RenegadeEx - The Psycho's New Hacking Tool
Disclaimer
Version History
Features
Mupen - RenegadeEx Edition
Hooking to an Emulator/PC Game
Code Search
Memory Editor
Cheat/Trainer
Credits/Contact


Disclaimer
The author is NOT responsible for any damage caused to your computer by this program, the usage of it, etc. or any damage caused to your brain while trying to understand it. This program in no way encourages piracy and the utilities in the program are intended only for those who have themselves legitimately created archival copies of their own games.

</Obligatory Legal Bullshit>


Version History
Version 1.05 - 4/20/09
Still haven't figured out that issue some people are having with the 2nd search yielding 0 results. It's possible there's a memory protection issue. I need to look into the DumpRAM function and try some extra error checks when I have time. I'm also curious if anyone who's had this issue tried finding their own starting point for the particular emulator using tsearch or the like.

Changes:
  • Fixed some interface issues in the Mupen version. Seems dropping the Hook tab the way I did was causing some problems. It's now disabled without changing tab order.
  • Added the 'I Forgot' search option. I always wondered what that was for in GSCC2k. Thanks LazyBastard.
Version 1.04 - 3/27/09
The search results issue is still there. Only seems to appear with no$gba. I'm at a loss on that one. Current rex.cfg (v1.03) should be ok with this one. The default PCSX2 0.9.6 address was fixed, but it's probably dodgy and likely OS specific (4DB1000, static). I still encourage deleting the CFG every version though. This is why I made code DBs save separately.

Changes:
  • Fixed a bug with the code handler in the Mupen version. I think I got it right this time.
  • Fixed preset list scrolling (or lack thereof).
  • Fixed a minor issue with saving/loading Cheat DBs. I've been wondering why it would ask me to save the DB when I open Renegade sometimes. I found the bitch now.
Version 1.03 - 3/11/09
I think I solved the issue with the code handler in the Mupen integrated version. There's still an odd bug with the search results sometimes that I haven't gotten a handle on.

NOTE: Delete your old rex.cfg before using this version.

Changes:
  • Fixed a bug with the code handler in the Mupen version.
  • Added PCSX 0.9.6 to the presets. Keep in mind the address may only be good on the specific version of windows I'm running (XP 64-bit SP2). I was unable to find a pointer.
  • Fixed that little issue with the edit box in the memory editor. It was running out of space before all 8 characters could be entered if using caps.
Version 1.02 - 2/6/09
I think the code handler is sort of fucked. I tried about 4 codes with the Mupen integrated version and only saw effect from 1. Feels like it's not writing fast enough, even though it should be.

NOTE: Delete your old rex.cfg before using this version.

Changes:
  • Added an option to the search results to make the memory editor jump to each result clicked.
  • Fixed a bug in the memory editor. Goto was getting fucked up when byteswapping was on. I guess it helps to check which column is being edited before swapping bytes.
  • Improved the NDS support a bit. It will now attempt to find the RAM portion of No$GBA if the pointer is no good. This is actually a lot quicker than I expected. The downside is it leaves the potential for offset issues between hardware and emulator addresses. Ever try to hack Mario 64 DS with HasteDS? It's 0x4000 off because HasteDS starts at the game's entrypoint in ram, which isn't always 02000000. The Entry Offset box will subtract an offset from the start address if needed. The easiest way to tell if a game is off is look up an address you already know in the memory editor.
Version 1.01 - 1/19/09
I meant to work on this sooner, but I guess it wouldn't have made much difference. The assholes that work on PCSX2 haven't updated the damn Dev-C++ project file since 2007, so it won't compile that way anymore. So much for adding Renegade to it. :(

Changes:
  • Fixed that nasty little bug in the search results. If you used Page Down to the end of the list then clicked one, it would crash.
  • Added 16-bit Upper/Lower exclusions to the advanced search options.
Version 1.0 - 10/25/08
Source now included.

Changes:
  • First Mupen version
  • That little issue with the searches folder should be resolved. It will attempt to create its own now.
Version 0.99 Public Beta - 10/23/08
This is more of an in-between step. I want it out there for testing while I attempt something else cool. v1.0 will probably be a GPL release with full source.

Changes:
Uh, EVERYTHING!


Features
This is a complete rewrite of Renegade all done with C/Win32 API. Most of the important stuff from the old Renegade has made a return. You may notice a few additions/changes, as well as a somewhat better GUI.

Current Features:
  • Code Search
  • Emulator Trainer
  • Memory Editor
  • Probably the only Readme you'll ever see that's valid XHTML 1.1. ;-)


Mupen - RenegadeEx Edition
Same stuff as RenegadeEx, but it's built into the Mupen 0.5 source (Utilities menu). At the very least, this should allow codes that modify the ASM to actually work. Other emulators, whether with Renegade or built-in cheat ability, lack the ability to automatically reset the dynamic recompiler shit that they use. If you're running anything with a pure interpreter core, this shouldn't be an issue anyway. In any case, codes should work better than other emulators in most cases.


Hooking to an Emulator/PC Game
This new Renegade features a more detailed editor for attaching to processes. It's not meant for total n00bs, but people with a reasonable understanding of hacking and offsets shouldn't be overly confused by it.
Attaching to a PC Game
This isn't complicated at all. Choose the process from the list on the left or launch+hook. Whatever your pleasure. When hooking a game, be sure to tick the box for 'Full Process.'
Attaching to an Emulator
Now this is where it gets interesting. Most of the options are pretty self-explanatory. The hard part is finding start offsets/pointers. What you need to find out about your emulator before you can hack console codes is where exactly the console RAM is located within the emulator's RAM.

Start by loading a game in the emulator that we already have codes for and setting up a plain old PC game hook; you can also use other PC hacking tools if desired. Now hack a code you already know the console address for. I'll use Goldeneye running on PJ64 1.6 as an example. I hacked ammo for my right gun on the Dam level. Came up with 3B1737FC. The console address is D37FC. Can you subtract? Good. The N64 RAM begins at 3B0A0000.

Are we done? Well, some emulators always load console RAM to the same place, some don't. Open the emulator again with a different game loaded and do the same thing again. If you come up with the same starting address (3B0A0000 in our case), you're set; that's your "RAM Start."

Otherwise, we need to go a step farther and look for a pointer to the start address. This is really simple, believe it or not. Find your start address again. Once again, we'll say we figured it out to be 3B0A0000 for the start of console RAM. Now, do a 32-bit search for that value. Yes, SEARCH FOR '3B0A0000' NOOBS. You'll probably see 20 or so results. A lot of times, the first one is all you need. Record them all to a text file though. First one on my list is 4D6A1C. To check this, load up the emulator again and find a start address AGAIN. If this address is once again found at that location (4D6A1C) then the pointer should be good. Now hack something.
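
The pointer check described above, as an added example in C (not RenegadeEx's own source); it runs over two constructed snapshots instead of a live process. The addresses 3B1737FC, D37FC, 3B0A0000 and 4D6A1C are the ones from this README; the second-session RAM start 3C120000, the stale copy at 4D6A30 and all function names are made up for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* A snapshot is a copy of part of the emulator's address space; data[0]
   sits at host address `base`. All sample data below is constructed. */
typedef struct { uint32_t base; const uint8_t *data; size_t len; } snapshot;

/* RAM start = host address of a known value minus its console address. */
uint32_t ram_start(uint32_t host_addr, uint32_t console_addr) {
    return host_addr - console_addr;
}

/* Read a little-endian 32-bit value (x86 host) at a host address.
   Returns 0 on success, -1 if the read would leave the snapshot. */
int read32(const snapshot *s, uint32_t addr, uint32_t *out) {
    if (s->len < 4 || addr < s->base || addr - s->base > s->len - 4) return -1;
    const uint8_t *p = s->data + (addr - s->base);
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return 0;
}

/* Pass 1: every aligned address in session 1 that holds start1 is a candidate.
   Pass 2: a candidate survives only if it holds start2 in session 2.
   Survivors are written to out[]; the return value is how many were stored. */
size_t find_pointers(const snapshot *s1, uint32_t start1,
                     const snapshot *s2, uint32_t start2,
                     uint32_t *out, size_t max_out) {
    size_t n = 0;
    for (size_t off = 0; off + 4 <= s1->len && n < max_out; off += 4) {
        uint32_t addr = s1->base + (uint32_t)off, v1, v2;
        if (read32(s1, addr, &v1) != 0 || v1 != start1) continue;
        if (read32(s2, addr, &v2) != 0 || v2 != start2) continue;
        out[n++] = addr;
    }
    return n;
}

/* Constructed snapshots of host range 0x4D6A00-0x4D6A3F. Session 1 holds
   3B0A0000 at 4D6A1C (the README's pointer) and at 4D6A30 (a stale copy).
   In session 2 the console RAM moved to 3C120000 (made-up value). */
const uint8_t SESS1[0x40] = { [0x1C] = 0x00, 0x00, 0x0A, 0x3B,
                              [0x30] = 0x00, 0x00, 0x0A, 0x3B };
const uint8_t SESS2[0x40] = { [0x1C] = 0x00, 0x00, 0x12, 0x3C,
                              [0x30] = 0x00, 0x00, 0x0A, 0x3B };
const snapshot S1 = { 0x4D6A00, SESS1, sizeof SESS1 };
const snapshot S2 = { 0x4D6A00, SESS2, sizeof SESS2 };

int main(void) {
    uint32_t start1 = ram_start(0x3B1737FC, 0xD37FC);  /* README values */
    uint32_t found[8];
    size_t n = find_pointers(&S1, start1, &S2, 0x3C120000, found, 8);
    for (size_t i = 0; i < n; i++)
        printf("pointer candidate: %08X\n", (unsigned)found[i]);
    return 0;
}
```

The stale copy at 4D6A30 matches in the first session only, which is why every candidate from the 32-bit search has to be rechecked after a restart.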


Code Searcher Info
This has most of the same options as the original Renegade. You'll notice options to change the type of input for value searches. You'll also notice a progress bar. You should be aware that hacking PC games is slowest because there's a lot to dump and compare. After the first search or two, it should speed up though. Searches will also tend to be slightly slower when applying certain extra filtering options from the extended options list. P.S. Before you ask "Where can I set the area? I only want 80100000-80200000" or some shit, check out the extended option "Include only results within a specified address range." Can you guess what that's for?
Results Tab
Clicking any result will copy the address and the value from the column you click on to the input boxes for activating. Doubleclicking will add it straight to the active list with that value.


Memory Editor Info
The memory editor bears some resemblance to Nemu's this time around. Doubleclicking will allow you to edit any column but the text. Editing the Address column is equivalent to Go To; it'll jump to the address entered.


Cheat/Trainer Info
The code handler supports most cheat device code types from various systems, as well as a few extras. And yes, I was lazy about the GBA/NDS code types. I don't like those systems. Bite me.

Notes:
  • Select the system BEFORE adding codes.
  • The cheat device button is based on Windows virtual key values. Default is the + key. Look them up.
  • Doubleclick New Code to set a new name and begin entering codes. Names can be edited again later by doubleclicking them.
  • DELETE key will remove the selected code.
N64 Code Types
8-Bit Write: Writes value YY to address XXXXXX. The 'A0' prefix does the same thing here. '88' for Cheat Device Button.
80XXXXXX 00YY
16-Bit Write: Writes value YYYY to address XXXXXX. The 'A1' prefix does the same thing here. '89' for Cheat Device Button.
81XXXXXX YYYY
32-Bit Write: Writes value YYYYYYYY to address XXXXXX. '8A' for Cheat Device Button.
82XXXXXX YYYYYYYY
8-Bit Equal To Activator: Execute the following code (ZZZZZZZZ ZZZZ) ONLY when the value stored in address XXXXXX is equal to YY.
D0XXXXXX 00YY
ZZZZZZZZ ZZZZ
16-Bit Equal To Activator: Same as above but checks a 16-bit value.
D1XXXXXX YYYY
ZZZZZZZZ ZZZZ
8-Bit Not Equal To Activator: Execute the following code (ZZZZZZZZ ZZZZ) ONLY when the value stored in address XXXXXX is NOT equal to YY.
D2XXXXXX 00YY
ZZZZZZZZ ZZZZ
16-Bit Not Equal To Activator: Same as above but checks a 16-bit value.
D3XXXXXX YYYY
ZZZZZZZZ ZZZZ
8-Bit Less Than Activator: Execute the following code (ZZZZZZZZ ZZZZ) ONLY when the value stored in address XXXXXX is less than YY.
E0XXXXXX 00YY
ZZZZZZZZ ZZZZ
16-Bit Less Than Activator: Same as above but checks a 16-bit value.
E1XXXXXX YYYY
ZZZZZZZZ ZZZZ
8-Bit Greater Than Activator: Execute the following code (ZZZZZZZZ ZZZZ) ONLY when the value stored in address XXXXXX is greater than YY.
E2XXXXXX 00YY
ZZZZZZZZ ZZZZ
16-Bit Greater Than Activator: Same as above but checks a 16-bit value.
E3XXXXXX YYYY
ZZZZZZZZ ZZZZ
Patch/Repeater: Patch codes, aka Serial Repeaters, are used to make a code string shorter. E.g., you have five codes put together to give you "all weapons." Use the patch to shorten it to two codes. XX is the number of addresses to write; YY is the amount (offset) to add to each address; ZZ is the amount to add to each value. '58' for Cheat Device Button (Renegade Only).
5000XXYY 00ZZ
TTTTTTTT VVVV
Copy Bytes: Copies YYYY bytes from location XXXXXX to location ZZZZZZ. 'C8' for Cheat Device Button.

Example use would be:
C2040450 0008
80040680 0000
That would copy 8 bytes from 40450 to 40680
C2XXXXXX YYYY
80ZZZZZZ 0000
8-Bit Pointer Write: Writes value ZZ to address stored at XXXXXX + offset (YYYY). '78' for Cheat Device Button.
70XXXXXX YYYY00ZZ
16-Bit Pointer Write: Writes value ZZZZ to address stored at XXXXXX + offset (YYYY). '79' for Cheat Device Button.
71XXXXXX YYYYZZZZ
Z-Bit Increment: Adds YY to the value at address XXXXXX. Z = 0-2 for 8, 16, and 32 bit in that order. 'Z8' for Cheat Device button.
Z0XXXXXX 00YY
Z-Bit Decrement: Subtracts YY from the value at address XXXXXX. Z = 0-2 for 8, 16, and 32 bit in that order. 'Z9' for Cheat Device button.
Z1XXXXXX 00YY
Z-Bit Bitwise AND: Value at address XXXXXX is changed to value AND YY. Z = 0-2 for 8, 16, and 32 bit in that order. 'ZA' for Cheat Device button.
Z2XXXXXX 00YY
Z-Bit Bitwise OR: Value at address XXXXXX is changed to value OR YY. Z = 0-2 for 8, 16, and 32 bit in that order. 'ZB' for Cheat Device button.
Z3XXXXXX 00YY
Z-Bit Bitwise XOR: Value at address XXXXXX is changed to value XOR YY. Z = 0-2 for 8, 16, and 32 bit in that order. 'ZC' for Cheat Device button.
Z4XXXXXX 00YY
32-Bit Slide Write: Writes YY 32-bit values starting at address XXXXXX. '68' for Cheat Device button.

Example:
6000C0F4 00000002
08018090 AFA40000
60060240 00000007
00047600 3C028008
8C429EE0 34013F80
A44100DC A44100E0
0800303F 00000000

This is the same as:
8100C0F4 0801
8100C0F6 8090
8100C0F8 AFA4
8100C0FA 0000
81060240 0004
81060242 7600
81060244 3C02
81060246 8008
81060248 8C42
8106024A 9EE0
8106024C 3401
8106024E 3F80
81060250 A441
81060252 00E0
81060254 0800
81060256 303F
60XXXXXX 000000YY
ZZZZZZZZ ZZZZZZZZ
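
A one-pass handler for the N64 write (80/81), equal/not-equal activator (D0-D3) and patch (50) code types listed above, as an added example in C (not RenegadeEx's own code handler). It assumes RAM is a plain byte buffer in console byte order, ignores the Cheat Device button prefixes, and runs a made-up code list; all names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct { uint32_t a; uint16_t v; } code;   /* one "AAAAAAAA VVVV" line */

/* 80 = 8-bit write, 81 = 16-bit write. RAM is assumed to be in console
   (big-endian) byte order. Returns 1 if written, 0 if refused. */
int do_write(uint8_t *ram, size_t len, code c) {
    size_t addr = c.a & 0xFFFFFF;
    unsigned type = c.a >> 24;
    if (type == 0x80 && addr < len) { ram[addr] = (uint8_t)c.v; return 1; }
    if (type != 0x81 || addr + 1 >= len) return 0;
    ram[addr] = (uint8_t)(c.v >> 8);
    ram[addr + 1] = (uint8_t)c.v;
    return 1;
}

/* D0/D1 = equal, D2/D3 = not equal; odd types compare 16 bits. */
int cond_true(const uint8_t *ram, size_t len, code c) {
    size_t addr = c.a & 0xFFFFFF;
    unsigned type = c.a >> 24, wide = type & 1;
    if (addr + wide >= len) return 0;            /* out of range: false */
    unsigned cur = wide ? ((unsigned)ram[addr] << 8 | ram[addr + 1]) : ram[addr];
    unsigned want = wide ? c.v : (c.v & 0xFFu);
    return (type & 2) ? cur != want : cur == want;
}

/* One pass over a code list; returns the number of writes performed. */
size_t run_codes(uint8_t *ram, size_t len, const code *list, size_t n) {
    size_t writes = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned type = list[i].a >> 24;
        if (type >= 0xD0 && type <= 0xD3) {
            if (cond_true(ram, len, list[i])) continue;
            i++;                                 /* false: skip the guarded line */
            if (i < n && (list[i].a >> 24) == 0x50) i++;  /* assumed: plus a patch's data line */
        } else if (type == 0x50 && i + 1 < n) {
            unsigned count = (list[i].a >> 8) & 0xFF;   /* XX */
            unsigned astep = list[i].a & 0xFF;          /* YY */
            unsigned vstep = list[i].v & 0xFF;          /* ZZ */
            code c = list[++i];                         /* TTTTTTTT VVVV */
            for (unsigned k = 0; k < count; k++) {
                writes += (size_t)do_write(ram, len, c);
                c.a += astep; c.v = (uint16_t)(c.v + vstep);
            }
        } else {
            writes += (size_t)do_write(ram, len, list[i]);
        }
    }
    return writes;
}

/* Constructed code list, not taken from any game. */
const code SAMPLE[] = {
    {0xD0000010, 0x0005}, {0x80000020, 0x00FF},   /* if [10]==05 then [20]=FF */
    {0xD2000010, 0x0005}, {0x81000030, 0x1234},   /* if [10]!=05 then [30]=1234 */
    {0x50000402, 0x0001}, {0x80000040, 0x0010},   /* 4 writes, addr+2, value+1 */
};

int main(void) {
    uint8_t ram[0x100] = { [0x10] = 5 };   /* makes the D0 true, the D2 false */
    printf("%zu writes\n", run_codes(ram, sizeof ram, SAMPLE, 6));
    return 0;
}
```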
PSX Code Types
8-Bit Write: Writes value YY to address XXXXXX. '38' for Cheat Device Button.
30XXXXXX 00YY
16-Bit Write: Writes value YYYY to address XXXXXX. The 'A1' prefix does the same thing here. '89' for Cheat Device Button.
80XXXXXX YYYY
32-Bit Write: Writes value YYYYYYYY to address XXXXXX. '8A' for Cheat Device Button.
82XXXXXX YYYYYYYY
16-Bit Equal To Activator: Execute the following code (ZZZZZZZZ ZZZZ) ONLY when the value stored in address XXXXXX is equal to YYYY.
D0XXXXXX YYYY
ZZZZZZZZ ZZZZ
16-Bit Not Equal To Activator: Execute the following code (ZZZZZZZZ ZZZZ) ONLY when the value stored in address XXXXXX is NOT equal to YYYY.
D1XXXXXX YYYY
ZZZZZZZZ ZZZZ
16-Bit Less Than Activator: Execute the following code (ZZZZZZZZ ZZZZ) ONLY when the value stored in address XXXXXX is less than YYYY.
D2XXXXXX YYYY
ZZZZZZZZ ZZZZ
16-Bit Greater Than Activator: Execute the following code (ZZZZZZZZ ZZZZ) ONLY when the value stored in address XXXXXX is greater than YYYY.
D3XXXXXX YYYY
ZZZZZZZZ ZZZZ
8-Bit Equal To Activator: Execute the following code (ZZZZZZZZ ZZZZ) ONLY when the value stored in address XXXXXX is equal to YY.
E0XXXXXX 00YY
ZZZZZZZZ ZZZZ
8-Bit Not Equal To Activator: Execute the following code (ZZZZZZZZ ZZZZ) ONLY when the value stored in address XXXXXX is NOT equal to YY.
E1XXXXXX 00YY
ZZZZZZZZ ZZZZ
8-Bit Less Than Activator: Execute the following code (ZZZZZZZZ ZZZZ) ONLY when the value stored in address XXXXXX is less than YY.
E2XXXXXX 00YY
ZZZZZZZZ ZZZZ
8-Bit Greater Than Activator: Execute the following code (ZZZZZZZZ ZZZZ) ONLY when the value stored in address XXXXXX is greater than YY.
E3XXXXXX 00YY
ZZZZZZZZ ZZZZ
Patch/Repeater: Patch codes, aka Serial Repeaters, are used to make a code string shorter. E.g., you have five codes put together to give you "all weapons." Use the patch to shorten it to two codes. XX is the number of addresses to write; YY is the amount (offset) to add to each address; ZZ is the amount to add to each value. '58' for Cheat Device Button (Renegade Only).
5000XXYY 00ZZ
TTTTTTTT VVVV
Copy Bytes: Copies YYYY bytes from location XXXXXX to location ZZZZZZ. 'C8' for Cheat Device Button.

Example use would be:
C2040450 0008
80040680 0000
That would copy 8 bytes from 40450 to 40680
C2XXXXXX YYYY
80ZZZZZZ 0000
8-Bit Pointer Write: Writes value ZZ to address stored at XXXXXX + offset (YYYY). '78' for Cheat Device Button.
70XXXXXX YYYY00ZZ
16-Bit Pointer Write: Writes value ZZZZ to address stored at XXXXXX + offset (YYYY). '79' for Cheat Device Button.
71XXXXXX YYYYZZZZ
Z-Bit Increment: Adds YY to the value at address XXXXXX. Z = 0-2 for 8, 16, and 32 bit in that order. 'Z8' for Cheat Device button.
Z0XXXXXX 00YY
Z-Bit Decrement: Subtracts YY from the value at address XXXXXX. Z = 0-2 for 8, 16, and 32 bit in that order. 'Z9' for Cheat Device button.
Z1XXXXXX 00YY
Z-Bit Bitwise AND: Value at address XXXXXX is changed to value AND YY. Z = 0-2 for 8, 16, and 32 bit in that order. 'ZA' for Cheat Device button.
Z2XXXXXX 00YY
Z-Bit Bitwise OR: Value at address XXXXXX is changed to value OR YY. Z = 0-2 for 8, 16, and 32 bit in that order. 'ZB' for Cheat Device button.
Z3XXXXXX 00YY
Z-Bit Bitwise XOR: Value at address XXXXXX is changed to value XOR YY. Z = 0-2 for 8, 16, and 32 bit in that order. 'ZC' for Cheat Device button.
Z4XXXXXX 00YY
32-Bit Slide Write: Writes YY 32-bit values starting at address XXXXXX. '68' for Cheat Device button.

Example:
6000C0F4 00000002
08018090 AFA40000
60060240 00000007
00047600 3C028008
8C429EE0 34013F80
A44100DC A44100E0
0800303F 00000000

This is the same as:
8100C0F4 0801
8100C0F6 8090
8100C0F8 AFA4
8100C0FA 0000
81060240 0004
81060242 7600
81060244 3C02
81060246 8008
81060248 8C42
8106024A 9EE0
8106024C 3401
8106024E 3F80
81060250 A441
81060252 00E0
81060254 0800
81060256 303F
60XXXXXX 000000YY
ZZZZZZZZ ZZZZZZZZ
PS2 & PC Code Types
8-Bit Write: Writes value YY to address XXXXXXX. PC addresses can be 7 or 8 digits, i.e. 0XXXXXXXX 000000YY
0XXXXXXX 000000YY
16-Bit Write: Writes value YYYY to address XXXXXXX.
1XXXXXXX 0000YYYY
32-Bit Write: Writes value YYYYYYYY to address XXXXXXX.
2XXXXXXX YYYYYYYY
16-Bit Equal To Activator
DXXXXXXX 0000YYYY
ZZZZZZZZ ZZZZZZZZ
16-Bit Not Equal To Activator
DXXXXXXX 0010YYYY
ZZZZZZZZ ZZZZZZZZ
16-Bit Less Than Activator
DXXXXXXX 0020YYYY
ZZZZZZZZ ZZZZZZZZ
16-Bit Greater Than Activator
DXXXXXXX 0030YYYY
ZZZZZZZZ ZZZZZZZZ
16-Bit Equal To Activator (Multiple Skip): If value at XXXXXXXX equals YYYY, execute the following ZZZ lines.
EZZZYYYY XXXXXXX
ZZZZZZZZ ZZZZZZZZ
16-Bit Not Equal To Activator (Multiple Skip): If value at XXXXXXXX is NOT equal to YYYY, execute the following ZZZ lines.
EZZZYYYY XXXXXXX
ZZZZZZZZ ZZZZZZZZ
16-Bit Less Than Activator (Multiple Skip): If value at XXXXXXXX is less than YYYY, execute the following ZZZ lines.
EZZZYYYY XXXXXXX
ZZZZZZZZ ZZZZZZZZ
16-Bit Greater Than Activator (Multiple Skip): If value at XXXXXXXX is greater than YYYY, execute the following ZZZ lines.
EZZZYYYY XXXXXXX
ZZZZZZZZ ZZZZZZZZ
Patch/Repeater: Patch codes, aka Serial Repeaters, are used to make a code string shorter. E.g., you have five codes put together to give you "all weapons." Use the patch to shorten it to two codes. XXXXXXX is the address to write; YYYY is the number of addresses to write; ZZZZ is the amount (offset) to add to each address; VVVVVVVV is value; IIIIIIII is the amount to add to each value.
4XXXXXXX YYYYZZZZ
VVVVVVVV IIIIIIII
Copy Bytes: Copies YYYYYYYY bytes from location XXXXXXXX to location ZZZZZZZZ.

Example use would be:
50040450 00000008
00040680 00000000
That would copy 8 bytes from 40450 to 40680
5XXXXXXX YYYYYYYY
ZZZZZZZZ 00000000
8-Bit Pointer Write: Writes value YY to address stored at XXXXXXX + offset (ZZZZZZZZ).
6XXXXXXX 000000YY
00000000 ZZZZZZZZ
16-Bit Pointer Write: Writes value YYYY to address stored at XXXXXXX + offset (ZZZZZZZZ).
6XXXXXXX 0000YYYY
00010000 ZZZZZZZZ
32-Bit Pointer Write: Writes value YYYYYYYY to address stored at XXXXXXX + offset (ZZZZZZZZ).
6XXXXXXX YYYYYYYY
00020000 ZZZZZZZZ
8-Bit Increment: Adds YY to the value at address XXXXXXX.
301000YY XXXXXXXX
8-Bit Decrement: Subtracts YY from the value at address XXXXXXX.
302000YY XXXXXXXX
16-Bit Increment: Adds YYYY to the value at address XXXXXXX.
3030YYYY XXXXXXXX
16-Bit Decrement: Subtracts YYYY from the value at address XXXXXXX.
3040YYYY XXXXXXXX
32-Bit Increment: Adds YYYYYYYY to the value at address XXXXXXX.
30500000 XXXXXXXX
YYYYYYYY 00000000
32-Bit Decrement: Subtracts YYYYYYYY from the value at address XXXXXXX.
30600000 XXXXXXXX
YYYYYYYY 00000000
32-Bit Slide Write: Writes YY 32-bit values starting at address XXXXXX.

Example:
7000C0F4 00000002
08018090 AFA40000
60060240 00000007
00047600 3C028008
8C429EE0 34013F80
A44100DC A44100E0
0800303F 00000000

This is the same as:
2000C0F4 08018090
2000C0F8 AFA40000
20060240 00047600
20060244 3C028008
20060248 8C429EE0
2006024C 34013F80
20060250 A44100E0
20060254 0800303F
6XXXXXXX 000000YY
ZZZZZZZZ ZZZZZZZZ
GBA Code Types
Note: GBA is divided into 2 systems in the list because of the RAM being stored in 2 different chunks. I wasn't going to butcher my code to support 1 odd system. Keep in mind which part of the RAM the codes for a game are accessing and write to only that area.
8-Bit Write: Writes value YY to address XXXXXXX.
0XXXXXXX 000000YY
16-Bit Write: Writes value YYYY to address XXXXXXX.
1XXXXXXX 0000YYYY
32-Bit Write: Writes value YYYYYYYY to address XXXXXXX.
2XXXXXXX YYYYYYYY
16-Bit Equal To Activator
DXXXXXXX 0000YYYY
ZZZZZZZZ ZZZZZZZZ
16-Bit Equal To Activator (Multiple Skip): If value at XXXXXXXX equals YYYY, execute the following ZZ lines.
E0ZZYYYY XXXXXXX
ZZZZZZZZ ZZZZZZZZ
NDS Code Types (Codebreaker Style)
8-Bit Write: Writes value YY to address XXXXXXX.
0XXXXXXX 000000YY
16-Bit Write: Writes value YYYY to address XXXXXXX.
1XXXXXXX 0000YYYY
32-Bit Write: Writes value YYYYYYYY to address XXXXXXX.
2XXXXXXX YYYYYYYY
16-Bit Equal To Activator (Multiple Skip): If value at XXXXXXXX <!=> YYYY, execute the following ZZ lines. 'S' is the size of YYYY (0 = 16 bit, 1 = 8 bit). 'T' is 0-3 for the compare type (==,!=,<,>)
DXXXXXXX ZZTSYYYY
ZZZZZZZZ ZZZZZZZZ
Pointer Write: Writes value YYYY to address stored at XXXXXXX + offset (ZZZZZZZZ). 'N' is 0-2 (8,16,32 bit) for the size of ZZZZZZZZ. 'C' is 0/1 for conditional check on/off. If it's on, the value loaded from XXXXXXXX is compared to VVVV. 'T' is 0-3 for the compare type (==,!=,<,>). 'S' is the size of VVVV (0/1 - 16/8 bit).
6XXXXXXX YYYYYYYY
ZZZZZZZZ NCTSVVVV


Credits/Contact
Written by Viper187 of GSHI, Kodewerx and The Snake Pit

Special Thanks To: