How to find cheats (BSD Patch Creator)
Originally by Ginger from ps3cheating.net
The Patch Creator by @aldostools is a HEX editor/wizard made for Bruteforce Save Data. Once you have the basic fundamentals of finding hex values using any hex editor, you can use the Patch Creator easily. All you need is the location (offset) of the values. You need to take some time to understand the syntax of Patch Creator. It is basically a simplified and readable version of Game Genie's Code-Types.
If the value is at a single static offset/address?
[Cheat 1]
; (67) = 0x43 ;Addresses enclosed in parentheses are treated as decimal.
write at (67): 446966666963756C7479
;The following 3 lines are equivalent:
;write at (67): 446966666963756C7479
;write at 43: "Difficulty"
;write at 0x43: "Difficulty"
;write at <offset>:repeat(<count>,<value>[,<increment>])
;write next <address-increment>:repeat(<count>,<value>[,<increment>])
;set [variable]:repeat(<count>,<value>[,<increment>])
;write from offset 0x0001 to 0x0020 (32 bytes) filled with character ascii 0x01
write at 0x0001:repeat(0x20,01)
;write from offset 0x0000 to 0x00FF (256 bytes) filled with characters 0x00 to 0xFF
write at 0x0000:repeat(0x100,0x00,0x01)
;write from offset 0x0100 to 0x011F (32 bytes) filled with values 0x20FF to 0x20F0
write at 0x0100:repeat(10,20FF,(-1))
;write from offset 0x0100 to 0x010B (12 bytes): 0F FF FF 1F FF FF 2F FF FF 3F FF FF
write at 0x0100:repeat(4,0FFFFF,100000)
;store 4096 null bytes in "myvar"
set [myvar]:repeat(0x1000,00)
If the value is at multiple static offsets?
[Cheat 2]
write at 0x43: 12345
write at 0x55: 56789
If the value is not at a static offset/address? What if the position changes on every save?
; the search sets the file pointer to the offset
search "a text value that is near the bytes that will be changed"
write next 3:"TEXT"
; the 2 bytes CA CA will be searched starting from offset 0:
search 0xCACA
write next 0x100:0xCAFE
; the 2 bytes: CA FE are written 256 bytes after the 1st occurrence of CACA
; 0x100 = (256). If the bytes CA CA are not found, the write is not performed.
What if you need to change a value at multiple locations and it is not at a static offset/address? What if the position changes on every save?
Example 1
; the 4 bytes BE B0 CA FE will be searched 3 times starting from offset 0:
search 0xBEB0CAFE:3
write next (-512):0xDEADC0DE
; the 4 bytes: DE AD C0 DE are overwritten 512 bytes before the 3rd occurrence of BEB0CAFE
; If the bytes BE B0 CA FE are not found, the write is not performed.
Example 2
search 0x00000960
write next (11):0x54000000
The search command stores the offset where the bytes are found in an internal Pointer variable.
The write next command writes the bytes at a location relative to that Pointer.
So if the bytes 00 00 09 60 are found at 0x4000, the write next (11) means that the 54 00 00 00 will be written 11 bytes (decimal) after the pointer. That is at 0x400B.
For the script, the 11 between parentheses means that the number is decimal.
If you instead use write next 11:0x54000000 or write next 0x11:0x54000000, the 54 00 00 00 will be written 17 bytes (decimal) after the pointer. 0x11 = 17 decimal.
If the searched value is not found, the write next is not performed.
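The pointer behaviour described above can be modelled in a few lines of Python. This is an added illustration, not code from BSD or the Patch Creator; the names parse_num and Patcher, the sample buffer, and the handling of overlapping matches and out-of-range writes are assumptions.

```python
def parse_num(tok: str) -> int:
    """(11) and (-512) are decimal; bare 11 and 0x11 are both hexadecimal."""
    tok = tok.strip()
    if tok.startswith("(") and tok.endswith(")"):
        return int(tok[1:-1], 10)
    return int(tok, 16)  # base 16 also accepts an optional 0x prefix


class Patcher:
    """Toy model of the Pointer kept between search and write next."""

    def __init__(self, data: bytes):
        self.data = bytearray(data)
        self.pointer = 0
        self.found = False

    def search(self, pattern: bytes, times: int = 1) -> bool:
        """Point at the Nth occurrence of pattern, scanning from offset 0."""
        pos = -len(pattern)
        for _ in range(times):
            # Assumption: the scan resumes just past the previous match.
            pos = self.data.find(pattern, pos + len(pattern))
            if pos < 0:
                self.found = False
                return False
        self.pointer, self.found = pos, True
        return True

    def write_next(self, offset: str, value: bytes) -> bool:
        """Overwrite at pointer+offset; skipped when the last search failed."""
        if not self.found:
            return False
        at = self.pointer + parse_num(offset)
        if at < 0 or at + len(value) > len(self.data):
            raise ValueError("write outside the file")  # assumed behaviour
        self.data[at:at + len(value)] = value
        return True


if __name__ == "__main__":
    # Constructed sample: marker 00 00 09 60 at offset 0x4000, 0xFF filler.
    save = b"\xff" * 0x4000 + bytes.fromhex("00000960") + b"\xff" * 0x40
    p = Patcher(save)
    p.search(bytes.fromhex("00000960"))
    p.write_next("(11)", bytes.fromhex("54000000"))
    print(hex(p.pointer), hex(p.data.index(bytes.fromhex("54000000"))))
    print(p.search(b"\xca\xca"), p.write_next("0x100", b"\xca\xfe"))
```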
Example 3
:PROFILE
[default:Example]
search unicode("Bgm")
search next unicode("Items")
set [var]:read(pointer+10,10)
set [var]:reverse([var])
write next (10):[var]
In the example above you will see the 3 new commands in action:
- search unicode("<text>") : searches for the first occurrence of an ANSI text as Unicode. This avoids the use of hex codes (nulls in the middle).
- search unicode("<text>"):<times> : searches for the Nth occurrence of <text> starting from offset 0.
- search next <data-to-find> : search starts from the last pointer address + length of the last search.
- search next <data-to-find>:<times> : search starts from the last pointer address + length of the last search.
- search next (<offset>) <data-to-find>:<times> : search starts from the last pointer address + offset.
- set [var]:reverse([var]) : reverses the bytes of a variable.
The write next is performed only if the last search was successful.
So if the last search didn't find the value, nothing is written to the file.
When to use Set Pointer?
; find 3rd occurrence of BEB0CAFE
search 0xBEB0CAFE:3
set pointer:-0x200
write next 0:0xDEADC0DE
;overwrite the last 4 bytes of the file
set pointer:lastbyte-0x4
write next 0:0xDEADC0DE
When to use Copy Operation?
It is a command that reads bytes from a static address and writes them to another place.
;Copy 16 bytes from offset 0x1000 to offset 0x2000
copy 0x1000:0x2000:16
copy 0x1000:0x2000:0x10
How can you put a value at a given offset in Patch Creator so that it moves the rest of the code (up or down) instead of overwriting it?
insert at <offset>:<bytes to write in hex or quoted text>
delete at <offset>:<size in hex>
insert next <bytes>:<bytes to write in hex or quoted text>
delete next <bytes>:<size in hex>
Basically they work the same as the write command.
Example 1
:TEST
[test]
;-- insert "blah" at offset 0x100 (256 decimal)
insert at 0x100:"blah"
;-- insert 0x0BADC0DE at offset 0x3E8 (1000 decimal)
insert at (1000):0x0BADC0DE
;-- insert "cream" after C0FFEE
search 0xC0FFEE
insert next (3):"cream"
;-- remove the last 4 bytes
set pointer:lastbyte
delete next (-3):4
;-- remove 10 bytes at offset 0x100 (decrease the file size by 10 bytes)
delete at 0x100:0xA
Example 2
; BLES01796
; Farming Simulator
:META.BIN
;requires BSD 4.1.2 or higher
[money]
search "money="
set pointer:pointer+7
delete next (0):until 0x22
insert next (0):3939393939393939
This script searches for the text money=, sets the pointer after the first quote, deletes the text until the next quote, and inserts 99999999.
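Why this script uses delete and insert rather than write is easiest to see side by side. The following is an added illustration, not BSD or Patch Creator code; the function names and the sample META.BIN content are constructed, and leaving the file untouched when no closing quote exists is an assumption.

```python
KEY = b"money="
QUOTE = b"\x22"  # the 0x22 used by "delete next (0):until 0x22"


def set_money(meta: bytes, digits: bytes = b"99999999") -> bytes:
    """Model of the [money] script: delete up to the closing quote, insert."""
    at = meta.find(KEY)                 # search "money="
    if at < 0:
        return meta                     # search failed: nothing is changed
    start = at + 7                      # set pointer:pointer+7 (key + quote)
    end = meta.find(QUOTE, start)       # delete next (0):until 0x22
    if end < 0:
        return meta                     # assumption: no closing quote, skip
    return meta[:start] + digits + meta[end:]   # insert next (0):39393939...


def overwrite_money(meta: bytes, digits: bytes = b"99999999") -> bytes:
    """What a plain write at the same pointer would do: the size is fixed."""
    at = meta.find(KEY)
    if at < 0:
        return meta
    start = at + 7
    return meta[:start] + digits + meta[start + len(digits):]


if __name__ == "__main__":
    sample = b'<stats money="1500" xp="12"/>'   # constructed sample content
    print(set_money(sample))        # value replaced, file grows by 4 bytes
    print(overwrite_money(sample))  # closing quote and next field clobbered
```

With a 4-digit value in the file, the overwrite variant runs past the closing quote into the following field, which is the case the insert and delete commands exist to handle.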