hit tracker

Gateway ARCode Cheat-Sheet

Discussion in 'Game Cheat Codes Discussion' started by xJam.es, Jan 25, 2016.

  1. 161
    32
    28
    xJam.es

    xJam.es Loyal Member

    Joined:
    Jan 21, 2016
    Location:
    England
    Want to understand more of the Gateway ARCode's? Have a look at the list below. This was originally posted on the now-closed dscoders website many years ago, unfortunately i do know now the authors' name. I have the modified it to fit with the current Gateway format.

    0 Type
    Format: 0XXXXXXX YYYYYYYY
    Description: 32bit write of YYYYYYYY to 0XXXXXXX.
    Simple: Makes the value at address 0XXXXXXX equal the value YYYYYYYY.
    Example:
    Code:
    023D6B28 3B9ACA00 : Write 0x3B9ACA00 to Offset+0x023D6B28

    1 Type
    Format: 1XXXXXXX 0000YYYY
    Description: 16bit write of YYYY to 0XXXXXXX.
    Simple: Makes the value at address 0XXXXXXX equal the value YYYY.
    Example:
    Code:
    123D6B28 00002710 : Write 0x2710 to Offset+0x023D6B28

    2 Type
    Format: 2XXXXXXX 000000YY
    Description: 8bit write of YY to 0XXXXXXX.
    Simple: Makes the value at address 0XXXXXXX equal the value YY.
    Example:
    Code:
    223D6B28 00000032 : Write 0x32 to Offset+0x023D6B28

    3 Type
    Format: 3XXXXXXXX YYYYYYYY
    Description: 32bit if less than.
    Simple: If the value at address 0XXXXXXX is less than the value YYYYYYYY.
    Example:
    Code:
    323D6B28 10000000 : If the 4 Byte Value At Offset+0x023D6B28 Is Less Than 0x10000000

    4 Type
    Format: 4XXXXXXXX YYYYYYYY
    Description: 32bit if greater than.
    Simple: If the value at address 0XXXXXXX is greater than the value YYYYYYYY.
    Example:
    Code:
    423D6B28 10000000 : If the 4 Byte Value At Offset+0x23D6B28 Is Greater Than 0x10000000

    5 Type
    Format: 5XXXXXXXX YYYYYYYY
    Description: 32bit if equal to.
    Simple: If the value at address 0XXXXXXX is equal to the value YYYYYYYY.
    Example:
    Code:
    523D6B28 10000000 : If the 4 Byte Value At Offset+0x023D6B28 Is Equal To 0x10000000
    6 Type
    Format: 3XXXXXXXX YYYYYYYY
    Description: 32bit if not equal to.
    Simple: If the value at address 0XXXXXXX is not equal to the value YYYYYYYY.
    Example:
    Code:
    623D6B28 10000000 : If the 4 Byte Value At Offset+0x023D6B28 Is Not Equal To 0x10000000

    7 Type
    Format: 7XXXXXXXX 0000YYYY
    Description: 16bit if less than.
    Simple: If the value at address 0XXXXXXX is less than the value YYYY.
    Example:
    Code:
    723D6B28 00005400 : If The 2 Byte Value At Address Offset+0x23D6B28 Is Less Than 0x5400

    8 Type
    Format: 8XXXXXXXX 0000YYYY
    Description: 16bit if greater than.
    Simple: If the value at address 0XXXXXXX is greater than the value YYYY.
    Example:
    Code:
    823D6B28 00005400 : If The 2 Byte Value At Address Offset+0x023D6B28 Is Greater Than 0x5400

    9 Type
    Format: 9XXXXXXXX 0000YYYY
    Description: 16bit if equal to.
    Simple: If the value at address 0XXXXXXX is equal to the value YYYY.
    Example:
    Code:
    923D6B28 00005400 : If The 2 Byte Value At Address Offset+0x23D6B28 Is Equal To 0x5400

    A Type
    Format: AXXXXXXXX 0000YYYY
    Description: 16bit if not equal to.
    Simple: If the value at address 0XXXXXXX is not equal to the value YYYY.
    Example:
    Code:
    A23D6B28 00005400 : If The 2 Byte Value At Address Offset+0x23D6B28 Is Not Equal To 0x5400

