Melee Gecko Codes + Guide and Discussion

[darkside1222]

0% Stamina Incurs DeadUpStar (1.02) [Achilles]
040C8CDC 4800B3DD

Been putting in mad work in the lab.

Yay nice job man!

 

[CeLL]

Would it be possible to make a code to make Fox/Falco a specific color (like the color overlays in 20XX) during their up B charging? It looks really weird to have them be yellow if the firefox flames are like blue or something lol

 

[CeLL]

Whenever I run dolphin in debug mode, when I start a game it just gives me a black screen and says invalid callstack. Any ideas?

 

[Achilles1515]

.....what did I just find....
I don't ever remember seeing red metal in the game.

Whenever I run dolphin in debug mode, when I start a game it just gives me a black screen and says invalid callstack. Any ideas?

Are you trying to run a regular Dolphin version or the DebugFast version? Try disabling codes.

 

[CeLL]

.....what did I just find....
I don't ever remember seeing red metal in the game.

View attachment 41970



Are you trying to run a regular Dolphin version or the DebugFast version? Try disabling codes.

1. That looks amazing.

2. I tried 4.0.2, 4.0-652, 4.0-4069, the DebugFast version from your thread, and the 3.5 version you posted from that thread, all with just the default settings (which includes cheats being disabled). Same thing on all of them.
[collapse="Screenshot"]

[/collapse]

 

[Achilles1515]

1. That looks amazing.

2. I tried 4.0.2, 4.0-652, 4.0-4069, the DebugFast version from your thread, and the 3.5 version you posted from that thread, all with just the default settings (which includes cheats being disabled). Same thing on all of them.
[collapse="Screenshot"]

[/collapse]

I think mine says that too. Make sure "Boot to Pause" is unchecked in the Options menu up top. Hmm. Also, you'll want to turn on Registers, Breakpoints, and Memory in the View menu at the top.

 

[CeLL]

I think mine says that too. Make sure "Boot to Pause" is unchecked in the Options menu up top. Hmm. Also, you'll want to turn on Registers, Breakpoints, and Memory in the View menu at the top.

Wow I'm silly it was just pausing immediately. Well I turned that off and now it pulls up the yellow text with the information about my hardware like usual but never goes past that :/

Edit: Got it now. Don't know what was wrong.

 

[Cyjorg]

Is there a memory address that you can check during a match to find out which players (p1, p2...) are in the game?

Was going through my notes for my version of the Neutral Spawn code and found this.

Spoiler

Player Type Check (0 = human, 1 = cpu , 3 = none) // I guess 2 doesn't exist??

SETUP:
lis r18, 0x8048
ori r18, r18, 0x0821
li r20, 0

P1:
lbz r19, 0x0 (r18)
cmpwi r19, 0x3
beq P2
li r20, 0x1000

P2:
lbz r19, 0x24 (r18)
cmpwi r19, 0x3
beq P3
addi r20, r20, 0x100

P3:
lbz r19, 0x48 (r18)
cmpwi r19, 0x3
beq P4
addi r20, r20, 0x10

P4:
lbz r19, 0x6c (r18)
cmpwi r19, 0x3
beq SETUP2
addi r20, r20, 0x1

SETUP2:
nop

It makes me sick to look at but it works. So if I'm my own code isn't fooling me the base address for player 1 is 0x80480821 and player 2 type is 0x24 from that and so on.

 

[Y-L]

Hey @Dan Salvato , would there be any chance you could fix the widescreen hack so that the off screen bubbles are in the 16:9 region instead of the 4:3 region?

 

[CPRDMBreaker2k]

PLEASE FIX IT

 

[SinsOfApathy]

It makes me sick to look at but it works. So if I'm my own code isn't fooling me the base address for player 1 is 0x80480821 and player 2 type is 0x24 from that and so on.

wParam's notes should probably be recommended reading. He has this kind of stuff documented quite well.

Static player block
-------------------

They start at 80453080
static_player_block_t //0xE90 bytes long
{
    0x04: long, player type (external index)
    0x08: long, slot type (human, cpu, demo, none)
    0x10: float, X coordinate (horizontal)
    0x14: float, Y coordinate (vertical)
    0x18: float, Z coordinate?  (depth)
    0x44: byte, bool computer?
    0x45: byte, controller index
    0x60: short, currently /displayed/ health. (ALWAYS counts up)
    0x62: short, health start value.
    0x90: int, current coins
    0x94: int, total collected.
    0xAC: byte, flag 0x40 means "eligible for multi spawn"
    0xB0: void*, pointer to player_t
    0xB4: void*, pointer to player_t for nana, if applicable
}

That's the direct copy-paste from it, but since I'm not on my desktop, it lacks personal notes like stock counters and such.

