Difference between revisions of "Codebreaker (Nintendo DS)"

From Wiki - GameHacking.org
Revision as of 21:09, 15 June 2015

Code Breaker is a cheat device developed by Pelican Accessories, currently available for PlayStation, PlayStation 2, Dreamcast and Nintendo DS. Along with the competing product Action Replay, it is one of the few currently supported video game cheat devices. The original model of the Codebreaker was identical to the Gameshark in that it used codes to hack the game; it could use Gameshark codes as well as its own. It was well known for having a more user-friendly interface and design than the Gameshark.


Using CBDSCrypt

CBDSCrypt is a utility developed by kenobi. It can both encrypt and decrypt codes for the Codebreaker DS, and it can also create master codes. A ROM of the game the codes are for is required in order to use this application. To use the program, run it, then drag and drop the ROM image onto the program. Paste the codes to be encrypted or decrypted into the left text area and press the appropriate button ("encrypt" or "decrypt"); the resulting codes appear in the right text area.

Master codes can be generated by pressing the (M) button. The program uses two methods to generate potential master codes: Parasyte's method and kenobi's method. Parasyte's method entails finding the location of the following instruction sequence in both of the ARM executables:

   Inst   Operands             Comments
   ldr    r1, =intr_table      @ 0xE59F1008
   ldr    r0, [r1,r0,LSL#2]    @ 0xE7910100
   ldr    lr, =ret_loc         @ 0xE59FE004
   bx     r0                   @ 0xE12FFF10

The sequence might not be found in the ARM9 executable (it is often stored compressed), but it will always be in plain sight in the ARM7. All that is necessary is to hook that =ret_loc, which is always 2 words after that bx r0. It is done the same way as hooking any other pointer. This is also how Kwurdi's automatic hook search has functioned for the last two and a half years, and it hasn't failed yet.

Kenobi's method involves simulating the ARDS's automated (M) code finder. To start, search for the 32-bit value 0x0380FFF8, beginning at the start of the ARM7 executable. After this is found, search for the next 0x0380FFF8. From there, search backwards for the first bx r14 (0xE12FFF13). Subtract 4 from this address and then convert it to a RAM address: take the address, subtract the 32-bit value located at 0x30 in the ROM, then add the 32-bit value located at 0x38 in the ROM. The (M) code is F2[ram address] 023FC000.
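The search just described, written out as an added Python example (this is not CBDSCrypt's code or kenobi's). It assumes the scan runs on 4-byte boundaries, that 0x30 and 0x38 hold the NDS header's ARM7 ROM offset and ARM7 RAM address, and that "F2[ram address]" means the letter F followed by the 7 low hex digits of the hook address; the miniature ROM it runs on is constructed inline and is not a real game image.

```python
import struct

MARKER = 0x0380FFF8        # 32-bit value the ARDS (M) code finder scans for
BX_R14 = 0xE12FFF13        # ARM encoding of "bx r14"
CHEAT_ENGINE = 0x023FC000  # second word of the (M) code, as given on the page


def find_word(rom, value, start, step=4):
    """Scan aligned little-endian words from `start`; step=-4 scans backwards."""
    pos = start
    while 0 <= pos <= len(rom) - 4:
        if struct.unpack_from("<I", rom, pos)[0] == value:
            return pos
        pos += step
    raise ValueError("0x%08X not found" % value)


def rom_to_ram(rom, rom_offset):
    """ROM offset -> RAM address: subtract the word at 0x30, add the word at 0x38."""
    arm7_rom_offset = struct.unpack_from("<I", rom, 0x30)[0]
    arm7_ram_addr = struct.unpack_from("<I", rom, 0x38)[0]
    return rom_offset - arm7_rom_offset + arm7_ram_addr


def kenobi_master_code(rom):
    """Return the (M) code string for `rom` using the steps described on the page."""
    arm7_start = struct.unpack_from("<I", rom, 0x30)[0]
    first = find_word(rom, MARKER, arm7_start)      # first 0x0380FFF8 in the ARM7 binary
    second = find_word(rom, MARKER, first + 4)      # the following 0x0380FFF8
    bx = find_word(rom, BX_R14, second, step=-4)    # backwards from there to bx r14
    hook = rom_to_ram(rom, bx - 4)                  # address - 4, converted to RAM
    # Assumed layout: F + 7-digit hook address, then the cheat engine address.
    return "F%07X %08X" % (hook & 0x0FFFFFFF, CHEAT_ENGINE)


def build_sample_rom():
    """Constructed 1 KiB stand-in for a ROM (not a real game image)."""
    rom = bytearray(0x400)
    struct.pack_into("<I", rom, 0x30, 0x200)        # ARM7 ROM offset (constructed)
    struct.pack_into("<I", rom, 0x38, 0x02380000)   # ARM7 RAM address (constructed)
    # Two markers with a bx r14 between them, padded with "mov r0, r0" (0xE1A00000).
    words = [0xE1A00000, MARKER, 0xE1A00000, BX_R14, 0xE1A00000, 0xE1A00000, MARKER]
    struct.pack_into("<%dI" % len(words), rom, 0x240, *words)
    return bytes(rom)


if __name__ == "__main__":
    print(kenobi_master_code(build_sample_rom()))  # F2380048 023FC000
```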

   Codebreaker DS Code Types
   ---------------------------------------
   Auto Game Recognizer (Code Type 0x0000)
   ---------------------------------------
   0000YYYY XXXXXXXX
   YYYY = Game's Header CRC16
   XXXXXXXX = Game's Nintendo ID
   -------------------------------------
   8-Bit Constant Write (Code Type 0x00)
   -------------------------------------
   0XXXXXXX 000000YY
   00 = Code Type Or Byte
   XXXXXXX = Address
   YY = 8-bit Value
   --------------------------------------
   16-Bit Constant Write (Code Type 0x10)
   --------------------------------------
   1XXXXXXX 0000YYYY
   10 = Code Type Or Byte
   XXXXXXX = Address
   YYYY = 16-bit Value
   --------------------------------------
   32-Bit Constant Write (Code Type 0x20)
   --------------------------------------
   2XXXXXXX YYYYYYYY
   20 = Code Type Or Byte
   XXXXXXX = Address
   YYYYYYYY = 32-bit Value
   ---------------------------------------------
   8/16-Bit Increment/Decrement (Code Type 0x30)
   ---------------------------------------------
   3XXXXXXX 000UYYYY
   30 = Code Type Or Byte
   XXXXXXX = Address
   U = Bit-type Write, 0 for 8-bit and 1 for 16-bit
   YYYY = 8/16-bit Value to increment by
   NOTE: YYYY is signed so it can do the increment and decrement
   -------------------------------------------
   32-Bit Increment/Decrement (Code Type 0x38)
   -------------------------------------------
   3XXXXXXX YYYYYYYY
   38 = Code Type Or Byte
   XXXXXXX = Address
   YYYYYYYY = 8/16-bit Value to increment by
   NOTE: YYYYYYYY is signed so it can do the increment and decrement
   ---------------------------------------------
   Serial Repeat Constant Write (Code Type 0x40)
   ---------------------------------------------
   4XXXXXXX TWWWZZZZ
   YYYYYYYY VVVVVVVV
   40 = Code Type Or Byte
   XXXXXXX = Address
   T = Bit-type Write, 0 for 32-bit, 1 for 16-bit & 2 for 8-bit
   WWW = Number of times to repeat
   ZZZZ = Increase Address by (Multiply by data size (1 << (2-T)))
   YYYYYYYY = Start Value
   VVVVVVVV = Increase Value by
   Example: This code:
   42010000 00050001 <-- 0001 * 4 = 0004 to Increase Address by
   63636363 00000000
   Is the same as:
   22010000 63636363
   22010004 63636363
   22010008 63636363
   2201000C 63636363
   22010010 63636363
   ---------------------------
   Copy Bytes (Code Type 0x50)
   ---------------------------
   5XXXXXXX YYYYYYYY
   ZZZZZZZZ 00000000
   50 = Code Type Or Byte
   XXXXXXX = Address to copy to
   YYYYYYYY = Number of bytes to copy
   ZZZZZZZZ = Address to copy from
   -----------------------------
   Pointer Code (Code Type 0x60)
   -----------------------------
   6XXXXXXX YYYYYYYY
   BCTUVVVV ZZZZZZZZ
   60 = Code Type Or Byte
   XXXXXXX = Pointer Address
   YYYYYYYY = 8 / 16 Bit Value
   ZZZZZZZZ = Offset to add to the Pointer Address
   B = Bit-type Write, 0 for 8-bit, 1 for 16-bit & 2 for 32-bit
   C = Condition Enabled, 0 for disabled, 1 for enabled
   T = the Condition type to check against
       0 = If equal to VVVV
       1 = If not equal to VVVV
       2 = If less than VVVV
       3 = If greater than VVVV
       4 = If AND VVVV equal to 0000
       5 = If AND VVVV not equal to 0000
       6 = If AND VVVV equal to VVVV
       7 = If AND VVVV not equal to VVVV
   U = Bit-type Load, 0 for 8-bit and 1 for 16-bit
   VVVV = Conditional Value to check against
   -----------------------------------------------
   8/16-Bit Special Bitwise Write (Code Type 0x70)
   -----------------------------------------------
   7XXXXXXX 00TBYYYY
   70 = Code Type Or Byte
   XXXXXXX = Address
   T = Operation type, 0 for OR, 1 for AND, 2 for XOR
   B = Bit-type Write, 0 for 8-bit and 1 for 16-bit
   YYYY = 8/16-bit Value
   ----------------------------------------------
   32-Bit Write On Bootup-Hook 1 (Code Type 0xA0)
   ----------------------------------------------
   AXXXXXXX YYYYYYYY
   A0 = Code Type Or Byte
   XXXXXXX = Address
   YYYYYYYY = Value
   ----------------------------------------------
   32-Bit Write On Bootup-Hook 2 (Code Type 0xA8)
   ----------------------------------------------
   AXXXXXXX YYYYYYYY
   A8 = Code Type Or Byte
   XXXXXXX = Address
   YYYYYYYY = Value
   -------------------------------------------
   8/16-Bit Conditional Check (Code Type 0xD0)
   -------------------------------------------
   DXXXXXXX ZZTUYYYY
   D0 = Code Type Or Byte
   XXXXXXX = Address
   ZZ = Lines to skip, 00 means 01 by default
   T = the Condition type to check against
       0 = If equal to YYYY
       1 = If not equal to YYYY
       2 = If less than YYYY
       3 = If greater than YYYY
       4 = If AND YYYY equal to 0000
       5 = If AND YYYY not equal to 0000
       6 = If AND YYYY equal to YYYY
       7 = If AND YYYY not equal to YYYY
   U = Bit-type Load, 0 for 8-bit and 1 for 16-bit
   YYYY = Conditional Value to check against
   -----------------------------------
   Enable Code-Hook 1 (Code Type 0xF0)
   -----------------------------------
   FXXXXXXX TYYYYYYY
   F0 = Code Type Or Byte
   XXXXXXX = Hook Address
   T = Type of Hook to use
       0 = Hook almost any 2 opcodes, LDR PC =
       1 = Hook almost any BL opcode, BL function
       2 = Hook almost any .long address, DC.D ADDR; BX
       3 = Hook almost any BX Register opcode, BX Ry
   YYYYYYY = Cheat Engine Address
   -----------------------------------
   Enable Code-Hook 2 (Code Type 0xF8)
   -----------------------------------
   FXXXXXXX TPPPPPPP
   F8 = Code Type Or Byte
   XXXXXXX = Cheat Engine Hook Address
   T = Type of Hook to use
       0 = Hook almost any 2 opcodes, LDR PC =
       1 = Hook almost any BL opcode, BL function
       2 = Hook almost any .long address, DC.D ADDR; BX
       3 = Hook almost any BX Register opcode, BX Ry
   PPPPPPP = Parameters that will be used later
   Reprinted from GSCENTRAL
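An added Python example (not from the page, GSCENTRAL or CBDSCrypt) that decodes the Serial Repeat Constant Write (0x40) layout above and expands it into the equivalent 0x20/0x10/0x00 constant writes, reproducing the table's worked example and also the 16-bit and 8-bit variants of T. It assumes every code is a whole number of 8-hex-digit word pairs, and it only walks the two-line 0x50 and 0x60 codes so that their second line is not misread as a new code.

```python
def parse_codes(text):
    """Split 'XXXXXXXX YYYYYYYY' code lines into a flat list of 32-bit words."""
    return [int(w, 16) for line in text.splitlines() for w in line.split()]


def expand_serial(w1, w2, w3, w4):
    """Expand one 0x40 code (two lines, four words) into single constant writes."""
    if w1 >> 28 != 4:
        raise ValueError("not a Serial Repeat Constant Write")
    t = w2 >> 28                                 # T: 0 = 32-bit, 1 = 16-bit, 2 = 8-bit
    if t not in (0, 1, 2):
        raise ValueError("bad bit-type %d" % t)
    addr = w1 & 0x0FFFFFFF                       # XXXXXXX
    count = (w2 >> 16) & 0xFFF                   # WWW: number of times to repeat
    stride = (w2 & 0xFFFF) * (1 << (2 - t))      # ZZZZ multiplied by the data size
    mask = (1 << (32 >> t)) - 1                  # value width: 32, 16 or 8 bits
    ctype = 2 - t                                # equivalent write: 0x20, 0x10 or 0x00
    value, inc = w3, w4                          # YYYYYYYY start value, VVVVVVVV step
    return ["%08X %08X" % ((ctype << 28) | ((addr + i * stride) & 0x0FFFFFFF),
                           (value + i * inc) & mask)
            for i in range(count)]


def expand_code_list(text):
    """Rewrite a code list so every 0x40 code becomes its constant writes.

    Other codes pass through unchanged; 0x50 and 0x60 occupy two lines each.
    """
    words = parse_codes(text)
    out, i = [], 0
    while i < len(words):
        top = words[i] >> 28
        if top == 4:
            out.extend(expand_serial(*words[i:i + 4]))
            i += 4
        else:
            n = 4 if top in (5, 6) else 2
            out.extend("%08X %08X" % (words[j], words[j + 1]) for j in range(i, i + n, 2))
            i += n
    return out


# The worked example from the table above.
PAGE_EXAMPLE = "42010000 00050001\n63636363 00000000"

if __name__ == "__main__":
    print("\n".join(expand_code_list(PAGE_EXAMPLE)))
```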

External Links