    B Type
    Format: BXXXXXXX 00000000
    Description: Loads offset register.
    Simple: Used for pointers, the value at 0XXXXXXX is used as the new offset for all of the following lines.
    Example:
    Code:
    B23D6B28 00000000 : Offset Now Equals The 4 Byte Value At Address Offset+0x023D6B28
    00002000 0001869F : Write The 4 Byte Value 0x0001869F To Address Offset+0x00002000
    D2000000 00000000 : Exit All Conditionals, Reset Registers

    C Type
    Format: C0000000 ZZZZZZZZ
    Description: Repeat following lines at specified offset.
    Simple: used to write a value to an address, and then continues to write that value Z number of times to all addresses at an offset determined by the (D6, D7, D8, or DC) type following it.
    Note: used with the D6, D7, D8, and DC types. C types can not be nested.
    Example:
    Code:
    C0000000 00000005 : Repeat The Following Code 0x05 Times (int 5)
    023D6B28 0009896C : Write The 4 Byte Value 0x0009896C To Address Offset+023D6B28
    DC000000 00000010 : Offset Now Equals Offset + 0x10
    D2000000 00000000 : End Of Loop Code, Once Complete Reset All Registers

    D0 Type
    Format: D0000000 00000000
    Description: ends most recent conditional.
    Simple: type 3 through A are all "conditionals," the conditional most recently executed before this line will be terminated by it.
    Example:
    Code:
    94000130 FFFB0000
    74000100 FF00000C
    023D6B28 0009896C
    D0000000 00000000

    The 7 type line would be terminated.


    D1 Type
    Format: D1000000 00000000
    Description: ends repeat block.
    Simple: will end all conditionals within a C type code, along with the C type itself.
    Example:
    Code:
    94000130 FFFB0000
    C0000000 00000010
    8453DA0C 00000200
    023D6B28 0009896C
    D6000000 00000005
    D1000000 00000000

    The C line, 8 line, 0 line, and D6 line would be terminated.


    D2 Type
    Format: D2000000 00000000
    Description: ends all conditionals/repeats before it and sets offset and stored to zero.
    Simple: Ends all lines of code, all conditional checks and zero's all registers.
    Example:
    Code:
    94000130 FEEF0000
    C0000000 00000010
    8453DA0C 00000200
    023D6B28 0009896C
    D6000000 00000005
    D2000000 00000000

    All lines would terminate.


    D3 Type
    Format: D3000000 XXXXXXXX
    Description: sets offset.
    Simple: Sets the pointer to the absolute address XXXXXXXX.
    Note: used with the D4, D5, D6, D7, D8, and DC types.
    Example:
    Code:
    D3000000 023D6B28

    D4 Type
    Format: D4000000 YYYYYYYY
    Description: Adds to the registers value.
    Simple: Increments the value of the register by YYYYYYYY.
    Note: used with the D3, D9, DA, DB, DC types.
    Example:
    Code:
    D4000000 00000025

    D5 Type
    Format: D5000000 YYYYYYYY
    Description: Sets the registers value.
    Simple: Sets the value of the register to YYYYYYYY.
    Note: used with the D3, D9, DA, DB, and DC types.
    Example:
    Code:
    D5000000 34540099

    D6 Type
    Format: D6000000 XXXXXXXX
    Description: 32bit store and increment by 4.
    Simple: Writes the value of the register to Offset+XXXXXXXX (32-bit/4 byte) and increments the offset by 4.
    Note: used with the C, D3, and D9 types.
    Example:
    Code:
    D6000000 023D6B28

    D7 Type
    Format: D7000000 XXXXXXXX
    Description: 16bit store and increment by 2.
    Simple: Writes the value of the register to Offset+XXXXXXXX (16-bit/2 byte) and increments the offset by 2.
    Note: Used with the C, D3, and DA types.
    Example:
    Code:
    D7000000 023D6B28

    D8 Type
    Format: D8000000 XXXXXXXX
    Description: 8bit store and increment by 1.
    Simple: Writes the value of the register to Offset+XXXXXXXX (8-bit/1 byte) and increments the offset by 1.
    Note: Used with the C, D3, and DB types.
    Example:
    Code:
    D8000000 023D6B28

