Hacking VitaCheat/FinalCheat Database

tomberyx

Well-Known Member
Member
Joined
Jan 9, 2020
Messages
1,674
Trophies
2
XP
4,420
Country
Germany
How to find game-speed-Code.
This code is unknown and can't be found via values in game, but there is a solution which I found.

1. Set ranges 81-82 (works mostly in games, I think).
2. Use fuzzy search / go back to game / use Fuzzy again but this time "> more" / go back to game / use Fuzzy "> more" and so on until you get a few results (always search with > more).
Try all results and see what they do, but avoid all values which start with 8xxxxxxx (eight).
Look for a game where I found this speed code and try to imitate it yourself to learn.
3. If you found nothing, set range 82-8x and try again.


You said "In Cheat Engine, you can find the assembly code (ARM code) that reads this address easily by right-clicking, but I'm not sure how to adjust it on psvita".
Can you take a picture of this process? It helps me to understand everything better!
 

XMYDL

Well-Known Member
Newcomer
Joined
May 24, 2022
Messages
58
Trophies
0
Age
28
Location
Tokyo
XP
131
Country
Japan
Thank you so much for kindly replying. I was very impressed with the Speed Modify code and the A100/A200 code you wrote.
For the process I've mentioned, you may find a reference video here: How to Edit Assembly Tutorial (starting from 940s).
 

tomberyx

It's possible to pointer search in Cheat Engine, but the powerful tools for that ('Find what writes to this address' and 'Find what accesses this address') require the debugger to be attached. Since the game is not actually running on the PC, we can't attach a debugger. These are the most powerful ways to pointer search with Cheat Engine, but they require the game to be running on the PC, not a dump of the RAM.
 

Smoker1

Well-Known Member
Member
Joined
Feb 17, 2015
Messages
5,052
Trophies
1
Location
California
XP
6,096
Country
United States
@tomberyx - You did a couple Codes for PCSB00116, The Pinball Arcade. The Codes were B200. The Addresses are all Static, so Pointers are not needed, unless there is 1 Pointer for the Ball Count, which I am still curious to know if there is one.

The biggest Pain is Pinball Heroes (No Tilt), and also Zen Pinball 2 (Ball Count)
 

tomberyx

Well-Known Member
Member
Joined
Jan 9, 2020
Messages
1,674
Trophies
2
XP
4,420
Country
Germany
Experimental Codes
Caution !
Vita device may explode if you try these codes


# Title: Pinball Heroes Complete
# ID: PCSA00109
# Region: US
# Version: 1.00
# Type: NoNpDrm
# Code Author: tomberyx
# only for VitaCheat z06 and FW 3.65+

# PCSA00109

_V0 inf.Balls [everywhere] Experimental Code
$B200 00000001 00000000
$3001 00040EA4 00000580
$0000 00000000 00000007

_V0 No Tilt [everywhere] Experimental Code
$B200 00000001 00000000
$3001 00040EA4 00000574
$0000 00000000 00000000

Coming soon "Control my Balls Code", that's gonna be the funniest code in game :-)
 

Attachments

  • PCSA00109.rar

XMYDL

Well-Known Member
Newcomer
Joined
May 24, 2022
Messages
58
Trophies
0
Age
28
Location
Tokyo
XP
131
Country
Japan
I've understood that the CE debugger is useless while running PSV games. As long as dumping RAM from PSV doesn't work efficiently for matching ARM code, I've become a bit confused about what debugger we should use for PSV. In fact, I found out some ARM codes were written like this (in this example, using money):
1. Find out the static address of money / pointer of money. (You may use VitaCheat or BGFTP combined with any pointer searcher.)
2. Test the maximum value of the address, for example 9999999 is 0x98967f in hex.
3. Use FAGDec for decompiling eboot.bin to eboot.bin.elf.
4. Use IDA Pro/Ghidra to open the elf file and wait.
5. Search the last 4 numbers, which is 967f in this case, then test all the results.
6. NOP (BF00) the relevant line.

However, I'm still a bit confused about invincible/unrivaled codes. What's funny is that strings in Vita's eboot.bin don't work at all, as no references are attached. In fact, on PSP we had a useful tool called PSPLINK, which can set a breakpoint in a PSP game and find the running assembly code. But I've found no similar debugger for PSVita. May I ask if you could provide a bit more information/methods on generating ARM codes?
 
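A worked version of the six-step procedure above, as an added example (not code from the thread, FAGDec or IDA): instead of text-searching "967f", it scans a Thumb code segment for the little-endian 32-bit constant in the literal pool and for the `LDR Rt, [pc, #imm]` instructions that load it, then formats a `$A100 ... 0000BF00` candidate for each one. The code fragment is constructed; treating eboot segment 0 as the code segment is an assumption taken from the `$B200 00000000` line of the money code later in the thread, and which candidate to NOP still has to be tested in game, as the post says.

```python
import struct

# Constructed Thumb code fragment (NOT from any real eboot.bin.elf), offsets in the segment:
# 0x00  4802  ldr r0, [pc, #8]   ; loads the 0x0098967F literal at 0x0C
# 0x02  4288  cmp r0, r1
# 0x04  bf00  nop
# 0x06  bf00  nop
# 0x08  4900  ldr r1, [pc, #0]   ; also loads the literal at 0x0C
# 0x0A  4a01  ldr r2, [pc, #4]   ; loads the 0x000F423F literal at 0x10
# 0x0C  .word 0x0098967F         ; 9999999, the max value the post searches for
# 0x10  .word 0x000F423F         ; 999999, max money in Bullet Girls 2
SAMPLE_TEXT = bytes.fromhex("0248 8842 00bf 00bf 0049 014a 7f969800 3f420f00")

THUMB_NOP = 0xBF00  # the BF00 the post writes over the chosen instruction


def find_literal(code: bytes, value: int) -> list[int]:
    """Offsets of every 4-byte-aligned little-endian copy of value (literal-pool hits)."""
    needle = struct.pack("<I", value)
    return [off for off in range(0, len(code) - 3, 4) if code[off:off + 4] == needle]


def find_literal_loads(code: bytes, value: int) -> list[tuple[int, int]]:
    """(instruction offset, Rt) of each Thumb 'LDR Rt, [pc, #imm8*4]' that loads value.

    Encoding: bits 15..11 = 01001, bits 10..8 = Rt, bits 7..0 = imm8;
    target = Align(PC, 4) + imm8 * 4 with PC = instruction offset + 4.
    A constant built with MOVW/MOVT is not decoded here and would be missed.
    """
    targets = set(find_literal(code, value))
    hits = []
    for off in range(0, len(code) - 1, 2):
        hw = struct.unpack_from("<H", code, off)[0]
        if hw & 0xF800 != 0x4800:
            continue
        target = ((off + 4) & ~3) + (hw & 0xFF) * 4
        if target in targets:
            hits.append((off, (hw >> 8) & 7))
    return hits


def nop_code_line(name: str, offset: int) -> str:
    """One VitaCheat entry: select eboot segment 0 (assumed to be the code segment, as the
    thread's money code does) and write the 16-bit Thumb NOP over the instruction at offset."""
    return f"_V0 {name}\n$B200 00000000 00000000\n$A100 {offset:08X} {THUMB_NOP:08X}"


if __name__ == "__main__":
    # One candidate entry per load; the post's rule still applies: try each, keep the one that works.
    for off, rt in find_literal_loads(SAMPLE_TEXT, 9999999):
        print(nop_code_line(f"Candidate NOP at 0x{off:X} (r{rt})", off), end="\n\n")
```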

tomberyx

Well-Known Member
Member
Joined
Jan 9, 2020
Messages
1,674
Trophies
2
XP
4,420
Country
Germany

Unfortunately I'm not really good with ARM codes because I haven't had a chance to use them in games.

You just did something with FAGDec and IDA Pro/Ghidra which induces me to try this process myself. I think you are on the right WAY.
Here below is an ARM code example:

_V0 Money
$A100 000XXXXX 0000BF00 BF=freeze value

What game are you using for this money code? Maybe we can just focus on this game and see how far we get.

About Invincible Code:
Don't worry about that, finding this code is not hard if I show you how.
But first let's try to make some ARM codes... with your method above.
 

XMYDL

Well-Known Member
Newcomer
Joined
May 24, 2022
Messages
58
Trophies
0
Age
28
Location
Tokyo
XP
131
Country
Japan
Let's get started!
In this case, I've chosen PCSG00568 (Bullet Girls S2) for the tutorial. All the files can be found here (including one simple game with no patch/addcont, a slot for savemanager on PSVita for testing. You can totally ignore this because it's just a save with 3 minutes of gameplay. To enter the game content simply press "triangle" all the way; no battles are needed. After the epilogues are finished press L to continue to "購買部へ". I also added a VitaCheat file just for max money; all 4 pointers function the same.) [shared]

We already know the maximum number is 999999, which is 0xF423F in hex. The next step is to find the address in IDA.
 

tomberyx

Well-Known Member
Member
Joined
Jan 9, 2020
Messages
1,674
Trophies
2
XP
4,420
Country
Germany
At the moment I can't work directly for 3 days because I'm traveling by car,
but will follow everything as best as possible online.

I have found codes for Bullet Girls 2 in the past,
maybe it helps us to write a Money code in ARM.
# Title: Bullet Girls 2
# ID: PCSG00568
# Region: Jap
# Version: 1.01
# Type: NoNpDrm
# Code Author: tomberyx

# PCSG00568

_V0 Invincible
$B200 00000001 00000000
$0000 0003EA97 00000001

_V0 Freeze Time
$B200 00000001 00000000
$0000 0003EAA4 00000001

_V0 inf.First-Aid use
$B200 00000001 00000000
$0000 0003DDF8 00000007

_V0 inf.Mines use
$B200 00000001 00000000
$0000 0003D894 00000007

_V0 Tomberyx Curse [push-L]
$B200 00000001 00000000
$C201 00000000 00000100
$0000 0003E8EC 00000001
$0000 0003E8F0 00000001
$0000 0003E8F4 00000007

_V0 Freeze Enemies [ON-Start Off-Select]
$B200 00000001 00000000
$C201 00000001 00000008
$0000 0003EA90 00000008
$C201 00000001 00000001
$0000 0003EA90 00000000

_V0 inf.Money
$B200 00000001 00000000
$0200 0003FC80 0076ADF1

_V0 [DEBUG] Information on Enemies
$B200 00000001 00000000
$0000 0003D6C8 00000002

_V0 Cam Bird
$B200 00000001 00000000
$0200 00032070 41A00001

_V0 Zoom hold X
$B200 00000001 00000000
$C201 00000001 00004000
$0100 00032104 00000234

_V0 Hide UI [ON-OFF]
$B200 00000001 00000000
$A000 0003EA94 00000000
 

tomberyx

Well-Known Member
Member
Joined
Jan 9, 2020
Messages
1,674
Trophies
2
XP
4,420
Country
Germany

The address for Money is somewhere in the eboot.bin.elf file; the value you set, 99999, is not in eboot.bin.elf but in RAM. Now we can ask ourselves the question "how can we find the Money address without the value 99999?" That is a good start for our HEX journey :-)
 

XMYDL

Well-Known Member
Newcomer
Joined
May 24, 2022
Messages
58
Trophies
0
Age
28
Location
Tokyo
XP
131
Country
Japan
Thank you so much! I'm so grateful for the enormously helpful information. I'm working on it.
Now I've found the money code! It would be possible for me to paste a video here if necessary. Here'd be the code.

_V0 Max Money after shopping
$B200 00000000 00000000
$A100 00054562 0000BF00

Unfortunately, I have no idea why the prefix is A100, which refers to a 16-bit address. How may I figure out the bit? As well, "finding the money program assembly code without address", this problem got me there: there seems to be a lack of method, and I'm concerned that this would be just the point why I found the invincible code difficult. May I have a lesson?
 

Smoker1

Well-Known Member
Member
Joined
Feb 17, 2015
Messages
5,052
Trophies
1
Location
California
XP
6,096
Country
United States
Here are all the Codes I did back in the Day for it
_V0 Ball 3-1stRun-Pain
$0000 81D9F280 00000003

_V0 Always 6x-1stRun-Pain
$0000 81D9F1AC 00000006

_V0 9999999 Points-1stRun-Pain
$0200 81D9F1A4 0098967F

_V0 Ball 3-PSN-Pain
$0000 81D9F130 00000003

_V0 9999999 Points-PSN-Pain
$0200 81D9F054 0098967F

_V0 6x Bonus-PSN-Pain
$0000 81D9F05C 00000006

_V0 LeftRampCount-PSN-Pain
$0000 81E641D4 00000063

_V0 MiddleRampCount-PSN-Pain
$0000 81E641F4 00000063

_V0 RightRampCount-PSN-Pain
$0000 81E64214 00000063

_V0 NoTilt-PSN-Pain-Problems
$0000 81D9F128 00000000

_V0 Ball 3-PSN-Bowling
$0000 81E617F0 00000003

_V0 9999999 Points-PSN-Bowling
$0200 81E61714 0098967F

_V0 6x Bonus-PSN-Bowling
$0000 81E6171C 00000006
 

tomberyx

Well-Known Member
Member
Joined
Jan 9, 2020
Messages
1,674
Trophies
2
XP
4,420
Country
Germany
I tried from your codes only Ball and Tilt; so far I can say all codes are Semi-Static, but it's fine if we can profit from it. This game is a pain to get pointers or B200 codes, so I tried some experimental B200 codes and they worked pretty well (fingers crossed).
 

XMYDL

Well-Known Member
Newcomer
Joined
May 24, 2022
Messages
58
Trophies
0
Age
28
Location
Tokyo
XP
131
Country
Japan
So now I'm keeping moving onto ammos.
 

tomberyx

Well-Known Member
Member
Joined
Jan 9, 2020
Messages
1,674
Trophies
2
XP
4,420
Country
Germany

Very good! Nice!
A100 means Value 000FFFFF
A200 means Value FFFFFFFF
A000 means Value 00000FF
I can not go into detail at the moment, but if you're not sure, always use A200.

About Invincible Code, I need to play the game to see how I did it in the past. I can't right now, but will show you step by step how I did it when I have more time.

It would help all of us here if you could make videos or pictures of how you got the money code with your method. Please share your experiences with us if you're ready for it.
 

tomberyx

Well-Known Member
Member
Joined
Jan 9, 2020
Messages
1,674
Trophies
2
XP
4,420
Country
Germany
About invincible code
I think I did it that way. First search the Money address; if this address is in 82XXXXX
then the invincible code must be in the range 82-83.

Let's start
1. Get a hit from an enemy; at this moment the character will deform or change color. Turn VitaCheat on
and set range on 82-83 and search with fuzzy.
Go back to the game, make another search with < if the character is not blinking, and
next > if you get a hit; repeat it until you get a few results.

Short example: 1st Hit / no Hit < / Hit > / No hit < / Hit > and so on.....

If you try the results, set all values to zero because zero = No hit, or maybe 1 = No Hit.

_V0 Invincible
$B200 00000001 00000000
$0000 0003EA97 00000001 1=Invincible


Sometimes you can't find the right code, but for that I have another solution and 2 more. Will show you in time.
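The narrowing step that both fuzzy-search procedures in this thread rely on (the speed-code search with "> more" at the top, and the hit / no-hit sequence above), as an added example that is not VitaCheat's own code: the first search keeps every address in the 82-83 window, and each return to the game keeps only the addresses whose byte moved in the stated direction since the previous snapshot. The snapshots are constructed; the surviving address is then turned into a `$0000` write of zero, the "zero = No hit" test the post suggests.

```python
# The comparison operators the thread names for VitaCheat's fuzzy search
RELATIONS = {
    ">": lambda new, old: new > old,   # "> more"
    "<": lambda new, old: new < old,
    "=": lambda new, old: new == old,
    "!=": lambda new, old: new != old,
}
RANGE_82_83 = (0x82000000, 0x84000000)   # the post's "set range on 82-83"

# Constructed 8-bit snapshots (address -> byte), NOT a real Vita RAM dump, taken at the
# post's moments "1st Hit / no Hit / Hit / No hit / Hit". Only 0x82001000 follows the hit
# flag; 0x8200100C is noise that survives until the last round; 0x81000000 is out of range.
SNAPSHOTS = [
    {0x82001000: 1, 0x82001004: 5, 0x82001008: 3, 0x8200100C: 9, 0x82001010: 100, 0x81000000: 1},
    {0x82001000: 0, 0x82001004: 6, 0x82001008: 3, 0x8200100C: 2, 0x82001010: 100, 0x81000000: 0},
    {0x82001000: 1, 0x82001004: 7, 0x82001008: 3, 0x8200100C: 7, 0x82001010: 80, 0x81000000: 1},
    {0x82001000: 0, 0x82001004: 8, 0x82001008: 3, 0x8200100C: 1, 0x82001010: 80, 0x81000000: 0},
    {0x82001000: 1, 0x82001004: 9, 0x82001008: 3, 0x8200100C: 0, 0x82001010: 60, 0x81000000: 1},
]


def fuzzy_narrow(snapshots, relations, addr_range):
    """Fuzzy search: start with every address in range (no value known), then after each
    return to the game keep only addresses where relations[i] holds between snapshot i+1 and i."""
    lo, hi = addr_range
    alive = {a for a in snapshots[0] if lo <= a < hi}
    for prev, cur, rel in zip(snapshots, snapshots[1:], relations):
        test = RELATIONS[rel]
        alive = {a for a in alive if a in cur and test(cur[a], prev[a])}
    return sorted(alive)


def write_code(name, addr, value):
    """Absolute-address 8-bit write in the thread's $0000 format, e.g. 0 for 'zero = No hit'."""
    return f"_V0 {name}\n$0000 {addr:08X} {value:08X}"


if __name__ == "__main__":
    # The post's sequence: no Hit <, Hit >, No hit <, Hit >
    for addr in fuzzy_narrow(SNAPSHOTS, ["<", ">", "<", ">"], RANGE_82_83):
        print(write_code(f"Invincible candidate 0x{addr:X}", addr, 0))
```

Flipping every relation (the case where 1 means "no hit") empties the candidate set on these snapshots, which is exactly the symptom of searching in the wrong direction.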
 

XMYDL

Well-Known Member
Newcomer
Joined
May 24, 2022
Messages
58
Trophies
0
Age
28
Location
Tokyo
XP
131
Country
Japan
Thank you so much! I now understand that HIT is a situation that is counted by the system in RAM. So if NO HIT = 1, will we need to search in the opposite way in fuzzy? Which is changing all the ">" into "<".

Last but not least, I may have to apologize that my next reply may be late due to the time lag here. (Which means I'm going to sleep :-( )
 

XMYDL

Well-Known Member
Newcomer
Joined
May 24, 2022
Messages
58
Trophies
0
Age
28
Location
Tokyo
XP
131
Country
Japan
Surely I will explain fully after I've conquered these fuzzy things. What I want to add is that apparently A100 codes can't be changed into A200 codes. For example, the money code above can't be changed into A200. I understood what bit means, but I didn't understand it while using ARM codes.
 
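A parser for the VitaCheat text format used throughout this thread, as an added example (not VitaCheat's or FinalCheat's own code): it decodes the write width behind `$0x00` / `$Ax00` lines (the 8/16/32-bit meaning of the A000/A100/A200 prefixes discussed above), reads `$C201` button masks with the standard Vita pad bits (L = 0x100, Start = 0x8, Select = 0x1, Cross = 0x4000, matching the thread's codes), and flags the case just raised: an A100 NOP rewritten as A200, whose upper 0000 would also overwrite the next Thumb halfword. That `$B200` selects eboot segment 0 for code and 1 for data is inferred from the thread's codes, not documented anywhere on this page.

```python
import re

# Vita pad bitmask (SceCtrlButtons); it matches the thread's $C201 masks
BUTTONS = {0x1: "Select", 0x8: "Start", 0x10: "Up", 0x20: "Right", 0x40: "Down",
           0x80: "Left", 0x100: "L", 0x200: "R", 0x1000: "Triangle",
           0x2000: "Circle", 0x4000: "Cross", 0x8000: "Square"}
WIDTH_BITS = {"0": 8, "1": 16, "2": 32}   # second hex digit of $0x00 / $Ax00 lines
LINE_RE = re.compile(r"^\$([0-9A-F]{4})\s+([0-9A-F]{8})\s+([0-9A-F]{8})", re.I)

# Constructed sample: two entries copied from the thread, with a header line as in its files
SAMPLE = """# PCSG00568
_V0 Tomberyx Curse [push-L]
$B200 00000001 00000000
$C201 00000000 00000100
$0000 0003E8EC 00000001

_V0 Max Money after shopping
$B200 00000000 00000000
$A100 00054562 0000BF00
"""


def parse_cheats(text: str) -> list[tuple[str, list[tuple[str, int, int]]]]:
    """[(name, [(type, address, value), ...])]; '#' headers and trailing notes are ignored."""
    cheats = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("_V0 "):
            cheats.append((line[4:].strip(), []))
        elif (m := LINE_RE.match(line)) and cheats:
            cheats[-1][1].append((m[1].upper(), int(m[2], 16), int(m[3], 16)))
    return cheats


def describe(op: str, addr: int, value: int) -> str:
    """Plain reading of one line; the B200 segment meaning is inferred from the thread's codes."""
    if op[0] in "0A" and op[1] in WIDTH_BITS:
        bits, kind = WIDTH_BITS[op[1]], "code" if op[0] == "A" else "data"
        nop = " (Thumb NOP)" if op[0] == "A" and value == 0xBF00 else ""
        return f"{bits}-bit {kind} write of 0x{value:X}{nop} at base+0x{addr:X}"
    if op == "B200":
        return f"base := eboot segment {addr} (0 = code, 1 = data in the thread's codes)"
    if op.startswith("C2"):
        names = [n for bit, n in BUTTONS.items() if value & bit] or [f"0x{value:X}"]
        return f"run following lines while {'+'.join(names)} pressed (flag {addr})"
    return f"unknown type {op}"


def check(op: str, addr: int, value: int) -> list[str]:
    """Warnings for the thread's pitfalls: value wider than the write, a code patch off the
    Thumb halfword grid, or an A200 NOP whose upper 0000 clobbers the next halfword."""
    warns = []
    if op[0] in "0A" and op[1] in WIDTH_BITS:
        bits = WIDTH_BITS[op[1]]
        if value >> bits:
            warns.append(f"value 0x{value:X} exceeds {bits}-bit width")
        if op[0] == "A" and bits >= 16 and addr % 2:
            warns.append("Thumb code patch must be halfword aligned")
        if op[0] == "A" and bits == 32 and value < 0x10000:
            warns.append("32-bit code write also overwrites the next halfword; use A100")
    return warns
```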
