This is how I found some of the codes I have found. I'll probably add more to this, and for a few other games too, over time. I'm posting this in the hopes that anybody could learn from this, because finding some codes isn't hard to do. It's quite easy. I don't know much of anything, and I still find stuff. More people should give it a try; you'd be surprised by how many useful things you can find just by guessing, because I know I'm surprised by how much I find by guessing.

I don't know how other people start finding codes, but I'm figuring out some blind ways of starting off that tend to lead me to things. One that has recently led me to some goodies, while crashing games far less than I expected, is searching for branches that only skip a few lines. The order I search for is this:

"0008 ble"

"000C ble"

"0010 ble"

"0014 ble"

"0008 bge"

"000C bge"

"0010 bge"

"0014 bge"

"0008 blt"

"000C blt"

"0010 blt"

"0014 blt"

"0008 bgt"

"000C bgt"

"0010 bgt"

"0014 bgt"

I hunt down every instance of these in that order and change them to "nop", which has the value "60000000". These are worth doing because many things that have limits in games are just a branch like these, and such a branch rarely skips more than a few lines. Every code I have found for Silent Hill Homecoming was found because of these 6 lines:

"0008 ble"

"000C ble"

"0010 ble"

"0008 bge"

"000C bge"

"0010 bge"

From what I recall of Disgaea 3, the majority of those codes could have been found using this method too.
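The reason a text search like "0008 ble" works is that the low halfword of a conditional branch word is its byte displacement, so "0008" through "0014" pick out branches that skip one to four instructions. The following is an added example, not code from the post or any game; it decodes the branch fields the way the disassembler output above implies, encodes the forced `b` the post uses later on, and scans a constructed byte sample (`SAMPLE`, `base`, and all function names are this example's own) for the short forward skips the post hunts for.

```python
import struct

# Condition-register bit selected by BI % 4, in PowerPC order: LT, GT, EQ, SO.
CR_BITS = ("lt", "gt", "eq", "so")
# Mnemonics the disassembler prints for "branch if bit set" / "if bit clear".
IF_SET = {"lt": "blt", "gt": "bgt", "eq": "beq", "so": "bso"}
IF_CLEAR = {"lt": "bge", "gt": "ble", "eq": "bne", "so": "bns"}

NOP = 0x60000000   # ori r0,r0,0: the value the post writes over a branch


def decode_bc(word):
    """Decode a B-form conditional branch (primary opcode 16).

    Returns (mnemonic, cr_field, byte_displacement), or None when `word` is
    not a plain "CR bit set/clear" conditional branch (CTR-decrementing forms
    and b/bl are ignored).  The displacement is the low halfword of the
    instruction, which is why "0008 ble" is a usable text search.
    """
    if word >> 26 != 16:
        return None
    bo = (word >> 21) & 0x1F
    bi = (word >> 16) & 0x1F
    bd = word & 0xFFFC                 # BD field, already a multiple of 4
    if bd & 0x8000:                    # sign-extend: backward branches
        bd -= 0x10000
    crbit = CR_BITS[bi & 3]
    if bo & 0b11100 == 0b01100:        # BO = 011zy: branch if CR bit is set
        name = IF_SET[crbit]
    elif bo & 0b11100 == 0b00100:      # BO = 001zy: branch if CR bit is clear
        name = IF_CLEAR[crbit]
    else:
        return None
    return name, bi >> 2, bd


def encode_b(displacement):
    """I-form unconditional `b` to pc+displacement: the post's "force the
    branch to always go" patch (e.g. 419E0050 beq -> 48000050 b)."""
    return 0x48000000 | (displacement & 0x03FFFFFC)


def find_short_skips(blob, base=0, max_skip=4,
                     names=("ble", "bge", "blt", "bgt")):
    """Scan big-endian code bytes for forward ble/bge/blt/bgt branches that
    skip 1..max_skip instructions (displacements 0008..0014 for max_skip=4).
    Returns [(address, mnemonic, instructions_skipped)]."""
    hits = []
    for off in range(0, len(blob) - 3, 4):
        dec = decode_bc(struct.unpack(">I", blob[off:off + 4])[0])
        if dec is None:
            continue
        name, _cr, bd = dec
        if name in names and 8 <= bd <= 4 * (max_skip + 1):
            hits.append((base + off, name, bd // 4 - 1))
    return hits


# Constructed sample, not bytes from any game: two branch words taken from the
# post's Dead Space 2 listing plus a nop and a made-up "ble +0x14", back to back.
SAMPLE = struct.pack(">IIII", 0x409D0008, NOP, 0x419E0050, 0x409D0014)

if __name__ == "__main__":
    for addr, name, skipped in find_short_skips(SAMPLE, base=0x00216AF8):
        print("%08X: %s skips %d instruction(s)" % (addr, name, skipped))
```

Running the scan over `SAMPLE` reports the `ble` at 0x00216AF8 as skipping one instruction and the constructed `ble` at 0x00216B04 as skipping four; the `beq` is ignored because it is not in the default mnemonic list, exactly like the post's search order.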

Another thing I search for is floats, mainly the float "1", which is "3F800000". Their upper half is loaded with "lis" operations, so these are all 32 possibilities (one per register):

3C003F80

3C203F80

3C403F80

3C603F80

3C803F80

3CA03F80

3CC03F80

3CE03F80

3D003F80

3D203F80

3D403F80

3D603F80

3D803F80

3DA03F80

3DC03F80

3DE03F80

3E003F80

3E203F80

3E403F80

3E603F80

3E803F80

3EA03F80

3EC03F80

3EE03F80

3F003F80

3F203F80

3F403F80

3F603F80

3F803F80

3FA03F80

3FC03F80

3FE03F80

I change the "3F80" part to "0000" and then try it out. These seem to crash a game about as much as the branch method does. Everything I found for Infamous 1 and nearly everything I found for Dead Space 2 was because I started using this method.
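The 32 words listed above are the `lis rD,0x3F80` encodings for r0 through r31, and 0x3F80 is the upper half of the single-precision encoding of 1.0. The following added example (not code from the post) generates that list for any float, decodes an `lis` word back into its register and immediate, and scans a constructed byte sample for loads of a given float; `SAMPLE` and every function name here are this example's own.

```python
import struct


def lis(rd, upper16):
    """Encode `lis rD,upper16` (addis rD,r0,upper16; primary opcode 15)."""
    return 0x3C000000 | (rd << 21) | (upper16 & 0xFFFF)


def decode_lis(word):
    """(rD, upper16) for an `lis` word, else None.  addis with rA != 0 is a
    plain add-immediate-shifted, not a constant load, so it is excluded."""
    if word >> 26 != 15 or (word >> 16) & 0x1F != 0:
        return None
    return (word >> 21) & 0x1F, word & 0xFFFF


def float_upper_half(value):
    """Upper 16 bits of the IEEE-754 single-precision encoding of `value`."""
    return struct.unpack(">I", struct.pack(">f", value))[0] >> 16


def float_range_of_upper(upper16):
    """(lowest, highest) float whose encoding has this upper half.  A `lis`
    only fixes these 16 bits; an `ori` afterwards can land anywhere in here."""
    lo = struct.unpack(">f", struct.pack(">I", upper16 << 16))[0]
    hi = struct.unpack(">f", struct.pack(">I", (upper16 << 16) | 0xFFFF))[0]
    return lo, hi


def lis_patterns(value):
    """All 32 `lis` words (r0..r31) that load the upper half of float `value`,
    as 8-hex-digit strings in the form the post lists them."""
    upper = float_upper_half(value)
    return ["%08X" % lis(rd, upper) for rd in range(32)]


def find_float_loads(blob, value, base=0):
    """(address, rD) of every `lis` in `blob` whose immediate is the upper
    half of float `value`."""
    upper = float_upper_half(value)
    hits = []
    for off in range(0, len(blob) - 3, 4):
        dec = decode_lis(struct.unpack(">I", blob[off:off + 4])[0])
        if dec is not None and dec[1] == upper:
            hits.append((base + off, dec[0]))
    return hits


# Constructed sample (not a game's bytes): lis r0,0x3F80 / nop / lis r10,0x3F80
# / addis r9,r9,0x3F80 (same halfword, but not an lis, so not a hit).
SAMPLE = struct.pack(">IIII", 0x3C003F80, 0x60000000, 0x3D403F80, 0x3D293F80)

if __name__ == "__main__":
    print(lis_patterns(1.0))
    print(find_float_loads(SAMPLE, 1.0))
```

`lis_patterns(1.0)` reproduces the list above in the same order. Two things worth knowing before patching a hit: `float_range_of_upper(0x3F80)` shows that an `lis` of 0x3F80 may be the start of any float from 1.0 up to about 1.008 if an `ori` follows, and the same halfword can just as well be the upper half of a pointer or integer constant, which is one reason some of these edits crash the game rather than change a value.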

Dead Space 2 - Infinite Use Of Med Packs & Stasis Packs

I don't know if this will lead anywhere, but I'm looking at Skiller's code for max credits upon gaining credits at address 0x00216AC4. I searched for "blr" above it to see where the function starts. It starts at address 0x00216878 and ends at address 0x00216F04. I change the first line of the function from:

00216878: 7B970020 rldicl r23,r28,0,1

to:

00216878: 4E800020 blr

The effects I notice:

1. When I pick up credits, the game freezes.

2. When I heal myself, the game freezes.

3. When I restore my stasis with a stasis pack, the game freezes.

I'm interested in #2 and #3.

I then change address 0x00216878 back to what it was:

00216878: 7B970020 rldicl r23,r28,0,1

I'm thinking to cancel all store operations, so I do:

002168C8: 90010074 stw r0,116(r1)

002168D8: 91210080 stw r9,128(r1)

002168E8: F8410028 std r2,40(r1)

0021692C: F8410028 std r2,40(r1)

00216950: F8410028 std r2,40(r1)

00216990: 90010074 stw r0,116(r1)

002169A0: 9121007C stw r9,124(r1)

002169B0: F8410028 std r2,40(r1)

00216A58: 90010074 stw r0,116(r1)

00216A68: 91210070 stw r9,112(r1)

00216A78: F8410028 std r2,40(r1)

00216AD4: 906B0028 stw r3,40(r11)

00216B20: F8410028 std r2,40(r1)

00216B34: 93F90260 stw r31,608(r25)

00216C00: F8410028 std r2,40(r1)

00216C58: F8410028 std r2,40(r1)

00216C90: 900100C0 stw r0,192(r1)

00216C9C: 912100C4 stw r9,196(r1)

00216CA8: 900100C8 stw r0,200(r1)

00216CB0: 914100CC stw r10,204(r1)

00216CDC: D00300F0 stfs f0,240(r3)

00216CFC: F821FE81 stdu r1,-384(r1)

00216D04: FB410150 std r26,336(r1)

00216D08: FBA10168 std r29,360(r1)

00216D18: FBC10170 std r30,368(r1)

00216D24: FB610158 std r27,344(r1)

00216D28: FBE10178 std r31,376(r1)

00216D2C: FB010140 std r24,320(r1)

00216D30: FB210148 std r25,328(r1)

00216D34: FB810160 std r28,352(r1)

00216D38: F8010190 std r0,400(r1)

00216D8C: D0010080 stfs f0,128(r1)

00216D9C: D1A10084 stfs f13,132(r1)

00216DA4: D0010088 stfs f0,136(r1)

00216DA8: 9001008C stw r0,140(r1)

00216E28: F8010070 std r0,112(r1)

00216E50: F8410028 std r2,40(r1)

00216E90: 900100A0 stw r0,160(r1)

00216EC0: 915F0000 stw r10,0(r31)

I change all 39 of them to do nothing:

002168C8: 60000000 nop

002168D8: 60000000 nop

002168E8: 60000000 nop

0021692C: 60000000 nop

00216950: 60000000 nop

00216990: 60000000 nop

002169A0: 60000000 nop

002169B0: 60000000 nop

00216A58: 60000000 nop

00216A68: 60000000 nop

00216A78: 60000000 nop

00216AD4: 60000000 nop

00216B20: 60000000 nop

00216B34: 60000000 nop

00216C00: 60000000 nop

00216C58: 60000000 nop

00216C90: 60000000 nop

00216C9C: 60000000 nop

00216CA8: 60000000 nop

00216CB0: 60000000 nop

00216CDC: 60000000 nop

00216CFC: 60000000 nop

00216D04: 60000000 nop

00216D08: 60000000 nop

00216D18: 60000000 nop

00216D24: 60000000 nop

00216D28: 60000000 nop

00216D2C: 60000000 nop

00216D30: 60000000 nop

00216D34: 60000000 nop

00216D38: 60000000 nop

00216D8C: 60000000 nop

00216D9C: 60000000 nop

00216DA4: 60000000 nop

00216DA8: 60000000 nop

00216E28: 60000000 nop

00216E50: 60000000 nop

00216E90: 60000000 nop

00216EC0: 60000000 nop

I tested it, and my health and stasis still increased when I used a med pack or stasis pack, so nothing in this function writes to either of them. I did notice that when I used a med pack or stasis pack, they didn't disappear from my inventory, and I could keep using them. This didn't affect ammo or nodes though, and I could still normally move or sell any item. Since using a med pack or stasis pack costs you 1 of them, I must be looking for a subtraction operation that subtracts 1 from something. So I make a copy of the unmodified EBOOT.ELF, because that's quicker than manually undoing everything, and look for all subtraction operations that subtract 1:

00216AEC: 3BEBFFFF subi r31,r11,1

I guess that's the only one. Now I just remove it:

00216AEC: 60000000 nop

I try that out, and they were still removed from my inventory. It must be some other subtraction operation, so I find the rest of them:

002168B8: 3869FFF0 subi r3,r9,16

00216980: 3869FFF0 subi r3,r9,16

00216A00: 3863FFF0 subi r3,r3,16

00216A48: 3863FFF0 subi r3,r3,16

00216B48: 3863FFF0 subi r3,r3,16

00216DEC: 3889FFF0 subi r4,r9,16

I remove all 6 of them:

002168B8: 60000000 nop

00216980: 60000000 nop

00216A00: 60000000 nop

00216A48: 60000000 nop

00216B48: 60000000 nop

00216DEC: 60000000 nop

I try that, and the game freezes when I try to heal or get more stasis. So I get another copy of the EBOOT.ELF, go back to all of those store operations, and try the ones that aren't the max credits one and don't store things on the stack (the stack pointer is always register $r1):

00216B34: 93F90260 stw r31,608(r25)

00216CDC: D00300F0 stfs f0,240(r3)

00216EC0: 915F0000 stw r10,0(r31)

I remove those 3:

00216B34: 60000000 nop

00216CDC: 60000000 nop

00216EC0: 60000000 nop

I try that out, and the effect is back. I doubt it's a float like address 0x00216CDC stores, so I'll try the first one only:

00216B34: 93F90260 stw r31,608(r25)

That becomes:

00216B34: 60000000 nop

The effect is still there, so I found a code.

Infinite Use Of Med Packs & Stasis Packs

00216B34 60000000

ORIGINAL PATTERN: 93F90260

PATTERN: 60000000

I mess with that a little: I return address 0x00216B34 to normal and check what happens before it and which branches land close to it.

00216AE4: 419E0050 beq- cr7,0x216b34

I force the branch to always go:

00216AE4: 48000050 b 0x216b34

The effect is gone, so I remove it:

00216AE4: 60000000 nop

The effect is still gone, so I go to the next branch after it:

00216AF8: 409D0008 ble- cr7,0x216b00

I first force this branch:

00216AF8: 48000008 b 0x216b00

The effect is still gone. I then remove the branch:

00216AF8: 60000000 nop

The effect is back. I then check to see what wasn't skipped:

00216AFC: 7C1F0378 mr r31,r0

That's just copying whatever is in register $r0 to register $r31. I then look to see where it came from:

00216AF0: 800900B0 lwz r0,176(r9)

Register $r0 is loaded with the 4 bytes at offset $00B0 from register $r9. I check to see what set register $r9, 2 lines above it:

00216AE8: 8139000C lwz r9,12(r25)

That just kind of ends my curiosity.
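The Dead Space 2 walkthrough above is two mechanical steps, finding the function's extent by the surrounding `blr`s and then triaging its stores, with stack spills through r1 tried last. The following added example (not the post's code) does both over a constructed instruction sample; `SAMPLE`, `BASE` and all function names are this example's own, and the words inside `SAMPLE` are copied from the post's listing but laid out in an invented order.

```python
import struct

BLR = 0x4E800020   # return from function: the post's "kill the whole function" patch
NOP = 0x60000000

# Primary opcode -> mnemonic for the D/DS-form stores the post nops out.
STORES = {36: "stw", 37: "stwu", 38: "stb", 39: "stbu", 44: "sth", 45: "sthu",
          52: "stfs", 53: "stfsu", 54: "stfd", 55: "stfdu", 62: "std"}


def words(blob):
    """Big-endian 32-bit instruction words of `blob`."""
    return [struct.unpack(">I", blob[i:i + 4])[0] for i in range(0, len(blob) - 3, 4)]


def function_bounds(blob, addr, base=0):
    """Locate the function containing `addr` the way the post does: it starts
    right after the previous `blr` and ends at the next `blr`.  Returns
    (start, end) with `end` being the address of the closing `blr`."""
    ws = words(blob)
    i = (addr - base) // 4
    start = i
    while start > 0 and ws[start - 1] != BLR:
        start -= 1
    end = i
    while end < len(ws) and ws[end] != BLR:
        end += 1
    return base + 4 * start, base + 4 * end


def decode_store(word):
    """(mnemonic, rS, rA, displacement) for a store word, else None."""
    op = word >> 26
    if op not in STORES:
        return None
    rs, ra = (word >> 21) & 0x1F, (word >> 16) & 0x1F
    if op == 62:                           # DS-form: low bits 0 = std, 1 = stdu
        name = "stdu" if word & 3 == 1 else "std"
        d = word & 0xFFFC
    else:
        name = STORES[op]
        d = word & 0xFFFF
    if d & 0x8000:
        d -= 0x10000
    return name, rs, ra, d


def stores_in(blob, start, end, base=0, skip_stack=True):
    """Every store between `start` and `end` (inclusive), optionally dropping
    the ones addressed through the stack pointer r1.  Those are what the post
    tries last, because spills to the stack are unlikely to be game state."""
    hits = []
    for i in range((start - base) // 4, (end - base) // 4 + 1):
        dec = decode_store(struct.unpack(">I", blob[4 * i:4 * i + 4])[0])
        if dec is None or (skip_stack and dec[2] == 1):
            continue
        hits.append((base + 4 * i,) + dec)
    return hits


# Constructed layout (not the real EBOOT): the closing blr of the previous
# function, a few instruction words copied from the post's listing, then the
# function's own blr.
BASE = 0x00216874
SAMPLE = struct.pack(">8I",
    BLR,           # 00216874: end of the previous function
    0x7B970020,    # 00216878: rldicl r23,r28,0,1  (function start)
    0x90010074,    # 0021687C: stw r0,116(r1)      (stack spill)
    0x93F90260,    # 00216880: stw r31,608(r25)    (the line the post ended up with)
    0xD00300F0,    # 00216884: stfs f0,240(r3)
    0xF821FE81,    # 00216888: stdu r1,-384(r1)
    0x915F0000,    # 0021688C: stw r10,0(r31)
    BLR)           # 00216890: end of this function

if __name__ == "__main__":
    start, end = function_bounds(SAMPLE, 0x00216884, BASE)
    for addr, name, rs, ra, d in stores_in(SAMPLE, start, end, BASE):
        print("%08X: %s r%d,%d(r%d)" % (addr, name, rs, d, ra))
```

`stores_in` with the default `skip_stack=True` returns exactly the three non-stack stores the post narrowed down to. The `blr` heuristic is only a first guess: a large function can contain an early-return `blr`, and a `blr`-looking word can occur in data, so the bounds it reports should be checked against the disassembly before anything is patched.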

Disgaea 3 - Enemy Level Modifier

I found that by looking for all instances of "270F cmpwi" in programmer's notepad 2. I set the value of every instance from "270F" to "0000" using HxD. I noticed every enemy I encountered was at level 9999. Here is every instance, and the few I marked:

00035FEC: 2F8A270F cmpwi cr7,r10,9999

00036C88: 2F8A270F cmpwi cr7,r10,9999

000373D0: 2F89270F cmpwi cr7,r9,9999

00037610: 2F8A270F cmpwi cr7,r10,9999

000391FC: 2F83270F cmpwi cr7,r3,9999

000393B8: 2F83270F cmpwi cr7,r3,9999

0004197C: 2F89270F cmpwi cr7,r9,9999

Main area characters replaced with me.

00041B30: 2F89270F cmpwi cr7,r9,9999

000452F8: 2F80270F cmpwi cr7,r0,9999

0005007C: 2F83270F cmpwi cr7,r3,9999

000501A8: 2F83270F cmpwi cr7,r3,9999

000552AC: 2F80270F cmpwi cr7,r0,9999

0006FC20: 2F83270F cmpwi cr7,r3,9999

all enemies at level 9999.

0007ADF8: 2F87270F cmpwi cr7,r7,9999

000C14C8: 2F80270F cmpwi cr7,r0,9999

000C14D8: 2F80270F cmpwi cr7,r0,9999

000C1790: 2F9F270F cmpwi cr7,r31,9999

000C3E34: 2F80270F cmpwi cr7,r0,9999

000C3E74: 2F80270F cmpwi cr7,r0,9999

000C6294: 2F8B270F cmpwi cr7,r11,9999

000C7648: 2F84270F cmpwi cr7,r4,9999

000EE0BC: 2F9F270F cmpwi cr7,r31,9999

000EE46C: 2F9F270F cmpwi cr7,r31,9999

000EE85C: 2F9F270F cmpwi cr7,r31,9999

000EF568: 2F9D270F cmpwi cr7,r29,9999

000FC0BC: 2F8B270F cmpwi cr7,r11,9999

00106724: 2F80270F cmpwi cr7,r0,9999

001102A0: 2F89270F cmpwi cr7,r9,9999

00110DF0: 2F80270F cmpwi cr7,r0,9999

001149D4: 2F84270F cmpwi cr7,r4,9999

00116258: 2F80270F cmpwi cr7,r0,9999

001163C4: 2F9F270F cmpwi cr7,r31,9999

00116F14: 2F9F270F cmpwi cr7,r31,9999

0012FF04: 2F80270F cmpwi cr7,r0,9999

001303DC: 2F80270F cmpwi cr7,r0,9999

0013116C: 2F80270F cmpwi cr7,r0,9999

001325E4: 2F80270F cmpwi cr7,r0,9999

00134B5C: 2F80270F cmpwi cr7,r0,9999

00134E28: 2F80270F cmpwi cr7,r0,9999

00135088: 2F80270F cmpwi cr7,r0,9999

0013564C: 2F80270F cmpwi cr7,r0,9999

00135C9C: 2F80270F cmpwi cr7,r0,9999

00135F1C: 2F80270F cmpwi cr7,r0,9999

0013BDE4: 2F80270F cmpwi cr7,r0,9999

0013E32C: 2F89270F cmpwi cr7,r9,9999

001421EC: 2F89270F cmpwi cr7,r9,9999

0015C230: 2F80270F cmpwi cr7,r0,9999

00170B88: 2F8A270F cmpwi cr7,r10,9999

001732C8: 2F87270F cmpwi cr7,r7,9999

001748E8: 2F86270F cmpwi cr7,r6,9999

00174938: 2F86270F cmpwi cr7,r6,9999

001ABD6C: 2F89270F cmpwi cr7,r9,9999

I tried these all at the same time. There may have been many effects from these that I didn't notice that might have been useful. The way I singled it out from the rest was by setting only half of them to 0000 at a time.

1. There are 52 of them, so I checked the first 26 (0x00035FEC to 0x000FC0BC) by changing all of them from "270F" to "0000". Everyone was still at level 9,999, so it was within those first 26 results.

2. I then tried changing the first 13 (0x00035FEC to 0x0006FC20) from "270F" to "0000". Everyone was still at level 9,999, so it was within those first 13 results.

3. I then tried changing the first 7 (0x00035FEC to 0x0004197C) from "270F" to "0000". Things were back to normal, so it wasn't any of the first 7 results.

4. Six results are left. I then tried changing the next 3 (0x00041B30 to 0x0005007C) from "270F" to "0000". Things were still normal, so it wasn't any of those 3.

5. Three results are left. I tried the next 2 (0x000501A8 & 0x000552AC) and changed them from "270F" to "0000". Things were still normal.

6. There is only 1 result left, and that is address 0x0006FC20. Just to verify it, I changed it from "270F" to "0000", and everyone was back to level 9,999.

It only took 7 tests to find that code. Total time was less than 30 minutes.

Disgaea 3 - Starting HP Modifiers For Enemies & Objects

I looked at the already found code called "Infinite HP", which is at address 0x000C2DA0 with value 0x60000000. Value 0x60000000 is the NOP instruction (ori r0,r0,0), which turns a single line of code into one that does nothing. I went to address 0x000C2DA0 in programmer's notepad 2. I saw these 3 lines:

000C2D98: E9290008 ld r9,8(r9)

000C2D9C: 7C090050 sub r0,r0,r9

000C2DA0: F80B09C0 std r0,2496(r11)

To sum that up, it loads an 8-byte (16 hex digit) value into r9, subtracts r9 from r0, and then stores the 8-byte value in r0. Since the 3rd line was erased to prevent HP from decreasing, I see it was normally storing that value at offset $09C0. That offset told me what to look for in programmer's notepad 2. It was also a hunch, since I had found the same infinite HP code for Disgaea 1 & 2 and recalled the HP maximum capacity being just 8 bytes past the current HP address. I changed the code like this to test it:

000C2D98: E9290008 ld r9,8(r9)

000C2D9C: E80B09D0 ld r0,2512(r11)

000C2DA0: F80B09C0 std r0,2496(r11)

Anything that was struck instantly had its HP refilled to its maximum capacity, so when I was hit and didn't already have my unit at full HP, it was now full HP.

I now know to search for offset $09C0 for the current HP of things, and offset $09D0 is the maximum HP capacity of things.

From there, I did a crumb of thinking. When my units start a stage, they start with whatever their HP was from the last stage if I didn't heal them. But no matter where you go, enemies and objects ALWAYS start with full HP. That made me think that the code for their starting HP amount would most likely be 1 line of code that is an "LD" from offset $09D0 followed by 1 line that is an "STD" to offset $09C0. So I went into programmer's notepad 2 and searched for all instances of:

"09D0 LD"

I looked for every instance I saw that had this instance after it:

"09C0 STD"

There are a bunch of instances of that. From there I would change this line:

00??????: E???09D0 ld r?,2512(r?)

into an "LI" instruction that uses the same register and sets a distinct value, so I can tell apart the lines I changed. Here is every last instance so you can't get confused:

0004538C: E80909D0 ld r0,2512(r9)

00045390: F80909C0 std r0,2496(r9)

00055208: E80909D0 ld r0,2512(r9)

0005520C: F80909C0 std r0,2496(r9)

00055324: E80909D0 ld r0,2512(r9)

00055328: F80909C0 std r0,2496(r9)

0006D674: E81F09D0 ld r0,2512(r31)

0006D678: F81F09C0 std r0,2496(r31)

0006EB20: E81B09D0 ld r0,2512(r27)

0006EB24: F81B09C0 std r0,2496(r27)

0006EE34: E81F09D0 ld r0,2512(r31)

0006EE38: F81F09C0 std r0,2496(r31)

0006F19C: E81F09D0 ld r0,2512(r31)

0006F1A0: F81F09C0 std r0,2496(r31)

000765A4: E81F09D0 ld r0,2512(r31)

000765A8: F81F09C0 std r0,2496(r31)

00076868: E81F09D0 ld r0,2512(r31)

0007686C: F81F09C0 std r0,2496(r31)

0007AF38: E80909D0 ld r0,2512(r9)

0007AF3C: F80909C0 std r0,2496(r9)

00080344: E81D09D0 ld r0,2512(r29)

00080348: F81D09C0 std r0,2496(r29)

000B36D8: E80A09D0 ld r0,2512(r10)

000B36DC: F80A09C0 std r0,2496(r10)

000C6E14: E80909D0 ld r0,2512(r9)

000C6E18: F80909C0 std r0,2496(r9)

000C6EEC: E80909D0 ld r0,2512(r9)

000C6EF0: F80909C0 std r0,2496(r9)

000C6FC0: E80909D0 ld r0,2512(r9)

000C6FC4: F80909C0 std r0,2496(r9)

000C7108: E88909D0 ld r4,2512(r9)

000C710C: F88909C0 std r4,2496(r9)

000EF06C: E80909D0 ld r0,2512(r9)

000EF070: F80909C0 std r0,2496(r9)

000EF76C: E80909D0 ld r0,2512(r9)

000EF770: F80909C0 std r0,2496(r9)

00100C78: E80909D0 ld r0,2512(r9)

00100C7C: F80909C0 std r0,2496(r9)

00116C10: E80909D0 ld r0,2512(r9)

00116C14: F80909C0 std r0,2496(r9)

00117684: E80909D0 ld r0,2512(r9)

00117688: F80909C0 std r0,2496(r9)

00121548: E80909D0 ld r0,2512(r9)

0012154C: F80909C0 std r0,2496(r9)

001397C8: E80909D0 ld r0,2512(r9)

001397CC: F80909C0 std r0,2496(r9)

0013BE60: E80909D0 ld r0,2512(r9)

0013BE64: F80909C0 std r0,2496(r9)

00142928: E80909D0 ld r0,2512(r9)

0014292C: F80909C0 std r0,2496(r9)

00142A4C: E80909D0 ld r0,2512(r9)

00142A50: F80909C0 std r0,2496(r9)

001616B0: E80909D0 ld r0,2512(r9)

001616B4: F80909C0 std r0,2496(r9)

001A1664: E80909D0 ld r0,2512(r9)

001A1668: F80909C0 std r0,2496(r9)

001AC0D4: E80909D0 ld r0,2512(r9)

001AC0D8: F80909C0 std r0,2496(r9)

All I did with these is change the load operations into "li" operations that set a specific value, so I could tell which address each effect came from. They all end up like this:

0004538C: 38000001 li r0,1

00045390: F80909C0 std r0,2496(r9)

00055208: 38000003 li r0,3

0005520C: F80909C0 std r0,2496(r9)

00055324: 38000005 li r0,5

00055328: F80909C0 std r0,2496(r9)

0006D674: 38000007 li r0,7

0006D678: F81F09C0 std r0,2496(r31)

0006EB20: 38000009 li r0,9

0006EB24: F81B09C0 std r0,2496(r27)

0006EE34: 3800000B li r0,11

0006EE38: F81F09C0 std r0,2496(r31)

0006F19C: 3800000D li r0,13

0006F1A0: F81F09C0 std r0,2496(r31)

000765A4: 3800000F li r0,15

000765A8: F81F09C0 std r0,2496(r31)

00076868: 38000011 li r0,17

0007686C: F81F09C0 std r0,2496(r31)

0007AF38: 38000013 li r0,19

0007AF3C: F80909C0 std r0,2496(r9)

00080344: 38000015 li r0,21

00080348: F81D09C0 std r0,2496(r29)

000B36D8: 38000017 li r0,23

000B36DC: F80A09C0 std r0,2496(r10)

000C6E14: 38000019 li r0,25

000C6E18: F80909C0 std r0,2496(r9)

000C6EEC: 3800001B li r0,27

000C6EF0: F80909C0 std r0,2496(r9)

000C6FC0: 3800001D li r0,29

000C6FC4: F80909C0 std r0,2496(r9)

000C7108: 3804001F li r4,31

000C710C: F88909C0 std r4,2496(r9)

000EF06C: 38000021 li r0,33

000EF070: F80909C0 std r0,2496(r9)

000EF76C: 38000023 li r0,35

000EF770: F80909C0 std r0,2496(r9)

00100C78: 38000025 li r0,37

00100C7C: F80909C0 std r0,2496(r9)

00116C10: 38000027 li r0,39

00116C14: F80909C0 std r0,2496(r9)

00117684: 38000029 li r0,41

00117688: F80909C0 std r0,2496(r9)

00121548: 3800002B li r0,43

0012154C: F80909C0 std r0,2496(r9)

001397C8: 3800002D li r0,45

001397CC: F80909C0 std r0,2496(r9)

0013BE60: 3800002F li r0,47

0013BE64: F80909C0 std r0,2496(r9)

00142928: 38000031 li r0,49

0014292C: F80909C0 std r0,2496(r9)

00142A4C: 38000033 li r0,51

00142A50: F80909C0 std r0,2496(r9)

001616B0: 38000035 li r0,53

001616B4: F80909C0 std r0,2496(r9)

001A1664: 38000037 li r0,55

001A1668: F80909C0 std r0,2496(r9)

001AC0D4: 38000039 li r0,57

001AC0D8: F80909C0 std r0,2496(r9)

I open HxD and go to those addresses and give them the new values. Upon playing the game, I notice all of these things:

1. When I enter a mystery gate in an item world, the enemies have 3 HP.

2. When I enter an item world, geoblocks, treasure chests, and innocents have 11 HP.

3. The NPCs I can talk to outside of any map, like the people who sell me armors, weapons, items, heal my dead units and restore their HP and SP, the classroom representative, the heart bank lady, the dimension guide, the item world lady, the evilities guy, and those few NPCs all have 15 HP.

4. Class World Dropouts have 19 HP.

5. Item World Enemies have 33 HP.

6. For those few levels that have base panels for enemies, the enemies that came from the base panel had 39 HP.

7. When I went to any story mode levels, all of the enemies had 43 HP.

8. When I wanted to fight the homeroom representatives for denying something, they all had 55 HP.

From that, I knew exactly which addresses did what. There were probably more things I didn't notice, but I could still easily check for them with these results. This took a few hours to individually check all of them because I just played the game through and whenever I noticed the current codes weren't working for certain enemies or objects, I had to go through all of the results again to figure out which exact code worked.

Disgaea 3 - Starting SP Modifiers For Enemies & Objects

I looked at the already found code called "Infinite SP", which is at address 0x000C2DA0 with value 0x60000000. Value 0x60000000 is the NOP instruction (ori r0,r0,0), which turns a single line of code into one that does nothing. I went to address 0x000C2DA0 in programmer's notepad 2. I saw these 3 lines:

00132430: E80B09C8 ld r0,2504(r11)

00132434: 7C090050 sub r0,r0,r9

00132438: F80B09C8 std r0,2504(r11)

The same setup as the "Infinite HP" code, just offset $09C8 instead of offset $09C0. I'd assume it also has the maximum SP capacity limit just 8 bytes after it, so I tested that again like this:

00132430: E80B09C8 ld r0,2504(r11)

00132434: E80B09D8 ld r0,2520(r11)

00132438: F80B09C8 std r0,2504(r11)

I tested it and was correct. When I used my characters that didn't have full SP or had just leveled up and had them do a special attack, their SP refilled to full. That tells me that offset $09C8 is 16 hex digits (8 bytes) holding the current amount of SP something has, offset $09D8 is 16 hex digits holding the current maximum amount of SP something has, and that this area of code is executed when a special attack is executed.

I'm going with the same thinking I used for the "Starting HP Modifier" codes. No matter what area you go to, NPCs, objects, and enemies all start with their SP filled to its maximum amount. That means I'm going to look for something that loads 8 bytes from offset $09D8 followed by the next line storing those 8 bytes at offset $09C8. Just like "09D8 LD" followed by an instance of "09C8 STD".

I'll list every instance again.

0004539C: E80909D8 ld r0,2520(r9)

000453A0: F80909C8 std r0,2504(r9)

For item world mystery gate enemies.

00055218: E80909D8 ld r0,2520(r9)

0005521C: F80909C8 std r0,2504(r9)

00055334: E80909D8 ld r0,2520(r9)

00055338: F80909C8 std r0,2504(r9)

0006D67C: E81F09D8 ld r0,2520(r31)

0006D680: F81F09C8 std r0,2504(r31)

0006EB28: E81B09D8 ld r0,2520(r27)

0006EB2C: F81B09C8 std r0,2504(r27)

For item world geoblocks, treasure chests, and innocents.

0006EE3C: E81F09D8 ld r0,2520(r31)

0006EE40: F81F09C8 std r0,2504(r31)

0006F1A4: E81F09D8 ld r0,2520(r31)

0006F1A8: F81F09C8 std r0,2504(r31)

For Normal World NPCs. Heart banker, shops, item worlder, dimension guide, etc...

000765AC: E81F09D8 ld r0,2520(r31)

000765B0: F81F09C8 std r0,2504(r31)

00076870: E81F09D8 ld r0,2520(r31)

00076874: F81F09C8 std r0,2504(r31)

For Class World Dropouts.

0007AF44: E80909D8 ld r0,2520(r9)

0007AF48: F80909C8 std r0,2504(r9)

0008034C: E81D09D8 ld r0,2520(r29)

00080350: F81D09C8 std r0,2504(r29)

000B36E0: E80A09D8 ld r0,2520(r10)

000B36E4: F80A09C8 std r0,2504(r10)

000C6E20: E80909D8 ld r0,2520(r9)

000C6E24: F80909C8 std r0,2504(r9)

000C6EF8: E80909D8 ld r0,2520(r9)

000C6EFC: F80909C8 std r0,2504(r9)

000C6FCC: E80909D8 ld r0,2520(r9)

000C6FD0: F80909C8 std r0,2504(r9)

000C7150: E80909D8 ld r0,2520(r9)

000C7154: F80909C8 std r0,2504(r9)

For Item World enemies.

000EF078: E80909D8 ld r0,2520(r9)

000EF07C: F80909C8 std r0,2504(r9)

000EF778: E80909D8 ld r0,2520(r9)

000EF77C: F80909C8 std r0,2504(r9)

00100C84: E80909D8 ld r0,2520(r9)

00100C88: F80909C8 std r0,2504(r9)

For story mode level enemies from enemy base panels.

00116C1C: E80909D8 ld r0,2520(r9)

00116C20: F80909C8 std r0,2504(r9)

00117690: E80909D8 ld r0,2520(r9)

00117694: F80909C8 std r0,2504(r9)

For story mode enemies.

00121554: E80909D8 ld r0,2520(r9)

00121558: F80909C8 std r0,2504(r9)

001397D4: E80909D8 ld r0,2520(r9)

001397D8: F80909C8 std r0,2504(r9)

0013BE6C: E80909D8 ld r0,2520(r9)

0013BE70: F80909C8 std r0,2504(r9)

00142934: E80909D8 ld r0,2520(r9)

00142938: F80909C8 std r0,2504(r9)

00142A58: E80909D8 ld r0,2520(r9)

00142A5C: F80909C8 std r0,2504(r9)

001616C0: E80909D8 ld r0,2520(r9)

001616C4: F80909C8 std r0,2504(r9)

For homeroom representatives.

001A1670: E80909D8 ld r0,2520(r9)

001A1674: F80909C8 std r0,2504(r9)

001AC0DC: E80909D8 ld r0,2520(r9)

001AC0E0: F80909C8 std r0,2504(r9)

That is all of them again. Take note of the fact that all of these results are very close to the results I had for the starting HP modifiers. I noticed that after finding a few of them, and just started going back to the starting HP modifier locations and checking a few bytes past them for the instances of "09D8 ld" followed by "09C8 std". Using that, I found all of the starting SP modifiers and didn't need to bother changing the instances of "09D8 ld" into "???? li" like I did for checking the starting HP modifiers. I labeled all of them above. Since all of these were right next to the starting HP modifiers, it took less than a minute to make a package and test them.

Disgaea 3 - All Homeroom Representatives Love You

I honestly had no idea how I would find this. All I could think of was that I had found starting HP & SP modifiers for homeroom representatives, so I went to that area. Not knowing what to do, I just decided to "nop" any "bl" operations I found. Since the starting SP modifier for homeroom representatives is at address 0x001A1670, I went there and searched for " bl 0x". I changed the first 4 results I had, which were:

001A16C8: 4BFF4F75 bl 0x19663c

001A16E0: 4BF08D55 bl 0xaa434

001A1750: 4BFF4EED bl 0x19663c

001A1768: 4BF08CCD bl 0xaa434

Branches always start with " b". I cancelled them by changing the value to 0x60000000, which is "nop". So they became:

001A16C8: 60000000 nop

001A16E0: 60000000 nop

001A1750: 60000000 nop

001A1768: 60000000 nop

When I used these codes, all of the representatives always loathed me on anything, so that tells me that at least one of those 4 that I cancelled had something that determined whether the representatives loved or loathed me. I narrowed it down by doing 2 and then 1 of them.

1. I changed 0x001A16C8 to value 0x60000000, and 0x001A16E0 to 0x60000000. All of them still loathed me, so it's 1 of these 2.

2. I changed 0x001A16C8 to value 0x60000000. They still loathed me, so it was something in this branch that was doing it.

I went to address 0x0019663C and kind of glanced at the whole thing. I had no idea what to do, but there was a large amount of branches. I started off by going to the first few branches and changing them to "nop" by giving them value 0x60000000. I kept doing that and playing the game to see what happened, and with some of them the representatives liked me more, with others they hated me more. After getting sick of doing that because it wasn't telling me much, I just decided to skip past the first half that was loaded with branches and started picking certain registers and setting all instances of them to 0. I ended up seeing register "r31" and only a few instances of it:

001967C8: 3BE00000 li r31,0

00196808: 3BE00000 li r31,0

00196810: 3BE00019 li r31,25

I just changed their values like this:

001967C8: 3BE07FFF li r31,32767

00196808: 3BE07FFF li r31,32767

00196810: 3BE07FFF li r31,32767

I tested that and I guess that was what I was looking for, except it caused some representatives to loathe me instead of love me. From there, I wasn't sure what to do, but I started with a copy of the unmodified EBOOT.ELF again. I checked that function again for any "store" operations and noticed there were none. I checked for register "r31" at the end of the function, and saw:

00196A34: 7FE3FB78 mr r3,r31

That is transferring the value of register "r31" to register "r3". I then tried this:

00196A34: 38037FFF li r3,32767

That had no effect. I was still not sure what to do. I saw many instances of " bl 0x96cbc". I thought to just remove that function. I went to address 0x00096CBC:

00096CBC: 786B0760 rldicl r11,r3,0,59

I removed that entire function by changing it to "blr".

00096CBC: 4E800020 blr

I started the game, the main menu was weird, and I couldn't get into the game because it was stuck looping the new game story. So I undid that and changed it back to what it was. That meant I had to do it the longer way and "nop" all of the "bl"s in that function that went to that other function. I found these:

001967D0: 4BF004ED bl 0x96cbc

001967EC: 4BF004D1 bl 0x96cbc

00196824: 4BF00499 bl 0x96cbc

00196840: 4BF0047D bl 0x96cbc

00196868: 4BF00455 bl 0x96cbc

00196884: 4BF00439 bl 0x96cbc

001968AC: 4BF00411 bl 0x96cbc

001968C8: 4BF003F5 bl 0x96cbc

001968F0: 4BF003CD bl 0x96cbc

0019690C: 4BF003B1 bl 0x96cbc

00196934: 4BF00389 bl 0x96cbc

00196950: 4BF0036D bl 0x96cbc

00196978: 4BF00345 bl 0x96cbc

00196994: 4BF00329 bl 0x96cbc

001969BC: 4BF00301 bl 0x96cbc

001969D8: 4BF002E5 bl 0x96cbc

00196A00: 4BF002BD bl 0x96cbc

00196A1C: 4BF002A1 bl 0x96cbc

That's all of those within the function. I changed them all to "nop".

001967D0: 60000000 nop

001967EC: 60000000 nop

00196824: 60000000 nop

00196840: 60000000 nop

00196868: 60000000 nop

00196884: 60000000 nop

001968AC: 60000000 nop

001968C8: 60000000 nop

001968F0: 60000000 nop

0019690C: 60000000 nop

00196934: 60000000 nop

00196950: 60000000 nop

00196978: 60000000 nop

00196994: 60000000 nop

001969BC: 60000000 nop

001969D8: 60000000 nop

00196A00: 60000000 nop

00196A1C: 60000000 nop

I did a few of those at a time and noticed certain monster type representatives always loved me, so I changed all of these and then all representatives loved me. I made another copy of my unmodified EBOOT.ELF and tried it again, and it didn't work. I remembered I had this at the same time too:

00196A34: 7FE3FB78 mr r3,r31

I changed it back to this again:

00196A34: 38037FFF li r3,32767

I tried it and it was working again. I was happy the code was working but I thought this was a lot of lines and people like patterns, and this would have been a lot of patterns that would take forever to input. So I messed around just a little more because I knew that register "r3" was doing something. I went back to where the function was jumped to.

001A16C8: 4BFF4F75 bl 0x19663c

I decided to see if there were any store operations with register "r3". I saw this:

001A16F0: B07C0418 sth r3,1048(r28)

I also saw this and decided to mess with it just because it was a nearby store operation:

001A170C: B01C0418 sth r0,1048(r28)

I went to the lines before them and changed them to set a specific value. I went to these:

001A16EC: 3863FFFB subi r3,r3,5

001A16F0: B07C0418 sth r3,1048(r28)

001A1708: 7C004A14 add r0,r0,r9

001A170C: B01C0418 sth r0,1048(r28)

And I changed them to these:

001A16EC: 38037FFF li r3,32767

001A16F0: B07C0418 sth r3,1048(r28)

001A1708: 38007FFF li r0,32767

001A170C: B01C0418 sth r0,1048(r28)

I tried that out, and noticed about half of the representatives loved me. So I went a little further down and saw the same exact thing again:

001A1774: 3863FFFB subi r3,r3,5

001A1778: B07C0418 sth r3,1048(r28)

001A1790: 7C004A14 add r0,r0,r9

001A1794: B01C0418 sth r0,1048(r28)

I changed them the same way:

001A1774: 38037FFF li r3,32767

001A1778: B07C0418 sth r3,1048(r28)

001A1790: 38007FFF li r0,32767

001A1794: B01C0418 sth r0,1048(r28)

I played the game again, and everyone loved me. So I tested it again with an unmodified copy of the EBOOT.ELF.

001A16EC: 38037FFF li r3,32767

001A16F0: B07C0418 sth r3,1048(r28)

001A1774: 38037FFF li r3,32767

001A1778: B07C0418 sth r3,1048(r28)

I played again and there was no effect. I was thinking that should have done it. I then thought maybe by some chance it was the other 2, so I tested them with another copy of the unmodified EBOOT.ELF.

001A1708: 38007FFF li r0,32767

001A170C: B01C0418 sth r0,1048(r28)

001A1790: 38007FFF li r0,32767

001A1794: B01C0418 sth r0,1048(r28)

It worked. Another useful code found by accident, and it took a few hours of messing around to get it. Since I now know that offset $0418 is 2 bytes that determine how a representative likes me, I could probably find just 1 line of code to make this work by just searching for any instances of "0418 lhz ", but I'm fine with 2 lines of code. If somebody wants that, they should be able to easily find it themselves.
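The 18 `bl 0x96cbc` lines above all have different hex words even though they call the same function, because a `bl` stores a signed displacement from its own address rather than the target. The following added example (not the post's code) resolves `b`/`bl` words to absolute targets, encodes a `bl` for a given address and target, and lists every call to a chosen target inside a range, which is how the list in this section could be produced instead of collected by hand; `SAMPLE`, `BASE` and the function names are this example's own, with the sample's layout invented around addresses from the post.

```python
import struct


def decode_branch(addr, word):
    """Resolve an I-form `b`/`bl` (primary opcode 18) located at `addr`.
    Returns (mnemonic, absolute_target) or None for any other instruction.
    The 24-bit LI field is a signed byte offset from the branch itself, so
    the same `bl 0x19663c` has a different hex word at every call site."""
    if word >> 26 != 18:
        return None
    li = word & 0x03FFFFFC
    if li & 0x02000000:               # sign-extend the 26-bit displacement
        li -= 0x04000000
    aa, lk = (word >> 1) & 1, word & 1
    target = li if aa else addr + li
    return ("bl" if lk else "b") + ("a" if aa else ""), target & 0xFFFFFFFF


def encode_bl(addr, target):
    """Encode a relative `bl target` to be placed at `addr`."""
    disp = target - addr
    if disp % 4 or not -0x02000000 <= disp < 0x02000000:
        raise ValueError("target not reachable with a 24-bit relative branch")
    return 0x48000001 | (disp & 0x03FFFFFC)


def calls_to(blob, base, target, start=None, end=None):
    """Addresses in [start, end] whose `bl` lands on `target`: the list the
    post compiled by hand for `bl 0x96cbc` inside the function at 0x0019663C.
    Every hit is a candidate for the 60000000 (nop) patch."""
    start = base if start is None else start
    end = base + len(blob) - 4 if end is None else end
    hits = []
    for off in range(0, len(blob) - 3, 4):
        addr = base + off
        if not start <= addr <= end:
            continue
        dec = decode_branch(addr, struct.unpack(">I", blob[off:off + 4])[0])
        if dec is not None and dec[0] == "bl" and dec[1] == target:
            hits.append(addr)
    return hits


# Constructed layout (not the real EBOOT), starting at the post's first
# `bl 0x96cbc` address: two calls to 0x96CBC, a call elsewhere, and fillers.
BASE = 0x001967D0
SAMPLE = struct.pack(">6I",
    encode_bl(BASE + 0x00, 0x00096CBC),   # 001967D0: 4BF004ED bl 0x96cbc
    0x60000000,                           # 001967D4: nop
    0x3BE00000,                           # 001967D8: li r31,0
    encode_bl(BASE + 0x0C, 0x00096CBC),   # 001967DC: bl 0x96cbc
    0x7FE3FB78,                           # 001967E0: mr r3,r31
    encode_bl(BASE + 0x14, 0x0019663C))   # 001967E4: bl 0x19663c (other target)

if __name__ == "__main__":
    print(["%08X" % a for a in calls_to(SAMPLE, BASE, 0x00096CBC)])
```

`decode_branch(0x001A16C8, 0x4BFF4F75)` gives the 0x0019663C the post jumps to, and `encode_bl` reproduces the post's 0x4BF004ED at 0x001967D0. Note that nopping a `bl` also leaves r3 holding whatever the caller put there instead of the callee's return value, which is why the post's patches to r3 and r0 interact with the nops the way they do.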

Disgaea 3 - Aptitudes Percent Modifier

Disgaea 3 - Elemental Resistances Modifier

Disgaea 3 - Move Range Modifier

Disgaea 3 - Jump Height Modifier

Disgaea 3 - Counter Attack Amount Modifier

Disgaea 3 - Lift/Throw Amount Modifier

Disgaea 3 - Attack Range Modifier

Disgaea 3 - EXP Multiplier/Max EXP

Disgaea 3 - Level Modifier

All of these were things I stumbled upon while looking for something else. I did a search for many values in hopes that I would find some useful things that have limits. I searched for the value 99,999,999 throughout the game in Programmer's Notepad. 99,999,999 is 0x05F5E0FF in hex. Since that is 8 hex digits, it takes 2 lines of code to make that value: games usually use 1 line for "lis", which sets the upper 16 bits, and the next line is "ori", which fills in the lower 16 bits. I did a search for all instances of "05F5 lis", and then checked to make sure the next line had "E0FF ori". I checked the first 3 lines after those 2 lines to see if there was a " cmpw " line followed by a " ble- " line. These are all of the instances I ended up with:

Looking for 99,999,999, which is 0x05F5E0FF.

00180278: 3D6005F5 lis r11,1525

0018027C: 616BE0FF ori r11,r11,57599

0017FFEC: 3D2005F5 lis r9,1525

0017FFF0: 6129E0FF ori r9,r9,57599

0015F344: 3F6005F5 lis r27,1525

0015F348: 637BE0FF ori r27,r27,57599

001108B0: 3D2005F5 lis r9,1525

001108B4: 6129E0FF ori r9,r9,57599

000CB62C: 3D2005F5 lis r9,1525

000CB630: 6129E0FF ori r9,r9,57599

000CB3C4: 3D2005F5 lis r9,1525

000CB3C8: 6129E0FF ori r9,r9,57599

000C3DF0: 3D2005F5 lis r9,1525

000C3DF4: 6129E0FF ori r9,r9,57599

00072564: 3D2005F5 lis r9,1525

00072568: 6129E0FF ori r9,r9,57599

0006E108: 3D2005F5 lis r9,1525

0006E10C: 6129E0FF ori r9,r9,57599

0006DEA4: 3D2005F5 lis r9,1525

0006DEA8: 6129E0FF ori r9,r9,57599

0006CEF8: 3D6005F5 lis r11,1525

0006CEFC: 616BE0FF ori r11,r11,57599

All characters' stats that weren't HP or SP were 0.

0006A994: 3D0005F5 lis r8,1525

0006A998: 6108E0FF ori r8,r8,57599

0006A860: 3D2005F5 lis r9,1525

0006A864: 6129E0FF ori r9,r9,57599

All characters' HP & SP were less than 5.

0001D1A4: 3C0005F5 lis r0,1525

0001D1A8: 6000E0FF ori r0,r0,57599

I have already marked those 2, and here is what I changed all of them to:

00180278: 3D600000 lis r11,0

0018027C: 616B0001 ori r11,r11,1

0017FFEC: 3D200000 lis r9,0

0017FFF0: 61290003 ori r9,r9,3

0015F344: 3F600000 lis r27,0

0015F348: 637B0005 ori r27,r27,5

001108B0: 3D200000 lis r9,0

001108B4: 61290007 ori r9,r9,7

000CB62C: 3D200000 lis r9,0

000CB630: 61290009 ori r9,r9,9

000CB3C4: 3D200000 lis r9,0

000CB3C8: 6129000B ori r9,r9,11

000C3DF0: 3D200000 lis r9,0

000C3DF4: 6129000D ori r9,r9,13

00072564: 3D200000 lis r9,0

00072568: 6129000F ori r9,r9,15

0006E108: 3D200000 lis r9,0

0006E10C: 61290011 ori r9,r9,17

0006DEA4: 3D200000 lis r9,0

0006DEA8: 61290013 ori r9,r9,19

0006CEF8: 3D600000 lis r11,0

0006CEFC: 616B0015 ori r11,r11,21

All characters' stats that weren't HP or SP were 0.

0006A994: 3D000000 lis r8,0

0006A998: 61080017 ori r8,r8,23

0006A860: 3D200000 lis r9,0

0006A864: 61290019 ori r9,r9,25

All characters' HP & SP were less than 5.

0001D1A4: 3C000000 lis r0,0

0001D1A8: 6000001B ori r0,r0,27

That told me exactly which one of those did those 2 effects.

Out of curiosity, I noticed those 2 codes are within the same function. I decided to mess with anything else I saw as a limiting thing. The way to spot limits is that they usually take one of two shapes. Either the limit is defined by 2 lines like above, a "lis" followed by an "ori", and then compared with a "cmp" operation; or it is just 1 line, a "cmpwi" that holds the value to compare against. The next line after the compare is a branch: "blt" for branch if less than, "ble" for branch if less than or equal, "bgt" for branch if greater than, or "bge" for branch if greater than or equal to. That branch usually only skips a few of the next lines, and one of the lines it skips (or one of the next few lines right after them) is a store operation. That last sentence would probably just baffle you. I went to address 0x0006CEF8 and searched backwards for the previous instance of "4E800020 blr", because that tells me where the previous function ended, so the next line is the start of the function that contains these 2 codes. I end up with:

0006A38C: 4E800020 blr

So this function starts at address 0x0006A390. I now search for the next instance of "4E800020 blr" so I know where this function ends. I end up with:

0006D108: 4E800020 blr

I now know this function starts at address 0x0006A390 and ends at 0x0006D108. So I go to address 0x0006A390 and start searching for instances of "bl". If that seems odd, it's because searching for "bl" catches both of the 2 branch types I'm looking for, "blt" and "ble". I'll end up encountering many things that are not what I'm looking for, but I'll just try them all anyway. Here's the list of things that I ended up with:

0006A458: 419C0190 blt- cr7,0x6a5e8

0006A4C8: 409D0094 ble- cr7,0x6a55c

0006A640: 409D0008 ble- cr7,0x6a648

0006A650: 409D0010 ble- cr7,0x6a660

0006A734: 409D0008 ble- cr7,0x6a73c

0006A7FC: 40FD0054 ble+ cr7,0x6a850

0006A86C: 409D0008 ble- cr7,0x6a874

0006A8E8: 409D0134 ble- cr7,0x6aa1c

0006A9D0: 409D0008 ble- cr7,0x6a9d8

0006AA7C: 409D000C ble- cr7,0x6aa88

0006AA90: 409D0008 ble- cr7,0x6aa98

0006AD00: 409D001C ble- cr7,0x6ad1c

0006AD40: 409D00A0 ble- cr7,0x6ade0

0006ADAC: 409D0034 ble- cr7,0x6ade0

0006AE94: 409D0008 ble- cr7,0x6ae9c

0006AEDC: 409D0008 ble- cr7,0x6aee4

0006AF0C: 409D0008 ble- cr7,0x6af14

0006AF40: 409D0008 ble- cr7,0x6af48

0006AF60: 409D000C ble- cr7,0x6af6c

0006AF74: 409D000C ble- cr7,0x6af80

0006AF88: 409D000C ble- cr7,0x6af94

0006AF9C: 409D000C ble- cr7,0x6afa8

0006AFB0: 409D000C ble- cr7,0x6afbc

0006B018: 409D0020 ble- cr7,0x6b038

0006B0C4: 409D0008 ble- cr7,0x6b0cc

0006B130: 409D0040 ble- cr7,0x6b170

0006B28C: 409D0008 ble- cr7,0x6b294

0006B29C: 409D0008 ble- cr7,0x6b2a4

0006B310: 409D000C ble- cr7,0x6b31c

0006B43C: 409D0010 ble- cr7,0x6b44c

0006B4E0: 409D0024 ble- cr7,0x6b504

0006B4F8: 409D000C ble- cr7,0x6b504

0006B51C: 409D0024 ble- cr7,0x6b540

0006B534: 409D000C ble- cr7,0x6b540

0006B558: 409D0024 ble- cr7,0x6b57c

0006B570: 409D000C ble- cr7,0x6b57c

0006B594: 409D0030 ble- cr7,0x6b5c4

0006B5DC: 409D0030 ble- cr7,0x6b60c

0006B62C: 409D002C ble- cr7,0x6b658

0006B864: 419C0014 blt- cr7,0x6b878

0006B9B4: 419C0014 blt- cr7,0x6b9c8

0006BB20: 419C0014 blt- cr7,0x6bb34

0006BDE8: 419C0014 blt- cr7,0x6bdfc

0006BF38: 419C0014 blt- cr7,0x6bf4c

0006BF98: 409D10D4 ble- cr7,0x6d06c

0006C050: 409D000C ble- cr7,0x6c05c

0006C084: 409D0024 ble- cr7,0x6c0a8

0006C09C: 409D000C ble- cr7,0x6c0a8

0006C174: 409D0030 ble- cr7,0x6c1a4

0006C218: 409D051C ble- cr7,0x6c734

0006C264: 409D0030 ble- cr7,0x6c294

0006C2AC: 409D0030 ble- cr7,0x6c2dc

0006C2F4: 409D0440 ble- cr7,0x6c734

0006C340: 409D0030 ble- cr7,0x6c370

0006C388: 409D03AC ble- cr7,0x6c734

0006C3D4: 409D0030 ble- cr7,0x6c404

0006C41C: 409D0318 ble- cr7,0x6c734

0006C468: 409D02CC ble- cr7,0x6c734

0006C4B4: 409D0030 ble- cr7,0x6c4e4

0006C4FC: 409D0238 ble- cr7,0x6c734

0006C550: 409D0030 ble- cr7,0x6c580

0006C598: 409D019C ble- cr7,0x6c734

0006C5E4: 409D0030 ble- cr7,0x6c614

0006C62C: 409D0030 ble- cr7,0x6c65c

0006C674: 409D0030 ble- cr7,0x6c6a4

0006C6BC: 409D0030 ble- cr7,0x6c6ec

0006C704: 409D0030 ble- cr7,0x6c734

0006C7E8: 409D02E0 ble- cr7,0x6cac8

0006C834: 409D0030 ble- cr7,0x6c864

0006C868: 409D0260 ble- cr7,0x6cac8

0006C890: 409D0238 ble- cr7,0x6cac8

0006C8C8: 409D0200 ble- cr7,0x6cac8

0006CA54: 409D000C ble- cr7,0x6ca60

0006CA80: 409D000C ble- cr7,0x6ca8c

0006CAAC: 409D000C ble- cr7,0x6cab8

0006CB68: 409D000C ble- cr7,0x6cb74

0006CBA4: 409D000C ble- cr7,0x6cbb0

0006CBDC: 409D000C ble- cr7,0x6cbe8

0006CC14: 409D000C ble- cr7,0x6cc20

0006CC4C: 409D000C ble- cr7,0x6cc58

0006CEF4: 409D001C ble- cr7,0x6cf10

0006CF08: 409D0008 ble- cr7,0x6cf10

0006CF58: 409D0008 ble- cr7,0x6cf60

0006CF9C: 409D000C ble- cr7,0x6cfa8

0006CFB0: 409D000C ble- cr7,0x6cfbc

0006CFC4: 409D000C ble- cr7,0x6cfd0

0006CFD8: 409D000C ble- cr7,0x6cfe4

0006D004: 409D0008 ble- cr7,0x6d00c

0006D018: 409D00AC ble- cr7,0x6d0c4

0006D0BC: 409DE024 ble+ cr7,0x6b0e0

That's all of them, and that's exactly 90 results. From there, I just "nop" all of them so that anything that may be enforcing limits will just set everything to its maximum value, and play the game to see what has changed. I get another copy of the unmodified EBOOT.ELF, open it up with HxD, and this is what I change all of them to:

0006A458: 60000000 nop

0006A4C8: 60000000 nop

0006A640: 60000000 nop

0006A650: 60000000 nop

0006A734: 60000000 nop

0006A7FC: 60000000 nop

0006A86C: 60000000 nop

0006A8E8: 60000000 nop

0006A9D0: 60000000 nop

0006AA7C: 60000000 nop

0006AA90: 60000000 nop

0006AD00: 60000000 nop

0006AD40: 60000000 nop

0006ADAC: 60000000 nop

0006AE94: 60000000 nop

0006AEDC: 60000000 nop

0006AF0C: 60000000 nop

0006AF40: 60000000 nop

0006AF60: 60000000 nop

0006AF74: 60000000 nop

0006AF88: 60000000 nop

0006AF9C: 60000000 nop

0006AFB0: 60000000 nop

0006B018: 60000000 nop

0006B0C4: 60000000 nop

0006B130: 60000000 nop

0006B28C: 60000000 nop

0006B29C: 60000000 nop

0006B310: 60000000 nop

0006B43C: 60000000 nop

0006B4E0: 60000000 nop

0006B4F8: 60000000 nop

0006B51C: 60000000 nop

0006B534: 60000000 nop

0006B558: 60000000 nop

0006B570: 60000000 nop

0006B594: 60000000 nop

0006B5DC: 60000000 nop

0006B62C: 60000000 nop

0006B864: 60000000 nop

0006B9B4: 60000000 nop

0006BB20: 60000000 nop

0006BDE8: 60000000 nop

0006BF38: 60000000 nop

0006BF98: 60000000 nop

0006C050: 60000000 nop

0006C084: 60000000 nop

0006C09C: 60000000 nop

0006C174: 60000000 nop

0006C218: 60000000 nop

0006C264: 60000000 nop

0006C2AC: 60000000 nop

0006C2F4: 60000000 nop

0006C340: 60000000 nop

0006C388: 60000000 nop

0006C3D4: 60000000 nop

0006C41C: 60000000 nop

0006C468: 60000000 nop

0006C4B4: 60000000 nop

0006C4FC: 60000000 nop

0006C550: 60000000 nop

0006C598: 60000000 nop

0006C5E4: 60000000 nop

0006C62C: 60000000 nop

0006C674: 60000000 nop

0006C6BC: 60000000 nop

0006C704: 60000000 nop

0006C7E8: 60000000 nop

0006C834: 60000000 nop

0006C868: 60000000 nop

0006C890: 60000000 nop

0006C8C8: 60000000 nop

0006CA54: 60000000 nop

0006CA80: 60000000 nop

0006CAAC: 60000000 nop

0006CB68: 60000000 nop

0006CBA4: 60000000 nop

0006CBDC: 60000000 nop

0006CC14: 60000000 nop

0006CC4C: 60000000 nop

0006CEF4: 60000000 nop

0006CF08: 60000000 nop

0006CF58: 60000000 nop

0006CF9C: 60000000 nop

0006CFB0: 60000000 nop

0006CFC4: 60000000 nop

0006CFD8: 60000000 nop

0006D004: 60000000 nop

0006D018: 60000000 nop

0006D0BC: 60000000 nop

I played the game, and these are all of the things I noticed:

Everything had 99,999,999 HP, SP, ATK, DEF, INT, RES, HIT, and SPD.

Everything was at level 9,999, and its EXP was at its max.

Everything had 32 MOV, 99 JMP, 9 Attack Range, 9 Counters, 9 Lift/Throw Range, 5% Critical, and 99% Fire, Wind, and Ice.

I couldn't create or reincarnate characters because a menu in the stuff didn't appear, and I couldn't back out of it either.

I selected an enemy and the game froze.

Nothing could be damaged, SP couldn't be decreased, and Counters couldn't be decreased.

All aptitudes were at 255%.

Since I know all of those values are the same for every character except for each character's max EXP amount (and I'm not sure about the Critical thing), I'll just check for the ones with specific max values first. Here were the ones that had instances of "0009 cmp", and a bit of explaining:

0006B56C: 2B800009 cmplwi cr7,r0,9 It's comparing whatever value register "r0" is to the number 9.

0006B570: 409D000C ble- cr7,0x6b57c If "r0" was less than or equal to 9, then skip the next 2 lines of code.

0006B574: 38000009 li r0,9 "r0" was greater than 9, so set register "r0" to the value 9.

0006B578: 98180ACA stb r0,2762(r24) "r0" was greater than 9, so store register "r0", which is now 9, to the offset $0ACA of register "r24".

0006CBD8: 2FA90009 cmpdi cr7,r9,9 It's comparing whatever value register "r9" is to the number 9.

0006CBDC: 409D000C ble- cr7,0x6cbe8 If "r9" was less than or equal to 9, then skip the next 2 lines of code.

0006CBE0: 39200009 li r9,9 "r9" was greater than 9, so set register "r9" to the value 9.

0006CBE4: 48000010 b 0x6cbf4 "r9" was greater than 9, and now it's going to jump to address 0x0006CBF4 and continue doing whatever.

0006CC10: 2FA90009 cmpdi cr7,r9,9 It's comparing whatever value register "r9" is to the number 9.

0006CC14: 409D000C ble- cr7,0x6cc20 If "r9" was less than or equal to 9, then skip the next 2 lines of code.

0006CC18: 39200009 li r9,9 "r9" was greater than 9, so set register "r9" to the value 9.

0006CC1C: 48000010 b 0x6cc2c "r9" was greater than 9, and now it's going to jump to address 0x0006CC2C and continue doing whatever.

0006CF98: 2B800009 cmplwi cr7,r0,9 It's comparing whatever value register "r0" is to the number 9.

0006CF9C: 409D000C ble- cr7,0x6cfa8 If "r0" was less than or equal to 9, then skip the next 2 lines of code.

0006CFA0: 38000009 li r0,9 "r0" was greater than 9, so set register "r0" to the value 9.

0006CFA4: 98180AC9 stb r0,2761(r24) "r0" was greater than 9, so store register "r0", which is now 9, to the offset $0AC9 of register "r24".

0006CFAC: 2B800009 cmplwi cr7,r0,9 It's comparing whatever value register "r0" is to the number 9.

0006CFB0: 409D000C ble- cr7,0x6cfbc If "r0" was less than or equal to 9, then skip the next 2 lines of code.

0006CFB4: 38000009 li r0,9 "r0" was greater than 9, so set register "r0" to the value 9.

0006CFB8: 98180ACA stb r0,2762(r24) "r0" was greater than 9, so store register "r0", which is now 9, to the offset $0ACA of register "r24".

0006CFD4: 2B800009 cmplwi cr7,r0,9 It's comparing whatever value register "r0" is to the number 9.

0006CFD8: 409D000C ble- cr7,0x6cfe4 If "r0" was less than or equal to 9, then skip the next 2 lines of code.

0006CFDC: 38000009 li r0,9 "r0" was greater than 9, so set register "r0" to the value 9.

0006CFE0: 98180AD6 stb r0,2774(r24) "r0" was greater than 9, so store register "r0", which is now 9, to the offset $0AD6 of register "r24".

That's the 6 of them. This is how I'll change them:

0006B56C: 2B800009 cmplwi cr7,r0,9

0006B570: 60000000 nop No more branching depending on whether register "r0" was less than or equal to 9.

0006B574: 38000001 li r0,1 I'm now setting register "r0" to always be 1.

0006B578: 98180ACA stb r0,2762(r24)

0006CBD8: 2FA90009 cmpdi cr7,r9,9

0006CBDC: 60000000 nop No more branching depending on whether register "r9" was less than or equal to 9.

0006CBE0: 39200003 li r9,3 I'm now setting register "r9" to always be 3.

0006CBE4: 48000010 b 0x6cbf4

0006CC10: 2FA90009 cmpdi cr7,r9,9

0006CC14: 60000000 nop No more branching depending on whether register "r9" was less than or equal to 9.

0006CC18: 39200005 li r9,5 I'm now setting register "r9" to always be 5.

0006CC1C: 48000010 b 0x6cc2c

0006CF98: 2B800009 cmplwi cr7,r0,9

0006CF9C: 60000000 nop No more branching depending on whether register "r0" was less than or equal to 9.

0006CFA0: 38000007 li r0,7 I'm now setting register "r0" to always be 7.

0006CFA4: 98180AC9 stb r0,2761(r24)

0006CFAC: 2B800009 cmplwi cr7,r0,9

0006CFB0: 60000000 nop No more branching depending on whether register "r0" was less than or equal to 9.

0006CFB4: 38000009 li r0,9 I'm now setting register "r0" to always be 9.

0006CFB8: 98180ACA stb r0,2762(r24)

0006CFD4: 2B800009 cmplwi cr7,r0,9

0006CFD8: 60000000 nop No more branching depending on whether register "r0" was less than or equal to 9.

0006CFDC: 3800000B li r0,11 I'm now setting register "r0" to always be 11.

0006CFE0: 98180AD6 stb r0,2774(r24)

So I tried all of these and ended up with these:

All Counter Attacks were 7.

All Lift/Throw Amounts were 9.

All Attack Ranges were 11.

I now know which codes these are.
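The clamp sequences walked through above (a "cmp" against a constant, a short "ble" over a "li" and a store) and the "lis"/"ori" pairs searched for earlier all come down to a handful of PowerPC encodings. The Python below is an added example, not tooling from the post: it decodes those forms, encodes "li"/"lis"/"ori" words so a patch's hex can be checked before it is typed into HxD, and scans a byte image for the compare/short-branch/li pattern. The instruction words in the sample are the ones quoted in the post; the sample's layout, the base address of everything after the first clamp, and the function names are my own.

```python
# Added example (not the post's own tooling): decode the few PowerPC instruction
# forms the post relies on, encode correct li/lis/ori words, and scan a byte
# image for the compare/short-branch/li clamp sequence that enforces a limit.
import struct

NOP = 0x60000000  # ori r0,r0,0: the word the post writes over a branch to cancel it

# Conditional branch mnemonic by (branch-if-true?, CR bit): bit 0=LT, 1=GT, 2=EQ.
_COND = {(False, 0): "bge", (False, 1): "ble", (False, 2): "bne",
         (True, 0): "blt", (True, 1): "bgt", (True, 2): "beq"}


def sign16(v: int) -> int:
    return v - 0x10000 if v & 0x8000 else v


def encode_li(rd: int, imm: int) -> int:
    """li rD,SIMM is addi rD,0,SIMM: opcode 14, rD in bits 6-10, rA=0 in bits 11-15."""
    return (14 << 26) | (rd << 21) | (imm & 0xFFFF)


def encode_lis_ori(rd: int, value: int) -> tuple:
    """32-bit constant as the compiler emits it: lis rD,HI (addis) then ori rD,rD,LO."""
    hi, lo = (value >> 16) & 0xFFFF, value & 0xFFFF
    return (15 << 26) | (rd << 21) | hi, (24 << 26) | (rd << 21) | (rd << 16) | lo


def decode(word: int, addr: int) -> dict:
    """Classify one big-endian instruction word; forms not handled here decode to '?'."""
    op, rd, ra, imm = word >> 26, (word >> 21) & 31, (word >> 16) & 31, word & 0xFFFF
    if op == 14:
        return {"op": "li" if ra == 0 else "addi", "rd": rd, "ra": ra, "imm": sign16(imm)}
    if op == 15 and ra == 0:
        return {"op": "lis", "rd": rd, "imm": imm}
    if op == 24:
        return {"op": "ori", "rs": rd, "ra": ra, "imm": imm}
    if op in (10, 11):  # cmpli / cmpi: crfD in bits 6-8, L (64-bit) in bit 10, rA, imm
        signed, crf, wide = op == 11, (word >> 23) & 7, (word >> 21) & 1
        name = ("cmp" if signed else "cmpl") + ("d" if wide else "w") + "i"
        return {"op": name, "cmp": True, "crf": crf, "ra": ra,
                "imm": sign16(imm) if signed else imm}
    if op == 16:  # bc: BO bits 6-10, BI bits 11-15, BD bits 16-29, AA bit 30, LK bit 31
        bo, bi = rd, ra
        kind = bo >> 2  # 1 = branch if CR bit false, 3 = branch if CR bit true
        if kind not in (1, 3) or (bi & 3) == 3:
            return {"op": "bc"}
        disp = sign16(word & 0xFFFC)  # byte displacement, sign-extended
        return {"op": _COND[(kind == 3, bi & 3)], "crf": bi >> 2, "disp": disp,
                "target": disp if word & 2 else addr + disp, "link": bool(word & 1)}
    return {"op": "?"}


def words(image: bytes) -> list:
    return [w for (w,) in struct.iter_unpack(">I", image)]


def find_clamps(image: bytes, base: int, max_skip: int = 0x14) -> list:
    """Find 'cmpXi rA,LIMIT; ble/bge/blt/bgt +8..+max_skip; ...; li rA,LIMIT' sequences.

    That is the shape of the limit checks hunted for in the post: compare a register
    against a constant, branch a few words forward if it is in range, otherwise clamp
    it with li. Each hit records the branch word and the nop that would cancel it.
    """
    ws, hits = words(image), []
    for i in range(len(ws) - 1):
        cmp = decode(ws[i], base + 4 * i)
        if not cmp.get("cmp"):
            continue
        br = decode(ws[i + 1], base + 4 * (i + 1))
        if br["op"] not in ("ble", "bge", "blt", "bgt") or br["crf"] != cmp["crf"]:
            continue
        if not 8 <= br["disp"] <= max_skip:
            continue
        for j in range(i + 2, min(i + 1 + br["disp"] // 4, len(ws))):  # skipped words
            li = decode(ws[j], base + 4 * j)
            if li["op"] == "li" and li["rd"] == cmp["ra"]:
                hits.append({"cmp_addr": base + 4 * i, "reg": cmp["ra"], "limit": cmp["imm"],
                             "branch_addr": base + 4 * (i + 1), "branch_word": ws[i + 1],
                             "li_addr": base + 4 * j, "patched_branch": NOP})
                break
    return hits


def find_constants(image: bytes, base: int) -> list:
    """Find lis rD,HI / ori rD,rD,LO pairs; returns (addr, rD, 32-bit value) per pair."""
    ws, out = words(image), []
    for i in range(len(ws) - 1):
        a, b = decode(ws[i], base + 4 * i), decode(ws[i + 1], base + 4 * i + 4)
        if a["op"] == "lis" and b["op"] == "ori" and b["rs"] == b["ra"] == a["rd"]:
            out.append((base + 4 * i, a["rd"], (a["imm"] << 16) | b["imm"]))
    return out


# Constructed image: instruction words quoted in the post, laid back to back from a
# made-up base so that only the first clamp sits at the address the post gives it.
BASE = 0x0006CBD8
SAMPLE = struct.pack(">11I",
                     0x2FA90009, 0x409D000C, 0x39200009, 0x48000010,  # cmpdi/ble/li/b
                     0x3D6005F5, 0x616BE0FF,                          # lis/ori 99,999,999
                     0x2B800020, 0x409D000C, 0x38000020, 0x98180AC7,  # cmplwi/ble/li/stb
                     0x4E800020)                                      # blr

if __name__ == "__main__":
    for h in find_clamps(SAMPLE, BASE):
        print(f"{h['cmp_addr']:08X}: r{h['reg']} clamped to {h['limit']}; branch "
              f"{h['branch_word']:08X} at {h['branch_addr']:08X} -> {h['patched_branch']:08X}")
    for addr, rd, val in find_constants(SAMPLE, BASE):
        print(f"{addr:08X}: r{rd} = {val} (0x{val:08X})")
    print(f"li r3,32767 encodes as {encode_li(3, 32767):08X}")
```

Running it on a real EBOOT.ELF means reading the file, picking the load address of the code segment as `base`, and raising `max_skip` if the game's clamps skip more than five words.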

Next up, the maximum MOV value was 32, so next is to search for the instances of "0020 cmp". These are all of them:

0006CFC0: 2B800020 cmplwi cr7,r0,32 It's comparing whatever value register "r0" is to the number 32.

0006CFC4: 409D000C ble- cr7,0x6cfd0 If "r0" was less than or equal to 32, then skip the next 2 lines of code.

0006CFC8: 38000020 li r0,32 "r0" was greater than 32, so set register "r0" to the value 32.

0006CFCC: 98180AC7 stb r0,2759(r24) "r0" was greater than 32, so store register "r0", which is now 32, to the offset $0AC7 of register "r24".

That's the only 1 I see. I'll just try setting it to 17 like this:

0006CFC0: 2B800020 cmplwi cr7,r0,32

0006CFC4: 60000000 nop No more branching depending on whether register "r0" was less than or equal to 32.

0006CFC8: 38000011 li r0,17 I'm now setting register "r0" to always be 17.

0006CFCC: 98180AC7 stb r0,2759(r24)

I tried it out, and now the MOV value of everything is 17, so I've now found that code too. Next up is the JUMP value and Elemental Resistance values. I'll search for comparisons to 99, which is "0063 cmp". These are what I find:

0006B288: 2F990063 cmpwi cr7,r25,99 It's comparing whatever value register "r25" is to the number 99.

0006B28C: 409D0008 ble- cr7,0x6b294 If "r25" was less than or equal to 99, then skip the next 1 line of code.

0006B290: 3B200063 li r25,99 "r25" was greater than 99, so set register "r25" to the value 99.

0006B294: 9B380AC7 stb r25,2759(r24) Store register "r25", which is now 99, to the offset $0AC7 of register "r24".

0006B298: 2F9A0063 cmpwi cr7,r26,99 It's comparing whatever value register "r26" is to the number 99.

0006B29C: 409D0008 ble- cr7,0x6b2a4 If "r26" was less than or equal to 99, then skip the next 1 line of code.

0006B2A0: 3B400063 li r26,99 "r26" was greater than 99, so set register "r26" to the value 99.

0006B2A4: 9B580AC5 stb r26,2757(r24) Store register "r26", which is now 99, to the offset $0AC5 of register "r24".

0006B4F4: 2B800063 cmplwi cr7,r0,99 It's comparing whatever value register "r0" is to the number 99.

0006B4F8: 409D000C ble- cr7,0x6b504 If "r0" was less than or equal to 99, then skip the next 2 lines of code.

0006B4FC: 38000063 li r0,99 "r0" was greater than 99, so set register "r0" to the value 99.

0006B500: 98180AC7 stb r0,2759(r24) "r0" was greater than 99, so store register "r0", which is now 99, to the offset $0AC7 of register "r24".

0006B530: 2F800063 cmpwi cr7,r0,99 It's comparing whatever value register "r0" is to the number 99.

0006B534: 409D000C ble- cr7,0x6b540 If "r0" was less than or equal to 99, then skip the next 2 lines of code.

0006B538: 38000063 li r0,99 "r0" was greater than 99, so set register "r0" to the value 99.

0006B53C: 98180AC5 stb r0,2757(r24) "r0" was greater than 99, so store register "r0", which is now 99, to the offset $0AC5 of register "r24".

0006C04C: 2B800063 cmplwi cr7,r0,99 It's comparing whatever value register "r0" is to the number 99.

0006C050: 409D000C ble- cr7,0x6c05c If "r0" was less than or equal to 99, then skip the next 2 lines of code.

0006C054: 38000063 li r0,99 "r0" was greater than 99, so set register "r0" to the value 99.

0006C058: 98180AC7 stb r0,2759(r24) "r0" was greater than 99, so store register "r0", which is now 99, to the offset $0AC7 of register "r24".

0006C098: 2B800063 cmplwi cr7,r0,99 It's comparing whatever value register "r0" is to the number 99.

0006C09C: 409D000C ble- cr7,0x6c0a8 If "r0" was less than or equal to 99, then skip the next 2 lines of code.

0006C0A0: 38000063 li r0,99 "r0" was greater than 99, so set register "r0" to the value 99.

0006C0A4: 98180AC7 stb r0,2759(r24) "r0" was greater than 99, so store register "r0", which is now 99, to the offset $0AC7 of register "r24".

0006CA50: 2FA00063 cmpdi cr7,r0,99 It's comparing whatever value register "r0" is to the number 99.

0006CA54: 409D000C ble- cr7,0x6ca60 If "r0" was less than or equal to 99, then skip the next 2 lines of code.

0006CA58: 38000063 li r0,99 "r0" was greater than 99, so set register "r0" to the value 99.

0006CA5C: 48000010 b 0x6ca6c "r0" was greater than 99, and now it's going to jump to address 0x0006CA6C and continue doing whatever.

0006CA7C: 2FA00063 cmpdi cr7,r0,99 It's comparing whatever value register "r0" is to the number 99.

0006CA80: 409D000C ble- cr7,0x6ca8c If "r0" was less than or equal to 99, then skip the next 2 lines of code.

0006CA84: 38000063 li r0,99 "r0" was greater than 99, so set register "r0" to the value 99.

0006CA88: 48000010 b 0x6ca98 "r0" was greater than 99, and now it's going to jump to address 0x0006CA98 and continue doing whatever.

0006CAA8: 2FA00063 cmpdi cr7,r0,99 It's comparing whatever value register "r0" is to the number 99.

0006CAAC: 409D000C ble- cr7,0x6cab8 If "r0" was less than or equal to 99, then skip the next 2 lines of code.

0006CAB0: 38000063 li r0,99 "r0" was greater than 99, so set register "r0" to the value 99.

0006CAB4: 48000010 b 0x6cac4 "r0" was greater than 99, and now it's going to jump to address 0x0006CAC4 and continue doing whatever.

0006CB64: 2FA00063 cmpdi cr7,r0,99 It's comparing whatever value register "r0" is to the number 99.

0006CB68: 409D000C ble- cr7,0x6cb74 If "r0" was less than or equal to 99, then skip the next 2 lines of code.

0006CB6C: 38000063 li r0,99 "r0" was greater than 99, so set register "r0" to the value 99.

0006CB70: 48000010 b 0x6cb80 "r0" was greater than 99, and now it's going to jump to address 0x0006CB80 and continue doing whatever.

0006CBA0: 2FA00063 cmpdi cr7,r0,99 It's comparing whatever value register "r0" is to the number 99.

0006CBA4: 409D000C ble- cr7,0x6cbb0 If "r0" was less than or equal to 99, then skip the next 2 lines of code.

0006CBA8: 38000063 li r0,99 "r0" was greater than 99, so set register "r0" to the value 99.

0006CBAC: 48000010 b 0x6cbbc "r0" was greater than 99, and now it's going to jump to address 0x0006CBBC and continue doing whatever.

0006CC48: 2FA90063 cmpdi cr7,r9,99 It's comparing whatever value register "r9" is to the number 99.

0006CC4C: 409D000C ble- cr7,0x6cc58 If "r9" was less than or equal to 99, then skip the next 2 lines of code.

0006CC50: 39200063 li r9,99 "r9" was greater than 99, so set register "r9" to the value 99.

0006CC54: 48000010 b 0x6cc64 "r9" was greater than 99, and now it's going to jump to address 0x0006CC64 and continue doing whatever.

0006CF54: 2FA00063 cmpdi cr7,r0,99 It's comparing whatever value register "r0" is to the number 99.

0006CF58: 409D0008 ble- cr7,0x6cf60 If "r0" was less than or equal to 99, then skip the next 1 line of code.

0006CF5C: F8E90000 std r7,0(r9) "r0" was greater than 99, so store whatever register "r7" is to the offset $0000 of register "r9".

I'm now just going to cancel the branches again and change the values of the "li" operations.

0006B288: 2F990063 cmpwi cr7,r25,99

0006B28C: 60000000 nop No more branching depending on whether register "r25" was less than or equal to 99.

0006B290: 3B200001 li r25,1 I'm now setting register "r25" to always be 1.

0006B294: 9B380AC7 stb r25,2759(r24)

0006B298: 2F9A0063 cmpwi cr7,r26,99

0006B29C: 60000000 nop No more branching depending on whether register "r26" was less than or equal to 99.

0006B2A0: 3B400003 li r26,3 I'm now setting register "r26" to always be 3.

0006B2A4: 9B580AC5 stb r26,2757(r24)

0006B4F4: 2B800063 cmplwi cr7,r0,99

0006B4F8: 60000000 nop No more branching depending on whether register "r0" was less than or equal to 99.

0006B4FC: 38000005 li r0,5 I'm now setting register "r0" to always be 5.

0006B500: 98180AC7 stb r0,2759(r24)

0006B530: 2F800063 cmpwi cr7,r0,99

0006B534: 60000000 nop No more branching depending on whether register "r0" was less than or equal to 99.

0006B538: 38000007 li r0,7 I'm now setting register "r0" to always be 7.

0006B53C: 98180AC5 stb r0,2757(r24)

0006C04C: 2B800063 cmplwi cr7,r0,99

0006C050: 60000000 nop No more branching depending on whether register "r0" was less than or equal to 99.

0006C054: 38000009 li r0,9 I'm now setting register "r0" to always be 9.

0006C058: 98180AC7 stb r0,2759(r24)

0006C098: 2B800063 cmplwi cr7,r0,99

0006C09C: 60000000 nop No more branching depending on whether register "r0" was less than or equal to 99.

0006C0A0: 3800000B li r0,11 I'm now setting register "r0" to always be 11.

0006C0A4: 98180AC7 stb r0,2759(r24)

0006CA50: 2FA00063 cmpdi cr7,r0,99

0006CA54: 60000000 nop No more branching depending on whether register "r0" was less than or equal to 99.

0006CA58: 3800000D li r0,13 I'm now setting register "r0" to always be 13.

0006CA5C: 48000010 b 0x6ca6c

0006CA7C: 2FA00063 cmpdi cr7,r0,99

0006CA80: 60000000 nop No more branching depending on whether register "r0" was less than or equal to 99.

0006CA84: 3800000F li r0,15 I'm now setting register "r0" to always be 15.

0006CA88: 48000010 b 0x6ca98

0006CAA8: 2FA00063 cmpdi cr7,r0,99

0006CAAC: 60000000 nop No more branching depending on whether register "r0" was less than or equal to 99.

0006CAB0: 38000011 li r0,17 I'm now setting register "r0" to always be 17.

0006CAB4: 48000010 b 0x6cac4

0006CB64: 2FA00063 cmpdi cr7,r0,99

0006CB68: 60000000 nop No more branching depending on whether register "r0" was less than or equal to 99.

0006CB6C: 38000013 li r0,19 I'm now setting register "r0" to always be 19.

0006CB70: 48000010 b 0x6cb80

0006CBA0: 2FA00063 cmpdi cr7,r0,99

0006CBA4: 60000000 nop No more branching depending on whether register "r0" was less than or equal to 99.

0006CBA8: 38000015 li r0,21 I'm now setting register "r0" to always be 21.

0006CBAC: 48000010 b 0x6cbbc

0006CC48: 2FA90063 cmpdi cr7,r9,99

0006CC4C: 60000000 nop No more branching depending on whether register "r9" was less than or equal to 99.

0006CC50: 39200017 li r9,23 I'm now setting register "r9" to always be 23.

0006CC54: 48000010 b 0x6cc64

0006CF54: 2FA00063 cmpdi cr7,r0,99

0006CF58: 38E00019 li r7,25 No more branching depending on whether register "r0" was less than or equal to 99, and I changed it to a "li" operation and gave register "r7" value 25.

0006CF5C: F8E90000 std r7,0(r9)

I tried those out, and I noticed the elemental resistances were all 25%, and all JUMP values were now 3. Found 2 more codes. Next up is the aptitudes that were all 255%. I'll just search for ones that compared something to the value 255 and change them to remove the branch and set a custom value that will tell me which 1 is the correct code. Just search for instances of "00FF cmp".

0006AE90: 2FA000FF cmpdi cr7,r0,255 It's comparing whatever value register "r0" is to the number 255.

0006AE94: 409D0008 ble- cr7,0x6ae9c If "r0" was less than or equal to 255, then skip the next 1 line of code.

0006AE98: F8E90000 std r7,0(r9) "r0" was greater than 255, so store whatever register "r7" is to the offset $0000 of register "r9".

I guess that's the only instance of it. I guess I'll just try giving it a value and hope it's the code for the aptitudes.

0006AE90: 2FA000FF cmpdi cr7,r0,255

0006AE94: 38E00003 li r7,3 No more branching depending on whether register "r0" was less than or equal to 255, and I changed it to a "li" operation and gave register "r7" value 3.

0006AE98: F8E90000 std r7,0(r9)

I tried it, and all aptitudes were set to 3%. Another code found. Next up is the level modifier, which puts everything's level up to 9,999. I'm going to search for instances of "270F cmp" again, remove the branches, and change or add a "li" operation to give it a certain value so I can tell which code does the effect.

Never mind that, there isn't one. Instead, I'll now search for "2710 cmp". No result. Did a search for "270E cmp", and ended up with 1 result that wasn't one of the ones we found with the first search of "blt" and "ble".

0006A430: 2F84270E cmpwi cr7,r4,9998

0006A434: 419D2C14 bgt- cr7,0x6d048

Looking at this, it checks if something is larger than 9,998, and if it is, it jumps to address 0x0006D048. I changed the 9,998 to 0 with:

0006A430: 2F840000 cmpwi cr7,r4,0

0006A434: 419D2C14 bgt- cr7,0x6d048

I tried that, and everyone was at level 9,999. I checked, and their actual EXP increased to its maximum amount, but my stats didn't increase, and I didn't unlock new special moves for my characters.

I then went to address 0x0006D048, which was where the code jumped to because unit levels were greater than 0. This is what was there:

0006D048: 3800270F li r0,9999 Register "r0" is now 9,999

0006D04C: B0180AAC sth r0,2732(r24) Register "r0", which is 9,999, is 2 bytes and stored at offset $0AAC of register "r24".

0006D050: A0780AB4 lhz r3,2740(r24) Load 2 bytes at offset $0AB4 of register $r24.

0006D054: 7C630734 extsh r3,r3 Don't know what this operation does. I'm guessing it's like the "mr" operation, but it sign extends a number.

0006D058: 3880270F li r4,9999 Register $r4 is now 9,999.

0006D05C: 4801DC31 bl 0x8ac8c Branch and link to another function starting at address 0x0008AC8C.

0006D060: 60000000 nop

0006D064: F8780000 std r3,0(r24) Store 8 byte register $r3 at offset $0000 of register $r24.

0006D068: 4BFFD580 b 0x6a5e8 Jump to address 0x0006A5E8.

Still having the previous modification of changing the comparison operation to compare to 0 instead of 9,998, I then change this line:

0006D048: 3800270F li r0,9999 Register "r0" is now 9,999

I change it to 3:

0006D048: 38000002 li r0,2 Register "r0" is now 2

I try that, and every unit is at level 2. That's another code found, but it doesn't seem to have the effects that come with the levels. Next up I'm going to find the code that gave me the max EXP. The part that makes this less easier than the rest is that different characters have different possible max amounts of EXP. However, we know that the amount of EXP a unit has determines its level, and we know a unit's level is 2 bytes at offset $0AAC, so we'll look close by for things that add a level. I'll search for a write to that offset with "0AAC sth". These are the results:

0006A464: B1380AAC sth r9,2732(r24)

0006D04C: B0180AAC sth r0,2732(r24)

Only 2 results, and we already found the result at address 0x0006D04C is used to set the level 9,999 limit, so odds are the other result is for normal leveling. So I'm looking at this, and some of it was from the earlier level 9,999 code:

0006A428: A0180AAC lhz r0,2732(r24) The level of a unit is 2 bytes and loaded to register $r0 from offset $0AAC of register $r24.

0006A42C: 7C040734 extsh r4,r0 Don't know, but it seems to do the same thing as "mr", so now $r0 & $r4 are the same.

0006A430: 2F84270E cmpwi cr7,r4,9998 Comparing the unit's level to 9,998.

0006A434: 419D2C14 bgt- cr7,0x6d048 If a unit's level is greater than 9,998, it branches to a function that sets it to 9,999.

0006A438: EBB80000 ld r29,0(r24) I don't know what this is, but it's 8 bytes.

0006A43C: A0780AB4 lhz r3,2740(r24) This thing is close to the offset of a character's level, but I don't know what it is.

0006A440: 38840001 addi r4,r4,1 $r4 is the level, and this adds +1 to it.

0006A444: 7C630734 extsh r3,r3 Don't know, but it's 2 bytes from offset $0AB4.

0006A448: 7C8407B4 extsw r4,r4 I'm guessing this operation just sign extends things. Nothing important, $r4 is $r4.

0006A44C: 48020841 bl 0x8ac8c Go to another function starting at address 0x0008AC8C, do stuff, return to address 0x0006A450.

0006A450: 60000000 nop

0006A454: 7FBD1800 cmpd cr7,r29,r3 Compare $r29 to $r3, and it's 8 bytes.

0006A458: 419C0190 blt- cr7,0x6a5e8 If $r29 is less than $r3, jump to address 0x0006A5E8.

0006A45C: A1380AAC lhz r9,2732(r24) The level of a unit is 2 bytes and loaded to register $r9 from offset $0AAC of register $r24.

0006A460: 39290001 addi r9,r9,1 This adds 1 to the current level of a unit.

0006A464: B1380AAC sth r9,2732(r24) This stores the new level, which is $r9, to offset $0AAC of register $r24.

Looking at all of this, I'm guessing those last 5 lines compare EXP to the next amount of EXP required to level up, and adds a level if it gets high enough. I'm guessing that the "bl 0x8ac8c" goes to the code that calculates how much EXP is required for the next level up. To check this stuff, I changed this line:

0006A460: 39290001 addi r9,r9,1

I gave it a specific value, 3.

0006A460: 39200003 li r9,3

I tried the game with this, and when anything leveled up, its level became 3 even if it was already higher than 3. I now know that comparison branch determines if you've reached the correct amount of EXP to level up. You level up if $r29 is greater than or equal to $r3, so $r29 must be the amount of EXP something has. I then changed that line back to what it was and then removed the branch:

0006A458: 419C0190 blt- cr7,0x6a5e8

That became this:

0006A458: 60000000 nop

Every unit was leveled up to 9,999, their EXP was maxed out, and their stats increased. The only problem was I didn't get my new special moves. Something in this whole function gave me the specials, and I'm not sure of what to do. I'm going to find something that affects the EXP specifically rather than the level of a unit. From above, I learned that $r29 was my current EXP.

0006A438: EBB80000 ld r29,0(r24) I don't know what this is, but it's 8 bytes.

0006A43C: A0780AB4 lhz r3,2740(r24) This thing is close to the offset of a character's level, but I don't know what it is.

0006A440: 38840001 addi r4,r4,1 $r4 is the level, and this adds +1 to it.

0006A444: 7C630734 extsh r3,r3 Don't know, but it's 2 bytes from offset $0AB4.

0006A448: 7C8407B4 extsw r4,r4 I'm guessing this operation just sign extends things. Nothing important, $r4 is $r4.

0006A44C: 48020841 bl 0x8ac8c Go to another function starting at address 0x0008AC8C, do stuff, return to address 0x0006A450.

0006A450: 60000000 nop

0006A454: 7FBD1800 cmpd cr7,r29,r3 Compare $r29 to $r3, and it's 8 bytes.

0006A458: 419C0190 blt- cr7,0x6a5e8 If $r29 is less than $r3, jump to address 0x0006A5E8.

From the 1st line, $r29 is 8 bytes loaded from offset $0000 of register $r24. To test that that's correct, I create a value and store it at that offset like this:

0006A434: 3BA00005 li r29,5

0006A438: FBB80000 std r29,0(r24)

I play the game, and everyone has exactly 5 EXP. So I now know offset $0000 is the offset for EXP, which sucks because that has to be the most commonly used offset of anything for every game on every console. Ignoring that, I'm going to check every instance of "0000 std" and give them a specific value to store. These are what I find:

0006A5C0: F81B0000 std r0,0(r27)

0006A844: F80B0000 std r0,0(r11)

0006A85C: F80A0000 std r0,0(r10)

0006A870: F92A0000 std r9,0(r10)

0006A9C8: F80B0000 std r0,0(r11)

0006A9D4: F90B0000 std r8,0(r11)

0006ACCC: FB9D0000 std r28,0(r29)

0006AD64: F8090000 std r0,0(r9)

0006ADD0: F8090000 std r0,0(r9)

0006AE14: F9490000 std r10,0(r9)

0006AE58: F9490000 std r10,0(r9)

0006AE98: F8E90000 std r7,0(r9)

0006B1FC: F80B0000 std r0,0(r11)

0006B484: F80B0000 std r0,0(r11)

0006C0F0: F92B0000 std r9,0(r11)

0006C148: F80B0000 std r0,0(r11)

0006C910: F96A0000 std r11,0(r10)

0006CCB0: F8090000 std r0,0(r9)

0006CCF4: F8090000 std r0,0(r9)

0006CD4C: F8090000 std r0,0(r9)

0006CE5C: F92B0000 std r9,0(r11)

0006CE68: F8CB0000 std r6,0(r11)

0006CEEC: F8A90000 std r5,0(r9)

0006CF0C: F9690000 std r11,0(r9)

0006CF14: F80A0000 std r0,0(r10)

0006CF5C: F8E90000 std r7,0(r9)

0006CF70: F8090000 std r0,0(r9)

0006D064: F8780000 std r3,0(r24)

That's all 28 of them. Now I just create a "li" operation before all of them with a specific value and hope the game doesn't freeze or anything because I'm too lazy to check if I'm messing up something obvious.

0006A5C0: 60000000 nop

0006A844: 60000000 nop

0006A85C: 60000000 nop

0006A870: 60000000 nop

0006A9C8: 60000000 nop

0006A9D4: 60000000 nop

0006ACCC: 60000000 nop

0006AD64: 60000000 nop

0006ADD0: 60000000 nop

0006AE14: 60000000 nop

0006AE58: 60000000 nop

0006AE98: 60000000 nop

0006B1FC: 60000000 nop

0006B484: 60000000 nop

0006C0F0: 60000000 nop

0006C148: 60000000 nop

0006C910: 60000000 nop

0006CCB0: 60000000 nop

0006CCF4: 60000000 nop

0006CD4C: 60000000 nop

0006CE5C: 60000000 nop

0006CE68: 60000000 nop

0006CEEC: 60000000 nop

0006CF0C: 60000000 nop

0006CF14: 60000000 nop

0006CF5C: 60000000 nop

0006CF70: 60000000 nop

0006D064: 60000000 nop

I tried that out, and did things that normally increase a unit's EXP. So I kill an enemy with 1 unit, kill an enemy with a team attack, kill an enemy with a tower attack, heal something, create a new character, and reincarnate a character since those are the only things I can think of that increase EXP. I did that stuff, and nothing happened. Now I don't know what to do for sure. I looked at other codes, and Skiller found the code for max mana after a single unit kills anything. You get mana when you kill something, and you also get EXP when you kill something, so I'm hoping they are in the same area.

Max Mana After 1 Unit Kills Anything (Found by Skiller)

000C5210 7F890040

I first go to address 0x000C5210. I search for the 1st instance of "blr" above and below that address so I know the size of the entire function. So the function starts at 0x000C2ADC and ends at 0x000C73F4. So I go to address 0x000C2ADC and start searching for instances of "0000 std". These are what I encountered:

000C55A0: F81C0000 std r0,0(r28)

000C55B4: F93C0000 std r9,0(r28)

000C56E4: F8090000 std r0,0(r9)

000C56F8: F9690000 std r11,0(r9)

000C5708: F8090000 std r0,0(r9)

000C5724: F9230000 std r9,0(r3)

000C5734: F80B0000 std r0,0(r11)

000C5750: F9230000 std r9,0(r3)

000C5940: F81F0000 std r0,0(r31)

000C5954: F93F0000 std r9,0(r31)

000C5A84: F8090000 std r0,0(r9)

000C5A98: F9690000 std r11,0(r9)

000C5AA8: F8090000 std r0,0(r9)

000C5AC4: F92B0000 std r9,0(r11)

000C5AD4: F8090000 std r0,0(r9)

000C5AF0: F92B0000 std r9,0(r11)

000C5C0C: F81F0000 std r0,0(r31)

000C5C20: F93F0000 std r9,0(r31)

000C5D50: F8090000 std r0,0(r9)

000C5D64: F9690000 std r11,0(r9)

000C5D74: F8090000 std r0,0(r9)

000C5D90: F92B0000 std r9,0(r11)

000C5DA0: F80B0000 std r0,0(r11)

000C5DBC: F92B0000 std r9,0(r11)

000C6C94: F8090000 std r0,0(r9)

000C6CA8: F9690000 std r11,0(r9)

000C6CB8: F8090000 std r0,0(r9)

000C6CD4: F92B0000 std r9,0(r11)

000C6CE4: F80B0000 std r0,0(r11)

000C6D00: F92B0000 std r9,0(r11)

That's all 30 instances of that. Now I'm just going to nop all of them:

000C55A0: 60000000 nop

000C55B4: 60000000 nop

000C56E4: 60000000 nop

000C56F8: 60000000 nop

000C5708: 60000000 nop

000C5724: 60000000 nop

000C5734: 60000000 nop

000C5750: 60000000 nop

000C5940: 60000000 nop

000C5954: 60000000 nop

000C5A84: 60000000 nop

000C5A98: 60000000 nop

000C5AA8: 60000000 nop

000C5AC4: 60000000 nop

000C5AD4: 60000000 nop

000C5AF0: 60000000 nop

000C5C0C: 60000000 nop

000C5C20: 60000000 nop

000C5D50: 60000000 nop

000C5D64: 60000000 nop

000C5D74: 60000000 nop

000C5D90: 60000000 nop

000C5DA0: 60000000 nop

000C5DBC: 60000000 nop

000C6C94: 60000000 nop

000C6CA8: 60000000 nop

000C6CB8: 60000000 nop

000C6CD4: 60000000 nop

000C6CE4: 60000000 nop

000C6D00: 60000000 nop

I tried that, and my EXP didn't change when I killed anything or used something like heal. Looks like I found the right place. Now I just go to every address just above those and change whatever it is to a "li" operation with the same register and a specific value so I know which addresses are the correct ones.

000C559C: 38000001 li r0,1

000C55B0: 39200003 li r9,3

000C56E0: 38000005 li r0,5

000C56F4: 39600007 li r11,7

000C5704: 38000009 li r0,9

000C5720: 3920000B li r9,11

000C5730: 3800000D li r0,13

000C574C: 3920000F li r9,15

000C593C: 38000011 li r0,17

000C5950: 39200013 li r9,19

000C5A80: 38000015 li r0,21

000C5A94: 39600017 li r11,23

000C5AA4: 38000019 li r0,25

000C5AC0: 3920001B li r9,27

000C5AD0: 3800001D li r0,29

000C5AEC: 3920001F li r9,31

000C5C08: 38000021 li r0,33

000C5C1C: 39200023 li r9,35

000C5D4C: 38000025 li r0,37

000C5D60: 39600027 li r11,39

000C5D70: 38000029 li r0,41

000C5D8C: 3920002B li r9,43

000C5D9C: 3800002D li r0,45

000C5DB8: 3920002F li r9,47

000C6C90: 38000031 li r0,49

000C6CA4: 39600033 li r11,51

000C6CB4: 38000035 li r0,53

000C6CD0: 39200037 li r9,55

000C6CE0: 38000039 li r0,57

000C6CFC: 3920003B li r9,59

I try that out, and anything I do maxes out a unit to level 9,999 with the increased stats and EXP but none of the special attacks. I decide to check the codes I overwrote because I probably erased a bunch of branches that check things. These are the ones that had branches:

000C5594: E81C0000 ld r0,0(r28)

000C5598: E90101F0 ld r8,496(r1)

000C559C: 7C080214 add r0,r8,r0

000C55A0: F81C0000 std r0,0(r28)

000C55A4: 3D200100 lis r9,256

000C55A8: 792907C6 rldcl r9,r9,r0,62

000C55AC: 7FA04800 cmpd cr7,r0,r9

000C55B0: 409D0008 ble- cr7,0xc55b8

000C55B4: F93C0000 std r9,0(r28)

000C56DC: E8090000 ld r0,0(r9)

000C56E0: 7C110214 add r0,r17,r0

000C56E4: F8090000 std r0,0(r9)

000C56E8: 3D600100 lis r11,256

000C56EC: 796B07C6 rldcl r11,r11,r0,62

000C56F0: 7FA05800 cmpd cr7,r0,r11

000C56F4: 409D0008 ble- cr7,0xc56fc

000C56F8: F9690000 std r11,0(r9)

000C5718: E8030000 ld r0,0(r3)

000C571C: 7FA04800 cmpd cr7,r0,r9

000C5720: 409D0034 ble- cr7,0xc5754

000C5724: F9230000 std r9,0(r3)

000C5744: E8030000 ld r0,0(r3)

000C5748: 7FA04800 cmpd cr7,r0,r9

000C574C: 409D0008 ble- cr7,0xc5754

000C5750: F9230000 std r9,0(r3)

000C5938: E81F0000 ld r0,0(r31)

000C593C: 7C150214 add r0,r21,r0

000C5940: F81F0000 std r0,0(r31)

000C5944: 3D200100 lis r9,256

000C5948: 792907C6 rldcl r9,r9,r0,62

000C594C: 7FA04800 cmpd cr7,r0,r9

000C5950: 409D0008 ble- cr7,0xc5958

000C5954: F93F0000 std r9,0(r31)

000C5A7C: E8090000 ld r0,0(r9)

000C5A80: 7C190214 add r0,r25,r0

000C5A84: F8090000 std r0,0(r9)

000C5A88: 3D600100 lis r11,256

000C5A8C: 796B07C6 rldcl r11,r11,r0,62

000C5A90: 7FA05800 cmpd cr7,r0,r11

000C5A94: 409D0008 ble- cr7,0xc5a9c

000C5A98: F9690000 std r11,0(r9)

000C5AB8: E80B0000 ld r0,0(r11)

000C5ABC: 7FA04800 cmpd cr7,r0,r9

000C5AC0: 409D0034 ble- cr7,0xc5af4

000C5AC4: F92B0000 std r9,0(r11)

000C5AE4: E80B0000 ld r0,0(r11)

000C5AE8: 7FA04800 cmpd cr7,r0,r9

000C5AEC: 409D0008 ble- cr7,0xc5af4

000C5AF0: F92B0000 std r9,0(r11)

000C5C04: E81F0000 ld r0,0(r31)

000C5C08: 7C150214 add r0,r21,r0

000C5C0C: F81F0000 std r0,0(r31)

000C5C10: 3D200100 lis r9,256

000C5C14: 792907C6 rldcl r9,r9,r0,62

000C5C18: 7FA04800 cmpd cr7,r0,r9

000C5C1C: 409D0008 ble- cr7,0xc5c24

000C5C20: F93F0000 std r9,0(r31)

000C5D48: E8090000 ld r0,0(r9)

000C5D4C: 7C190214 add r0,r25,r0

000C5D50: F8090000 std r0,0(r9)

000C5D54: 3D600100 lis r11,256

000C5D58: 796B07C6 rldcl r11,r11,r0,62

000C5D5C: 7FA05800 cmpd cr7,r0,r11

000C5D60: 409D0008 ble- cr7,0xc5d68

000C5D64: F9690000 std r11,0(r9)

000C5D84: E80B0000 ld r0,0(r11)

000C5D88: 7FA04800 cmpd cr7,r0,r9

000C5D8C: 409D0034 ble- cr7,0xc5dc0

000C5D90: F92B0000 std r9,0(r11)

000C5DB0: E80B0000 ld r0,0(r11)

000C5DB4: 7FA04800 cmpd cr7,r0,r9

000C5DB8: 409D0008 ble- cr7,0xc5dc0

000C5DBC: F92B0000 std r9,0(r11)

000C6C8C: E8090000 ld r0,0(r9)

000C6C90: 7C030214 add r0,r3,r0

000C6C94: F8090000 std r0,0(r9)

000C6C98: 3D600100 lis r11,256

000C6C9C: 796B07C6 rldcl r11,r11,r0,62

000C6CA0: 7FA05800 cmpd cr7,r0,r11

000C6CA4: 409D0008 ble- cr7,0xc6cac

000C6CA8: F9690000 std r11,0(r9)

000C6CC8: E80B0000 ld r0,0(r11)

000C6CCC: 7FA04800 cmpd cr7,r0,r9

000C6CD0: 409D0034 ble- cr7,0xc6d04

000C6CD4: F92B0000 std r9,0(r11)

000C6CF4: E80B0000 ld r0,0(r11)

000C6CF8: 7FA04800 cmpd cr7,r0,r9

000C6CFC: 409D0008 ble- cr7,0xc6d04

000C6D00: F92B0000 std r9,0(r11)

That's 15 of them. I undid those ones and tried the game with the other ones that didn't overwrite a branch. This is what I noticed:

1. A single unit killing another unit normally or with a special attack always had 45 EXP.

2. Units in a group attack or tower attack all got 13 EXP.

3. Units that used restorative special stuff like healing or espoir had 57 EXP.

Out of those, I didn't have the chance to find a place where I could open a treasure chest with EXP in it, but I know one of the other codes changed that too.

Disgaea 3 - Item Rarity Modifier

Disgaea 3 - MV Modifier

Disgaea 3 - JMP Modifier

Disgaea 3 - Attack Range Modifier

I wasn't sure how to approach this one. All I know specifically about items is that rarity under 8 is legendary, and rarity from 8 to 31 is rare, and 32 and higher is normal. I decided to search for things that compare something to 31 and set them to 0 in the hope of finding them. I search for instances of "001F cmp"; these are the results:

000089D4: 2B8A001F cmplwi cr7,r10,31

00009088: 2B84001F cmplwi cr7,r4,31

00009124: 2B84001F cmplwi cr7,r4,31

0000918C: 2B84001F cmplwi cr7,r4,31

0001BA0C: 2F9F001F cmpwi cr7,r31,31

000269E4: 2B80001F cmplwi cr7,r0,31

00026AE0: 2B80001F cmplwi cr7,r0,31

00026C5C: 2B80001F cmplwi cr7,r0,31

0002B9FC: 2B8B001F cmplwi cr7,r11,31

0002FBD4: 2B80001F cmplwi cr7,r0,31

000317D0: 2F80001F cmpwi cr7,r0,31

00056494: 2F83001F cmpwi cr7,r3,31

00056B18: 2F80001F cmpwi cr7,r0,31

000613B0: 2F98001F cmpwi cr7,r24,31

0006186C: 2F9F001F cmpwi cr7,r31,31

000618A8: 2F83001F cmpwi cr7,r3,31

0006408C: 2F99001F cmpwi cr7,r25,31

00064F00: 2880001F cmplwi cr1,r0,31

0006B334: 2B80001F cmplwi cr7,r0,31

00085B1C: 2B80001F cmplwi cr7,r0,31

0009D270: 2B80001F cmplwi cr7,r0,31

000A94C8: 2F89001F cmpwi cr7,r9,31

000A9714: 2F89001F cmpwi cr7,r9,31

000EB534: 2F96001F cmpwi cr7,r22,31

000EF508: 2F88001F cmpwi cr7,r8,31

0011134C: 2F89001F cmpwi cr7,r9,31

00113328: 2F80001F cmpwi cr7,r0,31

001133E8: 2F80001F cmpwi cr7,r0,31

0011344C: 2F80001F cmpwi cr7,r0,31

001135C0: 2F80001F cmpwi cr7,r0,31

00113710: 2F80001F cmpwi cr7,r0,31

00118EB4: 2F88001F cmpwi cr7,r8,31

00119660: 2F80001F cmpwi cr7,r0,31

00128C58: 2B80001F cmplwi cr7,r0,31

0012A0D4: 2F99001F cmpwi cr7,r25,31

00137EF0: 2F80001F cmpwi cr7,r0,31

00138318: 2F99001F cmpwi cr7,r25,31

0013A0B0: 2F80001F cmpwi cr7,r0,31

0013CA14: 2F88001F cmpwi cr7,r8,31

00161358: 2F88001F cmpwi cr7,r8,31

001AA0CC: 2F80001F cmpwi cr7,r0,31

001B9904: 2F89001F cmpwi cr7,r9,31

001E7ADC: 2B83001F cmplwi cr7,r3,31

002024E0: 2F9F001F cmpwi cr7,r31,31

002056AC: 2B03001F cmplwi cr6,r3,31

00210228: 2B85001F cmplwi cr7,r5,31

00210460: 2B85001F cmplwi cr7,r5,31

00210580: 2B9E001F cmplwi cr7,r30,31

00210684: 2B85001F cmplwi cr7,r5,31

0021076C: 2B9E001F cmplwi cr7,r30,31

00210A90: 2B9E001F cmplwi cr7,r30,31

00215878: 2B80001F cmplwi cr7,r0,31

00215CB0: 2F9D001F cmpwi cr7,r29,31

00215F04: 2B89001F cmplwi cr7,r9,31

00215F9C: 2F8A001F cmpwi cr7,r10,31

00216928: 2F9E001F cmpwi cr7,r30,31

0021697C: 2F9E001F cmpwi cr7,r30,31

00216DC8: 2B8B001F cmplwi cr7,r11,31

00216E70: 2B8B001F cmplwi cr7,r11,31

00216FB4: 2B8B001F cmplwi cr7,r11,31

002171E0: 2F8A001F cmpwi cr7,r10,31

002175D4: 2F80001F cmpwi cr7,r0,31

00217D30: 2B89001F cmplwi cr7,r9,31

00217DE8: 2F8A001F cmpwi cr7,r10,31

0021805C: 2B8B001F cmplwi cr7,r11,31

002183CC: 2B8A001F cmplwi cr7,r10,31

00218934: 2B8A001F cmplwi cr7,r10,31

002189FC: 2F8A001F cmpwi cr7,r10,31

00218C2C: 2B8B001F cmplwi cr7,r11,31

00218CD4: 2B8A001F cmplwi cr7,r10,31

00218E10: 2F8A001F cmpwi cr7,r10,31

0021919C: 2F8A001F cmpwi cr7,r10,31

0021D1F8: 2B80001F cmplwi cr7,r0,31

0021D264: 2B80001F cmplwi cr7,r0,31

0021EBFC: 2F9F001F cmpwi cr7,r31,31

0021EC14: 2B9F001F cmplwi cr7,r31,31

It's a long list of 76 possibilities, which sucks, but I have nothing better to go by so I'm going to change all of them to compare to 128. If it's setting rarity, all I need to do to check is find an item with rarity less than 128 and one greater than 128. Just change them all like this:

000089D4: 2B8A0080 cmplwi cr7,r10,128

00009088: 2B840080 cmplwi cr7,r4,128

00009124: 2B840080 cmplwi cr7,r4,128

0000918C: 2B840080 cmplwi cr7,r4,128

0001BA0C: 2F9F0080 cmpwi cr7,r31,128

000269E4: 2B800080 cmplwi cr7,r0,128

00026AE0: 2B800080 cmplwi cr7,r0,128

00026C5C: 2B800080 cmplwi cr7,r0,128

0002B9FC: 2B8B0080 cmplwi cr7,r11,128

0002FBD4: 2B800080 cmplwi cr7,r0,128

000317D0: 2F800080 cmpwi cr7,r0,128

00056494: 2F830080 cmpwi cr7,r3,128

00056B18: 2F800080 cmpwi cr7,r0,128

000613B0: 2F980080 cmpwi cr7,r24,128

0006186C: 2F9F0080 cmpwi cr7,r31,128

000618A8: 2F830080 cmpwi cr7,r3,128

0006408C: 2F990080 cmpwi cr7,r25,128

00064F00: 28800080 cmplwi cr1,r0,128

0006B334: 2B800080 cmplwi cr7,r0,128

00085B1C: 2B800080 cmplwi cr7,r0,128

0009D270: 2B800080 cmplwi cr7,r0,128

000A94C8: 2F890080 cmpwi cr7,r9,128

000A9714: 2F890080 cmpwi cr7,r9,128

000EB534: 2F960080 cmpwi cr7,r22,128

000EF508: 2F880080 cmpwi cr7,r8,128

0011134C: 2F890080 cmpwi cr7,r9,128

00113328: 2F800080 cmpwi cr7,r0,128

001133E8: 2F800080 cmpwi cr7,r0,128

0011344C: 2F800080 cmpwi cr7,r0,128

001135C0: 2F800080 cmpwi cr7,r0,128

00113710: 2F800080 cmpwi cr7,r0,128

00118EB4: 2F880080 cmpwi cr7,r8,128

00119660: 2F800080 cmpwi cr7,r0,128

00128C58: 2B800080 cmplwi cr7,r0,128

0012A0D4: 2F990080 cmpwi cr7,r25,128

00137EF0: 2F800080 cmpwi cr7,r0,128

00138318: 2F990080 cmpwi cr7,r25,128

0013A0B0: 2F800080 cmpwi cr7,r0,128

0013CA14: 2F880080 cmpwi cr7,r8,128

00161358: 2F880080 cmpwi cr7,r8,128

001AA0CC: 2F800080 cmpwi cr7,r0,128

001B9904: 2F890080 cmpwi cr7,r9,128

001E7ADC: 2B830080 cmplwi cr7,r3,128

002024E0: 2F9F0080 cmpwi cr7,r31,128

002056AC: 2B030080 cmplwi cr6,r3,128

00210228: 2B850080 cmplwi cr7,r5,128

00210460: 2B850080 cmplwi cr7,r5,128

00210580: 2B9E0080 cmplwi cr7,r30,128

00210684: 2B850080 cmplwi cr7,r5,128

0021076C: 2B9E0080 cmplwi cr7,r30,128

00210A90: 2B9E0080 cmplwi cr7,r30,128

00215878: 2B800080 cmplwi cr7,r0,128

00215CB0: 2F9D0080 cmpwi cr7,r29,128

00215F04: 2B890080 cmplwi cr7,r9,128

00215F9C: 2F8A0080 cmpwi cr7,r10,128

00216928: 2F9E0080 cmpwi cr7,r30,128

0021697C: 2F9E0080 cmpwi cr7,r30,128

00216DC8: 2B8B0080 cmplwi cr7,r11,128

00216E70: 2B8B0080 cmplwi cr7,r11,128

00216FB4: 2B8B0080 cmplwi cr7,r11,128

002171E0: 2F8A0080 cmpwi cr7,r10,128

002175D4: 2F800080 cmpwi cr7,r0,128

00217D30: 2B890080 cmplwi cr7,r9,128

00217DE8: 2F8A0080 cmpwi cr7,r10,128

0021805C: 2B8B0080 cmplwi cr7,r11,128

002183CC: 2B8A0080 cmplwi cr7,r10,128

00218934: 2B8A0080 cmplwi cr7,r10,128

002189FC: 2F8A0080 cmpwi cr7,r10,128

00218C2C: 2B8B0080 cmplwi cr7,r11,128

00218CD4: 2B8A0080 cmplwi cr7,r10,128

00218E10: 2F8A0080 cmpwi cr7,r10,128

0021919C: 2F8A0080 cmpwi cr7,r10,128

0021D1F8: 2B800080 cmplwi cr7,r0,128

0021D264: 2B800080 cmplwi cr7,r0,128

0021EBFC: 2F9F0080 cmpwi cr7,r31,128

0021EC14: 2B9F0080 cmplwi cr7,r31,128

I tried that, and I noticed items had the rare appearance, but they didn't have the correct population, so I've at least found something. I narrowed them down by trying 1/2 at a time to figure out exactly which one did the trick.

1. There are 76 total, so I did the first 38 of them, which is everything from the beginning up to address 0x00138318. The effect was still present, so it was within the first 38 results.

2. Half of 38 is 19, so I tried everything from the beginning up to address 0x00064F00. The effect was now gone, so that means it was within the other 19 results.

3. Half of 19 is 9.5, so I tried 10 of them from address 0x0006B334 up to address 0x001133E8. The effect was present, so it's within these 10 results.

4. Half of 10 is 5, so I tried everything from address 0x0006B334 up to address 0x000A9714. The effect was still present, so it's 1 of those 5.

5. Half of 5 is 2.5, so I tried 3 from address 0x0006B334 up to address 0x0009D270. The effect was still present, so it's one of those 3.

6. 3 are left, so I tried the first 2, which are addresses 0x0006B334 and 0x00085B1C. The effect was gone.

7. That just leaves the 1 result at 0x0009D270. I tried only that one, and the effect was there again.

So it's this one:

0009D270: 2B800080 cmplwi cr7,r0,128

Now that I know it's that one, I need to go to that address and look nearby to see what loads something into register $r0 and/or where register $r0 is being stored. This is the first thing I see:

0009D26C: 48000348 b 0x9d5b4

0009D270: 2B80001F cmplwi cr7,r0,31

I don't see anything nearby after it that is a storing operation. Since that "b" is just before the comparison, that means something branches to address 0x0009D270. So I then search for "x9D270" to see what branches to it. I end up with only 1 place branching to it:

0009D5C4: 4BFFFCAC b 0x9d270

I then look above that, and see all of this:

0009D5B0: 48000018 b 0x9d5c8

0009D5B4: 881C00E8 lbz r0,232(r28)

0009D5B8: 3BE00002 li r31,2

0009D5BC: 2B800007 cmplwi cr7,r0,7

0009D5C0: 409DFCC0 ble+ cr7,0x9d280

0009D5C4: 4BFFFCAC b 0x9d270

I see that $r0 is 1 byte and loaded from offset $00E8, and after it is loaded it is compared to the number 7. Any rarity from 0 to 7 is legendary, and I'm betting that "ble+" goes to code that gives things the legendary appearance. Since I'm now mostly certain offset $00E8 is an item's popularity, and it's only 1 byte, I would be looking for instances of "00E8 lbz" to find what reads that value and then uses it. These are my results:

00064EF8: 881E00E8 lbz r0,232(r30)

00064F74: 887E00E8 lbz r3,232(r30)

0006ABCC: 880900E8 lbz r0,232(r9)

0006B31C: 880900E8 lbz r0,232(r9)

00085B08: 881E00E8 lbz r0,232(r30)

000A02D0: 88FF00E8 lbz r7,232(r31)

000A0AC0: 88F700E8 lbz r7,232(r23)

000A0E9C: 88F700E8 lbz r7,232(r23)

000A122C: 88F700E8 lbz r7,232(r23)

000EDAE8: 887D00E8 lbz r3,232(r29)

000F1DA8: 887E00E8 lbz r3,232(r30)

000F2C00: 887E00E8 lbz r3,232(r30)

00105EC8: 887F00E8 lbz r3,232(r31)

00105F20: 881F00E8 lbz r0,232(r31)

0015F888: 88AB00E8 lbz r5,232(r11)

001B2344: 893E00E8 lbz r9,232(r30)

There are 17 results. I'm going to test these by changing them into a "li" operation with the value 1, like this:

00064EF8: 38000001 li r0,1

00064F74: 38600001 li r3,1

0006ABCC: 38000001 li r0,1

0006B31C: 38000001 li r0,1

00085B08: 38000001 li r0,1

000A02D0: 38E00001 li r7,1

000A0AC0: 38E00001 li r7,1

000A0E9C: 38E00001 li r7,1

000A122C: 38E00001 li r7,1

000EDAE8: 38600001 li r3,1

000F1DA8: 38600001 li r3,1

000F2C00: 38600001 li r3,1

00105EC8: 38600001 li r3,1

00105F20: 38000001 li r0,1

0015F888: 38A00001 li r5,1

001B2344: 39200001 li r9,1

I tried that, went to a shop and looked at the items. These are the things I noticed excluding the comparison at 0x0009D270 since we already know what that one does:

All items have the legendary stat increase, and the legendary starting population limit of 6. That could all be the result of 1 correct address doing both things, or 2 separate addresses doing those 2 different effects. From there I just do the method of trying half of the results at one time.

1. There are 17 results, so I try the first 9 results with the last one being address 0x000A122C. I checked, and things still have the stat boost and the 6 population. So stuff within those 1st 9 results is doing the trick.

2. 9 results left, so I try the first 5 results with the last result being address 0x00085B08. I checked, and things still have the stat boost and the 6 population. So the effects are from things within the 1st 5 results.

3. 5 results left, so I try the first 3 results with the last result being address 0x0006ABCC. I checked, and things still have the stat boost and the 6 population. So the effects are from things within the 1st 3 results.

4. 3 results left, so I try the first 2 results, which are addresses 0x00064EF8 and 0x00064F74. I checked, and things still have the stat boost and the 6 population. So the effects are from things within the 1st 2 results.

5. 2 results left, so I try only the first result, which is address 0x00064EF8. I checked, and items have the legendary stat increase but not the population of 6.

6. 1 result left, so I try just the 2nd result, which is address 0x00064F74. I checked, and items have the population of 6 but not the legendary stat increase. I guess those were 2 separate things, but they are close to each other and in the same function.
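The narrowing done here and in the "001F cmp" hunt above is a bisection over a set of patches: apply half, play, keep whichever half still shows the effect. As an added example (my own code, not the post's), here is that procedure as a function, generalised so that it returns every patch that produces an effect on its own (which is how the two separate addresses above would be found in one pass per effect) and counts how many times the game has to be played. The candidate addresses are the "00E8 lbz" results listed above; the "play the game and look" step is replaced by a constructed stand-in built from the two addresses the post settles on.

```python
# Added example, not the post's code: the post's halving search over a set of
# candidate patches, written as a function. It keeps the post's assumption that
# a single patched instruction is enough to show an effect, but returns every
# candidate that does so on its own, and counts how many game runs it costs.

def find_culprits(candidates, shows_effect):
    """Return the candidates that each produce the effect by themselves.

    shows_effect(subset) stands for "apply exactly these patches, play, look":
    it must report True whenever at least one responsible patch is applied.
    """
    if not shows_effect(candidates):
        return []
    if len(candidates) == 1:
        return list(candidates)
    mid = len(candidates) // 2
    return (find_culprits(candidates[:mid], shows_effect)
            + find_culprits(candidates[mid:], shows_effect))

# The sixteen "00E8 lbz" addresses listed above, as the candidate set.
CANDIDATES = [
    0x00064EF8, 0x00064F74, 0x0006ABCC, 0x0006B31C, 0x00085B08, 0x000A02D0,
    0x000A0AC0, 0x000A0E9C, 0x000A122C, 0x000EDAE8, 0x000F1DA8, 0x000F2C00,
    0x00105EC8, 0x00105F20, 0x0015F888, 0x001B2344,
]

# Constructed stand-in for playing the game: which candidate causes which
# visible effect. The two entries are the outcome the post arrives at.
TRUTH = {
    0x00064EF8: {"legendary stat increase"},
    0x00064F74: {"population 6"},
}

class GameRuns:
    """Counts how often the game had to be played to reach an answer."""

    def __init__(self, truth):
        self.truth = truth
        self.plays = 0

    def oracle(self, effect):
        def shows_effect(subset):
            self.plays += 1
            return any(effect in self.truth.get(addr, ()) for addr in subset)
        return shows_effect

def locate(candidates, truth, effects):
    """Map each effect to the addresses responsible; also return total plays."""
    runs = GameRuns(truth)
    found = {e: find_culprits(list(candidates), runs.oracle(e)) for e in effects}
    return found, runs.plays

if __name__ == "__main__":
    found, plays = locate(CANDIDATES, TRUTH,
                          ["legendary stat increase", "population 6"])
    for effect, addrs in found.items():
        print(effect, [f"{a:08X}" for a in addrs])
    print("game runs:", plays)
```

Unlike the post's by-hand version, this tests both halves whenever the parent set showed the effect, so it costs a few more runs (9 per effect for 16 candidates with one culprit) but never misses a second responsible patch, and it degrades gracefully when a set has no culprit at all: one run, empty result.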

With that, I can make 3 separate codes to give things the legendary effect, but it doesn't save it since those don't actually have the game set an item's rarity but make the game read things like they are a certain rarity. Using that, you could make the game think every item is legendary and save, but the second you play without the codes those items will be treated like normal items. To actually find what sets the rarity amount, I'd need to search for a store operation of 1 byte to that offset instead of a load operation. I'm now going to search for instances of "00E8 stb". I'm specifically going to search for it within the function that has the 2 that allowed me to make items seem legendary by giving them the stat increase and the population of 6. I go to one of those 2 and then search for the first instance of "blr" above and below it to see where the function starts and ends. I end up with the function being within 0x00064D58 and 0x000652F8. I search for instances of "00E8 stb" in that area, and these are the results:

00064EBC: 987E00E8 stb r3,232(r30)

00064ECC: 987E00E8 stb r3,232(r30)

Those are the only 2 results. If it is 1 or both of these, that's great. I then go to the address just right before them and overwrite the operation to be a "li" that sets the value to 1 or 3 of whichever register is being stored:

00064EB8: 38600001 li r3,1

00064EC8: 38600003 li r3,3

I try the game, and all items are at rarity 3. I've now found a rarity modifier. Since the rarity is in this function, there's probably a bunch of other things about items that are set in this function. But I still checked the other one since it was nearby and looked at it all:

00064EA8: 2F800027 cmpwi cr7,r0,39 Something is compared to the number 39.

00064EAC: 409D0018 ble- cr7,0x64ec4 If that thing is less than or equal to 39, jump down to address 0x00064EC4 and continue code.

00064EB0: 38600008 li r3,8 That "something" wasn't less than or equal to 39. Give register $r3 the value 8.

00064EB4: 48045581 bl 0xaa434 Go to address 0x000AA434, do stuff, return to address 0x00064EB8.

00064EB8: 60000000 nop

00064EBC: 987E00E8 stb r3,232(r30) Store the value of $r3 at offset $00E8 of register $r30, which is an item's rarity.

00064EC0: 48000010 b 0x64ed0 Go to 0x00064ED0 and continue code.

00064EC4: 7FA3EB78 mr r3,r29 That "something" was less than or equal to 39. Copy register $r29's value to register $r3.

00064EC8: 4BFFC881 bl 0x61748 Go to address 0x00061748, do stuff, return to address 0x00064ECC.

00064ECC: 987E00E8 stb r3,232(r30) Store the value of $r3 at offset $00E8 of register $r30, which is an item's rarity.

Looking at this, that branch at address 0x00064EAC is the only thing that goes to the last 3 lines of code. I then thought to just delete that branch with a "nop".

00064EAC: 409D0018 ble- cr7,0x64ec4

That becomes:

00064EAC: 60000000 nop

I tried that, and every item had a rarity of 8 or less and was legendary. With that branch gone, it creates 8, branches to address 0x000AA434, does stuff, returns to address 0x00064EB8, and stores that rarity amount. I then deleted that branch and link operation:

00064EB4: 48045581 bl 0xaa434

That becomes:

00064EB4: 60000000 nop

Now every item has rarity 8. That must mean that the stuff at address 0x000AA434 takes whatever is in register $r3 and generates a random number that is less than what $r3 was.

From this point, I'm going to take a lazy guess and check approach to things and use this area:

00064EA0: 881E00EE lbz r0,238(r30)

00064EA4: 7C000774 extsb r0,r0

00064EA8: 2F800027 cmpwi cr7,r0,39

00064EAC: 409D0018 ble- cr7,0x64ec4

00064EB0: 38600008 li r3,8

00064EB4: 48045581 bl 0xaa434

00064EB8: 60000000 nop

00064EBC: 987E00E8 stb r3,232(r30)

00064EC0: 48000010 b 0x64ed0

00064EC4: 7FA3EB78 mr r3,r29

00064EC8: 4BFFC881 bl 0x61748

00064ECC: 987E00E8 stb r3,232(r30)

All I'm going to do is create a value for register $r3, and store that register at multiple offsets of register $r30. I'm going to start it by creating the value "7F7F" and applying it to the next lower offsets.

00064EA0 38607F7F li r3,32639

00064EA4 B07E00E6 sth r3,230(r30)

00064EA8 B07E00E4 sth r3,228(r30)

00064EAC B07E00E2 sth r3,226(r30)

00064EB0 B07E00E0 sth r3,224(r30)

00064EB4 B07E00DE sth r3,222(r30)

00064EB8 B07E00DC sth r3,220(r30)

00064EBC B07E00DA sth r3,218(r30)

00064EC0 B07E00D8 sth r3,216(r30)

00064EC4 B07E00D6 sth r3,214(r30)

00064EC8 B07E00D4 sth r3,212(r30)

00064ECC B07E00D2 sth r3,210(r30)
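Both listings the post builds by hand (the numbered "li" in front of every "std" earlier, and the "sth" sweep above) are mechanical, and hand-assembled hex is easy to get wrong: "li rD,value" is "addi rD,r0,value", so the destination register belongs in the rT field (bits 6 to 10), and putting it in the rA field quietly assembles "addi r0,rD,value" instead. As an added example (my own code, not the post's tool), here is a minimal assembler/disassembler for the PowerPC instructions patched in this post, a checker that flags listing lines whose hex word and mnemonic disagree, and generators for the two listings. Registers, offsets and addresses are taken from the post; the sample listing is constructed, with one deliberately swapped-field line.

```python
import re

# Added example, not the post's own tool: a minimal assembler/disassembler for
# the PowerPC instructions patched in this post, a checker that flags listing
# lines whose hex and mnemonic disagree, and the two listing generators the
# post builds by hand (tagged "li" before every store; a store sweep across
# consecutive struct offsets). Addresses and registers come from the post.

LOAD_STORE = {"lbz": 34, "lhz": 40, "stb": 38, "sth": 44}   # D-form opcodes
BY_OPCODE = {v: k for k, v in LOAD_STORE.items()}
NOP = 0x60000000                                              # ori r0,r0,0

def d_form(opcode, rt, ra, imm):
    """opcode(6) | rT/rS(5) | rA(5) | 16-bit immediate."""
    return (opcode << 26) | (rt << 21) | (ra << 16) | (imm & 0xFFFF)

def li(rd, value):
    """li rD,SIMM is addi rD,r0,SIMM: rD belongs in the rT field and rA stays 0.
    Putting rD in the rA field instead silently assembles addi r0,rD,SIMM."""
    if not -0x8000 <= value <= 0x7FFF:
        raise ValueError("immediate does not fit in 16 signed bits")
    return d_form(14, rd, 0, value)

def load_store(mnemonic, rs, offset, ra):
    """lbz/lhz/stb/sth rS,offset(rA)."""
    return d_form(LOAD_STORE[mnemonic], rs, ra, offset)

def ld_std(mnemonic, rs, offset, ra):
    """DS-form ld/std: the low two offset bits are the XO field, so the
    displacement must be a multiple of 4."""
    if offset % 4:
        raise ValueError("ld/std offset must be a multiple of 4")
    return d_form({"ld": 58, "std": 62}[mnemonic], rs, ra, offset)

def cmpi(mnemonic, crf, ra, imm):
    """cmplwi (unsigned, opcode 10) / cmpwi (signed, opcode 11) crfD,rA,imm."""
    opcode = 10 if mnemonic == "cmplwi" else 11
    return (opcode << 26) | (crf << 23) | (ra << 16) | (imm & 0xFFFF)

def disassemble(word):
    """Decode one word in the post's mnemonic style; '?' for anything else."""
    op, rt, ra = word >> 26, (word >> 21) & 31, (word >> 16) & 31
    imm = word & 0xFFFF
    simm = imm - 0x10000 if imm & 0x8000 else imm
    if word == NOP:
        return "nop"
    if op == 14:
        return f"li r{rt},{simm}" if ra == 0 else f"addi r{rt},r{ra},{simm}"
    if op in BY_OPCODE:
        return f"{BY_OPCODE[op]} r{rt},{simm}(r{ra})"
    if op in (58, 62) and imm & 3 == 0:
        return f"{'ld' if op == 58 else 'std'} r{rt},{simm}(r{ra})"
    if op in (10, 11):
        crf, value = (word >> 23) & 7, imm if op == 10 else simm
        return f"{'cmplwi' if op == 10 else 'cmpwi'} cr{crf},r{ra},{value}"
    return "?"

LINE = re.compile(r"^([0-9A-Fa-f]{8}):?\s+([0-9A-Fa-f]{8})\s+(\S+(?:\s+\S+)?)")

def check_listing(text):
    """Return (address, stated, decoded) for every line whose hex word does not
    assemble to the mnemonic written next to it (trailing notes are ignored)."""
    bad = []
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        decoded = disassemble(int(m.group(2), 16))
        stated = " ".join(m.group(3).split())
        if stated.split()[0] == "nop":      # nop takes no operands
            stated = "nop"
        if decoded != "?" and decoded != stated:
            bad.append((m.group(1).upper(), stated, decoded))
    return bad

def tag_stores(stores, first_tag=1):
    """For each (store address, stored register) emit a distinct-valued li one
    word earlier (1, 3, 5, ...), so the value that shows up in game says which
    store wrote it."""
    return [(addr - 4, li(reg, first_tag + 2 * i))
            for i, (addr, reg) in enumerate(stores)]

def offset_sweep(slots, reg, base, start, step, value=0x7F7F, store="sth"):
    """Load a marker into reg at the first slot, then store it at base+start,
    base+start+step, ... from the remaining slots; whichever field changes in
    game sits at one of those offsets (re-run with fewer slots or stb to pin it)."""
    out = [(slots[0], li(reg, value))]
    for i, addr in enumerate(slots[1:]):
        out.append((addr, load_store(store, reg, start + i * step, base)))
    return out

# Constructed sample listing in the post's format; the fourth line carries the
# slip of putting the destination register in the rA field.
SAMPLE = """
0006A438: EBB80000 ld r29,0(r24) I don't know what this is, but it's 8 bytes.
0006A45C: A1380AAC lhz r9,2732(r24)
0006A458: 419C0190 blt- cr7,0x6a5e8
00064EA0 38037F7F li r3,32639
00064EA4 B07E00E6 sth r3,230(r30)
"""

if __name__ == "__main__":
    for addr, stated, decoded in check_listing(SAMPLE):
        print(f"{addr}: listing says '{stated}', hex is '{decoded}'")
    slots = [0x64EA0 + 4 * i for i in range(12)]
    for addr, word in offset_sweep(slots, 3, 30, 0xE6, -2):
        print(f"{addr:08X} {word:08X} {disassemble(word)}")
```

Running the checker over a listing before pasting it into the game catches the rT/rA swap in a "li" line, which otherwise shows up only as a patch that silently does nothing to the register you meant to set. The sweep generator reproduces the eleven "sth" writes above from the slot addresses 0x00064EA0 through 0x00064ECC, register r3, base register r30, a start offset of 0xE6 and a step of -2; passing "stb" as the store produces the one-byte variant used later to confirm a field's size.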

I try the game, go to a store and look at things, buy them, equip them, and go into the item worlds of them. These are what I notice:

1. When I go into an item's world, I'm on stage 127.

That's something. Now I just need to narrow it down by removing some of those writes. I'm doing 11 writes, so I'll remove the last 6:

00064EA0 38607F7F li r3,32639

00064EA4 B07E00E6 sth r3,230(r30)

00064EA8 B07E00E4 sth r3,228(r30)

00064EAC B07E00E2 sth r3,226(r30)

00064EB0 B07E00E0 sth r3,224(r30)

00064EB4 B07E00DE sth r3,222(r30)

00064EB8 60000000 nop

00064EBC 60000000 nop

00064EC0 60000000 nop

00064EC4 60000000 nop

00064EC8 60000000 nop

00064ECC 60000000 nop

I play again, and still get the same effect, so it's 1 of them. 5 left, so remove 3:

00064EA0 38607F7F li r3,32639

00064EA4 B07E00E6 sth r3,230(r30)

00064EA8 B07E00E4 sth r3,228(r30)

00064EAC 60000000 nop

00064EB0 60000000 nop

00064EB4 60000000 nop

00064EB8 60000000 nop

00064EBC 60000000 nop

00064EC0 60000000 nop

00064EC4 60000000 nop

00064EC8 60000000 nop

00064ECC 60000000 nop

I play again, and the effect is gone. So it was 1 of the 3 I removed. I'll try the first 2 of those 3 I removed:

00064EA0 38607F7F li r3,32639

00064EA4 60000000 nop

00064EA8 60000000 nop

00064EAC B07E00E2 sth r3,226(r30)

00064EB0 B07E00E0 sth r3,224(r30)

00064EB4 60000000 nop

00064EB8 60000000 nop

00064EBC 60000000 nop

00064EC0 60000000 nop

00064EC4 60000000 nop

00064EC8 60000000 nop

00064ECC 60000000 nop

The effect is back again. It's 1 of those 2. I'll remove the second 1:

00064EA0 38607F7F li r3,32639

00064EA4 60000000 nop

00064EA8 60000000 nop

00064EAC B07E00E2 sth r3,226(r30)

00064EB0 60000000 nop

00064EB4 60000000 nop

00064EB8 60000000 nop

00064EBC 60000000 nop

00064EC0 60000000 nop

00064EC4 60000000 nop

00064EC8 60000000 nop

00064ECC 60000000 nop

The effect is there again, but we aren't exactly there. Item worlds don't go higher than 100, and before it was at stage 127 instead of 32639, which means it's 1 byte. To check which 1 of those 2 bytes it is, I change it to store 1 byte:

00064EA0 38607F7F li r3,32639

00064EA4 60000000 nop

00064EA8 60000000 nop

00064EAC 987E00E2 stb r3,226(r30)

00064EB0 60000000 nop

00064EB4 60000000 nop

00064EB8 60000000 nop

00064EBC 60000000 nop

00064EC0 60000000 nop

00064EC4 60000000 nop

00064EC8 60000000 nop

00064ECC 60000000 nop

I play, and the effect is still there, so it's 1 byte at offset $00E2. I didn't bother pursuing this farther since it seems the stage you go to isn't synched with the item's level, not that that is important. If I did though, I'd just be searching around for "00E2 stb".

Now I'm just going back to writing to the next set of lower offsets:

00064EA0 38607F7F li r3,32639

00064EA4 B07E00D0 sth r3,208(r30)

00064EA8 B07E00CE sth r3,206(r30)

00064EAC B07E00CC sth r3,204(r30)

00064EB0 B07E00CA sth r3,202(r30)

00064EB4 B07E00C8 sth r3,200(r30)

00064EB8 B07E00C6 sth r3,198(r30)

00064EBC B07E00C4 sth r3,196(r30)

00064EC0 B07E00C2 sth r3,194(r30)

00064EC4 B07E00C0 sth r3,192(r30)

00064EC8 B07E00BE sth r3,190(r30)

00064ECC B07E00BC sth r3,188(r30)

I play the game, and these are the things I notice about items:

1. The item levels were 127, the name different, stats messed up, wrong price, and in the wrong order when sorted. No effects when I went into the item world, so item level and item world stage are 2 separate things. I don't know why they made them separate, but I don't care.

Now I'm just going to try some more offsets again:

00064EA0 38607F7F li r3,32639

00064EA4 B07E00BA sth r3,186(r30)

00064EA8 B07E00B8 sth r3,184(r30)

00064EAC B07E00B6 sth r3,182(r30)

00064EB0 B07E00B4 sth r3,180(r30)

00064EB4 B07E00B2 sth r3,178(r30)

00064EB8 B07E00B0 sth r3,176(r30)

00064EBC B07E00AE sth r3,174(r30)

00064EC0 B07E00AC sth r3,172(r30)

00064EC4 B07E00AA sth r3,170(r30)

00064EC8 B07E00A8 sth r3,168(r30)

00064ECC B07E00A6 sth r3,166(r30)

I play, and I don't notice anything worth caring about, so I'm going to start going the other way:

00064EA0 38607F7F li r3,32639

00064EA4 B07E00E8 sth r3,232(r30)

00064EA8 B07E00EA sth r3,234(r30)

00064EAC B07E00EC sth r3,236(r30)

00064EB0 B07E00EE sth r3,238(r30)

00064EB4 B07E00F0 sth r3,240(r30)

00064EB8 B07E00F2 sth r3,242(r30)

00064EBC B07E00F4 sth r3,244(r30)

00064EC0 B07E00F6 sth r3,246(r30)

00064EC4 B07E00F8 sth r3,248(r30)

00064EC8 B07E00FA sth r3,250(r30)

00064ECC B07E00FC sth r3,252(r30)

I play the game and notice these things:

1. Item types were changed, along with their icons. Items had 32 MV & 99 JMP. Items had a massive attack range. For some reason the innocents had bigger values than usual. My critical hit amount was changed too.

I found a few great goodies; now I just need to find which exact offsets they were. I remove the last 6 of the 11 writes:

00064EA0 38607F7F li r3,32639

00064EA4 B07E00E8 sth r3,232(r30)

00064EA8 B07E00EA sth r3,234(r30)

00064EAC B07E00EC sth r3,236(r30)

00064EB0 B07E00EE sth r3,238(r30)

00064EB4 B07E00F0 sth r3,240(r30)

00064EB8 60000000 nop

00064EBC 60000000 nop

00064EC0 60000000 nop

00064EC4 60000000 nop

00064EC8 60000000 nop

00064ECC 60000000 nop

I tried that, and all of that stuff still works. So it's in those 5. I remove the last 3:

00064EA0 38607F7F li r3,32639

00064EA4 B07E00E8 sth r3,232(r30)

00064EA8 B07E00EA sth r3,234(r30)

00064EAC 60000000 nop

00064EB0 60000000 nop

00064EB4 60000000 nop

00064EB8 60000000 nop

00064EBC 60000000 nop

00064EC0 60000000 nop

00064EC4 60000000 nop

00064EC8 60000000 nop

00064ECC 60000000 nop

I now try this, and now only the item type and icon have changed. I don't really care about those, so I'm not going to pursue them. I'm going to try the first 2 of the remaining 3 now:

00064EA0 38607F7F li r3,32639

00064EA4 60000000 nop

00064EA8 60000000 nop

00064EAC B07E00EC sth r3,236(r30)

00064EB0 B07E00EE sth r3,238(r30)

00064EB4 60000000 nop

00064EB8 60000000 nop

00064EBC 60000000 nop

00064EC0 60000000 nop

00064EC4 60000000 nop

00064EC8 60000000 nop

00064ECC 60000000 nop

I tried it, and items were back to having great innocents, high MV, JMP, and attack ranges. Now I just need to figure out which is which from these offsets. I'll try only the first 1:

00064EA0 38607F7F li r3,32639

00064EA4 60000000 nop

00064EA8 60000000 nop

00064EAC B07E00EC sth r3,236(r30)

00064EB0 60000000 nop

00064EB4 60000000 nop

00064EB8 60000000 nop

00064EBC 60000000 nop

00064EC0 60000000 nop

00064EC4 60000000 nop

00064EC8 60000000 nop

00064ECC 60000000 nop

I tried that, and items only had high MV and JMP. Now I can divide these:

00064EA0 38607F7F li r3,32639

00064EA4 60000000 nop

00064EA8 60000000 nop

00064EAC 987E00EC stb r3,236(r30)

00064EB0 987E00EE stb r3,238(r30)

00064EB4 60000000 nop

00064EB8 60000000 nop

00064EBC 60000000 nop

00064EC0 60000000 nop

00064EC4 60000000 nop

00064EC8 60000000 nop

00064ECC 60000000 nop

I tried that, and now items have high MV and very good innocents. Next I'll try the other 2 just to make sure:

00064EA0 38607F7F li r3,32639

00064EA4 60000000 nop

00064EA8 60000000 nop

00064EAC 987E00ED stb r3,237(r30)

00064EB0 987E00EF stb r3,239(r30)

00064EB4 60000000 nop

00064EB8 60000000 nop

00064EBC 60000000 nop

00064EC0 60000000 nop

00064EC4 60000000 nop

00064EC8 60000000 nop

00064ECC 60000000 nop

I tried that, and now items have high JMP and a large attack range. Now I know these 4 offsets:

$00EC = 1 byte, MV amount.

$00ED = 1 byte, JMP amount.

$00EE = 1 byte, seems to affect the values of innocents, but I don't know what this is exactly.

$00EF = 1 byte, attack range.

I'm going to hunt down the MV amount now. Since it was at 32, that must be its limit. So I can either go by searching within this function for "00EC stb" or "0020 cmp". I'm going to go with the "00EC stb" route. I searched within the function, and there is only 1 instance of that:

00064E04: 981E00EC stb r0,236(r30)

I check the previous line with it:

00064E00: A00300CE lhz r0,206(r3)

00064E04: 981E00EC stb r0,236(r30)

I don't know where it's loading that value from, but I'm changing it to a "li" operation.

00064E00: 38000017 li r0,23

00064E04: 981E00EC stb r0,236(r30)

I check the items at the shop, and they have 23 MV. Found that fast. The same can be applied to finding the JMP value too, either "00ED stb" or "0063 cmp". I'm going with the "00ED stb" again. I search for that within the function, there's only 1 instance, and it is the next 2 lines after the 2 lines for the MV value:

00064E08: 880300AF lbz r0,175(r3)

00064E0C: 981E00ED stb r0,237(r30)

Just need to change it to a "li" again and try it:

00064E08: 38000051 li r0,81

00064E0C: 981E00ED stb r0,237(r30)

I tried it, items had 81 JMP, perfect. And I'll come back to this area after I find the attack range code. To find the attack range, I look for "00EF stb":

00064DE0: 880300AE lbz r0,174(r3)

00064DE4: 981E00EF stb r0,239(r30)

Once again, only 1 instance and it is very close to the other 2. I just change it to a "li" again:

00064DE0: 38000009 li r0,9

00064DE4: 981E00EF stb r0,239(r30)

I try that out, and equipped items give me an increased attack range, so it's perfect. Now for something that is potentially interesting, just look at all of this:

00064DC4: B3FE00C8 sth r31,200(r30) Items get modified name, price, order, and whatever else. Unknown?

00064DC8: 880300AD lbz r0,173(r3)

00064DCC: 981E00EE stb r0,238(r30) This was the thing that affected innocent's level

00064DD0: A00300CA lhz r0,202(r3)

00064DD4: 981E00EA stb r0,234(r30) Item type and/or item icon.

00064DD8: A00300D2 lhz r0,210(r3)

00064DDC: B01E00CE sth r0,206(r30)

00064DE0: 880300AE lbz r0,174(r3)

00064DE4: 981E00EF stb r0,239(r30) Item attack range.

00064DE8: 880300B1 lbz r0,177(r3)

00064DEC: 981E00F2 stb r0,242(r30) Affects the critical hit ratio.

00064DF0: 880300B0 lbz r0,176(r3)

00064DF4: 981E00F3 stb r0,243(r30) Also affects the critical hit ratio.

00064DF8: 38000000 li r0,0

00064DFC: B01E00CA sth r0,202(r30) Item level, but doesn't affect item world stage.

00064E00: A00300CE lhz r0,206(r3)

00064E04: 981E00EC stb r0,236(r30) Item MV.

00064E08: 880300AF lbz r0,175(r3)

00064E0C: 981E00ED stb r0,237(r30) Item JMP.

I tried some of these and labeled them.

Disgaea 3 - Item Population Limit Modifier

I honestly had hoped the previous stuff would have found it in 1 of those offsets, but somehow I didn't encounter it. My next idea is that rarity determines population, and I previously just encountered something that made the game treat items as being normal, rare, or legendary without the stat increases or shiny name. I'm looking at this from before:

"6. 1 result left, so I try just the 2nd result, which is address 0x00064F74. I checked, and items have the population of 6 but not the legendary stat increase. I guess those were 2 separate things, but they are close to each other and in the same function."

I'm going to go to address 0x00064F74 and look around. Nothing seems obvious to me, so I just decide to mess with the first few store operations I see that do a 1 byte write:

00064F80: 987E00F4 stb r3,244(r30)

00064FD8: 981E00EB stb r0,235(r30)

Those are the closest 2 after it. With these, I just go to the addresses before them and change them to a "li" operation for the same register and give them a specific value and hope it's 1 of them:

00064F7C 38600002 li r3,2

00064FD4 38000003 li r0,3

I play the game and check the items, and they all have a population capacity of 3. I lucked out again and found it quickly.

Disgaea 3 - New Items' Innocents' Level Modifier

I don't know what to do, but I'm still guessing it's within the function from 0x00064D58 to 0x000652F8 that all of the other stuff for items was in. All I know that helps is that different types of innocents have different limits, and there isn't much data to an innocent other than a name, value, and type, so it's probably going to be a very low offset too. I know they can get as high as 9,999, and that means it's 2 bytes. So I'm just going to find every instance of "sth" and give them a value and hope something happens. These are all of them within that function:

00064DC4: B3FE00C8 sth r31,200(r30)

00064DDC: B01E00CE sth r0,206(r30)

00064DFC: B01E00CA sth r0,202(r30)

00064F8C: B01E00CC sth r0,204(r30)

00064F9C: B01E00CC sth r0,204(r30)

00064FB0: B01E00CC sth r0,204(r30)

00065050: B3BC0004 sth r29,4(r28)

00065298: B01E00E4 sth r0,228(r30)

That's all 8 of them. I just go to the address before them and create a value using a "li" and the same register:

00064DC0 3BE00001 li r31,1

00064DD8 38000003 li r0,3

00064DF8 38000005 li r0,5

00064F88 38000007 li r0,7

00064F98 38000009 li r0,9

00064FAC 3800000B li r0,11

0006504C 3BA0000D li r29,13

00065294 3800000F li r0,15

Using that, no results. Either it's not in this function or it's actually 4 bytes instead of 2. Just to make sure, I'll also search for all instances of "stw" in the function too:

00064E6C: 911E0040 stw r8,64(r30)

00065140: 901C0000 stw r0,0(r28)

00065168: 913C0000 stw r9,0(r28)

00065198: 913C0000 stw r9,0(r28)

000651C8: 913C0000 stw r9,0(r28)

000651E0: 901C0000 stw r0,0(r28)

000651F4: 901C0000 stw r0,0(r28)

00065208: 901C0000 stw r0,0(r28)

00065224: 913C0000 stw r9,0(r28)

00065230: 901C0000 stw r0,0(r28)

00065260: 913C0000 stw r9,0(r28)

00065274: 901C0000 stw r0,0(r28)

There are 12 results. I'll just go to the address before each and make a "li" operation with a specific value and for the same register:

00064E68 39000001 li r8,1

0006513C 38000003 li r0,3

00065164 39200005 li r9,5

00065194 39200007 li r9,7

000651C4 39200009 li r9,9

000651DC 3800000B li r0,11

000651F0 3800000D li r0,13

00065204 3800000F li r0,15

00065220 39200011 li r9,17

0006522C 38000013 li r0,19

0006525C 39200015 li r9,21

00065270 38000017 li r0,23

I tried that, and different types of innocents had different values that were all the same. Jackpot. With all of this, I'm just going to take a guess and see if I can make them all use that last instance. I'm looking at this:

00065264: A01C0004 lhz r0,4(r28)

00065268: 2F800048 cmpwi cr7,r0,72

0006526C: 409E000C bne- cr7,0x65278

00065270: 38000001 li r0,1

00065274: 901C0000 stw r0,0(r28)

I highlighted and searched for instances of "x6526", and noticed many things branch to address 0x00065264. Checking a bit more, this is the only thing that skips the last store operation:

0006526C: 409E000C bne- cr7,0x65278

I removed that with a "nop":

0006526C: 60000000 nop

I also changed this line:

00065270: 38000001 li r0,1

I gave it a different value:

00065270: 38000007 li r0,7

I tried the game, and every innocent's level was 7. Lucky again. I didn't really stop there, because I'm assuming the next offset might be the innocent type modifier. So I tried this:

00065268: 38000001 li r0,1

0006526C: B01C0004 sth r0,4(r28)

I tried that out, and every item had the exact same innocent. It was a Dietician. I'm still getting lucky. I was writing down the list of them, but then I kept having to restart the whole cycle of modifying EBOOT.ELF, making the package, installing the package, starting the game, loading the game, going to the store and checking. That's about 5 minutes per innocent digit checked. I then had a smart idea of how to make the game tell me which digit certain innocents were. I modified this:

0006526C: 409E000C bne- cr7,0x65278

00065270: 38000001 li r0,1

00065274: 901C0000 stw r0,0(r28)

I changed it to this:

0006526C: 60000000 nop

00065270: 801C0004 lwz r0,4(r28)

00065274: 901C0000 stw r0,0(r28)

It now loads the digit the innocent is, and then stores it as its value. It worked great and saved me a lot of time, but it didn't work on a few that had a limit of either 100 or 200 while their specialist digit was higher than that.

Disgaea 3 - New Items' Populations Are Full

Yeah, definitely not sure of this one, but I have a thought. I'm assuming something in this function with the other item and innocent stuff, from range 0x00064D58 to 0x000652F8, should do the trick. Items seem to have random amounts of innocents, so that means there's a comparison somewhere that's deciding this stuff. Since you get random amounts of innocents, that means it's a comparison of 2 registers and not a comparison of 1 register to a specific value. My idea is to find these comparisons and replace the line before each to give whichever register is being compared a certain value. Time to find all comparisons by searching for "cmp":

00064F54: 7FA93800 cmpd cr7,r9,r7

00065280: 7F99D000 cmpw cr7,r25,r26

There are 2 ways I need to test these. I'll change it to compare 1 of the registers to a specific value, and if that doesn't work, I'll change it so the other register is compared to the value. If neither works, I could then search for the other comparisons that already compare to a specific value, just in case 1 of them does and then does some random number generating thing. Time to try:

00064F54: 2F890002 cmpwi cr7,r9,2

00065280: 2F990002 cmpwi cr7,r25,2

I tried that, and that wasn't it. I'll try the other 2 registers now:

00064F54: 2F870002 cmpwi cr7,r7,2

00065280: 2F9A0002 cmpwi cr7,r26,2

I tried that, and every item had exactly 2 innocents. I'm amazed that I found it. Now I just change their values:

00064F54: 2F870002 cmpwi cr7,r7,2

00065280: 2F9A0004 cmpwi cr7,r26,4

I try that, and they all have 4 innocents. Another code found.
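Here are the three mechanical parts of the sections above, the "00EC stb" search within a function, the "li before every sth/stw" sweep, and the cmp to cmpwi rewrite, as a small Python tool. This is an added example and not the author's own tooling: the function names are mine, ITEM_COPY_WORDS is the item field copy loop from the annotated listing above packed as big-endian words, and addresses are treated as plain offsets into the loaded code (translating them to EBOOT.ELF file offsets is left to whoever runs it). The one thing to watch when hand-encoding "li" is the register field: addi puts the destination in bits 6-10, so li r3,32639 is 0x38607F7F, while 0x38037F7F decodes to addi r0,r3,32639 and leaves r3 alone. The decoder below is the check worth running on a patch word before building the package.

```python
# PowerPC D-form helpers for the blind store hunt above (PS3 PPU, big-endian).
# Added example, not the page author's tooling; addresses are offsets of the loaded code.
import struct

D_OPCODES = {"lbz": 34, "lhz": 40, "lwz": 32, "stb": 38, "sth": 44, "stw": 36, "addi": 14}
D_MNEMONIC = {v: k for k, v in D_OPCODES.items()}
NOP = 0x60000000  # ori r0,r0,0


def dform(mnemonic, rt, ra, imm):
    """opcode | RT (bits 6-10) | RA (bits 11-15) | 16-bit immediate."""
    return (D_OPCODES[mnemonic] << 26) | (rt << 21) | (ra << 16) | (imm & 0xFFFF)


def li(rt, imm):
    """li rT,imm is addi rT,0,imm: the register goes in RT, so li r3,N is 0x38600000|N."""
    return dform("addi", rt, 0, imm)


def cmpwi(cr, ra, imm, l=0):
    """cmpi (opcode 11): BF in bits 6-8, L in bit 10 (1 = cmpdi), RA, immediate."""
    return (11 << 26) | (cr << 23) | (l << 21) | (ra << 16) | (imm & 0xFFFF)


def decode_dform(word):
    """(mnemonic, rt, ra, imm) for the D-form loads/stores and addi, else None."""
    name = D_MNEMONIC.get(word >> 26)
    if name is None:
        return None
    imm = word & 0xFFFF
    if imm & 0x8000:
        imm -= 0x10000
    return name, (word >> 21) & 31, (word >> 16) & 31, imm


def disasm(word):
    """Sanity check for hand-made words: 0x38037F7F comes back as addi r0,r3,32639."""
    d = decode_dform(word)
    if d is None:
        return None
    name, rt, ra, imm = d
    if name == "addi":
        return f"li r{rt},{imm}" if ra == 0 else f"addi r{rt},r{ra},{imm}"
    return f"{name} r{rt},{imm}(r{ra})"


def words(blob, base):
    """(address, word) pairs for a code blob loaded at `base`."""
    return [(base + 4 * i, w) for i, (w,) in enumerate(struct.iter_unpack(">I", blob))]


def find_stores(code, mnemonic, offset):
    """The '00EC stb' search: every `mnemonic rS,offset(rA)` in code, with rS."""
    hits = []
    for addr, w in code:
        d = decode_dform(w)
        if d and d[0] == mnemonic and d[3] == offset:
            hits.append((addr, w, d[1]))
    return hits


def li_sweep(stores, first=1, step=2):
    """Overwrite the instruction before each store with li rS,<distinct value>.
    Only safe when that instruction does nothing but produce rS, as the
    lhz/lbz loads feeding the stb/sth pairs above do."""
    patches = []
    for k, (addr, w) in enumerate(stores):
        _, rs, _, _ = decode_dform(w)
        patches.append((addr - 4, li(rs, first + step * k)))
    return patches


def cmp_variants(word, imm):
    """For an X-form cmp/cmpd rA,rB (opcode 31, XO 0): the two cmpwi rewrites,
    rA against imm and rB against imm, keeping the CR field."""
    assert word >> 26 == 31 and (word >> 1) & 0x3FF == 0, "not an X-form cmp"
    cr, ra, rb = (word >> 23) & 7, (word >> 16) & 31, (word >> 11) & 31
    return cmpwi(cr, ra, imm), cmpwi(cr, rb, imm)


def apply_patches(blob, base, patches):
    """Write (address, word) patches into a copy of the blob loaded at `base`."""
    out = bytearray(blob)
    for addr, w in patches:
        off = addr - base
        assert 0 <= off < len(out) and off % 4 == 0, hex(addr)
        struct.pack_into(">I", out, off, w)
    return bytes(out)


# Sample input: the item field copy loop at 0x64DC4, taken from the listing above.
ITEM_COPY_BASE = 0x00064DC4
ITEM_COPY_WORDS = [
    0xB3FE00C8, 0x880300AD, 0x981E00EE, 0xA00300CA, 0x981E00EA, 0xA00300D2,
    0xB01E00CE, 0x880300AE, 0x981E00EF, 0x880300B1, 0x981E00F2, 0x880300B0,
    0x981E00F3, 0x38000000, 0xB01E00CA, 0xA00300CE, 0x981E00EC, 0x880300AF,
    0x981E00ED,
]
ITEM_COPY_BLOB = struct.pack(f">{len(ITEM_COPY_WORDS)}I", *ITEM_COPY_WORDS)


def mv_patch(value=23):
    """Locate the one stb to $00EC and pin its source register, as done above."""
    (addr, _, rs), = find_stores(words(ITEM_COPY_BLOB, ITEM_COPY_BASE), "stb", 0xEC)
    return [(addr - 4, li(rs, value))]


if __name__ == "__main__":
    for addr, w in words(ITEM_COPY_BLOB, ITEM_COPY_BASE):
        print(f"{addr:08X}: {w:08X} {disasm(w)}")
    print("MV patch:", [(f"{a:08X}", f"{w:08X}") for a, w in mv_patch()])
    print(disasm(0x38037F7F), "!=", disasm(li(3, 32639)))
```

Running it prints the listing with mnemonics and the MV patch (0x64E00 = 0x38000017). li_sweep replaces the instruction in front of each store, which only works when that instruction did nothing except load the stored register; a store preceded by a call or a compare needs its own patch. cmp_variants gives both rewrites the text tries in turn; it emits cmpwi, so pass l=1 to cmpwi for a cmpdi when the original was cmpd and the compared value might not fit in 32 bits.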

Disgaea 3 - Can Control Anything

Disgaea 3 - Unlimited Movement & Actions

This was a long and slow process with absolutely nothing to go on. If it weren't for the fact I found this for the first 2 games on the PS2, I'm not sure I would have even bothered trying to find this. All I know is that there is something that separates my units from enemies. First I need to pick where I want to insert the code for testing. I'm choosing to insert it in the code where infinite HP is:

000C2D80: 81770074 lwz r11,116(r23)

000C2D84: E8010308 ld r0,776(r1)

000C2D88: 54091838 rlwinm r9,r0,3,0,28

000C2D8C: 7D2907B4 extsw r9,r9

000C2D90: 7D344A14 add r9,r20,r9

000C2D94: E80B09C0 ld r0,2496(r11)

000C2D98: E9290008 ld r9,8(r9)

000C2D9C: 7C090050 sub r0,r0,r9

000C2DA0: F80B09C0 std r0,2496(r11)

I would normally have just tried setting many offsets, but I know I'd be going about it just a little wrong because that's what I was doing for finding this code for the first 2 games. I know a unit's HP is at offset $09C0 of register $r11.

000C2D80: 81770074 lwz r11,116(r23)

000C2D94: E80B09C0 ld r0,2496(r11)

000C2DA0: F80B09C0 std r0,2496(r11)

Register $r11 is an address loaded from offset $0074 of register $r23. Instead of writing values to offsets of register $r11, I need to write values to offsets of $r23. I see that since I'm overwriting that area, I'll be free to use either register $r0 or $r9. The code I'm looking for was 1 byte at offset $0355 for Disgaea 1 and at offset $0365 for Disgaea 2, so I'm more likely to encounter it going up in the offsets. I'll start by writing to stuff starting at offset $0300:

000C2D80: 38000000 li r0,0

000C2D84: 90170300 stw r0,768(r23)

000C2D88: 90170304 stw r0,772(r23)

000C2D8C: 90170308 stw r0,776(r23)

000C2D90: 9017030C stw r0,780(r23)

000C2D94: 90170310 stw r0,784(r23)

000C2D98: 90170314 stw r0,788(r23)

000C2D9C: 90170318 stw r0,792(r23)

000C2DA0: 9017031C stw r0,796(r23)

I try that, hit some unit without killing it, and see if it changes. So I attack 1 of my units and 1 enemy unit. I'm looking for 1 thing: either the unit of mine I attacked becomes an enemy, or the enemy I attack becomes my unit. That didn't happen, so I just need to keep checking.

000C2D80: 38000000 li r0,0

000C2D84: 90170320 stw r0,800(r23)

000C2D88: 90170324 stw r0,804(r23)

000C2D8C: 90170328 stw r0,808(r23)

000C2D90: 9017032C stw r0,812(r23)

000C2D94: 90170330 stw r0,816(r23)

000C2D98: 90170334 stw r0,820(r23)

000C2D9C: 90170338 stw r0,824(r23)

000C2DA0: 9017033C stw r0,828(r23)

I didn't become an enemy, and an enemy didn't become my unit, so I just keep on going:

000C2D80: 38000000 li r0,0

000C2D84: 90170340 stw r0,832(r23)

000C2D88: 90170344 stw r0,836(r23)

000C2D8C: 90170348 stw r0,840(r23)

000C2D90: 9017034C stw r0,844(r23)

000C2D94: 90170350 stw r0,848(r23)

000C2D98: 90170354 stw r0,852(r23)

000C2D9C: 90170358 stw r0,856(r23)

000C2DA0: 9017035C stw r0,860(r23)

And going...

000C2D80: 38000000 li r0,0

000C2D84: 90170360 stw r0,864(r23)

000C2D88: 90170364 stw r0,868(r23)

000C2D8C: 90170368 stw r0,872(r23)

000C2D90: 9017036C stw r0,876(r23)

000C2D94: 90170370 stw r0,880(r23)

000C2D98: 90170374 stw r0,884(r23)

000C2D9C: 90170378 stw r0,888(r23)

000C2DA0: 9017037C stw r0,892(r23)

And going...

000C2D80: 38000000 li r0,0

000C2D84: 90170380 stw r0,896(r23)

000C2D88: 90170384 stw r0,900(r23)

000C2D8C: 90170388 stw r0,904(r23)

000C2D90: 9017038C stw r0,908(r23)

000C2D94: 90170390 stw r0,912(r23)

000C2D98: 90170394 stw r0,916(r23)

000C2D9C: 90170398 stw r0,920(r23)

000C2DA0: 9017039C stw r0,924(r23)

Still going...

000C2D80: 38000000 li r0,0

000C2D84: 901703A0 stw r0,928(r23)

000C2D88: 901703A4 stw r0,932(r23)

000C2D8C: 901703A8 stw r0,936(r23)

000C2D90: 901703AC stw r0,940(r23)

000C2D94: 901703B0 stw r0,944(r23)

000C2D98: 901703B4 stw r0,948(r23)

000C2D9C: 901703B8 stw r0,952(r23)

000C2DA0: 901703BC stw r0,956(r23)

Still going like the energizer bunny...

000C2D80: 38000000 li r0,0

000C2D84: 901703C0 stw r0,960(r23)

000C2D88: 901703C4 stw r0,964(r23)

000C2D8C: 901703C8 stw r0,968(r23)

000C2D90: 901703CC stw r0,972(r23)

000C2D94: 901703D0 stw r0,976(r23)

000C2D98: 901703D4 stw r0,980(r23)

000C2D9C: 901703D8 stw r0,984(r23)

000C2DA0: 901703DC stw r0,988(r23)

I'm starting to worry at this point, but I'm still going:

000C2D80: 38000000 li r0,0

000C2D84: 901703E0 stw r0,992(r23)

000C2D88: 901703E4 stw r0,996(r23)

000C2D8C: 901703E8 stw r0,1000(r23)

000C2D90: 901703EC stw r0,1004(r23)

000C2D94: 901703F0 stw r0,1008(r23)

000C2D98: 901703F4 stw r0,1012(r23)

000C2D9C: 901703F8 stw r0,1016(r23)

000C2DA0: 901703FC stw r0,1020(r23)

If it's here, it's much further than I'd have guessed. Still going...

000C2D80: 38000000 li r0,0

000C2D84: 90170400 stw r0,1024(r23)

000C2D88: 90170404 stw r0,1028(r23)

000C2D8C: 90170408 stw r0,1032(r23)

000C2D90: 9017040C stw r0,1036(r23)

000C2D94: 90170410 stw r0,1040(r23)

000C2D98: 90170414 stw r0,1044(r23)

000C2D9C: 90170418 stw r0,1048(r23)

000C2DA0: 9017041C stw r0,1052(r23)

I'm really getting impatient now. I don't know if the creators changed it or something.

000C2D80: 38000000 li r0,0

000C2D84: 90170420 stw r0,1056(r23)

000C2D88: 90170424 stw r0,1060(r23)

000C2D8C: 90170428 stw r0,1064(r23)

000C2D90: 9017042C stw r0,1068(r23)

000C2D94: 90170430 stw r0,1072(r23)

000C2D98: 90170434 stw r0,1076(r23)

000C2D9C: 90170438 stw r0,1080(r23)

000C2DA0: 9017043C stw r0,1084(r23)

I hit an enemy, and it became my unit. Jackpot! That 1 byte I am looking for is 1 of these 32 bytes. Not only that, but once something is attacked, it can now move again and attack again. I think I just found unlimited movement & actions too, which is also great. Time to cut this in half.
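The 32-byte window sweep above and the halving that follows it can be generated instead of typed by hand. The Python below is an added example, not the author's tool: zero_patch builds the "li r0,0" plus the widest naturally aligned stores that cover a set of byte offsets off r23 and pads the 9 hijacked instruction slots with nop, sweep produces one window per rebuild, and locate does the halving as a group test, calling a "play and look" oracle on each half and charging one rebuild per call. The oracle here is a constructed stand-in (simulated_play): the three single bytes it answers for are the ones this section ends up with, and the two-byte "joint" effect is invented to show what happens when an effect needs bytes on both sides of a split.

```python
# Added example for the 32-byte window sweep and the halving below; not the author's tool.
# Store/li encodings as on the page; the "play and look" oracle is a constructed stand-in.
STORE_OPCODE = {1: 38, 2: 44, 4: 36}  # stb, sth, stw
NOP = 0x60000000


def li(rt, imm):
    return (14 << 26) | (rt << 21) | (imm & 0xFFFF)


def store(width, rs, ra, offset):
    return (STORE_OPCODE[width] << 26) | (rs << 21) | (ra << 16) | (offset & 0xFFFF)


def zero_patch(code_addr, ra, offsets, slots=9, rs=0):
    """li rs,0 followed by the fewest naturally aligned stores that zero exactly
    `offsets` off ra, padded with nop to the `slots` instructions hijacked."""
    todo = sorted(set(offsets))
    words, i = [li(rs, 0)], 0
    while i < len(todo):
        off, run = todo[i], 1
        while i + run < len(todo) and todo[i + run] == off + run:
            run += 1
        width = 4 if off % 4 == 0 and run >= 4 else 2 if off % 2 == 0 and run >= 2 else 1
        words.append(store(width, rs, ra, off))
        i += width
    if len(words) > slots:
        raise ValueError(f"{len(words)} instructions do not fit in {slots} slots")
    words += [NOP] * (slots - len(words))
    return [(code_addr + 4 * k, w) for k, w in enumerate(words)]


def sweep(code_addr, ra, first, last, width=32):
    """One window per rebuild: (window start, patch) for $0300, $0320, ... below `last`."""
    return [(s, zero_patch(code_addr, ra, range(s, s + width))) for s in range(first, last, width)]


def locate(offsets, oracle):
    """Group test: oracle(group) -> set of effects seen with exactly `group` zeroed.
    Halves any group that shows an effect; an effect seen in a group but in
    neither half needs bytes from both sides and is reported against that group.
    Returns ({effect: [offset or tuple of offsets]}, number of oracle calls)."""
    found, runs = {}, [0]

    def rec(group):
        runs[0] += 1
        effects = set(oracle(group))
        if not effects:
            return set()
        if len(group) == 1:
            for e in effects:
                found.setdefault(e, []).append(group[0])
            return effects
        mid = len(group) // 2
        seen = rec(group[:mid]) | rec(group[mid:])
        for e in effects - seen:
            found.setdefault(e, []).append(tuple(group))
        return effects

    rec(sorted(offsets))
    return found, runs[0]


# Constructed stand-in for playing the game: the three single bytes are the ones this
# section ends up with; the two-byte "joint" effect is invented to exercise the
# bytes-on-both-sides-of-a-split case.
SIMULATED = {0x42F: "enemy_becomes_mine", 0x430: "unlimited_move", 0x431: "unlimited_act"}
SIMULATED_JOINT = (frozenset({0x437, 0x438}), "joint")


def simulated_play(zeroed):
    z = set(zeroed)
    effects = {name for off, name in SIMULATED.items() if off in z}
    if SIMULATED_JOINT[0] <= z:
        effects.add(SIMULATED_JOINT[1])
    return effects


def narrow_hit_window(start=0x420, width=32):
    """Narrow the window that hit down to the bytes behind each effect."""
    return locate(range(start, start + width), simulated_play)


if __name__ == "__main__":
    print(f"{len(sweep(0xC2D80, 23, 0x300, 0x440))} windows to reach $0420")
    found, runs = narrow_hit_window()
    print(found, "after", runs, "rebuilds")
    for addr, w in zero_patch(0xC2D80, 23, found["enemy_becomes_mine"] + found["unlimited_move"]):
        print(f"{addr:08X}: {w:08X}")
```

Each oracle call is one modify, package, install, load cycle, so the count locate returns is the number of rebuilds; testing both halves every time is what buys a complete map of every effect in the window rather than just the first one. An effect that only shows when several bytes are zeroed together never appears in either half, so it is reported against the smallest group where it was seen, which is the situation the question of how these bytes work together, at the end of this section, runs into. The slot limit is real: the hijacked region is 9 instructions, so a scattered set of bytes can need more stores than fit.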

000C2D80: 38000000 li r0,0

000C2D84: 90170420 stw r0,1056(r23)

000C2D88: 90170424 stw r0,1060(r23)

000C2D8C: 90170428 stw r0,1064(r23)

000C2D90: 9017042C stw r0,1068(r23)

000C2D94: 60000000 nop

000C2D98: 60000000 nop

000C2D9C: 60000000 nop

000C2DA0: 60000000 nop

The enemies still became mine, but the unlimited movement & action thing was gone. Cut in half:

000C2D80: 38000000 li r0,0

000C2D84: 90170420 stw r0,1056(r23)

000C2D88: 90170424 stw r0,1060(r23)

000C2D8C: 60000000 nop

000C2D90: 60000000 nop

000C2D94: 90170430 stw r0,1072(r23)

000C2D98: 90170434 stw r0,1076(r23)

000C2D9C: 60000000 nop

000C2DA0: 60000000 nop

The enemies didn't become mine, but the unlimited movement and actions were back. Cut in half:

000C2D80: 38000000 li r0,0

000C2D84: 60000000 nop

000C2D88: 60000000 nop

000C2D8C: 90170428 stw r0,1064(r23)

000C2D90: 60000000 nop

000C2D94: 90170430 stw r0,1072(r23)

000C2D98: 60000000 nop

000C2D9C: 60000000 nop

000C2DA0: 60000000 nop

The enemies didn't become mine, but the unlimited movement and actions were still there. Cut in half:

000C2D80: 38000000 li r0,0

000C2D84: 60000000 nop

000C2D88: 60000000 nop

000C2D8C: 60000000 nop

000C2D90: B017042C sth r0,1068(r23)

000C2D94: B0170430 sth r0,1072(r23)

000C2D98: 60000000 nop

000C2D9C: 60000000 nop

000C2DA0: 60000000 nop

The enemies didn't become mine, the unlimited movement was there, but the actions were acting a little odd. Cut in half:

000C2D80: 38000000 li r0,0

000C2D84: 60000000 nop

000C2D88: 60000000 nop

000C2D8C: 60000000 nop

000C2D90: 9817042E stb r0,1070(r23)

000C2D94: 98170432 stb r0,1074(r23)

000C2D98: 60000000 nop

000C2D9C: 60000000 nop

000C2DA0: 60000000 nop

The enemies didn't become mine, the unlimited movement was gone and so were the unlimited actions. Checking:

000C2D80: 38000000 li r0,0

000C2D84: 60000000 nop

000C2D88: 60000000 nop

000C2D8C: 60000000 nop

000C2D90: 9817042F stb r0,1071(r23)

000C2D94: 98170433 stb r0,1075(r23)

000C2D98: 60000000 nop

000C2D9C: 60000000 nop

000C2DA0: 60000000 nop

The enemies became mine, no unlimited movement or actions.

000C2D80: 38000000 li r0,0

000C2D84: 60000000 nop

000C2D88: 60000000 nop

000C2D8C: 60000000 nop

000C2D90: 9817042F stb r0,1071(r23)

000C2D94: 98170430 stb r0,1072(r23)

000C2D98: 60000000 nop

000C2D9C: 60000000 nop

000C2DA0: 60000000 nop

The enemies were still mine, and there was unlimited movement but not unlimited actions. A last check:

000C2D80: 38000000 li r0,0

000C2D84: 60000000 nop

000C2D88: 60000000 nop

000C2D8C: 60000000 nop

000C2D90: 98170431 stb r0,1073(r23)

000C2D94: B0170432 sth r0,1074(r23)

000C2D98: 60000000 nop

000C2D9C: 60000000 nop

000C2DA0: 60000000 nop

I had unlimited actions. I'm not sure how these 3 bytes work together, but I say screw it and just write to all 4 bytes for both unlimited movement and actions. With this, I now know that offset $042F is 1 byte that determines whether a unit is yours, an enemy, an ally, or whatever, and the value 0 makes them mine. For the code to allow me to control enemies and other things in the previous 2 Disgaea games, it was just changing a thing that loaded a byte from that offset which determined which menu you were given. That means I'm going to look for instances of "042F lbz". These are all of the instances I encountered:

0004E4BC: 8809042F lbz r0,1071(r9)

0004E94C: 8809042F lbz r0,1071(r9)

000553B4: 8803042F lbz r0,1071(r3)

00065964: 881F042F lbz r0,1071(r31)

000659B4: 881F042F lbz r0,1071(r31)

000659EC: 881F042F lbz r0,1071(r31)

00065A14: 881F042F lbz r0,1071(r31)

00065A50: 881F042F lbz r0,1071(r31)

00065B4C: 8804042F lbz r0,1071(r4)

0007ABA8: 881F042F lbz r0,1071(r31)

000808F8: 881F042F lbz r0,1071(r31)

00089554: 8803042F lbz r0,1071(r3)

000897C4: 881F042F lbz r0,1071(r31)

000899F8: 881F042F lbz r0,1071(r31)

0008A178: 8803042F lbz r0,1071(r3)

0008A34C: 8803042F lbz r0,1071(r3)

0008BA6C: 8803042F lbz r0,1071(r3)

0008BC5C: 8803042F lbz r0,1071(r3)

0008BE34: 8803042F lbz r0,1071(r3)

0009E748: 8805042F lbz r0,1071(r5)

0009EB80: 881D042F lbz r0,1071(r29)

0009F414: 881D042F lbz r0,1071(r29)

000ACD60: 893E042F lbz r9,1071(r30)

000ACD6C: 8808042F lbz r0,1071(r8)

000AFEE4: 893F042F lbz r9,1071(r31)

000AFEEC: 881B042F lbz r0,1071(r27)

000AFFEC: 893F042F lbz r9,1071(r31)

000AFFF4: 881B042F lbz r0,1071(r27)

000B0FA8: 893F042F lbz r9,1071(r31)

000B0FB0: 8816042F lbz r0,1071(r22)

000B1AC0: 893F042F lbz r9,1071(r31)

000B1AC8: 881B042F lbz r0,1071(r27)

000B1BE0: 893F042F lbz r9,1071(r31)

000B1BE8: 881B042F lbz r0,1071(r27)

000B1CD8: 893F042F lbz r9,1071(r31)

000B1CE0: 881B042F lbz r0,1071(r27)

000B304C: 8938042F lbz r9,1071(r24)

000B3054: 881F042F lbz r0,1071(r31)

000B3224: 8818042F lbz r0,1071(r24)

000B32A0: 8818042F lbz r0,1071(r24)

000B330C: 8818042F lbz r0,1071(r24)

000B33D0: 8818042F lbz r0,1071(r24)

000B70BC: 893F042F lbz r9,1071(r31)

000B70C4: 881B042F lbz r0,1071(r27)

000B729C: 881F042F lbz r0,1071(r31)

000B737C: 881F042F lbz r0,1071(r31)

000B7460: 893F042F lbz r9,1071(r31)

000B7468: 881C042F lbz r0,1071(r28)

000B773C: 8815042F lbz r0,1071(r21)

000B7DCC: 8815042F lbz r0,1071(r21)

000B7F28: 8818042F lbz r0,1071(r24)

000B91E4: 8815042F lbz r0,1071(r21)

000B9934: 8815042F lbz r0,1071(r21)

000B9A90: 8812042F lbz r0,1071(r18)

000BBEC4: 8813042F lbz r0,1071(r19)

000BC19C: 8813042F lbz r0,1071(r19)

000BC2A0: 8810042F lbz r0,1071(r16)

000C14E4: 8808042F lbz r0,1071(r8)

000C14F4: 8804042F lbz r0,1071(r4)

000C150C: 8804042F lbz r0,1071(r4)

000C387C: 8817042F lbz r0,1071(r23)

000C3E08: 880F042F lbz r0,1071(r15)

000C3E48: 8817042F lbz r0,1071(r23)

000C3F00: 8817042F lbz r0,1071(r23)

000C3F18: 880F042F lbz r0,1071(r15)

000C5DFC: 8817042F lbz r0,1071(r23)

000C5ED8: 8817042F lbz r0,1071(r23)

000C5F78: 880F042F lbz r0,1071(r15)

000C633C: 880F042F lbz r0,1071(r15)

000C6840: 8817042F lbz r0,1071(r23)

000C7080: 8817042F lbz r0,1071(r23)

000C70A8: 8817042F lbz r0,1071(r23)

000C737C: 880F042F lbz r0,1071(r15)

000F94FC: 881F042F lbz r0,1071(r31)

000FA248: 881D042F lbz r0,1071(r29)

0010128C: 8809042F lbz r0,1071(r9)

00101378: 8809042F lbz r0,1071(r9)

00101C78: 8809042F lbz r0,1071(r9)

00102044: 881F042F lbz r0,1071(r31)

0010204C: 893C042F lbz r9,1071(r28)

00102EB8: 881F042F lbz r0,1071(r31)

00102EC0: 892B042F lbz r9,1071(r11)

001039B0: 881D042F lbz r0,1071(r29)

00103C84: 881F042F lbz r0,1071(r31)

00104080: 881F042F lbz r0,1071(r31)

0010439C: 881F042F lbz r0,1071(r31)

001057A4: 881F042F lbz r0,1071(r31)

0010590C: 881F042F lbz r0,1071(r31)

001094B0: 881F042F lbz r0,1071(r31)

001108C8: 8808042F lbz r0,1071(r8)

001109AC: 881F042F lbz r0,1071(r31)

00110DCC: 881D042F lbz r0,1071(r29)

00110F64: 881F042F lbz r0,1071(r31)

001127A8: 8803042F lbz r0,1071(r3)

001127BC: 8803042F lbz r0,1071(r3)

00114018: 881D042F lbz r0,1071(r29)

001148D8: 8803042F lbz r0,1071(r3)

00114974: 881C042F lbz r0,1071(r28)

00114980: 881E042F lbz r0,1071(r30)

00114D68: 881D042F lbz r0,1071(r29)

00119408: 881D042F lbz r0,1071(r29)

0011AA18: 8819042F lbz r0,1071(r25)

0011AA88: 881E042F lbz r0,1071(r30)

0011ADDC: 8819042F lbz r0,1071(r25)

0011AEB0: 8819042F lbz r0,1071(r25)

0011AEF0: 8819042F lbz r0,1071(r25)

0011AFB0: 8819042F lbz r0,1071(r25)

0011B0D0: 8819042F lbz r0,1071(r25)

0011B1F0: 8819042F lbz r0,1071(r25)

0011B310: 8819042F lbz r0,1071(r25)

0011B994: 881D042F lbz r0,1071(r29)

0011C180: 8819042F lbz r0,1071(r25)

0011C1F0: 881D042F lbz r0,1071(r29)

001260A8: 881D042F lbz r0,1071(r29)

001260B0: 893F042F lbz r9,1071(r31)

001260C4: 881D042F lbz r0,1071(r29)

001260CC: 893F042F lbz r9,1071(r31)

00126408: 881D042F lbz r0,1071(r29)

00126410: 893F042F lbz r9,1071(r31)

00126424: 881D042F lbz r0,1071(r29)

0012642C: 893F042F lbz r9,1071(r31)

00126994: 881D042F lbz r0,1071(r29)

0012699C: 893F042F lbz r9,1071(r31)

001269B0: 881D042F lbz r0,1071(r29)

001269B8: 893F042F lbz r9,1071(r31)

00126C08: 881D042F lbz r0,1071(r29)

00126C10: 893F042F lbz r9,1071(r31)

00126C24: 881D042F lbz r0,1071(r29)

00126C2C: 893F042F lbz r9,1071(r31)

0012B2C8: 8809042F lbz r0,1071(r9)

0012B348: 8809042F lbz r0,1071(r9)

0012B3C4: 8809042F lbz r0,1071(r9)

0012B4BC: 8809042F lbz r0,1071(r9)

0012B900: 891D042F lbz r8,1071(r29)

0012C150: 8809042F lbz r0,1071(r9)

00133254: 8809042F lbz r0,1071(r9)

0013332C: 880B042F lbz r0,1071(r11)

001336F4: 8809042F lbz r0,1071(r9)

001337C0: 880A042F lbz r0,1071(r10)

00133814: 8809042F lbz r0,1071(r9)

00133AEC: 880A042F lbz r0,1071(r10)

00133AF4: 892B042F lbz r9,1071(r11)

00133D70: 8809042F lbz r0,1071(r9)

00134168: 8929042F lbz r9,1071(r9)

00134170: 880B042F lbz r0,1071(r11)

00136760: 8867042F lbz r3,1071(r7)

00136974: 8867042F lbz r3,1071(r7)

00136AC0: 886A042F lbz r3,1071(r10)

00136D30: 8867042F lbz r3,1071(r7)

00136E88: 886A042F lbz r3,1071(r10)

00136FF8: 886A042F lbz r3,1071(r10)

00137A3C: 881D042F lbz r0,1071(r29)

00137D5C: 881D042F lbz r0,1071(r29)

00137E78: 881D042F lbz r0,1071(r29)

00137EA8: 881D042F lbz r0,1071(r29)

00137F54: 881D042F lbz r0,1071(r29)

00137FC8: 881D042F lbz r0,1071(r29)

00137FF8: 881D042F lbz r0,1071(r29)

00138028: 881D042F lbz r0,1071(r29)

0013837C: 881D042F lbz r0,1071(r29)

001385CC: 881D042F lbz r0,1071(r29)

00138754: 881D042F lbz r0,1071(r29)

00139940: 881D042F lbz r0,1071(r29)

0013A59C: 881D042F lbz r0,1071(r29)

0013B614: 881C042F lbz r0,1071(r28)

0013B7DC: 881C042F lbz r0,1071(r28)

0013BBE4: 881C042F lbz r0,1071(r28)

0013BC44: 881C042F lbz r0,1071(r28)

0013BD4C: 881C042F lbz r0,1071(r28)

0013BED4: 881C042F lbz r0,1071(r28)

0013C3FC: 881D042F lbz r0,1071(r29)

0013C708: 881D042F lbz r0,1071(r29)

0013E300: 881F042F lbz r0,1071(r31)

0013EB3C: 8809042F lbz r0,1071(r9)

0013EDDC: 880B042F lbz r0,1071(r11)

0013EF48: 8964042F lbz r11,1071(r4)

0013FD0C: 880B042F lbz r0,1071(r11)

0014002C: 8809042F lbz r0,1071(r9)

00140308: 8963042F lbz r11,1071(r3)

001421C0: 881F042F lbz r0,1071(r31)

001443D4: 881D042F lbz r0,1071(r29)

00145944: 8809042F lbz r0,1071(r9)

00145DB4: 880B042F lbz r0,1071(r11)

001470C4: 880A042F lbz r0,1071(r10)

0014944C: 8809042F lbz r0,1071(r9)

00149D30: 880A042F lbz r0,1071(r10)

00149E64: 8809042F lbz r0,1071(r9)

00149F04: 880B042F lbz r0,1071(r11)

0014A0E0: 880A042F lbz r0,1071(r10)

0014A268: 8809042F lbz r0,1071(r9)

0014A6D8: 8809042F lbz r0,1071(r9)

0014ACFC: 8804042F lbz r0,1071(r4)

0014AD0C: 8809042F lbz r0,1071(r9)

0014B1E0: 892A042F lbz r9,1071(r10)

0014B1E8: 880B042F lbz r0,1071(r11)

001528BC: 8809042F lbz r0,1071(r9)

00152E78: 8809042F lbz r0,1071(r9)

00153488: 886B042F lbz r3,1071(r11)

00153A8C: 886B042F lbz r3,1071(r11)

00153D70: 8809042F lbz r0,1071(r9)

00153F34: 8803042F lbz r0,1071(r3)

001541E8: 892A042F lbz r9,1071(r10)

001541F0: 880B042F lbz r0,1071(r11)

00156578: 8803042F lbz r0,1071(r3)

001565EC: 8803042F lbz r0,1071(r3)

00156AD8: 8809042F lbz r0,1071(r9)

00156BA4: 8809042F lbz r0,1071(r9)

00156C14: 8809042F lbz r0,1071(r9)

00156C74: 8809042F lbz r0,1071(r9)

00156E28: 8809042F lbz r0,1071(r9)

00156EE0: 8809042F lbz r0,1071(r9)

00157060: 8809042F lbz r0,1071(r9)

00157118: 8809042F lbz r0,1071(r9)

00157298: 8809042F lbz r0,1071(r9)

00157350: 8809042F lbz r0,1071(r9)

001574D0: 8809042F lbz r0,1071(r9)

00157588: 8809042F lbz r0,1071(r9)

0015A118: 8809042F lbz r0,1071(r9)

0015A518: 8809042F lbz r0,1071(r9)

0015A8D0: 8803042F lbz r0,1071(r3)

0015C2CC: 880A042F lbz r0,1071(r10)

0015C3F4: 8809042F lbz r0,1071(r9)

0015C694: 880A042F lbz r0,1071(r10)

0015C8AC: 8809042F lbz r0,1071(r9)

0015CD84: 8809042F lbz r0,1071(r9)

0015D978: 892A042F lbz r9,1071(r10)

0015D980: 880B042F lbz r0,1071(r11)

0015DC08: 892A042F lbz r9,1071(r10)

0015DC10: 880B042F lbz r0,1071(r11)

00162F30: 8803042F lbz r0,1071(r3)

00163264: 8809042F lbz r0,1071(r9)

001686E0: 8809042F lbz r0,1071(r9)

00168EB0: 8809042F lbz r0,1071(r9)

00168F0C: 8804042F lbz r0,1071(r4)

00168F54: 880B042F lbz r0,1071(r11)

00169950: 8803042F lbz r0,1071(r3)

0016A060: 880B042F lbz r0,1071(r11)

0016A330: 8809042F lbz r0,1071(r9)

0016AB44: 8809042F lbz r0,1071(r9)

0019A9B4: 881F042F lbz r0,1071(r31)

0019B630: 881F042F lbz r0,1071(r31)

0019BBB8: 881F042F lbz r0,1071(r31)

0019C3F8: 881F042F lbz r0,1071(r31)

0019C7C0: 881F042F lbz r0,1071(r31)

0019C894: 881F042F lbz r0,1071(r31)

0019D934: 881F042F lbz r0,1071(r31)

0019E004: 881F042F lbz r0,1071(r31)

0019E658: 881F042F lbz r0,1071(r31)

0019EEDC: 881F042F lbz r0,1071(r31)

That's 249 results, and it's going to take a few hours to go through all of them. Here is the way I changed them all:

0004E4BC: 38000000 li r0,0

0004E94C: 38000000 li r0,0

000553B4: 38000000 li r0,0

00065964: 38000000 li r0,0

000659B4: 38000000 li r0,0

000659EC: 38000000 li r0,0

00065A14: 38000000 li r0,0

00065A50: 38000000 li r0,0

00065B4C: 38000000 li r0,0

0007ABA8: 38000000 li r0,0

000808F8: 38000000 li r0,0

00089554: 38000000 li r0,0

000897C4: 38000000 li r0,0

000899F8: 38000000 li r0,0

0008A178: 38000000 li r0,0

0008A34C: 38000000 li r0,0

0008BA6C: 38000000 li r0,0

0008BC5C: 38000000 li r0,0

0008BE34: 38000000 li r0,0

0009E748: 38000000 li r0,0

0009EB80: 38000000 li r0,0

0009F414: 38000000 li r0,0

000ACD60: 39200000 li r9,0

000ACD6C: 38000000 li r0,0

000AFEE4: 39200000 li r9,0

000AFEEC: 38000000 li r0,0

000AFFEC: 39200000 li r9,0

000AFFF4: 38000000 li r0,0

000B0FA8: 39200000 li r9,0

000B0FB0: 38000000 li r0,0

000B1AC0: 39200000 li r9,0

000B1AC8: 38000000 li r0,0

000B1BE0: 39200000 li r9,0

000B1BE8: 38000000 li r0,0

000B1CD8: 39200000 li r9,0

000B1CE0: 38000000 li r0,0

000B304C: 39200000 li r9,0

000B3054: 38000000 li r0,0

000B3224: 38000000 li r0,0

000B32A0: 38000000 li r0,0

000B330C: 38000000 li r0,0

000B33D0: 38000000 li r0,0

000B70BC: 39200000 li r9,0

000B70C4: 38000000 li r0,0

000B729C: 38000000 li r0,0

000B737C: 38000000 li r0,0

000B7460: 39200000 li r9,0

000B7468: 38000000 li r0,0

000B773C: 38000000 li r0,0

000B7DCC: 38000000 li r0,0

000B7F28: 38000000 li r0,0

000B91E4: 38000000 li r0,0

000B9934: 38000000 li r0,0

000B9A90: 38000000 li r0,0

000BBEC4: 38000000 li r0,0

000BC19C: 38000000 li r0,0

000BC2A0: 38000000 li r0,0

000C14E4: 38000000 li r0,0

000C14F4: 38000000 li r0,0

000C150C: 38000000 li r0,0

000C387C: 38000000 li r0,0

000C3E08: 38000000 li r0,0

000C3E48: 38000000 li r0,0

000C3F00: 38000000 li r0,0

000C3F18: 38000000 li r0,0

000C5DFC: 38000000 li r0,0

000C5ED8: 38000000 li r0,0

000C5F78: 38000000 li r0,0

000C633C: 38000000 li r0,0

000C6840: 38000000 li r0,0

000C7080: 38000000 li r0,0

000C70A8: 38000000 li r0,0

000C737C: 38000000 li r0,0

000F94FC: 38000000 li r0,0

000FA248: 38000000 li r0,0

0010128C: 38000000 li r0,0

00101378: 38000000 li r0,0

00101C78: 38000000 li r0,0

00102044: 38000000 li r0,0

0010204C: 39200000 li r9,0

00102EB8: 38000000 li r0,0

00102EC0: 39200000 li r9,0

001039B0: 38000000 li r0,0

00103C84: 38000000 li r0,0

00104080: 38000000 li r0,0

0010439C: 38000000 li r0,0

001057A4: 38000000 li r0,0

0010590C: 38000000 li r0,0

001094B0: 38000000 li r0,0

001108C8: 38000000 li r0,0

001109AC: 38000000 li r0,0

00110DCC: 38000000 li r0,0

00110F64: 38000000 li r0,0

001127A8: 38000000 li r0,0

001127BC: 38000000 li r0,0

00114018: 38000000 li r0,0

001148D8: 38000000 li r0,0

00114974: 38000000 li r0,0

00114980: 38000000 li r0,0

00114D68: 38000000 li r0,0

00119408: 38000000 li r0,0

0011AA18: 38000000 li r0,0

0011AA88: 38000000 li r0,0

0011ADDC: 38000000 li r0,0

0011AEB0: 38000000 li r0,0

0011AEF0: 38000000 li r0,0

0011AFB0: 38000000 li r0,0

0011B0D0: 38000000 li r0,0

0011B1F0: 38000000 li r0,0

0011B310: 38000000 li r0,0

0011B994: 38000000 li r0,0

0011C180: 38000000 li r0,0

0011C1F0: 38000000 li r0,0

001260A8: 38000000 li r0,0

001260B0: 39200000 li r9,0

001260C4: 38000000 li r0,0

001260CC: 39200000 li r9,0

00126408: 38000000 li r0,0

00126410: 39200000 li r9,0

00126424: 38000000 li r0,0

0012642C: 39200000 li r9,0

00126994: 38000000 li r0,0

0012699C: 39200000 li r9,0

001269B0: 38000000 li r0,0

001269B8: 39200000 li r9,0

00126C08: 38000000 li r0,0

00126C10: 39200000 li r9,0

00126C24: 38000000 li r0,0

00126C2C: 39200000 li r9,0

0012B2C8: 38000000 li r0,0

0012B348: 38000000 li r0,0

0012B3C4: 38000000 li r0,0

0012B4BC: 38000000 li r0,0

0012B900: 39000000 li r8,0

0012C150: 38000000 li r0,0

00133254: 38000000 li r0,0

0013332C: 38000000 li r0,0

001336F4: 38000000 li r0,0

001337C0: 38000000 li r0,0

00133814: 38000000 li r0,0

00133AEC: 38000000 li r0,0

00133AF4: 39200000 li r9,0

00133D70: 38000000 li r0,0

00134168: 39200000 li r9,0

00134170: 38000000 li r0,0

00136760: 38600000 li r3,0

00136974: 38600000 li r3,0

00136AC0: 38600000 li r3,0

00136D30: 38600000 li r3,0

00136E88: 38600000 li r3,0

00136FF8: 38600000 li r3,0

00137A3C: 38000000 li r0,0

00137D5C: 38000000 li r0,0

00137E78: 38000000 li r0,0

00137EA8: 38000000 li r0,0

00137F54: 38000000 li r0,0

00137FC8: 38000000 li r0,0

00137FF8: 38000000 li r0,0

00138028: 38000000 li r0,0

0013837C: 38000000 li r0,0

001385CC: 38000000 li r0,0

00138754: 38000000 li r0,0

00139940: 38000000 li r0,0

0013A59C: 38000000 li r0,0

0013B614: 38000000 li r0,0

0013B7DC: 38000000 li r0,0

0013BBE4: 38000000 li r0,0

0013BC44: 38000000 li r0,0

0013BD4C: 38000000 li r0,0

0013BED4: 38000000 li r0,0

0013C3FC: 38000000 li r0,0

0013C708: 38000000 li r0,0

0013E300: 38000000 li r0,0

0013EB3C: 38000000 li r0,0

0013EDDC: 38000000 li r0,0

0013EF48: 39600000 li r11,0

0013FD0C: 38000000 li r0,0

0014002C: 38000000 li r0,0

00140308: 39600000 li r11,0

001421C0: 38000000 li r0,0

001443D4: 38000000 li r0,0

00145944: 38000000 li r0,0

00145DB4: 38000000 li r0,0

001470C4: 38000000 li r0,0

0014944C: 38000000 li r0,0

00149D30: 38000000 li r0,0

00149E64: 38000000 li r0,0

00149F04: 38000000 li r0,0

0014A0E0: 38000000 li r0,0

0014A268: 38000000 li r0,0

0014A6D8: 38000000 li r0,0

0014ACFC: 38000000 li r0,0

0014AD0C: 38000000 li r0,0

0014B1E0: 39200000 li r9,0

0014B1E8: 38000000 li r0,0

001528BC: 38000000 li r0,0

00152E78: 38000000 li r0,0

00153488: 38600000 li r3,0

00153A8C: 38600000 li r3,0

00153D70: 38000000 li r0,0

00153F34: 38000000 li r0,0

001541E8: 39200000 li r9,0

001541F0: 38000000 li r0,0

00156578: 38000000 li r0,0

001565EC: 38000000 li r0,0

00156AD8: 38000000 li r0,0

00156BA4: 38000000 li r0,0

00156C14: 38000000 li r0,0

00156C74: 38000000 li r0,0

00156E28: 38000000 li r0,0

00156EE0: 38000000 li r0,0

00157060: 38000000 li r0,0

00157118: 38000000 li r0,0

00157298: 38000000 li r0,0

00157350: 38000000 li r0,0

001574D0: 38000000 li r0,0

00157588: 38000000 li r0,0

0015A118: 38000000 li r0,0

0015A518: 38000000 li r0,0

0015A8D0: 38000000 li r0,0

0015C2CC: 38000000 li r0,0

0015C3F4: 38000000 li r0,0

0015C694: 38000000 li r0,0

0015C8AC: 38000000 li r0,0

0015CD84: 38000000 li r0,0

0015D978: 39200000 li r9,0

0015D980: 38000000 li r0,0

0015DC08: 39200000 li r9,0

0015DC10: 38000000 li r0,0

00162F30: 38000000 li r0,0

00163264: 38000000 li r0,0

001686E0: 38000000 li r0,0

00168EB0: 38000000 li r0,0

00168F0C: 38000000 li r0,0

00168F54: 38000000 li r0,0

00169950: 38000000 li r0,0

0016A060: 38000000 li r0,0

0016A330: 38000000 li r0,0

0016AB44: 38000000 li r0,0

0019A9B4: 38000000 li r0,0

0019B630: 38000000 li r0,0

0019BBB8: 38000000 li r0,0

0019C3F8: 38000000 li r0,0

0019C7C0: 38000000 li r0,0

0019C894: 38000000 li r0,0

0019D934: 38000000 li r0,0

0019E004: 38000000 li r0,0

0019E658: 38000000 li r0,0

0019EEDC: 38000000 li r0,0

A long story shortened: I tried these 32 of them at a time, over and over until I hit this batch of them:

001385CC: 38000000 li r0,0

00138754: 38000000 li r0,0

00139940: 38000000 li r0,0

0013A59C: 38000000 li r0,0

0013B614: 38000000 li r0,0

0013B7DC: 38000000 li r0,0

0013BBE4: 38000000 li r0,0

0013BC44: 38000000 li r0,0

0013BD4C: 38000000 li r0,0

0013BED4: 38000000 li r0,0

0013C3FC: 38000000 li r0,0

0013C708: 38000000 li r0,0

0013E300: 38000000 li r0,0

0013EB3C: 38000000 li r0,0

0013EDDC: 38000000 li r0,0

0013EF48: 39600000 li r11,0

0013FD0C: 38000000 li r0,0

0014002C: 38000000 li r0,0

00140308: 39600000 li r11,0

001421C0: 38000000 li r0,0

001443D4: 38000000 li r0,0

00145944: 38000000 li r0,0

00145DB4: 38000000 li r0,0

001470C4: 38000000 li r0,0

0014944C: 38000000 li r0,0

00149D30: 38000000 li r0,0

00149E64: 38000000 li r0,0

00149F04: 38000000 li r0,0

0014A0E0: 38000000 li r0,0

0014A268: 38000000 li r0,0

0014A6D8: 38000000 li r0,0

0014ACFC: 38000000 li r0,0

When I played, I was able to select enemies and use them as if they were my own, but I couldn't move other things like geocubes. I thought that was great. I then split it in half, so I tried just the first 16 of them:

001385CC: 38000000 li r0,0

00138754: 38000000 li r0,0

00139940: 38000000 li r0,0

0013A59C: 38000000 li r0,0

0013B614: 38000000 li r0,0

0013B7DC: 38000000 li r0,0

0013BBE4: 38000000 li r0,0

0013BC44: 38000000 li r0,0

0013BD4C: 38000000 li r0,0

0013BED4: 38000000 li r0,0

0013C3FC: 38000000 li r0,0

0013C708: 38000000 li r0,0

0013E300: 38000000 li r0,0

0013EB3C: 38000000 li r0,0

0013EDDC: 38000000 li r0,0

0013EF48: 39600000 li r11,0

I tried that, and the effect was gone. So it was in the second batch. I then tried the first 8 of the second batch of them:

0013FD0C: 38000000 li r0,0

0014002C: 38000000 li r0,0

00140308: 39600000 li r11,0

001421C0: 38000000 li r0,0

001443D4: 38000000 li r0,0

00145944: 38000000 li r0,0

00145DB4: 38000000 li r0,0

001470C4: 38000000 li r0,0

I played, and I could control enemies again. Then tried just the first 4 of them:

0013FD0C: 38000000 li r0,0

0014002C: 38000000 li r0,0

00140308: 39600000 li r11,0

001421C0: 38000000 li r0,0

The effect was gone again, so I tried the first 2 of the second batch:

001443D4: 38000000 li r0,0

00145944: 38000000 li r0,0

The effect was still gone, so I tried the first 1 of the second batch:

00145DB4: 38000000 li r0,0

The effect was back again. That means I have found my area, so I go to address 0x00145DB4 and look around:

00145D98: A0091FA6 lhz r0,8102(r9) I don't know what it's loading.

00145D9C: 2F800018 cmpwi cr7,r0,24 Whatever it loaded, it's being compared to 24.

00145DA0: 409E0014 bne- cr7,0x145db4 If whatever it was wasn't 24, it'll go down to address 0x00145DB4 and continue with the code.

00145DA4: 38600004 li r3,4 It was 24, so now give register $r3 the value 4.

00145DA8: 4BF3DB75 bl 0x8391c Go to address 0x0008391C, do stuff, return to address 0x00145DAC.

00145DAC: 60000000 nop

00145DB0: 480000C8 b 0x145e78 Go down to address 0x00145E78, continue code.

00145DB4: 880B042F lbz r0,1071(r11) Register $r0 wasn't 24, so it comes here. It loads 1 byte from offset $042F, which is the byte that determines whether they are your units or some other units.

00145DB8: 7C1C0774 extsb r28,r0 The byte in register $r0 is sign-extended into register $r28 (so a value of 0x80 or above becomes negative).

00145DBC: 2C1C0000 cmpwi r28,0 Register $r28, which determines whether a unit is yours or something else, is compared to 0, which is the value that makes things your unit.

00145DC0: 40820064 bne- 0x145e24 If it wasn't 0, it wasn't your unit, and it then jumps down to address 0x00145E24, which must be the code to give you the enemies' menu.

00145DC4: 38600001 li r3,1 Don't know, don't care, all I know is that everything starting here going to address 0x00145E20 is code specifically for your units.

00145DC8: 4BF3DB55 bl 0x8391c Don't know, don't care.

00145DCC: 60000000 nop

00145DD0: 8162B1A8 lwz r11,-20056(r2) Don't know, don't care.

00145DD4: 8122B394 lwz r9,-19564(r2) Don't know, don't care.

00145DD8: 80090000 lwz r0,0(r9) Don't know, don't care.

00145DDC: 900B0000 stw r0,0(r11) Don't know, don't care.

00145DE0: 8122B750 lwz r9,-18608(r2) Don't know, don't care.

00145DE4: 93890000 stw r28,0(r9) Don't know, don't care.

00145DE8: 3860000A li r3,10 Don't know, don't care.

00145DEC: 4BFBA9B9 bl 0x1007a4 Don't know, don't care.

00145DF0: 8122B754 lwz r9,-18604(r2) Don't know, don't care.

00145DF4: 9B890000 stb r28,0(r9) Don't know, don't care.

00145DF8: 83A2BD68 lwz r29,-17048(r2) Don't know, don't care.

00145DFC: 807D0000 lwz r3,0(r29) Don't know, don't care.

00145E00: 38800000 li r4,0 Don't know, don't care.

00145E04: 4BF4435D bl 0x8a160 Don't know, don't care.

00145E08: 60000000 nop

00145E0C: 813D0000 lwz r9,0(r29) Don't know, don't care.

00145E10: B389016E sth r28,366(r9) Don't know, don't care.

00145E14: 38600002 li r3,2 Don't know, don't care.

00145E18: 4BFB0559 bl 0xf6370 Don't know, don't care.

00145E1C: 60000000 nop

00145E20: 48000058 b 0x145e78 It skips past all the below code. Remember address 0x00145DC0 with the branch? It skips the code for your units and goes to the code just below this line.

00145E24: 38600001 li r3,1 Don't know, don't care, this is the code that is used by things that aren't your units.

00145E28: 4BF3DAF5 bl 0x8391c Don't know, don't care.

00145E2C: 60000000 nop

00145E30: 8122B394 lwz r9,-19564(r2) Don't know, don't care.

00145E34: 80890000 lwz r4,0(r9) Don't know, don't care.

00145E38: 7C8407B4 extsw r4,r4 Don't know, don't care.

00145E3C: 8122B1A8 lwz r9,-20056(r2) Don't know, don't care.

00145E40: 90890000 stw r4,0(r9) Don't know, don't care.

00145E44: 1C840498 mulli r4,r4,1176 Don't know, don't care.

00145E48: 8002B028 lwz r0,-20440(r2) Don't know, don't care.

00145E4C: 7C840214 add r4,r4,r0 Don't know, don't care.

00145E50: 8062B014 lwz r3,-20460(r2) Don't know, don't care.

00145E54: 78840020 rldicl r4,r4,0,1 Don't know, don't care.

00145E58: 38A00000 li r5,0 Don't know, don't care.

00145E5C: 4BF6CF89 bl 0xb2de4 Don't know, don't care.

00145E60: 60000000 nop

00145E64: 38600016 li r3,22 Don't know, don't care.

00145E68: 4BFBA93D bl 0x1007a4 Don't know, don't care.

00145E6C: 38600002 li r3,2 Don't know, don't care.

00145E70: 4BFB0501 bl 0xf6370 Don't know, don't care.

00145E74: 60000000 nop

00145E78: 8122B1BC lwz r9,-20036(r2) Don't know, don't care, but starting here neither your units nor the enemy skip this code, so everything from address 0x00145DC4 to 0x00145E20 is for your units, and everything from address 0x00145E24 to 0x00145E74 is for things that aren't your units.

Going by that thinking, if I remove the branch at 0x00145DC0, then I should be able to control enemies. So I try it:

00145DC0: 40820064 bne- 0x145e24

That becomes:

00145DC0 60000000 nop

I try that out, and I can control enemies. I'm still noticing that I can't control things like geocubes, treasure chests, and whatever other things. I have a guess as to what to do. I'm looking at this branch:

00145DB0: 480000C8 b 0x145e78

This branch skips by both player units and enemies. Maybe if I delete that, it might give me control of those things too:

00145DB0 60000000 nop

I try that, and my guess was right. I can control those things too now.
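The halving procedure above (the batch of 32, then 16, 8, 4, 2, 1) is a bisection. Here it is as a small Python search, an added example that is not part of the original post. The game launch is replaced by a constructed oracle function, the candidate list is the 32-patch batch quoted above, and at each step the search tests both halves (one extra launch per level compared with assuming the effect must be in whichever half was not tried), which is what lets it cope with a half that crashes the game or an effect that needs a patch from each half. The helper names are this example's own.

```python
"""Bisecting a batch of patches down to the ones that cause an effect.

Added example, not code from the original post.  `oracle` stands in for
"apply these patches, launch the game, see whether the effect is there";
the oracles used at the bottom are constructed so the search runs offline.
"""
from typing import Callable, FrozenSet, List, Sequence, Tuple

Oracle = Callable[[FrozenSet[int]], bool]

# The 32-patch batch that first showed the effect (addresses from the page).
BATCH_32: List[int] = [
    0x1385CC, 0x138754, 0x139940, 0x13A59C, 0x13B614, 0x13B7DC, 0x13BBE4, 0x13BC44,
    0x13BD4C, 0x13BED4, 0x13C3FC, 0x13C708, 0x13E300, 0x13EB3C, 0x13EDDC, 0x13EF48,
    0x13FD0C, 0x14002C, 0x140308, 0x1421C0, 0x1443D4, 0x145944, 0x145DB4, 0x1470C4,
    0x14944C, 0x149D30, 0x149E64, 0x149F04, 0x14A0E0, 0x14A268, 0x14A6D8, 0x14ACFC,
]


class CountingOracle:
    """Counts oracle calls, i.e. how many times the game had to be launched."""

    def __init__(self, fn: Oracle) -> None:
        self.fn, self.calls = fn, 0

    def __call__(self, patches: FrozenSet[int]) -> bool:
        self.calls += 1
        return self.fn(patches)


def minimize(cands: Sequence[int], oracle: Oracle,
             keep: FrozenSet[int] = frozenset()) -> List[int]:
    """Precondition: oracle(keep | set(cands)) is True.  Returns the subset of
    `cands` that, together with `keep`, still shows the effect.

    Both halves are tested instead of assuming "not in the first half, so it
    must be in the second": a half that crashes the game, or an effect that
    needs one patch from each half, would otherwise send the search the wrong
    way.  If neither half works alone, each half is reduced while the other
    is held applied."""
    if len(cands) <= 1:
        return list(cands)
    mid = len(cands) // 2
    a, b = cands[:mid], cands[mid:]
    if oracle(keep | frozenset(a)):
        return minimize(a, oracle, keep)
    if oracle(keep | frozenset(b)):
        return minimize(b, oracle, keep)
    a_min = minimize(a, oracle, keep | frozenset(b))
    b_min = minimize(b, oracle, keep | frozenset(a_min))
    return a_min + b_min


def find_cause(batch: Sequence[int], effect: Oracle) -> Tuple[List[int], int]:
    """Confirm the whole batch shows the effect, then narrow it down.
    Returns (responsible patches, number of launches)."""
    oracle = CountingOracle(effect)
    if not oracle(frozenset(batch)):
        return [], oracle.calls
    return minimize(batch, oracle), oracle.calls


if __name__ == "__main__":
    # Constructed oracle: the effect appears whenever the patch at 00145DB4 is applied.
    addrs, launches = find_cause(BATCH_32, lambda s: 0x145DB4 in s)
    print([f"{a:08X}" for a in addrs], launches)
    # Constructed oracle: the effect needs one patch from each half of the batch.
    addrs, launches = find_cause(BATCH_32, lambda s: {0x1385CC, 0x145DB4} <= s)
    print([f"{a:08X}" for a in addrs], launches)
```

With a single responsible patch the search reports 0x00145DB4 after 9 launches (the confirming run of the whole batch plus 8 halvings); with the constructed two-patch oracle it returns both addresses after 13, where the one-sided halving described above would have lost the effect at the first split and concluded it sat in a half that does nothing on its own.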

After all of this, I still need a way of using that unlimited movement and action, and I don't think it will be too useful if I need to get hit to allow me to hit back. When I'm looking at the above code, it specifically runs when I select any unit. That makes this area sound just perfect, making it activate the code when I select a unit. So I look in the area for your units specifically:

00145DB4: 880B042F lbz r0,1071(r11)

00145DB8: 7C1C0774 extsb r28,r0

00145DBC: 2C1C0000 cmpwi r28,0

00145DC0: 40820064 bne- 0x145e24

00145DC4: 38600001 li r3,1

00145DC8: 4BF3DB55 bl 0x8391c

00145DCC: 60000000 nop

00145DD0: 8162B1A8 lwz r11,-20056(r2)

00145DD4: 8122B394 lwz r9,-19564(r2)

00145DD8: 80090000 lwz r0,0(r9)

00145DDC: 900B0000 stw r0,0(r11)

00145DE0: 8122B750 lwz r9,-18608(r2)

00145DE4: 93890000 stw r28,0(r9)

00145DE8: 3860000A li r3,10

00145DEC: 4BFBA9B9 bl 0x1007a4

00145DF0: 8122B754 lwz r9,-18604(r2)

00145DF4: 9B890000 stb r28,0(r9)

00145DF8: 83A2BD68 lwz r29,-17048(r2)

00145DFC: 807D0000 lwz r3,0(r29)

00145E00: 38800000 li r4,0

00145E04: 4BF4435D bl 0x8a160

00145E08: 60000000 nop

00145E0C: 813D0000 lwz r9,0(r29)

00145E10: B389016E sth r28,366(r9)

00145E14: 38600002 li r3,2

00145E18: 4BFB0559 bl 0xf6370

00145E1C: 60000000 nop

00145E20: 48000058 b 0x145e78

I need to figure out which register has the address I need to write the value to. I know that address 0x00145DB4 loads from register $r11, and the unlimited movement and action is just the next 4 bytes. I see address 0x00145DD0 loads 4 bytes from register $r2. I don't know if that is the same thing $r11 was previously, so I go back up and see where it was previously loaded from, and see this:

00145D78: 817D0000 lwz r11,0(r29)

Now I know $r11 was loaded from offset $0000 of register $r29. I now check for where register $r29 came from. I go up a little further, and find this:

00145D4C: 83A2BD68 lwz r29,-17048(r2)

Register $r29 is loaded from offset $BD68 of register $r2. Now I start checking above that, and it seems like nothing creates or modifies it for miles, and everything loads stuff from it nonstop. I'm guessing that never changes. So now I know my chain of offsets:

Offset $0430 of offset $0000 of offset $BD68 of register $r2 is my unlimited movement and action. $BD68 is a negative offset (-17048), and register $r2 is the TOC pointer that addresses the program's global data, which is why nothing in the code sets it: the chain is a global pointer (presumably to the currently selected unit), then the unit itself, and $0430 is a field inside the unit. I look at the player code for anything with offset $BD68 of register $r2:

00145DC4: 38600001 li r3,1

00145DC8: 4BF3DB55 bl 0x8391c

00145DCC: 60000000 nop

00145DD0: 8162B1A8 lwz r11,-20056(r2)

00145DD4: 8122B394 lwz r9,-19564(r2)

00145DD8: 80090000 lwz r0,0(r9)

00145DDC: 900B0000 stw r0,0(r11)

00145DE0: 8122B750 lwz r9,-18608(r2)

00145DE4: 93890000 stw r28,0(r9)

00145DE8: 3860000A li r3,10

00145DEC: 4BFBA9B9 bl 0x1007a4

00145DF0: 8122B754 lwz r9,-18604(r2)

00145DF4: 9B890000 stb r28,0(r9)

00145DF8: 83A2BD68 lwz r29,-17048(r2)

00145DFC: 807D0000 lwz r3,0(r29)

00145E00: 38800000 li r4,0

00145E04: 4BF4435D bl 0x8a160

00145E08: 60000000 nop

00145E0C: 813D0000 lwz r9,0(r29)

00145E10: B389016E sth r28,366(r9)

00145E14: 38600002 li r3,2

00145E18: 4BFB0559 bl 0xf6370

00145E1C: 60000000 nop

00145E20: 48000058 b 0x145e78

I see one. It's this address:

00145DF8: 83A2BD68 lwz r29,-17048(r2)

Now I need something with offset $0000 of register $r29. I see that's the next line:

00145DFC: 807D0000 lwz r3,0(r29)

With that, all I need to do is write the value 0 to the 4 bytes at offset $0430 of register $r3. The next line already creates the value 0 for a register:

00145E00: 38800000 li r4,0

Now I just need to store register $r4 at offset $0430 of register $r3 and it should work perfect. The next line is a problem though:

00145E04: 4BF4435D bl 0x8a160

It's a "bl" operation, so it goes somewhere else and does whatever. I'm lazy and it might change registers $r3 or $r4 (they are argument registers, and on PowerPC a called function is free to clobber r3 through r12), but if I delete it, it might screw up the game and cause it not to work. I was feeling very lazy, and saw that "nop" right after it. I could just try putting this in the "nop":

00145E08: 90830430 stw r4,1072(r3)

I could have tried that, because there might not have been any modification to either of those registers from that "bl", but I doubt that. Instead, I can just move that "bl" down 1 line and subtract 4 from its value: a "bl" encodes the distance from its own address to the target, the target here is at a lower address, so moving the instruction 4 bytes later makes that distance 4 bytes longer, and 4BF4435D becomes 4BF44359. That way it doesn't jump to the wrong place and mess up the game. Since I did that, I can now put the 1 line of code in without risking messing anything up.

00145E04: 90830430 stw r4,1072(r3)

00145E08: 4BF44359 bl 0x8a160

I tried that, and now my units have unlimited movement and actions. Works great.

Disgaea 3 - Infinite HP For You, Enemies Die From 1 Hit

Since I just found that area that told me the 1 byte that separates me from enemies, this makes things easier. First, I go to the area of the infinite HP code from codefreak and look at things again:

000C2D78: 2F800000 cmpwi cr7,r0,0 Don't know.

000C2D7C: 409E4444 bne- cr7,0xc71c0 Don't know.

000C2D80: 81770074 lwz r11,116(r23) It's loading the unit's data from offset $0074 of register $r23. So register $r23 is what I'll get that byte at offset $042F from.

000C2D84: E8010308 ld r0,776(r1) Don't know.

000C2D88: 54091838 rlwinm r9,r0,3,0,28 Shift $r0 left by 3, i.e. multiply it by 8: it's an index into a table of 8-byte entries.

000C2D8C: 7D2907B4 extsw r9,r9 Sign-extend that index to 64 bits.

000C2D90: 7D344A14 add r9,r20,r9 Add it to the table base in $r20.

000C2D94: E80B09C0 ld r0,2496(r11) Load unit's current HP.

000C2D98: E9290008 ld r9,8(r9) Load the 8-byte table entry, presumably the damage.

000C2D9C: 7C090050 sub r0,r0,r9 Current HP - $r9 = new current health. I guess $r9 must be the amount of damage subtracted from your HP.

000C2DA0: F80B09C0 std r0,2496(r11) Store new amount of health.

000C2DA4: 4800000C b 0xc2db0 Go to address 0x000C2DB0 and continue with the code.

Since I'm going to overwrite HP with either 0 or the max amount of HP a unit can have, this will take a few lines. $r0 and $r9 were being used to calculate damage, so I'm free to use those 2 registers.

000C2D78: 2F800000 cmpwi cr7,r0,0 Don't know.

000C2D7C: 409E4444 bne- cr7,0xc71c0 Don't know.

000C2D80: 81770074 lwz r11,116(r23) It's loading the unit's data from offset $0074 of register $r23. So register $r23 is what I'll get that byte at offset $042F from.

000C2D84: E8010308 ld r0,776(r1) Don't know.

000C2D88: 8817042F lbz r0,1071(r23) I'm loading that byte that tells the game whether a unit is mine or something else.

000C2D8C: 2F800000 cmpwi cr7,r0,0 I'm comparing that byte to the value 0, which is the value that means it's my unit.

000C2D90: 419E000C beq- cr7,0xc2d9c If it's the byte that makes it my unit, skip these next 2 lines.

000C2D94: 38000000 li r0,0 Create the value 0 since it's not my unit.

000C2D98: 48000008 b 0xc2da0 Skip the next 1 line.

000C2D9C: E80B09D0 ld r0,2512(r11) Load the max HP the unit has since it's my unit.

000C2DA0: F80B09C0 std r0,2496(r11) If it's my unit, it's storing its max HP as its current HP. If not, it's storing 0 as its current HP.

000C2DA4: 4800000C b 0xc2db0 Go to address 0x000C2DB0 and continue with the code.

I try that out, and it works perfectly just like it did for the previous 2 Disgaea games.

Disgaea 3 - Newly Created Or Reincarnated Characters Start With Max Mana

Disgaea 3 - Boost A Non Character Specific Skill For Max Mana

Disgaea 3 - Boost A Character Specific Skill For Max Mana

Disgaea 3 - Buy A Skill Or Evility For Max Mana

Disgaea 3 - Buy Something From The Skill World For Max Mana

Disgaea 3 - Homeroom Stuff Maxes Out Mana

Disgaea 3 - Enter The Reincarnate Or Create A New Character Menus For Max Mana

Disgaea 3 - Max Mana After Multiple Units Kill Anything Together

Disgaea 3 - Max Mana After Tower Attacks

These weren't too tough to find at all thanks to Skiller already finding a code that gives you max mana if a single unit kills something:

Max Mana After 1 Unit Kills Anything

000C5210 7F890040

That gives you 9,999,999 mana: it turns the "cmplw cr7,r0,r9" at 0x000C5210 (7F804840) into "cmplw cr7,r9,r0" (7F890040), so the limit check below it stores 9,999,999 whenever your mana is under the cap instead of over it. I went to that area to see what was going on:

000C51F4: 80080A70 lwz r0,2672(r8) 4 bytes are loaded into register $r0 from offset $0A70 of register $r8.

000C51F8: 7C00C214 add r0,r0,r24 Something is added to those 4 bytes.

000C51FC: 90080A70 stw r0,2672(r8) The new something is stored back where it came from.

000C5200: 816F0074 lwz r11,116(r15) Offset $0074 is the address that points to where a lot of data about individual units is at.

000C5204: 3D200098 lis r9,152 Register $r9 is value 0x00980000

000C5208: 6129967F ori r9,r9,38527 Register $r9 is now value 0x0098967F. That in decimal is 9,999,999.

000C520C: 800B0A70 lwz r0,2672(r11) Something is loaded from offset $0A70 of register $r11 and is 4 bytes.

000C5210: 7F804840 cmplw cr7,r0,r9 That something is compared to the value 9,999,999 since that's what register $r9 is.

000C5214: 409D0008 ble- cr7,0xc521c If that something is less than or equal to 9,999,999, then skip the next line of code.

000C5218: 912B0A70 stw r9,2672(r11) That something was higher than 9,999,999, so store 9,999,999 to offset $0A70 of register $r11. That means offset $0A70 is a unit's mana.

000C521C: 80770074 lwz r3,116(r23) Don't know, don't care.

I now know what offset is a unit's mana. From there I need to search for instances of "0A70 stw" and change the line before them to different values:

0005511C: 900B0A70 stw r0,2672(r11)

00055138: 912B0A70 stw r9,2672(r11)

000566EC: 907B0A70 stw r3,2672(r27)

0006E6B4: 901B0A70 stw r0,2672(r27)

0007FAEC: 937D0A70 stw r27,2672(r29)

0007FB30: 939D0A70 stw r28,2672(r29)

0007FB74: 939D0A70 stw r28,2672(r29)

0007FBB8: 939D0A70 stw r28,2672(r29)

0007FBFC: 939D0A70 stw r28,2672(r29)

0007FC40: 939D0A70 stw r28,2672(r29)

0007FC84: 937D0A70 stw r27,2672(r29)

0007FCCC: 939D0A70 stw r28,2672(r29)

0007FD14: 901D0A70 stw r0,2672(r29)

0007FD5C: 901D0A70 stw r0,2672(r29)

0007FDA4: 935D0A70 stw r26,2672(r29)

0007FDE8: 935D0A70 stw r26,2672(r29)

0007FE2C: 939D0A70 stw r28,2672(r29)

0007FE70: 939D0A70 stw r28,2672(r29)

0007FEE4: 937C0A70 stw r27,2672(r28)

0007FF54: 937C0A70 stw r27,2672(r28)

0007FFC4: 937C0A70 stw r27,2672(r28)

00080038: 901C0A70 stw r0,2672(r28)

000800AC: 901C0A70 stw r0,2672(r28)

0008011C: 935C0A70 stw r26,2672(r28)

00080164: 901D0A70 stw r0,2672(r29)

000C3BC0: 900B0A70 stw r0,2672(r11)

000C3BDC: 91230A70 stw r9,2672(r3)

000C3CF4: 900B0A70 stw r0,2672(r11)

000C3D10: 912B0A70 stw r9,2672(r11)

000C43CC: 901D0A70 stw r0,2672(r29)

000C43E0: 913D0A70 stw r9,2672(r29)

000C444C: 901D0A70 stw r0,2672(r29)

000C4460: 913D0A70 stw r9,2672(r29)

000C45E0: 901D0A70 stw r0,2672(r29)

000C45F4: 913D0A70 stw r9,2672(r29)

000C4660: 901D0A70 stw r0,2672(r29)

000C4674: 913D0A70 stw r9,2672(r29)

000C470C: 90090A70 stw r0,2672(r9)

000C4720: 91690A70 stw r11,2672(r9)

000C4730: 90090A70 stw r0,2672(r9)

000C474C: 91230A70 stw r9,2672(r3)

000C4768: 900A0A70 stw r0,2672(r10)

000C4784: 91230A70 stw r9,2672(r3)

000C49BC: 901F0A70 stw r0,2672(r31)

000C49D0: 913F0A70 stw r9,2672(r31)

000C4A34: 901F0A70 stw r0,2672(r31)

000C4A48: 913F0A70 stw r9,2672(r31)

000C4BC4: 901F0A70 stw r0,2672(r31)

000C4BD8: 913F0A70 stw r9,2672(r31)

000C4C3C: 901F0A70 stw r0,2672(r31)

000C4C50: 913F0A70 stw r9,2672(r31)

000C4CE4: 90090A70 stw r0,2672(r9)

000C4CF8: 91690A70 stw r11,2672(r9)

000C4D08: 90090A70 stw r0,2672(r9)

000C4D24: 912B0A70 stw r9,2672(r11)

000C4D3C: 90080A70 stw r0,2672(r8)

000C4D58: 912B0A70 stw r9,2672(r11)

000C4E78: 901F0A70 stw r0,2672(r31)

000C4E8C: 913F0A70 stw r9,2672(r31)

000C4EF0: 901F0A70 stw r0,2672(r31)

000C4F04: 913F0A70 stw r9,2672(r31)

000C5084: 901F0A70 stw r0,2672(r31)

000C5098: 913F0A70 stw r9,2672(r31)

000C50FC: 901F0A70 stw r0,2672(r31)

000C5110: 913F0A70 stw r9,2672(r31)

000C51A4: 90090A70 stw r0,2672(r9)

000C51B8: 91690A70 stw r11,2672(r9)

000C51C8: 90090A70 stw r0,2672(r9)

000C51E4: 912B0A70 stw r9,2672(r11)

000C51FC: 90080A70 stw r0,2672(r8)

000C5218: 912B0A70 stw r9,2672(r11)

0010A818: 913F0A70 stw r9,2672(r31)

0010A828: 913F0A70 stw r9,2672(r31)

0010A840: 913F0A70 stw r9,2672(r31)

0010A8A8: 901F0A70 stw r0,2672(r31)

0010A8BC: 917F0A70 stw r11,2672(r31)

0013CE78: 90090A70 stw r0,2672(r9)

0015F020: 900B0A70 stw r0,2672(r11)

00184BD4: 901C0A70 stw r0,2672(r28)

00184C54: 901C0A70 stw r0,2672(r28)

00185078: 901C0A70 stw r0,2672(r28)

001897E4: 901E0A70 stw r0,2672(r30)

00189948: 901E0A70 stw r0,2672(r30)

00189AAC: 901E0A70 stw r0,2672(r30)

00189C10: 901E0A70 stw r0,2672(r30)

00189D74: 901E0A70 stw r0,2672(r30)

0018D7DC: 913E0A70 stw r9,2672(r30)

001A8E80: 90070A70 stw r0,2672(r7)

001ABC94: 900B0A70 stw r0,2672(r11)

001AE074: 900B0A70 stw r0,2672(r11)

001AED08: 900B0A70 stw r0,2672(r11)

001AEF28: 90040A70 stw r0,2672(r4)

001B9AEC: 900B0A70 stw r0,2672(r11)

001B9B50: 900B0A70 stw r0,2672(r11)

That's 94 results. I'm thinking about things that modify a unit's mana. You gain mana by having a single unit kill anything, a group kills something, a tower attack, a magichange thing that to this day I never have used once, winning levels, treasure chests, and probably more things. Whatever gains mana also enforces a limit of 9,999,999 upon it, so I'd actually need to check a few lines before the "0A70 stw". I'm also thinking of the things that subtract mana from a character, like reincarnating a character, buying skills, boosting skills, buying evilities, doing stuff in the classroom, whatever things in the skill world, and probably a few other things I didn't notice. To find the ones that give you mana, look a few lines before the "0A70 stw" operation for something like this, along with an "add" somewhere near the beginning. I'm going to fill in an example and change the registers, $r?, from numbers to letters to kind of show what things might be:

000C51F4: 8???0A70 lwz rB,2672(rA) The current mana is loaded into register $rB.

000C51F8: 7????214 add rB,rB,rC Something is added to the mana, so something that increases mana has occurred.

000C51FC: 9???0A70 stw rB,2672(rA) The amount of mana is stored back where it came from.

000C5200: 8???0074 lwz rA,116(rD) Offset $0074 is the address that points to where a lot of data about individual units is at.

000C5204: 3??00098 lis rB,152 Register $rB is value 0x00980000

000C5208: 6???967F ori rB,rB,38527 Register $rB is now value 0x0098967F. That in decimal is 9,999,999.

000C520C: 8???0A70 lwz rC,2672(rA) The current mana is loaded from offset $0A70 and is 4 bytes.

000C5210: 7F????40 cmplw cr7,rC,rB The new mana in $rC is compared to the 9,999,999 in $rB (same operand order as the real "cmplw cr7,r0,r9" above).

000C5214: 409D0008 ble- cr7,0xc521c Checking if the new amount of mana is greater than 9,999,999.

000C5218: 9???0A70 stw rB,2672(rA) The new amount of mana was greater than 9,999,999, so store the number 9,999,999 as the new mana.

That's how it enforces a limit.

It takes forever to get a character to 9,999,999 mana, so I used Skiller's code, got a few of my characters' mana maxed out and saved, to make finding this stuff easier. If I didn't use characters that were already maxed out, there's a chance I'd miss a code that increases mana. So now I just go to the line before every 1 of those 94 results, and change the line into a "li" operation and set a specific value that will tell me which line does what:

00055118: 38000001 li r0,1

00055134: 39200003 li r9,3

000566E8: 38600005 li r3,5

0006E6B0: 38000007 li r0,7

0007FAE8: 3B600009 li r27,9

0007FB2C: 3B80000B li r28,11

0007FB70: 3B80000D li r28,13

0007FBB4: 3B80000F li r28,15

0007FBF8: 3B800011 li r28,17

0007FC3C: 3B800013 li r28,19

0007FC80: 3B600015 li r27,21

0007FCC8: 3B800017 li r28,23

0007FD10: 38000019 li r0,25

0007FD58: 3800001B li r0,27

0007FDA0: 3B40001D li r26,29

0007FDE4: 3B40001F li r26,31

0007FE28: 3B800021 li r28,33

0007FE6C: 3B800023 li r28,35

0007FEE0: 3B600025 li r27,37

0007FF50: 3B600027 li r27,39

0007FFC0: 3B600029 li r27,41

00080034: 3800002B li r0,43

000800A8: 3800002D li r0,45

00080118: 3B40002F li r26,47

00080160: 38000031 li r0,49

000C3BBC: 38000033 li r0,51

000C3BD8: 39200035 li r9,53

000C3CF0: 38000037 li r0,55

000C3D0C: 39200039 li r9,57

000C43C8: 3800003B li r0,59

000C43DC: 3920003D li r9,61

000C4448: 3800003F li r0,63

000C445C: 39200041 li r9,65

000C45DC: 38000043 li r0,67

000C45F0: 39200045 li r9,69

000C465C: 38000047 li r0,71

000C4670: 39200049 li r9,73

000C4708: 3800004B li r0,75

000C471C: 3960004D li r11,77

000C472C: 3800004F li r0,79

000C4748: 39200051 li r9,81

000C4764: 38000053 li r0,83

000C4780: 39200055 li r9,85

000C49B8: 38000057 li r0,87

000C49CC: 39200059 li r9,89

000C4A30: 3800005B li r0,91

000C4A44: 3920005D li r9,93

000C4BC0: 3800005F li r0,95

000C4BD4: 39200061 li r9,97

000C4C38: 38000063 li r0,99

000C4C4C: 39200065 li r9,101

000C4CE0: 38000067 li r0,103

000C4CF4: 39600069 li r11,105

000C4D04: 3800006B li r0,107

000C4D20: 3920006D li r9,109

000C4D38: 3800006F li r0,111

000C4D54: 39200071 li r9,113

000C4E74: 38000073 li r0,115

000C4E88: 39200075 li r9,117

000C4EEC: 38000077 li r0,119

000C4F00: 39200079 li r9,121

000C5080: 3800007B li r0,123

000C5094: 3920007D li r9,125

000C50F8: 3800007F li r0,127

000C510C: 39200081 li r9,129

000C51A0: 38000083 li r0,131

000C51B4: 39600085 li r11,133

000C51C4: 38000087 li r0,135

000C51E0: 39200089 li r9,137

000C51F8: 3800008B li r0,139

000C5214: 3920008D li r9,141

0010A814: 3920008F li r9,143

0010A824: 39200091 li r9,145

0010A83C: 39200093 li r9,147

0010A8A4: 38000095 li r0,149

0010A8B8: 39600097 li r11,151

0013CE74: 38000099 li r0,153

0015F01C: 3800009B li r0,155

00184BD0: 3800009D li r0,157

00184C50: 3800009F li r0,159

00185074: 380000A1 li r0,161

001897E0: 380000A3 li r0,163

00189944: 380000A5 li r0,165

00189AA8: 380000A7 li r0,167

00189C0C: 380000A9 li r0,169

00189D70: 380000AB li r0,171

0018D7D8: 392000AD li r9,173

001A8E7C: 380000AF li r0,175

001ABC90: 380000B1 li r0,177

001AE070: 380000B3 li r0,179

001AED04: 380000B5 li r0,181

001AEF24: 380000B7 li r0,183

001B9AE8: 380000B9 li r0,185

001B9B4C: 380000BB li r0,187

I tried the game with all of those. This is what I noticed:

1. When I created a new character, that new character had 7 mana.

2. When I killed anything with a tower attack, I got 85 mana.

3. When I killed anything in a group attack, I got 89 mana.

4. When I boosted a non character specific skill, I got 157 mana.

5. When I boosted a character specific skill, I got 159 mana.

6. When I bought a skill or evility, I got 161 mana.

7. When I bought something from the skill world, I got 163 mana.

8. When I went into the reincarnate or create a character menu, I got 175 mana.

9. When I tried anything in the classroom that I voted on, I got 183 mana.

That's how I found all of those. If there are other things that affect mana that I didn't find, they are in that list somewhere.

Rank A & B Created Or Reincarnated Characters Do Not Need Approval To Be Created

I'm slightly amazed I found this by accident. I was mainly looking for something that would allow me to change how many points I could disperse on stats for reincarnated or newly created characters. I didn't know where to start, but I did find a code that gave somebody max mana if they entered the reincarnate or create a character menu. If the code does that, the next few menus from that process might be there too, along with the possibility of setting how many points I can use. So I went to that area:

Enter The Reincarnate Or Create A New Character Menus For Max Mana

001AEF20 3C000098

001AEF24 6000967F

From there, I immediately searched for the first instance of "blr" above and below that result to figure out the length of the function. The function was from 0x001AE994 to 0x001AF230. I'm not sure of what to do, but going from menu to menu was probably "bl" operations. I then decided to find all of them and remove them in the hope that it in some way affected the points:

001AEA48: 4BF47E41 bl 0xf6888

001AEA58: 4BF478FD bl 0xf6354

001AEA94: 4BF4799D bl 0xf6430

001AEAA0: 4BED4E7D bl 0x8391c

001AEAB0: 4BF47DD9 bl 0xf6888

001AEAC0: 4BF47895 bl 0xf6354

001AEAFC: 4BF47935 bl 0xf6430

001AEB08: 4BED4E15 bl 0x8391c

001AEC00: 4BED7495 bl 0x86094

001AEC7C: 4BF47C0D bl 0xf6888

001AEC8C: 4BF476C9 bl 0xf6354

001AEC98: 4BED8871 bl 0x87508

001AECA4: 4BED4C79 bl 0x8391c

001AED20: 4BED87E9 bl 0x87508

001AED54: 4BED4E4D bl 0x83ba0

001AEDF0: 4BE70C29 bl 0x1fa18

001AEE04: 4BE7115D bl 0x1ff60

001AEE70: 4BE71351 bl 0x201c0

001AEE98: 4BEDD235 bl 0x8c0cc

001AEEE4: 4BF479A5 bl 0xf6888

001AEEF4: 4BF47461 bl 0xf6354

001AEF14: 4BED4A09 bl 0x8391c

001AEFE4: 4BFE6665 bl 0x195648

001AF084: 4806256D bl 0x2115f0

001AF174: 4BFE6EE5 bl 0x196058

001AF19C: 4BED8B55 bl 0x87cf0

001AF1AC: 4BED4771 bl 0x8391c

001AF1D4: 4BFFEFAD bl 0x1ae180

001AF20C: 4BFE61E9 bl 0x1953f4

There are 29 of them. I removed all of them:

001AEA48: 60000000 nop

001AEA58: 60000000 nop

001AEA94: 60000000 nop

001AEAA0: 60000000 nop

001AEAB0: 60000000 nop

001AEAC0: 60000000 nop

001AEAFC: 60000000 nop

001AEB08: 60000000 nop

001AEC00: 60000000 nop

001AEC7C: 60000000 nop

001AEC8C: 60000000 nop

001AEC98: 60000000 nop

001AECA4: 60000000 nop

001AED20: 60000000 nop

001AED54: 60000000 nop

001AEDF0: 60000000 nop

001AEE04: 60000000 nop

001AEE70: 60000000 nop

001AEE98: 60000000 nop

001AEEE4: 60000000 nop

001AEEF4: 60000000 nop

001AEF14: 60000000 nop

001AEFE4: 60000000 nop

001AF084: 60000000 nop

001AF174: 60000000 nop

001AF19C: 60000000 nop

001AF1AC: 60000000 nop

001AF1D4: 60000000 nop

001AF20C: 60000000 nop

I tried that, and when I went to create a character it got to the screen where you would normally select a class, but there was nothing there and I had to restart the game. I hate when that happens; it makes the process a lot slower. So I divided them in half, because I was going to get rid of that stupid effect so I could check everything else:

001AEA48: 60000000 nop

001AEA58: 60000000 nop

001AEA94: 60000000 nop

001AEAA0: 60000000 nop

001AEAB0: 60000000 nop

001AEAC0: 60000000 nop

001AEAFC: 60000000 nop

001AEB08: 60000000 nop

001AEC00: 60000000 nop

001AEC7C: 60000000 nop

001AEC8C: 60000000 nop

001AEC98: 60000000 nop

001AECA4: 60000000 nop

001AED20: 60000000 nop

001AED54: 60000000 nop

That annoying effect was gone, so it was in the 2nd batch. The menus acted like I was holding down on the D-pad, so picking things was a little more difficult. I then tried the 1st half of the 2nd batch:

001AEDF0: 60000000 nop

001AEE04: 60000000 nop

001AEE70: 60000000 nop

001AEE98: 60000000 nop

001AEEE4: 60000000 nop

001AEEF4: 60000000 nop

001AEF14: 60000000 nop

The effect was back. Now the 1st half of that batch:

001AEDF0: 60000000 nop

001AEE04: 60000000 nop

001AEE70: 60000000 nop

001AEE98: 60000000 nop

The effect was gone. Now the first 2 of the 2nd batch:

001AEEE4: 60000000 nop

001AEEF4: 60000000 nop

It was back again. Now just the 1st 1:

001AEEE4: 60000000 nop

It's still there, so now I'll know to try all the results again, but leave this 1 alone. So I tried them, and noticed I didn't go to the place where voting occurs when I wanted to create a genius character, but I still lost mana for it. I thought that was very interesting, and it wouldn't allow me to make those characters that required a vote. I then decided to check which "bl" operation made that happen. I tried the 1st 14 results again:

001AEA48: 60000000 nop

001AEA58: 60000000 nop

001AEA94: 60000000 nop

001AEAA0: 60000000 nop

001AEAB0: 60000000 nop

001AEAC0: 60000000 nop

001AEAFC: 60000000 nop

001AEB08: 60000000 nop

001AEC00: 60000000 nop

001AEC7C: 60000000 nop

001AEC8C: 60000000 nop

001AEC98: 60000000 nop

001AECA4: 60000000 nop

001AED20: 60000000 nop

I tried that, and the effect was gone, so it must have been in the 2nd batch of 14. I tried the next 7 of the 2nd batch:

001AED54: 60000000 nop

001AEDF0: 60000000 nop

001AEE04: 60000000 nop

001AEE70: 60000000 nop

001AEE98: 60000000 nop

001AEEF4: 60000000 nop

001AEF14: 60000000 nop

The effect was still gone, so it must have been in the other 7. I tried the next 4 of batch 2:

001AEFE4: 60000000 nop

001AF084: 60000000 nop

001AF174: 60000000 nop

001AF19C: 60000000 nop

The effect was back, so it's 1 of those 4. I then tried the first 2:

001AEFE4: 60000000 nop

001AF084: 60000000 nop

The effect was gone, so it was 1 of the other 2. I tried the next 1:

001AF174: 60000000 nop

The effect was back. That was the "bl" that caused it. I then checked the area out to see what led there:

001AF118: 80090000 lwz r0,0(r9) Don't know.

001AF11C: 2F800003 cmpwi cr7,r0,3 Don't know.

001AF120: 409D0030 ble- cr7,0x1af150 Doesn't branch to 0x001AF16C.

001AF124: 8122CF88 lwz r9,-12408(r2) Don't know.

001AF128: 81290000 lwz r9,0(r9) Don't know.

001AF12C: A0090004 lhz r0,4(r9) Don't know.

001AF130: 2F800038 cmpwi cr7,r0,56 Don't know.

001AF134: 419E001C beq- cr7,0x1af150 Doesn't branch to 0x001AF16C.

001AF138: 2F800045 cmpwi cr7,r0,69 Don't know.

001AF13C: 419E0014 beq- cr7,0x1af150 Doesn't branch to 0x001AF16C.

001AF140: 2F800046 cmpwi cr7,r0,70 Don't know.

001AF144: 419E000C beq- cr7,0x1af150 Doesn't branch to 0x001AF16C.

001AF148: 2F800047 cmpwi cr7,r0,71 Don't know.

001AF14C: 409E0020 bne- cr7,0x1af16c This branches to 0x001AF16C.

001AF150: 8122CEE8 lwz r9,-12568(r2) Don't know.

001AF154: 38000000 li r0,0 Don't know.

001AF158: 90090000 stw r0,0(r9) Don't know.

001AF15C: 8122CF38 lwz r9,-12488(r2) Don't know.

001AF160: 3800000D li r0,13 Don't know.

001AF164: 90090000 stw r0,0(r9) Don't know.

001AF168: 4800004C b 0x1af1b4 This skips past that area.

001AF16C: 38605209 li r3,21001 Don't know.

001AF170: 38800000 li r4,0 Don't know.

001AF174: 4BFE6EE5 bl 0x196058 This is the jump to the function I removed that prevented me from voting on genius characters.

001AF178: 4800003C b 0x1af1b4 Don't know.

001AF17C: 8122CEB4 lwz r9,-12620(r2) Don't know.

I saw only 1 thing throughout this function went to that function:

001AF14C: 409E0020 bne- cr7,0x1af16c

I then thought to just delete the branch:

001AF14C 60000000 nop

I tried that, and then I was able to make those characters without needing to vote for approval. Also, the jump to address 0x00196058 goes to the start of a function that controls every last bit of the voting process. Odds are that if I hadn't gotten sick of this game, I could have found everything that jumped to this function and made it skip the voting process and approve things. If everything skipped that function, that would be a large amount of space anyone could use for anything they wanted.
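The batch-and-halve procedure above is a binary search over patch sites: nop half of them, see whether the effect survives, keep the half that shows it. Here it is as a general routine. This is an added example, not the poster's own steps: the game is replaced by a simulated oracle (`simulated_game`, a hypothetical model constructed from what the post reports: patching 0x001AEEE4 empties the class-select screen and forces a restart, which hides anything else, and patching 0x001AF174 skips the vote), and `CALL_SITES` holds the 29 "bl" addresses listed above. It shows why an unrelated crash has to be attributed and excluded before the effect you actually want can be searched for, and that each culprit among 29 sites costs five halvings after the all-patched run.

```python
# Constructed from the listing above: the 29 "bl" sites inside the function
# at 0x001AE994..0x001AF230 that were replaced with 60000000 (nop).
CALL_SITES = [
    0x1AEA48, 0x1AEA58, 0x1AEA94, 0x1AEAA0, 0x1AEAB0, 0x1AEAC0, 0x1AEAFC, 0x1AEB08,
    0x1AEC00, 0x1AEC7C, 0x1AEC8C, 0x1AEC98, 0x1AECA4, 0x1AED20, 0x1AED54, 0x1AEDF0,
    0x1AEE04, 0x1AEE70, 0x1AEE98, 0x1AEEE4, 0x1AEEF4, 0x1AEF14, 0x1AEFE4, 0x1AF084,
    0x1AF174, 0x1AF19C, 0x1AF1AC, 0x1AF1D4, 0x1AF20C,
]

def simulated_game(nopped):
    """Stand-in for 'try it in the game' (hypothetical model, not the game itself).
    Returns the set of effects observed with the given sites patched to nop, using
    what the post reports: 0x001AEEE4 empties the class-select screen and forces a
    restart, which hides everything else; 0x001AF174 skips the approval vote."""
    if 0x1AEEE4 in nopped:
        return {"empty-class-screen"}
    return {"vote-skipped"} if 0x1AF174 in nopped else set()

def bisect_site(candidates, effect, observe):
    """Find the one site among candidates responsible for effect, assuming the caller
    already saw the effect with all of them patched and that exactly one site causes it.
    Patch the first half; if the effect shows, keep that half, otherwise keep the other
    half without testing it (that is the assumption doing the work). Returns (site, tries)."""
    remaining = list(candidates)
    tries = 0
    while len(remaining) > 1:
        half = remaining[: len(remaining) // 2]
        tries += 1
        remaining = half if effect in observe(set(half)) else remaining[len(half):]
    return remaining[0], tries

def find_responsible_sites(candidates, observe, max_rounds=8):
    """Patch everything, attribute whichever effect is visible, exclude that site and
    repeat, as the post does once the crash site was known. Returns {effect: (site, tries)}."""
    found, remaining = {}, list(candidates)
    for _ in range(max_rounds):
        visible = observe(set(remaining)) - set(found)
        if not visible:
            break
        effect = sorted(visible)[0]
        site, tries = bisect_site(remaining, effect, observe)
        found[effect] = (site, tries)
        remaining = [c for c in remaining if c != site]
    return found

if __name__ == "__main__":
    for effect, (site, tries) in find_responsible_sites(CALL_SITES, simulated_game).items():
        print(f"{effect}: 0x{site:08X} after {tries} halvings")
```

The untested-half shortcut is what keeps the try count low, and it is also where this goes wrong when two sites contribute to the same effect; if a half that "should" contain the culprit stops showing it, re-test the other half rather than trusting the assumption.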

Disgaea 3 - All Skills At Level 99

Disgaea 3 - Skill Boost Level Modifier

Disgaea 3 - Skill Modifier

With these, I had an easier time since I had found the code to control enemies. I had that code on, so there was a big chunk of code for the enemies that wasn't being used by anything and that I could write over. The stuff in that area uses the same offsets where the character data is, and that area of code activates when you select something. I now have this big chunk of code to erase and use however I want to:

00145E1C: 60000000 nop Everything starting here...

00145E20: 48000058 b 0x145e78

00145E24: 38600001 li r3,1

00145E28: 4BF3DAF5 bl 0x8391c

00145E2C: 60000000 nop

00145E30: 8122B394 lwz r9,-19564(r2)

00145E34: 80890000 lwz r4,0(r9)

00145E38: 7C8407B4 extsw r4,r4

00145E3C: 8122B1A8 lwz r9,-20056(r2)

00145E40: 90890000 stw r4,0(r9)

00145E44: 1C840498 mulli r4,r4,1176

00145E48: 8002B028 lwz r0,-20440(r2)

00145E4C: 7C840214 add r4,r4,r0

00145E50: 8062B014 lwz r3,-20460(r2)

00145E54: 78840020 rldicl r4,r4,0,1

00145E58: 38A00000 li r5,0

00145E5C: 4BF6CF89 bl 0xb2de4

00145E60: 60000000 nop

00145E64: 38600016 li r3,22

00145E68: 4BFBA93D bl 0x1007a4

00145E6C: 38600002 li r3,2

00145E70: 4BFB0501 bl 0xf6370

00145E74: 60000000 nop ...Up to this line can be erased and used in any way I need to.

00145E78: 8122B1BC lwz r9,-20036(r2)

So I first start by erasing it all:

00145E1C: 60000000 nop

00145E20: 60000000 nop

00145E24: 60000000 nop

00145E28: 60000000 nop

00145E2C: 60000000 nop

00145E30: 60000000 nop

00145E34: 60000000 nop

00145E38: 60000000 nop

00145E3C: 60000000 nop

00145E40: 60000000 nop

00145E44: 60000000 nop

00145E48: 60000000 nop

00145E4C: 60000000 nop

00145E50: 60000000 nop

00145E54: 60000000 nop

00145E58: 60000000 nop

00145E5C: 60000000 nop

00145E60: 60000000 nop

00145E64: 60000000 nop

00145E68: 60000000 nop

00145E6C: 60000000 nop

00145E70: 60000000 nop

00145E74: 60000000 nop

00145E78: 8122B1BC lwz r9,-20036(r2)

I now need to get those correct offsets so I can write to the correct area for character data. From before, when I found the code that gave me unlimited movement and action, I learned the offsets I needed. I kind of took a guess in thinking it was register $r29, and I was right. Next I need to find at least 2 registers I can use that won't mess anything up. To do that, I check after this area for load operations and "li" operations. I see these 1st few:

00145E78: 8122B1BC lwz r9,-20036(r2)

00145E7C: 80690000 lwz r3,0(r9)

00145E80: 7C6307B4 extsw r3,r3

00145E84: 38800000 li r4,0

00145E88: 4BFB0A01 bl 0xf6888

The next few lines before the "bl" use registers $r3, $r4, and $r9. I now have 3 registers I can use. I can now make the 1st 3 lines that get the offsets and make a value to apply:

00145E1C: 807D0000 lwz r3,0(r29)

00145E20: 80830074 lwz r4,116(r3)

00145E24: 3809???? li r9,whatever value I want

00145E28: 60000000 nop

00145E2C: 60000000 nop

00145E30: 60000000 nop

00145E34: 60000000 nop

00145E38: 60000000 nop

00145E3C: 60000000 nop

00145E40: 60000000 nop

00145E44: 60000000 nop

00145E48: 60000000 nop

00145E4C: 60000000 nop

00145E50: 60000000 nop

00145E54: 60000000 nop

00145E58: 60000000 nop

00145E5C: 60000000 nop

00145E60: 60000000 nop

00145E64: 60000000 nop

00145E68: 60000000 nop

00145E6C: 60000000 nop

00145E70: 60000000 nop

00145E74: 60000000 nop

With this, I'm good to go. From that, I did this:

00145E1C: 807D0000 lwz r3,0(r29)

00145E20: 80830074 lwz r4,116(r3)

00145E24: 38090000 li r9,0

00145E28: F92409B0 std r9,2480(r4)

00145E2C: F92409B8 std r9,2488(r4)

00145E30: F92409A0 std r9,2464(r4)

00145E34: F92409A8 std r9,2472(r4)

00145E38: F9240990 std r9,2448(r4)

00145E3C: F9240998 std r9,2456(r4)

00145E40: F9240980 std r9,2432(r4)

00145E44: F9240988 std r9,2440(r4)

00145E48: F9240970 std r9,2416(r4)

00145E4C: F9240978 std r9,2424(r4)

00145E50: F9240960 std r9,2400(r4)

00145E54: F9240968 std r9,2408(r4)

00145E58: F9240950 std r9,2384(r4)

00145E5C: F9240958 std r9,2392(r4)

00145E60: F9240940 std r9,2368(r4)

00145E64: F9240948 std r9,2376(r4)

00145E68: F9240930 std r9,2352(r4)

00145E6C: F9240938 std r9,2360(r4)

00145E70: F9240920 std r9,2336(r4)

00145E74: F9240928 std r9,2344(r4)

Any character I select while playing will run this code, and set a bunch of its data to 0. I don't remember what that exact set of stuff did, but I eventually made my way down to offsets $0898, $08A0, and $08A8. I went into my skills and noticed my skill levels were set to 0. I checked it a little, and they actually started at offset $089C, and each skill's level is 1 byte of data. I then kept going down until I got to offsets $07D8 to $0800. When I messed with those, the game froze when I tried checking a unit's special moves. I wasn't sure what it had to do with skills. I then tried copying the data to itself:

00145E1C: 807D0000 lwz r3,0(r29)

00145E20: 80830074 lwz r4,116(r3)

00145E24: 812407E0 lwz r9,2016(r4)

00145E28: 912407E4 stw r9,2020(r4)

00145E2C: 60000000 nop

00145E30: 60000000 nop

00145E34: 60000000 nop

00145E38: 60000000 nop

00145E3C: 60000000 nop

00145E40: 60000000 nop

00145E44: 60000000 nop

00145E48: 60000000 nop

00145E4C: 60000000 nop

00145E50: 60000000 nop

00145E54: 60000000 nop

00145E58: 60000000 nop

00145E5C: 60000000 nop

00145E60: 60000000 nop

00145E64: 60000000 nop

00145E68: 60000000 nop

00145E6C: 60000000 nop

00145E70: 60000000 nop

00145E74: 60000000 nop

I then checked my special skills, and I noticed my 5th and 6th ones were replaced with the 3rd and 4th skills. I had 2 of the same 2 skills. I tried those skills, and they worked perfectly. I checked other units, and it was the same with them. That means each skill is 2 bytes, and they actually start at offset $089C. I then needed a way to figure out what the digits were. It took a moment of thinking, and then I thought I could just replace a unit's HP & SP with the skill digits, type them on my computer in the calculator, and have them converted to hexadecimal to see what they were. I started doing that and it worked perfectly:

00145E1C: 807D0000 lwz r3,0(r29) Offset where some character data is at.

00145E20: 80830074 lwz r4,116(r3) Offset where the more useful character data is at.

00145E24: E92407DC ld r9,2012(r4) Loading the first 4 skills of a unit.

00145E28: F92409C0 std r9,2496(r4) Storing the first 4 skills as the unit's current HP.

00145E2C: 812407E4 lwz r9,2020(r4) Loading skills 5 & 6.

00145E30: 912409D0 stw r9,2512(r4) Storing skills 5 & 6 as the unit's HP capacity.

00145E34: E92407E8 ld r9,2024(r4) Loading skills 6, 7, 8, & 9.

00145E38: F92409C8 std r9,2504(r4) Storing skills 6, 7, 8, & 9 as the unit's current SP.

00145E3C: 812407F0 lwz r9,2032(r4) Loading skills 10 & 11.

00145E40: 912409D8 stw r9,2520(r4) Storing skills 10 & 11 as the unit's SP capacity.

00145E44: 60000000 nop

00145E48: 60000000 nop

00145E4C: 60000000 nop

00145E50: 60000000 nop

00145E54: 60000000 nop

00145E58: 60000000 nop

00145E5C: 60000000 nop

00145E60: 60000000 nop

00145E64: 60000000 nop

00145E68: 60000000 nop

00145E6C: 60000000 nop

00145E70: 60000000 nop

00145E74: 60000000 nop

It worked great. If you are wondering why I only used the HP & SP capacities to check 2 skills instead of 4, it's because it moved everything too far to the left on the screen causing me to not be able to see all of the numbers. I actually could have had these also store results to ATK, DEF, INT, RES, HIT, and SPD, since they were also 8 bytes and immediately after the SP capacity, but for some reason the game wasn't doing it correctly. Once I was done with that, I didn't have what I needed to add skills yet for some reason. I was assuming that if I added more digits after my skills, I would get new skills. That didn't work, so something must have been setting how many skills I have. So I kept going down further in the offsets, and when I got to the offsets from $0658 to $0680, I noticed the EXP of my skills was reduced to 0. I checked that and it was a value that was 4 bytes, and they started at offset $065C. I kept going further down, and didn't seem to have any luck. I then decided to start going up and eventually modified offset $0AC8. When I went to my skills, they were all gone. I then made the game read the value to me again:

00145E1C: 807D0000 lwz r3,0(r29)

00145E20: 80830074 lwz r4,116(r3)

00145E24: E9240AC8 ld r9,2760(r4)

00145E28: F92409C0 std r9,2496(r4)

00145E2C: 60000000 nop

00145E30: 60000000 nop

00145E34: 60000000 nop

00145E38: 60000000 nop

00145E3C: 60000000 nop

00145E40: 60000000 nop

00145E44: 60000000 nop

00145E48: 60000000 nop

00145E4C: 60000000 nop

00145E50: 60000000 nop

00145E54: 60000000 nop

00145E58: 60000000 nop

00145E5C: 60000000 nop

00145E60: 60000000 nop

00145E64: 60000000 nop

00145E68: 60000000 nop

00145E6C: 60000000 nop

00145E70: 60000000 nop

00145E74: 60000000 nop

When I used the calculator on my computer to convert my current HP value to hexadecimal for multiple units, I noticed 1 of the bytes was always the exact same amount of skills that unit had. It was the 1 byte at offset $0ACE. I messed with that and the other stuff for skills and I kept getting something that wasn't a skill when I tried adding skills. I didn't pursue it much more than that because after about a month of messing with this game, I just got sick of it. Instead I just kept going down in the offsets until I was at $0060. That removed the boost from my skills. The boost was only 1 byte for each skill. I thought having skills boosted was more useful than their levels going up, which didn't seem to do anything. I wasn't sure of how to search for stuff for skills, so I just started searching for instances of "089C" that were either load or addition operations. I ended up with these:

000682F8: 3929089C addi r9,r9,2204

00068778: 8809089C lbz r0,2204(r9)

000689EC: 3803089C addi r0,r3,2204

00069274: 3929089C addi r9,r9,2204

00069768: 381C089C addi r0,r28,2204

0006A0C4: 381C089C addi r0,r28,2204

0006A200: 381F089C addi r0,r31,2204

000A8304: 8809089C lbz r0,2204(r9)

000A912C: 381F089C addi r0,r31,2204

000ACD40: 8889089C lbz r4,2204(r9)

00106794: 380B089C addi r0,r11,2204

00107108: 381D089C addi r0,r29,2204

0013198C: 380B089C addi r0,r11,2204

This was different from searching for skills, because it's not like the game has individual functions for each skill slot. You won't see a game doing that, or its code would be insanely larger. For this game, you won't see individual code for offsets $089D, $089E, $089F, $08A0, and on and on like that. Games would require larger amounts of memory, or else they would have a lot less variety of things. So when I looked around these results, I noticed something interesting for some of them:

000682E8: 7D29F214 add r9,r9,r30

000682EC: 392907DC addi r9,r9,2012 Skill modifier offset.

000682F0: 79270020 rldicl r7,r9,0,1

000682F4: 7D2BF214 add r9,r11,r30

000682F8: 3929089C addi r9,r9,2204 Skill level modifier offset.

000682FC: 792A0020 rldicl r10,r9,0,1

00068300: 5569103A rlwinm r9,r11,2,0,29

00068304: 7D29F214 add r9,r9,r30

00068308: 3929065C addi r9,r9,1628 Skill EXP modifier offset.

0006830C: 79280020 rldicl r8,r9,0,1

00068740: 88030ACE lbz r0,2766(r3) Amount of skills offset.

00068744: 3B600000 li r27,0

00068748: 7C090774 extsb r9,r0

0006874C: 2C090000 cmpwi r9,0

00068750: 4081011C ble- 0x6886c

00068754: 380307DC addi r0,r3,2012 Skill modifier offset.

00068758: 781E0020 rldicl r30,r0,0,1

0006875C: 3B600000 li r27,0

00068760: 3B800000 li r28,0

00068764: 2E250000 cmpdi cr4,r5,0

00068768: 83229540 lwz r25,-27328(r2)

0006876C: 2DA40000 cmpdi cr3,r4,0

00068770: 7D3DE214 add r9,r29,r28

00068774: 79290020 rldicl r9,r9,0,1

00068778: 8809089C lbz r0,2204(r9) Skill level modifier offset.

0006877C: 7C000774 extsb r0,r0

000689DC: 88030ACE lbz r0,2766(r3) Amount of skills offset.

000689E0: 7C090774 extsb r9,r0

000689E4: 2C090000 cmpwi r9,0

000689E8: 4081012C ble- 0x68b14

000689EC: 3803089C addi r0,r3,2204 Skill level modifier offset.

000689F0: 781B0020 rldicl r27,r0,0,1

000689F4: 380307DC addi r0,r3,2012 Skill modifier offset.

000689F8: 781C0020 rldicl r28,r0,0,1

000689FC: 3803065C addi r0,r3,1628 Skill EXP modifier offset.

00068A00: 781E0020 rldicl r30,r0,0,1

00069244: 893F0ACE lbz r9,2766(r31) Amount of skills offset.

00069248: 7D290774 extsb r9,r9

0006924C: 3929FFFF subi r9,r9,1

00069250: 7F893000 cmpw cr7,r9,r6

00069254: 409D00FC ble- cr7,0x69350

00069258: 39660001 addi r11,r6,1

0006925C: 7D6B07B4 extsw r11,r11

00069260: 5569083C rlwinm r9,r11,1,0,30

00069264: 7D29FA14 add r9,r9,r31

00069268: 392907DC addi r9,r9,2012 Skill modifier offset.

0006926C: 79270020 rldicl r7,r9,0,1

00069270: 7D2BFA14 add r9,r11,r31

00069274: 3929089C addi r9,r9,2204 Skill level modifier offset.

00069278: 792A0020 rldicl r10,r9,0,1

0006927C: 5569103A rlwinm r9,r11,2,0,29

00069280: 7D29FA14 add r9,r9,r31

00069284: 3929065C addi r9,r9,1628 Skill EXP modifier offset.

00069288: 79280020 rldicl r8,r9,0,1

00069748: 881C0ACE lbz r0,2766(r28) Amount of skills offset.

0006974C: 7C090774 extsb r9,r0

00069750: 2C090000 cmpwi r9,0

00069754: 40810BFC ble- 0x6a350

00069758: 381C07DC addi r0,r28,2012 Skill modifier offset.

0006975C: 781E0020 rldicl r30,r0,0,1

00069760: 381C065C addi r0,r28,1628 Skill EXP modifier offset.

00069764: 781A0020 rldicl r26,r0,0,1

00069768: 381C089C addi r0,r28,2204 Skill level modifier offset.

0006976C: 781B0020 rldicl r27,r0,0,1

0006A0A4: 881C0ACE lbz r0,2766(r28) Amount of skills offset.

0006A0A8: 7C090774 extsb r9,r0

0006A0AC: 2C090000 cmpwi r9,0

0006A0B0: 408102A0 ble- 0x6a350

0006A0B4: 381C07DC addi r0,r28,2012 Skill modifier offset.

0006A0B8: 781E0020 rldicl r30,r0,0,1

0006A0BC: 381C065C addi r0,r28,1628 Skill EXP modifier offset.

0006A0C0: 781A0020 rldicl r26,r0,0,1

0006A0C4: 381C089C addi r0,r28,2204 Skill level modifier offset.

0006A0C8: 781B0020 rldicl r27,r0,0,1

0006A1D0: 881C0ACE lbz r0,2766(r28) Amount of skills offset.

0006A1D4: 7C000774 extsb r0,r0

0006A1D8: 7F80C800 cmpw cr7,r0,r25

0006A1DC: 409D0174 ble- cr7,0x6a350

0006A1E0: 4BFFFEF0 b 0x6a0d0

0006A1E4: 7FE3FB78 mr r3,r31

0006A1E8: A0880078 lhz r4,120(r8)

0006A1EC: 38A00001 li r5,1

0006A1F0: 4BFFDF05 bl 0x680f4

0006A1F4: 4BFFF480 b 0x69674

0006A1F8: 813F065C lwz r9,1628(r31) Skill EXP modifier offset.

0006A1FC: 38C00000 li r6,0

0006A200: 381F089C addi r0,r31,2204 Skill level modifier offset.

0006A204: 780A0020 rldicl r10,r0,0,1

0006A208: 381F0660 addi r0,r31,1632

0006A20C: 78080020 rldicl r8,r0,0,1

0006A210: 39600000 li r11,0

0006A214: 2F890000 cmpwi cr7,r9,0

0006A218: 409EF1A0 bne+ cr7,0x693b8

0006A21C: 4BFFF028 b 0x69244

0006A220: 881F0ACE lbz r0,2766(r31) Amount of skills offset.

0006A224: 7C090774 extsb r9,r0

0006A228: 2F890000 cmpwi cr7,r9,0

0006A22C: 409DFF84 ble+ cr7,0x6a1b0

0006A230: A01E0000 lhz r0,0(r30)

0006A234: 7C080734 extsh r8,r0

0006A238: A01F07DC lhz r0,2012(r31) Skill modifier offset.

000A9118: 881F0ACE lbz r0,2766(r31) Amount of skills offset.

000A911C: 7C090774 extsb r9,r0

000A9120: 3AC00000 li r22,0

000A9124: 2F890000 cmpwi cr7,r9,0

000A9128: 409DF17C ble+ cr7,0xa82a4

000A912C: 381F089C addi r0,r31,2204 Skill level modifier offset.

000A9130: 780A0020 rldicl r10,r0,0,1

000A9134: 381F07DC addi r0,r31,2012 Skill modifier offset.

000A9138: 78080020 rldicl r8,r0,0,1

00106774: 880B0ACE lbz r0,2766(r11) Amount of skills offset.

00106778: 7C090774 extsb r9,r0

0010677C: 2F890000 cmpwi cr7,r9,0

00106780: 409DFCF8 ble+ cr7,0x106478

00106784: A01E01E0 lhz r0,480(r30)

00106788: 7C070734 extsh r7,r0

0010678C: 380B07DC addi r0,r11,2012 Skill modifier offset.

00106790: 78080020 rldicl r8,r0,0,1

00106794: 380B089C addi r0,r11,2204 Skill level modifier offset.

00106798: 780A0020 rldicl r10,r0,0,1

001070F0: 881D0ACE lbz r0,2766(r29) Amount of skills offset.

001070F4: 7C070774 extsb r7,r0

001070F8: 2C070000 cmpwi r7,0

001070FC: 40810084 ble- 0x107180

00107100: 381D07DC addi r0,r29,2012 Skill modifier offset.

00107104: 781C0020 rldicl r28,r0,0,1

00107108: 381D089C addi r0,r29,2204 Skill level modifier offset.

0010710C: 781F0020 rldicl r31,r0,0,1

00107110: 381D065C addi r0,r29,1628 Skill EXP modifier offset.

00107114: 781E0020 rldicl r30,r0,0,1

00131964: 880B0ACE lbz r0,2766(r11) Amount of skills offset.

00131968: 7C070774 extsb r7,r0

0013196C: 2F870000 cmpwi cr7,r7,0

00131970: 409D0088 ble- cr7,0x1319f8

00131974: 8122BA20 lwz r9,-17888(r2)

00131978: 81290000 lwz r9,0(r9)

0013197C: A00901E0 lhz r0,480(r9)

00131980: 7C060734 extsh r6,r0

00131984: 380B07DC addi r0,r11,2012 Skill modifier offset.

00131988: 780A0020 rldicl r10,r0,0,1

0013198C: 380B089C addi r0,r11,2204 Skill level modifier offset.

00131990: 780B0020 rldicl r11,r0,0,1

These are the offsets I know of:

$0ACE = 1 byte = How many skills a unit has.

$089C = 1 byte = A skill's level.

$07DC = 2 bytes = Which skill a skill is.

$065C = 4 bytes = A skill's EXP.

It can't be a coincidence that all of these are close by each other in the functions. I have no idea what "rldicl" operations do, but I was guessing they were being used to pick which exact skill to modify using the byte from offset $0ACE. I then ended up looking for store operations that write to the registers those "rldicl" made, and creating values the line before them to see what happens. I went on that assumption and looked around for all instances of "stb" in the functions that had those parts above. I kept doing that with no results until I got to the function from address 0x000689AC to 0x00068B54:

000689DC: 88030ACE lbz r0,2766(r3)

000689E0: 7C090774 extsb r9,r0

000689E4: 2C090000 cmpwi r9,0

000689E8: 4081012C ble- 0x68b14

000689EC: 3803089C addi r0,r3,2204 This has the offset for skill level.

000689F0: 781B0020 rldicl r27,r0,0,1 I'm guessing $r27 is the exact skill level address.

000689F4: 380307DC addi r0,r3,2012 This has the offset for which skill a skill is.

000689F8: 781C0020 rldicl r28,r0,0,1 I'm guessing $r28 is the exact skill address.

000689FC: 3803065C addi r0,r3,1628 This has the offset for skill EXP.

00068A00: 781E0020 rldicl r30,r0,0,1 I'm guessing $r30 is the exact skill EXP address.

00068A04: 3B200000 li r25,0

00068A08: 3B00FFFF li r24,-1

00068A0C: 7F7FDB78 mr r31,r27 $r27 is copied to register $r31.

00068A10: 881B0000 lbz r0,0(r27)

00068A14: 7C050774 extsb r5,r0

00068A18: 2F85FFFF cmpwi cr7,r5,-1

00068A1C: 409E0100 bne- cr7,0x68b1c

00068A20: 480000A0 b 0x68ac0

00068A24: 38000063 li r0,99 Skill levels max out at 99, so this might be the limit.

00068A28: 981F0000 stb r0,0(r31) 99 is stored to the skill's level.

00068A2C: A09C0000 lhz r4,0(r28) Loading which skill a skill is.

00068A30: 7F43D378 mr r3,r26

00068A34: 7C840734 extsh r4,r4

00068A38: 38A00063 li r5,99

00068A3C: 48022389 bl 0x8adc4 I'm guessing this takes which skill a skill is and its skill level to determine the max amount of EXP a maxed-out skill has.

00068A40: 60000000 nop

00068A44: 907E0000 stw r3,0(r30) Storing a skill's EXP amount.

I needed to figure out which branches went to address 0x00068A24. There were 2 results:

00068A94: 2F850062 cmpwi cr7,r5,98

00068A98: 419DFF8C bgt+ cr7,0x68a24

00068B1C: 2F850062 cmpwi cr7,r5,98

00068B20: 419DFF04 bgt+ cr7,0x68a24

I changed them this way so they will always branch there:

00068A94: 2F850000 cmpwi cr7,r5,0

00068A98: 419DFF8C bgt+ cr7,0x68a24

00068B1C: 2F850000 cmpwi cr7,r5,0

00068B20: 419DFF04 bgt+ cr7,0x68a24

When I did that, I went into battle and my skills were at level 99. That meant this was the function to use. Out of curiosity I looked for other things within that function that looked like limits, so I searched for instances of "cmpwi":

00068AB0: 2F800009 cmpwi cr7,r0,9

I saw that and then wanted to see what went to it and see if a limit was enforced:

00068A9C: 4BFFFFB0 b 0x68a4c

00068AA0: 381F0060 addi r0,r31,96

00068AA4: 78090020 rldicl r9,r0,0,1

00068AA8: 88090000 lbz r0,0(r9) Something is loaded into register $r0.

00068AAC: 7C000774 extsb r0,r0 Nothing important.

00068AB0: 2F800009 cmpwi cr7,r0,9 Register $r0 is compared to 9.

00068AB4: 409D000C ble- cr7,0x68ac0 If register $r0 is less than or equal to 9, skip the next 2 lines.

00068AB8: 38000009 li r0,9 $r0 was greater than 9, and now $r0 is 9.

00068ABC: 98090000 stb r0,0(r9) 9 is stored at offset $0000 of register $r9, whatever that is.

I checked to see what jumps to this area:

00068A6C: 7F83E840 cmplw cr7,r3,r29

00068A70: 419D0030 bgt- cr7,0x68aa0

I was just going to force that branch to go there. I see other unconditional forced branches always start with "4800". So that's how I changed this:

00068A6C: 7F83E840 cmplw cr7,r3,r29

00068A70: 48000030 b 0x68aa0

And to make the limit work, I need to cancel the branch that does the check:

00068A9C: 4BFFFFB0 b 0x68a4c

00068AA0: 381F0060 addi r0,r31,96

00068AA4: 78090020 rldicl r9,r0,0,1

00068AA8: 88090000 lbz r0,0(r9)

00068AAC: 7C000774 extsb r0,r0

00068AB0: 2F800009 cmpwi cr7,r0,9

00068AB4: 60000000 nop No branch means the limit doesn't check if the thing is greater than 9, it just sets it to 9 now.

00068AB8: 38000009 li r0,9

00068ABC: 98090000 stb r0,0(r9)

I tried that, went into battle, checked my skills, and they were all boosted to +9. That's how I found that by accident, but I was also wondering at which offset is that boost amount located, so I looked for what makes register $r9. I chopped this up a bit:

000689EC: 3803089C addi r0,r3,2204 This has the offset for a skill's level.

000689F0: 781B0020 rldicl r27,r0,0,1 This is the exact address of a skill's level.

00068A0C: 7F7FDB78 mr r31,r27 $r31 is now also the exact address of a skill's level.

00068AA0: 381F0060 addi r0,r31,96 The exact address of a skill's level + $0060.

00068AA4: 78090020 rldicl r9,r0,0,1 This is the exact address of a skill's boost amount.

00068AA8: 88090000 lbz r0,0(r9)

00068ABC: 98090000 stb r0,0(r9)

Going by that, the boost for skills should probably start at $08FC. I'm too lazy to check though, I'm happy having them boosted to max. I could probably find an easy way of giving characters certain skills by looking for what adds to the byte at offset $0ACE, but I don't want to do anything with this game anymore. I've been doing stuff with it for about a month.
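The "forced branches start with 4800" observation, the bl targets listed above and the rldicl lines all follow from how the PPU packs instruction fields into each 32-bit word. Here is a small decoder and encoder for exactly the instruction forms that appear in these listings. It is an added example, not the poster's tool; the names `decode`, `encode_branch`, `encode_li`, `branch_target` and `check_listing` are mine, and `SAMPLE` is constructed from lines on this page. It reads a word the way the hardware does: addi with RA = 0 is li (with RA nonzero the destination is RT, not RA), a D-form displacement is the low 16 bits taken as signed, a branch word holds a signed displacement from its own address (which is why a `b` to a nearby higher address encodes as 4800xxxx and a `bl` backwards as 4Bxxxxxx), and the MD-form rldicl stores its 6-bit mb field split with the high bit last. Decoded that way, the words shown above as `rldicl rX,rY,0,1` are `rldicl rX,rY,0,32` (clrldi 32): they zero the upper 32 bits of a 64-bit register, turning a 32-bit offset into an address the 64-bit PPU can dereference, which is why each one sits right after an addi that built an offset. Running `check_listing` over a listing before patching catches a mnemonic that does not agree with its hex.

```python
import re

def bits(word, start, end):
    """Bits start..end of a 32-bit word, numbered the PowerPC way (bit 0 is the MSB)."""
    return (word >> (31 - end)) & ((1 << (end - start + 1)) - 1)

def sext(value, width):
    """Read a width-bit field as two's complement."""
    return value - (1 << width) if value & (1 << (width - 1)) else value

D_FORM = {32: "lwz", 34: "lbz", 36: "stw", 38: "stb", 40: "lhz", 44: "sth"}  # opcode -> mnemonic
DS_FORM = {(58, 0): "ld", (62, 0): "std"}  # (opcode, XO) -> 64-bit load/store
# (BO with the hint bit cleared, CR bit within the field) -> conditional branch mnemonic
COND = {(12, 0): "blt", (12, 1): "bgt", (12, 2): "beq", (4, 0): "bge", (4, 1): "ble", (4, 2): "bne"}
NOP = 0x60000000  # ori r0,r0,0: the word written over every removed instruction above

def branch_target(addr, word):
    """Absolute target of a b/bl (I-form) or conditional (B-form) branch located at addr."""
    op, aa = bits(word, 0, 5), bits(word, 30, 30)
    if op == 18:
        disp = sext(bits(word, 6, 29) << 2, 26)
    elif op == 16:
        disp = sext(bits(word, 16, 29) << 2, 16)
    else:
        raise ValueError("not a branch: %08X" % word)
    return (disp if aa else addr + disp) & 0xFFFFFFFF

def encode_branch(addr, target, link=False):
    """Relative b (or bl with link=True) at addr to target."""
    disp = target - addr
    if disp & 3 or not -(1 << 25) <= disp < (1 << 25):
        raise ValueError("target unaligned or outside the 26-bit displacement range")
    return (18 << 26) | (disp & 0x03FFFFFC) | int(link)

def encode_li(rt, imm):
    """li rT,imm is addi rT,r0,imm: opcode 14, RA = 0, 16-bit signed immediate."""
    return (14 << 26) | (rt << 21) | (imm & 0xFFFF)

def cr(field):
    return "" if field == 0 else f"cr{field},"  # disassemblers leave cr0 implicit

def decode(word, addr=0):
    """Mnemonic and operands of word at addr, for the instruction forms in the listings."""
    op, rt, ra = bits(word, 0, 5), bits(word, 6, 10), bits(word, 11, 15)
    simm = sext(bits(word, 16, 31), 16)
    if word == NOP:
        return "nop"
    if op == 14:  # addi; RA = 0 means "plus nothing", which assemblers write as li
        return f"li r{rt},{simm}" if ra == 0 else f"addi r{rt},r{ra},{simm}"
    if op in D_FORM:
        return f"{D_FORM[op]} r{rt},{simm}(r{ra})"
    if (op, bits(word, 30, 31)) in DS_FORM:  # ld/std keep a 14-bit word-aligned displacement
        return f"{DS_FORM[(op, bits(word, 30, 31))]} r{rt},{sext(bits(word, 16, 29) << 2, 16)}(r{ra})"
    if op == 11:  # cmpwi crF,rA,simm (CR field in bits 6-8)
        return f"cmpwi {cr(bits(word, 6, 8))}r{ra},{simm}"
    if op == 18:
        return f"{'bl' if word & 1 else 'b'} 0x{branch_target(addr, word):x}"
    if op == 16:  # BO sits in the RT slot, BI in the RA slot
        target = f"0x{branch_target(addr, word):x}"
        name = COND.get((rt & 0x1E, ra & 3))
        return f"{name} {cr(ra >> 2)}{target}" if name else f"bc {rt},{ra},{target}"
    if op == 30 and bits(word, 27, 29) == 0:  # rldicl rA,rS,sh,mb (MD-form, rS in the RT slot)
        sh = bits(word, 16, 20) | (bits(word, 30, 30) << 5)
        mb = (bits(word, 26, 26) << 5) | bits(word, 21, 25)  # 6-bit field stored split, high bit last
        return f"rldicl r{ra},r{rt},{sh},{mb}"
    return f".long 0x{word:08X}"  # anything else is outside this decoder

LINE = re.compile(r"^([0-9A-Fa-f]{8}):?\s+([0-9A-Fa-f]{8})\s+(.*)$")

def check_listing(text):
    """Parse 'ADDR: WORD mnemonic operands comment' lines, the layout used in the post,
    and return (addr, listed, decoded) for each line whose text disagrees with its word."""
    bad = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m or not m.group(3).split():
            continue
        addr, word, rest = int(m.group(1), 16), int(m.group(2), 16), m.group(3).split()
        decoded = decode(word, addr)
        rest[0] = rest[0].rstrip("+-")  # drop the static branch-prediction hint suffix
        listed = " ".join(rest[:len(decoded.split())]).lower()
        if listed != decoded.lower():
            bad.append((addr, listed, decoded))
    return bad

# Constructed sample in the post's format, taken from lines above.
SAMPLE = """\
001AF11C: 2F800003 cmpwi cr7,r0,3 Don't know.
001AF120: 409D0030 ble- cr7,0x1af150 Doesn't branch to 0x001AF16C.
001AF174: 4BFE6EE5 bl 0x196058
00145E24: E92407DC ld r9,2012(r4) Loading the first 4 skills of a unit.
00068A70: 48000030 b 0x68aa0
000682F0: 79270020 rldicl r7,r9,0,1
00145E74: 60000000 nop ...Up to this line can be erased.
"""

if __name__ == "__main__":
    for addr, listed, decoded in check_listing(SAMPLE):
        print(f"{addr:08X}: listed '{listed}' but the word decodes as '{decoded}'")
```

Run as a script it reports only the rldicl line of the sample. `encode_branch` refuses targets that are unaligned or farther than the 26-bit displacement reaches, and `encode_li` gives the word for a literal in any register, so both replace the guess-the-hex step for forced jumps and for the "li" values searched for at the top of this section.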

Resistance 1 - Rapid Fire Tank Cannon

00328558 C01E800C

I found it by accident while trying to find infinite grenades. I was looking at Hyper2k's codes for unlimited ammo, and they were all near each other:

00329264 - Reserve Ammo Doesn't Decrease From Reloading.

00329B00 - Primary Fire Doesn't Decrease Ammo In Clip.

00329BF0 - Secondary Fire Doesn't Decrease Ammo In Clip.

Reserve Ammo:

0032925C: 40920010 bne- cr4,0x32926c - Some branch I'm assuming determines whether you reloaded your weapon or not.

00329260: A01D03BE lhz r0,958(r29) - 2 bytes loaded from offset 03BE of some address.

00329264: 7C1F0050 sub r0,r0,r31 - The line hyper2k removed so subtraction didn't occur.

00329268: B01D03BE sth r0,958(r29) - The line that stores the new value that was subtracted from the total.

Primary Ammo In The Weapon:

00329AFC: 80010074 lwz r0,116(r1) - 4 bytes are loaded from offset 0074 of an address.

00329B00: 7C004850 sub r0,r9,r0 - The line hyper2k removed so nothing was decreased.

00329B04: 7C000734 extsh r0,r0 - Those 4 bytes are decreased to 2 bytes.

00329B08: B01F03BC sth r0,956(r31) - The new decreased value saved at offset

Secondary Ammo In Weapon:

00329BEC: 8001FFE4 lwz r0,-28(r1) - 4 bytes are loaded from offset FFE4 of the stack.

00329BF0: 7C004850 sub r0,r9,r0 - The line hyper2k deleted that normally subtracts something from those 4 bytes.

00329BF4: 7C000734 extsh r0,r0 - The result is sign-extended from its low 16 bits, i.e. it is treated as a signed 2-byte value before being compared and stored.

00329BF8: 2F800000 cmpwi cr7,r0,0 - A comparison being done to see if your ammo is empty.

00329BFC: B00303C0 sth r0,960(r3) - Storing the new amount of secondary ammo in the weapon at offset 03C0 of a different address.

From those, I decided to search for instances of "sub" above and below them since when you throw a grenade you subtract 1 from your amount. I also checked to see if the register that was subtracted from also had a store operation within the next few lines after it. I did that and ended up with these store operations:

0032855C: D0030364 stfs f0,868(r3)

00329268: B01D03BE sth r0,958(r29)

003292D4: B00303BE sth r0,958(r3)

003294D0: B01D03C2 sth r0,962(r29)

003297FC: 90050000 stw r0,0(r5)

00329850: 90850000 stw r4,0(r5)

00329884: 90050000 stw r0,0(r5)

I just stopped there for the moment. I "NOP"ed all of those lines:

0032855C: 60000000 nop

00329268: 60000000 nop

003292D4: 60000000 nop

003294D0: 60000000 nop

003297FC: 60000000 nop

00329850: 60000000 nop

00329884: 60000000 nop

I played the game, threw a grenade on the ground and let it explode next to me. My grenades decreased and so did my health, so I failed. I just figured, since I'm right next to a tank, I'd kill a few enemies. I still took damage. I fired the cannon and the meter didn't refill, so I couldn't use it. I switched to the other seat and it only fired 1 bullet, then the meter kept increasing on its own, then went back down, and went back up; it just kept doing that.

The first instinct when you see a meter instead of specific numbers is that it's a float. Only 1 of those 7 stored a float:

0032855C: D0030364 stfs f0,868(r3)

So I tried only that:

0032855C: 60000000 nop

Same effects. I figure since it's messing with the cannon and gun's ability to fire more than 1 shot, there must be a branch that tells the game whether you are still able to fire. So I look at the tiny function:

00328530: 83C288C8 lwz r30,-30520(r2)

00328534: C1830364 lfs f12,868(r3)

00328538: C01E800C lfs f0,-32756(r30)

0032853C: FF8C0000 fcmpu cr7,f12,f0

00328540: 409D0020 ble- cr7,0x328560

00328544: 817E8024 lwz r11,-32732(r30)

00328548: 81230024 lwz r9,36(r3)

0032854C: C1AB0004 lfs f13,4(r11)

00328550: C00900D0 lfs f0,208(r9)

00328554: EC000372 fmuls f0,f0,f13

00328558: EC0C0028 fsubs f0,f12,f0

0032855C: D0030364 stfs f0,868(r3)

That in my brain translates to: "If f12 is less than or equal to f0, skip the entire function". Taking a glance, f12 is from the same place f0 gets stored at. So I copied this:

C1830364 lfs f12,868(r3)

I copied that to the address just before it gets stored. I play and have rapid fire tank cannons, with no effect on the gun. Code found.

Resistance 1 - Health Never Decreases

0028EF08 60000000

Resistance 1 - Grenades Never Decrease

00296F10 60000000

These were found by guessing and checking instances of "0008 ble". So I find all of them from address 00100000 to 00500000.
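Both the by-hand decoding of the tank cannon function above and this "0008 ble" hunt can be scripted. The following is an added example and not the author's tooling: it renders the instruction forms that appear in these listings (conditional branches, D-form loads and stores, addi, nop) in the same "ADDR: WORD mnemonic" shape the page uses, then scans a big-endian code dump for conditional branches that skip only a few instructions, in the page's search order, and prints the 60000000 patch line for each. The dump it scans (SAMPLE_WORDS) is constructed for the example and is not game code; the "-"/"+" suffix follows the static branch hint bit the way the page's disassembler shows it.

```python
"""Tiny PowerPC decoder and short-branch scanner (added example).

Not the author's tooling. Reproduces the "ADDR: WORD mnemonic" listing format
used on this page for the instruction forms that appear in the listings and
automates the "0008 ble" / "000C bge" ... search: scan a big-endian code dump
for conditional branches that skip only a few instructions and emit a
60000000 NOP patch line for each. SAMPLE_WORDS is a constructed dump.
"""
import struct

# D-form opcodes seen in the listings: primary opcode -> (mnemonic, float regs?)
D_FORM = {
    32: ("lwz", False), 34: ("lbz", False), 36: ("stw", False),
    38: ("stb", False), 40: ("lhz", False), 44: ("sth", False),
    48: ("lfs", True), 52: ("stfs", True),
}
TRUE_NAMES = {0: "lt", 1: "gt", 2: "eq", 3: "so"}    # BO=0b0110y: branch if CR bit set
FALSE_NAMES = {0: "ge", 1: "le", 2: "ne", 3: "ns"}   # BO=0b0010y: branch if CR bit clear


def sext16(v):
    """Sign-extend a 16-bit field."""
    return v - 0x10000 if v & 0x8000 else v


def decode_bc(addr, word):
    """Decode a relative, no-link B-form branch (primary opcode 16).

    Returns (mnemonic, cr_field, target, displacement), or None for the BO
    encodings (bdnz and friends) and AA/LK forms the listings never use.
    """
    bo = (word >> 21) & 0x1F
    bi = (word >> 16) & 0x1F
    if word & 0x3:                          # AA or LK set
        return None
    disp = sext16(word & 0xFFFC)            # BD field, already a byte offset
    cr, bit = divmod(bi, 4)
    if bo & 0x1E == 0x04:
        name = "b" + FALSE_NAMES[bit]
    elif bo & 0x1E == 0x0C:
        name = "b" + TRUE_NAMES[bit]
    else:
        return None
    # Static hint (y bit of BO): a forward branch with y=0 is predicted
    # not taken, which the page's disassembler prints as "-".
    forward = disp >= 0
    name += "-" if ((bo & 1) == 0) == forward else "+"
    return name, cr, (addr + disp) & 0xFFFFFFFF, disp


def decode(addr, word):
    """Render one 32-bit instruction word like the listings, or None."""
    if word == 0x60000000:
        return "nop"
    opcode = word >> 26
    rt = (word >> 21) & 0x1F
    ra = (word >> 16) & 0x1F
    d = sext16(word & 0xFFFF)
    if opcode == 16:
        bc = decode_bc(addr, word)
        return None if bc is None else f"{bc[0]} cr{bc[1]},0x{bc[2]:x}"
    if opcode == 14:
        return f"addi r{rt},r{ra},{d}"
    if opcode in D_FORM:
        mnem, fpr = D_FORM[opcode]
        return f"{mnem} {'f' if fpr else 'r'}{rt},{d}(r{ra})"
    return None


def listing(addr, word):
    """Same shape as the page: '0028EF08: 409D0008 ble- cr7,0x28ef10'."""
    return f"{addr:08X}: {word:08X} {decode(addr, word)}"


def nop_patch(addr):
    """The page's patch format: address, then the encoding of nop (ori r0,r0,0)."""
    return f"{addr:08X} 60000000"


def find_short_branches(base, blob, offsets=(0x8, 0xC, 0x10, 0x14),
                        kinds=("ble", "bge", "blt", "bgt")):
    """Addresses of conditional branches that skip only a few instructions.

    `blob` is big-endian code loaded at `base`. Results come back in the
    order the page searches them: every ble hit by offset, then bge, blt, bgt.
    """
    n = len(blob) // 4
    words = struct.unpack(f">{n}I", blob[: n * 4])
    hits = {}
    for i, w in enumerate(words):
        if w >> 26 != 16:
            continue
        bc = decode_bc(base + 4 * i, w)
        if bc is None:
            continue
        kind, disp = bc[0].rstrip("+-"), bc[3]
        if kind in kinds and disp in offsets:
            hits.setdefault((kind, disp), []).append(base + 4 * i)
    return [a for k in kinds for off in offsets for a in hits.get((k, off), [])]


# Constructed dump (not game code): short forward branches, one that skips too
# far to qualify, one backward bne, a subtract and a nop.
SAMPLE_BASE = 0x00280000
SAMPLE_WORDS = [0x7C1F0050, 0x409D0008, 0x40990008, 0x4080000C,
                0x41810010, 0x41800008, 0x409D0040, 0x4082FFF8, 0x60000000]
SAMPLE_BLOB = struct.pack(f">{len(SAMPLE_WORDS)}I", *SAMPLE_WORDS)

if __name__ == "__main__":
    for a in find_short_branches(SAMPLE_BASE, SAMPLE_BLOB):
        print(listing(a, SAMPLE_WORDS[(a - SAMPLE_BASE) // 4]), "->", nop_patch(a))
```

Point find_short_branches at a dump of the executable's code segment with its load address as `base` and the result is the candidate list to batch and NOP, in the same order as the search by hand. The page's own results for "0008 ble" follow.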

0011FCB4: 409D0008 ble- cr7,0x11fcbc

00125C00: 409D0008 ble- cr7,0x125c08

0012C09C: 409D0008 ble- cr7,0x12c0a4

00149598: 409D0008 ble- cr7,0x1495a0

001499F8: 409D0008 ble- cr7,0x149a00

00169B68: 409D0008 ble- cr7,0x169b70

00173980: 40990008 ble- cr6,0x173988

00173FBC: 409D0008 ble- cr7,0x173fc4

001762C0: 409D0008 ble- cr7,0x1762c8

00178330: 409D0008 ble- cr7,0x178338

00186AA4: 409D0008 ble- cr7,0x186aac

0018879C: 409D0008 ble- cr7,0x1887a4

0019A0AC: 409D0008 ble- cr7,0x19a0b4

001A4890: 409D0008 ble- cr7,0x1a4898

001A97FC: 409D0008 ble- cr7,0x1a9804

001AF7EC: 409D0008 ble- cr7,0x1af7f4

001D082C: 409D0008 ble- cr7,0x1d0834

001E14AC: 409D0008 ble- cr7,0x1e14b4

001F5FC4: 409D0008 ble- cr7,0x1f5fcc

00200298: 409D0008 ble- cr7,0x2002a0

00200480: 409D0008 ble- cr7,0x200488

0020BBFC: 409D0008 ble- cr7,0x20bc04

0020BC48: 409D0008 ble- cr7,0x20bc50

0020BC88: 409D0008 ble- cr7,0x20bc90

0020BCC8: 409D0008 ble- cr7,0x20bcd0

0020BD08: 409D0008 ble- cr7,0x20bd10

002106F4: 409D0008 ble- cr7,0x2106fc

00211778: 409D0008 ble- cr7,0x211780

002123F8: 409D0008 ble- cr7,0x212400

0023CF68: 409D0008 ble- cr7,0x23cf70

00264164: 409D0008 ble- cr7,0x26416c

00287418: 409D0008 ble- cr7,0x287420

0028EF08: 409D0008 ble- cr7,0x28ef10

00296F10: 409D0008 ble- cr7,0x296f18

002A3F38: 409D0008 ble- cr7,0x2a3f40

002B7054: 409D0008 ble- cr7,0x2b705c

002CE41C: 40990008 ble- cr6,0x2ce424

002D6CC8: 409D0008 ble- cr7,0x2d6cd0

003078C4: 409D0008 ble- cr7,0x3078cc

00316738: 40910008 ble- cr4,0x316740

00316B64: 409D0008 ble- cr7,0x316b6c

00320C1C: 409D0008 ble- cr7,0x320c24

0033124C: 409D0008 ble- cr7,0x331254

00341428: 409D0008 ble- cr7,0x341430

0034D4CC: 409D0008 ble- cr7,0x34d4d4

00355924: 409D0008 ble- cr7,0x35592c

003566B0: 409D0008 ble- cr7,0x3566b8

00367798: 409D0008 ble- cr7,0x3677a0

0036D610: 409D0008 ble- cr7,0x36d618

0036E258: 409D0008 ble- cr7,0x36e260

003767C8: 409D0008 ble- cr7,0x3767d0

003C7F84: 409D0008 ble- cr7,0x3c7f8c

003DF91C: 40850008 ble- cr1,0x3df924

004198F0: 409D0008 ble- cr7,0x4198f8

00438E14: 409D0008 ble- cr7,0x438e1c

0048E19C: 409D0008 ble- cr7,0x48e1a4

00499F28: 409D0008 ble- cr7,0x499f30

004B1C80: 409D0008 ble- cr7,0x4b1c88

004CBD00: 409D0008 ble- cr7,0x4cbd08

004EF1DC: 409D0008 ble- cr7,0x4ef1e4

004FAA3C: 409D0008 ble- cr7,0x4faa44

004FC9B8: 409D0008 ble- cr7,0x4fc9c0

00504850: 409D0008 ble- cr7,0x504858

That's all I found. I then start from the end and try the first 16:

00367798: 409D0008 ble- cr7,0x3677a0

0036D610: 409D0008 ble- cr7,0x36d618

0036E258: 409D0008 ble- cr7,0x36e260

003767C8: 409D0008 ble- cr7,0x3767d0

003C7F84: 409D0008 ble- cr7,0x3c7f8c

003DF91C: 40850008 ble- cr1,0x3df924

004198F0: 409D0008 ble- cr7,0x4198f8

00438E14: 409D0008 ble- cr7,0x438e1c

0048E19C: 409D0008 ble- cr7,0x48e1a4

00499F28: 409D0008 ble- cr7,0x499f30

004B1C80: 409D0008 ble- cr7,0x4b1c88

004CBD00: 409D0008 ble- cr7,0x4cbd08

004EF1DC: 409D0008 ble- cr7,0x4ef1e4

004FAA3C: 409D0008 ble- cr7,0x4faa44

004FC9B8: 409D0008 ble- cr7,0x4fc9c0

00504850: 409D0008 ble- cr7,0x504858

I delete the branches:

00367798: 60000000 nop

0036D610: 60000000 nop

0036E258: 60000000 nop

003767C8: 60000000 nop

003C7F84: 60000000 nop

003DF91C: 60000000 nop

004198F0: 60000000 nop

00438E14: 60000000 nop

0048E19C: 60000000 nop

00499F28: 60000000 nop

004B1C80: 60000000 nop

004CBD00: 60000000 nop

004EF1DC: 60000000 nop

004FAA3C: 60000000 nop

004FC9B8: 60000000 nop

00504850: 60000000 nop

I play the game and notice no effects. So I move onto the next 16:

00287418: 409D0008 ble- cr7,0x287420

0028EF08: 409D0008 ble- cr7,0x28ef10

00296F10: 409D0008 ble- cr7,0x296f18

002A3F38: 409D0008 ble- cr7,0x2a3f40

002B7054: 409D0008 ble- cr7,0x2b705c

002CE41C: 40990008 ble- cr6,0x2ce424

002D6CC8: 409D0008 ble- cr7,0x2d6cd0

003078C4: 409D0008 ble- cr7,0x3078cc

00316738: 40910008 ble- cr4,0x316740

00316B64: 409D0008 ble- cr7,0x316b6c

00320C1C: 409D0008 ble- cr7,0x320c24

0033124C: 409D0008 ble- cr7,0x331254

00341428: 409D0008 ble- cr7,0x341430

0034D4CC: 409D0008 ble- cr7,0x34d4d4

00355924: 409D0008 ble- cr7,0x35592c

003566B0: 409D0008 ble- cr7,0x3566b8

I delete them too:

00287418: 60000000 nop

0028EF08: 60000000 nop

00296F10: 60000000 nop

002A3F38: 60000000 nop

002B7054: 60000000 nop

002CE41C: 60000000 nop

002D6CC8: 60000000 nop

003078C4: 60000000 nop

00316738: 60000000 nop

00316B64: 60000000 nop

00320C1C: 60000000 nop

0033124C: 60000000 nop

00341428: 60000000 nop

0034D4CC: 60000000 nop

00355924: 60000000 nop

003566B0: 60000000 nop

I play the game and notice I have 5 grenades instead of 3. I throw one on the ground near me and notice my health didn't decrease and neither did my amount of grenades. Just to make sure it's the correct effects and not some worthless thing that only affects the numbers, I throw 6 grenades at my feet and stand on them. I lived and the grenades did not decrease, so I've found them. Now I just try half of them:

00287418: 60000000 nop

0028EF08: 60000000 nop

00296F10: 60000000 nop

002A3F38: 60000000 nop

002B7054: 60000000 nop

002CE41C: 60000000 nop

002D6CC8: 60000000 nop

003078C4: 60000000 nop

I play again and the same effects are still present, so they are within these 8 results. I try the first 4:

00287418: 60000000 nop

0028EF08: 60000000 nop

00296F10: 60000000 nop

002A3F38: 60000000 nop

The effects are still there, so they are within these 4. I try the first 2:

00287418: 60000000 nop

0028EF08: 60000000 nop

I play and notice I'm back to 3 grenades. I throw them on the ground and take no damage. So that means 1 of the first 2 is infinite health and 1 of the last 2 is infinite grenades. I try the first and third:

00287418: 60000000 nop

00296F10: 60000000 nop

I play and have 5 grenades again. I throw 1 at my feet and die when it explodes. That means 2 and 3 were health and grenades. Codes found.
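The narrowing above (16 patches, then 8, 4, 2, 1, with both effects checked on each play) is a binary search, and it is worth writing down once so the number of play-tests and the assumption behind it are explicit. The following is an added example, not the author's procedure or tooling: it bisects a batch of NOP addresses against an "oracle", a callable that applies a set of patches, plays, and reports which effects showed up, and it caches each play so one round answers for every effect at once. The halving only works when a single patch causes the effect; the example therefore confirms the survivor on its own and returns None when an effect turns out to need two patches together. fake_play and combo_play are constructed stand-ins for a play session, not game code; the batch and the two responsible addresses are the page's own.

```python
"""Halving a batch of NOP patches down to the one responsible for each effect.

Added example, not the author's own procedure or tooling. fake_play and
combo_play stand in for "apply the patches, play, throw grenades at my feet";
nothing here touches a real game.
"""


def bisect_effect(candidates, effect_present):
    """Find the single patch in `candidates` that produces an effect.

    `effect_present(patched)` applies exactly the patches in the tuple
    `patched`, plays, and returns True if the effect is there. Keeps the
    half that still shows the effect and, like the page, assumes the effect
    moved to the other half when the tested half lost it. Returns None when
    the whole batch shows nothing, or when the survivor on its own does not
    reproduce the effect, which means two or more of the patches are needed
    together and halving on a single cause was not valid.
    """
    pool = list(candidates)
    if not pool or not effect_present(tuple(pool)):
        return None
    while len(pool) > 1:
        first = pool[: len(pool) // 2]
        pool = first if effect_present(tuple(first)) else pool[len(first):]
    return pool[0] if effect_present((pool[0],)) else None


def isolate_effects(candidates, play, effect_names):
    """Bisect several effects against one batch, replaying as little as possible.

    `play(patched)` returns {effect_name: bool}. Every play-test is cached so
    that, as on the page, one round with a given patch set answers for every
    effect at once. Returns ({effect_name: address_or_None}, number of plays).
    """
    seen = {}

    def observe(patched):
        if patched not in seen:
            seen[patched] = play(patched)
        return seen[patched]

    found = {name: bisect_effect(candidates, lambda p, n=name: observe(p)[n])
             for name in effect_names}
    return found, len(seen)


# The page's second batch of sixteen "0008 ble" sites, in the order it tried them.
PAGE_BATCH = [
    0x00287418, 0x0028EF08, 0x00296F10, 0x002A3F38,
    0x002B7054, 0x002CE41C, 0x002D6CC8, 0x003078C4,
    0x00316738, 0x00316B64, 0x00320C1C, 0x0033124C,
    0x00341428, 0x0034D4CC, 0x00355924, 0x003566B0,
]
HEALTH_BRANCH = 0x0028EF08    # "Health Never Decreases"
GRENADE_BRANCH = 0x00296F10   # "Grenades Never Decrease"


def fake_play(patched):
    """Constructed stand-in for a play session; each effect hangs off one address."""
    return {
        "health_never_decreases": HEALTH_BRANCH in patched,
        "grenades_never_decrease": GRENADE_BRANCH in patched,
    }


def combo_play(patched):
    """Constructed failure mode: an effect that needs two patches together."""
    return {"needs_two": 0x00100000 in patched and 0x00100004 in patched}


def page_walkthrough():
    """Rerun the page's narrowing; both codes fall out in 7 play-tests."""
    return isolate_effects(PAGE_BATCH, fake_play,
                           ["health_never_decreases", "grenades_never_decrease"])


if __name__ == "__main__":
    found, plays = page_walkthrough()
    for name, addr in found.items():
        print(f"{name}: {addr:08X} 60000000")
    print(f"{plays} play-tests")
    combo, _ = isolate_effects([0x00100000, 0x00100004, 0x00100008, 0x0010000C],
                               combo_play, ["needs_two"])
    print("needs_two ->", combo["needs_two"])   # None: halving cannot isolate it
```

Two things the script makes explicit that the manual run leaves implicit: the whole batch is tested first, so an effect that is not there at all costs one play rather than a fruitless descent, and the survivor is confirmed alone, so a "code" that only works alongside another NOP is reported as unresolved instead of being written down as a single address.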