Steal-Mii
#1
Steal-Mii

NOTE: Does not work on Wiimmfi due to their security patches.

This code will allow you to steal anybody's Mii and install it to your Mii Channel.

How it works--
1. When Online, whatever Mii you are currently viewing on the globe (or have last viewed on the globe), is the one that will be stolen once you have pressed your activator (fill in X, Y, Z values below).

2. You do NOT need to hold down the activator for a long period of time, just simply press it. You will notice a lag spike for a split second, this is normal. If there was absolutely no lag spike, then the code did not execute.

3. After you have stolen the Mii, simply shutdown your game and go to the Mii Channel, you will see the stolen Mii. If you try to see the Mii (like for license settings), before visiting the Mii Channel, you won't see the stolen Mii, this is normal.

4. If you try to do this on your own Mii, the code will detect this and not execute.

5. The stolen Mii will replace w/e Mii you have in slot 0 of your Mii Channel, aka the first ever Mii that was created/or imported in your Channel. Keep in mind, that if you don't have a Mii in slot 0, a new Mii will be created, thus you don't lose any Miis in this scenario. Yes, I could add a feature to always add the stolen Mii w/o erasing slot 0 Mii (if its present), but that would increase this code's length and it's already long enough.

6. You will NOT be able to edit your stolen Mii in your Mii Channel, to enable this feature would easily double the length of this code, and that's something I don't feel like adding in.

Final NOTE: This code makes use of memory addresses 0x80000A20 thru 0x80000A23. Make sure no other codes in your GCT/Cheat-Manager are using those addresses.



NTSC-U
C274BEC4 00000002
7C0903A6 3CA08000
90C50A20 00000000
040095F4 88030051
2834XXXX YYYYZZZZ
C20095F4 0000003E
3D808000 816C0A20
556A273E 2C0A0008
408201D4 7D8802A6
9421FF80 BC610008
7D785B78 3C600001
6063F1E0 7C791B78
38800020 80ADA358
80A50024 3D808022
618C9490 7D8803A6
4E800021 7C7B1B78
3FA08016 48000029
2F736861 72656432
2F6D656E 752F4661
63654C69 622F5246
4C5F4442 2E646174
00000000 7C6802A6
7C7E1B78 38800001
63BCADBC 7F8803A6
4E800021 2C030000
41800140 7C7F1B78
7F64DB78 7F25CB78
63BCB15C 7F8803A6
4E800021 7C03C800
40820120 7FE3FB78
63BCB2E4 7F8803A6
4E800021 3AFB0003
3AC00049 8EB80001
9EB70001 36D6FFFF
4082FFF4 7F63DB78
3899FFFE 7C661B78
39000000 38600000
48000040 7C690734
7CEB5630 7D2948F8
3800EFDF 7D29FE70
556B07FE 7D290038
5460083C 7D6B0378
39291021 7D295A78
394AFFFF 5523043E
4200FFCC 39080001
7C082000 41820018
38000008 7CE830AE
7C0903A6 39400007
4BFFFFAC 38000010
7C0903A6 7C690734
3800EFDF 7D2948F8
7D29FE70 7D290038
5460083C 39291021
7D290278 5523043E
4200FFDC 3C9B0002
B064F1DE 7FC3F378
38800002 63BCADBC
7F8803A6 4E800021
2C030000 41800034
7C7F1B78 7F64DB78
7F25CB78 63BCB220
7F8803A6 4E800021
7C03C800 40820014
7FE3FB78 63BCB2E4
7F8803A6 4E800021
B8610008 38210080
7D8803A6 88030051
60000000 00000000
E0000000 80008000