 

[Cyjorg]

wParam's notes should probably be recommended reading. He has this kind of stuff documented quite well.

Static player block
-------------------

They start at 80453080
static_player_block_t //0xE90 bytes long
{
    0x04: long, player type (external index)
    0x08: long, slot type (human, cpu, demo, none)
    0x10: float, X coordinate (horizontal)
    0x14: float, Y coordinate (vertical)
    0x18: float, Z coordinate?  (depth)
    0x44: byte, bool computer?
    0x45: byte, controller index
    0x60: short, currently /displayed/ health. (ALWAYS counts up)
    0x62: short, health start value.
    0x90: int, current coins
    0x94: int, total collected.
    0xAC: byte, flag 0x40 means "eligible for multi spawn"
    0xB0: void*, pointer to player_t
    0xB4: void*, pointer to player_t for nana, if applicable
}

That's the direct copy-paste from it, but since I'm not on my desktop, it lacks personal notes like stock counters and such.

All of that is on the Google doc too I believe

 

[Achilles1515]

All of that is on the Google doc too I believe

Not really. Well some of it. I’m assuming you’re thinking of the data offset stuff, which is different.

These static player blocks that wParam began mapping are VERY important. They are ALWAYS in the same place in the RAM. We were using some values in these blocks as well, but just never gave order to them.

I’ve been slowly adding notes/discovering the meaning of some more of these values. My most current mapped out player block variables are seen below. The most important thing about doing this is to put some sense into the regular game functions that pull these variables. Those functions use the exact same player block offsets listed below.

And sorry about all the question marks. I just don’t things down as facts until I’m 100% certain. I started putting "unknowns" in there as I was mapping out/investigating game functions, just to know whether addresses in these blocks were read as bytes, floats, or halfwords.

Static player block
-------------------

They start at 80453080
static_player_block_t //0xE90 bytes long

P1 - 80453080
P2 - 80453f10
P3 - 80454DA0
P4 - 80455C30
P5 - 80456AC0
P6 - 80457950

{
    0x00: long, Character ID again?
    0x04: long, character ID (external index)
    0x08: long, slot type (human, cpu, demo, none), modify this to change from CPU to human midmatch
    0x10: float, X coordinate (horizontal)
    0x14: float, Y coordinate (vertical)
    0x18: float, Z coordinate?  (depth)
    0x40: float, direction facing (1=right, -1=left)
    0x44: byte, bool computer?
    0x45: byte, controller index
    0x46: byte, unknown
    0x47: byte, cpu type, applied after death.
    0x48: byte, unknown
    0x49: byte, unknown. I was using this as vs mode (=1) flag? ****.
    0x4A: byte, unknown
    0x4B: byte, unknown
    0x4C: byte, unknown
    0x4D: byte, unknown
    0x4E: byte, unknown
    0x50: float, unknown
    0x54: float, attack ratio, changing take effect immediately
    0x58: float, damage (defense) ratio, changing take effect immediately
    0x5C: float, model scale (match was started with. modifying does nothing.)
    0x60: short, currently /displayed/ health. (ALWAYS counts up)
    0x62: short, health start value.
    0x64: stamina hp - check to confirm
    0x68: int, unknown (80034de8)
    0x70: int, unknown
    0x88: int, read when dying in stamina mode?
    0x8E: byte, stocks left
    0x90: int, current coins
    0x94: int, total collected.
    0xA0: int, joystick "smashes" (8003662c - load, add 1, store back)
    0xA8: int, name tag slot #
    0xAC: byte,
        - flag 0x90 means “regular character”(?)
        - flag 0x40 means "eligible for multi spawn" (?)
        - flag 0x30 means "eligible for nana spawn"
        - comparison for 0x80 is @ 800354c0 (?)
    0xAD: byte, unknown (8003468c). Set to 0x20,0x80 and see?
        0x10 = default?
        0x20 = use stamina hp instead of damage percent, changing take effect immediately
   
    0xAE: byte, unknown
    0xB0: void*, pointer to player_t (Data Offset Start!)
    0xB4: void*, pointer to player_t for nana, if applicable

[results stats]
    0xD24: int, Damage Recovered
    0xDDC: int, air time
    0xDE0: int, ground time
}

 

[Ripple]

no version of dolphin debug works on my computer that has functional memory break points. can someone tell me if memory offset 4d64ec has something to do with player 2 being on fire

 

[Achilles1515]

no version of dolphin debug works on my computer that has functional memory break points. can someone tell me if memory offset 4d64ec has something to do with player 2 being on fire

I thought we determined that it was working when we had our Skype session? Didn't the game pause when we were looking at hitstun from a Falcon move?

