Homebrew Assembly Code and IDA Pro [3DS Cheat Code]

[David13]

Hello everyone,
I would like to know how to create ARM codes, use IDA Pro, etc.
Could you guide me, please?
Because on the internet, he has very few FORUM or others talking about it.
Thank you ! ! !
(Personally I found that : )

 

[FAST6191]

Computers don't understand human language, and most programmers don't understand or care to use the things a given computer might speak (it will vary from processor and processor type, and be made more complicated by whatever hardware the device maker hangs off it).

http://lioncash.github.io/ARMBook/about_the_3ds.html says ARM11 MPCore so we go find the manual for it, fortunately it is ARM so they have freely available ones (some processors won't).
http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0360f/index.html

I would say the 3ds is a bit of a jumping in at the deep end thing if you are going in without knowing anything, however if it is what motivates you then so be it and you can learn well enough with it.

The classic first cheat is to turn a RAM cheat into an assembly one.

Infinite lives in mario being the classic thought exercise.
So you have the RAM location of the lives from a standard cheat search (or someone else's standard cheat search that gave you the cheat).
You now either disassemble the binary and search (not optimal) or set a breakpoint in a debugger for the location the cheat gives you. IDA is a bit of a hybrid of the two worlds there, though at its base it is a disassembler. It can be attached to certain programs or hardware and be fed information (GDB is another such thing you might have seen in emulators over the years)
For the breakpoint thing you will probably want a break on write (often termed bpw but it will probably vary between your debuggers). When something attempts to write to that location (mainly because you went and touched an enemy in the game) the emulator/device/whatever will freeze and say this instruction tried to write to the location you said to watch.
You would then change this instruction (which would likely be a sub(tract) of some form) into something that does nothing, sets it to a certain value, adds something maybe...

Of course you then run into the first problem in that. Enemies cause death, but so do poison mushrooms, getting crushed, pits, hazards, running out of time so while it might be one value in memory there will likely be a whole bunch of things looking to reach out and touch it. Some then come the other way and do what the classic cheat devices do and every vblank (a period in the operation of most systems with a screen, fixed time apart in normal operation) will set the value they care about to a set number.

That is just basic cheats. More advanced stuff might see you have to jump to another area where you have a longer section of code to do things based upon inputs, as a kind of random thing, do a longer chain of operations...

 

[David13]

Thank you for your answer @FAST6191
And What the fuck xD

 

[FAST6191]

Don't be put off at the ARM documentation. The initial instructions to do most tasks people do are small and mostly obvious. Were it an older console like the GBA or something I would have had http://www.coranac.com/tonc/text/asm.htm and a whole bunch more to link up, however I am less familiar with 3ds homebrew and cheat making guides out there in the world (and frankly there are not as many as homebrew never took off that well with such things).

Generally there are three types of instructions here.

1) Basic housekeeping. This is the mov stuff to copy registers around or put numbers in them, the memory reading/writing stuff, setting flags and so forth.
2) The arithmetic and (Boolean) operations. The sorts of things your intro to electronics type classes will teach, save perhaps the shifting stuff which is still important here (ARM processors like their shifting).
3) The conditional stuff. The compares followed by if not even or if matching..., simple jumps,

Speaking of basic electronics I find the everything is adding notion helpful to some -- adding is adding, multiplication is a long form of adding, subtraction is just a different type of adding... and probably the how to build any gate and thus any function out of NAND gates thing that those learning logic gates will encounter.

All the fancy instructions you might see in that, or other processors you might end up playing with, serves a purpose but tends to be for specific things or for manipulating a lot of data in a specific way (commonly for video and audio but not always). For initial cheat making stuff it is mostly going to be about fiddling with simple variables, maybe adding a short extra sequence (the shifts thing from earlier is a quick way to multiply by 2,4,8,16..., much like decimal numbers add zero to the end, or indeed shift the decimal place, to multiply or divide by 10 -- now you know why experience/money/rewards multipliers are typically that arrangement).

 

[David13]

Don't be put off at the ARM documentation. The initial instructions to do most tasks people do are small and mostly obvious. Were it an older console like the GBA or something I would have had http://www.coranac.com/tonc/text/asm.htm and a whole bunch more to link up, however I am less familiar with 3ds homebrew and cheat making guides out there in the world (and frankly there are not as many as homebrew never took off that well with such things).