PAL
C2751404 00000002
7C0903A6 3CA08000
90C50A20 00000000
04009634 88030051
2834XXXX YYYYZZZZ
C2009634 0000003E
3D808000 816C0A20
556A273E 2C0A0008
408201D4 7D8802A6
9421FF80 BC610008
7D785B78 3C600001
6063F1E0 7C791B78
38800020 80ADA360
80A50024 3D808022
618C9814 7D8803A6
4E800021 7C7B1B78
3FA08016 48000029
2F736861 72656432
2F6D656E 752F4661
63654C69 622F5246
4C5F4442 2E646174
00000000 7C6802A6
7C7E1B78 38800001
63BCAE5C 7F8803A6
4E800021 2C030000
41800140 7C7F1B78
7F64DB78 7F25CB78
63BCB1FC 7F8803A6
4E800021 7C03C800
40820120 7FE3FB78
63BCB384 7F8803A6
4E800021 3AFB0003
3AC00049 8EB80001
9EB70001 36D6FFFF
4082FFF4 7F63DB78
3899FFFE 7C661B78
39000000 38600000
48000040 7C690734
7CEB5630 7D2948F8
3800EFDF 7D29FE70
556B07FE 7D290038
5460083C 7D6B0378
39291021 7D295A78
394AFFFF 5523043E
4200FFCC 39080001
7C082000 41820018
38000008 7CE830AE
7C0903A6 39400007
4BFFFFAC 38000010
7C0903A6 7C690734
3800EFDF 7D2948F8
7D29FE70 7D290038
5460083C 39291021
7D290278 5523043E
4200FFDC 3C9B0002
B064F1DE 7FC3F378
38800002 63BCAE5C
7F8803A6 4E800021
2C030000 41800034
7C7F1B78 7F64DB78
7F25CB78 63BCB2C0
7F8803A6 4E800021
7C03C800 40820014
7FE3FB78 63BCB384
7F8803A6 4E800021
B8610008 38210080
7D8803A6 88030051
60000000 00000000
E0000000 80008000

NTSC-J
C2750A70 00000002
7C0903A6 3CA08000
90C50A20 00000000
04009590 88030051
2834XXXX YYYYZZZZ
C2009590 0000003E
3D808000 816C0A20
556A273E 2C0A0008
408201D4 7D8802A6
9421FF80 BC610008
7D785B78 3C600001
6063F1E0 7C791B78
38800020 80ADA360
80A50024 3D808022
618C9734 7D8803A6
4E800021 7C7B1B78
3FA08016 48000029
2F736861 72656432
2F6D656E 752F4661
63654C69 622F5246
4C5F4442 2E646174
00000000 7C6802A6
7C7E1B78 38800001
63BCAD7C 7F8803A6
4E800021 2C030000
41800140 7C7F1B78
7F64DB78 7F25CB78
63BCB11C 7F8803A6
4E800021 7C03C800
40820120 7FE3FB78
63BCB2A4 7F8803A6
4E800021 3AFB0003
3AC00049 8EB80001
9EB70001 36D6FFFF
4082FFF4 7F63DB78
3899FFFE 7C661B78
39000000 38600000
48000040 7C690734
7CEB5630 7D2948F8
3800EFDF 7D29FE70
556B07FE 7D290038
5460083C 7D6B0378
39291021 7D295A78
394AFFFF 5523043E
4200FFCC 39080001
7C082000 41820018
38000008 7CE830AE
7C0903A6 39400007
4BFFFFAC 38000010
7C0903A6 7C690734
3800EFDF 7D2948F8
7D29FE70 7D290038
5460083C 39291021
7D290278 5523043E
4200FFDC 3C9B0002
B064F1DE 7FC3F378
38800002 63BCAD7C
7F8803A6 4E800021
2C030000 41800034
7C7F1B78 7F64DB78
7F25CB78 63BCB1E0
7F8803A6 4E800021
7C03C800 40820014
7FE3FB78 63BCB2A4
7F8803A6 4E800021
B8610008 38210080
7D8803A6 88030051
60000000 00000000
E0000000 80008000

NTSC-K
C273F7C4 00000002
7C0903A6 3CA08000
90C50A20 00000000
0400973C 88030051
2833XXXX YYYYZZZZ
C200973C 0000003E
3D808000 816C0A20
556A273E 2C0A0008
408201D4 7D8802A6
9421FF80 BC610008
7D785B78 3C600001
6063F1E0 7C791B78
38800020 80ADA380
80A50024 3D808022
618C9B88 7D8803A6
4E800021 7C7B1B78
3FA08016 48000029
2F736861 72656432
2F6D656E 752F4661
63654C69 622F5246
4C5F4442 2E646174
00000000 7C6802A6
7C7E1B78 38800001
63BCAEF8 7F8803A6
4E800021 2C030000
41800140 7C7F1B78
7F64DB78 7F25CB78
63BCB298 7F8803A6
4E800021 7C03C800
40820120 7FE3FB78
63BCB420 7F8803A6
4E800021 3AFB0003
3AC00049 8EB80001
9EB70001 36D6FFFF
4082FFF4 7F63DB78
3899FFFE 7C661B78
39000000 38600000
48000040 7C690734
7CEB5630 7D2948F8
3800EFDF 7D29FE70
556B07FE 7D290038
5460083C 7D6B0378
39291021 7D295A78
394AFFFF 5523043E
4200FFCC 39080001
7C082000 41820018
38000008 7CE830AE
7C0903A6 39400007
4BFFFFAC 38000010
7C0903A6 7C690734
3800EFDF 7D2948F8
7D29FE70 7D290038
5460083C 39291021
7D290278 5523043E
4200FFDC 3C9B0002
B064F1DE 7FC3F378
38800002 63BCAEF8
7F8803A6 4E800021
2C030000 41800034
7C7F1B78 7F64DB78
7F25CB78 63BCB35C
7F8803A6 4E800021
7C03C800 40820014
7FE3FB78 63BCB420
7F8803A6 4E800021
B8610008 38210080
7D8803A6 88030051
60000000 00000000
E0000000 80008000