I use the exact same versions that are posted in this forum and they work for me (generally speaking, I have seen some excpetions where it doesn't break on things that I know are being read but it's not often). I really dont see a reason why they shouldn't work for everyone as long as Dolphin executable will boot up.

 

[Ripple]

nothing breaks anymore for no reason.

no version of dolphin debugfast 4 works on my computer. I cant run 64bit, and 32 bit gives me the **Assertion: see log** error despite having cheats off.

so then I go back to using 3.0-865 debugfast and that doesn't break on anything unless I directly write over a memory address

I have done this with memory address 4d64ec because its always either 1 or 0 depending on if the opponent is on fire but never breaks when I cause a player to be on fire

 

[Cyjorg]

nothing breaks anymore for no reason.

no version of dolphin debugfast 4 works on my computer. I cant run 64bit, and 32 bit gives me the **Assertion: see log** error despite having cheats off.

so then I go back to using 3.0-865 debugfast and that doesn't break on anything unless I directly write over a memory address

I have done this with memory address 4d64ec because its always either 1 or 0 depending on if the opponent is on fire but never breaks when I cause a player to be on fire

Make sure you're setting memory check points at 0x804d64ec and not 0x004d64ec.

Not really. Well some of it. I’m assuming you’re thinking of the data offset stuff, which is different.

These static player blocks that wParam began mapping are VERY important. They are ALWAYS in the same place in the RAM. We were using some values in these blocks as well, but just never gave order to them.

I’ve been slowly adding notes/discovering the meaning of some more of these values. My most current mapped out player block variables are seen below. The most important thing about doing this is to put some sense into the regular game functions that pull these variables. Those functions use the exact same player block offsets listed below.

And sorry about all the question marks. I just don’t things down as facts until I’m 100% certain. I started putting "unknowns" in there as I was mapping out/investigating game functions, just to know whether addresses in these blocks were read as bytes, floats, or halfwords.

Static player block
-------------------

They start at 80453080
static_player_block_t //0xE90 bytes long

P1 - 80453080
P2 - 80453f10
P3 - 80454DA0
P4 - 80455C30
P5 - 80456AC0
P6 - 80457950

{
    0x00: long, Character ID again?
    0x04: long, character ID (external index)
    0x08: long, slot type (human, cpu, demo, none), modify this to change from CPU to human midmatch
    0x10: float, X coordinate (horizontal)
    0x14: float, Y coordinate (vertical)
    0x18: float, Z coordinate?  (depth)
    0x40: float, direction facing (1=right, -1=left)
    0x44: byte, bool computer?
    0x45: byte, controller index
    0x46: byte, unknown
    0x47: byte, cpu type, applied after death.
    0x48: byte, unknown
    0x49: byte, unknown. I was using this as vs mode (=1) flag? ****.
    0x4A: byte, unknown
    0x4B: byte, unknown
    0x4C: byte, unknown
    0x4D: byte, unknown
    0x4E: byte, unknown
    0x50: float, unknown
    0x54: float, attack ratio, changing take effect immediately
    0x58: float, damage (defense) ratio, changing take effect immediately
    0x5C: float, model scale (match was started with. modifying does nothing.)
    0x60: short, currently /displayed/ health. (ALWAYS counts up)
    0x62: short, health start value.
    0x64: stamina hp - check to confirm
    0x68: int, unknown (80034de8)
    0x70: int, unknown
    0x88: int, read when dying in stamina mode?
    0x8E: byte, stocks left
    0x90: int, current coins
    0x94: int, total collected.
    0xA0: int, joystick "smashes" (8003662c - load, add 1, store back)
    0xA8: int, name tag slot #
    0xAC: byte,
        - flag 0x90 means “regular character”(?)
        - flag 0x40 means "eligible for multi spawn" (?)
        - flag 0x30 means "eligible for nana spawn"
        - comparison for 0x80 is @ 800354c0 (?)
    0xAD: byte, unknown (8003468c). Set to 0x20,0x80 and see?
        0x10 = default?
        0x20 = use stamina hp instead of damage percent, changing take effect immediately
  
    0xAE: byte, unknown
    0xB0: void*, pointer to player_t (Data Offset Start!)
    0xB4: void*, pointer to player_t for nana, if applicable

[results stats]
    0xD24: int, Damage Recovered
    0xDDC: int, air time
    0xDE0: int, ground time
}

Ah. I had some of that documented in my notes. Even on my phone I swear that 0xe90 apart seems familiar. Regardless, Have we tried contacting wParam? His email is on his site

 

[SinsOfApathy]

Ah. I had some of that documented in my notes. Even on my phone I swear that 0xe90 apart seems familiar.

