Steal-Mii [Vega]
#1

This code allows you to steal anybody's Mii and add it to your Mii Channel. You also have the ability to edit your stolen Mii(s).

CAUTION: This code makes permanent edits to your Mii Channel. Even though the code simply adds a new Mii and generates a new checksum, it's possible there may be a mistake in my code which could result in a corrupted Mii Channel. As a precaution, please BACK UP your Mii Channel first before using this code. The file being edited is /shared2/menu/FaceLib/RFL_DB.dat

How it works~
1. When Online, whatever Mii you are currently viewing on the globe (or have last viewed on the globe) is the one that will be stolen once you have pressed your activator (fill in typical X, Y, Z values below).

2. You do *NOT* need to hold down the activator for a long period of time; just simply press it. You will notice a lag spike for a split second; this is normal. If there was absolutely no lag spike, then the code most likely did not execute. If you hold down the activator too long (even a tiny bit), you will end up stealing the Mii extra times. No big deal; you will just have some duplicates in your Mii Channel which you can later delete.

3. After you have stolen the Mii, simply shut down your game and go to the Mii Channel; you will see the stolen Mii. If you try to see the Mii (i.e. license settings) before visiting the Mii Channel, you won't see the stolen Mii; this is normal.

4. If you try to do this on your own Mii, the code will detect this and not execute. If your Mii Channel is completely full, the code will detect this and not execute.

Final NOTE: This code makes use of memory addresses 0x80000A20 through 0x80000A29. Make sure no other codes in your GCT/Cheat-Manager are using those addresses.

Video demo - https://www.youtube.com/watch?v=zrBEvE-94is

NTSC-U
C216AE3C 00000002
7FA4EB78 9421FFE0
60000000 00000000
0416AE40 48028A1D
C21D0DD8 00000004
80010024 817C0000
3D808000 A15C0004
916C0A24 B14C0A28
60000000 00000000
C274BCC8 00000002
3D808000 9421FFE0
908C0A20 00000000
040095F4 88030051
2834XXXX YYYYZZZZ
C20095F4 00000039
3D808000 816C0A20
2C0B0000 418201B4
800B0010 2C000000
418201A8 9421FF80
BC610008 3BEB000E
83CD9698 2C1E0000
41820188 83DE0010
38000025 3BA00064
397E0002 7C0903A6
800B0002 2C000000
41820014 396B004A
37BDFFFF 4082FFEC
48000158 A41F0002
B40B0002 4200FFF8
61830A24 3C800017
80A30000 6084AB00
54A5002E 7C042840
54A6463E 54A7863E
54A8C63E 7D263A14
7D294214 41820008
5529067E 81430003
5529C00E 554AC23E
7D235378 906BFFD4
3FA00001 63BDF1E0
7FC3F378 389DFFFE
7C661B78 39000000
38600000 48000040
7C690734 7CEB5630
7D2948F8 3800EFDF
7D29FE70 556B07FE
7D290038 5460083C
7D6B0378 39291021
7D295A78 394AFFFF
5523043E 4200FFCC
39080001 7C082000
41820018 38000008
7CE830AE 7C0903A6
39400007 4BFFFFAC
38000010 7C0903A6
7C690734 3800EFDF
7D2948F8 7D29FE70
7D290038 5460083C
39291021 7D290278
5523043E 4200FFDC
3C9E0002 B064F1DE
3F808016 3C608027
38800002 60630C68
638CADBC 7D8903A6
4E800421 7C7F1B79
41800030 7FC4F378
7FA5EB78 638CB220
7D8903A6 4E800421
7C03E800 40820014
7FE3FB78 638CB2E4
7D8903A6 4E800421
B8610008 38210080
88030051 00000000
E0000000 80008000


PAL
C216AEDC 00000002
7FA4EB78 9421FFE0
60000000 00000000
0416AEE0 48028A1D
C21D0E78 00000004
80010024 817C0000
3D808000 A15C0004
916C0A24 B14C0A28
60000000 00000000
C2751208 00000002
3D808000 9421FFE0
908C0A20 00000000
04009634 88030051
2834XXXX YYYYZZZZ
C2009634 00000039
3D808000 816C0A20
2C0B0000 418201B4
800B0010 2C000000
418201A8 9421FF80
BC610008 3BEB000E
83CD9698 2C1E0000
41820188 83DE0010
38000025 3BA00064
397E0002 7C0903A6
800B0002 2C000000
41820014 396B004A
37BDFFFF 4082FFEC
48000158 A41F0002
B40B0002 4200FFF8
61830A24 3C800017
80A30000 6084AB00
54A5002E 7C042840
54A6463E 54A7863E
54A8C63E 7D263A14
7D294214 41820008
5529067E 81430003
5529C00E 554AC23E
7D235378 906BFFD4
3FA00001 63BDF1E0
7FC3F378 389DFFFE
7C661B78 39000000
38600000 48000040
7C690734 7CEB5630
7D2948F8 3800EFDF
7D29FE70 556B07FE
7D290038 5460083C
7D6B0378 39291021
7D295A78 394AFFFF
5523043E 4200FFCC
39080001 7C082000
41820018 38000008
7CE830AE 7C0903A6
39400007 4BFFFFAC
38000010 7C0903A6
7C690734 3800EFDF
7D2948F8 7D29FE70
7D290038 5460083C
39291021 7D290278
5523043E 4200FFDC
3C9E0002 B064F1DE
3F808016 3C608027
38800002 60634FA8
638CAE5C 7D8903A6
4E800421 7C7F1B79
41800030 7FC4F378
7FA5EB78 638CB2C0
7D8903A6 4E800421
7C03E800 40820014
7FE3FB78 638CB384
7D8903A6 4E800421
B8610008 38210080
88030051 00000000
E0000000 80008000

NTSC-J
C216ADFC 00000002
7FA4EB78 9421FFE0
60000000 00000000
0416AE00 48028A1D
C21D0D98 00000004
80010024 817C0000
3D808000 A15C0004
916C0A24 B14C0A28
60000000 00000000
C2750874 00000002
3D808000 9421FFE0
908C0A20 00000000
04009590 88030051
2834XXXX YYYYZZZZ
C2009590 00000039
3D808000 816C0A20
2C0B0000 418201B4
800B0010 2C000000
418201A8 9421FF80
BC610008 3BEB000E
83CD9698 2C1E0000
41820188 83DE0010
38000025 3BA00064
397E0002 7C0903A6
800B0002 2C000000
41820014 396B004A
37BDFFFF 4082FFEC
48000158 A41F0002
B40B0002 4200FFF8
61830A24 3C800017
80A30000 6084AB00
54A5002E 7C042840
54A6463E 54A7863E
54A8C63E 7D263A14
7D294214 41820008
5529067E 81430003
5529C00E 554AC23E
7D235378 906BFFD4
3FA00001 63BDF1E0
7FC3F378 389DFFFE
7C661B78 39000000
38600000 48000040
7C690734 7CEB5630
7D2948F8 3800EFDF
7D29FE70 556B07FE
7D290038 5460083C
7D6B0378 39291021
7D295A78 394AFFFF
5523043E 4200FFCC
39080001 7C082000
41820018 38000008
7CE830AE 7C0903A6
39400007 4BFFFFAC
38000010 7C0903A6
7C690734 3800EFDF
7D2948F8 7D29FE70
7D290038 5460083C
39291021 7D290278
5523043E 4200FFDC
3C9E0002 B064F1DE
3F808016 3C608027
38800002 60634948
638CAD7C 7D8903A6
4E800421 7C7F1B79
41800030 7FC4F378
7FA5EB78 638CB1E0
7D8903A6 4E800421
7C03E800 40820014
7FE3FB78 638CB2A4
7D8903A6 4E800421
B8610008 38210080
88030051 00000000
E0000000 80008000

NTSC-K
C216AF78 00000002
7FA4EB78 9421FFE0
60000000 00000000
0416AF7C 48028CDD
C21D11D4 00000004
80010024 817C0000
3D808000 A15C0004
916C0A24 B14C0A28
60000000 00000000
C273F5C8 00000002
3D808000 9421FFE0
908C0A20 00000000
0400973C 88030051
2833XXXX YYYYZZZZ
C200973C 00000039
3D808000 816C0A20
2C0B0000 418201B4
800B0010 2C000000
418201A8 9421FF80
BC610008 3BEB000E
83CD96B8 2C1E0000
41820188 83DE0010
38000025 3BA00064
397E0002 7C0903A6
800B0002 2C000000
41820014 396B004A
37BDFFFF 4082FFEC
48000158 A41F0002
B40B0002 4200FFF8
61830A24 3C800017
80A30000 6084AB00
54A5002E 7C042840
54A6463E 54A7863E
54A8C63E 7D263A14
7D294214 41820008
5529067E 81430003
5529C00E 554AC23E
7D235378 906BFFD4
3FA00001 63BDF1E0
7FC3F378 389DFFFE
7C661B78 39000000
38600000 48000040
7C690734 7CEB5630
7D2948F8 3800EFDF
7D29FE70 556B07FE
7D290038 5460083C
7D6B0378 39291021
7D295A78 394AFFFF
5523043E 4200FFCC
39080001 7C082000
41820018 38000008
7CE830AE 7C0903A6
39400007 4BFFFFAC
38000010 7C0903A6
7C690734 3800EFDF
7D2948F8 7D29FE70
7D290038 5460083C
39291021 7D290278
5523043E 4200FFDC
3C9E0002 B064F1DE
3F808016 3C608026
38800002 60632D88
638CAEF8 7D8903A6
4E800421 7C7F1B79
41800030 7FC4F378
7FA5EB78 638CB35C
7D8903A6 4E800421
7C03E800 40820014
7FE3FB78 638CB420
7D8903A6 4E800421
B8610008 38210080
88030051 00000000
E0000000 80008000

Code creator: Vega
Code credits: Megazig (ISFS funcs), Wannikoko (CRC16)



First ASM Source:
Code:
#Bypass Wiimmfi Block
#Hook addresses
#NTSC-U 8016AE3C
#PAL    8016AEDC
#NTSC-J 8016ADFC
#NTSC-K 8016AF78

#Set 2nd arg for IOS_Open
mr r4, r29
#Execute First instruction of ios_open
stwu sp, -0x0020 (sp)



RAM Write "Source":
Code:
#Addresses
#NTSC-U 8016AE40
#PAL    8016AEE0
#NTSC-J 8016AE00
#NTSC-K 8016AF7C

#At Address, rewrite the bl instruction with its address + 4.



Second ASM Source:
Code:
#Store MAC Address to EVA

#NTSC-U 801D0DD8
#PAL    801D0E78
#NTSC-J 801D0D98
#NTSC-K 801D11D4

#r28 is MAC ptr
lwz r0, 0x0024 (sp) #OG Instruction
lwz r11, 0 (r28)
lis r12, 0x8000
lhz r10, 0x4 (r28)
stw r11, 0xA24 (r12)
sth r10, 0xA28 (r12)



Third ASM Source:
Code:
#Store unk ptr, aka some online Mii data / Mii char icon ptr (r4), to EVA

#NTSC-U 8074BCC8
#PAL    80751208
#NTSC-J 80750874
#NTSC-K 8073F5C8

lis r12, 0x8000
stwu sp, -0x0020 (sp) #OG Instruction
stw r4, 0xA20 (r12)



Fourth ASM Source:

Code:
#Region Setting
.set region, '' #Fill in E, P, J, or K within the quotes for your region when Compiling! Lowercase letters can also be used.

#Summary: Edit the DB file contents that are already in memory, then open the Mii DB file, write it, and close it.
#NOTE: You cannot call MKWii's built-in CRC16 func to generate the CRC16 checksum. The Wii Menu uses a different CRC16 algorithm.

#Hook addresses
#NTSC-U 800095F4
#PAL    80009634
#NTSC-J 80009590
#NTSC-K 8000973C

#Directives
.set got, 13 #r13 alias is Global Offset Table

.macro call_link address
    lis r12, \address@h
    ori r12, r12, \address@l
    mtctr r12
    bctrl
.endm

.macro call_isfs address
    ori r12, r28, \address@l
    mtctr r12
    bctrl
.endm

.if    (region == 'E' || region == 'e') # RMCE
    .set ISFS_Open, 0xADBC
    .set ISFS_Read, 0xB15C
    .set ISFS_Write, 0xB220
    .set ISFS_Close, 0xB2E4
    .macro load_unk_ptr register
            lwz \register, -0x6968 (got) #func 0x800bc340
    .endm
    .set RFL_DB_filepath_ptr, 0x80270C68 #Static ptr to filename
.elseif (region == 'P' || region == 'p') # RMCP
    .set ISFS_Open, 0xAE5C
    .set ISFS_Read, 0xB1FC
    .set ISFS_Write, 0xB2C0
    .set ISFS_Close, 0xB384
    .macro load_unk_ptr register
            lwz \register, -0x6968 (got) #func 0x800bc3e0
    .endm
    .set RFL_DB_filepath_ptr, 0x80274FA8 #Static ptr to filename
.elseif (region == 'J' || region == 'j') # RMCJ
    .set ISFS_Open, 0xAD7C
    .set ISFS_Read, 0xB11C
    .set ISFS_Write, 0xB1E0
    .set ISFS_Close, 0xB2A4
    .macro load_unk_ptr register
            lwz \register, -0x6968 (got) #func 0x800bc300
    .endm
    .set RFL_DB_filepath_ptr, 0x80274948 #Static ptr to filename
.elseif (region == 'K' || region == 'k') # RMCK
    .set ISFS_Open, 0xAEF8
    .set ISFS_Read, 0xB298
    .set ISFS_Write, 0xB35C
    .set ISFS_Close, 0xB420
    .macro load_unk_ptr register
            lwz \register, -0x6948 (got) #func 0x800bc440
    .endm
    .set RFL_DB_filepath_ptr, 0x80262D88 #Static ptr to filename
.else # Invalid Region
    .err
.endif

#Grab Ptr from EVA and check if we are on our Mii. If so, bail.
lis r12, 0x8000
lwz r11, 0xA20 (r12)
cmpwi r11, 0 #Wait until the game actually generates a ptr
beq- og_instruction
lwz r0, 0x10 (r11) #If data here is NULL, we are on our Mii. Hacky but it works
cmpwi r0, 0
beq- og_instruction

#Make frame
stwu sp, -0x0080 (sp)
stmw r3, 0x8 (sp)

#Back up a ptr that sits 2 bytes before the opponent's Mii data (lhzu pre-increments); needed for the copy loop later.
addi r31, r11, 0xE

#Get RFL_DB.dat pointer
load_unk_ptr r30
cmpwi r30, 0
beq- pop_frame
lwz r30, 0x10 (r30) #Mii DB ptr resides at 0x10 of unk ptr

#Hijack the Mii and write it to the first empty Mii slot of RFL_DB.dat, if such a slot exists
li r0, 37 #37 halfwords is 74 bytes. Each Mii entry is 74 bytes
li r29, 100 #Max Miis allowed in DB
addi r11, r30, 2 #Go past the 4-byte RNOD header, but set the start ptr 2 bytes before the first Mii entry (sthu pre-increments)
mtctr r0
loop1:
lwz r0, 0x2 (r11) #No valid Mii can start with a null word, hacky but it works
cmpwi r0, 0
beq- steal_mii_loop #If zero, we found empty entry
addi r11, r11, 74
subic. r29, r29, 1
bne+ loop1
b pop_frame #Mii DB already has 100 miis, abort!
steal_mii_loop:
lhzu r0, 0x2 (r31)
sthu r0, 0x2 (r11)
bdnz+ steal_mii_loop

#Set MAC Address Ptr
ori r3, r12, 0xA24

#Do custom CRC-8 Modulo-128 algo to generate new System/Client ID
lis r4, 0x0017 #Set MAGIC first two bytes
lwz r5, 0 (r3) #Load MAC prefix + 1 extra byte
ori r4, r4, 0xAB00 #Finish Magic Mask, left aligned
clrrwi r5, r5, 8 #Clear out junk byte, r5 now is Mac prefix only, left aligned
cmplw r4, r5 #Compare MAGIC mask vs Prefix mask
rlwinm r6, r5, 8, 0xFF #Extract first byte, right justified
rlwinm r7, r5, 16, 0xFF #Extract 2nd
rlwinm r8, r5, 24, 0xFF #Extract 3rd
add r9, r6, r7 #Add 1st + 2nd byte
add r9, r9, r8 #Add subresult with 3rd byte
beq- 0x8 #Take branch based on MAGIC compare
rlwinm r9, r9, 0, 0x7F #MAGIC NOT met, AND with 0x7F
lwz r10, 0x3 (r3) #Load rest of MAC
slwi r9, r9, 24 #Left justify the Client ID byte
srwi r10, r10, 8 #Remove junk byte that was loaded on far right
or r3, r9, r10 #Create the whole Client ID

#Write System/Client ID to stolen Mii, so user has editing perms
stw r3, -0x2C (r11)

#Write CRC16 checksum to end of .dat file
lis r29, 0x0001
ori r29, r29, 0xF1E0
mr r3, r30
subi r4, r29, 2

#Do the CRC16
mr r6,r3
li r8,0
li r3,0
b CTR_Setup1

Loop1:
extsh r9, r3
sraw r11, r7, r10
not r9,r9
li r0, -0x1021
srawi r9, r9, 31
rlwinm r11, r11, 0, 31, 31
and r9, r9, r0
rlwinm r0, r3, 1, 0, 30
or r11, r11, r0
addi r9, r9, 0x1021
xor r9, r9, r11
subi r10, r10, 1
rlwinm r3, r9, 0, 16, 31
bdnz+ Loop1

addi r8,r8,1

CTR_Setup1:
cmpw r8, r4
beq- CTR_Setup2
li r0, 8
lbzx r7, r8, r6
mtctr r0
li r10, 7
b Loop1

CTR_Setup2:
li r0, 16
mtctr r0

Loop2:
extsh r9, r3
li r0, -0x1021
not r9, r9
srawi r9, r9, 31
and r9, r9, r0
rlwinm r0, r3, 1, 0, 30
addi r9, r9, 0x1021
xor r9, r9, r0
rlwinm r3, r9, 0, 16, 31
bdnz+ Loop2

#Write the CRC16
addis r4, r30, 0x0002
sth r3, 0xFFFFF1DE (r4) #Store at r30 + 0x1F1DE (i.e. r29 - 2), the last halfword of the .dat file

#Open .dat with write perms
lis r28, 0x8016 #Upper bits for ISFS Func calls
lis r3, RFL_DB_filepath_ptr@h
li r4, 2
ori r3, r3, RFL_DB_filepath_ptr@l
call_isfs ISFS_Open
mr. r31, r3
blt- pop_frame

#Write the file, then close
mr r4, r30
mr r5, r29
call_isfs ISFS_Write
cmpw r3, r29
bne- pop_frame
mr r3, r31
call_isfs ISFS_Close

#Pop frame
pop_frame:
lmw r3, 0x8 (sp)
addi sp, sp, 0x80

#Original Instruction
og_instruction:
lbz r0, 0x0051 (r3)
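Below is an added Python example (mine, not Vega's code and not part of this post) for checking the RFL_DB.dat backup the post tells you to make. It transcribes the CRC-16 loops from the fourth source above (Loop1 feeds the message bits, Loop2 flushes 16 zero bits), shows that they produce the same value as the plain CRC-16/XMODEM (poly 0x1021, init 0, no reflection), and scans the 100 entry slots the same way the assembly does. The layout constants (0x1F1E0 file size, CRC at 0x1F1DE, RNOD header, 74-byte entries, system ID at entry offset 0x1C) are taken or derived from the assembly; the name field at entry offset 0x02 (UTF-16BE) is my assumption from the general RFL Mii layout and is not stated in the post, and the sample database is constructed, not a real dump.

```python
import struct

# Layout constants taken from the assembly in the post above.
DB_SIZE = 0x1F1E0         # r29 = 0x0001F1E0, the size of RFL_DB.dat
CRC_OFFSET = DB_SIZE - 2  # 0x1F1DE: big-endian CRC-16 over everything before it
HEADER = b"RNOD"          # 4-byte header the slot scan skips
ENTRIES_START = 4
ENTRY_SIZE = 74           # 37 halfwords per Mii entry
MAX_MIIS = 100
SYSTEM_ID_OFFSET = 0x1C   # derived: r11 ends at entry+72, so the stw at -0x2C lands at entry+0x1C
NAME_OFFSET = 0x02        # ASSUMPTION from the common RFL Mii layout (UTF-16BE, 10 chars); not in the post


def crc16_bitwise(data):
    """Transcription of Loop1/Loop2: poly 0x1021, init 0, message bits MSB-first,
    then 16 zero bits shifted through the register (the 'augmented' form)."""
    crc = 0
    for byte in data:
        for shift in range(7, -1, -1):           # r10 counts 7 down to 0
            bit = (byte >> shift) & 1
            feedback = 0x1021 if crc & 0x8000 else 0
            crc = (((crc << 1) | bit) ^ feedback) & 0xFFFF
    for _ in range(16):                          # Loop2: flush the register
        feedback = 0x1021 if crc & 0x8000 else 0
        crc = ((crc << 1) ^ feedback) & 0xFFFF
    return crc


def crc16_xmodem(data):
    """Direct (non-augmented) form of the same CRC, i.e. CRC-16/XMODEM; identical result with init 0."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def stored_crc(db):
    return struct.unpack_from(">H", db, CRC_OFFSET)[0]


def verify_db(db):
    """True when the dump has the expected size, header and a checksum that matches its contents."""
    if len(db) != DB_SIZE or db[:4] != HEADER:
        return False
    return crc16_xmodem(db[:CRC_OFFSET]) == stored_crc(db)


def occupied_slots(db):
    """Slots the code would treat as used: the entry's first word is non-zero."""
    used = []
    for slot in range(MAX_MIIS):
        off = ENTRIES_START + slot * ENTRY_SIZE
        if struct.unpack_from(">I", db, off)[0] != 0:
            used.append(slot)
    return used


def entry_system_id(db, slot):
    """4-byte creator/system ID of a slot, the field the code overwrites on a copied Mii."""
    off = ENTRIES_START + slot * ENTRY_SIZE + SYSTEM_ID_OFFSET
    return struct.unpack_from(">I", db, off)[0]


def entry_name(db, slot):
    off = ENTRIES_START + slot * ENTRY_SIZE + NAME_OFFSET
    return db[off:off + 20].decode("utf-16-be").rstrip("\x00")


def build_sample_db(names, system_id=0x11223344):
    """Constructed sample (not a real dump): header, one entry per name, valid trailing CRC."""
    db = bytearray(DB_SIZE)
    db[:4] = HEADER
    for slot, name in enumerate(names):
        off = ENTRIES_START + slot * ENTRY_SIZE
        struct.pack_into(">H", db, off, 0x4000)  # constructed non-zero flags so the slot reads as occupied
        db[off + NAME_OFFSET:off + NAME_OFFSET + 20] = name.encode("utf-16-be").ljust(20, b"\x00")
        struct.pack_into(">I", db, off + SYSTEM_ID_OFFSET, system_id)  # placeholder ID, constructed
    struct.pack_into(">H", db, CRC_OFFSET, crc16_xmodem(bytes(db[:CRC_OFFSET])))
    return bytes(db)


if __name__ == "__main__":
    import sys
    db = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_db(["Alice", "Bob"])
    print("checksum ok:", verify_db(db), "stored=%04X" % stored_crc(db))
    for slot in occupied_slots(db):
        print("slot %3d  system id %08X" % (slot, entry_system_id(db, slot)))
```

Run it with the path of a dumped RFL_DB.dat to see whether the stored checksum matches the contents and which slots are occupied; comparing a dump taken before the code runs with one taken afterwards confirms that only the expected slot and the trailing checksum changed, which is the quickest way to spot a corrupted database before restoring it to the console.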
#2
Bump:

Totally forgot about this ancient code and came across it when browsing the forums the other day.

So I added some updates:

- Adds Mii to Channel instead of replacing Mii Slot 0
- Can edit stolen Miis
- Much needed code optimization