Generally there are three types of instructions here.

1) Basic housekeeping. This is the mov stuff to copy registers around or put numbers in them, the memory reading/writing stuff, setting flags and so forth.
2) The arithmetic and (Boolean) operations. The sorts of things your intro to electronics type classes will teach, save perhaps the shifting stuff which is still important here (ARM processors like their shifting).
3) The conditional stuff. The compares followed by if not even or if matching..., simple jumps,

Speaking of basic electronics I find the everything is adding notion helpful to some -- adding is adding, multiplication is a long form of adding, subtraction is just a different type of adding... and probably the how to build any gate and thus any function out of NAND gates thing that those learning logic gates will encounter.

All the fancy instructions you might see in that, or other processors you might end up playing with, serves a purpose but tends to be for specific things or for manipulating a lot of data in a specific way (commonly for video and audio but not always). For initial cheat making stuff it is mostly going to be about fiddling with simple variables, maybe adding a short extra sequence (the shifts thing from earlier is a quick way to multiply by 2,4,8,16..., much like decimal numbers add zero to the end, or indeed shift the decimal place, to multiply or divide by 10 -- now you know why experience/money/rewards multipliers are typically that arrangement).

                         ,-------.                 /
                       ,'         `.           ,--'
                     ,'             `.      ,-;--        _.-
               pow! /                 \ ---;-'  _.=.---''
  +-------------+  ;    X        X     ---=-----'' _.-------
  |    -----    |--|                   \-----=---:i-
  +XX|'i:''''''''  :                   ;`--._ ''---':----
  /X+-)             \   \         /   /      ''--._  `-
 .XXX|)              `.  `.     ,'  ,'             ''---.
   X\/)                `.  '---'  ,'                     `-
     \                   `---+---'
      \                      |
       \.                    |
         `-------------------+

You say a lot of important and interesting things but I do not really understand them xD
You could create an example please.
For example: you have got the address of the points of life of mario with CTRPF
After you connect with the IDA debugger.
You enter the address, in the IDA-viewer
Then what to do, how to choose the right address, what value must we replace so that our character is invincible

 

[FAST6191]

Connecting IDA debugger? Didn't know there was an emulator or plugin for it, though I suppose there should be such things (all those cheat making programs like artmoney, emuhaste and such like work off similar principles).
Most people probably start out with a debugging emulator but I am not familiar with the 3ds offerings, if any actually exist, to speak on that one. It is mostly the same general concept from system to system though.

Anyway the debugger should be able to stop the emulator when it reaches an instruction that either writes to or reads the area. There are usually a bunch of such features but in this case the read breakpoint/break on read or similar will be what you want. If you have the location from your normal memory editing style cheat then set the break (or possibly log if you want to go that way) for writing to that location.
You would then proceed to die in the game to make it lose a life (similar process to how you would find the cheat in the first place).
The debugger should tell you what instruction fiddled with that memory area and the dozen or so instructions that led up to that point (or if you have the binary there you can read back up from that location).

What you do there will vary -- you have any number of options as an assembly hacker which is part of the fun. Generally though you will try to understand what the instructions leading up to that point do for the game (not so important for infinite lives where there is probably just a single subtract instruction you want to edit here but if you are doing a drop rate alteration it is then more important to know*. Once you understand what the game is doing it is usually easy to tell it to skip a given instruction or otherwise change what it thinks it should be doing such that you have made a cheat. You can't normally just press delete as that makes everything after it be in the wrong location. Not all processors have a dedicated skip/do nothing command (usually called a NOP, short for No-OPeration) so people invent their own like mov r1,r1 which copies the contents of r1 into r1 and thus does nothing. Your assembler might have such a thing for you as a kind of virtual instruction if it is nice.
I should note at this point if you are playing with infinite time cheats that some games make use of the time and will only trigger certain events at certain points, assembly hacking allows you to do things like doing a certain action refills the time rather than just holding it still.


*for stuff like drop rates you ideally will want to be able to make something like https://www.dragonflycave.com/mechanics/gen-i-capturing as you will understand how it works here. Most processors though will inevitably break it all down into very small steps so it is not like you need to stare at some assembly and be able to form an equation like those on that link, and you might still have some blanks or unknown parts if certain weapons (or status effects in the case of pokemon there) have effects not all weapons have. You might get lucky and see a way to force the probability to 100% or something but not all things will so go in expecting to have to decode it all and understand its equations.

