Steal-Mii [Vega] - Printable Version

Code:
#Region Setting

.set region, '' #Fill in E, P, J, or K within the quotes for your region when Compiling! Lowercase letters can also be used.



#Summary: Edit DB file contents that's already in memory. Open Mii DB file, write it, close.

#NOTE: You cannot call MKWii's built-in CRC16 func to generate the CRC16 checksum. Wii Menu uses a diff CRC16 algorithm.



#Hook Address's

#NTSC-U 800095F4

#PAL    80009634

#NTSC-J 80009590

#NTSC-K 8000973C



#Directives

.set got, 13 #r13 alias is Global Offset Table



.macro call_link address

    lis r12, \address@h

    ori r12, r12, \address@l

    mtctr r12

    bctrl

.endm



.macro call_isfs address

    ori r12, r28, \address@l

    mtctr r12

    bctrl

.endm



.if    (region == 'E' || region == 'e') # RMCE

    .set ISFS_Open, 0xADBC

    .set ISFS_Read, 0xB15C

    .set ISFS_Write, 0xB220

    .set ISFS_Close, 0xB2E4

    .macro load_unk_ptr register

            lwz \register, -0x6968 (got) #func 0x800bc340

    .endm

    .set RFL_DB_filepath_ptr, 0x80270C68 #Static ptr to filename

.elseif (region == 'P' || region == 'p') # RMCP

    .set ISFS_Open, 0xAE5C

    .set ISFS_Read, 0xB1FC

    .set ISFS_Write, 0xB2C0

    .set ISFS_Close, 0xB384

    .macro load_unk_ptr register

            lwz \register, -0x6968 (got) #func 0x800bc3e0

    .endm

    .set RFL_DB_filepath_ptr, 0x80274FA8 #Static ptr to filename

.elseif (region == 'J' || region == 'j') # RMCJ

    .set ISFS_Open, 0xAD7C

    .set ISFS_Read, 0xB11C

    .set ISFS_Write, 0xB1E0

    .set ISFS_Close, 0xB2A4

    .macro load_unk_ptr register

            lwz \register, -0x6968 (got) #func 0x800bc300

    .endm

    .set RFL_DB_filepath_ptr, 0x80274948 #Static ptr to filename

.elseif (region == 'K' || region == 'k') # RMCK

    .set ISFS_Open, 0xAEF8

    .set ISFS_Read, 0xB298

    .set ISFS_Write, 0xB35C

    .set ISFS_Close, 0xB420

    .macro load_unk_ptr register

            lwz \register, -0x6948 (got) #func 0x800bc440

    .endm

    .set RFL_DB_filepath_ptr, 0x80262D88 #Static ptr to filename

.else # Invalid Region

    .err

.endif



#Grab Ptr from EVA and check if we are on our Mii. If so, bail.

lis r12, 0x8000

lwz r11, 0xA20 (r12)

cmpwi r11, 0 #Wait til game actually generates a ptr

beq- og_instruction

lwz r0, 0x10 (r11) #If data here is NULL, we are on our Mii. Hacky but it works

cmpwi r0, 0

beq- og_instruction



#Make frame

stwu sp, -0x0080 (sp)

stmw r3, 0x8 (sp)



#Backup ptr that is minus2 in reference to opp's Mii Data, need it for later.

addi r31, r11, 0xE



#Get RFL_DB.dat pointer

load_unk_ptr r30

cmpwi r30, 0

beq- pop_frame

lwz r30, 0x10 (r30) #Mii DB ptr resides at 0x10 of unk ptr



#Hijack Mii and write it to first empty Mii spot of RFL.DB if such a spot exists

li r0, 37 #37 halfwords is 74 bytes. Each mii entry is 74 bytes

li r29, 100 #Max Miis allowed in DB

addi r11, r30, 2 #Go past RNOD 4-byte header but set start ptr at minus2 relative to first mii entry

mtctr r0

loop1:

lwz r0, 0x2 (r11) #No valid mii can start with a null word, hacky but it works

cmpwi r0, 0

beq- steal_mii_loop #If zero, we found empty entry

addi r11, r11, 74

subic. r29, r29, 1

bne+ loop1

b pop_frame #Mii DB already has 100 miis, abort!

