F80.
4. Type 4B9F80 in the hex section after "PATCH".

5. Calculate the length of one continuous byte chunk. 4*7=28; 28-16=12; so 28 is 0x10 + 0x0C = 0x1C in hexadecimal. If you can't do mental arithmetic, use a calculator.

6. Type in the length 001C.

7. Convert the values to little endian your own way and put them into the hex section (manually type or use another tool).

8. Add "EOF".
  • Step 4:
Locate the large offset in the game.
0803B784 EBFAA9FD

In step 4, you are gonna view the 3DS's RAM during gameplay by using 【3DS with Luma CFW & (NTR CFW + CTRFramework) OR GDB debugger】 OR 【Citra & GDB debugger】. Maybe you are gonna say Luma does have a RAM viewer with a recent commit, BUT you should know it's a highly experimental feature. I wouldn't recommend it in its current state.

3DS: (for the NTR method, I assume you know how to get CTRFramework to work and NTR is running in the background before you continue...)
1. Launch the game.
2. Play the game until you get into a valid scene for the cheat (i.e. you need to be on the big map in order to see the camera zoom effect; in the Ultra Wormhole in order to see the wormhole changes, etc.).
Citra:
1. Citra -> Emulation -> Configure -> Debug -> check "enable gdb stub". Remember the port! (You are not going to actually DEBUG the game, so you don't have to disable JIT.)
2. Launch the game. Citra will freeze at the title list screen; it's waiting for GDB to connect. Once connected, it will resume.



3.
  • NTR:
    Launch the CTRFP menu. Go to Options and select the second entry. Press X and select jump to address/offset, type in 803B784. Take a note of 0x30 (48) bytes starting from 0x0803B784; the more the better (to avoid similar code chunks when later searching for those bytes).
  • GDB:
    1. Enter the Luma menu. Enable the debugger. Go to the process list and select your game process (usually the one with the game name or some code name; it should always be the second or third from last).
    2. In IDA Pro, select Debugger -> attach -> remote gdb debugger -> debug options -> set specific options -> change the processor type from intel x86 to arm little endian -> OK twice and back to "debug application setup".
    3. Fill the hostname with your 3DS IP address shown in the Luma menu (Citra: open cmd/powershell and type in ipconfig /all; you will see an IPv4 address, which is your computer's local IP). Fill in the port too. You can check "save network settings as default" if you don't want to type in the same IP and port every time.
    4. Luma:
      Hit OK multiple times. If a small pop-out box has a suspend button, hit it.
      Citra:
      Hit OK multiple times. Ignore the pop-out suspend box for now.
      Play the game until you get into a valid scene for the cheat (i.e. you need to be on the big map in order to see the camera zoom effect; in the Ultra Wormhole in order to see the wormhole changes, etc.).
      Then click the suspend button.
    5. Click the hex window once and press G on your keyboard. Type in the offset 803B784 and hit OK.
    6. Take a note of 0x30 (48) bytes starting from 0x0803B784; the more the better (to avoid similar code chunks when later searching for those bytes).
4. You can do it in a few ways.
1) General guessing:
For example, the cheat is about camera zoom on the map, which means it's related to the map. Then you are gonna look for a file named like map.cro, etc. (which has the keyword you want).
Sadly, you can't find any cro with "map" in its name. In this case, you can go through all the cro files to check their names. Ha! Found a similar name: "field". Since multiple files have "field" in their names, you want to go with the largest one, "FieldRo.cro", first.
Open "FieldRo.cro" in a hex editor and search for your noted hex bytes. You should get 1 result only; if not, go back to step 3 and take a larger byte string than previously.

2) Python script:
Download this Python script: https://github.com/Sepero/SearchBin/raw/master/searchbin.py
Put the script in the same directory as those .cro files you previously extracted.
Open a cmd window or PowerShell in the above directory with shift + right click. (Btw, on new versions of Win10, you can use regedit to change the right-click PowerShell back to cmd if you want to stick with it.)
Type in
Code:
for %i in (*.cro) do (python searchbin.py -p "put your noted bytes here!" %i)
i.e. searchbin.py -p "0000A0E3"

3) grep (if you know how to use it :P)
5. You should have located the offset in the correct cro by now.
  • Step 5:
Editing and usage.
1. Type in the hex value from the cheat to replace the original one (remember the reverse order!).
2. If the offsets in the cheat are not continuous, repeat 3-5 in Step 4 for each of them.
3. Save the changes.
4. Copy the cro into this directory on your 3DS SD card: /luma/titles/your game title id/romfs (other games may have a relative path; you need to keep the same path as you see in GodMode9 or the extracted romfs folder).
5. Launch the game and have fun. :)

This tutorial took me quite a while to complete. If you like it, PLEASE CONSIDER DONATING A LIKE~~~ :ph34r:




credit: ymyn for amazing cheat codes, SciresM for researching and amazing works, pk3ds for No.18-No.20 @Windylacine
 

Attachments

  • mergeTool_ordered.txt
    1.1 KB · Views: 3,960
Last edited by Sonansune,
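As an added example (not the poster's mergetool nor any code from this thread), here is a small Python implementation of what Step 3 and the merge tutorial describe: the contiguous camera-zoom write lines become one IPS record (RAM address minus the 0x00100000 code.bin base the post gives, values byte-swapped to little endian, 3-byte offset and 2-byte length), and several IPS files are merged with their records re-ordered by offset, which is what the old mergetool did not do. The sample lines are the ones from the post; the 0x00100000 base is taken from the post as an assumption, and the large 0x0803B784 write is rejected because, as the post says, it cannot go into an IPS patch.

```python
import struct
CODE_BASE = 0x00100000  # assumption from the post: RAM address - this = IPS file offset

def cheat_to_records(lines):
    """'AAAAAAAA VVVVVVVV' write lines -> (offset, data), coalescing consecutive writes."""
    records = []
    for line in lines:
        addr_s, val_s = line.split()
        addr = int(addr_s, 16) & 0x0FFFFFFF       # drop the leading code-type nibble
        data = struct.pack("<I", int(val_s, 16))  # RAM is little-endian: ED940A1C -> 1C 0A 94 ED
        off = addr - CODE_BASE
        if not 0 <= off <= 0xFFFFFF:              # IPS offsets are only 3 bytes wide
            raise ValueError(f"0x{addr:08X} is outside what an IPS patch can reach")
        if records and records[-1][0] + len(records[-1][1]) == off:
            records[-1] = (records[-1][0], records[-1][1] + data)
        else:
            records.append((off, data))
    return records

def write_ips(records):
    """Serialize records ordered by offset: PATCH [off:3][len:2][data]... EOF."""
    out = bytearray(b"PATCH")
    for off, data in sorted(records, key=lambda r: r[0]):
        out += off.to_bytes(3, "big") + len(data).to_bytes(2, "big") + data
    return bytes(out + b"EOF")

def read_ips(blob):
    """Parse an IPS file back into (offset, data) records (RLE records included)."""
    if blob[:5] != b"PATCH":
        raise ValueError("not an IPS file")
    i, records = 5, []
    while blob[i:i + 3] != b"EOF":   # caveat of the format: offset 0x454F46 reads as EOF
        if i + 5 > len(blob):
            raise ValueError("truncated IPS file")
        off = int.from_bytes(blob[i:i + 3], "big")
        size = int.from_bytes(blob[i + 3:i + 5], "big")
        i += 5
        if size == 0:                # RLE record: [run:2][byte:1]
            run = int.from_bytes(blob[i:i + 2], "big")
            data, i = blob[i + 2:i + 3] * run, i + 3
        else:
            data, i = blob[i:i + size], i + size
        records.append((off, bytes(data)))
    return records

def merge_ips(blobs):
    return write_ips([r for b in blobs for r in read_ips(b)])  # re-ordered by offset

# Constructed sample input: the simplified camera-zoom code-cave lines from the post.
CAMERA_ZOOM = ["005B9F80 ED940A1C", "005B9F84 ED9F1A03", "005B9F88 EE300A01", "005B9F8C ED840A1C",
               "005B9F90 E2840004", "005B9F94 E12FFF1E", "005B9F98 C4BB8000"]
```

`write_ips(cheat_to_records(CAMERA_ZOOM))` yields exactly the 41-byte file built by hand in Step 3: PATCH, 4B9F80, 001C, the 28 byte-swapped values, EOF.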

Rynam

Member
Newcomer
Joined
Nov 8, 2016
Messages
9
Trophies
0
Age
31
XP
94
Country
Switzerland
Looks like I'm obviously doing something wrong. Every IPS that includes the Always Shiny one makes my 3DS crash when I start the game. All the others seem to work though.
 

Xantja

Member
Newcomer
Joined
Nov 8, 2017
Messages
10
Trophies
0
Age
31
XP
41
Country
Italy
Not working for me. I put shiny.ips and fastwalk.ips in luma\titles\ultramoon id\. Game patching is enabled in the Luma menu.

Do I need a code.ips?
 

Dexter

Member
Newcomer
Joined
Sep 21, 2015
Messages
22
Trophies
0
Age
34
XP
88
Country
Poland
Not working for me. I put shiny.ips and fastwalk.ips in luma\titles\ultramoon id\. Game patching is enabled in the Luma menu.

Do I need a code.ips?
You need to merge them and make sure that after merging the file is named code.ips.
 