Code creator: zak

Code credits: RiiDefi (egg alloc), Megazig (all isfs functions), Wannikoko (CRC16 checksum from Mii-Installer)



Source (Store Pointer)
mtctr r0 #Default Instruction
lis r5, 0x8000 #r5 Safe for use, gets overwritten at next address
stw r6, 0x0A20 (r5) #Store Pointer Word to 0x80000A20 for use by other ASM

Source (Attempt to Steal Mii)
#~~~~~~~~~~~~~~~~#
# START ASSEMBLY #
#~~~~~~~~~~~~~~~~#

#

#~~~~~~~~~~~~~~~~~~~~~~#
# Macros and Variables #
#~~~~~~~~~~~~~~~~~~~~~~#

.macro call_link address
    lis r12, \address@h
    ori r12, r12, \address@l
    mtlr r12
    blrl
.endm

.macro call_isfs address
    ori r28, r29, \address@l
    mtlr r28
    blrl
.endm

.macro push_stack
    mflr r12
    stwu r1, -0x0080 (r1)
    stmw r3, 0x8 (r1)
.endm

.macro pop_stack
    lmw r3, 0x8 (r1)
    addi r1, r1, 0x0080
    mtlr r12
.endm

.macro default_instruction
    lbz r0, 0x0051 (r3)
.endm

.set region, '' #Fill in E, P, J, or K within the quotes for your region when Compiling! Lowercase letters can also be used.

.if    (region == 'E' || region == 'e') # RMCE
    .set ISFS_Open, 0xADBC
    .set ISFS_Read, 0xB15C
    .set ISFS_Write, 0xB220
    .set ISFS_Close, 0xB2E4
    .set Wii_Menu, 0x801A87B8
    .set Egg_Alloc, 0x80229490
.elseif (region == 'P' || region == 'p') # RMCP
    .set ISFS_Open, 0xAE5C
    .set ISFS_Read, 0xB1FC
    .set ISFS_Write, 0xB2C0
    .set ISFS_Close, 0xB384
    .set Wii_Menu, 0x801A8858
    .set Egg_Alloc, 0x80229814
.elseif (region == 'J' || region == 'j') # RMCJ
    .set ISFS_Open, 0xAD7C
    .set ISFS_Read, 0xB11C
    .set ISFS_Write, 0xB1E0
    .set ISFS_Close, 0xB2A4
    .set Wii_Menu, 0x801A8778
    .set Egg_Alloc, 0x80229734
.elseif (region == 'K' || region == 'k') # RMCK
    .set ISFS_Open, 0xAEF8
    .set ISFS_Read, 0xB298
    .set ISFS_Write, 0xB35C
    .set ISFS_Close, 0xB420
    .set Wii_Menu, 0x801A8BB4
    .set Egg_Alloc, 0x80229B88
.else # Invalid Region
    .abort
.endif

#~~~~~~~~~~~~~~~~~~~~~~#
# Pointer Check & Load #
#~~~~~~~~~~~~~~~~~~~~~~#

lis r12, 0x8000
lwz r11, 0x0A20 (r12) #Load Pointer
srwi r10, r11, 28 #r10 will now hold 0, 8, or 9
cmpwi r10, 0x8 #Mem80 (8) is valid pointer, Mem90 (9) is your own Mii data, 0 is no pointer loaded
bne- skip_everything

#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
# Push Stack, Move Pointer to r24 #
#  r11 + 1 = Start of Mii Data  #
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#

push_stack
mr r24, r11

#~~~~~~~~~~~~~~~~~~~~~~~#
#    EGG::Heap::alloc  #
#  r3 = Size of Heap  #
#    r4 = Alignment    #
# r5 = System Heap Calc #
#~~~~~~~~~~~~~~~~~~~~~~~#

lis r3, 0x0001 #We don't need to use the entire .dat file, everything after checksum in a shit ton of null bytes
ori r3, r3, 0xF1E0

