--- NewSuperMarioBros hacking hint ---

Because NewSuperMarioBros is compressed, it cannot be analyzed easily.
Therefore, please use DeSmuME+hasteDS+ndsdis2. (Memory dump & disassemble)

*********** Attention ***********
I have only NewSuperMario (JAPAN Version).
Therefore, the addresses and values are different in other versions.

YOU "Can Mario strengthen?"
I   "He strengthens depending on your effort."

// Coin acquisition routine
:0201FE34 E59F103C ldr r1,[r15, #+0x3c] ;r15+0x3c=*(0201fe78)=#34122132(0x0208a994)
:0201FE38 E1A02104 mov r2,r4,lsl #0x2 ;r2=0(0x0)
:0201FE3C E7910104 ldr r0,[r1,+r4, lsl #0x2]
:0201FE40 E3500063 cmp r0,#0x63     <<< "cmp r0,#0x63" appears in only a few places.
:0201FE44 17910002 ldrne r0,[r1, +r2]
:0201FE48 12800001 addne r0,r0,#0x1
:0201FE4C 17810002 strne r0,[r1, +r2]
:0201FE50 1A000005 bne 0201FE6C

(hack 1UP routine) Coin get -> 1UP!
 0201FE50 1A000005 bne 0201FE6C
  ->
 0201FE50 E1A00000 nop(mov r0,r0)

2201FE50 E1A00000

Also, "ldr r1,[r15, #+0x3c]" loads 0x0208a994.
-> The number of coins is stored at address 0x0208a994.
-> 0208A994 is the hacking BaseAddress.

0208A944(-50h) Stock Item (00=Nothing 01=Mushroom 02=Flower 03=BlueShell 04=MiniMushroom 05=BigMushroom)
0208A97C(-18h) Mario x XX (BYTE)
0208A994(+00h) Coin (BYTE)
0208A99C(+08h) Score (WORD)

// Master code making
The "Master Code" cannot be made easily because the game is compressed.

STEP1: Hack LZO routine
:020008E4 EB01F49E bl 0207DB64
:020008E8 EB00109E bl 02004B68
:020008EC EB01FA7B bl 0207F2E0
:020008F0 E59F1020 ldr r1,[r15, #+0x20] ;r15+0x20=*(02000918)=#33566720(0x02003000)   << Mark point
:020008F4 E59FE020 ldr r14,[r15, #+0x20] ;r15+0x20=*(0200091c)=#-65536(0xffff0000)
:020008F8 E12FFF11 bx r1 (Jump to addr_02003000?)   << "bx r1" = The interrupt point.

(Hack: change "bx r1" -> "b 0237C000")
(237C000-20008F8)/4-2 = DEDC0 = EA0DEDC0

220008F8 EA0DEDC0

STEP2: Look for the key input routine.
:02043CF4 E59F1044 ldr r1,[r15, #+0x44] ;r15+0x44=*(02043d40)=#67109168(0x04000130)
:02043CF8 E59F0044 ldr r0,[r15, #+0x44] ;r15+0x44=*(02043d44)=#12287(0x00002fff)
:02043CFC E1D120B0 ldrh r2,[r1, #+0x0] ;r1+0xb0=*(040001e0)=#0(0x00000000)
:02043D00 E1D310B0 ldrh r1,[r3, #+0x0] ;r3+0xb0=*(02800058)=#0(0x00000000)
(--Omission--)
:02043D38 E12FFF1E bx r14 (Jump to addr_02043AA4?)

-> DipStar is called from address 02043D38.

STEP3: Examine the distance 02043D38->02002000.
(02002000-02043D38-8)/4 = FEF8B0 = EAFEF8B0
-> ":02043D38 EAFEF8B0 b 02002000"
Please make the routine at 0237C000.

STEP4: Write the hacking routine at 0237C000.
        stmdb r13!,{r0-r1}      ; save r0 and r1
        ldr r0,_KeyAddr         ; r0 = address of "bx r14" in the key input routine
        ldr r1,_HackParam       ; r1 = branch instruction word
        str r1,[r0]             ; overwrite "bx r14" with the branch
        ldmia r13!,{r0-r1}      ; restore r0 and r1
        bx r1                   ; continue to the original destination
_KeyAddr:   .long 0x02043D38    << "STEP2" Key input routine "bx r14" address.
_HackParam: .long 0xEAFEF8B0    << "STEP3" branch parameter.

A237C000 E92D0003
A237C004 E59F000C
A237C008 E59F100C
A237C00C E5801000
A237C010 E8BD0003
A237C014 E12FFF11
A237C018 02043D38   << Please correct it.
A237C01C EAFEF8B0   << Please correct it.

STEP5: Specify residing DipStar ahead.
C0000000 02002000
F237C020 E12FFF1E

Please match all the mastering codes.

@Master code TYPE2 (Fix crash bug)
A20008F8 EA0DEDC0   << Please correct it.
A237C000 E92D0003
A237C004 E59F000C
A237C008 E59F100C
A237C00C E5801000
A237C010 E8BD0003
A237C014 E12FFF11
A237C018 02043D38   << Please correct it.
A237C01C EAFEF8B0   << Please correct it.
C0000000 02002000
F237C020 E12FFF1E

Please make Mario strong. ;)
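
Added example (not part of the original hint): a Python check of the branch and r15-relative load arithmetic used in the coin routine, STEP1, STEP3 and STEP4, so the values marked "Please correct it." can be recomputed for other addresses. The function names are chosen for this example; it assumes ARM-state code, where r15 reads as the instruction address + 8.

```python
PC_AHEAD = 8  # assumption: ARM state, so r15 reads as instruction address + 8


def encode_b(src, dst, cond=0xE):
    """Encode an ARM 'b' placed at src that jumps to dst (cond 0xE = always)."""
    delta = dst - (src + PC_AHEAD)
    if delta % 4:
        raise ValueError("branch target must be word aligned")
    words = delta // 4
    if not -(1 << 23) <= words < (1 << 23):
        raise ValueError("target is outside the +/-32 MiB branch range")
    # A negative distance is stored as a 24-bit two's complement field.
    return (cond << 28) | 0x0A000000 | (words & 0xFFFFFF)


def decode_b(src, word):
    """Return the destination of a 'b'/'bl' instruction word located at src."""
    if (word & 0x0E000000) != 0x0A000000:
        raise ValueError("not a b/bl encoding")
    words = word & 0xFFFFFF
    if words & 0x800000:  # sign-extend the 24-bit offset field
        words -= 1 << 24
    return (src + PC_AHEAD + words * 4) & 0xFFFFFFFF


def ldr_literal_addr(src, word):
    """Return the address read by 'ldr rX,[r15,#imm]' located at src."""
    if (word & 0x0F7F0000) != 0x051F0000:
        raise ValueError("not an immediate-offset ldr based on r15")
    imm = word & 0xFFF
    return src + PC_AHEAD + (imm if word & 0x00800000 else -imm)


if __name__ == "__main__":
    # Addresses and words below are the ones quoted in the text (JAPAN version).
    print(f"{encode_b(0x020008F8, 0x0237C000):08X}")          # STEP1, over "bx r1"
    print(f"{encode_b(0x02043D38, 0x02002000):08X}")          # STEP3, over "bx r14"
    print(f"{decode_b(0x0201FE50, 0x1A000005):08X}")          # bne in coin routine
    print(f"{ldr_literal_addr(0x0201FE34, 0xE59F103C):08X}")  # coin pointer slot
    print(f"{ldr_literal_addr(0x0237C004, 0xE59F000C):08X}")  # _KeyAddr slot
    print(f"{ldr_literal_addr(0x0237C008, 0xE59F100C):08X}")  # _HackParam slot
```

The second call shows why STEP3 yields FEF8B0: the target lies below the source, so the word distance is negative and is masked to 24 bits.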