    D9 Type
    Format: D9000000 XXXXXXXX
    Description: 32bit load.
    Simple: Loads the value at Offset+XXXXXXXX to the register (32-bit/4 bytes).
    Note: used with the D5 and D6 types.
    Example:
    Code:
    D9000000 023D6B28

    DA Type
    Format: DA000000 XXXXXXXX
    Description: 16bit load.
    Simple:Loads the value at Offset+XXXXXXXX to the register (16-bit/2 bytes).
    Note: used with the D5 and D7 types.
    Example:
    Code:
    DA000000 023D6B28

    DB Type
    Format: DB000000 XXXXXXXX
    Description: 8bit load.
    Simple: Loads the value at Offset+XXXXXXXX to the register (8-bit/1 byte).
    Note: used with the D5 and D8 types.
    Example:
    Code:
    DB000000 023D6B28

    DC Type
    Format: DC000000 XXXXXXXX
    Description: Adds an offset to the current offset. (Dual Offset)
    Simple: Sets The Offset Register To Offset+XXXXXXXX Without Performing Read/Write.
    Note: used with the C, D3, D5, D9, D8, DB types.
    Example:
    Code:
    DC000000 00000100

    E Type
    Format:
    EXXXXXXX UUUUUUUU
    YYYYYYYY YYYYYYYY
    Description: writes Y to X for U bytes.
    Simple: writes the values at Y (Y can be any length) to addresses starting at X, for U. number of bytes.
    Example:
    Code:
    E23D6B28 00000010
    1244F2F2 02354653
    23FEDA20 542FEBC0
    D2000000 00000000

    Special Codes: Built outsite the ARCode format, The Gateway Team have given us a little bonus.


    DD Type
    Format: DD000000 XXXXXXXX
    Description: triggers the following code on single or combined keypress. Keypress code stops when terminated with D0 Type code. These can be stacked, i.e. A(01)+Left(20) would be 00000021

    Keys:
    0x00000001=A
    0x00000002=B
    0x00000004=Select
    0x00000008=Start
    0x00000010=Right
    0x00000020=Left
    0x00000040=Up
    0x00000080=Down
    0x00000100=R
    0x00000200=L
    0x00000400=X
    0x00000800=Y

    Example:
    Code:
    DD000000 00000021
    1AE40233 000000FF
    D0000000 00000000
    Not Implemented: These codes are part of the ARCode format but have not been confirmed built by the Gateway Team.

    F Type
    Format: FXXXXXXX UUUUUUUU
    Description: Memory Copy
    Simple: Copies UUUUUUUU bytes from the current offset, into the address Offset+XXXXXXXX
    Example:
    Code:
    D3000000 023D6B28
    F23D6B2C 00000004
    D2000000 00000000
    Jargon Buster
    • 0x - Hex Value
    • Absolute Address - The exact address used. I.E. an absolute pointer 0x00FF would move the pointer by 0x00FF from zero.
    • Offset - (aka Offset Register) An Address relative to the pointers current position. I.E. offset 0x01 would mean the pointers current position + 1
    • Pointer - Your current position in the RAM. When the pointer is set, any code used is run at this location (read/write).
    • Register - (aka Store Register) A temporary value which can be changed by code - useful for doing addition/subtraction or when requiring a variable.
    • Relative Address - The movement of the pointer from the current position. I.E. a relative pointer 0x00FF would move the pointer by 0x00FF from it's current offset.
     
    Last edited by a moderator: May 29, 2016
    T.K, guymelef, Zuriki and 4 others like this.
  2. 9
    0
    0
    entoptic

    entoptic Loyal Member

    Joined:
    Jan 28, 2016
    Thanks for your awesome guide, I learned a lot from it. I made my first cheat code today!


    Is you description for 9 Type correct? Your examples for D0/D1/D2 use the 16 bit that's in the first half where X is in XXXX0000.

    I am trying to look at a code that gives for FF Explorers that uses it similarly:
    [Infinite Health]
    980D2406 F7FF0800 <- if 16 bit at 80D2406 equals 0800 (dec: 2048, in the dump it isn't)
    B80D2404 00000000 <- go to offset 80D2404
    50000000 006DDEEC <- if the value at 80D2404 is 006DDEEC, then (in my dump it isn't)
    00000088 0000270F <- move to HP offset and set to dec:9,999
    D2000000 00000000v <- end

    I've tried to decipher it, but it still doesn't make sense how the 9 and 5 Type works (and code works fine).