Your notes have the sub_player pointer (Which has 0xE90 apart listed) and stock information (which does not, and even this is only P1 and P2). So yeah, your notes have 2 things out of the entirety of that struct.

Given that it's hosted on a Google Doc, you should be able to just write a formula to calculate all of the offsets instead of manually putting in that kind of information.

 

[Achilles1515]

Make sure you're setting memory check points at 0x804d64ec and not 0x004d64ec.



Ah. I had some of that documented in my notes. Even on my phone I swear that 0xe90 apart seems familiar. Regardless, Have we tried contacting wParam? His email is on his site

Yeah, it's familiar because you've used the player blocks before. I did contact wParam on his gmail, basically just telling him he is amazing blah blah blah did you know smash is still being played blah blah blah and I did get a response. This might sound heartless, but we recently found all his notes, which is what we all wanted from him and I don't think there's much else to obtain from contacting him. He hasn't done any Melee hacking since the Crazy Mod (9 years ago....) so he's just not going to remember the specifics of anything else we would love to ask him. Nonetheless, I would still love to chat with him about his actual methods for all this stuff and how they did it "in the old days". 9 years is a long time ago...

 

[SinsOfApathy]

Yeah, it's familiar because you've used the player blocks before. I did contact wParam on his gmail, basically just telling him he is amazing blah blah blah did you know smash is still being played blah blah blah and I did get a response. This might sound heartless, but we recently found all his notes, which is what we all wanted from him and I don't think there's much else to obtain from contacting him. He hasn't done any Melee hacking since the Crazy Mod (9 years ago....) so he's just not going to remember the specifics of anything else we would love to ask him. Nonetheless, I would still love to chat with him about his actual methods for all this stuff and how they did it "in the old days". 9 years is a long time ago...

He would've just used the PSO Ethernet exploit (or given that a lot of his help came from the AR forums, maybe the Datel method), and GCNRD or whatever it was called. It's basically a debugger running off an actual Gamecube. From there, it wouldn't be really any different than how we find stuff, beyond the fact that he had the knowledge to recognize C functions in PPC ASM and to figure out the exploit itself.

Edit: Yeah, straight from his own page:

There are many people besides myself who deserve credit for these modifications. Parasyte and kenobi for the GCNCrypt and the Gamecube Remote Debugger, without which none of this would ever have been possible, along with everyone at the AR Central forums. Many codes from arcentral.net were used as a basis for knowing where to start looking in the debugger to make interesting changes, and of course everyone likes a little positive feedback now and again .

Honestly, if he was still doing it now, he'd probably have the entire game mapped at this point lol

 

[CeLL]

Single Player Battlefield Background in Vs. Melee (1.02)
04219d08 60000000

View attachment 37278

Get money.

I was trying to convert this into a dol mod and got at offset 0x168E8 -> 60000000, but that causes the game not to start at all in Dolphin (just goes to a black screen, doesn't even show the memory card prompts).

 

[Achilles1515]

I was trying to convert this into a dol mod and got at offset 0x168E8 -> 60000000, but that causes the game not to start at all in Dolphin (just goes to a black screen, doesn't even show the memory card prompts).

Well Cell, you done f***ed up.

If you follow that mini guide I wrote you really should have no problem finding the DOL offset.

For that code above, open up a ram.raw that you dumped from a vanilla 1.02 ISO with no codes enabled. Go to line 0x219d08 and copy like 10 lines of data. Then open your 1.02 DOL, search for that data you just copied and it should give you one match which is the offset. In general, RAM values are about 0x3000 more than the DOL offset. But that's just a rule of thumb. For the "free space" at the beginning of the DOL, all the equivalent RAM offsets are exactly +0x3000.

 

[CeLL]

Well Cell, you done f***ed up.

If you follow that mini guide I wrote you really should have no problem finding the DOL offset.

