Wii Hacking 101
An Intro to Wii Game Hacking
Last Updated: 6/6/08
Why I Wrote This
This is the first complete guide on Wii hacking with the USB Gecko by Nuke. I intend this guide to be a place people can point beginners to.
Quick Note
DO NOT PM me with questions regarding the material in this text or Wii hacking in general. If you want to know why this is bad, read this. I recommend that those seeking help visit one of the various forums dedicated to Nintendo systems hacking (I am a member of a few of them).
Changelog
5/10/08 - Initial release
5/16/08 - Added comments about alignment to Example 1
6/6/08 - Decommissioned Tutorial
Introduction
----------------
The USB Gecko, originally invented by Nuke for the Gamecube, has seen some amazing developments in the past few months that put it on the cutting edge of the Wii homebrew scene and have started the Wii hacking scene. At the time of this writing no commercial company has announced any sort of Wii cheat device aside from Datel's Powersaves. The USB Gecko runs circles around Powersaves by providing a real Cheat Engine with full support for all the code types found in any good cheat device.

Box shot of Nuke's USB Gecko
This Tutorial
Congratulations on your $50 plunge into the world of game hacking. This tutorial is designed to take you from n00b to hacker with a focus on using Nuke's USB Gecko. I assume you have no previous knowledge of hacking, but you should have basic to semi-advanced computer skills to follow along. You also should have set up your Gecko by now and installed the included drivers, but you can set it aside for now; we need to go over some basics. I am going to borrow from my DS Hacking tutorial for a few things that don't change from system to system. Here we go.
Counting with 16
----------------
An Introduction to Hexadecimal
What Is Hexadecimal
If you passed grade school, you can probably count to 10; perhaps higher? You start at 0 and count 1.. 2.. 3.. 4.. 5.. 6.. 7.. 8.. 9.. To get the next number, you start back at 0 and insert a 1 as the second digit to get 10. Simple, right? What you are counting in is known as a base-10 number system, also called decimal, because there are 10 different numbers per digit. Before we talk about hexadecimal, we should mention a little bit about the number 0.
If I asked you to count to 4 you would probably count: 1.. 2.. 3.. 4.. However, if I asked a computer to count to 4 it would say: 0.. 1.. 2.. 3.. 4.. See the difference? When you work with computers, 0 is just as important as the other numbers. All computer counting starts at 0 unless it has been told otherwise. This becomes important when you deal with loops.
Now that you hopefully understand decimal and what it is, let's move to hexadecimal. Hexadecimal, also known as hex, is a base-16 numbering system. That's right, 16 different numbers per digit. So, counting in hex works like this: 0.. 1.. 2.. 3.. 4.. 5.. 6.. 7.. 8.. 9.. A.. B.. C.. D.. E.. F.. There you have it, 16 different numbers per digit. That means that we can represent any number from 0 to 15 with a 1-digit number instead of just 0 to 9 like in decimal. So what if we want to write 16 in hex? Well, it's just like writing 10 in decimal. You reset the first digit back to zero and tack a 1 on in front. So 16 in decimal is actually 10 in hex. So how do I convert between hex and decimal? Simple! On your computer go to Start > Run > calc.exe. Switch it into scientific mode. Now click the radio button that says hex, type a number in, then click the radio button that says decimal. Done. You may also perform the reverse to convert from decimal to hex. So how do I add, subtract, etc.? Don't worry, the calculator does all that for you too! It will also perform bitwise operations, although bitwise operations are beyond the scope of this tutorial.
So when do I use hex? All the time in game hacking! Everything is in hex, from the values in memory to the codes you will soon create! You may be wondering why the "ancient creators of the computer" decided not to keep things simple and just use decimal. All that is history and beyond the scope of this tutorial, but I will say that it has to do with machine conversion of binary (the 1s and 0s used by machine hardware) to a more "human readable" form. After all, which looks more confusing: 0100 1010 or 0x4A ;). BTW, the 0x is just notation to let people know that the number is in hex. 0x4A is the same as just 4A. It is good habit to prefix hex with a 0x.
Bits and Bytes
Many people use the two words interchangeably; however, they do not mean the same thing. A bit is a 1 or a 0 (base-2 numbering system ;) ). When 8 bits are put together they form a byte, as you can see in the example at the end of the last paragraph. Every set of 4 bits makes up 1/2 of a byte, or a nibble, which is 1 digit of the byte. So from the above, 0100 represents 4 and 1010 represents A. How the conversion is done is beyond the scope of this tutorial, but I will show you why there are only 16 different numbers per digit in hex. To understand this you should know some basic statistics. Each bit can be only 1 of 2 different numbers and there are 4 bits per nibble. So 2x2x2x2, or 2^4, = 16. Don't worry if this does not make sense; the only thing you need to know about bits to hack is how big of a hex number they make, which we will discuss next.
8-bit hex numbers are the smallest hex numbers you will be working with during this tutorial. An 8-bit hex number is two digits and looks like this: 0x4A, or just 4A. If you were paying attention above you should know why it is an 8-bit hex number: because it is made up of 8 bits. Simple! Now let's see if you were really paying attention. How big of a number (in decimal) can an 8-bit hex number hold? Think about how many numbers are in a single hex digit and how many digits are in an 8-bit hex number. The answer to part 1 is 16 and the answer to part 2 is 2. So if you take 16^2, you get 256. So an 8-bit hex number can store anything from 0 - 255. But what if you need to store a larger number? Read on to find out.
16-bit hex numbers are the next size up. They are 4 digits and can store anything from 0 - 65535. Not much else needs to be said about them.
32-bit is the largest size of number you will deal with in your hacking. You can hold anything from 0 - 4,294,967,295! That's huge! You can get bigger than 32 bits but I doubt you will ever need to. 24-bit hex numbers are not used for game hacking, in case you're wondering where they are.
Endianness
This is the last important concept with hexadecimal. Endianness is also known as the "byte order". Just like the name says, "byte order" determines the order of bytes in memory. Take this 32-bit number for example: 0xF5 43 AE 01 (I have spaced the individual bytes apart for your convenience). In a "Big-Endian" system, the number would be written as 0xF5 43 AE 01. In a "Little-Endian" system, the number would be written as 0x01 AE 43 F5. See the difference? "Little-Endian" flips the byte order so the least significant byte comes first. It is very important to note, however, that endianness does NOT affect individual bytes or 8-bit hex numbers. The Wii is a "Big-Endian" system (no flipping required, W00T).
Gecko Code Types
----------------
Speaking The Gecko Language
A Note About Wii Memory
Since this guide is geared at absolute beginners, you may be asking yourself: what is memory? For our purposes dealing with the Wii, memory is used to store the decompressed executable along with game data and game variables. We will not concern ourselves with the executable or game data, aside from pointers, which will be discussed later. The game's variables are our primary focus. Variables are storage containers for game information that reside in memory. Variables on the Wii can be 8, 16, or 32 bits in size. They store information such as how much health you have, how many bullets are in your gun, your kart's speed, and your position on the map. Almost all codes revolve around manipulating the game's variables to achieve effects such as infinite health, ammo, or super speed. How we do this will be discussed later. The Wii actually has 2 banks of memory called MEM1 and MEM2. Each of these banks is further divided into 2 more banks of memory where the upper sub-bank mirrors the lower one (it might be a two-way mirror as well; I'm not sure). We are not going to concern ourselves with MEM2 since it is used for graphics data. MEM1 contains the important stuff and it ranges from 0x80000000 to 0x817FFFFF for the first sub-bank and from 0xC0000000 to 0xC17FFFFF for the second sub-bank. There is actually more memory beyond these ranges but it is used to read buttons, operate the sound chip, send network data, etc.
All About Codes
You have probably seen a Gecko code at some point. They look something like this: 020FCA24 00000001. REMEMBER! EVERYTHING IN A GECKO CODE IS IN HEX! Most Gecko codes contain 3 parts. The first two digits of the code are the code type (in this case the 02). The code type tells the Gecko what to do and how to use the rest of the numbers in the code. In most code types, the second part of the code (in this case 0FCA24) is the address, or the location in memory the code will be working with. If you have been paying close attention you may be wondering why the address part of the code is only 6 digits while the memory ranges listed in the last paragraph are 8. This will be discussed on a code-by-code basis because it is a bit confusing. The last 8 digits are, in most codes, the value. What the value does depends on the code type. We will discuss the Gecko code types next. I will be adding to the code type list as I use the codes in my examples, so not all of the code types will be listed.
RAM Write Codes
There are three different RAM Write Codes. Which one you use depends on what size of value you need to write. That's right, we have codes for 8-, 16-, and 32-bit values. RAM Write codes are the most basic and are the foundation for many complex codes. As their name implies, when run, they will constantly write a value to the RAM. This can be useful for keeping your health full and your gun always loaded.
00XXXXXX ZZZZ00YY
This is the 8-bit value write. 00 is the code type, XXXXXX is the address you want to write to, and YY is the value you want to write. The ZZZZs are the number of values to write minus 1. Go ahead and just leave these as zeros for now. We might use them later.
01XXXXXX ZZZZYYYY
This is the 16-bit value write. 01 is the code type and YYYY is the value. The ZZZZs are the number of values to write minus 1. Go ahead and just leave these as zeros for now. We might use them later.
02XXXXXX YYYYYYYY
This is the 32-bit value write. 32-bit values are 8 digits long, so they take up the whole value portion.
Wrap up
I know it's not much right now but it is what we will be using for today. There are a lot more code types which I did not discuss here mainly because I am not using them in my example.
Real World Examples
----------------
Using The Gecko
Congratulations on actually reading through all of the stuff above and not just skipping it. If you did skip it, "Shame on you (unless you already know it ;))". We are now actually going to hack a game with our USB Gecko to get a hands-on example of all that boring stuff you just learned and to understand concepts which knowledge of hex and code types alone will not teach you. I highly recommend that you follow along with your Gecko. Now, before we get started, we need a few things.
Things You Will Need
The first part of this tutorial told you to install your Gecko drivers, so I am assuming you already did, right? Now, drivers are only half the package. You need a way to boot the game up with the cheat engine and you need some PC software to operate it. Head on over to USBGecko.com and grab either the GECKO REGION FREE Loader or the regular Gecko Loader. I am going to use the regular Gecko Loader for now. You will also need the Gecko Client no matter which loader you download, so grab it. Now, at the moment, the Gecko Client has no built-in search functions, so we need to get a program that can perform comparative searching. Renegade 64 by Viper is the perfect program since it can search memory dumps (more on that later) that the Gecko Client exports. You can grab Renegade over at Kodewerx or download it directly. Next, you will want to have a piece of scratch paper (or Notepad) handy to jot down notes during your hacking. Last but definitely not least, you'll want to have the Windows calculator handy for HEX conversions and addition/subtraction. Got all that? OK, let's start.
Example 1 (Infinite Lives)
Yes, I know it is one of the easiest codes to make, but this tutorial is geared towards beginners. Today we are going to be making an infinite lives code for Super Mario Galaxy. I have an NTSC Wii, but you can follow along if you have a PAL or JAP Wii; our code address just might be different.
Getting Started
I am going to use the Twilight Hack to launch the Gecko Loader. I am not aware of any other ways to load the Gecko Loader (other than that unreleased Homebrew Channel). If you know how to do it another way, skip step 1.
1. Start up your Wii and insert Twilight Princess. When the game loads, start it and load up the Twilight Hack. Once you have control of Link, walk backwards or talk to the man in front of you.
2. Once the Gecko Loader has started, pop out Twilight Princess and insert Mario Galaxy. At this time, start up the Gecko Client on your PC and choose File -> Connect. If you are using the Region Free loader, press Restart. If you are using the regular Gecko Loader, choose Start Game and select option 5 from the list, then click "Start Game".
3. Your Wii drive will now spin up and the game will load. Go ahead and open up the Remote Debugger from the Gecko Client. Click the "Freeze Game" button and confirm that your game is frozen. If it is, proceed to unfreeze it by clicking "Unfreeze Game". If your game did not freeze, shut down your Wii and repeat the steps again.
4. If you haven't already done so, launch Renegade 64. We are now ready to begin hacking.
Know Your Tools
*Set Breakpoints
This launches the actual debugger. We may discuss the debugger in a later example.
*Dump Range
This allows you to dump a range of Wii memory for viewing and comparing in an external program such as Renegade.
*Freeze/Unfreeze Console
This allows you to pause/unpause the execution of the game. We may use this feature in a later example.
*Fill Range
Not sure what exactly it does at the moment.
*Upload Cheat Patch
Upload a cheat (.gct) file for testing.
I will go over Renegade 64 as we use it in our examples. It looks intimidating but we will only be using 1 part of it.
Creating The code
Now that the game has loaded, select a file that preferably is not new and click start. We need to start searching the game's memory to find what address holds the number of lives. Turn your attention back to the Gecko Client. Let's take our first memory dump. Click the "Dump Range (HEX)" button; a window will appear asking what range of memory you would like to dump. We are going to use the first sub-bank of MEM1 (0x80000000 through 0x817FFFFF [REMEMBER, IT'S IN HEX]). Fill in the start and end fields without the 0x and click "Dump Memory". Pick a location to save it and give it a name like dump1-# of lives (it makes the searching easier to use a descriptive name for each dump). Click "Save". The game will lock up for about 20 seconds. If the progress bar stops filling up, DON'T PANIC! Wait 20 seconds before you try to restart your Wii. Sometimes the program just locks up while dumping memory.

The dump memory window.
OK, now we need to change the number of lives we have and get another memory dump. Head over behind the stairs leading up to the kitchen and grab the free life.

Mario finds an extra life
Got it? Good, your number of lives is now 5. Let's take another memory dump. If you closed the memory dump window, reopen it and enter the correct address values for our range (see above). Now click "Dump Memory" again and give it a name like "dump2-5". Click Save and wait 20 seconds. We now have two dumps to compare, but let's get one more just in case 2 is not enough to narrow down the results to a manageable number. Go ahead and get yourself into a level where you can lose lives. I am going to head into the kitchen and fly to the Ghostly Galaxy. Once you are inside the galaxy, find a way to lose a life.
Once you have respawned, you will have four lives again. Perform another dump using the same range of memory as before. Call it "dump3-4". We should now have enough searches to narrow our number of possible addresses down to a manageable number.
Open Renegade up, then open up the cheat search by going to "Cheating" -> "Code Search". Yes, it looks a little confusing, but I will walk you through it. We are going to ignore the "Extended Search Options" in this example, so don't worry about those. First things first: we need to set our search size. I am going to guess that lives is a 16-bit value, so select "16-bit (2 bytes)". Don't worry about all that aligned vs. unaligned stuff. Now, why did I guess lives is a 16-bit value, you ask? Past experience with other games. Trust me, as you hack more codes you will learn to make educated guesses like this.

Moving along. Leave "Compare To" alone as we are starting a new search. Next, head down to "Search Type". Since we know exactly how many lives we have in each of our dumps, as the game is nice enough to write it to the screen, we are going to use a "Known Value" search, so leave that drop-down menu right where it is. Now for the value. In the first dump we had 4 lives, so enter a value of 4 into the box. BUT WAIT!! Remember, it NEEDS to be in HEX, and since we are performing 16-bit searches we need to pad it to a 16-bit number. Now, as you learned before, 4 in decimal is the same as 4 in HEX, so we are good there. But what about all this padding business? Well, a 16-bit number is four digits or 2 bytes long, so we need to pad the other 3 digits with zero. This does not change the value of the number but makes it a true 16-bit number. It's just like taking 3 in decimal and adding a bunch of zeros on in front like this: 0003. It's still the number 3, isn't it? So your value will now look like this: 0004. Note that we do not need to put a 0x in front. Renegade expects hex values, so you don't need to tell it we are giving it hex values. Everything should now look like this.

Now click the big "Search" button and browse to your first dump (should be "dump1-4"). After a few seconds the results box will fill up with a lot of results and a line will appear under "Search History". I came up with 41994 results, but your number WILL vary. That is WAAAAY too many. Renegade won't even show you the results until it's under 1000. So what next? Well, we are going to perform a comparison search against our last search using our second dump. So go ahead and enter 0005 into the "Value(s)" box since we had 5 lives when we took our second dump. Notice the "Compare To" drop-down menu now says "Search 1". Click the "Search" button and browse to your second dump (should be "dump2-5").
Wow, that was a HUGE drop in results. So what happened? Basically, on the first search we performed, Renegade looked through our dump for all instances of 0004 and remembered the address of each one. Then on our second search, Renegade looked at those same addresses but in the second file and checked if their value was now 0005. If it was not, they were eliminated from the results. Just for kicks, let's have Renegade search our third dump. Change the "Value(s)" box back to 0004, click "Search" and select our third dump (should be "dump3-4"). Our results have dropped to exactly 1. Go ahead and click on the "Show Results" button.

The Results Window
You can see our 1 address and its values during all three of our searches. The address I came up with was 0x00F63CF0. If you got a different address, don't worry. Now, we need to test our address. Jump back to the Gecko Tool. What we are going to do now is poke the memory address with a different value and see what happens. However, we have to do one more VERY important thing with the address before we poke it. If you notice, the first digit of your address is 0. See, Renegade's addresses begin at 0x00000000, which is the start of the file, and all other addresses proceed up from there. However, Wii memory begins at 0x80000000, so we have to add 0x80000000 to our address to get 0x80F63CF0. If you have not noticed, the shortcut to do this is to replace the first digit of the address with an 8 ;)
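The narrowing search described above, written out as an added example (not Renegade's code, and not from the original tutorial): three small dumps are constructed in place of real MEM1 dumps, with a decoy that reads 4 in dumps 1 and 3 but never changes to 5, so only the real counter survives; the names make_dump, known_value_search and find_lives_address are assumptions.

```python
# Added example: a minimal "Known Value" comparison search over three
# constructed memory dumps, mirroring the Renegade 64 workflow above.
import struct

WII_MEM1_BASE = 0x80000000   # dump offset 0 corresponds to this Wii address
SEARCH_SIZE = 2              # 16-bit search, as in the tutorial


def known_value_search(dump: bytes, value: int, size: int = SEARCH_SIZE,
                       candidates=None, aligned: bool = False) -> list:
    """Return dump offsets whose big-endian `size`-byte value equals `value`.

    The first search (candidates=None) scans the whole dump; later searches
    only re-check the offsets that survived the previous search, which is
    what Renegade's "Compare To: Search N" does.
    """
    fmt = {1: ">B", 2: ">H", 4: ">I"}[size]          # Wii is big-endian
    if candidates is None:
        step = size if aligned else 1
        candidates = range(0, len(dump) - size + 1, step)
    return [off for off in candidates
            if struct.unpack_from(fmt, dump, off)[0] == value]


def to_wii_address(offset: int) -> int:
    """Renegade reports file offsets; add 0x80000000 to get the MEM1 address
    (the tutorial's shortcut of replacing the leading 0 with an 8)."""
    return WII_MEM1_BASE + offset


def make_dump(lives: int, size: int = 0x40) -> bytes:
    """Constructed stand-in for a MEM1 dump: deterministic non-zero filler,
    a decoy 16-bit value 0x0004 at offset 0x10 that never changes, and the
    real 16-bit lives counter at offset 0x20."""
    buf = bytearray(size)
    for i in range(size):
        buf[i] = (i * 37 + 11) & 0xFF            # never 0x00 within 64 bytes
    buf[0x10:0x12] = (0x0004).to_bytes(2, "big")  # decoy: always 4
    buf[0x20:0x22] = lives.to_bytes(2, "big")     # real lives counter
    return bytes(buf)


def find_lives_address() -> int:
    """Run the three searches from the tutorial and return the Wii address."""
    dump1 = make_dump(4)   # "dump1-4": four lives
    dump2 = make_dump(5)   # "dump2-5": grabbed the 1-up
    dump3 = make_dump(4)   # "dump3-4": lost a life again
    hits = known_value_search(dump1, 4)                    # search 1: 0004
    hits = known_value_search(dump2, 5, candidates=hits)   # compare to search 1
    hits = known_value_search(dump3, 4, candidates=hits)   # compare to search 2
    if len(hits) != 1:
        raise ValueError(f"still {len(hits)} candidates, take another dump")
    return to_wii_address(hits[0])


if __name__ == "__main__":
    print(hex(find_lives_address()))
```

Setting aligned=True restricts the first scan to offsets that are multiples of the search size, which is the aligned/unaligned choice the tutorial tells you to ignore for now.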
Now, before we go on, I would like to pause and talk about alignment. As you remember, each byte in memory, or every 8-bit number, has a unique address in memory that identifies it from the rest. What you need to understand is that if each byte (8-bit number) has a unique address in memory, then a 16-bit number contains two addresses in memory, one for each of its bytes. And guess what? A 32-bit number contains four addresses in memory, one for each of its four bytes. Now, the key part of this is that the address of a 32-bit or 16-bit value is the exact same address as the first 8-bit value in the number. That means that if you were to just ignore all 3 or 1 other bytes in a 32-bit or 16-bit number and just look at those first two digits, the address of the big 32-bit or 16-bit number would be the exact same address as the one those first two digits reside at. Remember that.
Consider the 32-bit number 12345678 at the address 80000000. Remember, this means that 12 is the 8-bit value at 80000000. But what about 34 56 78 (notice, I spaced them apart)? Where do they reside? Well, just increase the address by one to get the next byte (2 digits) of the 32-bit number. So, can you guess where the byte 34 actually resides in memory? It's not 80000000 but actually 80000001. The byte 56 would therefore be at 80000002 and 78 at 80000003. 16-bit numbers are the exact same except a 16-bit number contains only 2 bytes. So, if we had the 16-bit number 1234 at address 80000000, then the byte 12 would be at 80000000 and the byte 34 would be at 80000001. What you also need to understand is that data is what you make it. If I came across 97 00 06 89 A6 F8 in memory I would not have a clue what that data is. It could be 8 8-bit numbers. It could be 3 16-bit numbers. It could be a 32-bit number and 2 8-bit numbers, or a 32-bit number and a 16-bit number. I don't know.
So let's bring our current example back into this alignment discussion. As you remember, we have discovered our lives address is at 80F63CF0 and the current value is 0004. Remember, we have been performing 16-bit searches. It is extremely important to remember the search size when you are aligning values. If you remember what you just learned, you should be able to tell me where the actual byte that contains our number of lives is. It's not at 80F63CF0 but at 80F63CF1. But it is just as valid to say that lives is at 80F63CF0 with a value of 0x0004. The key is the extra two zeros at the beginning of the value. If you told me that lives was at 80F63CF0 with a value of 0x04, then you would be wrong. You should understand exactly why this would be wrong, too. What we are doing by adding on those extra two zeros so we can say that lives is at 80F63CF0 with a value of 0x0004 is called aligning. It would also be just as valid to say that lives is at 80F63CEE with a value of 0x00000004.
But wait! Would you question me if I told you that lives is at 80F63CF0 with a value of 0x00040000? That is also perfectly legal. You may wonder why we would want to add four extra zeros onto the end of what could have been a perfect 16-bit number, but we will use this trick very soon. In fact, it's coming up next.
Go ahead and enter your new address (the one we found with Renegade) into the "Poke Memory (HEX)" address box. Now we need a value. How about 99? BUT WAIT! GUESS WHAT (you know what's coming)? It needs to be in HEX! If you are too lazy to convert 99 to HEX, it comes out to be 0x63. Now we need to pad/align it to a 16-bit value since we have been doing 16-bit searches, so you will end up with 0x0063. Enter that into the Value box without the 0x, as Gecko Tool expects HEX. Click "Poke". You will be greeted by an error saying the value you entered is not DWORD (32-bit) in size. Yes, this is a minor problem with Gecko Tool, but one we can work around. Remember what we just learned in the last paragraph? Uh-huh, we are going to use it! We need a 32-bit value to make the Gecko Client happy, so we will just align our 16-bit value to 32 bits. Now, why not just back up the address by two and tack on the two zeros at the beginning to make 80F63CEE our address and 0x00000063 our value? Yes, this would work, but not in this case. You see, if you did this and clicked Poke, Gecko would write a 00 to 80F63CEE, a 00 to 80F63CEF, a 00 to 80F63CF0, and a 63 to 80F63CF1. This would be fine except that what you don't know (because you did not look) is that the game seems to be storing other stuff at 80F63CEE and 80F63CEF. I can tell because the values at those addresses are not zero, making it unsafe to zero them out without cause. So instead keep the address at 80F63CF0 and tack four zeros onto the end of the value to make 0x00630000, as the previous paragraph promised.

A diagram showing the memory around the lives address.
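The alignment and endianness points above, as an added example that is not part of the original tutorial: a small model of the bytes around the lives address shows exactly which Wii addresses each poke width touches and which non-zero neighbours it would overwrite. The byte values around the counter are constructed, and the names make_region, poke, read and check_write are assumptions.

```python
# Added example: model the bytes around the lives counter and report the
# footprint of 8/16/32-bit writes at different alignments.
LIVES_ADDR = 0x80F63CF0      # 16-bit lives counter found in Example 1
BASE = LIVES_ADDR - 4        # model covers 80F63CEC .. 80F63CF7


def make_region() -> bytearray:
    """Constructed contents: non-zero "other stuff" before the counter,
    the big-endian 16-bit lives value 0x0004 at CF0..CF1, two zero bytes,
    then more non-zero data."""
    return bytearray.fromhex("A1 B2 C3 D4 00 04 00 00 17 28 39 4A")


def poke(region: bytearray, address: int, value: int, bits: int) -> None:
    """Write `value` as a big-endian `bits`-wide number at `address`,
    exactly as a Wii (big-endian) poke would lay the bytes out."""
    size = bits // 8
    if address < BASE or address + size > BASE + len(region):
        raise ValueError("write falls outside the modelled region")
    off = address - BASE
    region[off:off + size] = value.to_bytes(size, "big")


def read(region: bytearray, address: int, bits: int, endian: str = "big") -> int:
    """Read a value back; endian="little" shows what a little-endian reader
    would make of the same bytes (the Wii itself is big-endian)."""
    off = address - BASE
    return int.from_bytes(region[off:off + bits // 8], endian)


def lives_byte_address() -> int:
    """The single byte holding the count is the last byte of the
    big-endian 16-bit value, i.e. LIVES_ADDR + 1."""
    return LIVES_ADDR + 1


def check_write(address: int, value: int, bits: int) -> dict:
    """Apply one write to a fresh region and report its footprint:
    every address written, the addresses outside the 16-bit counter whose
    non-zero contents get overwritten, and the lives value afterwards."""
    region = make_region()
    span = list(range(address, address + bits // 8))
    clobbered = [a for a in span
                 if a not in (LIVES_ADDR, LIVES_ADDR + 1)
                 and region[a - BASE] != 0]
    poke(region, address, value, bits)
    return {"written": span, "clobbered": clobbered,
            "lives": read(region, LIVES_ADDR, 16)}


if __name__ == "__main__":
    print("16-bit at CF0 :", check_write(LIVES_ADDR, 0x0063, 16))
    print("32-bit at CEE :", check_write(LIVES_ADDR - 2, 0x00000063, 32))
    print("32-bit at CF0 :", check_write(LIVES_ADDR, 0x00630000, 32))
```

Reading the counter as little-endian returns 0x0400, which is why a 16-bit search for 0004 only works because the Wii is big-endian.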
OK, so we have our address and our value, so now we need to make a code. Since we always want to have 99 lives, let's use a constant write code. But which constant write code to use? You actually could use any of them. If you want an 8-bit constant write, you would need to shift your address up 1 to 0x80F63CF1 since, as we learned earlier, that is where the byte value for lives actually is. If you want a 16-bit constant write, you could use our current address. If you want a 32-bit constant write, you could shift the address down by 2 (which I just said was unsafe) or you could simply use our current address and tack on those extra four zeros like we did when we poked the memory. I will opt for the 16-bit option, so my code becomes 01F63CF0 00000063. So what happened to the 8 at the beginning? Well, the code engine knows that the Wii's memory begins at 0x80000000, so for the time being I am just going to tell you that it automatically adds 0x80000000 to your address. It actually is a bit more complicated, but we will go over that when we talk about pointers.
Mario with 99 lives
Creating The Code List
So you have your brand new code, but how do you package it up for use with the Gecko Cheat Engine? You need to create a .gct file, and for that you'll need a HEX editor. I recommend you grab yourself a copy of Hex Workshop. It is not free, but there is a 30-day trial. What you'll want to do before opening Hex Workshop is lay out your code in Notepad, so get Notepad open. The start of any code list must always begin with 00D0C0DE 00D0C0DE, so paste that on the first line. On the next line, add your new code: 01F63CF0 00000063. All code lists must finish with 00000000 00000000, so tack that on the last line. Now that you have your code all laid out and correct, proceed to remove all the spaces between the 2 blocks of numbers. Don't worry about the line breaks. Select all the text and copy it.
Open up Hex Workshop and start a new document. Hex Workshop has a nice feature where it can paste text into the open document but interpret it as HEX. Go to "Edit" -> "Paste Special". Choose "CF_TEXT" and check the box that says "Interpret as a hexadecimal string". Click "Paste" and then "OK". Hex Workshop has pasted all of our code into the document as HEX, just how we want it. Save the document as whatever.gct and close Hex Workshop.
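The RAM write code formats from the Gecko Code Types section and the .gct packaging just described, carried out as one added example (not the Gecko project's own code, and not from the original tutorial): ram_write builds a code line from a full MEM1 address and build_gct produces the same bytes the Hex Workshop paste does. Code type numbers follow this tutorial's table (00, 01, 02); the function names and the 0x80FFFFFF upper limit for the 6-digit address field are assumptions.

```python
# Added example: encode the tutorial's RAM write codes and package a code
# list as a .gct file (header, codes, terminator) without a hex editor.
import re

GCT_HEADER = "00D0C0DE 00D0C0DE"   # every code list starts with this
GCT_FOOTER = "00000000 00000000"   # and ends with this
WII_MEM1_BASE = 0x80000000
CODE_RE = re.compile(r"^[0-9A-F]{8} [0-9A-F]{8}$")


def ram_write(bits: int, address: int, value: int, count: int = 0) -> str:
    """Return a constant RAM write code for an 8/16/32-bit value.

    `address` is the full MEM1 address (0x80xxxxxx); the code carries only
    its low 6 digits because the code engine adds 0x80000000 itself, so
    (assumption) only 0x80000000-0x80FFFFFF fits this simple form.
    `count` is the ZZZZ field of the 8/16-bit types: values to write minus 1.
    """
    if not WII_MEM1_BASE <= address <= 0x80FFFFFF:
        raise ValueError("address must lie in 0x80000000-0x80FFFFFF")
    if not 0 <= count <= 0xFFFF:
        raise ValueError("count field is 16 bits")
    low = address - WII_MEM1_BASE
    if bits == 8:
        if not 0 <= value <= 0xFF:
            raise ValueError("8-bit value out of range")
        return f"00{low:06X} {count:04X}00{value:02X}"     # 00XXXXXX ZZZZ00YY
    if bits == 16:
        if not 0 <= value <= 0xFFFF:
            raise ValueError("16-bit value out of range")
        return f"01{low:06X} {count:04X}{value:04X}"       # 01XXXXXX ZZZZYYYY
    if bits == 32:
        if count or not 0 <= value <= 0xFFFFFFFF:
            raise ValueError("32-bit write has no count field")
        return f"02{low:06X} {value:08X}"                  # 02XXXXXX YYYYYYYY
    raise ValueError("bits must be 8, 16 or 32")


def build_gct(codes) -> bytes:
    """Header + codes + footer, spaces stripped, interpreted as hex: the same
    steps the tutorial performs in Notepad and Hex Workshop."""
    lines = [GCT_HEADER, *codes, GCT_FOOTER]
    for line in lines:
        if not CODE_RE.match(line):
            raise ValueError(f"malformed code line: {line!r}")
    return bytes.fromhex("".join(line.replace(" ", "") for line in lines))


def parse_gct(data: bytes) -> list:
    """Inverse of build_gct: check the header/footer and return the codes."""
    if len(data) < 16 or len(data) % 8:
        raise ValueError("gct must be a multiple of 8 bytes with header+footer")
    lines = [f"{data[i:i + 4].hex().upper()} {data[i + 4:i + 8].hex().upper()}"
             for i in range(0, len(data), 8)]
    if lines[0] != GCT_HEADER or lines[-1] != GCT_FOOTER:
        raise ValueError("missing gct header or footer")
    return lines[1:-1]


if __name__ == "__main__":
    code = ram_write(16, 0x80F63CF0, 0x63)     # 99 lives, 16-bit write
    with open("infinite_lives.gct", "wb") as f:
        f.write(build_gct([code]))
    print(code)
```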
Congratulations. You now have a fully packaged and ready to distribute code. Pat yourself on the back, it wasn't easy. Enjoy your new code. With that, this example is concluded.