 

[David13]

Connecting IDA debugger? Didn't know there was an emulator or plugin for it, though I suppose there should be such things (all those cheat making programs like artmoney, emuhaste and such like work off similar principles).
Most people probably start out with a debugging emulator but I am not familiar with the 3ds offerings, if any actually exist, to speak on that one. It is mostly the same general concept from system to system though.

Anyway the debugger should be able to stop the emulator when it reaches an instruction that either writes to or reads the area. There are usually a bunch of such features but in this case the read breakpoint/break on read or similar will be what you want. If you have the location from your normal memory editing style cheat then set the break (or possibly log if you want to go that way) for writing to that location.
You would then proceed to die in the game to make it lose a life (similar process to how you would find the cheat in the first place).
The debugger should tell you what instruction fiddled with that memory area and the dozen or so instructions that led up to that point (or if you have the binary there you can read back up from that location).

What you do there will vary -- you have any number of options as an assembly hacker which is part of the fun. Generally though you will try to understand what the instructions leading up to that point do for the game (not so important for infinite lives where there is probably just a single subtract instruction you want to edit here but if you are doing a drop rate alteration it is then more important to know*. Once you understand what the game is doing it is usually easy to tell it to skip a given instruction or otherwise change what it thinks it should be doing such that you have made a cheat. You can't normally just press delete as that makes everything after it be in the wrong location. Not all processors have a dedicated skip/do nothing command (usually called a NOP, short for No-OPeration) so people invent their own like mov r1,r1 which copies the contents of r1 into r1 and thus does nothing. Your assembler might have such a thing for you as a kind of virtual instruction if it is nice.
I should note at this point if you are playing with infinite time cheats that some games make use of the time and will only trigger certain events at certain points, assembly hacking allows you to do things like doing a certain action refills the time rather than just holding it still.


*for stuff like drop rates you ideally will want to be able to make something like https://www.dragonflycave.com/mechanics/gen-i-capturing as you will understand how it works here. Most processors though will inevitably break it all down into very small steps so it is not like you need to stare at some assembly and be able to form an equation like those on that link, and you might still have some blanks or unknown parts if certain weapons (or status effects in the case of pokemon there) have effects not all weapons have. You might get lucky and see a way to force the probability to 100% or something but not all things will so go in expecting to have to decode it all and understand its equations.

 ___________________    . , ; .
(___________________|~~~~~X.;' .
                      ' `" ' `
            TNT
     _.-^^---....,,--       
 _--                  --_ 
<                        >)
|                         |
 \._                   _./ 
    ```--. . , ; .--'''       
          | |   |             
       .-=||  | |=-.   
       `-=#$%&%$#=-'   
          | ;  :|     
 _____.,-#%&$@%#&#~,._____

To tell the truth, I am even more lost.
You could create an example, please.
How would you go about creating Mario's infinite life code?

 

[FAST6191]

I have not got a decent 3ds setup anywhere around here to do a blow by blow, and I am not sure it would help much other than to follow the exact same steps. I have a worked example for the GBA in https://gbatemp.net/threads/gbatemp-rom-hacking-documentation-project-new-2016-edition-out.73394/ if you really wanted.

Anyway are you familiar with basic RAM cheat making?

You will get an emulator cheat search (or a program that works with memory dumps).
It will give you a bunch of options to compare to the contents of memory at the last dump. Greater that, less than, same as, different to, equal to this, within this range... to use as you will.
Your first job would be to find where the lives value is kept. You can try direct numbers if you like (do remember games use hex and the search might not) but I tend to find it easier to do greater than/less than and difference searches. If you had say a life bar, time bar... instead with no direct numbers you would be doing the greater than/less than stuff anyway.
So you are in the game. Start the search thing. Now you would lose a life (jump in a pit, hit an enemy...) and do a search for something either less than or different to the starting point. Lose another life, do another search. Lose another life, do another search. During all this then things that did not change in the right way will be dropped from the list. If fewer and fewer results are being dropped each time but the list is still too big it can be helpful to mix it up and just let the game run for a bit, do as little as you possibly can (don't die though) and then do a search for things that remained the same.
Eventually you will find where the game stores its lives counter.

