Animal Crossing Nes Codes Memory Card


Cheat codes for Animal Crossing

How to Meet K.K. Slider the singing dog

Go to the train station at 8:00 pm on a Saturday night in real time.

My SD card has a lot of space on it, and I looked online and it says to delete the extra data; I tried that and it still happens. I read that you delete the game off the 3DS and redownload it again, but I am afraid of doing so, because I don't know if, when I redownload the game, it will recognize the save file that I have for the game, and I don't want to lose all that work.

  • That’s where a bunch of the code for Animal Crossing lives in memory. This means it’s possible to patch Animal Crossing’s code itself using the ROM metadata tags from a file on the memory card. With a small loader patch, it’d be possible to easily load even larger patches to any address from the memory card.
  • The best place to get cheats, codes, cheat codes, hints, tips, tricks, and secrets for the GameCube (GCN). This trick requires at least two memory cards. Have two towns saved, one on each card. On Saturday, get a song from Totakeke, then go to the other town and get one there. Or in the Animal Crossing options and change.

Song List

These are all of the songs that you can request from K.K. Slider and play on your own stereo. Make sure you put in the periods after the letters 'K':
Aloha KK
Cafe KK
Comrade KK
DJ KK
Go KK Rider
I Love You
Imperial KK
KK Aria
KK Ballad
KK Blues
KK Bossa
KK Calypso
KK Casbah
KK Chorale
KK Condor
KK Country
KK Cruisin'
KK D & B
KK Dirge
KK Etude
KK Faire
KK Folk
KK Fusion
KK Gumbo
KK Jazz
KK Lament
KK Love Song
KK Lullaby
KK Mambo
KK March
KK Parade
KK Ragtime
KK Raggae
KK Rock
KK Safari
KK Salsa
KK Sambe
KK Ska
KK Song
KK Soul
KK Steppe
KK Swing
KK Tango
KK Technopop
KK Waltz
KK Western
Lucky KK
Mr. KK
Only Me
Rockin' KK
Senor KK
Soulful KK
Surfin' KK
The K. Funk
Two Days Ago

Golden Shovel

See the shiny spots on the ground where you dig up your 1000 bells? Do not fill in the holes yet. Instead, you need to purchase another shovel and bury the shovel in the ground where you got the money. This will sprout a tree that will grow a golden shovel.

Golden Axe

Frequently visit the wishing fountain. You must fix all tasks it asks of you ranging from cleaning up the garbage to making areas more green. Get a consistently good ranking on your town from the wishing well for 15 days and you will be rewarded with the golden axe.

Golden Fishing Rod

Catch all 40 species of fish to get rewarded with the golden rod. You will also get a cool emblem on top of your house.

Golden Net

Catch all 40 species of bugs to receive a golden net and a cool emblem on top of your house.

Be color coded

Place orange colored furniture in the North, yellow in the West, red in the East, and green in the South. This will give you certain bonuses. For example, the yellow furniture increases the amount of money you receive. The other colors have similar benefits, so be sure to follow this basic rule when constructing your house.

Fossil Fuel

After you've dug up a fossil, sent it to the museum and received it back, you can take the fossils to Tom Nook and sell them for very high prices.

Bees into money

It's tricky and you have to time it right, but when you knock a beehive out of a tree get your net out and catch the bees. This is the most profitable out of all the insects in the game, worth 4500.

Money trees

Find a spot in the ground that's glowing and dig it up. You'll get 1000 bells but instead of keeping it, bury again in the same hole and a money tree will grow.

Speed it up

During any given day you can run out of things to do or buy. So here's a solution: Save your current game, then turn the GC off. Open the lid and turn the GC on so the main GC menu comes up. Go into the calendar and change the date and/or time to whatever you want. Then close the lid and start the game. It will now be that time/day in the game and you have new stuff to buy and things to do. This works great with Halloween and 'Toy Day' (Christmas). You can then switch back to the regular day and time without fault.

Super Mario Song

Obtain an Apple television and turn it on. If you zoom in close, you will hear the Bowser music from Super Mario World.

Danny Boy Song

To have the song 'Danny Boy', enter the following at the Melody sign west of the Post Office.
- - A C D E - -, D E A G E D C A

Epona's Song

To have Epona's Song (from Zelda), enter the following at the Melody sign west of the Post Office.
C A G - - C A G- - C A G (Silent) B A -

Fish Prices

The following are fish prices that Mr. Nook gives you in Bells.
Barbel Steed 200 Bells
Barred Knifejaw 5,000 Bells
Bass 300 Bells
Bitterling 1,300 Bells
Blue Gill 120 Bells
Brook Trout 150 Bells
Carp 300 Bells
Cherry Salmon 1,300 Bells
Crucian Carp 120 Bells
Dace 200 Bells
Freshwater Goby 300 Bells
Giant Snakehead 6,500 Bells
Gold Fish 1,300 Bells
Guppy 1,300 Bells
Koi
L. Bass 3,000 Bells
L. Char 10,000 Bells
Piranha 6,500 Bells
Pale Chub 200 Bells
Pond Smelt 300 Bells
Popeye Gold Fish 1,300 Bells
Rainbow Trout 650 Bells
Red Snapper 3,000 Bells
S. Bass 200 Bells
Sea Bass 120 Bells

Balloon

On some days, you will see a balloon floating in the air with a present tied to it. Follow it until it gets stuck in a tree. If this happens, shake the tree to pop the balloon and the present will fall to the ground. Then, pick up the present. Note: Most of the time it is furniture.

Golden Butterfly

Catch all 40 types of bugs.

Duplicating items and money

This trick requires two Game Boy Advances and a link cable. Connect Game Boy Advance #1 to the Gamecube using your link cable and turn it on. Go to your island (located on the dock at the edge of the ocean). When you finally get to the island, drop off the item or money that you wish to duplicate. Leave the island. When Kapp'n asks if you want to save your island to your Game Boy Advance, select 'Yes'. After it is done downloading to your Game Boy Advance, you can put it in sleep mode, disconnect it, and set it aside. When you get back to your town, attach Game Boy Advance #2 and turn it on. Leave that screen then immediately return to it. Talk to Kapp'n to go back to your island. After you start leaving you can turn Game Boy Advance #2 off. When you get to your island, pick up the item that you left there then leave the island again. This time when Kapp'n asks you to save your island to your Game Boy Advance, answer 'No'. When you get back to your town, disconnect Game Boy Advance #2 and connect Game Boy Advance #1 (make sure it is not in sleep mode). Leave the screen and return. Talk to Kapp'n once more. Your island should upload from your Game Boy Advance. When you get to your island, your item will be there again and you will already have it in your pockets. Pick up your item from the ground. You now have two of them. This will also work with multiple items.

Catch A Living Fossil Fish

To catch the living fossil you must fish in the sea when it's raining. You will know when it's there because it's the largest fish and is worth 15,000 Bells to Tom Nook.

How To Get Extra Money

First grab some fruit then hop on the train. Once you get to the other village sell the fruit for 400 bells more. Then grab some more fruit in that town. Then go back to the first town and sell all the fruit. You will get a lot more money this way!

How To Transport Items

To transport items pick them up and travel to a different town. Once there you must either drop the item on the ground or use the shovel to bury it in the ground. Then go back home and save. Come back on the other Memory Card and get the item put it in your house. This is great for moving your belongings to a different town.

Yankee Doodle

To get yankee doodle as a melody put CCDE-CED-CCDE-C-B-G.

Charlie Brown

To get the charlie brown melody you put CDE-EDC-D-C-CDE-E.

Stop The Waiting

When Tom Nook collects enough money he upgrades his store. When he does this the store is closed for a day. Now if you hate being on the wrong day and time (or if it is a special day) on Animal Crossing you can do this... Go to your Gyroid and save and quit. Then before you start the game again select Before I Go and select Other Things. Then select Set Clock, change it to the next day and start the game. When the game has started go to Tom Nook's new shop and sell something (ex: fruit), then Save and Quit and change the clock to the real day and time. Afterwards, when you go to Tom Nook's shop it will be finished.

Gift From Nintendo Power

Go to Tom Nook's store and then talk to him. One of his options will be 'Other Things.' Then he will give you the option of 'Say Code.' Then type in the following code
Mario Trophy
[email protected]&q75
8XzSKd6Tuj7Lts

100 turnups

Go to Tom Nook's shop and say 'other things.' Then say 'say code' and type this in. It sells for good bells.
aPShDyYoeR685b
afcAlkwcRCmqi3
This will give you 100 turnups.

Fiddle Pause Screen Background

To change the pause screen background, grab a shirt that you want for the background. Move it to the bottom-right hand corner (not the section where the letters are stored) and move it down once. It will go into a blank area, and when you press A, the background will change.

30,000 Bells

Tell Tom Nook:
WB2&pARAcnOwnU jMCK%hTk8JHyrT

Starman

Talk to Tom Nook. Tell him this code:
4UF6T948GZ3ZW3
dw#%jtLEqj5ZBf

Extra 10,000 bells

First go to your gyroid and save and quit (make sure your mailbox is empty.) Then set the clock to January 1st. Then go to your mailbox. Your mom will mail you 10,000 bells! Do that with every other year for 10,000 bells!
Note: If you do it with one year, you can't do it with that year ever again!

Catch a Stringfish

When it is winter you can find a stringfish. Note: Don't try to catch it in the sea.

Zelda's Lullaby

Go to the melody sign near the post office and type this for Zelda's Lullaby: E--D-C--E--D-C--

48,000 bells in less than 10 minutes

1LhOwvrDA23fmt dsgnvzbCIBAsyd....Go to Tom Nook's Store and talk to him, say Other Things, and then Say Code. Type the below code in, you should get a Train Station Model 1. Open it, and sell it to Tom Nook. You will get 16,000 Bells! Repeat this process two more times, you will get in total 48,000 Bells! Then save and quit. Load up the game again, and you can get another 48,000 Bells! This can be repeated as much as you want, but remember, after you put it in three times, you have to save and quit. This also works with the other Station Models.

Some Item Codes

Password Effect
HullivershoneH DullivershonSY Get: Classic Bed
BF&6KQom9DzR35 RfLDC4%EepcmiR Get: Classic Cabinet
11ACK6I9JE#[email protected] gHCeoBLaa7Y%PE Get: Classic Chair
rc&c5qw9baamLS gljjHSoLwZMD7& Get: Classic Clock
rxdfqdasdasdas masdasdasdasda Get: Classic Desk
[email protected] sh&9cb#9Uh9w04 Get: Classic Hutch
B6&6KQom9DzR35 RfyDC4%EEpCmiR Get: Classic Sofa
Toad&Mushsooms Hmad&Mushdooms Get: Classic Table
OainktothepasT qninktothepasT Get: Classic Wall
KtsuKuKeGiKunY ItsuReSeZeNiyG Get: Classic Wardrobe
Za2&3&4&5&6&7& 1&2&3&4&5&6&7& Get: Classic Vanity
j&JHasABigFatM exicanAss5eups Get: Classic Painting
All Passwords for the Harvest Set/Series
Go to the store owned by Tom Nook. While talking to him, say 'other things', then say 'say code'.
Password Effect
ArariaAndrarah Swurlingtre5&2 Harvest Bed
[email protected] sqO9cb#3UaKHP5 Harvest Bureau
ifc74nVlY%zoI4 [email protected] Harvest Chair
R5ngoARS6I3iVL y&M6IJyNoWUBW4 Harvest Clock
[email protected] sqO9cb#9UaKHI4 Harvest Dresser
[email protected]&q7z 8UzSN1pfij76ts Harvest Lamp
ZeldainhyruleS NlgendO3Zeldgb Harvest Mirror
ArariaAndrarah Srurl5ngtre5&2 Harvest Sofa
vPSYDyYoeR685b afZBlkwcRCmqi3 Harvest T.V.
vPNH#CJc5yevsB DDQOhQdeKxHydS Harvest Table
All Passwords for the Jingle Set
Go to the store owned by Tom Nook. Talk to him. Tell Nook 'Other things', then 'Say Code'.
Password Effect
aPShHyYoeR685b afvBlkwcRCmqi3 Jingle Bed
aDSLHyYoeR685b afBBklwcRCmqi3 Jingle Chair
JgpermariobqoS 2ysmAlCa0ssiNG Jingle Clock
11AcKGI9JE#[email protected] gHceoBLdG7Y%PE Jingle Dresser
aPShDyYoeR685b afTBlkwcRCmqi3 Jingle Lamp
aDShHyYoeR685b afEBlkwcRCmqi3 Jingle Piano
aPShDyYoeR685b afhBlkwcRCmqi3 Jingle Sofa
lLhuwvEDA33emA dbgnvzbCvBAsyU Jingle Table
MeetloafmeatdY LxatloafmeatdY Jingle Wardrobe
All passwords for the Modern set
Tell these codes to Tom Nook. Say 'Other things' then 'Say Code'.
Password Effect
MupersmaspbdoSSFIersmashbroS Modern Bed
MupersmaspbhoSSuIersmashbroS Modern Cabinet
A234567891234512345678912345 Modern Chair
[email protected]@Zzfuq#0zz3Nn27IGVlmPGG Modern Desk
[email protected]#9Uh9wO4 Modern Dresser
A7r45678912345K2345678912345 Modern End Table
2CijfPfycftAWiZkLTnpUgQjJ&j% Modern Lamp
EByY6mPTISyAEEyeexae81jaVOOb Modern Screen
[email protected] Modern Sofa
AlinktothepasT#linkgothepasT Modern Table
IDktBTGeNewWayOCRogtingCodez Modern Wardrobe
You can get the Lucky Nintendo Set for free with this code. There are other codes for them but these codes also work.
(Note: All codes are case sensitive. You must type them exactly as you see them. O and 0 look the same, as do I and l and 1.)
Password Effect
EOktvXIJ7WdzRj uiT28vpqcbJ1g Luigi Statue
[email protected]&q75 8XzSKd6Tuj7Lts Mario Statue
Barbecue Theme
Go to Tom Nook and tell him the following set of passwords:
Password Effect
aPYhDyYoeR685b afZBlkwcRCmqi3 Barbecue
ArTriaAnoSarah Spurlingtre5&2 Bird Feeder
cPYhDyYoeR685b afZBlkwcRCmqiR Bug Zapper
[email protected] RTkjA3P3nb#GNh Garden Gnome
[email protected]&q7z 8XzSNupfij76ts Hammock
ArariaAndSarah SourlingAre5&2 Lawn Chair
[email protected] sh09cb#9UaKH84 Lawn Mower
ArTriaAndSarah Spurlingtpe5&2 Mr. Flamingo
aPYhDjYoeR685b afZBlkwcRCmqi3 Mrs. Flamingo
ArariaAndrarah S9urlCngwre5&2 Picnic Table
[email protected] shO9cb#9UaKHL4 Sprinkler
ArariaAndSarah Shurliagtre5&2 Tiki Torch
Cabana Items
Go to Nook and talk, select other things, then pick the password choice.
Note: You need to talk to a villager for the Cabana Screen
Password Effect
B6&6KQom9DzR35DfkDC4%EEpCmiR Cabana Bed
Iar45678912345E2345678912345 Cabana Bookcase
2%QafhMKhAyAY3Z5yYAK9zNHxLo7 Cabana Chair
PlaystationonE PyaystationonE Cabana Dresser
ZzicrRB%wwcRMs GX1Qb&Zv0Z7c8x Cabana Lamp
2%Q3fhMdRByAY3Z5yYAK9zyHxLo7 Cabana Screen
I7345678912345 E234567891234E Cabana Table
FjEiKuIzEiKukY DkEiKuIzEiKuky Cabana Vanity
Cabin Items
Go to Nook's store and talk to him. Select other things and choose the password option, then enter one of the following
Password Effect
MupersmashbgoSSFIersmashbroS Cabin Armchair
MupersmashbroSSupersmashbroS Cabin Bed
[email protected][email protected] Cabin Bookcase
D7r4567a912345Ea3456789e23i5 Cabin Chair
MupersmashbnoSSupersmashbroS Cabin Clock
Blaine0002HeISABigFatAssNazi Cabin Couch
11AcKGI9JE#[email protected]%PE Cabin Dresser
MupersmaspbroSSupersmashbroS Cabin low Table
ZzicrRB%wwcRMsGX1QbaZv0Z7c8x Cabin Table
IDkteTBeNewWayOCRogtingCodez Cabin Wardrobe
Chess characters
Go to Nook's store, talk to him, select other things and choose the password choice. Then enter one of the following
Note: I think you need to talk to a villager for the White Knight. I'm not positive though.
Password Effect
aDSLDyYoeR685bafRBlkwcRCmqi3 Black Bishop
lLhuwvEDA23fmAdsgnvzbCIBAsyU Black King
SupermakiobroSAeImAlCrOssiNG Black Knight
1LhuwvEDA22fmAdagnvzbCvBAsyU Black Queen
aDShHyYoeR685bafyBlkwcRCmqi3 Black Rook
SupermariobqoS4nImAlCa0ssiNG White Bishop
aPShDyYoeR685bafbBlkwcRCmqi3 White King
[email protected]#9Uh9HO4 White Knight
RtiXgIAGfe2AI7WwBZBBWW#Pulyc White Pawn
aPShDyYoeR685baf%BlkwcRCmqi3 White Queen
aPSLHyYoeR685bafxBlkwcRCmqi3 White Rook

Find a turkey

At the harvest festival, you will find a turkey somewhere hiding behind stuff.

Catch a Shark

To catch a Shark do the following. When it is raining in November, go to where the ocean meets the river from 6pm onwards and keep running out of the acre and back in, scaring away all the little fish, until you see a huge shadow (about the size of the Coelacanth's). Cast out your line and try to catch it. If you don't catch it, keep on trying. It is worth 20,000 bells if sold at Tom Nook's.

Money trees

Sometimes in your town you will see some sort of yellow glow come out of the ground. Use your shovel and dig it up. You will get 1,000 bells! Then bury money in the hole and a few days later it will grow into a money tree!
Note: This trick is very hard to do because it mostly dies out.

Find a ghost

You must do this at 2:00 am in June (or some month around it). Then, keep checking around all the acres (he's invisible, so check all around) and you will find him! You need to catch all 5 spirits with your net for him to: pull weeds, give you something, and something else.
Note: Spirits can be found all over the town, so keep checking!

Money trees:step #2

When you plant a money tree, don't set the clock. If you do, it won't grow. So wait a few days without setting the clock.

Mr. Resetti and Don

If you start a game after resetting the GameCube during play, Mr. Resetti will appear to complain. Repeatedly reset the GameCube to make him more and more angry. Eventually, Mr. Resetti's brother Don will appear to take the place of Mr. Resetti.
This is what happens corresponding with the number of times you reset:
1: The first time, he will go 'easy' on you and warn you not to reset again.
2: He'll come back and is slightly angry, no harm done.
3-6: He'll be ticked off, watch out, you may get lucky and he'll do this for the max 3 times in the stage.
7: Don his brother takes his place. He is nice but don't let him fool you, Mr. Resetti will come back if you reset again.
8-60. Ok, here’s when it gets funny, he'll sometimes ask you to write a note, and sometimes he'll make the screen go blank for a few seconds.
Your last offence, number 61: He makes sure that no one resets again! He makes almost everyone who lives in your town move up. It's rather funny, and they can't move back for about a week. When they do come back they don't want to be near you. You are shunned for about a month.
  • Today I felt like going over one of the many save exploits for the gamecube I pushed out over time, these exploits load a custom homebrew executable from memory card so you can use gamecube homebrew without any modchips or any other special device, just an exploitable game and a save for it on memory card, transferred using another hacked gamecube or a hacked wii.
    Specifically I felt like going over animal crossing, the most recent exploit I released right here:
    https://github.com/FIX94/ac-exploit-gc
    For this one I don't have to go over the initial step of finding a way to execute code, I can just link you to this detailed writeup:
    https://jamchamb.github.io/2018/07/11/animal-crossing-nes-emulator-hacks.html
    Indeed all the credits for finding this way to execute code go to james chambers, if you read the link above then this will continue right from where the link above ends.
    So while james chambers initially used my_malloc for his address overwrite to gain code execution when loading up a custom NES game with the NES item in game, I quickly realized that this would not work out with all releases of animal crossing. As he described, you can only modify memory regions 0x80000000 to 0x807FFFFF with the PAT tag, in the US release of the game the my_malloc pointer is at 0x806D4B9C which is within that region but in for example the last japanese release that location is at 0x8115BC74, far out of reach of the PAT tag.
    Luckily, I have years of gamecube experience thanks to nintendont, so I immediately had an alternative in mind that would easily be in reach of all versions and gets executed pretty much every frame by PADRead. Now what exactly is PADRead? Well, it reads out the gamecube controller plugged in, updating whatever buttons you press or analog sticks you move. The actual controller update type though can theoretically vary depending on the gamecube revision, early development models and such actually had a different setup for updating the controls and even though retail units I think always use the same function, the gamecube software development kit always has this function on a pointer for what I can only assume maximum backwards compatibility, just in case such an alternative type is needed. This pointer gets set by PADSetSpec right when the game first boots up and then never touched again.
    Thanks to the gamecube software development kit being statically linked into memory, the address used for that set by PADSetSpec never changes, making it the perfect target:
    https://github.com/FIX94/ac-exploit-gc/blob/master/exploit/Makefile#L57-L99
    See PATCH_PTR from all these different releases of the game? That's the address I overwrite. As you can see, those are all easily within the limit of the PAT tag. So great, now we have a pointer we can write any other memory address into that then gets executed.
    What do we even want to write into there?
    In past exploits, this was a very simple case of executing a custom loader I wrote that just loads an executable off the memory card, but we are talking about animal crossing here. If you exit the game without first saving, then on next boot resetti will show up, which would make this exploit pretty annoying. It takes long enough to boot the game, load your town, enter your house and click on the NES already so I don't want this to take even longer. So this time, I needed some more setup than usual.
    There can be more than one PAT tag in the custom NES game so following the example of james chambers, I used that to copy some small bit of code into an address not used by the game anymore, 0x80003970. Now we have 2 PAT tags. The first writing the value '0x80003970' into the pointer executed by PADRead, and the second one writing some custom code into the actual memory region 0x80003970, so now as soon as PADRead gets executed, it will jump to 0x80003970 which with the help of the second PAT tag contains some custom code. That bit of custom code is right here:
    https://github.com/FIX94/ac-exploit-gc/blob/master/patcher/start.S
    Let me go over what that code actually does.
    The first bit of code to start us out with is pretty boring:
    https://github.com/FIX94/ac-exploit-gc/blob/master/patcher/start.S#L13-L24
    All this bit does is secure the address of PADRead and the arguments that PADRead used to call this now replaced controller update function into some other registers we don't use, so we can restore them later on when all the magic is done. Next up, we load the NES ROM address that the NES emulator uses, so now onto what this NES ROM even is.
    I really did not like that in the initial demonstration from james chambers that there was no NES ROM used to display at least some message on screen when you chose to load your custom game with the NES item, so having written my own nes emulator and several nes patches, I of course decided to make up my own NES ROM:
    https://github.com/FIX94/ac-exploit-gc/tree/master/exploit/nesrom
    This one is just based on a template I grabbed from another github repo that I linked at the link above, all it does is display a message on screen of the exploit either succeeding or failing:
    How do I know if the exploit actually worked? Well, in the NES ROM I just set up a variable that is 0, and then when the NES ROM executes, it compares that variable with 0, if it still is 0 then I print out it failed, but if it is not 0, then I print out it succeeded. Since the PADRead function executes before that NES ROM code, my code at 0x80003970 first sets that ROM variable to 1:
    https://github.com/FIX94/ac-exploit-gc/blob/master/patcher/start.S#L25-L27
    The purpose of this NES ROM however is more than to just show off that hey, I can do that, it also actually contains the loader code I was talking about earlier, the one to load up an executable from memory card. So the code at 0x80003970 next up copies that bit of code from the NES ROM over into some more unused game memory at 0x80004000:
    https://github.com/FIX94/ac-exploit-gc/blob/master/patcher/start.S#L28-L44
    To recap what all happened so far, we have a custom NES ROM and some PAT tags that when selecting the custom NES game will display a message on screen and copy a custom loader that's capable of loading executables from memory card to 0x80004000. Next up, how are we going to execute this custom loader?
    Again thanks to my knowledge from nintendont, I had the idea of just seeing which function called CARDWriteAsync. CARDWriteAsync gets executed whenever the game wants to write a sector onto the memory card, which of course is done during saving. So I just set a breakpoint of this in dolphin and wrote down the function address of where that happens, and from that address I essentially just set a new breakpoint at the start of that function, then again checked from which function address that was called and repeated that until I found the earliest function that is involved in saving. This led me to a small function pointer tree that handles mounting and opening the memory card, starting to save, updating the save date and closing and unmounting the memory card after saving is done. So all I had to do from here is just replace the function pointer in the tree that gets executed right after the card got unmounted with a jump to our custom loader at 0x80004000:
    https://github.com/FIX94/ac-exploit-gc/blob/master/patcher/start.S#L45-L50
    I did actually release 2 versions of this exploit, and this is where the earlier version cleaned everything up and you had to exit the NES game, leave the house, select that you want to save, wait for it to save and then the loader would load the executable. That was rather slow and I wanted to improve that, this next part is of what I had to go through to make it better.
    This part probably took me the longest out of all this, trying to find a smoother way of getting to the actual executable. My memory on this is quite fuzzy because it really just was a constant loop of me setting a breakpoint in dolphin and seeing what happens, basically what I was searching for was some state variable that told the game what to do when exiting the NES game, and changing that to a state that normally gets set when you choose to save. Well, at this point I already knew what gets executed when it starts to save. So from that function pointer tree it was just a matter of setting more breakpoints to get earlier into game execution. In the end, I found the function that gets executed right when the screen fades in where you then get asked if you want to save. After finding that function, I've read through the code that actually set that function pointer and after a long search I found, in the US release located at 81266414, a variable I just called gamestate. This value decides what gets executed when game scene changes (a scene being the title screen, the save screen, game overworld etc). So here are a few of those states in dolphin:
    So normally when exiting the NES, it is set to 14 (house) as you can see from the images above, after finding this magic variable I set a breakpoint for whatever sets that memory address on NES exit and found that when starting the NES game it stored that state in a separate address first (8128E97C in the US version) and then on NES exit just set the gamestate to that previously stored value. So, all I have to do now in my custom loader is modify that address and set it to 22 (game save) instead:
    https://github.com/FIX94/ac-exploit-gc/blob/master/patcher/start.S#L51-L55
    So now when exiting the NES game we automatically jump to the save screen instead of the house, this is a pretty good start!
    Since I now knew which functions get executed when saving and also knew which ones first get executed when you enter the save screen, I just replaced that initial function on fade in directly with the function that does the saving process, so you don't even have to go through the dialog and again say that you want to save, as soon as you enter the save screen it just saves immediately instead:
    https://github.com/FIX94/ac-exploit-gc/blob/master/patcher/start.S#L56-L61
    With all those changes in place, I now had a very optimized way of making this exploit work, lastly I suppose we should just quickly go over the cleanup that remains. Of course, we still need the game to execute like normal so we have to restore the function PADRead uses to what it is supposed to be, this of course can just be done by calling PADSetSpec again which was used to initially set this pointer:
    https://github.com/FIX94/ac-exploit-gc/blob/master/patcher/start.S#L62-L71
    Now that the pointer is restored, all that's left is to call that function with the arguments PADRead initially gave us and the game is back in normal operation:
    https://github.com/FIX94/ac-exploit-gc/blob/master/patcher/start.S#L72-L83
    So, we now reached the end of this small custom code and even though it may be pretty short it sure did a ton of stuff.
    Now you know what all happens when you choose the custom NES game in your house except for the custom loader that gets executed after saving is done. In this blog entry I won't go over the details of that custom loader because it is shared pretty much unchanged between all the save exploits I pushed out, maybe that one will be a separate entry. When I released that exploit I did also make a quick video showing it in action so you can see it for yourself:
    There you have it, now you know just how much stuff is going on for something that looks so simple when you just execute it without looking closer at it. This isn't even going into the really tiny details either of how this is all put together into a usable save in the first place but that would probably just be too much to write down, I would be surprised if anyone actually made it all the way to the bottom of this blog entry anyways and understood exactly what is going on so there's no need to push any further I think.
    If you DID make it down to here and actually understood some of it then I hope you learned something new, thanks for reading.
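
The address constraint the post describes, seen from the side of the code that applies the patches, as an added example that is not part of the blog entry, ac-exploit-gc or the game: it checks the addresses quoted in the post against the PAT window and against a stricter rule that only permits writes into the emulator's own buffer. The record layout (`struct patch_rec`), the buffer bounds (`EMU_BUF_START`, `EMU_BUF_SIZE`) and all function names are assumptions made for the illustration, and memory is simulated with a plain array.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Window the post says a PAT tag can modify: 0x80000000..0x807FFFFF. */
#define PAT_WIN_START 0x80000000u
#define PAT_WIN_SIZE  0x00800000u

/* Hypothetical: the buffer the emulator legitimately owns (assumed bounds). */
#define EMU_BUF_START 0x80700000u
#define EMU_BUF_SIZE  0x00010000u

/* Hypothetical in-memory form of one patch record; not the real tag layout. */
struct patch_rec {
    uint32_t       target;  /* absolute destination address */
    uint32_t       len;     /* payload length in bytes */
    const uint8_t *data;
};

static uint8_t sim_ram[PAT_WIN_SIZE];       /* simulated RAM, zero-filled */

/* True if [addr, addr+len) lies inside [start, start+size); cannot wrap. */
static bool range_within(uint32_t addr, uint32_t len,
                         uint32_t start, uint32_t size)
{
    if (addr < start)
        return false;
    uint32_t off = addr - start;
    return off < size && len <= size - off;
}

/* The unrestricted rule described in the post: any address in the window. */
bool window_reachable(uint32_t addr, uint32_t len)
{
    return len > 0 && range_within(addr, len, PAT_WIN_START, PAT_WIN_SIZE);
}

/* Hardened rule: a record may only touch the emulator's own buffer. */
bool patch_allowed(const struct patch_rec *r)
{
    return r != NULL && r->data != NULL && r->len > 0 &&
           range_within(r->target, r->len, EMU_BUF_START, EMU_BUF_SIZE);
}

/* Validate every record before writing anything, so one rejected record
 * leaves memory untouched. Returns records applied, or -1 on rejection. */
int apply_patches(const struct patch_rec *recs, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!patch_allowed(&recs[i]))
            return -1;
    for (size_t i = 0; i < n; i++)
        memcpy(&sim_ram[recs[i].target - PAT_WIN_START],
               recs[i].data, recs[i].len);
    return (int)n;
}

/* Read one byte of simulated RAM (addr must be inside the window). */
uint8_t sim_read(uint32_t addr)
{
    return sim_ram[addr - PAT_WIN_START];
}

int main(void)
{
    static const uint8_t four[4] = { 1, 2, 3, 4 };   /* constructed payload */
    const struct { const char *what; uint32_t addr; } seen[] = {
        { "my_malloc pointer, US release",      0x806D4B9Cu },
        { "my_malloc pointer, last JP release", 0x8115BC74u },
        { "unused region, copied code",         0x80003970u },
        { "unused region, loader",              0x80004000u },
    };
    for (size_t i = 0; i < sizeof seen / sizeof seen[0]; i++) {
        struct patch_rec r = { seen[i].addr, sizeof four, four };
        printf("%-36s 0x%08X  in PAT window: %d  passes hardened check: %d\n",
               seen[i].what, (unsigned)seen[i].addr,
               window_reachable(r.target, r.len), patch_allowed(&r));
    }
    return 0;
}
```

Every address from the post that falls inside the window fails the stricter check, which is the property a fixed loader needs: the window limit alone still leaves SDK pointers and unused low memory writable.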

    1 Comment

  • TheMrIron2
    Fascinating exploit. It's expected to see an exploit that's simply 'Okay, this is loading another part of the program; let's replace it', but the way you actually loaded it was quite clever and it must have been hard to figure out all the addresses and functions. Props.
