Untitled
a guest
Feb 11th, 2016
This is how I found some of the codes I have found. I'll probably add more to this, and for a few other games too, over time. I'm posting this in the hope that anybody could learn from it, because finding some codes isn't hard to do. It's quite easy. I don't know much of anything, and I still find stuff. More people should be giving it a try; you'd be surprised by how many useful things you can find just by guessing, because I know I'm surprised by how much I find by guessing.


I don't know how some people start finding codes, but I'm figuring out some blind ways of starting off that tend to lead me to things. One that has recently led me to some goodies, while crashing games far less than I expected, is searching for branches that only skip a few lines. The order I search for is like this:

"0008 ble"
"000C ble"
"0010 ble"
"0014 ble"

"0008 bge"
"000C bge"
"0010 bge"
"0014 bge"

"0008 blt"
"000C blt"
"0010 blt"
"0014 blt"

"0008 bgt"
"000C bgt"
"0010 bgt"
"0014 bgt"

I hunt down every instance of these in that order and change them to "nop" with the value "60000000". These are good to do because many things that have limits in games are usually just a branch like these that rarely skips more than a few lines. Every code I have found for Silent Hill Homecoming was found because of these 6 lines:

"0008 ble"
"000C ble"
"0010 ble"
"0008 bge"
"000C bge"
"0010 bge"

From what I recall of Disgaea 3, the majority of those codes could have been found using this method too.
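As an added example (this is not code from the paste), here is a small Python helper that does the search above mechanically instead of by text-matching a disassembly: it decodes PowerPC B-form conditional branches, reports the ones whose target is only one to four instructions ahead (displacements 0x0008 to 0x0014, the same four the paste searches for), and writes the 0x60000000 nop over whichever ones you choose. The field layout follows the PowerPC ISA; the "-"/"+" suffix the paste's disassembler prints is only a static prediction hint and is ignored. The sample image is constructed from the words the Dead Space 2 section lists around 0x00216AE4, with the one unlisted slot filled by a nop.

```python
import struct

NOP = 0x60000000            # ori r0,r0,0: the "do nothing" word used throughout the paste

CR_BITS = ("lt", "gt", "eq", "so")   # the four bits of each condition-register field
MNEMONIC = {                          # (tested bit, branch-if-true) -> mnemonic
    ("lt", True): "blt", ("lt", False): "bge",
    ("gt", True): "bgt", ("gt", False): "ble",
    ("eq", True): "beq", ("eq", False): "bne",
    ("so", True): "bso", ("so", False): "bns",
}


def decode_bc(addr, word):
    """Decode a B-form conditional branch (primary opcode 16) located at `addr`.

    Returns (mnemonic, cr_field, target), or None for anything that is not a plain
    CR-tested branch (other opcodes, link forms, CTR-decrementing forms, 'branch always').
    """
    if word >> 26 != 16:
        return None
    bo = (word >> 21) & 0x1F          # branch options, bits 6-10
    bi = (word >> 16) & 0x1F          # CR bit to test, bits 11-15
    bd = word & 0xFFFC                # signed 16-bit displacement; low 2 bits are AA/LK
    if bd & 0x8000:
        bd -= 0x10000
    aa, lk = (word >> 1) & 1, word & 1
    if lk or (bo & 0x04) == 0 or (bo & 0x10):
        return None                   # bcl, CTR form, or CR not tested
    crf, bit = divmod(bi, 4)
    mnem = MNEMONIC[(CR_BITS[bit], bool(bo & 0x08))]
    target = bd if aa else (addr + bd) & 0xFFFFFFFF
    return mnem, crf, target


def words(image, base):
    """Yield (address, word) for every big-endian 32-bit word of `image`."""
    for off in range(0, len(image) - 3, 4):
        yield base + off, struct.unpack_from(">I", image, off)[0]


def find_short_skips(image, base, max_skipped=4):
    """Conditional branches that jump forward over 1..max_skipped instructions."""
    hits = []
    for addr, word in words(image, base):
        dec = decode_bc(addr, word)
        if dec is None:
            continue
        mnem, crf, target = dec
        skipped = (target - addr) // 4 - 1          # instructions the branch jumps over
        if 1 <= skipped <= max_skipped:
            hits.append((addr, word, f"{mnem} cr{crf},0x{target:x}"))
    return hits


def nop_out(image, base, addrs):
    """Return a copy of `image` with each listed instruction replaced by nop."""
    out = bytearray(image)
    for addr in addrs:
        struct.pack_into(">I", out, addr - base, NOP)
    return bytes(out)


def word_at(image, base, addr):
    return struct.unpack_from(">I", image, addr - base)[0]


# Constructed sample: the words the Dead Space 2 section lists around 0x00216AE4.
BASE = 0x00216AE4
IMAGE = b"".join(struct.pack(">I", w) for w in (
    0x419E0050,   # 00216AE4 beq- cr7,0x216b34  (skips 19 instructions: too far to be listed)
    0x8139000C,   # 00216AE8 lwz r9,12(r25)
    0x3BEBFFFF,   # 00216AEC subi r31,r11,1
    0x800900B0,   # 00216AF0 lwz r0,176(r9)
    NOP,          # 00216AF4 is not listed in the paste; filled with nop here
    0x409D0008,   # 00216AF8 ble- cr7,0x216b00  (skips exactly one instruction)
    0x7C1F0378,   # 00216AFC mr r31,r0
))

if __name__ == "__main__":
    for addr, word, text in find_short_skips(IMAGE, BASE):
        print(f"{addr:08X}: {word:08X} {text}")
```

Because the scanner works on the encoded words, it also catches the same branch pattern with any condition register and in code the text search would miss (for example where the disassembler prints the target address rather than the raw displacement). Keep a list of the addresses you nop so a crash can be undone one site at a time.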


Another thing I search for is floats, mainly the float "1", which is "3F800000". Their upper half is loaded with "lis" operations, so these are all 32 possibilities (one per target register):

3C003F80
3C203F80
3C403F80
3C603F80
3C803F80
3CA03F80
3CC03F80
3CE03F80
3D003F80
3D203F80
3D403F80
3D603F80
3D803F80
3DA03F80
3DC03F80
3DE03F80
3E003F80
3E203F80
3E403F80
3E603F80
3E803F80
3EA03F80
3EC03F80
3EE03F80
3F003F80
3F203F80
3F403F80
3F603F80
3F803F80
3FA03F80
3FC03F80
3FE03F80

I change the "3F80" part to "0000" and then try it out. These seem to crash a game about as often as the branches method does. Everything I found for Infamous 1 and nearly everything I found for Dead Space 2 was because I started using this method.
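The 32 words above are just "lis rN,0x3F80" for N = 0..31. As an added example (not code from the paste), the Python below generates that list for any float constant, decodes "lis" words back to a register and immediate, scans an image for them, and performs the "3F80 -> 0000" edit. It also reports the lower half of the float, because a value such as 0.1f (0x3DCCCCCD) needs a following "ori" to finish the constant, so a "lis" match alone does not prove the code is loading 1.0 rather than an address or an integer. The sample image and its base address are constructed.

```python
import struct

NOP = 0x60000000


def float_halves(value):
    """Split an IEEE-754 single into the (hi, lo) 16-bit halves a lis/ori pair would load."""
    word = struct.unpack(">I", struct.pack(">f", value))[0]
    return word >> 16, word & 0xFFFF


def encode_lis(rt, hi):
    """lis rT,hi is addis rT,0,hi (primary opcode 15)."""
    return (15 << 26) | (rt << 21) | (hi & 0xFFFF)


def decode_lis(word):
    """Return (rt, hi) when `word` is lis (addis with RA=0), else None."""
    if word >> 26 != 15 or (word >> 16) & 0x1F:
        return None
    return (word >> 21) & 0x1F, word & 0xFFFF


def lis_search_words(value):
    """The 32 'lis rN,hi' words (one per register) for the upper half of `value`, plus the lower half.

    A non-zero lower half means the constant is completed by a later ori/addi, so the
    lis by itself only narrows the search.
    """
    hi, lo = float_halves(value)
    return [encode_lis(rt, hi) for rt in range(32)], lo


def find_float_loads(image, base, value):
    """(address, target register) of every lis that loads the upper half of `value`."""
    hi, _ = float_halves(value)
    hits = []
    for off in range(0, len(image) - 3, 4):
        dec = decode_lis(struct.unpack_from(">I", image, off)[0])
        if dec and dec[1] == hi:
            hits.append((base + off, dec[0]))
    return hits


def set_lis_hi(image, base, addr, new_hi):
    """Copy of `image` with the lis at `addr` loading `new_hi` instead (the paste's 3F80 -> 0000 edit)."""
    out = bytearray(image)
    rt, _ = decode_lis(struct.unpack_from(">I", out, addr - base)[0])
    struct.pack_into(">I", out, addr - base, encode_lis(rt, new_hi))
    return bytes(out)


def word_at(image, base, addr):
    return struct.unpack_from(">I", image, addr - base)[0]


# Constructed sample image; the base address is made up, the words are real encodings.
BASE = 0x2000
IMAGE = b"".join(struct.pack(">I", w) for w in (
    0x3C003F80,   # lis r0,0x3F80   upper half of 1.0f
    NOP,
    0x3C803F80,   # lis r4,0x3F80
    0x3C603DCC,   # lis r3,0x3DCC   upper half of 0.1f; needs ori r3,r3,0xCCCD afterwards
    0x3C893F80,   # addis r4,r9,0x3F80: RA is r9, not 0, so this is not a lis
))

if __name__ == "__main__":
    for addr, rt in find_float_loads(IMAGE, BASE, 1.0):
        print(f"{addr:08X}: lis r{rt},0x3F80")
```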


Dead Space 2 - Infinite Use Of Med Packs & Stasis Packs
I don't know if this will lead anywhere, but I'm looking at Skiller's code for max credits upon gaining credits at address 0x00216AC4. I searched for "blr" above it to see where the function starts. It starts at address 0x00216878 and ends at address 0x00216F04. I change it from:

00216878: 7B970020 rldicl r23,r28,0,1

to:

00216878: 4E800020 blr

The effects I notice:
1. When I pick up credits, the game freezes.
2. When I heal myself, the game freezes.
3. When I restore my stasis with a stasis pack, the game freezes.

I'm interested in #2 and #3.
I then change address 0x00216878 back to what it was:

00216878: 7B970020 rldicl r23,r28,0,1

I'm thinking of cancelling all store operations, so I collect them:

002168C8: 90010074 stw r0,116(r1)
002168D8: 91210080 stw r9,128(r1)
002168E8: F8410028 std r2,40(r1)
0021692C: F8410028 std r2,40(r1)
00216950: F8410028 std r2,40(r1)
00216990: 90010074 stw r0,116(r1)
002169A0: 9121007C stw r9,124(r1)
002169B0: F8410028 std r2,40(r1)
00216A58: 90010074 stw r0,116(r1)
00216A68: 91210070 stw r9,112(r1)
00216A78: F8410028 std r2,40(r1)
00216AD4: 906B0028 stw r3,40(r11)
00216B20: F8410028 std r2,40(r1)
00216B34: 93F90260 stw r31,608(r25)
00216C00: F8410028 std r2,40(r1)
00216C58: F8410028 std r2,40(r1)
00216C90: 900100C0 stw r0,192(r1)
00216C9C: 912100C4 stw r9,196(r1)
00216CA8: 900100C8 stw r0,200(r1)
00216CB0: 914100CC stw r10,204(r1)
00216CDC: D00300F0 stfs f0,240(r3)
00216CFC: F821FE81 stdu r1,-384(r1)
00216D04: FB410150 std r26,336(r1)
00216D08: FBA10168 std r29,360(r1)
00216D18: FBC10170 std r30,368(r1)
00216D24: FB610158 std r27,344(r1)
00216D28: FBE10178 std r31,376(r1)
00216D2C: FB010140 std r24,320(r1)
00216D30: FB210148 std r25,328(r1)
00216D34: FB810160 std r28,352(r1)
00216D38: F8010190 std r0,400(r1)
00216D8C: D0010080 stfs f0,128(r1)
00216D9C: D1A10084 stfs f13,132(r1)
00216DA4: D0010088 stfs f0,136(r1)
00216DA8: 9001008C stw r0,140(r1)
00216E28: F8010070 std r0,112(r1)
00216E50: F8410028 std r2,40(r1)
00216E90: 900100A0 stw r0,160(r1)
00216EC0: 915F0000 stw r10,0(r31)

I change all 39 of them to do nothing:

002168C8: 60000000 nop
002168D8: 60000000 nop
002168E8: 60000000 nop
0021692C: 60000000 nop
00216950: 60000000 nop
00216990: 60000000 nop
002169A0: 60000000 nop
002169B0: 60000000 nop
00216A58: 60000000 nop
00216A68: 60000000 nop
00216A78: 60000000 nop
00216AD4: 60000000 nop
00216B20: 60000000 nop
00216B34: 60000000 nop
00216C00: 60000000 nop
00216C58: 60000000 nop
00216C90: 60000000 nop
00216C9C: 60000000 nop
00216CA8: 60000000 nop
00216CB0: 60000000 nop
00216CDC: 60000000 nop
00216CFC: 60000000 nop
00216D04: 60000000 nop
00216D08: 60000000 nop
00216D18: 60000000 nop
00216D24: 60000000 nop
00216D28: 60000000 nop
00216D2C: 60000000 nop
00216D30: 60000000 nop
00216D34: 60000000 nop
00216D38: 60000000 nop
00216D8C: 60000000 nop
00216D9C: 60000000 nop
00216DA4: 60000000 nop
00216DA8: 60000000 nop
00216E28: 60000000 nop
00216E50: 60000000 nop
00216E90: 60000000 nop
00216EC0: 60000000 nop

I tested it, and my health and stasis still increased when I used a med pack or stasis pack, so nothing in this function writes to either of them. I did notice that when I used a med pack or stasis pack, they didn't disappear from my inventory, and I could keep using them. This didn't affect ammo or nodes though, and I could still normally move or sell any item. When you use a med pack or stasis pack, you lose 1 of them, so I must be looking for a subtraction operation that subtracts 1 from something. I make a copy of the unmodified EBOOT.ELF, because that's quicker than manually undoing everything, and look for all subtraction operations that subtract 1:

00216AEC: 3BEBFFFF subi r31,r11,1

I guess that's the only one. Now I just remove it:

00216AEC: 60000000 nop

I try that out, and they were still removed from my inventory. It must be some other subtraction operation, so I find the rest of them:

002168B8: 3869FFF0 subi r3,r9,16
00216980: 3869FFF0 subi r3,r9,16
00216A00: 3863FFF0 subi r3,r3,16
00216A48: 3863FFF0 subi r3,r3,16
00216B48: 3863FFF0 subi r3,r3,16
00216DEC: 3889FFF0 subi r4,r9,16

I remove all 6 of them:

002168B8: 60000000 nop
00216980: 60000000 nop
00216A00: 60000000 nop
00216A48: 60000000 nop
00216B48: 60000000 nop
00216DEC: 60000000 nop

I try that, and the game froze when I tried to heal or get more stasis. I'm just going to get another copy of the EBOOT.ELF and go back to all of those store operations, and try the ones that aren't the max credits one and don't store things on the stack (the stack pointer is always register $r1):

00216B34: 93F90260 stw r31,608(r25)
00216CDC: D00300F0 stfs f0,240(r3)
00216EC0: 915F0000 stw r10,0(r31)

I remove those 3:

00216B34: 60000000 nop
00216CDC: 60000000 nop
00216EC0: 60000000 nop

I try that out, and the effect is back. I doubt it's a float like the one address 0x00216CDC stores, so I'll try the first one only:

00216B34: 93F90260 stw r31,608(r25)

That becomes:

00216B34: 60000000 nop

The effect is still there, so I found a code.


Infinite Use Of Med Packs & Stasis Packs
00216B34 60000000
ORIGINAL PATTERN: 93F90260
PATTERN: 60000000


I mess with that a little: I return address 0x00216B34 to normal and check what happens before it, or branches close to it.

00216AE4: 419E0050 beq- cr7,0x216b34

I force the branch to always go:

00216AE4: 48000050 b 0x216b34

The effect is gone, so I remove it:

00216AE4: 60000000 nop

The effect is still gone, so I go to the next branch after it:

00216AF8: 409D0008 ble- cr7,0x216b00

I first force this branch:

00216AF8: 48000008 b 0x216b00

The effect is still gone. I then remove the branch:

00216AF8: 60000000 nop

The effect is back. I then check to see what wasn't skipped:

00216AFC: 7C1F0378 mr r31,r0

That's just copying whatever register $r0 is to register $r31. I then look to see where it came from:

00216AF0: 800900B0 lwz r0,176(r9)

Register $r0 is the 4 bytes at offset $00B0 from register $r9. I check to see what made register $r9, 2 lines above it:

00216AE8: 8139000C lwz r9,12(r25)

That just kind of ends my curiosity.


Disgaea 3 - Enemy Level Modifier
I found that by looking for all instances of "270F cmpwi" in programmer's notepad 2. I set every instance's value from "270F" to "0000" using HxD. I noticed every enemy I encountered was at level 9999. Here is every instance, and the few I marked:

00035FEC: 2F8A270F cmpwi cr7,r10,9999
00036C88: 2F8A270F cmpwi cr7,r10,9999
000373D0: 2F89270F cmpwi cr7,r9,9999
00037610: 2F8A270F cmpwi cr7,r10,9999
000391FC: 2F83270F cmpwi cr7,r3,9999
000393B8: 2F83270F cmpwi cr7,r3,9999
0004197C: 2F89270F cmpwi cr7,r9,9999
Main area characters replaced with me.

00041B30: 2F89270F cmpwi cr7,r9,9999
000452F8: 2F80270F cmpwi cr7,r0,9999
0005007C: 2F83270F cmpwi cr7,r3,9999
000501A8: 2F83270F cmpwi cr7,r3,9999
000552AC: 2F80270F cmpwi cr7,r0,9999
0006FC20: 2F83270F cmpwi cr7,r3,9999
All enemies at level 9999.

0007ADF8: 2F87270F cmpwi cr7,r7,9999
000C14C8: 2F80270F cmpwi cr7,r0,9999
000C14D8: 2F80270F cmpwi cr7,r0,9999
000C1790: 2F9F270F cmpwi cr7,r31,9999
000C3E34: 2F80270F cmpwi cr7,r0,9999
000C3E74: 2F80270F cmpwi cr7,r0,9999
000C6294: 2F8B270F cmpwi cr7,r11,9999
000C7648: 2F84270F cmpwi cr7,r4,9999
000EE0BC: 2F9F270F cmpwi cr7,r31,9999
000EE46C: 2F9F270F cmpwi cr7,r31,9999
000EE85C: 2F9F270F cmpwi cr7,r31,9999
000EF568: 2F9D270F cmpwi cr7,r29,9999
000FC0BC: 2F8B270F cmpwi cr7,r11,9999
00106724: 2F80270F cmpwi cr7,r0,9999
001102A0: 2F89270F cmpwi cr7,r9,9999
00110DF0: 2F80270F cmpwi cr7,r0,9999
001149D4: 2F84270F cmpwi cr7,r4,9999
00116258: 2F80270F cmpwi cr7,r0,9999
001163C4: 2F9F270F cmpwi cr7,r31,9999
00116F14: 2F9F270F cmpwi cr7,r31,9999
0012FF04: 2F80270F cmpwi cr7,r0,9999
001303DC: 2F80270F cmpwi cr7,r0,9999
0013116C: 2F80270F cmpwi cr7,r0,9999
001325E4: 2F80270F cmpwi cr7,r0,9999
00134B5C: 2F80270F cmpwi cr7,r0,9999
00134E28: 2F80270F cmpwi cr7,r0,9999
00135088: 2F80270F cmpwi cr7,r0,9999
0013564C: 2F80270F cmpwi cr7,r0,9999
00135C9C: 2F80270F cmpwi cr7,r0,9999
00135F1C: 2F80270F cmpwi cr7,r0,9999
0013BDE4: 2F80270F cmpwi cr7,r0,9999
0013E32C: 2F89270F cmpwi cr7,r9,9999
001421EC: 2F89270F cmpwi cr7,r9,9999
0015C230: 2F80270F cmpwi cr7,r0,9999
00170B88: 2F8A270F cmpwi cr7,r10,9999
001732C8: 2F87270F cmpwi cr7,r7,9999
001748E8: 2F86270F cmpwi cr7,r6,9999
00174938: 2F86270F cmpwi cr7,r6,9999
001ABD6C: 2F89270F cmpwi cr7,r9,9999

I tried these all at the same time. There may have been many effects from these that I didn't notice that might have been useful. The way I told this one apart from the rest was by setting only half of them to 0000 at a time.

1. There are 52 of them, so I checked the first 26 (0x00035FEC to 0x000FC0BC) by changing all of them from "270F" to "0000". Everyone was still at level 9,999, so it was within those first 26 results.

2. I then tried changing the first 13 (0x00035FEC to 0x0006FC20) from "270F" to "0000". Everyone was still at level 9,999, so it was within those first 13 results.

3. I then tried changing the first 7 (0x00035FEC to 0x0004197C) from "270F" to "0000". Things were back to normal, so it wasn't any of the first 7 results.

4. 6 results are left. I then tried changing the next 3 (0x00041B30 to 0x0005007C) from "270F" to "0000". Things were still normal, so it wasn't any of those 3.

5. 3 results are left. I tried the next 2 (0x000501A8 & 0x000552AC) and changed them from "270F" to "0000". Things were still normal.

6. There is only 1 result left, and that is address 0x0006FC20. Just to verify it, I changed it from "270F" to "0000", and everyone was back to level 9,999.

It only took 7 tests to find that code. Total time was less than 30 minutes.
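The halving procedure above is a binary search over the set of applied patches. As an added example (not code from the paste), the Python below writes it down generally: a "cmpwi" decoder and the "270F -> 0000" immediate edit, plus a bisection routine that takes the candidate list and an oracle that says whether applying a given subset produces the effect. Playing the game is the real oracle; here it is stood in for by a constructed function that knows 0x0006FC20 is the responsible site. The address list is the paste's 52 results in order.

```python
def decode_cmpwi(word):
    """cmpwi crF,rA,SIMM is cmpi (primary opcode 11) with the L bit clear. Returns (crf, ra, simm) or None."""
    if word >> 26 != 11 or (word >> 21) & 1:       # bit 10 set would make it cmpdi
        return None
    simm = word & 0xFFFF
    if simm & 0x8000:
        simm -= 0x10000
    return (word >> 23) & 7, (word >> 16) & 0x1F, simm


def set_cmpwi_imm(word, imm):
    """Same cmpwi with a new 16-bit immediate (the paste's '270F' -> '0000' edit)."""
    if decode_cmpwi(word) is None:
        raise ValueError(f"0x{word:08X} is not cmpwi")
    return (word & 0xFFFF0000) | (imm & 0xFFFF)


def bisect_one(candidates, shows_effect):
    """Find the single candidate responsible for an effect by halving the applied set.

    `shows_effect(subset)` applies exactly `subset`, plays, and reports whether the effect
    is present. Returns (candidate, tests_run). Assumes one candidate causes the effect on
    its own; if the effect needs two sites together, a half that splits them tests negative
    and the search converges on the wrong one, so confirm the final answer alone.
    """
    pool, tests = list(candidates), 0
    while len(pool) > 1:
        first = pool[: len(pool) // 2]
        tests += 1
        if shows_effect(first):
            pool = first
        else:
            pool = pool[len(pool) // 2:]
    return pool[0], tests


# The 52 "270F cmpwi" sites listed in the paste, in the order they appear.
CMPWI_SITES = [
    0x00035FEC, 0x00036C88, 0x000373D0, 0x00037610, 0x000391FC, 0x000393B8, 0x0004197C, 0x00041B30,
    0x000452F8, 0x0005007C, 0x000501A8, 0x000552AC, 0x0006FC20, 0x0007ADF8, 0x000C14C8, 0x000C14D8,
    0x000C1790, 0x000C3E34, 0x000C3E74, 0x000C6294, 0x000C7648, 0x000EE0BC, 0x000EE46C, 0x000EE85C,
    0x000EF568, 0x000FC0BC, 0x00106724, 0x001102A0, 0x00110DF0, 0x001149D4, 0x00116258, 0x001163C4,
    0x00116F14, 0x0012FF04, 0x001303DC, 0x0013116C, 0x001325E4, 0x00134B5C, 0x00134E28, 0x00135088,
    0x0013564C, 0x00135C9C, 0x00135F1C, 0x0013BDE4, 0x0013E32C, 0x001421EC, 0x0015C230, 0x00170B88,
    0x001732C8, 0x001748E8, 0x00174938, 0x001ABD6C,
]

RESPONSIBLE = 0x0006FC20   # the site the paste ends up with


def game_oracle(subset):
    """Constructed stand-in for 'patch these sites, play, check enemy levels'."""
    return RESPONSIBLE in set(subset)


if __name__ == "__main__":
    site, tests = bisect_one(CMPWI_SITES, game_oracle)
    print(f"responsible site 0x{site:08X} found after {tests} halving tests")
    print(f"patched word: 0x{set_cmpwi_imm(0x2F83270F, 0):08X}")
```

With 52 candidates the halving loop needs 6 tests; counting the initial "all 52 at once" run that showed the effect exists gives the 7 the paste reports. Strict halving stops at one candidate without the final confirming test, so run the winner alone before publishing it.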


Disgaea 3 - Starting HP Modifiers For Enemies & Objects
I looked at the already found code called "Infinite HP", which is at address 0x000C2DA0 with value 0x60000000. Value 0x60000000 is the NOP command, which replaces a single instruction with one that does nothing. I went to address 0x000C2DA0 in programmer's notepad 2. I saw these 3 lines:
000C2D98: E9290008 ld r9,8(r9)
000C2D9C: 7C090050 sub r0,r0,r9
000C2DA0: F80B09C0 std r0,2496(r11)
To sum that up, it loads an 8-byte (16 hex digit) value into "r9", subtracts "r9" from "r0", and then stores the 8-byte value in "r0". Since the 3rd line was erased to prevent HP from decreasing, I see it was normally storing that value at offset $09C0. That offset told me what to look for in programmer's notepad 2. It was also a hunch, since I found the same infinite HP code for Disgaea 1 & 2, but I recalled the HP maximum capacity to be just 8 bytes past the current HP address. I changed the code like this to test it:
000C2D98: E9290008 ld r9,8(r9)
000C2D9C: E80B09D0 ld r0,2512(r11)
000C2DA0: F80B09C0 std r0,2496(r11)
Anything that was struck instantly had its HP refilled to its maximum capacity, so when I was hit and didn't already have my unit at full HP, it was now at full HP.
I now know to search for offset $09C0 for the current HP of things, and offset $09D0 is the maximum HP capacity of things.
From there, I did a crumb of thinking. When my units start a stage, they start with whatever their HP was from the last stage if I didn't heal them. But no matter where you go, enemies and objects ALWAYS start with full HP. That made me think that the code for their starting HP amount would most likely be 1 line of code that is a "LD" of offset $09D0 followed by 1 line of "STD" of offset $09C0. So I went into programmer's notepad 2 and searched for all instances of:
"09D0 LD"
I looked for every instance I saw that had this instance after it:
"09C0 STD"
There are a bunch of instances of that. From there I would change this line:
00??????: E???09D0 ld r?,2512(r?)
into a LI code that uses the same register and sets a specific value, so I can tell it apart from the other lines I changed. Here is every last instance so you can't get confused:

0004538C: E80909D0 ld r0,2512(r9)
00045390: F80909C0 std r0,2496(r9)

00055208: E80909D0 ld r0,2512(r9)
0005520C: F80909C0 std r0,2496(r9)

00055324: E80909D0 ld r0,2512(r9)
00055328: F80909C0 std r0,2496(r9)

0006D674: E81F09D0 ld r0,2512(r31)
0006D678: F81F09C0 std r0,2496(r31)

0006EB20: E81B09D0 ld r0,2512(r27)
0006EB24: F81B09C0 std r0,2496(r27)

0006EE34: E81F09D0 ld r0,2512(r31)
0006EE38: F81F09C0 std r0,2496(r31)

0006F19C: E81F09D0 ld r0,2512(r31)
0006F1A0: F81F09C0 std r0,2496(r31)

000765A4: E81F09D0 ld r0,2512(r31)
000765A8: F81F09C0 std r0,2496(r31)

00076868: E81F09D0 ld r0,2512(r31)
0007686C: F81F09C0 std r0,2496(r31)

0007AF38: E80909D0 ld r0,2512(r9)
0007AF3C: F80909C0 std r0,2496(r9)

00080344: E81D09D0 ld r0,2512(r29)
00080348: F81D09C0 std r0,2496(r29)

000B36D8: E80A09D0 ld r0,2512(r10)
000B36DC: F80A09C0 std r0,2496(r10)

000C6E14: E80909D0 ld r0,2512(r9)
000C6E18: F80909C0 std r0,2496(r9)

000C6EEC: E80909D0 ld r0,2512(r9)
000C6EF0: F80909C0 std r0,2496(r9)

000C6FC0: E80909D0 ld r0,2512(r9)
000C6FC4: F80909C0 std r0,2496(r9)

000C7108: E88909D0 ld r4,2512(r9)
000C710C: F88909C0 std r4,2496(r9)

000EF06C: E80909D0 ld r0,2512(r9)
000EF070: F80909C0 std r0,2496(r9)

000EF76C: E80909D0 ld r0,2512(r9)
000EF770: F80909C0 std r0,2496(r9)

00100C78: E80909D0 ld r0,2512(r9)
00100C7C: F80909C0 std r0,2496(r9)

00116C10: E80909D0 ld r0,2512(r9)
00116C14: F80909C0 std r0,2496(r9)

00117684: E80909D0 ld r0,2512(r9)
00117688: F80909C0 std r0,2496(r9)

00121548: E80909D0 ld r0,2512(r9)
0012154C: F80909C0 std r0,2496(r9)

001397C8: E80909D0 ld r0,2512(r9)
001397CC: F80909C0 std r0,2496(r9)

0013BE60: E80909D0 ld r0,2512(r9)
0013BE64: F80909C0 std r0,2496(r9)

00142928: E80909D0 ld r0,2512(r9)
0014292C: F80909C0 std r0,2496(r9)

00142A4C: E80909D0 ld r0,2512(r9)
00142A50: F80909C0 std r0,2496(r9)

001616B0: E80909D0 ld r0,2512(r9)
001616B4: F80909C0 std r0,2496(r9)

001A1664: E80909D0 ld r0,2512(r9)
001A1668: F80909C0 std r0,2496(r9)

001AC0D4: E80909D0 ld r0,2512(r9)
001AC0D8: F80909C0 std r0,2496(r9)

All I did with these now is change the load operations into operations that create a specific value, so I could see which address each code was at. They all end up like this now:

0004538C: 38000001 li r0,1
00045390: F80909C0 std r0,2496(r9)

00055208: 38000003 li r0,3
0005520C: F80909C0 std r0,2496(r9)

00055324: 38000005 li r0,5
00055328: F80909C0 std r0,2496(r9)

0006D674: 38000007 li r0,7
0006D678: F81F09C0 std r0,2496(r31)

0006EB20: 38000009 li r0,9
0006EB24: F81B09C0 std r0,2496(r27)

0006EE34: 3800000B li r0,11
0006EE38: F81F09C0 std r0,2496(r31)

0006F19C: 3800000D li r0,13
0006F1A0: F81F09C0 std r0,2496(r31)

000765A4: 3800000F li r0,15
000765A8: F81F09C0 std r0,2496(r31)

00076868: 38000011 li r0,17
0007686C: F81F09C0 std r0,2496(r31)

0007AF38: 38000013 li r0,19
0007AF3C: F80909C0 std r0,2496(r9)

00080344: 38000015 li r0,21
00080348: F81D09C0 std r0,2496(r29)

000B36D8: 38000017 li r0,23
000B36DC: F80A09C0 std r0,2496(r10)

000C6E14: 38000019 li r0,25
000C6E18: F80909C0 std r0,2496(r9)

000C6EEC: 3800001B li r0,27
000C6EF0: F80909C0 std r0,2496(r9)

000C6FC0: 3800001D li r0,29
000C6FC4: F80909C0 std r0,2496(r9)

000C7108: 3804001F li r4,31
000C710C: F88909C0 std r4,2496(r9)

000EF06C: 38000021 li r0,33
000EF070: F80909C0 std r0,2496(r9)

000EF76C: 38000023 li r0,35
000EF770: F80909C0 std r0,2496(r9)

00100C78: 38000025 li r0,37
00100C7C: F80909C0 std r0,2496(r9)

00116C10: 38000027 li r0,39
00116C14: F80909C0 std r0,2496(r9)

00117684: 38000029 li r0,41
00117688: F80909C0 std r0,2496(r9)

00121548: 3800002B li r0,43
0012154C: F80909C0 std r0,2496(r9)

001397C8: 3800002D li r0,45
001397CC: F80909C0 std r0,2496(r9)

0013BE60: 3800002F li r0,47
0013BE64: F80909C0 std r0,2496(r9)

00142928: 38000031 li r0,49
0014292C: F80909C0 std r0,2496(r9)

00142A4C: 38000033 li r0,51
00142A50: F80909C0 std r0,2496(r9)

001616B0: 38000035 li r0,53
001616B4: F80909C0 std r0,2496(r9)

001A1664: 38000037 li r0,55
001A1668: F80909C0 std r0,2496(r9)

001AC0D4: 38000039 li r0,57
001AC0D8: F80909C0 std r0,2496(r9)

I open HxD, go to those addresses and give them the new values. Upon playing the game, I notice all of these things:

1. When I enter a mystery gate in an item world, the enemies have 3 HP.

2. When I enter an item world, geoblocks, treasure chests, and innocents have 11 HP.

3. The NPCs I can talk to outside of any map, like the people who sell me armors, weapons and items, heal my dead units and restore their HP and SP, the classroom representative, the heart bank lady, the dimension guide, the item world lady, the evilities guy, and those few other NPCs, all have 15 HP.

4. Class World Dropouts have 19 HP.

5. Item World Enemies have 33 HP.

6. For those few levels that have base panels for enemies, the enemies that came from the base panel had 39 HP.

7. When I went to any story mode levels, all of the enemies had 43 HP.

8. When I wanted to fight the homeroom representatives for denying something, they all had 55 HP.

From that, I knew exactly which addresses did what. There were probably more things I didn't notice, but I could still easily check for them with these results. This took a few hours to individually check all of them, because I just played the game through, and whenever I noticed the current codes weren't working for certain enemies or objects, I had to go through all of the results again to figure out which exact code worked.


Disgaea 3 - Starting SP Modifiers For Enemies & Objects
I looked at the already found code called "Infinite SP", which is at address 0x000C2DA0 with value 0x60000000. Value 0x60000000 is the NOP command, which replaces a single instruction with one that does nothing. I went to address 0x000C2DA0 in programmer's notepad 2. I saw these 3 lines:
00132430: E80B09C8 ld r0,2504(r11)
00132434: 7C090050 sub r0,r0,r9
00132438: F80B09C8 std r0,2504(r11)
The same setup as the "Infinite HP" code, just offset $09C8 instead of offset $09C0. I'd assume it also has the maximum SP capacity limit just 8 bytes after it, so I tested that again like this:
00132430: E80B09C8 ld r0,2504(r11)
00132434: E80B09D8 ld r0,2520(r11)
00132438: F80B09C8 std r0,2504(r11)
I tested it and was correct. When I used my characters that didn't have full SP, or had just leveled up, and had them do a special attack, their SP refilled to full. That tells me that offset $09C8 is a 16-digit (8-byte) value holding the current amount of SP something has, offset $09D8 is a 16-digit value holding the current maximum amount of SP something has, and that this area of code is executed when a special attack is executed.
I'm going with the same thinking I used for the "Starting HP Modifier" codes. No matter what area you go to, NPCs, objects, and enemies all start with their SP filled to its maximum amount. That means I'm going to look for something that loads 8 bytes from offset $09D8 followed by the next line storing those 8 bytes at offset $09C8. Just like "09D8 LD" followed by an instance of "09C8 STD".
I'll list every instance again.

0004539C: E80909D8 ld r0,2520(r9)
000453A0: F80909C8 std r0,2504(r9)

For item world mystery gate enemies.
00055218: E80909D8 ld r0,2520(r9)
0005521C: F80909C8 std r0,2504(r9)

00055334: E80909D8 ld r0,2520(r9)
00055338: F80909C8 std r0,2504(r9)

0006D67C: E81F09D8 ld r0,2520(r31)
0006D680: F81F09C8 std r0,2504(r31)

0006EB28: E81B09D8 ld r0,2520(r27)
0006EB2C: F81B09C8 std r0,2504(r27)

For item world geoblocks, treasure chests, and innocents.
0006EE3C: E81F09D8 ld r0,2520(r31)
0006EE40: F81F09C8 std r0,2504(r31)

0006F1A4: E81F09D8 ld r0,2520(r31)
0006F1A8: F81F09C8 std r0,2504(r31)

For Normal World NPCs: heart banker, shops, item worlder, dimension guide, etc.
000765AC: E81F09D8 ld r0,2520(r31)
000765B0: F81F09C8 std r0,2504(r31)

00076870: E81F09D8 ld r0,2520(r31)
00076874: F81F09C8 std r0,2504(r31)

For Class World Dropouts.
0007AF44: E80909D8 ld r0,2520(r9)
0007AF48: F80909C8 std r0,2504(r9)

0008034C: E81D09D8 ld r0,2520(r29)
00080350: F81D09C8 std r0,2504(r29)

000B36E0: E80A09D8 ld r0,2520(r10)
000B36E4: F80A09C8 std r0,2504(r10)

000C6E20: E80909D8 ld r0,2520(r9)
000C6E24: F80909C8 std r0,2504(r9)

000C6EF8: E80909D8 ld r0,2520(r9)
000C6EFC: F80909C8 std r0,2504(r9)

000C6FCC: E80909D8 ld r0,2520(r9)
000C6FD0: F80909C8 std r0,2504(r9)

000C7150: E80909D8 ld r0,2520(r9)
000C7154: F80909C8 std r0,2504(r9)

For Item World enemies.
000EF078: E80909D8 ld r0,2520(r9)
000EF07C: F80909C8 std r0,2504(r9)

000EF778: E80909D8 ld r0,2520(r9)
000EF77C: F80909C8 std r0,2504(r9)

00100C84: E80909D8 ld r0,2520(r9)
00100C88: F80909C8 std r0,2504(r9)

For story mode level enemies from enemy base panels.
00116C1C: E80909D8 ld r0,2520(r9)
00116C20: F80909C8 std r0,2504(r9)

00117690: E80909D8 ld r0,2520(r9)
00117694: F80909C8 std r0,2504(r9)

For story mode enemies.
00121554: E80909D8 ld r0,2520(r9)
00121558: F80909C8 std r0,2504(r9)

001397D4: E80909D8 ld r0,2520(r9)
001397D8: F80909C8 std r0,2504(r9)

0013BE6C: E80909D8 ld r0,2520(r9)
0013BE70: F80909C8 std r0,2504(r9)

00142934: E80909D8 ld r0,2520(r9)
00142938: F80909C8 std r0,2504(r9)

00142A58: E80909D8 ld r0,2520(r9)
00142A5C: F80909C8 std r0,2504(r9)

001616C0: E80909D8 ld r0,2520(r9)
001616C4: F80909C8 std r0,2504(r9)

For homeroom representatives.
001A1670: E80909D8 ld r0,2520(r9)
001A1674: F80909C8 std r0,2504(r9)

001AC0DC: E80909D8 ld r0,2520(r9)
001AC0E0: F80909C8 std r0,2504(r9)

That is all of them again. Take note of the fact that all of these results are very close to the results I had for the starting HP modifiers. I noticed that after finding a few of them, and just started going back to the starting HP modifier locations and checking a few bytes past them for the instances of "09D8 ld" followed by "09C8 std". Using that, I found all of the starting SP modifiers and didn't need to bother changing the instances of "09D8 ld" into "???? li" like I did for checking the starting HP modifiers. I labeled all of them above. Since all of these were right next to the starting HP modifiers, it took less than a minute to make a package and test them.
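As an added example (not code from the paste), here is Python that does the search used in both the Starting HP and Starting SP sections: it decodes DS-form "ld"/"std" words, finds every "ld rX,src(rA)" immediately followed by "std rX,dst(rA)" with the same data and base registers, and rewrites each "ld" as a distinct "li rX,marker" so that the marker value seen in-game identifies the site. Calling it with offsets 0x9D0/0x9C0 reproduces the HP search and with 0x9D8/0x9C8 the SP search. The sample image is constructed: its words are copied from the listings, its addresses are made up, and it includes a decoy "ld/std" pair whose base registers differ so it must not be reported.

```python
import struct

NOP = 0x60000000


def decode_ds(word):
    """Decode DS-form ld (opcode 58) / std (opcode 62) with XO=0. Returns (mnemonic, rt, ra, disp) or None."""
    op, xo = word >> 26, word & 3
    if xo != 0 or op not in (58, 62):
        return None
    disp = word & 0xFFFC                      # DS field || 0b00, sign-extended
    if disp & 0x8000:
        disp -= 0x10000
    return ("ld" if op == 58 else "std"), (word >> 21) & 0x1F, (word >> 16) & 0x1F, disp


def encode_li(rt, imm):
    """li rT,imm is addi rT,0,imm (opcode 14): rT goes in bits 6-10, imm in a signed 16-bit field."""
    if not -0x8000 <= imm <= 0x7FFF:
        raise ValueError(f"{imm} does not fit in 16 bits")
    return (14 << 26) | (rt << 21) | (imm & 0xFFFF)


def words(image, base):
    return [(base + off, struct.unpack_from(">I", image, off)[0])
            for off in range(0, len(image) - 3, 4)]


def find_copy_pairs(image, base, src_off, dst_off):
    """Sites where 'ld rX,src_off(rA)' is directly followed by 'std rX,dst_off(rA)'."""
    ws = words(image, base)
    hits = []
    for (addr, w1), (_, w2) in zip(ws, ws[1:]):
        a, b = decode_ds(w1), decode_ds(w2)
        if (a and b and a[0] == "ld" and b[0] == "std"
                and a[3] == src_off and b[3] == dst_off
                and a[1:3] == b[1:3]):            # same data register and same base register
            hits.append((addr, w1, w2))
    return hits


def mark_sites(image, base, pairs, first=1, step=2):
    """Rewrite each pair's ld as 'li rX,marker', a distinct odd marker per site. Returns (image, {addr: marker})."""
    out, markers = bytearray(image), {}
    for n, (addr, ld_word, _) in enumerate(pairs):
        rt = decode_ds(ld_word)[1]
        markers[addr] = first + step * n
        struct.pack_into(">I", out, addr - base, encode_li(rt, markers[addr]))
    return bytes(out), markers


def word_at(image, base, addr):
    return struct.unpack_from(">I", image, addr - base)[0]


# Constructed sample image: word values from the listings, addresses made up.
BASE = 0x1000
IMAGE = b"".join(struct.pack(">I", w) for w in (
    NOP,
    0xE80909D0, 0xF80909C0,   # ld r0,2512(r9) / std r0,2496(r9)   an HP pair
    0xE80909D8, 0xF80909C8,   # ld r0,2520(r9) / std r0,2504(r9)   an SP pair
    NOP,
    0xE88909D0, 0xF88909C0,   # ld r4,2512(r9) / std r4,2496(r9)   HP pair through r4
    0xE80909D0, 0xF80B09C0,   # decoy: the std goes through r11, not r9, so it is not a copy
))

if __name__ == "__main__":
    hp_pairs = find_copy_pairs(IMAGE, BASE, 0x9D0, 0x9C0)
    marked, markers = mark_sites(IMAGE, BASE, hp_pairs)
    for addr, marker in markers.items():
        print(f"{addr:08X}: {word_at(marked, BASE, addr):08X} li ..,{marker}")
```

Two details worth checking against any hand-typed patch. First, the maximum fields sit 16 bytes past the current values (0x9D0 - 0x9C0 and 0x9D8 - 0x9C8), two 8-byte slots apart, which is why both offsets are parameters rather than being derived from each other. Second, "encode_li" puts the destination register in bits 6-10, so "li r4,31" is 0x3880001F and "li r3,32767" is 0x38607FFF; a word with the register number placed in the next field instead (0x3804001F, 0x38037FFF) assembles as "addi r0,r4,31" / "addi r0,r3,32767" and leaves the intended register untouched, which produces a silent no-result in testing rather than a crash.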
  789.  
  790.  
  791.  
  792.  
  793.  
  794.  
  795.  
  796.  
  797.  
  798. Disgaea 3 - All Homeroom Representatives Love You
  799. I honestly had no idea of how I would find this. All I could think of is that I found starting HP & SP modifiers for homeroom representatives, so I went to that area. Not knowing what to do, I just decided to "nop" any "bl" operations I found. Since the starting SP modifier for homeroom representatives is at address 0x001A1670, I went there and searched for " bl 0x". I changed the 1st 4 results I had, which were:
  800.  
  801. 001A16C8: 4BFF4F75 bl 0x19663c
  802.  
  803. 001A16E0: 4BF08D55 bl 0xaa434
  804.  
  805. 001A1750: 4BFF4EED bl 0x19663c
  806.  
  807. 001A1768: 4BF08CCD bl 0xaa434
  808.  
  809. Branches always start with " b". I cancelled them by changing the value to 0x60000000, which is "nop". So they became:
  810.  
  811. 001A16C8: 60000000 nop
  812.  
  813. 001A16E0: 60000000 nop
  814.  
  815. 001A1750: 60000000 nop
  816.  
  817. 001A1768: 60000000 nop
  818.  
  819. When I used these codes, all of the representatives on anything always loathed me, so that tells me that at least 1 of those 4 that I cancelled had something that determined how the representatives loved or loathed me. I checked them by doing 2 and then 1 of them.
  820.  
  821. 1. I changed 0x001A16C8 to value 0x60000000, and 0x001A16E0 to 0x60000000. All of them still loathed me, so it's 1 of these 2.
  822.  
  823. 2. I changed 0x001A16C8 to value 0x60000000. They still loathed me, so it was something in this branch that was doing it.
  824.  
  825. I went to address 0x0019663C and kind of glanced at the whole thing. I had no idea of what to do, but there were a large amount of branches. I started off by going to the 1st few branches and changing them to "nop" by giving them value 0x60000000. I kept doing that and playing the game to see what happened, and some things they liked me more, and others they hated me more. After getting sick of doing that because it wasn't telling me much, I just decided to skip past the 1st half that was loaded with branches and started just picking certain registers and setting all instances of them to 0. I ended up seeing register "r31" and only a few instances of it:
  826.  
  827. 001967C8: 3BE00000 li r31,0
  828.  
  829. 00196808: 3BE00000 li r31,0
  830.  
  831. 00196810: 3BE00019 li r31,25
  832.  
  833. I just changed their values like this:
  834.  
  835. 001967C8: 3BE07FFF li r31,32767
  836.  
  837. 00196808: 3BE07FFF li r31,32767
  838.  
  839. 00196810: 3BE07FFF li r31,32767
  840.  
  841. I tested that and I guess that was what I was looking for, except it caused some representatives to loathe me instead of love me. From there, I wasn't sure of what to do, but I started with a copy of the unmodified EBOOT.ELF again. I checked that function again for any "store" operations and noticed there were none. I checked for register "r31" at the end of the function, and saw:
  842.  
  843. 00196A34: 7FE3FB78 mr r3,r31
  844.  
  845. That is transferring the value of register "r31" to register "r3". I then tried this:
  846.  
  847. 00196A34: 38037FFF li r3,32767
  848.  
849. That had no effect. I was still not sure of what to do. I saw many instances of " bl 0x96cbc". I thought to just remove that function. I went to address 0x00096CBC:
  850.  
  851. 00096CBC: 786B0760 rldicl r11,r3,0,59
  852.  
  853. I removed that entire function by changing it to "blr".
  854.  
  855. 00096CBC: 4E800020 blr
  856.  
  857. I started the game, the main menu was weird, and I couldn't get to the game because it was trapped looping the new game story. So I undid that and changed it back to what it was. That meant I had to do it the longer way and "nop" all of the "bl"s in that function that went to that other function. I found these:
  858.  
  859. 001967D0: 4BF004ED bl 0x96cbc
  860.  
  861. 001967EC: 4BF004D1 bl 0x96cbc
  862.  
  863. 00196824: 4BF00499 bl 0x96cbc
  864.  
  865. 00196840: 4BF0047D bl 0x96cbc
  866.  
  867. 00196868: 4BF00455 bl 0x96cbc
  868.  
  869. 00196884: 4BF00439 bl 0x96cbc
  870.  
  871. 001968AC: 4BF00411 bl 0x96cbc
  872.  
  873. 001968C8: 4BF003F5 bl 0x96cbc
  874.  
  875. 001968F0: 4BF003CD bl 0x96cbc
  876.  
  877. 0019690C: 4BF003B1 bl 0x96cbc
  878.  
  879. 00196934: 4BF00389 bl 0x96cbc
  880.  
  881. 00196950: 4BF0036D bl 0x96cbc
  882.  
  883. 00196978: 4BF00345 bl 0x96cbc
  884.  
  885. 00196994: 4BF00329 bl 0x96cbc
  886.  
  887. 001969BC: 4BF00301 bl 0x96cbc
  888.  
  889. 001969D8: 4BF002E5 bl 0x96cbc
  890.  
  891. 00196A00: 4BF002BD bl 0x96cbc
  892.  
  893. 00196A1C: 4BF002A1 bl 0x96cbc
  894.  
  895. That's all of those within the function. I changed them all to "nop".
  896.  
  897. 001967D0: 60000000 nop
  898.  
  899. 001967EC: 60000000 nop
  900.  
  901. 00196824: 60000000 nop
  902.  
  903. 00196840: 60000000 nop
  904.  
  905. 00196868: 60000000 nop
  906.  
  907. 00196884: 60000000 nop
  908.  
  909. 001968AC: 60000000 nop
  910.  
  911. 001968C8: 60000000 nop
  912.  
  913. 001968F0: 60000000 nop
  914.  
  915. 0019690C: 60000000 nop
  916.  
  917. 00196934: 60000000 nop
  918.  
  919. 00196950: 60000000 nop
  920.  
  921. 00196978: 60000000 nop
  922.  
  923. 00196994: 60000000 nop
  924.  
  925. 001969BC: 60000000 nop
  926.  
  927. 001969D8: 60000000 nop
  928.  
  929. 00196A00: 60000000 nop
  930.  
  931. 00196A1C: 60000000 nop
  932.  
  933. I did a few of those at a time and noticed certain monster type representatives always loved me, so I changed all of these and then all representatives loved me. Made another copy of my unmodified EBOOT.ELF and tried it again, and it didn't work. I remembered I had this at the same time too:
  934.  
  935. 00196A34: 7FE3FB78 mr r3,r31
  936.  
  937. I changed it back to this again:
  938.  
  939. 00196A34: 38037FFF li r3,32767
  940.  
  941. I tried it and it was working again. I was happy the code was working but I thought this was a lot of lines and people like patterns, and this would have been a lot of patterns that would take forever to input. So I messed around just a little more because I knew that register "r3" was doing something. I went back to where the function was jumped to.
  942.  
  943. 001A16C8: 4BFF4F75 bl 0x19663c
  944.  
  945. I decided to see if there were any store operations with register "r3". I saw this:
  946.  
  947. 001A16F0: B07C0418 sth r3,1048(r28)
  948.  
  949. I also saw this and decided to mess with it just because it was a nearby store operation:
  950.  
  951. 001A170C: B01C0418 sth r0,1048(r28)
  952.  
  953. I went to the lines before them and changed them to set a specific value. I went to these:
  954.  
  955. 001A16EC: 3863FFFB subi r3,r3,5
  956. 001A16F0: B07C0418 sth r3,1048(r28)
  957.  
  958. 001A1708: 7C004A14 add r0,r0,r9
  959. 001A170C: B01C0418 sth r0,1048(r28)
  960.  
  961. And I changed them to these:
  962.  
  963. 001A16EC: 38037FFF li r3,32767
  964. 001A16F0: B07C0418 sth r3,1048(r28)
  965.  
  966. 001A1708: 38007FFF li r0,32767
  967. 001A170C: B01C0418 sth r0,1048(r28)
  968.  
  969. I tried that out, and noticed about half of the representatives loved me. So I went a little further down and saw the same exact thing again:
  970.  
  971. 001A1774: 3863FFFB subi r3,r3,5
  972. 001A1778: B07C0418 sth r3,1048(r28)
  973.  
  974. 001A1790: 7C004A14 add r0,r0,r9
  975. 001A1794: B01C0418 sth r0,1048(r28)
  976.  
  977. I changed them the same way:
  978.  
  979. 001A1774: 38037FFF li r3,32767
  980. 001A1778: B07C0418 sth r3,1048(r28)
  981.  
  982. 001A1790: 38007FFF li r0,32767
  983. 001A1794: B01C0418 sth r0,1048(r28)
  984.  
  985. I played the game again, and everyone loved me. So I tested it again with an unmodified copy of the EBOOT.ELF.
  986.  
  987. 001A16EC: 38037FFF li r3,32767
  988. 001A16F0: B07C0418 sth r3,1048(r28)
  989.  
  990. 001A1774: 38037FFF li r3,32767
  991. 001A1778: B07C0418 sth r3,1048(r28)
  992.  
  993. I played again and there was no effect. I was thinking that should have done it. I then thought maybe by some chance it was the other 2, so I tested them with another copy of the unmodified EBOOT.ELF.
  994.  
  995. 001A1708: 38007FFF li r0,32767
  996. 001A170C: B01C0418 sth r0,1048(r28)
  997.  
  998. 001A1790: 38007FFF li r0,32767
  999. 001A1794: B01C0418 sth r0,1048(r28)
  1000.  
  1001. It worked. Another useful code found by accident, and it took a few hours of messing around to get it. Since I now know that offset $0418 is 2 bytes that determine how a representative likes me, I could probably find just 1 line of code to make this work by just searching for any instances of "0418 lhz ", but I'm fine with 2 lines of code. If somebody wants that, they should be able to easily find it themselves.
  1002.  
  1003.  
  1004.  
  1005.  
  1006.  
  1007.  
  1008.  
  1009. Disgaea 3 - Aptitudes Percent Modifier
  1010. Disgaea 3 - Elemental Resistances Modifier
  1011. Disgaea 3 - Move Range Modifier
  1012. Disgaea 3 - Jump Height Modifier
  1013. Disgaea 3 - Counter Attack Amount Modifier
  1014. Disgaea 3 - Lift/Throw Amount Modifier
  1015. Disgaea 3 - Attack Range Modifier
  1016. Disgaea 3 - EXP Multiplier/Max EXP
  1017. Disgaea 3 - Level Modifier
1018. All of these were things I stumbled upon while looking for something else. I did a search for many values in hopes that I would find some useful things that have limits. I did a search for the value 99,999,999 throughout the game in Programmer's Notepad. 99,999,999 is 0x05F5E0FF in hex. Since that is 8 digits, it takes 2 lines of code to make that value. Games usually use 1 line for "lis", and the next line is "ori". I did a search for all instances of "05F5 lis", and then checked to make sure the next line had "E0FF ori". I checked the first 3 lines after those 2 lines to see if it was a " cmpw " line followed by a " ble- " line. These are all of the instances I ended up with:
  1019.  
  1020. Looking for 99,999,999, which is 0x05F5E0FF.
  1021. 00180278: 3D6005F5 lis r11,1525
  1022. 0018027C: 616BE0FF ori r11,r11,57599
  1023.  
  1024. 0017FFEC: 3D2005F5 lis r9,1525
  1025. 0017FFF0: 6129E0FF ori r9,r9,57599
  1026.  
  1027. 0015F344: 3F6005F5 lis r27,1525
  1028. 0015F348: 637BE0FF ori r27,r27,57599
  1029.  
  1030. 001108B0: 3D2005F5 lis r9,1525
  1031. 001108B4: 6129E0FF ori r9,r9,57599
  1032.  
  1033. 000CB62C: 3D2005F5 lis r9,1525
  1034. 000CB630: 6129E0FF ori r9,r9,57599
  1035.  
  1036. 000CB3C4: 3D2005F5 lis r9,1525
  1037. 000CB3C8: 6129E0FF ori r9,r9,57599
  1038.  
  1039. 000C3DF0: 3D2005F5 lis r9,1525
  1040. 000C3DF4: 6129E0FF ori r9,r9,57599
  1041.  
  1042. 00072564: 3D2005F5 lis r9,1525
  1043. 00072568: 6129E0FF ori r9,r9,57599
  1044.  
  1045. 0006E108: 3D2005F5 lis r9,1525
  1046. 0006E10C: 6129E0FF ori r9,r9,57599
  1047.  
  1048. 0006DEA4: 3D2005F5 lis r9,1525
  1049. 0006DEA8: 6129E0FF ori r9,r9,57599
  1050.  
  1051. 0006CEF8: 3D6005F5 lis r11,1525
  1052. 0006CEFC: 616BE0FF ori r11,r11,57599
  1053. All characters stats that weren't HP or SP were 0.
  1054.  
  1055. 0006A994: 3D0005F5 lis r8,1525
  1056. 0006A998: 6108E0FF ori r8,r8,57599
  1057.  
  1058. 0006A860: 3D2005F5 lis r9,1525
  1059. 0006A864: 6129E0FF ori r9,r9,57599
  1060. All characters HP & SP were less than 5.
  1061.  
  1062. 0001D1A4: 3C0005F5 lis r0,1525
  1063. 0001D1A8: 6000E0FF ori r0,r0,57599
  1064.  
  1065. I have already marked those 2, and here is what I changed all of them to:
  1066.  
  1067. 00180278: 3D600000 lis r11,0
  1068. 0018027C: 616B0001 ori r11,r11,1
  1069.  
  1070. 0017FFEC: 3D200000 lis r9,0
  1071. 0017FFF0: 61290003 ori r9,r9,3
  1072.  
  1073. 0015F344: 3F600000 lis r27,0
  1074. 0015F348: 637B0005 ori r27,r27,5
  1075.  
  1076. 001108B0: 3D200000 lis r9,0
  1077. 001108B4: 61290007 ori r9,r9,7
  1078.  
  1079. 000CB62C: 3D200000 lis r9,0
  1080. 000CB630: 61290009 ori r9,r9,9
  1081.  
  1082. 000CB3C4: 3D200000 lis r9,0
  1083. 000CB3C8: 6129000B ori r9,r9,11
  1084.  
  1085. 000C3DF0: 3D200000 lis r9,0
  1086. 000C3DF4: 6129000D ori r9,r9,13
  1087.  
  1088. 00072564: 3D200000 lis r9,0
  1089. 00072568: 6129000F ori r9,r9,15
  1090.  
  1091. 0006E108: 3D200000 lis r9,0
  1092. 0006E10C: 61290011 ori r9,r9,17
  1093.  
  1094. 0006DEA4: 3D200000 lis r9,0
  1095. 0006DEA8: 61290013 ori r9,r9,19
  1096.  
  1097. 0006CEF8: 3D600000 lis r11,0
  1098. 0006CEFC: 616B0015 ori r11,r11,21
  1099. All characters stats that weren't HP or SP were 0.
  1100.  
1101. 0006A994: 3D000000 lis r8,0
  1102. 0006A998: 61080017 ori r8,r8,23
  1103.  
1104. 0006A860: 3D200000 lis r9,0
  1105. 0006A864: 61290019 ori r9,r9,25
  1106. All characters HP & SP were less than 5.
  1107.  
1108. 0001D1A4: 3C000000 lis r0,0
  1109. 0001D1A8: 6000001B ori r0,r0,27
  1110.  
  1111. That told me exactly which one of those did those 2 effects.
  1112.  
1113. Out of curiosity I noticed those 2 codes are within the same function, so I decided to mess with anything else in it that I saw as a limiting thing. The way to spot limits is that they usually come in 1 of 2 shapes. Either 2 lines like the ones above define the limit with a "lis" followed by an "ori", and a "cmp" operation then compares against it, or a single "cmpwi" line holds the value to compare something to. Either way, the next line is a branch: "blt" for branch if less than, "ble" for branch if less than or equal, "bgt" for branch if greater than, or "bge" for branch if greater than or equal to. That branch usually only skips a few of the next lines, and 1 of the skipped lines is usually a store operation; if it isn't, the store is in the next few lines after the ones that were skipped. That last sentence would probably just baffle you. I got to address 0x0006CEF8, and I search for the previous instance of "4E800020 blr" because that tells me where the previous function ended, so the next line is the start of the function that contains these 2 codes. I end up with:
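As an added example (not code from this write-up's author), here are the instruction forms the whole method keys on, in Python: decoding a "bl" to its target like the 0x19663C jump earlier, reading a "lis"/"ori" pair back into the 99,999,999 constant searched for above, and a scanner for the "cmp*i, then ble/blt over a few lines, then li" clamp shape described in this paragraph, together with the nop/li patch used to lift it. The sample words are copied from the page's listings at 0x0006CF98 onward; the three words the page does not show are constructed nop fillers and labelled as such.

```python
"""PowerPC (PS3 EBOOT) helpers for the patterns used on this page.  Added
example, not the author's code.  Sample words come from the page's listings;
gap fillers are constructed and marked below."""

NOP = 0x60000000        # ori r0,r0,0 -- the "cancel this line" value
CR_BITS = ("lt", "gt", "eq", "so")
BC_NAMES = {("lt", True): "blt", ("lt", False): "bge", ("gt", True): "bgt",
            ("gt", False): "ble", ("eq", True): "beq", ("eq", False): "bne"}

def sext(value, bits):
    """Sign-extend the low `bits` bits of value."""
    return value - (1 << bits) if value & (1 << (bits - 1)) else value

def branch_target(word, addr):
    """Absolute target of a relative `b`/`bl` (opcode 18) at addr, else None."""
    if word >> 26 != 18 or word & 2:            # AA=1 (absolute) not handled
        return None
    return (addr + sext(word & 0x03FFFFFC, 26)) & 0xFFFFFFFF

def encode_b(addr, target, link):
    """Encode `b target` (link=False) or `bl target` (link=True) placed at addr."""
    return (18 << 26) | ((target - addr) & 0x03FFFFFC) | int(link)

def decode_bc(word, addr):
    """CR-bit conditional branch -> (mnemonic, crf, target, lines_skipped), else None.
    +/- follows the page's disassembler: hint bits if set, else backward = taken."""
    if word >> 26 != 16:
        return None
    bo, bi, bd = (word >> 21) & 0x1F, (word >> 16) & 0x1F, sext(word & 0xFFFC, 16)
    name = BC_NAMES.get((CR_BITS[bi % 4], bool(bo & 0x08)))
    if (bo & 0x14) != 0x04 or name is None:     # only the plain 001at/011at forms
        return None
    taken = bool(bo & 1) if bo & 2 else bd < 0
    mnem = f"{name}{'+' if taken else '-'} cr{bi // 4},{addr + bd:#x}"
    return mnem, bi // 4, addr + bd, bd // 4 - 1

def decode_cmp(word):
    """cmpwi/cmpdi (opcode 11) and cmplwi/cmpldi (opcode 10) -> (mnem, crf, ra, imm)."""
    opcd = word >> 26
    if opcd not in (10, 11):
        return None
    crf, l_bit, ra, imm = (word >> 23) & 7, (word >> 21) & 1, (word >> 16) & 0x1F, word & 0xFFFF
    if opcd == 11:
        imm = sext(imm, 16)                     # cmpi takes a signed immediate
    return (("cmplwi", "cmpldi") if opcd == 10 else ("cmpwi", "cmpdi"))[l_bit], crf, ra, imm

def decode_li(word):
    """`li rt,simm` is `addi rt,0,simm` -> (rt, simm) or None."""
    if word >> 26 == 14 and (word >> 16) & 0x1F == 0:
        return (word >> 21) & 0x1F, sext(word & 0xFFFF, 16)
    return None

def encode_li(rt, simm):
    return (14 << 26) | (rt << 21) | (simm & 0xFFFF)

def decode_lis_ori(hi, lo):
    """The 2-line constant the page greps for ("05F5 lis" then "E0FF ori") -> (rt, value)."""
    rt = (hi >> 21) & 0x1F
    if hi >> 26 != 15 or (hi >> 16) & 0x1F:     # addis rt,0,imm is lis
        return None
    if lo >> 26 != 24 or (lo >> 21) & 0x1F != rt or (lo >> 16) & 0x1F != rt:
        return None
    return rt, ((hi & 0xFFFF) << 16) | (lo & 0xFFFF)

def encode_lis_ori(rt, value):
    return ((15 << 26) | (rt << 21) | ((value >> 16) & 0xFFFF),
            (24 << 26) | (rt << 21) | (rt << 16) | (value & 0xFFFF))

def find_clamps(words, base):
    """Find the limit shape described on the page: `cmp*i rX,N`, then a
    blt/ble/bgt/bge skipping at most 4 lines, then `li rX,N` (the clamp)."""
    hits = []
    for i in range(len(words) - 2):
        cmp_ = decode_cmp(words[i])
        bc = decode_bc(words[i + 1], base + 4 * (i + 1))
        li = decode_li(words[i + 2])
        if not (cmp_ and bc and li):
            continue
        _, crf, ra, limit = cmp_
        if bc[1] == crf and 0 < bc[3] <= 4 and li == (ra, limit):
            hits.append({"addr": base + 4 * i, "reg": ra, "limit": limit,
                         "branch_addr": base + 4 * (i + 1), "li_addr": base + 4 * (i + 2)})
    return hits

def clamp_patch(hit, new_value):
    """The page's fix: nop the branch, then have the li load new_value unconditionally."""
    return {hit["branch_addr"]: NOP, hit["li_addr"]: encode_li(hit["reg"], new_value)}

# Words copied from the page's listing at 0x0006CF98..0x0006CFE0.  The three
# words the page does not show (0x6CFA8, 0x6CFBC, 0x6CFD0) are constructed
# NOP fillers so the sample is contiguous.
SAMPLE_BASE = 0x0006CF98
SAMPLE_WORDS = [
    0x2B800009, 0x409D000C, 0x38000009, 0x98180AC9, NOP,   # cmplwi r0,9 clamp -> $0AC9
    0x2B800009, 0x409D000C, 0x38000009, 0x98180ACA, NOP,   # cmplwi r0,9 clamp -> $0ACA
    0x2B800020, 0x409D000C, 0x38000020, 0x98180AC7, NOP,   # cmplwi r0,32 clamp -> $0AC7 (MOV)
    0x2B800009, 0x409D000C, 0x38000009, 0x98180AD6,        # cmplwi r0,9 clamp -> $0AD6
]
```

Running `find_clamps(SAMPLE_WORDS, SAMPLE_BASE)` returns the four clamps the page walks through by hand, and `clamp_patch` on the first one yields the same two words the page writes at 0x0006CF9C and 0x0006CFA0.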
  1114.  
  1115. 0006A38C: 4E800020 blr
  1116.  
  1117. So this function starts at address 0x0006A390. I now search for the next instance of "4E800020 blr" so I know where this function ends. I end up with:
  1118.  
  1119. 0006D108: 4E800020 blr
  1120.  
1121. I now know this function starts at address 0x0006A390 and ends at 0x0006D108. So I go to address 0x0006A390 and start searching for the string "bl". If that seems odd to you, it's because the 2 branch types I'm looking for are "blt" and "ble", and both start with "bl". I'll end up encountering many things that are not what I'm looking for, but I'll just try them all anyway. Here's the list of things that I ended up with:
  1122.  
  1123. 0006A458: 419C0190 blt- cr7,0x6a5e8
  1124.  
  1125. 0006A4C8: 409D0094 ble- cr7,0x6a55c
  1126.  
  1127. 0006A640: 409D0008 ble- cr7,0x6a648
  1128.  
  1129. 0006A650: 409D0010 ble- cr7,0x6a660
  1130.  
  1131. 0006A734: 409D0008 ble- cr7,0x6a73c
  1132.  
  1133. 0006A7FC: 40FD0054 ble+ cr7,0x6a850
  1134.  
  1135. 0006A86C: 409D0008 ble- cr7,0x6a874
  1136.  
  1137. 0006A8E8: 409D0134 ble- cr7,0x6aa1c
  1138.  
  1139. 0006A9D0: 409D0008 ble- cr7,0x6a9d8
  1140.  
  1141. 0006AA7C: 409D000C ble- cr7,0x6aa88
  1142.  
  1143. 0006AA90: 409D0008 ble- cr7,0x6aa98
  1144.  
  1145. 0006AD00: 409D001C ble- cr7,0x6ad1c
  1146.  
  1147. 0006AD40: 409D00A0 ble- cr7,0x6ade0
  1148.  
  1149. 0006ADAC: 409D0034 ble- cr7,0x6ade0
  1150.  
  1151. 0006AE94: 409D0008 ble- cr7,0x6ae9c
  1152.  
  1153. 0006AEDC: 409D0008 ble- cr7,0x6aee4
  1154.  
  1155. 0006AF0C: 409D0008 ble- cr7,0x6af14
  1156.  
  1157. 0006AF40: 409D0008 ble- cr7,0x6af48
  1158.  
  1159. 0006AF60: 409D000C ble- cr7,0x6af6c
  1160.  
  1161. 0006AF74: 409D000C ble- cr7,0x6af80
  1162.  
  1163. 0006AF88: 409D000C ble- cr7,0x6af94
  1164.  
  1165. 0006AF9C: 409D000C ble- cr7,0x6afa8
  1166.  
  1167. 0006AFB0: 409D000C ble- cr7,0x6afbc
  1168.  
  1169. 0006B018: 409D0020 ble- cr7,0x6b038
  1170.  
  1171. 0006B0C4: 409D0008 ble- cr7,0x6b0cc
  1172.  
  1173. 0006B130: 409D0040 ble- cr7,0x6b170
  1174.  
  1175. 0006B28C: 409D0008 ble- cr7,0x6b294
  1176.  
  1177. 0006B29C: 409D0008 ble- cr7,0x6b2a4
  1178.  
  1179. 0006B310: 409D000C ble- cr7,0x6b31c
  1180.  
  1181. 0006B43C: 409D0010 ble- cr7,0x6b44c
  1182.  
  1183. 0006B4E0: 409D0024 ble- cr7,0x6b504
  1184.  
  1185. 0006B4F8: 409D000C ble- cr7,0x6b504
  1186.  
  1187. 0006B51C: 409D0024 ble- cr7,0x6b540
  1188.  
  1189. 0006B534: 409D000C ble- cr7,0x6b540
  1190.  
  1191. 0006B558: 409D0024 ble- cr7,0x6b57c
  1192.  
  1193. 0006B570: 409D000C ble- cr7,0x6b57c
  1194.  
  1195. 0006B594: 409D0030 ble- cr7,0x6b5c4
  1196.  
  1197. 0006B5DC: 409D0030 ble- cr7,0x6b60c
  1198.  
  1199. 0006B62C: 409D002C ble- cr7,0x6b658
  1200.  
  1201. 0006B864: 419C0014 blt- cr7,0x6b878
  1202.  
  1203. 0006B9B4: 419C0014 blt- cr7,0x6b9c8
  1204.  
  1205. 0006BB20: 419C0014 blt- cr7,0x6bb34
  1206.  
  1207. 0006BDE8: 419C0014 blt- cr7,0x6bdfc
  1208.  
  1209. 0006BF38: 419C0014 blt- cr7,0x6bf4c
  1210.  
  1211. 0006BF98: 409D10D4 ble- cr7,0x6d06c
  1212.  
  1213. 0006C050: 409D000C ble- cr7,0x6c05c
  1214.  
  1215. 0006C084: 409D0024 ble- cr7,0x6c0a8
  1216.  
  1217. 0006C09C: 409D000C ble- cr7,0x6c0a8
  1218.  
  1219. 0006C174: 409D0030 ble- cr7,0x6c1a4
  1220.  
  1221. 0006C218: 409D051C ble- cr7,0x6c734
  1222.  
  1223. 0006C264: 409D0030 ble- cr7,0x6c294
  1224.  
  1225. 0006C2AC: 409D0030 ble- cr7,0x6c2dc
  1226.  
  1227. 0006C2F4: 409D0440 ble- cr7,0x6c734
  1228.  
  1229. 0006C340: 409D0030 ble- cr7,0x6c370
  1230.  
  1231. 0006C388: 409D03AC ble- cr7,0x6c734
  1232.  
  1233. 0006C3D4: 409D0030 ble- cr7,0x6c404
  1234.  
  1235. 0006C41C: 409D0318 ble- cr7,0x6c734
  1236.  
  1237. 0006C468: 409D02CC ble- cr7,0x6c734
  1238.  
  1239. 0006C4B4: 409D0030 ble- cr7,0x6c4e4
  1240.  
  1241. 0006C4FC: 409D0238 ble- cr7,0x6c734
  1242.  
  1243. 0006C550: 409D0030 ble- cr7,0x6c580
  1244.  
  1245. 0006C598: 409D019C ble- cr7,0x6c734
  1246.  
  1247. 0006C5E4: 409D0030 ble- cr7,0x6c614
  1248.  
  1249. 0006C62C: 409D0030 ble- cr7,0x6c65c
  1250.  
  1251. 0006C674: 409D0030 ble- cr7,0x6c6a4
  1252.  
  1253. 0006C6BC: 409D0030 ble- cr7,0x6c6ec
  1254.  
  1255. 0006C704: 409D0030 ble- cr7,0x6c734
  1256.  
  1257. 0006C7E8: 409D02E0 ble- cr7,0x6cac8
  1258.  
  1259. 0006C834: 409D0030 ble- cr7,0x6c864
  1260.  
  1261. 0006C868: 409D0260 ble- cr7,0x6cac8
  1262.  
  1263. 0006C890: 409D0238 ble- cr7,0x6cac8
  1264.  
  1265. 0006C8C8: 409D0200 ble- cr7,0x6cac8
  1266.  
  1267. 0006CA54: 409D000C ble- cr7,0x6ca60
  1268.  
  1269. 0006CA80: 409D000C ble- cr7,0x6ca8c
  1270.  
  1271. 0006CAAC: 409D000C ble- cr7,0x6cab8
  1272.  
  1273. 0006CB68: 409D000C ble- cr7,0x6cb74
  1274.  
  1275. 0006CBA4: 409D000C ble- cr7,0x6cbb0
  1276.  
  1277. 0006CBDC: 409D000C ble- cr7,0x6cbe8
  1278.  
  1279. 0006CC14: 409D000C ble- cr7,0x6cc20
  1280.  
  1281. 0006CC4C: 409D000C ble- cr7,0x6cc58
  1282.  
  1283. 0006CEF4: 409D001C ble- cr7,0x6cf10
  1284.  
  1285. 0006CF08: 409D0008 ble- cr7,0x6cf10
  1286.  
  1287. 0006CF58: 409D0008 ble- cr7,0x6cf60
  1288.  
  1289. 0006CF9C: 409D000C ble- cr7,0x6cfa8
  1290.  
  1291. 0006CFB0: 409D000C ble- cr7,0x6cfbc
  1292.  
  1293. 0006CFC4: 409D000C ble- cr7,0x6cfd0
  1294.  
  1295. 0006CFD8: 409D000C ble- cr7,0x6cfe4
  1296.  
  1297. 0006D004: 409D0008 ble- cr7,0x6d00c
  1298.  
  1299. 0006D018: 409D00AC ble- cr7,0x6d0c4
  1300.  
  1301. 0006D0BC: 409DE024 ble+ cr7,0x6b0e0
  1302.  
1303. That's all of them, and that's exactly 90 results. From there, I just "nop" all of them so that anything that may be enforcing limits will just set everything to its maximum value, and play the game to see what has changed. I get another copy of the unmodified EBOOT.ELF, open it up with HxD, and this is what I change all of them to:
  1304.  
  1305. 0006A458: 60000000 nop
  1306.  
  1307. 0006A4C8: 60000000 nop
  1308.  
  1309. 0006A640: 60000000 nop
  1310.  
  1311. 0006A650: 60000000 nop
  1312.  
  1313. 0006A734: 60000000 nop
  1314.  
  1315. 0006A7FC: 60000000 nop
  1316.  
  1317. 0006A86C: 60000000 nop
  1318.  
  1319. 0006A8E8: 60000000 nop
  1320.  
  1321. 0006A9D0: 60000000 nop
  1322.  
  1323. 0006AA7C: 60000000 nop
  1324.  
  1325. 0006AA90: 60000000 nop
  1326.  
  1327. 0006AD00: 60000000 nop
  1328.  
  1329. 0006AD40: 60000000 nop
  1330.  
  1331. 0006ADAC: 60000000 nop
  1332.  
  1333. 0006AE94: 60000000 nop
  1334.  
  1335. 0006AEDC: 60000000 nop
  1336.  
  1337. 0006AF0C: 60000000 nop
  1338.  
  1339. 0006AF40: 60000000 nop
  1340.  
  1341. 0006AF60: 60000000 nop
  1342.  
  1343. 0006AF74: 60000000 nop
  1344.  
  1345. 0006AF88: 60000000 nop
  1346.  
  1347. 0006AF9C: 60000000 nop
  1348.  
  1349. 0006AFB0: 60000000 nop
  1350.  
  1351. 0006B018: 60000000 nop
  1352.  
  1353. 0006B0C4: 60000000 nop
  1354.  
  1355. 0006B130: 60000000 nop
  1356.  
  1357. 0006B28C: 60000000 nop
  1358.  
  1359. 0006B29C: 60000000 nop
  1360.  
  1361. 0006B310: 60000000 nop
  1362.  
  1363. 0006B43C: 60000000 nop
  1364.  
  1365. 0006B4E0: 60000000 nop
  1366.  
  1367. 0006B4F8: 60000000 nop
  1368.  
  1369. 0006B51C: 60000000 nop
  1370.  
  1371. 0006B534: 60000000 nop
  1372.  
  1373. 0006B558: 60000000 nop
  1374.  
  1375. 0006B570: 60000000 nop
  1376.  
  1377. 0006B594: 60000000 nop
  1378.  
  1379. 0006B5DC: 60000000 nop
  1380.  
  1381. 0006B62C: 60000000 nop
  1382.  
  1383. 0006B864: 60000000 nop
  1384.  
  1385. 0006B9B4: 60000000 nop
  1386.  
  1387. 0006BB20: 60000000 nop
  1388.  
  1389. 0006BDE8: 60000000 nop
  1390.  
  1391. 0006BF38: 60000000 nop
  1392.  
  1393. 0006BF98: 60000000 nop
  1394.  
  1395. 0006C050: 60000000 nop
  1396.  
  1397. 0006C084: 60000000 nop
  1398.  
  1399. 0006C09C: 60000000 nop
  1400.  
  1401. 0006C174: 60000000 nop
  1402.  
  1403. 0006C218: 60000000 nop
  1404.  
  1405. 0006C264: 60000000 nop
  1406.  
  1407. 0006C2AC: 60000000 nop
  1408.  
  1409. 0006C2F4: 60000000 nop
  1410.  
  1411. 0006C340: 60000000 nop
  1412.  
  1413. 0006C388: 60000000 nop
  1414.  
  1415. 0006C3D4: 60000000 nop
  1416.  
  1417. 0006C41C: 60000000 nop
  1418.  
  1419. 0006C468: 60000000 nop
  1420.  
  1421. 0006C4B4: 60000000 nop
  1422.  
  1423. 0006C4FC: 60000000 nop
  1424.  
  1425. 0006C550: 60000000 nop
  1426.  
  1427. 0006C598: 60000000 nop
  1428.  
  1429. 0006C5E4: 60000000 nop
  1430.  
  1431. 0006C62C: 60000000 nop
  1432.  
  1433. 0006C674: 60000000 nop
  1434.  
  1435. 0006C6BC: 60000000 nop
  1436.  
  1437. 0006C704: 60000000 nop
  1438.  
  1439. 0006C7E8: 60000000 nop
  1440.  
  1441. 0006C834: 60000000 nop
  1442.  
  1443. 0006C868: 60000000 nop
  1444.  
  1445. 0006C890: 60000000 nop
  1446.  
  1447. 0006C8C8: 60000000 nop
  1448.  
  1449. 0006CA54: 60000000 nop
  1450.  
  1451. 0006CA80: 60000000 nop
  1452.  
  1453. 0006CAAC: 60000000 nop
  1454.  
  1455. 0006CB68: 60000000 nop
  1456.  
  1457. 0006CBA4: 60000000 nop
  1458.  
  1459. 0006CBDC: 60000000 nop
  1460.  
  1461. 0006CC14: 60000000 nop
  1462.  
  1463. 0006CC4C: 60000000 nop
  1464.  
  1465. 0006CEF4: 60000000 nop
  1466.  
  1467. 0006CF08: 60000000 nop
  1468.  
  1469. 0006CF58: 60000000 nop
  1470.  
  1471. 0006CF9C: 60000000 nop
  1472.  
  1473. 0006CFB0: 60000000 nop
  1474.  
  1475. 0006CFC4: 60000000 nop
  1476.  
  1477. 0006CFD8: 60000000 nop
  1478.  
  1479. 0006D004: 60000000 nop
  1480.  
  1481. 0006D018: 60000000 nop
  1482.  
  1483. 0006D0BC: 60000000 nop
  1484.  
  1485. I played the game, and these are all of the things I noticed:
  1486.  
  1487. Everything had 99,999,999 HP, SP, ATK, DEF, INT, RES, HIT, and SPD.
  1488. Everything was at level 9,999, and its EXP was at its max.
  1489. Everything had 32 MOV, 99 JMP, 9 Attack Range, 9 Counters, 9 Lift/Throw Range, 5% Critical, and 99% Fire, Wind, and Ice.
  1490. I couldn't create or reincarnate characters because a menu in the stuff didn't appear, and I couldn't back out of it either.
  1491. I selected an enemy and the game froze.
  1492. Nothing could be damaged, SP couldn't be decreased, and Counters couldn't be decreased.
  1493. All aptitudes were at 255%.
  1494.  
1495. Since I know all of those values are the same for every character except for each character's max EXP amount (and I'm not sure about the Critical thing), I'll just check for the ones with specific max values first. Here were the ones that had instances of "0009 cmp", and a bit of explaining:
  1496.  
  1497. 0006B56C: 2B800009 cmplwi cr7,r0,9 It's comparing whatever value register "r0" is to the number 9.
  1498. 0006B570: 409D000C ble- cr7,0x6b57c If "r0" was less than or equal to 9, then skip the next 2 lines of code.
  1499. 0006B574: 38000009 li r0,9 "r0" was greater than 9, so set register "r0" to the value 9.
  1500. 0006B578: 98180ACA stb r0,2762(r24) "r0" was greater than 9, so store register "r0", which is now 9, to the offset $0ACA of register "r24".
  1501.  
  1502. 0006CBD8: 2FA90009 cmpdi cr7,r9,9 It's comparing whatever value register "r9" is to the number 9.
  1503. 0006CBDC: 409D000C ble- cr7,0x6cbe8 If "r9" was less than or equal to 9, then skip the next 2 lines of code.
  1504. 0006CBE0: 39200009 li r9,9 "r9" was greater than 9, so set register "r9" to the value 9.
  1505. 0006CBE4: 48000010 b 0x6cbf4 "r9" was greater than 9, and now it's going to jump to address 0x0006CBF4 and continue doing whatever.
  1506.  
  1507. 0006CC10: 2FA90009 cmpdi cr7,r9,9 It's comparing whatever value register "r9" is to the number 9.
  1508. 0006CC14: 409D000C ble- cr7,0x6cc20 If "r9" was less than or equal to 9, then skip the next 2 lines of code.
  1509. 0006CC18: 39200009 li r9,9 "r9" was greater than 9, so set register "r9" to the value 9.
  1510. 0006CC1C: 48000010 b 0x6cc2c "r9" was greater than 9, and now it's going to jump to address 0x0006CC2C and continue doing whatever.
  1511.  
  1512. 0006CF98: 2B800009 cmplwi cr7,r0,9 It's comparing whatever value register "r0" is to the number 9.
  1513. 0006CF9C: 409D000C ble- cr7,0x6cfa8 If "r0" was less than or equal to 9, then skip the next 2 lines of code.
  1514. 0006CFA0: 38000009 li r0,9 "r0" was greater than 9, so set register "r0" to the value 9.
  1515. 0006CFA4: 98180AC9 stb r0,2761(r24) "r0" was greater than 9, so store register "r0", which is now 9, to the offset $0AC9 of register "r24".
  1516.  
  1517. 0006CFAC: 2B800009 cmplwi cr7,r0,9 It's comparing whatever value register "r0" is to the number 9.
  1518. 0006CFB0: 409D000C ble- cr7,0x6cfbc If "r0" was less than or equal to 9, then skip the next 2 lines of code.
  1519. 0006CFB4: 38000009 li r0,9 "r0" was greater than 9, so set register "r0" to the value 9.
  1520. 0006CFB8: 98180ACA stb r0,2762(r24) "r0" was greater than 9, so store register "r0", which is now 9, to the offset $0ACA of register "r24".
  1521.  
  1522. 0006CFD4: 2B800009 cmplwi cr7,r0,9 It's comparing whatever value register "r0" is to the number 9.
  1523. 0006CFD8: 409D000C ble- cr7,0x6cfe4 If "r0" was less than or equal to 9, then skip the next 2 lines of code.
  1524. 0006CFDC: 38000009 li r0,9 "r0" was greater than 9, so set register "r0" to the value 9.
  1525. 0006CFE0: 98180AD6 stb r0,2774(r24) "r0" was greater than 9, so store register "r0", which is now 9, to the offset $0AD6 of register "r24".
  1526.  
  1527. That's the 6 of them. This is how I'll change them:
  1528.  
  1529. 0006B56C: 2B800009 cmplwi cr7,r0,9
  1530. 0006B570: 60000000 nop No more branching depending on whether register "r0" was less than or equal to 9.
  1531. 0006B574: 38000001 li r0,1 I'm now setting register "r0" to always be 1.
  1532. 0006B578: 98180ACA stb r0,2762(r24)
  1533.  
  1534. 0006CBD8: 2FA90009 cmpdi cr7,r9,9
  1535. 0006CBDC: 60000000 nop No more branching depending on whether register "r9" was less than or equal to 9.
  1536. 0006CBE0: 39200003 li r9,3 I'm now setting register "r9" to always be 3.
  1537. 0006CBE4: 48000010 b 0x6cbf4
  1538.  
  1539. 0006CC10: 2FA90009 cmpdi cr7,r9,9
  1540. 0006CC14: 60000000 nop No more branching depending on whether register "r9" was less than or equal to 9.
  1541. 0006CC18: 39200005 li r9,5 I'm now setting register "r9" to always be 5.
  1542. 0006CC1C: 48000010 b 0x6cc2c
  1543.  
  1544. 0006CF98: 2B800009 cmplwi cr7,r0,9
  1545. 0006CF9C: 60000000 nop No more branching depending on whether register "r0" was less than or equal to 9.
  1546. 0006CFA0: 38000007 li r0,7 I'm now setting register "r0" to always be 7.
  1547. 0006CFA4: 98180AC9 stb r0,2761(r24)
  1548.  
  1549. 0006CFAC: 2B800009 cmplwi cr7,r0,9
  1550. 0006CFB0: 60000000 nop No more branching depending on whether register "r0" was less than or equal to 9.
  1551. 0006CFB4: 38000009 li r0,9 I'm now setting register "r0" to always be 9.
  1552. 0006CFB8: 98180ACA stb r0,2762(r24)
  1553.  
  1554. 0006CFD4: 2B800009 cmplwi cr7,r0,9
  1555. 0006CFD8: 60000000 nop No more branching depending on whether register "r0" was less than or equal to 9.
  1556. 0006CFDC: 3800000B li r0,11 I'm now setting register "r0" to always be 11.
  1557. 0006CFE0: 98180AD6 stb r0,2774(r24)
  1558.  
  1559. So I tried all of these and ended up with these:
  1560.  
  1561. All Counter Attacks were 7.
  1562. All Lift/Throw Amounts were 9.
  1563. All Attack Ranges were 11.
  1564. I now know which codes these are.
  1565.  
  1566.  
  1567. Next up, the maximum MOV value was 32, so next is to search for the instances of "0020 cmp". These are all of them:
  1568.  
  1569. 0006CFC0: 2B800020 cmplwi cr7,r0,32 It's comparing whatever value register "r0" is to the number 32.
  1570. 0006CFC4: 409D000C ble- cr7,0x6cfd0 If "r0" was less than or equal to 32, then skip the next 2 lines of code.
  1571. 0006CFC8: 38000020 li r0,32 "r0" was greater than 32, so set register "r0" to the value 32.
  1572. 0006CFCC: 98180AC7 stb r0,2759(r24) "r0" was greater than 32, so store register "r0", which is now 32, to the offset $0AC7 of register "r24".
  1573.  
  1574. That's the only 1 I see. I'll just try setting it to 17 like this:
  1575.  
  1576. 0006CFC0: 2B800020 cmplwi cr7,r0,32
1577. 0006CFC4: 60000000 nop No more branching depending on whether register "r0" was less than or equal to 32.
  1578. 0006CFC8: 38000011 li r0,17 I'm now setting register "r0" to always be 17.
  1579. 0006CFCC: 98180AC7 stb r0,2759(r24)
  1580.  
  1581. I tried it out, and now the MOV value of everything is 17, so I've now found that code too. Next up is the JUMP value and Elemental Resistance values. I'll search for comparisons to 99, which is "0063 cmp". These are what I find:
  1582.  
  1583.  
  1584. 0006B288: 2F990063 cmpwi cr7,r25,99 It's comparing whatever value register "r25" is to the number 99.
  1585. 0006B28C: 409D0008 ble- cr7,0x6b294 If "r25" was less than or equal to 99, then skip the next 1 line of code.
  1586. 0006B290: 3B200063 li r25,99 "r25" was greater than 99, so set register "r25" to the value 99.
  1587. 0006B294: 9B380AC7 stb r25,2759(r24) Store register "r25", which is now 99, to the offset $0AC7 of register "r24".
  1588.  
  1589. 0006B298: 2F9A0063 cmpwi cr7,r26,99 It's comparing whatever value register "r26" is to the number 99.
  1590. 0006B29C: 409D0008 ble- cr7,0x6b2a4 If "r26" was less than or equal to 99, then skip the next 1 line of code.
  1591. 0006B2A0: 3B400063 li r26,99 "r26" was greater than 99, so set register "r26" to the value 99.
  1592. 0006B2A4: 9B580AC5 stb r26,2757(r24) Store register "r26", which is now 99, to the offset $0AC5 of register "r24".
  1593.  
  1594. 0006B4F4: 2B800063 cmplwi cr7,r0,99 It's comparing whatever value register "r0" is to the number 99.
  1595. 0006B4F8: 409D000C ble- cr7,0x6b504 If "r0" was less than or equal to 99, then skip the next 2 lines of code.
  1596. 0006B4FC: 38000063 li r0,99 "r0" was greater than 99, so set register "r0" to the value 99.
  1597. 0006B500: 98180AC7 stb r0,2759(r24) "r0" was greater than 99, so store register "r0", which is now 99, to the offset $0AC7 of register "r24".
  1598.  
  1599. 0006B530: 2F800063 cmpwi cr7,r0,99 It's comparing whatever value register "r0" is to the number 99.
  1600. 0006B534: 409D000C ble- cr7,0x6b540 If "r0" was less than or equal to 99, then skip the next 2 lines of code.
  1601. 0006B538: 38000063 li r0,99 "r0" was greater than 99, so set register "r0" to the value 99.
1602. 0006B53C: 98180AC5 stb r0,2757(r24) "r0" was greater than 99, so store register "r0", which is now 99, to the offset $0AC5 of register "r24".
  1603.  
  1604. 0006C04C: 2B800063 cmplwi cr7,r0,99 It's comparing whatever value register "r0" is to the number 99.
  1605. 0006C050: 409D000C ble- cr7,0x6c05c If "r0" was less than or equal to 99, then skip the next 2 lines of code.
  1606. 0006C054: 38000063 li r0,99 "r0" was greater than 99, so set register "r0" to the value 99.
  1607. 0006C058: 98180AC7 stb r0,2759(r24) "r0" was greater than 99, so store register "r0", which is now 99, to the offset $0AC7 of register "r24".
  1608.  
  1609. 0006C098: 2B800063 cmplwi cr7,r0,99 It's comparing whatever value register "r0" is to the number 99.
  1610. 0006C09C: 409D000C ble- cr7,0x6c0a8 If "r0" was less than or equal to 99, then skip the next 2 lines of code.
  1611. 0006C0A0: 38000063 li r0,99 "r0" was greater than 99, so set register "r0" to the value 99.
  1612. 0006C0A4: 98180AC7 stb r0,2759(r24) "r0" was greater than 99, so store register "r0", which is now 99, to the offset $0AC7 of register "r24".
  1613.  
  1614. 0006CA50: 2FA00063 cmpdi cr7,r0,99 It's comparing whatever value register "r0" is to the number 99.
  1615. 0006CA54: 409D000C ble- cr7,0x6ca60 If "r0" was less than or equal to 99, then skip the next 2 lines of code.
  1616. 0006CA58: 38000063 li r0,99 "r0" was greater than 99, so set register "r0" to the value 99.
  1617. 0006CA5C: 48000010 b 0x6ca6c "r0" was greater than 99, and now it's going to jump to address 0x0006CA6C and continue doing whatever.
  1618.  
  1619. 0006CA7C: 2FA00063 cmpdi cr7,r0,99 It's comparing whatever value register "r0" is to the number 99.
  1620. 0006CA80: 409D000C ble- cr7,0x6ca8c If "r0" was less than or equal to 99, then skip the next 2 lines of code.
  1621. 0006CA84: 38000063 li r0,99 "r0" was greater than 99, so set register "r0" to the value 99.
  1622. 0006CA88: 48000010 b 0x6ca98 "r0" was greater than 99, and now it's going to jump to address 0x0006CA98 and continue doing whatever.
  1623.  
  1624. 0006CAA8: 2FA00063 cmpdi cr7,r0,99 It's comparing whatever value register "r0" is to the number 99.
  1625. 0006CAAC: 409D000C ble- cr7,0x6cab8 If "r0" was less than or equal to 99, then skip the next 2 lines of code.
  1626. 0006CAB0: 38000063 li r0,99 "r0" was greater than 99, so set register "r0" to the value 99.
  1627. 0006CAB4: 48000010 b 0x6cac4 "r0" was greater than 99, and now it's going to jump to address 0x0006CAC4 and continue doing whatever.
  1628.  
  1629. 0006CB64: 2FA00063 cmpdi cr7,r0,99 It's comparing whatever value register "r0" is to the number 99.
  1630. 0006CB68: 409D000C ble- cr7,0x6cb74 If "r0" was less than or equal to 99, then skip the next 2 lines of code.
  1631. 0006CB6C: 38000063 li r0,99 "r0" was greater than 99, so set register "r0" to the value 99.
  1632. 0006CB70: 48000010 b 0x6cb80 "r0" was greater than 99, and now it's going to jump to address 0x0006CB80 and continue doing whatever.
  1633.  
  1634. 0006CBA0: 2FA00063 cmpdi cr7,r0,99 It's comparing whatever value register "r0" is to the number 99.
  1635. 0006CBA4: 409D000C ble- cr7,0x6cbb0 If "r0" was less than or equal to 99, then skip the next 2 lines of code.
  1636. 0006CBA8: 38000063 li r0,99 "r0" was greater than 99, so set register "r0" to the value 99.
  1637. 0006CBAC: 48000010 b 0x6cbbc "r0" was greater than 99, and now it's going to jump to address 0x0006CBBC and continue doing whatever.
  1638.  
  1639. 0006CC48: 2FA90063 cmpdi cr7,r9,99 It's comparing whatever value register "r9" is to the number 99.
  1640. 0006CC4C: 409D000C ble- cr7,0x6cc58 If "r9" was less than or equal to 99, then skip the next 2 lines of code.
  1641. 0006CC50: 39200063 li r9,99 "r9" was greater than 99, so set register "r9" to the value 99.
  1642. 0006CC54: 48000010 b 0x6cc64 "r9" was greater than 99, and now it's going to jump to address 0x0006CC64 and continue doing whatever.
  1643.  
  1644. 0006CF54: 2FA00063 cmpdi cr7,r0,99 It's comparing whatever value register "r0" is to the number 99.
  1645. 0006CF58: 409D0008 ble- cr7,0x6cf60 If "r0" was less than or equal to 99, then skip the next line of code.
  1646. 0006CF5C: F8E90000 std r7,0(r9) "r0" was greater than 99, so store whatever register "r7" is to the offset $0000 of register "r9".
  1647.  
  1648. I'm now just going to cancel the branches again and change the values of the "li" operations.
  1649.  
  1650. 0006B288: 2F990063 cmpwi cr7,r25,99
  1651. 0006B28C: 60000000 nop No more branching depending on whether register "r25" was less than or equal to 99.
  1652. 0006B290: 3B200001 li r25,1 I'm now setting register "r25" to always be 1.
  1653. 0006B294: 9B380AC7 stb r25,2759(r24)
  1654.  
  1655. 0006B298: 2F9A0063 cmpwi cr7,r26,99
  1656. 0006B29C: 60000000 nop No more branching depending on whether register "r26" was less than or equal to 99.
  1657. 0006B2A0: 3B400003 li r26,3 I'm now setting register "r26" to always be 3.
  1658. 0006B2A4: 9B580AC5 stb r26,2757(r24)
  1659.  
  1660. 0006B4F4: 2B800063 cmplwi cr7,r0,99
  1661. 0006B4F8: 60000000 nop No more branching depending on whether register "r0" was less than or equal to 99.
  1662. 0006B4FC: 38000005 li r0,5 I'm now setting register "r0" to always be 5.
  1663. 0006B500: 98180AC7 stb r0,2759(r24)
  1664.  
  1665. 0006B530: 2F800063 cmpwi cr7,r0,99
  1666. 0006B534: 60000000 nop No more branching depending on whether register "r0" was less than or equal to 99.
  1667. 0006B538: 38000007 li r0,7 I'm now setting register "r0" to always be 7.
  1668. 0006B53C: 98180AC5 stb r0,2757(r24)
  1669.  
  1670. 0006C04C: 2B800063 cmplwi cr7,r0,99
  1671. 0006C050: 60000000 nop No more branching depending on whether register "r0" was less than or equal to 99.
  1672. 0006C054: 38000009 li r0,9 I'm now setting register "r0" to always be 9.
  1673. 0006C058: 98180AC7 stb r0,2759(r24)
  1674.  
  1675. 0006C098: 2B800063 cmplwi cr7,r0,99
  1676. 0006C09C: 60000000 nop No more branching depending on whether register "r0" was less than or equal to 99.
  1677. 0006C0A0: 3800000B li r0,11 I'm now setting register "r0" to always be 11.
  1678. 0006C0A4: 98180AC7 stb r0,2759(r24)
  1679.  
  1680. 0006CA50: 2FA00063 cmpdi cr7,r0,99
  1681. 0006CA54: 60000000 nop No more branching depending on whether register "r0" was less than or equal to 99.
  1682. 0006CA58: 3800000D li r0,13 I'm now setting register "r0" to always be 13.
  1683. 0006CA5C: 48000010 b 0x6ca6c
  1684.  
  1685. 0006CA7C: 2FA00063 cmpdi cr7,r0,99
  1686. 0006CA80: 60000000 nop No more branching depending on whether register "r0" was less than or equal to 99.
  1687. 0006CA84: 3800000F li r0,15 I'm now setting register "r0" to always be 15.
  1688. 0006CA88: 48000010 b 0x6ca98
  1689.  
  1690. 0006CAA8: 2FA00063 cmpdi cr7,r0,99
  1691. 0006CAAC: 60000000 nop No more branching depending on whether register "r0" was less than or equal to 99.
  1692. 0006CAB0: 38000011 li r0,17 I'm now setting register "r0" to always be 17.
  1693. 0006CAB4: 48000010 b 0x6cac4
  1694.  
  1695. 0006CB64: 2FA00063 cmpdi cr7,r0,99
  1696. 0006CB68: 60000000 nop No more branching depending on whether register "r0" was less than or equal to 99.
  1697. 0006CB6C: 38000013 li r0,19 I'm now setting register "r0" to always be 19.
  1698. 0006CB70: 48000010 b 0x6cb80
  1699.  
  1700. 0006CBA0: 2FA00063 cmpdi cr7,r0,99
  1701. 0006CBA4: 60000000 nop No more branching depending on whether register "r0" was less than or equal to 99.
  1702. 0006CBA8: 38000015 li r0,21 I'm now setting register "r0" to always be 21.
  1703. 0006CBAC: 48000010 b 0x6cbbc
  1704.  
  1705. 0006CC48: 2FA90063 cmpdi cr7,r9,99
  1706. 0006CC4C: 60000000 nop No more branching depending on whether register "r9" was less than or equal to 99.
  1707. 0006CC50: 39200017 li r9,23 I'm now setting register "r9" to always be 23.
  1708. 0006CC54: 48000010 b 0x6cc64
  1709.  
  1710. 0006CF54: 2FA00063 cmpdi cr7,r0,99
  1711. 0006CF58: 38E00019 li r7,25 No more branching depending on whether register "r0" was less than or equal to 99. I changed it to a "li" operation and gave register "r7" the value 25.
  1712. 0006CF5C: F8E90000 std r7,0(r9)
  1713.  
  1714. I tried those out, and I noticed the elemental resistances were all 25%, and all JUMP values were now 3. Found 2 more codes. Next up is the aptitudes that were all 255%. I'll just search for ones that compared something to the value 255 and change them to remove the branch and set a custom value that will tell me which 1 is the correct code. Just search for instances of "00FF cmp".
  1715.  
  1716. 0006AE90: 2FA000FF cmpdi cr7,r0,255 It's comparing whatever value register "r0" is to the number 255.
  1717. 0006AE94: 409D0008 ble- cr7,0x6ae9c If "r0" was less than or equal to 255, then skip the next line of code.
  1718. 0006AE98: F8E90000 std r7,0(r9) "r0" was greater than 255, so store whatever register "r7" is to the offset $0000 of register "r9".
  1719.  
  1720. I guess that's the only instance of it. I guess I'll just try giving it a value and hope it's the code for the aptitudes.
  1721.  
  1722. 0006AE90: 2FA000FF cmpdi cr7,r0,255
  1723. 0006AE94: 38E00003 li r7,3 No more branching depending on whether register "r0" was less than or equal to 255. I changed it to a "li" operation and gave register "r7" the value 3.
  1724. 0006AE98: F8E90000 std r7,0(r9)
  1725.  
  1726. I tried it, and all aptitudes were set to 3%. Another code found. Next up is the level modifier, which puts everything's level up to 9,999. I'm going to search for instances of "270F cmp" again, remove the branches, and change or add a "li" operation to give it a certain value so I can tell which code does the effect.
  1727.  
  1728. Never mind that, there isn't one. Instead, I'll now search for "2710 cmp". No result. I did a search for "270E cmp", and ended up with 1 result that wasn't one of the ones we found with the first search of "blt" and "ble".
  1729.  
  1730. 0006A430: 2F84270E cmpwi cr7,r4,9998
  1731. 0006A434: 419D2C14 bgt- cr7,0x6d048
  1732.  
  1733. Looking at this, it checks if something is larger than 9,998, and if it is, it jumps to address 0x0006D048. I changed the 9,998 to 0 with:
  1734.  
  1735. 0006A430: 2F840000 cmpwi cr7,r4,0
  1736. 0006A434: 419D2C14 bgt- cr7,0x6d048
  1737.  
  1738. I tried that, and everyone was at level 9,999. I checked, and their actual EXP increased to its maximum amount, but my stats didn't increase, and I didn't unlock new special moves for my characters.
  1739.  
  1740. I then went to address 0x0006D048, which was where the code jumped to because unit levels were greater than 0. This is what was there:
  1741.  
  1742. 0006D048: 3800270F li r0,9999 Register "r0" is now 9,999
  1743. 0006D04C: B0180AAC sth r0,2732(r24) Register "r0", which is 9,999, is 2 bytes and stored at offset $0AAC of register "r24".
  1744. 0006D050: A0780AB4 lhz r3,2740(r24) Load 2 bytes at offset $0AB4 of register $r24.
  1745. 0006D054: 7C630734 extsh r3,r3 Don't know what this operation does. I'm guessing it's like the "mr" operation, but it sign extends a number.
  1746. 0006D058: 3880270F li r4,9999 Register $r4 is now 9,999.
  1747. 0006D05C: 4801DC31 bl 0x8ac8c Branch and link to another function starting at address 0x0008AC8C.
  1748. 0006D060: 60000000 nop
  1749. 0006D064: F8780000 std r3,0(r24) Store 8 byte register $r3 at offset $0000 of register $r24.
  1750. 0006D068: 4BFFD580 b 0x6a5e8 Jump to address 0x0006A5E8.
  1751.  
  1752. Still having the previous modification of changing the comparison operation to compare to 0 instead of 9,998, I then change this line:
  1753.  
  1754. 0006D048: 3800270F li r0,9999 Register "r0" is now 9,999
  1755.  
  1756. I change it to 2:
  1757.  
  1758. 0006D048: 38000002 li r0,2 Register "r0" is now 2
  1759.  
  1760. I try that, and every unit is at level 2. That's another code found, but it doesn't seem to have the effects that come with the levels. Next up I'm going to find the code that gave me the max EXP. The part that makes this harder than the rest is that different characters have different possible max amounts of EXP. However, we know that the amount of EXP a unit has determines its level, and we know a unit's level is 2 bytes at offset $0AAC, so we'll look close by for things that add a level. I'll search for a write to that offset with "0AAC sth". These are the results:
  1761.  
  1762. 0006A464: B1380AAC sth r9,2732(r24)
  1763.  
  1764. 0006D04C: B0180AAC sth r0,2732(r24)
  1765.  
  1766. Only 2 results, and we already found the result at address 0x0006D04C is used to set the level 9,999 limit, so odds are the other result is for normal leveling. So I'm looking at this, and some of it was from the earlier level 9,999 code:
  1767.  
  1768. 0006A428: A0180AAC lhz r0,2732(r24) The level of a unit is 2 bytes and loaded to register $r0 from offset $0AAC of register $r24.
  1769. 0006A42C: 7C040734 extsh r4,r0 Don't know, but it seems to do the same thing as "mr", so now $r0 & $r4 are the same.
  1770. 0006A430: 2F84270E cmpwi cr7,r4,9998 Comparing the unit's level to 9,998.
  1771. 0006A434: 419D2C14 bgt- cr7,0x6d048 If a unit's level is greater than 9,998, it branches to a function that sets it to 9,999.
  1772. 0006A438: EBB80000 ld r29,0(r24) I don't know what this is, but it's 8 bytes.
  1773. 0006A43C: A0780AB4 lhz r3,2740(r24) This thing is close to the offset of a character's level, but I don't know what it is.
  1774. 0006A440: 38840001 addi r4,r4,1 $r4 is the level, and this adds +1 to it.
  1775. 0006A444: 7C630734 extsh r3,r3 Don't know, but it's 2 bytes from offset $0AB4.
  1776. 0006A448: 7C8407B4 extsw r4,r4 I'm guessing this operation just sign extends things. Nothing important, $r4 is $r4.
  1777. 0006A44C: 48020841 bl 0x8ac8c Go to another function starting at address 0x0008AC8C, do stuff, return to address 0x0006A450.
  1778. 0006A450: 60000000 nop
  1779. 0006A454: 7FBD1800 cmpd cr7,r29,r3 Compare $r29 to $r3, and it's 8 bytes.
  1780. 0006A458: 419C0190 blt- cr7,0x6a5e8 If $r29 is less than $r3, jump to address 0x0006A5E8.
  1781. 0006A45C: A1380AAC lhz r9,2732(r24) The level of a unit is 2 bytes and loaded to register $r9 from offset $0AAC of register $r24.
  1782. 0006A460: 39290001 addi r9,r9,1 This adds 1 to the current level of a unit.
  1783. 0006A464: B1380AAC sth r9,2732(r24) This stores the new level, which is $r9, to offset $0AAC of register $r24.
  1784.  
  1785. Looking at all of this, I'm guessing those last 5 lines compare EXP to the next amount of EXP required to level up, and adds a level if it gets high enough. I'm guessing that the "bl 0x8ac8c" goes to the code that calculates how much EXP is required for the next level up. To check this stuff, I changed this line:
  1786.  
  1787. 0006A460: 39290001 addi r9,r9,1
  1788.  
  1789. I gave it a specific value, 3.
  1790.  
  1791. 0006A460: 39200003 li r9,3
  1792.  
  1793. I tried the game with this, and when any unit leveled up, its level became 3 even if it was already higher than 3. I now know that comparison branch determines if you've reached the correct amount of EXP to level up. You level up if $r29 is greater than or equal to $r3, so $r29 must be the amount of EXP something has. I then changed that line back to what it was and then removed the branch:
  1794.  
  1795. 0006A458: 419C0190 blt- cr7,0x6a5e8
  1796.  
  1797. That became this:
  1798.  
  1799. 0006A458: 60000000 nop
  1800.  
  1801. Every unit was leveled up to 9,999, their EXP was maxed out, and their stats increased. The only problem was I didn't get my new special moves. Something in this whole function gave me the specials, and I'm not sure of what to do. I'm going to find something that affects the EXP specifically rather than the level of a unit. From above, I learned that $r29 was my current EXP.
  1802.  
  1803. 0006A438: EBB80000 ld r29,0(r24) I don't know what this is, but it's 8 bytes.
  1804. 0006A43C: A0780AB4 lhz r3,2740(r24) This thing is close to the offset of a character's level, but I don't know what it is.
  1805. 0006A440: 38840001 addi r4,r4,1 $r4 is the level, and this adds +1 to it.
  1806. 0006A444: 7C630734 extsh r3,r3 Don't know, but it's 2 bytes from offset $0AB4.
  1807. 0006A448: 7C8407B4 extsw r4,r4 I'm guessing this operation just sign extends things. Nothing important, $r4 is $r4.
  1808. 0006A44C: 48020841 bl 0x8ac8c Go to another function starting at address 0x0008AC8C, do stuff, return to address 0x0006A450.
  1809. 0006A450: 60000000 nop
  1810. 0006A454: 7FBD1800 cmpd cr7,r29,r3 Compare $r29 to $r3, and it's 8 bytes.
  1811. 0006A458: 419C0190 blt- cr7,0x6a5e8 If $r29 is less than $r3, jump to address 0x0006A5E8.
  1812.  
  1813. From the 1st line, $r29 is 8 bytes loaded from offset $0000 of register $r24. To test that this is correct, I create a value and store it at that offset like this:
  1814.  
  1815. 0006A434: 3BA00005 li r29,5
  1816. 0006A438: FBB80000 std r29,0(r24)
  1817.  
  1818. I play the game, and everyone has exactly 5 EXP. So I now know offset $0000 is the offset for EXP, which sucks because that has to be the most commonly used offset of anything for every game on every console. Ignoring that, I'm going to check every instance of "0000 std" and give them a specific value to store. These are what I find:
  1819.  
  1820. 0006A5C0: F81B0000 std r0,0(r27)
  1821.  
  1822. 0006A844: F80B0000 std r0,0(r11)
  1823.  
  1824. 0006A85C: F80A0000 std r0,0(r10)
  1825.  
  1826. 0006A870: F92A0000 std r9,0(r10)
  1827.  
  1828. 0006A9C8: F80B0000 std r0,0(r11)
  1829.  
  1830. 0006A9D4: F90B0000 std r8,0(r11)
  1831.  
  1832. 0006ACCC: FB9D0000 std r28,0(r29)
  1833.  
  1834. 0006AD64: F8090000 std r0,0(r9)
  1835.  
  1836. 0006ADD0: F8090000 std r0,0(r9)
  1837.  
  1838. 0006AE14: F9490000 std r10,0(r9)
  1839.  
  1840. 0006AE58: F9490000 std r10,0(r9)
  1841.  
  1842. 0006AE98: F8E90000 std r7,0(r9)
  1843.  
  1844. 0006B1FC: F80B0000 std r0,0(r11)
  1845.  
  1846. 0006B484: F80B0000 std r0,0(r11)
  1847.  
  1848. 0006C0F0: F92B0000 std r9,0(r11)
  1849.  
  1850. 0006C148: F80B0000 std r0,0(r11)
  1851.  
  1852. 0006C910: F96A0000 std r11,0(r10)
  1853.  
  1854. 0006CCB0: F8090000 std r0,0(r9)
  1855.  
  1856. 0006CCF4: F8090000 std r0,0(r9)
  1857.  
  1858. 0006CD4C: F8090000 std r0,0(r9)
  1859.  
  1860. 0006CE5C: F92B0000 std r9,0(r11)
  1861.  
  1862. 0006CE68: F8CB0000 std r6,0(r11)
  1863.  
  1864. 0006CEEC: F8A90000 std r5,0(r9)
  1865.  
  1866. 0006CF0C: F9690000 std r11,0(r9)
  1867.  
  1868. 0006CF14: F80A0000 std r0,0(r10)
  1869.  
  1870. 0006CF5C: F8E90000 std r7,0(r9)
  1871.  
  1872. 0006CF70: F8090000 std r0,0(r9)
  1873.  
  1874. 0006D064: F8780000 std r3,0(r24)
  1875.  
  1876. That's all 28 of them. Now I just create a "li" operation before all of them with a specific value and hope the game doesn't freeze or anything because I'm too lazy to check if I'm messing up something obvious.
  1877.  
  1878. 0006A5C0: 60000000 nop
  1879.  
  1880. 0006A844: 60000000 nop
  1881.  
  1882. 0006A85C: 60000000 nop
  1883.  
  1884. 0006A870: 60000000 nop
  1885.  
  1886. 0006A9C8: 60000000 nop
  1887.  
  1888. 0006A9D4: 60000000 nop
  1889.  
  1890. 0006ACCC: 60000000 nop
  1891.  
  1892. 0006AD64: 60000000 nop
  1893.  
  1894. 0006ADD0: 60000000 nop
  1895.  
  1896. 0006AE14: 60000000 nop
  1897.  
  1898. 0006AE58: 60000000 nop
  1899.  
  1900. 0006AE98: 60000000 nop
  1901.  
  1902. 0006B1FC: 60000000 nop
  1903.  
  1904. 0006B484: 60000000 nop
  1905.  
  1906. 0006C0F0: 60000000 nop
  1907.  
  1908. 0006C148: 60000000 nop
  1909.  
  1910. 0006C910: 60000000 nop
  1911.  
  1912. 0006CCB0: 60000000 nop
  1913.  
  1914. 0006CCF4: 60000000 nop
  1915.  
  1916. 0006CD4C: 60000000 nop
  1917.  
  1918. 0006CE5C: 60000000 nop
  1919.  
  1920. 0006CE68: 60000000 nop
  1921.  
  1922. 0006CEEC: 60000000 nop
  1923.  
  1924. 0006CF0C: 60000000 nop
  1925.  
  1926. 0006CF14: 60000000 nop
  1927.  
  1928. 0006CF5C: 60000000 nop
  1929.  
  1930. 0006CF70: 60000000 nop
  1931.  
  1932. 0006D064: 60000000 nop
  1933.  
  1934. I tried that out, and did things that normally increase a unit's EXP. So I kill an enemy with 1 unit, kill an enemy with a team attack, kill an enemy with a tower attack, heal something, create a new character, and reincarnate a character, since those are the only things I can think of that increase EXP. I did that stuff, and nothing happened. Now I don't know what to do for sure. I looked at other codes, and Skiller found the code for max mana after a single unit kills anything. You get mana when you kill something, and you also get EXP when you kill something, so I'm hoping they are in the same area.
  1935.  
  1936. Max Mana After 1 Unit Kills Anything (Found by Skiller)
  1937. 000C5210 7F890040
  1938.  
  1939. I first go to address 0x000C5210. I search for the 1st instance of "blr" above and below that address so I know the size of the entire function. So the function starts at 0x000C2ADC and ends at 0x000C73F4. So I go to address 0x000C2ADC and start searching for instances of "0000 std". These are what I encountered:
  1940.  
  1941. 000C55A0: F81C0000 std r0,0(r28)
  1942.  
  1943. 000C55B4: F93C0000 std r9,0(r28)
  1944.  
  1945. 000C56E4: F8090000 std r0,0(r9)
  1946.  
  1947. 000C56F8: F9690000 std r11,0(r9)
  1948.  
  1949. 000C5708: F8090000 std r0,0(r9)
  1950.  
  1951. 000C5724: F9230000 std r9,0(r3)
  1952.  
  1953. 000C5734: F80B0000 std r0,0(r11)
  1954.  
  1955. 000C5750: F9230000 std r9,0(r3)
  1956.  
  1957. 000C5940: F81F0000 std r0,0(r31)
  1958.  
  1959. 000C5954: F93F0000 std r9,0(r31)
  1960.  
  1961. 000C5A84: F8090000 std r0,0(r9)
  1962.  
  1963. 000C5A98: F9690000 std r11,0(r9)
  1964.  
  1965. 000C5AA8: F8090000 std r0,0(r9)
  1966.  
  1967. 000C5AC4: F92B0000 std r9,0(r11)
  1968.  
  1969. 000C5AD4: F8090000 std r0,0(r9)
  1970.  
  1971. 000C5AF0: F92B0000 std r9,0(r11)
  1972.  
  1973. 000C5C0C: F81F0000 std r0,0(r31)
  1974.  
  1975. 000C5C20: F93F0000 std r9,0(r31)
  1976.  
  1977. 000C5D50: F8090000 std r0,0(r9)
  1978.  
  1979. 000C5D64: F9690000 std r11,0(r9)
  1980.  
  1981. 000C5D74: F8090000 std r0,0(r9)
  1982.  
  1983. 000C5D90: F92B0000 std r9,0(r11)
  1984.  
  1985. 000C5DA0: F80B0000 std r0,0(r11)
  1986.  
  1987. 000C5DBC: F92B0000 std r9,0(r11)
  1988.  
  1989. 000C6C94: F8090000 std r0,0(r9)
  1990.  
  1991. 000C6CA8: F9690000 std r11,0(r9)
  1992.  
  1993. 000C6CB8: F8090000 std r0,0(r9)
  1994.  
  1995. 000C6CD4: F92B0000 std r9,0(r11)
  1996.  
  1997. 000C6CE4: F80B0000 std r0,0(r11)
  1998.  
  1999. 000C6D00: F92B0000 std r9,0(r11)
  2000.  
  2001. That's all 30 instances of that. Now I'm just going to nop all of them:
  2002.  
  2003. 000C55A0: 60000000 nop
  2004.  
  2005. 000C55B4: 60000000 nop
  2006.  
  2007. 000C56E4: 60000000 nop
  2008.  
  2009. 000C56F8: 60000000 nop
  2010.  
  2011. 000C5708: 60000000 nop
  2012.  
  2013. 000C5724: 60000000 nop
  2014.  
  2015. 000C5734: 60000000 nop
  2016.  
  2017. 000C5750: 60000000 nop
  2018.  
  2019. 000C5940: 60000000 nop
  2020.  
  2021. 000C5954: 60000000 nop
  2022.  
  2023. 000C5A84: 60000000 nop
  2024.  
  2025. 000C5A98: 60000000 nop
  2026.  
  2027. 000C5AA8: 60000000 nop
  2028.  
  2029. 000C5AC4: 60000000 nop
  2030.  
  2031. 000C5AD4: 60000000 nop
  2032.  
  2033. 000C5AF0: 60000000 nop
  2034.  
  2035. 000C5C0C: 60000000 nop
  2036.  
  2037. 000C5C20: 60000000 nop
  2038.  
  2039. 000C5D50: 60000000 nop
  2040.  
  2041. 000C5D64: 60000000 nop
  2042.  
  2043. 000C5D74: 60000000 nop
  2044.  
  2045. 000C5D90: 60000000 nop
  2046.  
  2047. 000C5DA0: 60000000 nop
  2048.  
  2049. 000C5DBC: 60000000 nop
  2050.  
  2051. 000C6C94: 60000000 nop
  2052.  
  2053. 000C6CA8: 60000000 nop
  2054.  
  2055. 000C6CB8: 60000000 nop
  2056.  
  2057. 000C6CD4: 60000000 nop
  2058.  
  2059. 000C6CE4: 60000000 nop
  2060.  
  2061. 000C6D00: 60000000 nop
  2062.  
  2063. I tried that, and my EXP didn't change when I killed anything or used something like heal. Looks like I found the right place. Now I just go to every address just above those and change whatever it is to a "li" operation with the same register and a specific value so I know which addresses are the correct ones.
  2064.  
  2065. 000C559C: 38000001 li r0,1
  2066.  
  2067. 000C55B0: 39200003 li r9,3
  2068.  
  2069. 000C56E0: 38000005 li r0,5
  2070.  
  2071. 000C56F4: 39600007 li r11,7
  2072.  
  2073. 000C5704: 38000009 li r0,9
  2074.  
  2075. 000C5720: 3920000B li r9,11
  2076.  
  2077. 000C5730: 3800000D li r0,13
  2078.  
  2079. 000C574C: 3920000F li r9,15
  2080.  
  2081. 000C593C: 38000011 li r0,17
  2082.  
  2083. 000C5950: 39200013 li r9,19
  2084.  
  2085. 000C5A80: 38000015 li r0,21
  2086.  
  2087. 000C5A94: 39600017 li r11,23
  2088.  
  2089. 000C5AA4: 38000019 li r0,25
  2090.  
  2091. 000C5AC0: 3920001B li r9,27
  2092.  
  2093. 000C5AD0: 3800001D li r0,29
  2094.  
  2095. 000C5AEC: 3920001F li r9,31
  2096.  
  2097. 000C5C08: 38000021 li r0,33
  2098.  
  2099. 000C5C1C: 39200023 li r9,35
  2100.  
  2101. 000C5D4C: 38000025 li r0,37
  2102.  
  2103. 000C5D60: 39600027 li r11,39
  2104.  
  2105. 000C5D70: 38000029 li r0,41
  2106.  
  2107. 000C5D8C: 3920002B li r9,43
  2108.  
  2109. 000C5D9C: 3800002D li r0,45
  2110.  
  2111. 000C5DB8: 3920002F li r9,47
  2112.  
  2113. 000C6C90: 38000031 li r0,49
  2114.  
  2115. 000C6CA4: 39600033 li r11,51
  2116.  
  2117. 000C6CB4: 38000035 li r0,53
  2118.  
  2119. 000C6CD0: 39200037 li r9,55
  2120.  
  2121. 000C6CE0: 38000039 li r0,57
  2122.  
  2123. 000C6CFC: 3920003B li r9,59
  2124.  
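Hand-assembling "li" words like the table above is where encoding slips creep in (the destination register belongs in the RT field, bits 6-10, and RA must be 0, otherwise the word is an "addi" into r0). This checker is an added example, not code from the paste; it only depends on the PowerPC ISA field layout and covers the instruction forms used in these listings: li/addi, cmpwi/cmpdi/cmplwi, the cr7 conditional branches, nop and the stb/sth/std stores.

```python
"""Encoder/decoder for the PowerPC instruction forms that appear in the
listings on this page.  Added example, not part of the original paste; the
opcodes and field positions follow the PowerPC ISA (32-bit big-endian words,
IBM bit numbering where bit 0 is the most significant)."""

# (BO, BI) pairs for the cr7 branches the disassembly on this page shows.
# BI = 4*7 + bit, with bit 0 = LT, 1 = GT, 2 = EQ; BO 4 = "bit false", 12 = "bit true".
_BC_NAMES = {
    (4, 28): "bge- cr7", (4, 29): "ble- cr7", (4, 30): "bne- cr7",
    (12, 28): "blt- cr7", (12, 29): "bgt- cr7", (12, 30): "beq- cr7",
}

def _field(word, hi, lo):
    """Bits hi..lo of a 32-bit word, IBM numbering (bit 0 = MSB)."""
    return (word >> (31 - lo)) & ((1 << (lo - hi + 1)) - 1)

def encode_addi(rt, ra, simm):
    """addi rT,rA,simm: opcode 14, rT in bits 6-10, rA in bits 11-15, simm in 16-31."""
    if not (0 <= rt < 32 and 0 <= ra < 32 and -0x8000 <= simm <= 0x7FFF):
        raise ValueError("field out of range")
    return (14 << 26) | (rt << 21) | (ra << 16) | (simm & 0xFFFF)

def encode_li(rd, simm):
    """li rD,simm is addi rD,0,simm: the register goes in RT and RA is zero."""
    return encode_addi(rd, 0, simm)

def decode(word):
    """Mnemonic for the subset of instructions used on this page."""
    opcd, rt, ra = _field(word, 0, 5), _field(word, 6, 10), _field(word, 11, 15)
    imm = _field(word, 16, 31)
    simm = imm - 0x10000 if imm & 0x8000 else imm
    if word == 0x60000000:                       # ori r0,r0,0 is the canonical nop
        return "nop"
    if opcd == 14:
        return f"li r{rt},{simm}" if ra == 0 else f"addi r{rt},r{ra},{simm}"
    if opcd in (10, 11):                         # cmplwi/cmpldi (10), cmpwi/cmpdi (11)
        crf, long = rt >> 2, rt & 1              # BF in bits 6-8, L (64-bit) in bit 10
        name = {10: ("cmplwi", "cmpldi"), 11: ("cmpwi", "cmpdi")}[opcd][long]
        return f"{name} cr{crf},r{ra},{imm if opcd == 10 else simm}"
    if opcd == 16:                               # bc BO,BI,BD; BD is a signed word offset
        bd = _field(word, 16, 29) << 2
        bd = bd - 0x10000 if bd & 0x8000 else bd
        name = _BC_NAMES.get((rt, ra), f"bc {rt},{ra}")
        return f"{name},{bd:+#x}"
    if opcd == 38:
        return f"stb r{rt},{simm}(r{ra})"
    if opcd == 44:
        return f"sth r{rt},{simm}(r{ra})"
    if opcd == 62 and (word & 3) == 0:           # DS-form std: offset is bits 16-29
        return f"std r{rt},{simm & ~3}(r{ra})"
    raise ValueError(f"opcode {opcd} not handled in this example")

def bc_target(addr, word):
    """For a bc at address addr, return (target address, instructions skipped when
    taken).  An offset of 0x8 skips one instruction, 0xC skips two, and so on."""
    if _field(word, 0, 5) != 16:
        raise ValueError("not a bc instruction")
    bd = _field(word, 16, 29) << 2
    bd = bd - 0x10000 if bd & 0x8000 else bd
    return addr + bd, bd // 4 - 1

def check_li(hexword, rd, simm):
    """Does a hand-assembled word really mean 'li rD,simm'?
    Returns (ok, what the word actually decodes to, the correct hex)."""
    word = int(hexword, 16)
    want = encode_li(rd, simm)
    return word == want, decode(word), f"{want:08X}"

if __name__ == "__main__":
    # Constructed sample: a few words taken from the listings above.
    for addr, hexword in [("0006B534", "409D000C"), ("0006A434", "419D2C14"),
                          ("0006CC50", "39200063"), ("0006C058", "98180AC7")]:
        word = int(hexword, 16)
        line = f"{addr}: {hexword} {decode(word)}"
        if _field(word, 0, 5) == 16:
            target, skipped = bc_target(int(addr, 16), word)
            line += f"  -> 0x{target:X}, skips {skipped} instruction(s)"
        print(line)
    # A word with the register in the RA field instead of RT is not a "li" at all.
    print(check_li("38090003", 9, 3))
```

Running check_li over a table of intended "li" patches before trying them in the game catches the RT/RA mix-up, and bc_target confirms the "skips 1 line / skips 2 lines" reading of the 0008 and 000C branch offsets.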
  2125. I try that out, and anything I do maxes out a unit to level 9,999 with the increased stats and EXP but none of the special attacks. I decide to check the codes I overwrote because I probably erased a bunch of branches that check things. These are the ones that had branches:
  2126.  
  2127. 000C5594: E81C0000 ld r0,0(r28)
  2128. 000C5598: E90101F0 ld r8,496(r1)
  2129. 000C559C: 7C080214 add r0,r8,r0
  2130. 000C55A0: F81C0000 std r0,0(r28)
  2131. 000C55A4: 3D200100 lis r9,256
  2132. 000C55A8: 792907C6 rldcl r9,r9,r0,62
  2133. 000C55AC: 7FA04800 cmpd cr7,r0,r9
  2134. 000C55B0: 409D0008 ble- cr7,0xc55b8
  2135. 000C55B4: F93C0000 std r9,0(r28)
  2136.  
  2137. 000C56DC: E8090000 ld r0,0(r9)
  2138. 000C56E0: 7C110214 add r0,r17,r0
  2139. 000C56E4: F8090000 std r0,0(r9)
  2140. 000C56E8: 3D600100 lis r11,256
  2141. 000C56EC: 796B07C6 rldcl r11,r11,r0,62
  2142. 000C56F0: 7FA05800 cmpd cr7,r0,r11
  2143. 000C56F4: 409D0008 ble- cr7,0xc56fc
  2144. 000C56F8: F9690000 std r11,0(r9)
  2145.  
  2146. 000C5718: E8030000 ld r0,0(r3)
  2147. 000C571C: 7FA04800 cmpd cr7,r0,r9
  2148. 000C5720: 409D0034 ble- cr7,0xc5754
  2149. 000C5724: F9230000 std r9,0(r3)
  2150.  
  2151. 000C5744: E8030000 ld r0,0(r3)
  2152. 000C5748: 7FA04800 cmpd cr7,r0,r9
  2153. 000C574C: 409D0008 ble- cr7,0xc5754
  2154. 000C5750: F9230000 std r9,0(r3)
  2155.  
  2156. 000C5938: E81F0000 ld r0,0(r31)
  2157. 000C593C: 7C150214 add r0,r21,r0
  2158. 000C5940: F81F0000 std r0,0(r31)
  2159. 000C5944: 3D200100 lis r9,256
  2160. 000C5948: 792907C6 rldcl r9,r9,r0,62
  2161. 000C594C: 7FA04800 cmpd cr7,r0,r9
  2162. 000C5950: 409D0008 ble- cr7,0xc5958
  2163. 000C5954: F93F0000 std r9,0(r31)
  2164.  
  2165. 000C5A7C: E8090000 ld r0,0(r9)
  2166. 000C5A80: 7C190214 add r0,r25,r0
  2167. 000C5A84: F8090000 std r0,0(r9)
  2168. 000C5A88: 3D600100 lis r11,256
  2169. 000C5A8C: 796B07C6 rldcl r11,r11,r0,62
  2170. 000C5A90: 7FA05800 cmpd cr7,r0,r11
  2171. 000C5A94: 409D0008 ble- cr7,0xc5a9c
  2172. 000C5A98: F9690000 std r11,0(r9)
  2173.  
  2174. 000C5AB8: E80B0000 ld r0,0(r11)
  2175. 000C5ABC: 7FA04800 cmpd cr7,r0,r9
  2176. 000C5AC0: 409D0034 ble- cr7,0xc5af4
  2177. 000C5AC4: F92B0000 std r9,0(r11)
  2178.  
  2179. 000C5AE4: E80B0000 ld r0,0(r11)
  2180. 000C5AE8: 7FA04800 cmpd cr7,r0,r9
  2181. 000C5AEC: 409D0008 ble- cr7,0xc5af4
  2182. 000C5AF0: F92B0000 std r9,0(r11)
  2183.  
  2184. 000C5C04: E81F0000 ld r0,0(r31)
  2185. 000C5C08: 7C150214 add r0,r21,r0
  2186. 000C5C0C: F81F0000 std r0,0(r31)
  2187. 000C5C10: 3D200100 lis r9,256
  2188. 000C5C14: 792907C6 rldcl r9,r9,r0,62
  2189. 000C5C18: 7FA04800 cmpd cr7,r0,r9
  2190. 000C5C1C: 409D0008 ble- cr7,0xc5c24
  2191. 000C5C20: F93F0000 std r9,0(r31)
  2192.  
  2193. 000C5D48: E8090000 ld r0,0(r9)
  2194. 000C5D4C: 7C190214 add r0,r25,r0
  2195. 000C5D50: F8090000 std r0,0(r9)
  2196. 000C5D54: 3D600100 lis r11,256
  2197. 000C5D58: 796B07C6 rldcl r11,r11,r0,62
  2198. 000C5D5C: 7FA05800 cmpd cr7,r0,r11
  2199. 000C5D60: 409D0008 ble- cr7,0xc5d68
  2200. 000C5D64: F9690000 std r11,0(r9)
  2201.  
  2202. 000C5D84: E80B0000 ld r0,0(r11)
  2203. 000C5D88: 7FA04800 cmpd cr7,r0,r9
  2204. 000C5D8C: 409D0034 ble- cr7,0xc5dc0
  2205. 000C5D90: F92B0000 std r9,0(r11)
  2206.  
  2207. 000C5DB0: E80B0000 ld r0,0(r11)
  2208. 000C5DB4: 7FA04800 cmpd cr7,r0,r9
  2209. 000C5DB8: 409D0008 ble- cr7,0xc5dc0
  2210. 000C5DBC: F92B0000 std r9,0(r11)
  2211.  
  2212. 000C6C8C: E8090000 ld r0,0(r9)
  2213. 000C6C90: 7C030214 add r0,r3,r0
  2214. 000C6C94: F8090000 std r0,0(r9)
  2215. 000C6C98: 3D600100 lis r11,256
  2216. 000C6C9C: 796B07C6 rldcl r11,r11,r0,62
  2217. 000C6CA0: 7FA05800 cmpd cr7,r0,r11
  2218. 000C6CA4: 409D0008 ble- cr7,0xc6cac
  2219. 000C6CA8: F9690000 std r11,0(r9)
  2220.  
  2221. 000C6CC8: E80B0000 ld r0,0(r11)
  2222. 000C6CCC: 7FA04800 cmpd cr7,r0,r9
  2223. 000C6CD0: 409D0034 ble- cr7,0xc6d04
  2224. 000C6CD4: F92B0000 std r9,0(r11)
  2225.  
  2226. 000C6CF4: E80B0000 ld r0,0(r11)
  2227. 000C6CF8: 7FA04800 cmpd cr7,r0,r9
  2228. 000C6CFC: 409D0008 ble- cr7,0xc6d04
  2229. 000C6D00: F92B0000 std r9,0(r11)
  2230.  
  2231. That's 15 of them. I undid those ones and tried the game with the other ones that didn't overwrite a branch. This is what I noticed:
  2232.  
  2233. 1. A single unit killing another unit normally or with a special attack always had 45 EXP.
  2234.  
  2235. 2. Units in a group attack or tower attack all got 13 EXP.
  2236.  
  2237. 3. Units that used restorative special stuff like healing or espoir had 57 EXP.
  2238.  
  2239. Out of those, I didn't have the chance to find a place where I could open a treasure chest with EXP in it, but I know one of the other codes changed that too.