Here you can make the classic action replay/gameshark/codebreaker/whatever code with this address you found for the lives counter.

For something like this most are happy enough with that but there are people that can run ROMs but can't use cheats so you can go a step further and edit the ROM.
Not all emulators will have debugging tools but there are usually ones made you can use.

This debugger will have a feature called breakpoints. They break (as in stop -- see the button on your keyboard probably near print screen and scroll lock) the game at a given point that you tell it to. Here you would take the location you found in the simple cheating finding thing above and tell the breakpoint that if anything writes to that location to stop the game and tell me what is happening then.
So you have set the breakpoint and now play the game. Presumably you would die or gain a life and the debugger would stop everything and say something just reached out and touched that area you said to watch. This is what it was doing and this is what happened just before it did.
This what did the deed and what happened before is what you would study to figure out what it is doing. If you went to the location in a disassembler (another tool that is part of debugging, your emulator might even have one inbuilt but IDA is one if not) you would also be able to see what happens next. In an emulator you could also do something called next instruction so you can advance one instruction at a time and see what happens after that.
This figuring out what it is doing will require you to understand at least some of the so called assembly instructions. In practice most assembly instructions are simplistic things that do a very small task, but line up enough of them and you have computing that is useful for people. Even the more complicated instructions are usually just simple maths, but done on a lot of things at once.

Basic ideas of how games work will tell you it probably goes something like this
If [player dies] then do this
Read lives value
subtract one from lives value
check if player now has zero (or negative) lives
if zero (or negative) then goto game over
else write back the value
return to checkpoint/level start

Writing it at a higher level like that is easy but in reality most simple handheld devices (of which ARM devices, and thus Nintendo, does tend to go in for) will mean each step has to be broken down into smaller steps than even that. You need not understand the full nuances of all of those (at least not at first) and you can probably figure out that the subtract one part is all you really need to fiddle with to stop lives from being an issue. Most would tell it to do nothing (the NOP thing covered before) or add a number instead (change the sub to add sort of thing).
You could go further and bypass the whole thing, for other things that might even do better (if you are doing it for health you might also be able to make it ignore any knockback effects at the same time if you go back enough), but if you only have a simple goal then go with that. Go back far enough and you might even be able to find where it detects you touched an enemy and tell it to ignore that -- not only infinite lives but walk through/intro enemies as well.

You might find yourself with a bit of a problem for this -- such a thing is probably not big enough to warrant a real function (programmers use functions to do complicated tasks they have to do a lot in a given program rather than write out the same thing each time). To that end death or losing lives happens in multiple ways and each of those might have their own thing that plays with the lives counter. It is not a problem for the simple cheat thing from before as all that does is hold the one location storing the lives at a fixed value. Some like this as it means you don't have infinite lives but instead can make it so that jumping in a pit gives you a one up but enemies, time, hazards other than pits... all still lose lives.
If you wanted to have infinite lives though then you would either have to find the other things that play with that memory area and sort those. Or you could do what the cheat stuff from the start is doing if it were in hardware and add a small instruction that runs all the time (most use something called a vblank, which is a hardware forced routine that runs every time the screen redraws (so 60 times a second for most things) that constantly writes to the area so it always refreshes. The latter is not without its downsides -- I always remember Goldeneye on the N64. I made a health cheat but the explosions caused so much damage that you would die before it had a chance to refill the health -- normal bullets would not bother you but explosions still could as they did so much. Enough of this detour though.

 

[David13]

I have not got a decent 3ds setup anywhere around here to do a blow by blow, and I am not sure it would help much other than to follow the exact same steps. I have a worked example for the GBA in https://gbatemp.net/threads/gbatemp-rom-hacking-documentation-project-new-2016-edition-out.73394/ if you really wanted.

Anyway are you familiar with basic RAM cheat making?