    The other infinite health code makes perfect sense:
    680D2404 00000000 <- if this address isn't blank, then
    B80D2404 00000000 <- go to offset 80D2404
    10000088 0000FFFF <- move to HP offset and set to dec:65,535
    D2000000 00000000 <- end
     
  3. 161
    32
    28
    xJam.es

    xJam.es Loyal Member

    Joined:
    Jan 21, 2016
    Location:
    England
    Firstly, thanks for the feedback. I'm glad you've found this guide useful and 'grats on your first cheat!

    Now, the RAM will use signed bytes so a number starting F is negative. These codes are using negative pointer references. Which is why you may not be seeing 2048 in the first instance.

    Could you tell me what value is in your dump at 0x080D2404 (the 4 hex values from this point?) I can then explain it a bit better?

    Secondly Type B loads the pointer, however in your example it doesn't load pointer 0x080D2404, what is does is read the 32bit value of 0x080D2404 and loads that value as the new (relative)pointer.

    Hard to explain so let me say it a different way... For example.

    Code:
    # location 080D2404 = value 00000005
    B80D2404 00000000 < this would load the value 5 and move the pointer +5 bytes
     
  4. 403
    12
    0
    msparky83

    msparky83 Loyal Member

    Joined:
    Jun 23, 2006
    Ah geez, gotta love those negative pointers :rolleyes:

    On another note, im glad a lot of people have gotten your program to work and have delved into pointer code making. This is the way the community should work......."together"
     
  5. 161
    32
    28
    xJam.es

    xJam.es Loyal Member

    Joined:
    Jan 21, 2016
    Location:
    England
    Thanks msparky83, if the hacking community didn't share then it wouldn't exist. And i'm all for sharing!
     
    makikatze likes this.
  6. 9
    0
    0
    entoptic

    entoptic Loyal Member

    Joined:
    Jan 28, 2016
    Starting at 80D2400 it is:
    34 35 0D 08 04 08 3F 08

    The line in the code that has a 9 Type references offset 80D2406 not 80D2404. So it should be reading:

    3F 08

    Isn't RAM hex read backwards? So like if you look for a 16 bit code of WXYZ at position 80D2406 then it reads:

    34 35 0D 08 04 YZ WX 08

    That's how the gateway hex editor shows the values at least.
     
  7. 403
    12
    0
    msparky83

    msparky83 Loyal Member

    Joined:
    Jun 23, 2006
    Yes sir, you are correct. The reverse of those values is called little endian. Therefore an address with a value of 270f (9,999 in decimal) would read as "0f 27" inside of gateways hex editor/reader.
     
  8. 161
    32
    28
    xJam.es

    xJam.es Loyal Member

    Joined:
    Jan 21, 2016
    Location:
    England
    As sparky' said, little endian (aka right-to-left) is used by the 3ds processor and so you have to read integers backwards (unless you're Arabic :p)

    Soo .. the code you are looking at (16 bit conditional) is a little more complicated then i wrote, i might add an advanced tips section to make this bit clear but there is something called a bitmask (that's the F7FF) alongside the value. this however is not necessary for now, i will make one of 2 assumptions:
    - this code block was copied and modified out of an old AR code (i.e. the hacker just used an old template)
    - this code was built using a code builder tool not adapted for Gateway.

    If you do want me to talk you through bitmasks just ask, it's advanced+ :p
     
  9. 8
    2
    3
    Rohul1997

    Rohul1997 Loyal Member

    Joined:
    Jan 29, 2016
    Could I please get a bit more explanation on what the D6, D7, and D8 types actually do?
    Thanks in advance
     
  10. 161
    32
    28
    xJam.es

    xJam.es Loyal Member

    Joined:
    Jan 21, 2016
    Location:
    England
    Hi There, Type D6/7/8 All read a value and move the pointer depending on the bit legnth.

    For example if the pointer is at location 0 and you use D6, you will read 32bit value at 0 (4 bits long) and then move the pointer forward 4 bits.

    So now your pointer location is 4, and your data register contains the 32bit value you just read.

    D7 and D8 are the same, but the pointer moves 2 and 1 bits respectively due to the integer size.