For that code above, open up a ram.raw that you dumped from a vanilla 1.02 ISO with no codes enabled. Go to line 0x219d08 and copy like 10 lines of data. Then open your 1.02 DOL, search for that data you just copied and it should give you one match which is the offset. In general, RAM values are about 0x3000 more than the DOL offset. But that's just a rule of thumb. For the "free space" at the beginning of the DOL, all the equivalent RAM offsets are exactly +0x3000.

LMAO I didn't copy the 2. I went to 0x19d08 FailFish

 

[CeLL]

So I'm trying to convert a C2 code to a dol mod but when I try to convert "b 0xFFECEC3B" to hex with ASM<>WiiRd I get "Error: ignoring least significant bits in branch offset." What is wrong?

 

[Achilles1515]

So I'm trying to convert a C2 code to a dol mod but when I try to convert "b FFECEC3B" to hex with ASM<>WiiRd I get "Error: ignoring least significant bits in branch offset." What is wrong?

b 0xffecec3b

 

[CeLL]

b 0xffecec3b

Sorry I had the 0x I forgot to type it.

 

[Achilles1515]

Sorry I had the 0x I forgot to type it.

Where are you trying to branch to/from?

 

[SinsOfApathy]

Sorry I had the 0x I forgot to type it.

Branch works with an offset from the address it's executed from. So, unless it's pointing to a label within your own code, you have to manually create the branch.

So, 8045D930 to 80002300 would be b -4568624 (BA49D0).

 

[CeLL]

To 0x8000514C in the RAM from 0x80136510 in the RAM. Just following Sham Rock's guide.

 

[SinsOfApathy]

To 0x8000514C in the RAM from 0x80136510 in the RAM. Just following Sham Rock's guide.

Then it's b -1250244, which is 0xECEC3C.

To figure it out, open Calculator in accessories, point view to Programmer, then click the radio button next to HEX. From there you can input 0x8000514C - 0x80136510 to get the value.

 

[Cyjorg]

Another useless code with an unnecessarily long name

Hold L+R+A+Start During Stage Load to Return to the CSS(1.02) [Jorgasms]
0425b8bc 38600002

This button combo used to bring you back to the Main Menu which annoyed me lol

 

[CeLL]

Another useless code with an unnecessarily long name

Hold L+R+A+Start During Stage Load to Return to the CSS(1.02) [Jorgasms]
0480b8bc 36000002

This button combo used to bring you back to the Main Menu which annoyed me lol

Actually it's just L+R+Start. No A required.

Edit: And I just tried it in Dolphin and it didn't do anything

Edit: Now it works but it sends me to the sudden death CSS

Edit: Now it works well

 

[Cyjorg]

Actually it's just L+R+Start. No A required.

Edit: And I just tried it in Dolphin and it didn't do anything

Yeah that code I posted was just flat wrong...it's fixed.

 

[Cyjorg]

@ CeLL
Yeah I messed it up TWICE. Not my day. It's fixed for real this time

 

[CeLL]

I'm trying to convert the gecko code to hold Z while selecting a character to get a lowercase version to a DOL mod, but I think I don't quite understand how to get the memory address of the line the C2 code is overwriting. Looking at C223C28C 0000000B I would think the address is 8023C28C, so I converted it and overwrote that line in the DOL, but it didn't do anything, so I set a break point in Dolphin for that line of code and it wasn't hit when I was entering a name.

 

[Cyjorg]

Isn't there a code that allows all player to control the debug menu? I can't seem to find it

 

[SinsOfApathy]

I'm trying to convert the gecko code to hold Z while selecting a character to get a lowercase version to a DOL mod, but I think I don't quite understand how to get the memory address of the line the C2 code is overwriting. Looking at C223C28C 0000000B I would think the address is 8023C28C, so I converted it and overwrote that line in the DOL, but it didn't do anything, so I set a break point in Dolphin for that line of code and it wasn't hit when I was entering a name.

Check for a code that changes BA. It should be 40, if I remember right.

 

[flieskiller]

NOT IMPORTANT REQUEST: in Develop mode, D-pad down toggles the c-stick controls between the Develop camera and the Multiplayer controls (with attacks)

 

[Ripple]

I cannot, for the life of me, find where shield stun is located in memory. it seems to be dynamic

 

[SinsOfApathy]

I cannot, for the life of me, find where shield stun is located in memory. it seems to be dynamic

Float @ Offset 0x23A0 for remaining time according to the Google Doc. Haven't actually looked though (nor what struct it's part of, since the doc is kind of **** at organization.)