You will get an emulator cheat search (or a program that works with memory dumps).
It will give you a bunch of options to compare to the contents of memory at the last dump. Greater that, less than, same as, different to, equal to this, within this range... to use as you will.
Your first job would be to find where the lives value is kept. You can try direct numbers if you like (do remember games use hex and the search might not) but I tend to find it easier to do greater than/less than and difference searches. If you had say a life bar, time bar... instead with no direct numbers you would be doing the greater than/less than stuff anyway.
So you are in the game. Start the search thing. Now you would lose a life (jump in a pit, hit an enemy...) and do a search for something either less than or different to the starting point. Lose another life, do another search. Lose another life, do another search. During all this then things that did not change in the right way will be dropped from the list. If fewer and fewer results are being dropped each time but the list is still too big it can be helpful to mix it up and just let the game run for a bit, do as little as you possibly can (don't die though) and then do a search for things that remained the same.
Eventually you will find where the game stores its lives counter.

Here you can make the classic action replay/gameshark/codebreaker/whatever code with this address you found for the lives counter.

For something like this most are happy enough with that but there are people that can run ROMs but can't use cheats so you can go a step further and edit the ROM.
Not all emulators will have debugging tools but there are usually ones made you can use.

This debugger will have a feature called breakpoints. They break (as in stop -- see the button on your keyboard probably near print screen and scroll lock) the game at a given point that you tell it to. Here you would take the location you found in the simple cheating finding thing above and tell the breakpoint that if anything writes to that location to stop the game and tell me what is happening then.
So you have set the breakpoint and now play the game. Presumably you would die or gain a life and the debugger would stop everything and say something just reached out and touched that area you said to watch. This is what it was doing and this is what happened just before it did.
This what did the deed and what happened before is what you would study to figure out what it is doing. If you went to the location in a disassembler (another tool that is part of debugging, your emulator might even have one inbuilt but IDA is one if not) you would also be able to see what happens next. In an emulator you could also do something called next instruction so you can advance one instruction at a time and see what happens after that.
This figuring out what it is doing will require you to understand at least some of the so called assembly instructions. In practice most assembly instructions are simplistic things that do a very small task, but line up enough of them and you have computing that is useful for people. Even the more complicated instructions are usually just simple maths, but done on a lot of things at once.

Basic ideas of how games work will tell you it probably goes something like this
If [player dies] then do this
Read lives value
subtract one from lives value
check if player now has zero (or negative) lives
if zero (or negative) then goto game over
else write back the value
return to checkpoint/level start

Writing it at a higher level like that is easy but in reality most simple handheld devices (of which ARM devices, and thus Nintendo, does tend to go in for) will mean each step has to be broken down into smaller steps than even that. You need not understand the full nuances of all of those (at least not at first) and you can probably figure out that the subtract one part is all you really need to fiddle with to stop lives from being an issue. Most would tell it to do nothing (the NOP thing covered before) or add a number instead (change the sub to add sort of thing).
You could go further and bypass the whole thing, for other things that might even do better (if you are doing it for health you might also be able to make it ignore any knockback effects at the same time if you go back enough), but if you only have a simple goal then go with that. Go back far enough and you might even be able to find where it detects you touched an enemy and tell it to ignore that -- not only infinite lives but walk through/intro enemies as well.

You might find yourself with a bit of a problem for this -- such a thing is probably not big enough to warrant a real function (programmers use functions to do complicated tasks they have to do a lot in a given program rather than write out the same thing each time). To that end death or losing lives happens in multiple ways and each of those might have their own thing that plays with the lives counter. It is not a problem for the simple cheat thing from before as all that does is hold the one location storing the lives at a fixed value. Some like this as it means you don't have infinite lives but instead can make it so that jumping in a pit gives you a one up but enemies, time, hazards other than pits... all still lose lives.
If you wanted to have infinite lives though then you would either have to find the other things that play with that memory area and sort those. Or you could do what the cheat stuff from the start is doing if it were in hardware and add a small instruction that runs all the time (most use something called a vblank, which is a hardware forced routine that runs every time the screen redraws (so 60 times a second for most things) that constantly writes to the area so it always refreshes. The latter is not without its downsides -- I always remember Goldeneye on the N64. I made a health cheat but the explosions caused so much damage that you would die before it had a chance to refill the health -- normal bullets would not bother you but explosions still could as they did so much. Enough of this detour though.

OMG your hack level is so incredible xD
Personally I stopped myself at action Replay codes.
I think I'll have to reread at least 10 times your comment before understanding all you have just said.
In any case a big THANKS for your help