    -- let me know if that helps :)
     
  11. 8
    2
    3
    Rohul1997

    Rohul1997 Loyal Member

    Joined:
    Jan 29, 2016
    Ok thanks I think I understand a bit. Just to be 100% sure could you please explain what happens in this example?

    31234567 00002500
    D9000000 01234567
    D4000000 00000100
    D6000000 01234567
    D2000000 00000000
     
  12. 161
    32
    28
    xJam.es

    xJam.es Loyal Member

    Joined:
    Jan 21, 2016
    Location:
    England
    Code:
    31234567 00002500 <- if the value at Address 0x01234567 is less than 0x2500 then {
    D9000000 01234567 <- Load into the register, the value at address 0x01234567
    D4000000 00000100 <- Add 0x0100 to the register value
    D6000000 01234567 <- Write the register value to address 0x01234567
    D2000000 00000000 <- } Exit Code (end of code)
     
  13. 8
    2
    3
    Rohul1997

    Rohul1997 Loyal Member

    Joined:
    Jan 29, 2016
    Thank you very much this has really helped a lot
     
  14. 7
    1
    3
    Zuriki

    Zuriki Loyal Member

    Joined:
    Mar 13, 2016
    **Edit:** I managed to resolve my own issue. Was just a single character out of place.

    New question: is there any way to do 8bit conditionals?
     
    Last edited by a moderator: Mar 13, 2016
  15. 161
    32
    28
    xJam.es

    xJam.es Loyal Member

    Joined:
    Jan 21, 2016
    Location:
    England
    The documentation shows the 16-bit conditionals as 7,8,9,A type codes. You can achieve an 8-bit test by using a "bitmask" to ignore the first byte. If you try a code (for example) 9XXXXXXX 00FFYYYY where x's are your offset and y's are your desired value this would produce an 8-bit is equal to test (remember to make your reference 1 byte shorter shorter as you need to read 16-bits even if you're not checking them all)
     
  16. 7
    1
    3
    Zuriki

    Zuriki Loyal Member

    Joined:
    Mar 13, 2016
    I'm not sure I understand. If the code is

    Code:
    9XXXXXXX MMMMYYYY
    Is MMMM the bitmask?

    You also say to make the reference one byte shorter, but I'm not sure in what way you mean...

    So for example, if I'm doing this test:
    • On this address range (0x08000000 - 0x0800000F)
    • I wish to test the address 0x08000002 to see if it is equal to 02

    Code:
    0x08000000 | 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    Code:
    98000002 00FF0002
    
    or
    
    98000002 00FF0002
    
    I can't say I'm particularly confident with the use of bitmasks.
     
  17. 161
    32
    28
    xJam.es

    xJam.es Loyal Member

    Joined:
    Jan 21, 2016
    Location:
    England
    Hi there, the code only needs to be made shorter if it comes out 1 byte too long (as per the example). if your code is the right length already then you're good to go.

    As per your code, yes the 4 bytes labelled MMMM are the bitmask.

    Your example(s) is correct for what you are trying to achieve.
     
  18. 17
    0
    1
    Jitsuryoku

    Jitsuryoku Loyal Member

    Joined:
    Jun 4, 2015
    I'm trying to understand the following code:
    If i get this correctly it simply sets the offset to and writes E1D109B6 into 00B6B328
    Only thing I don't get is it would seem the writable memory seems to start at 00EC0000.

    Is there something I am missing?
     
  19. 161
    32
    28
    xJam.es

    xJam.es Loyal Member

    Joined:
    Jan 21, 2016
    Location:
    England
    You are right,
    Code:
    D3000000 00000000 : Set offset to 0x00000000
    00B6B328 E1D109B6 : 32-bit write to offset 0x00B6B328
    Apparently if you use the NTR RAM dumping you can get memory ranges in the lower region that Gateway doesn't have enough free RAM to see.
     
    Last edited by a moderator: Mar 17, 2016
    Jitsuryoku likes this.
  20. 17
    0
    1
    Jitsuryoku

    Jitsuryoku Loyal Member

    Joined:
    Jun 4, 2015
    Thanks for the confirmation.

    This is actually a code for Monster Hunter 4 (US) that I tried to port to EU (because most addresses could be calculated, but this one wasn't 1 of them).
    I guess this memory block is out of my reach until tools to read full memory without restarting a game are available. :D
     

Share This Page