steal_mii_loop:

lhzu r0, 0x2 (r31)

sthu r0, 0x2 (r11)

bdnz+ steal_mii_loop



#Set MAC Address Ptr

ori r3, r12, 0xA24



#Do custom CRC-8 Modulo-128 algo to generate new System/Client ID

lis r4, 0x0017 #Set MAGIC first two bytes

lwz r5, 0 (r3) #Load MAC prefix + 1 extra byte

ori r4, r4, 0xAB00 #Finish Magic Mask, left aligned

clrrwi r5, r5, 8 #Clear out junk byte, r5 now is Mac prefix only, left aligned

cmplw r4, r5 #Compare MAGIC mask vs Prefix mask

rlwinm r6, r5, 8, 0xFF #Extract first byte, right justified

rlwinm r7, r5, 16, 0xFF #Extract 2nd

rlwinm r8, r5, 24, 0xFF #Extract 3rd

add r9, r6, r7 #Add 1st + 2nd byte

add r9, r9, r8 #Add subresult with 3rd byte

beq- 0x8 #Take branch based on MAGIC compare

rlwinm r9, r9, 0, 0x7F #MAGIC NOT met, AND with 0x7F

lwz r10, 0x3 (r3) #Load rest of MAC

slwi r9, r9, 24 #Left justify the Client ID byte

srwi r10, r10, 8 #Remove junk byte that was loaded on far right

or r3, r9, r10 #Create the whole Client ID



#Write System/Client ID to stolen Mii, so user has editing perms

stw r3, -0x2C (r11)



#Write CRC16 checksum to end of .dat file

lis r29, 0x0001

ori r29, r29, 0xF1E0

mr r3, r30

subi r4, r29, 2



#Do the CRC16

mr r6,r3

li r8,0

li r3,0

b CTR_Setup1



Loop1:

extsh r9, r3

sraw r11, r7, r10

not r9,r9

li r0, -0x1021

srawi r9, r9, 31

rlwinm r11, r11, 0, 31, 31

and r9, r9, r0

rlwinm r0, r3, 1, 0, 30

or r11, r11, r0

addi r9, r9, 0x1021

xor r9, r9, r11

subi r10, r10, 1

rlwinm r3, r9, 0, 16, 31

bdnz+ Loop1



addi r8,r8,1



CTR_Setup1:

cmpw r8, r4

beq- CTR_Setup2

li r0, 8

lbzx r7, r8, r6

mtctr r0

li r10, 7

b Loop1



CTR_Setup2:

li r0, 16

mtctr r0



Loop2:

extsh r9, r3

li r0, -0x1021

not r9, r9

srawi r9, r9, 31

and r9, r9, r0

rlwinm r0, r3, 1, 0, 30

addi r9, r9, 0x1021

xor r9, r9, r0

rlwinm r3, r9, 0, 16, 31

bdnz+ Loop2



#Write the CRC16

addis r4, r30, 0x0002

sth r3, 0xFFFFF1DE (r4) #Store at 0x1F1DE in reference to r29



#Open .dat with write perms

lis r28, 0x8016 #Upper bits for ISFS Func calls

lis r3, RFL_DB_filepath_ptr@h

li r4, 2

ori r3, r3, RFL_DB_filepath_ptr@l

call_isfs ISFS_Open

mr. r31, r3

blt- pop_frame



#Write the file, then close

mr r4, r30

mr r5, r29

call_isfs ISFS_Write

cmpw r3, r29

bne- pop_frame

mr r3, r31

call_isfs ISFS_Close



#Pop frame

pop_frame:

lmw r3, 0x8 (sp)

addi sp, sp, 0x80



#Original Instruction

og_instruction:

lbz r0, 0x0051 (r3)