TMNT Ubisoft Game NTSC-U AR Gamecube
Moderator: Ralf@gc-forever
-
- Posts: 3827
- Joined: Sun Mar 16, 2014 9:31 am
Re: TMNT Ubisoft Game NTSC-U AR Gamecube
@Wiitendo: Make an in-game RAM dump (0x80000000-0x817FFFFF) of the game, post it here in the thread and I'll see what I can do.
Re: TMNT Ubisoft Game NTSC-U AR Gamecube
It should. The problem is creating an ID and making sure no other game is using it. For testing, I created it with the ID "123" and it worked correctly:
W100-UA8N-EKEE1
1NP3-K95M-P2AXC
J7Y6-TCFC-VEZDE
9H6F-RY6R-FHDXK
Z82W-G581-WG6J4
36DZ-HMPN-D7TQP
TGA2-7QKV-1AMJV
5WEE-CE6Y-P9A8X
KE87-7A7E-Q0V80
1QYR-QHBJ-UUKXP
J4Y4-YPW4-M77RB
YTWV-9JMJ-2K20N
Re: TMNT Ubisoft Game NTSC-U AR Gamecube
I can't download your RAM dump, the Google Drive folder is password protected.
Re: TMNT Ubisoft Game NTSC-U AR Gamecube
Here Ralf, I don't know why my Google Drive is doing that.
https://file.io/y3ckidBPYdjO
Re: TMNT Ubisoft Game NTSC-U AR Gamecube
Andross, I figured out what was going on. The card I use for the Action Replay was dying. Changed it out for another I have and it works perfectly.
Last edited by Wiitendo on Sun Jun 30, 2024 10:46 am, edited 1 time in total.
Re: TMNT Ubisoft Game NTSC-U AR Gamecube
Okay, here's what I've found out so far.
1. Master code
(m)
C401E2F0 0000FF01
The master code must be encrypted with a proper (and unused) game ID.
e.g.
GameID: 4FF (should be unused)
Region: NTSC-U
(m)
R167-HUT4-NECVN
QCB0-2QBJ-MD0XR
2. Infinite HP
Decrease HP function (Turtles & enemies)
801942F8: 9421FFD0 stwu r1,-48(r1)
801942FC: 7C0802A6 mflr r0
80194300: 90010034 stw r0,52(r1)
80194304: DBE10020 stfd f31,32(r1)
80194308: F3E10028 psq_st f31,40(r1),0,0
8019430C: 39610020 addi r11,r1,32
80194310: 4BEB0C0D bl 0x80044f1c
80194314: 80A30018 lwz r5,24(r3) ; r3: base pointer
80194318: 3C808037 lis r4,-32713
8019431C: C0047A60 lfs f0,31328(r4)
80194320: FFE00890 fmr f31,f1 ; f31: decrease value
80194324: 80850004 lwz r4,4(r5)
80194328: 83EDA068 lwz r31,-24472(r13)
8019432C: FC010040 fcmpo cr0,f1,f0
80194330: 83640048 lwz r27,72(r4)
80194334: 83CDA064 lwz r30,-24476(r13)
80194338: 83ADA05C lwz r29,-24484(r13)
8019433C: 838DA060 lwz r28,-24480(r13)
80194340: 908DA05C stw r4,-24484(r13)
80194344: 908DA060 stw r4,-24480(r13)
80194348: 906DA068 stw r3,-24472(r13)
8019434C: 906DA064 stw r3,-24476(r13)
80194350: 41810014 bgt- 0x80194364
80194354: 3C80803C lis r4,-32708
80194358: 38A00001 li r5,1
8019435C: 3884B685 subi r4,r4,18811
80194360: 4BF581D5 bl 0x800ec534
80194364: C01B0174 lfs f0,372(r27) ; f0: old hp
80194368: 3C608037 lis r3,-32713
8019436C: C0437A60 lfs f2,31328(r3) ; f2: min hp (0.0)
80194370: EC20F828 fsubs f1,f0,f31 ; f1: new hp = old hp - decrease value
80194374: C07B00D4 lfs f3,212(r27) ; f3: max hp
80194378: 4BF123D5 bl 0x800a674c ; check min/max hp values
8019437C: D03B0174 stfs f1,372(r27) ; store new hp
80194380: 93EDA068 stw r31,-24472(r13)
80194384: 93ADA05C stw r29,-24484(r13)
80194388: 938DA060 stw r28,-24480(r13)
8019438C: 93CDA064 stw r30,-24476(r13)
80194390: E3E10028 psq_l f31,40(r1),0,0
80194394: CBE10020 lfd f31,32(r1)
80194398: 39610020 addi r11,r1,32
8019439C: 4BEB0BCD bl 0x80044f68
801943A0: 80010034 lwz r0,52(r1)
801943A4: 7C0803A6 mtlr r0
801943A8: 38210030 addi r1,r1,48
801943AC: 4E800020 blr
In/Decrease HP function
80193EEC: 9421FFC0 stwu r1,-64(r1)
...
80193F78: FC00F800 fcmpu cr0,f0,f31
80193F7C: 418200B0 beq- 0x8019402c
80193F80: FC20F890 fmr f1,f31
80193F84: 4BEAC549 bl 0x800404cc
80193F88: C01F7A60 lfs f0,31328(r31)
80193F8C: FC200818 frsp f1,f1 ; f1: in/decrease value
80193F90: FC1F0040 fcmpo cr0,f31,f0 ; sign check
80193F94: 40810010 ble- 0x80193fa4
80193F98: 7F03C378 mr r3,r24
80193F9C: 4800035D bl 0x801942f8 ; decrease hp
80193FA0: 4800000C b 0x80193fac
80193FA4: 7F03C378 mr r3,r24
80193FA8: 480000B5 bl 0x8019405c ; increase hp
Caller function
80102340: 9421FFE0 stwu r1,-32(r1)
...
80102380: C025017C lfs f1,380(r5) ; f1: in/decrease value
80102384: 808500A8 lwz r4,168(r5)
80102388: 48091B65 bl 0x80193eec ; in/decrease hp
There are nine references to the 0x80102340 function and (with a little bit of luck) maybe only one is used for the turtles and another one for the enemies.
80143824: 4BFBEB1D bl 0x80102340 ; decrease turtle hp ???
8017F21C: 4BF83125 bl 0x80102340 ; decrease enemy hp ???
80180F08: 4BF81439 bl 0x80102340 ; ...
801812C4: 4BF8107D bl 0x80102340
80183578: 4BF7EDC9 bl 0x80102340
801BD070: 4BF452D1 bl 0x80102340
801BF0D0: 4BF43271 bl 0x80102340
801BF91C: 4BF42A25 bl 0x80102340
801D4710: 4BF2DC31 bl 0x80102340
You can test a single caller address for Infinite Turtle HP with a nop (0x60000000) instruction.
e.g.
Test address 0x80143824 for Infinite Turtle HP
Raw
04143824 60000000
Encrypted (w/ GID 4FF)
6N3C-K1MN-MVJK8
0XBM-QPB8-V2Z9J
It's also possible to shrink the old Infinite Health All Turtles code a bit:
Infinite Health All Turtles v2
80005000: 83640048 lwz r27,72(r4)
80005004: A01B00D4 lhz r0,212(r27) ; r0: max hp
80005008: 288042C8 cmplwi cr1,r0,17096 ; turtle ? (max hp == 100.0)
8000500C: 40860008 bne- cr1,0x80005014 ; no
80005010: EFFF0828 fsubs f31,f31,f1 ; yes, f31: decrease value = 0.0
80005014: 4818F320 b 0x80194334
80194330: 4BE70CD0 b 0x80005000
Infinite Health All Turtles v2 (AR code format, raw)
04005000 83640048
04005004 A01B00D4
04005008 288042C8
0400500C 40860008
04005010 EFFF0828
04005014 4818F320
04194330 4BE70CD0
Infinite Health All Turtles v2 (AR code format, encrypted w/ GID 4FF)
P5VN-PFEH-HF7PJ
BXJ8-34G8-7105Z
P41R-ZB0Q-NT4TT
CCNJ-XAG3-37597
095J-GV4U-8RE97
MQHC-FRKB-ADY7M
44WP-R6ZF-CPKP0
H17C-HA39-24102
Infinite Health All Turtles v2 (Gecko/WiiRD code format)
C2194330 00000003
83640048 A01B00D4
288042C8 40860008
EFFF0828 00000000
3. Different languages (don't know whether the game supports other languages than English or not)
Set language function
80091124: 4BF838B9 bl 0x800149dc ; SDK OSGetLanguage (r3)
80091128: 5460063E rlwinm r0,r3,0,24,31
8009112C: 2C000002 cmpwi r0,2
80091130: 41820020 beq- 0x80091150
80091134: 40800010 bge- 0x80091144
80091138: 2C000000 cmpwi r0,0
8009113C: 41820034 beq- 0x80091170
80091140: 48000030 b 0x80091170
80091144: 2C000004 cmpwi r0,4
80091148: 40800028 bge- 0x80091170
8009114C: 48000014 b 0x80091160
80091150: 4BFFED7D bl 0x8008fecc ; get address of main struct (r3: 0x80422690)
80091154: 38000006 li r0,6 ; FRE_US ID
80091158: 90030014 stw r0,20(r3)
8009115C: 48000020 b 0x8009117c
80091160: 4BFFED6D bl 0x8008fecc
80091164: 38000007 li r0,7 ; SPA_US ID
80091168: 90030014 stw r0,20(r3)
8009116C: 48000010 b 0x8009117c
80091170: 4BFFED5D bl 0x8008fecc
80091174: 38000005 li r0,5 ; ENG_US ID, default
80091178: 90030014 stw r0,20(r3) ; store language ID (0x804226A4)
8009117C: 80010014 lwz r0,20(r1)
80091180: 83E1000C lwz r31,12(r1)
80091184: 7C0803A6 mtlr r0
80091188: 38210010 addi r1,r1,16
8009118C: 4E800020 blr
Language Modifier v1
04091174 380000xx
Language Modifier v2
044226A4 000000xx
xx = Language ID
00 - ENG_EU
01 - FRE_EU
02 - SPA_EU
03 - ITA
04 - GER
05 - ENG_US
06 - FRE_US
07 - SPA_US
08 - JPN
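An added example, not part of the original posts: this Python sketch re-derives the branch words, the raw AR write lines and the Gecko C2 block of the "Infinite Health All Turtles v2" hook from the addresses and instruction words listed above, and decodes the `bl` caller references to check their target. The function names are illustrative, and the `04` write-line masking and C2 padding (nop plus a zero word for the handler's branch back) are assumptions based on the usual AR and Gecko conventions. It does not perform AR encryption.

```python
import struct

def encode_branch(src, dst, link=False):
    """Encode a PowerPC I-form relative branch (b / bl) located at src."""
    offset = dst - src
    if offset % 4 or not -0x2000000 <= offset < 0x2000000:
        raise ValueError("target not reachable with a relative b/bl")
    return 0x48000000 | (offset & 0x03FFFFFC) | int(link)

def branch_target(addr, word):
    """Return the destination of a relative b/bl word found at addr."""
    if word >> 26 != 18 or word & 2:      # opcode 18, AA bit must be clear
        raise ValueError("not a relative I-form branch")
    offset = word & 0x03FFFFFC
    if offset & 0x02000000:               # sign-extend the 26-bit displacement
        offset -= 0x04000000
    return (addr + offset) & 0xFFFFFFFF

def float_high_half(value):
    """Upper 16 bits of the big-endian single-precision encoding (what lhz reads)."""
    return struct.unpack(">H", struct.pack(">f", value)[:2])[0]

def ar_write32(addr, word):
    """Raw AR 32-bit write line ('04' type), matching the listing in the post."""
    return "%08X %08X" % (0x04000000 | (addr & 0x01FFFFFF), word)

def gecko_c2(hook, body):
    """Gecko C2 (insert ASM) lines; the code handler fills in the branch back."""
    words = list(body)
    if len(words) % 2 == 0:
        words.append(0x60000000)          # nop keeps the trailing zero word paired
    words.append(0x00000000)
    lines = ["%08X %08X" % (0xC2000000 | (hook & 0x01FFFFFF), len(words) // 2)]
    lines += ["%08X %08X" % (words[i], words[i + 1]) for i in range(0, len(words), 2)]
    return lines

# Values below are copied from the post, not invented.
HOOK, CAVE = 0x80194330, 0x80005000
BODY = [0x83640048, 0xA01B00D4, 0x288042C8, 0x40860008, 0xEFFF0828]

def build_ar_raw():
    """Code-cave body, branch back to HOOK+4, then the hook branch itself."""
    tail = CAVE + 4 * len(BODY)
    lines = [ar_write32(CAVE + 4 * i, w) for i, w in enumerate(BODY)]
    lines.append(ar_write32(tail, encode_branch(tail, HOOK + 4)))
    lines.append(ar_write32(HOOK, encode_branch(HOOK, CAVE)))
    return lines

if __name__ == "__main__":
    print("\n".join(build_ar_raw() + gecko_c2(HOOK, BODY)))
```
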