Coding Questions and other Quandaries
Medal Of Honor Vanguard Wii (USA)

In-game Button Cheat Code Decoder

There were only 3 codes posted online for this game. I wanted to find the other 5.

I started tracing the cheat code routine, learned some stuff from it, but thought, "there's got to be an easier way."

The James Bond Way Smile

With a couple of C0 codes and one C2 code, I made a decoder that returned the button values of all the button cheat codes. Total runtime of the decoder around 6 hours.

One of the thing I needed was to simulate the buttons being pressed and released constantly. I used a trick I found that works in pretty much every Wii game; Auto Fire.
When searching for the games button activators addresses you'll usually come up with about 20 - 30 something returns. If you go through these one at a time, writing a 0x0, then press the fire/action button. See if you have auto fire, if not, uncheck that addresses box and move on to the next one. Sometimes 2 addresses may have to be held to 0x0 for the auto fire effect.

In this game, those addresses are:

808C9F80 00000000
808C9F20 00000000

I found the byte that keeps the "Enter Cheat Code" dialog box open. This is normally opened in the game by pressing Up Down Up Down in the pause menu. However, when you enter a invalid code it tells you so and waits for you to do the U D U D thing again to enter another code. With the byte held to 0x1, if a bad button combo was entered, the game immediately waits for another code to be entered. "Cheat Code Bad" is only displayed for a blink of an eye. If a valid code is entered, the game automatically drops you out of the pause menu back into game play.

All the existing codes used the D-pad exclusively, with 6 button presses needed for a code entry, so the only values I needed to randomly write to the button cheat code entry addresses was 1 - 2 - 4 - 8.

Here is the code to do that:

c0000000 00000004
3d608000 898b03b1
398c0001 2c0c0008
41a00008 39800001
998b03b1 4e800020

#Source

C0 Insert:
lis r11, 0x8000 #Upper half word of EVA
lbz r12, 0x3B1 (r11) #Load byte from EVA 0x800003B1
addi r12, r12, 0x1 #Add 1 to it
cmpwi r12, 0x8 #The value here will set up the speed of the 1 - 2 - 4 - 8 "rotation"; for this game 0x8 worked.
blt+ loc_0x18 #If the value is = to or > than
li r12, 0x1 #Reset EVA byte to 0x1

loc_0x18:
stb r12, 0x3B1 (r11) #Store updated byte to EVA
blr


Now for the 1 - 2 - 4 - 8 portion:

c0000000 00000006
3d608000 898b03b1
88ab03b0 2c0c0008
4ca20020 1ca50002
2c050009 41a00008
38a00001 98ab03b0
4e800020 00000000

C0 Insert:
lis r11, 0x8000 #Upper half word of EVA
lbz r12, 0x3B1 (r11) #Load r12 with byte from above code
lbz r5, 0x3B0(r11) #Load our current 1 - 2 - 4 - 8 byte value to r5
cmpwi r12, 0x8 #Compare value in EVA code above with 0x8
bnelr+ #If not equal end C0
mulli r5, r5, 0x2 #Multiply current value in 1 - 2 - 4 - 8 byte EVA
cmpwi r5, 0x9 #See if that value is greater than 0x8
blt+ store_it #If less than, store new multiplied value
li r5, 0x1 #If it's greater than 0x8, reset the byte to 0x1

store_it:
stb r5, 0x3B0 (r11)
blr

Notice that I have not loaded a 0x1 or any value in EVA 0x800003B0
That's because I'm lazy, and knew I could prime the pump by poking any value in that byte.
In hindsight, it's a good thing. Randomly poking this value while the code was running, changed the algorithm of the values being entered into the button cheat, and quickly fleshed out some new button codes.

Here is the portion where we store the 1 - 2 - 4 - 8:

The 6 Button presses are entered in half words sequentially 0x8077E540 -> 0x8077E54A

The original store command:

8035f638 sth r27, 0xC (r3)

The insert to write the value from EVA instead:

loc_0x0:
lis r11, 0x8000 #Upper half of EVA
lbz r27, 0x3B0 (r11) #Load current 1 - 2 - 4 - 8 value into r27
sth r27, 12 (r3) #Original store command

Implementation:

Autofire code and C2 codes disabled until in the pause menu. Game freezes with ram writes and C2 running on boot up.
C0 codes doing their thing. At this point, EVA 0x800003B1 is cycling 1 -> 8

Once in the pause menu, I held the Enter Cheat Code always enabled address to 0x1

I knew the addresses of all the cheat enable bytes that get set to 0x1 when a valid code is entered.
I set write bp's on the 5 that there were no button codes for.

I enabled the C2 and auto fire codes.

Poked the byte at 0x800003B0 to get the 1 - 2 - 4 - 8 rotation going.

Finally, I taped down the A button and let it rip.

As hoped, the button press addresses auto filled again and again with random 1 - 2 - 4 - 8

After about 4 minutes, the breakpoint tripped, and I found one of the 5 unknown button codes: InvisiMOH Mode

Copied down the 6 button values that tripped it and deciphered into the correct D-pad values to be pressed.

I kept this up, and when it seemed it was only finding already know button combos, I would poke 0x800003B0 to change the algorithm.

It would usually pop out a new code not long after doing that.


Happy Hacking!!!
Reply


Messages In This Thread
RE: Coding Questions and other Quandaries - by Hackwiz - 03-31-2022, 02:18 PM

Forum Jump:


Users browsing this thread: 35 Guest(s)