How to Make your own Cheat Codes
#71
(Yesterday, 08:01 PM)Vega Wrote: So it appears there are two responsible instructions (funcs) that write the character slot during character selection. Which is not too big of an issue. More code testing would need to be done to know which hook is best. 

Do you mean "li r3, 0" and "blr"?

(Yesterday, 08:01 PM)Vega Wrote: You cannot hook my code's source using the address you've found for numerous reasons:

Reason 1: I used a slightly diff hook than what the game actually "broke" on when I've made the code (memory breakpoint to get hook address). I explained this back in post #52 https://mariokartwii.com/showthread.php?...6#pid10656

Code:
The current hook address I didn't like because registers such as r11 weren't safe for use (which is very rare). So I needed to find a better hook address nearby.

The current hook address is within what is known as a Function.

When you get more advanced, you will learn about Function Calls -> https://mariokartwii.com/showthread.php?tid=1052

In a nutshell, my hook address was in a small, small function, one without a prologue or epilogue. So it's easy to know mostly what is going on in this function (from a higher-level programming standpoint).

Anyway, if you scroll down a bit, the final instructions of the function are....

Address | Instruction
815b5268 | li r3, 0
815b526C | blr

Basically the function places a zero in r3 and uses the blr to return to its Parent function. It's telling the Parent function, "hey everything is good to go, keep doing what we need to do"

So anyway, this is a good hook address. At the end of functions (epilogues), registers r4 thru r12 are safe.

Same exact issue with your hook address, it's not ideal because scratch registers that are usually safe are not safe (i.e. r11)

Reason 2: Because of reason 1, r11 isn't safe (along with r10) so the code is gonna botch anyway even if it's "coded right" because the source uses r11 and r10

Reason 3: You're using my default instruction for your address which won't work since the two default instructions are completely different. This also leads to you *not* including YOUR default instruction (stb r5, 0x498 (r3))

---

r27 at your hook address does appear to be the same type of constant pointer that we can use to reference the slot 0's packet (and the other slot packets)

r27 + 0x496 = slot 0's character "packet"
r27 + 0x498 = slot 0's character byte within packet
Each packet in memory separated by 0x28 bytes
r27 + 0x496 + 0x28 = slot 1's packet
r27 + 0x496 + 0x28 + 0x28 = slot 2's packet
etc etc...

Whatever game function you are currently hooked to (default instruction) appears to be a similar function to my default instruction. I can see that at 0x815B59e8 on your screenshot is li r3,0 then the instruction afterwards is blr (even though I can't see it).

Most of what I've explained won't make sense to you. It will once you become more advanced in PPC, and learn about Functions. Plus with just general experience, you will learn/know certain "tricks" and what not.

My question was more about why we have the exact same instructions but our addresses are completely different even though we are using the same region of the game.

(Yesterday, 08:01 PM)Vega Wrote: With all that being said, we simply change the Hook address to 0x815B59e8, and it should work as long as those character values you filled in are valid.

C35B59E8 00000008
7D8802A6 4800000D
030E0F03 0E0F0000
7D6802A6 396BFFFF
38600006 395B0470
7C6903A6 8C0B0001
9C0A0028 4200FFF8
7D8803A6 38600000
60000000 00000000

What I wanted to know was why that code only works for me in Dolphin but not on the Wii (it freezes when I select any character).
#72
To your first question: No I'm talking about your hook instruction vs mine

To your second question: We do have the same game, it's just for whatever reason, the game is using a diff func for setting slots in the character selection hence why you have a diff hook address after your Mem BP hit. This isn't a huge issue, in fact it's pretty normal to stumble across incidents like this.

To your last question: It does crash on Dolphin, it's just that Dolphin has certain exceptions bypassed by default (which shouldn't be configured in my opinion). You can change this setting btw to more accurately replicate real hardware
#73
(6 hours ago)Vega Wrote: To your first question: No I'm talking about your hook instruction vs mine

Okay, I understand, but... why do you say "More code testing would need to be done to know which hook is best" when in your case and in mine it's the exact same hook instruction?

stb r5, 0x0498 (r3)

(6 hours ago)Vega Wrote: To your second question: We do have the same game, it's just for whatever reason, the game is using a diff func for setting slots in the character selection hence why you have a diff hook address after your Mem BP hit. This isn't a huge issue, in fact it's pretty normal to stumble across incidents like this.

Isn't there a way to fix that? Does that guarantee that my code will always work regardless of the site where I download the games?

(6 hours ago)Vega Wrote: To your last question: It does crash on Dolphin, it's just that Dolphin has certain exceptions bypassed by default (which shouldn't be configured in my opinion). You can change this setting btw to more accurately replicate real hardware

Yes, in fact, I notice that when I press the + button (in Dolphin), which is basically used to change the character's costume or color palette, I get this error:

"Invalid write to 0x000084b4, PC = 0x80002370"

I actually notice that depending on the character's slot, the "Invalid write to 0x00" varies considerably:

Slot 0: "Invalid write to 0x000084a9, PC = 0x80002370"
Slot 1: "Invalid write to 0x000084a9, PC = 0x80002370"

Slot 2: "Invalid write to 0x000084b4, PC = 0x80002370"
Slot 3: "Invalid write to 0x000084b4, PC = 0x80002370"

Slot 4: "Invalid write to 0x000084a9, PC = 0x80002370"
Slot 5: "Invalid write to 0x000084b7, PC = 0x80002370"

I don't know if this has anything to do with it.

But anyway, what could I do to fix the error so it doesn't crash on the Wii?
#74
(1 hour ago)LightKingdom666 Wrote: Okay, I understand, but... why do you say "More code testing would need to be done to know which hook is best" when in your case and in mine it's the exact same hook instruction?

stb r5, 0x0498 (r3)

Yes they are the same instructions but this instruction is at two diff hooks (locations/functions). As mentioned earlier, the game uses 2 (or more) funcs that involve a store instruction (i.e. the stb) to write the slot to the character packet in memory. Now why did you end up finding a different hook/func than me? It means under certain circumstances, "your" func is used by the game at times instead of "mine". Figuring out exactly why would require more analysis. Which one to use? Not sure, but in similar situations you may need to use both codes. Meaning you would use both C3 codes when running the game.

It's crucial that you understand how C2/C3 codes actually work.

1. The Code Handler places a backwards branch at the hook address (i.e. 0x815B59E8) replacing w/e instruction was originally there (i.e. default instruction, this is why C2/C3 codes need their default instruction in the source)
2. The backwards branch goes to where the rest of your code is located (determined automatically by the Code Handler, around 0x80002XXX memory)
3. The "00000000" final part of a C2/C3 code tells the code handler to use a forward branch (exact branch auto calc'd by Code Handler).
4. Once code has completed, forward branch goes to hook address + 4 (0x815B59EC)

If the game doesn't execute the hook address, it means the code won't get executed.

(1 hour ago)LightKingdom666 Wrote: Isn't there a way to fix that? Does that guarantee that my code will always work regardless of the site where I download the games?

It just means we need to find a better hook, or it's the case where you need both C3 codes in your GCT/Cheat-Manager to ensure the character selection mods occur 100% of the time. It has nothing to do with what site you got the game from.

(1 hour ago)LightKingdom666 Wrote: But anyway, what could I do to fix the error so it doesn't crash on the Wii?

Your current code simply won't work for the reasons I've mentioned in my previous posts.

Did you try the code I've created using your Hook?

C35B59E8 00000008
7D8802A6 4800000D
030E0F03 0E0F0000
7D6802A6 396BFFFF
38600006 395B0470
7C6903A6 8C0B0001
9C0A0028 4200FFF8
7D8803A6 38600000
60000000 00000000

Btw if nothing happens (as if code doesn't exist), that means the game probably used my hook/func. Meaning you would need both codes applied.

Here's mine if you need it
C35B5268 00000008
7D8802A6 4800000D
RRTTVVXX YYZZ0000
7D6802A6 396BFFFF
38600006 395B0470
7C6903A6 8C0B0001
9C0A0028 4200FFF8
7D8803A6 38600000
60000000 00000000
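As an added example (not code from the thread or from Vega), here is a small Python decoder for the C3 code posted in #74: it checks the C2/C3 header and line count, recovers the hook address, pulls the character bytes the `bl` skips over, and simulates the `lbzu`/`stbu`/`bdnz` loop to show why the first store lands on slot 0's character byte at r27 + 0x498 and the later slots follow 0x28 bytes apart. It assumes the Gecko rule that the hook address is 0x80000000 plus the low 25 bits of the first word; the r27 value and memory image are constructed sample values, not real Wii addresses.

```python
# Added example (not from the thread): decode the C3 Insert-ASM code above and simulate its
# store loop on a constructed memory image, to show the slot-0 byte at r27 + 0x498.
C3_CODE = """
C35B59E8 00000008
7D8802A6 4800000D
030E0F03 0E0F0000
7D6802A6 396BFFFF
38600006 395B0470
7C6903A6 8C0B0001
9C0A0028 4200FFF8
7D8803A6 38600000
60000000 00000000
"""

def dform(word):
    # Split a PowerPC D-form word into (opcode, rD/rS, rA, signed 16-bit displacement).
    imm = word & 0xFFFF
    return word >> 26, (word >> 21) & 0x1F, (word >> 16) & 0x1F, imm - (0x10000 if imm & 0x8000 else 0)

def parse_c3(text):
    # Check the C2/C3 header, the line count and the 00000000 terminator; return (hook, body).
    words = [int(w, 16) for w in text.split()]
    if words[0] >> 24 not in (0xC2, 0xC3) or len(words) != 2 + 2 * words[1] or words[-1] != 0:
        raise ValueError("not a well-formed C2/C3 Insert ASM code")
    return 0x80000000 + (words[0] & 0x01FFFFFF), words[2:]  # assumed Gecko rule: C3 -> 0x81xxxxxx

def run_store_loop(body, r27, mem):
    # Simulate bl-over-data, the li/addi setup and the lbzu/stbu/bdnz loop; return the stores.
    bl_idx = next(i for i, w in enumerate(body) if w >> 26 == 18 and w & 1)
    n_data = (body[bl_idx] & 0x03FFFFFC) // 4 - 1      # bl +0xC skips two data words
    data = b"".join(w.to_bytes(4, "big") for w in body[bl_idx + 1:bl_idx + 1 + n_data])
    count = base = stride = None
    for w in body[bl_idx + 1 + n_data:]:
        op, rd, ra, d = dform(w)
        if op == 16:                              # bdnz: setup is over (default li r3,0 comes later)
            break
        if op == 14 and ra == 0 and rd == 3:      # li r3, 6 -> mtctr r3 loop count
            count = d
        elif op == 14 and ra == 27:               # addi r10, r27, 0x470
            base = r27 + d
        elif op == 39:                            # stbu r0, 0x28(r10): one packet per iteration
            stride = d
    stores = []
    for i in range(count):                        # lbzu r0, 1(r11) then stbu r0, 0x28(r10)
        base += stride
        mem[base] = data[i]
        stores.append((base, data[i]))
    return stores
```

Running `parse_c3(C3_CODE)` gives the hook 0x815B59E8, and `run_store_loop` with a constructed r27 of 0x1000 writes 03, 0E, 0F, 03, 0E, 0F to 0x1498, 0x14C0, ... (slot 0 through slot 5), matching the packet layout described in #71.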