Mark and Recall

[-LeetGamer-]

Made by TheEliteOne

Mark and Recall is a fairly easy subroutine to write. You need to be able to press a button and store your co-ords into nop lines and press another button to recall them back.

So first we need are player's co-ords, to find these try one of these methods:

X and Z

- Set a 32 Bit Unknown Search
- Move to a different location on the map
- In your cheat devise search 1=Different
- Stay still, search 0=Same
- Repeat until you have 35 results
- Save your cheats
- Test, look for a teleportation code

Y

- Set a 32 Bit Unknown Search
- Walk up a hill
- Search 2=Greater
- Stay still, search 0=Same
- Walk down a hill
- Search 3=Less
- Stay still, search 0=Same
- Repeat until you have 35 results
- save your cheats
- Test, look for a hight changing code

Once you found your code, unDMA it, if you find one offset you found them all because they are all right next to each other:

X ;Distance/Lenght
Y ;Hight
Z ;Depth

Now we are ready to write are subroutine, so open PS2DIS and the ram dump of your game, find a nop cave and follow these steps:

- Loads the first half of the true controller address into t0
- Loads the second half of the controller address into t0
- Loads the first half of the true co-ord pointer into t1
- Loads the second half of the co-ord pointer into t1
- Loads the first half of the true nop addresses into t2
- Adds the mark button value to zero and stores it in t3
- Adds the recall button value to zero and stores it in t4
- Branches to the next bne if t0 doesn't equal t3
- No operation
- Loads the current value of the x offset into t5 (t1)
- Loads the current value of the Y offset into t6 (t1)
- Loads the current value of the Z offset into t7 (t1)
- Stores the contents of t5 to the second half of the first nop address (t3)
- stores the contents of t6 to the second half of the second nop address (t3)
- Stores the contents of t7 to the second half of the third nop address (t3)
- Branches to the jr ra if t0 doesn't equal t4
- No Operation
- Loads the value of the first nop address into t5 (t3)
- Loads the value of the second nop address into t6 (t3)
- Loads the value of the third nop address into t7 (t3)
- Stores the contents of t5 to the second half of the X offset (t1)
- stores the contents of t6 to the second half of the Y offset (t1)
- Stores the contents of t7 to the second half of the Z offset (t1)
- Jr ra
- Call are subroutine

If you don't fully get it look at a few examples:

Medal of Honor Heroes:

Controller Address:

- True Addressing: 08D442B0
- False Addressing: 005442B0

UnDMA Co-ordinates:

- 0xFFFFFFFF 0x0058361C
- 0x00000070 0x00000000 ;X Axis
- 0x00000074 0x00000000 ;Y Axis
- 0x00000078 0x00000000 ;Z Axis

My Selected Nop Addresses: (True Addressing)

- 08803000
- 08803004
- 08803008

For the second Mark and the second Recall of my subroutine:

- 0880300C
- 08803010
- 08803014

And here is my hack, Double Mark and Recall:

#Double Mark & Recall
;Credit: TheEliteOne
;No freeze
;L + Up - Mark
;L + Down - Recall
;L + Left - Mark 2
;L + Right - Recall 2
0x00339D78 0x0A358080
0x00560200 0x3C0808D4
0x00560204 0x8D0842B0
0x00560208 0x3C0908D8
0x0056020C 0x8D29361C
0x00560210 0x240A0110
0x00560214 0x240B0180
0x00560218 0x240C0140
0x0056021C 0x240D0120
0x00560220 0x3C0E0880
0x00560224 0x150A0007
0x0056022C 0x8D2F0070
0x00560230 0x8D380074
0x00560234 0x8D390078
0x00560238 0xADCF3000
0x0056023C 0xADD83004
0x00560240 0xADD93008
0x00560244 0x150B0007
0x0056024C 0x8D2F0070
0x00560250 0x8D380074
0x00560254 0x8D390078
0x00560258 0xADCF300C
0x0056025C 0xADD83010
0x00560260 0xADD93014
0x00560264 0x150C0007
0x0056026C 0x8DCF3000
0x00560270 0x8DD83004
0x00560274 0x8DD93008
0x00560278 0xAD2F0070
0x0056027C 0xAD380074
0x00560280 0xAD390078
0x00560284 0x150D0007
0x0056028C 0x8DCF300C
0x00560290 0x8DD83010
0x00560294 0x8DD93014
0x00560298 0xAD2F0070
0x0056029C 0xAD380074
0x005602A0 0xAD390078
0x005602A4 0x03E00008

To view this hack and it's commnads used better try this:

- Launch Medal of Honor Heroes
- Turn on Double Mark and Recall
- Take a ram dump
- Open that ram dump in PS2DIS at the address 00560200

Now you can see all the commands used. Look at all the examples I gave above wile looking at the code in PS2DIS, I'm sure you should be able to understand it, I will reply to this thread with any help I can.

-TEO

[JohnnyMcKinney]

Cool dude, but how would you unDMA a code? Usually DMAHunter only gives you a pointer.

[Bl4Ck.KiD...]

Cool dude, but how would you unDMA a code? Usually DMAHunter only gives you a pointer.

got to the pointer of the dma an add the amount of offsets do the jump so if its 0x08900001 an ur offset was 110 then it would be 0x08900111.

[JohnnyMcKinney]

So for example:
#Blank Imposter
0xFFFFFFFF 0x004CDEB8
0x00000060 0x00000000
0x00000064 0x00000000
0x00000068 0x00000000
0x0000006C 0x00000000


Would be:
0x004CDF18

?

[Brandon]

Sweet! I'll try this out tommorrow!

[Bl4Ck.KiD...]

Nah the pointer is ur address so u put the pointer in ur decoder/ps2dis it has a jump as it's hex so the jump for the imposter is 0x08D764B0 an the offsets are 60,64,68,6c so get a hex calc an do 08D764B0+60 do that for the other offsets, an it should give u a jump that points excatly to ur code/address

[-LeetGamer-]

Cool dude, but how would you unDMA a code? Usually DMAHunter only gives you a pointer.

DMA Hunter GIVES you the pointer but the other two numbers from DMA Hunter can be used to find the offset. Google MurderFace's DMA Killing guide for more information.

Sweet! I'll try this out tommorrow!

=] Good luck!

[Lavent Sky]

I have an easier way to dma a code that only requires one ram dump, but is a bit harder to understand I'll post up a guide an how to do it.

[-LeetGamer-]

I have an easier way to dma a code that only requires one ram dump, but is a bit harder to understand I'll post up a guide an how to do it.

Lol I know a way with no ram dump :p but most coders know.

[JohnnyMcKinney]

Lol I know a way with no ram dump :p but most coders know.

I don't... The concept I use to use was find the code. Make a dump of it enabled with a weird value, and search that value. It still works with most games, but not FTB3. Some codes work that way on FTB3, but not all.