mr r25, r3 #Backup Size of Data Save for later use of ISFS_Read & ISFS_Write

li r4, 0x20

.if    (region == 'E' || region == 'e')
        lwz r5, -0x5CA8(r13)
.elseif (region == 'P' || region == 'p')
        lwz r5, -0x5CA0(r13)
.elseif (region == 'J' || region == 'j')
        lwz r5, -0x5CA0(r13)
.elseif (region == 'K' || region == 'k')
        lwz r5, -0x5C80(r13)
.endif

lwz r5, 0x0024 (r5)

call_link Egg_Alloc
mr r27, r3 #Backup Heap Address Pointer

#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
#          ISFS_Open          #
#        r3 = File Path        #
# r4 = 0x1 for Read Permissions #
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#

lis r29, 0x8016 #Set 1st half address for all ISFS Functions

bl open_dat

.string "/shared2/menu/FaceLib/RFL_DB.dat\0\0\0"

open_dat:
mflr r3
mr r30, r3 #Backup file path address pointer
li r4, 0x1

call_isfs ISFS_Open
cmpwi r3, 0x0 #r3 should return fd value. If negative value, then error occured.
blt- stack_end

mr r31, r3 #Backup fd for later use of ISFS_Close

#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
#                ISFS_Read                #
#                  r3 = fd                  #
# r4 = Address Pointer to dump read Data to #
#    r5 = Amount of Bytes to read & dump    #
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#

mr r4, r27
mr r5, r25 #Use backed up size arg from Egg Alloc

call_isfs ISFS_Read
cmpw r3, r25 #r3 should return r5's aka r25's value. If negative value, then error occured.
bne- stack_end

#~~~~~~~~~~~~#
# ISFS_Close #
#  r3 = fd  #
#~~~~~~~~~~~~#

mr r3, r31

call_isfs ISFS_Close

#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
# Grab Mii Data & Write it to Heap #
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#

addi r23, r27, 3 #Setup first loop store address, this is on the last byte of the magic of the .dat file, load address is already set (r24+1 = Start of Mii Data)
li r22, 0x49 #0x49 bytes is in Mii Data

mii_loop:
lbzu r21, 0x1 (r24)
stbu r21, 0x1 (r23)
subic. r22, r22, 1
bne+ mii_loop

#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
#    CRC16_CCITT (16bit Checksum)  #
#      r3 = Address to Contents    #
# r4 = Amount (bytes) to use in Sum #
#    r3 returns Halfword Checksum  # 
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#

mr r3, r27
addi r4, r25, -2 #0x1F1E0 - 2 = 0x1F1DE

#Start the CRC16#

mr r6,r3
li r8,0
li r3,0
b CTR_Setup1

Loop1:
extsh r9, r3
sraw r11, r7, r10
not r9,r9
li r0, -0x1021
srawi r9, r9, 31
rlwinm r11, r11, 0, 31, 31
and r9, r9, r0
rlwinm r0, r3, 1, 0, 30
or r11, r11, r0
addi r9, r9, 0x1021
xor r9, r9, r11
subi r10, r10, 1
rlwinm r3, r9, 0, 16, 31
bdnz+ Loop1

addi r8,r8,1

CTR_Setup1:
cmpw r8, r4
beq- CTR_Setup2
li r0, 8
lbzx r7, r8, r6
mtctr r0
li r10, 7
b Loop1

CTR_Setup2:
li r0, 16
mtctr r0

Loop2:
extsh r9, r3
li r0, -0x1021
not r9, r9
srawi r9, r9, 31
and r9, r9, r0
rlwinm r0, r3, 1, 0, 30
addi r9, r9, 0x1021
xor r9, r9, r0
rlwinm r3, r9, 0, 16, 31
bdnz+ Loop2

#~~~~~~~~~~~~~~~~#
# Store Checksum #
#~~~~~~~~~~~~~~~~#

addis r4, r27, 0x0002
sth r3, 0xFFFFF1DE (r4) #Stores at 0x1F1DE in reference to r27

#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
#          ISFS_Open          #
#        r3 = File Path        #
# r4 = 0x1 for Read Permissions #
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#

mr r3, r30
li r4, 0x2

call_isfs ISFS_Open
cmpwi r3, 0x0 #r3 should return fd value. If negative value, then error occured.
blt- stack_end
mr r31, r3 #Backup fd for later use of ISFS_Close

#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
#                                ISFS_Write                                  #
#                                  r3 = fd                                    #
# r4 = Address Pointer where String Data that will used for writes is located #
#                    r5 = Amount of Bytes to Write to File                    #
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#

mr r4, r27 #Move backed up Heap Address Pointer to r4
mr r5, r25 #Move backed up Byte Write Size to r5

call_isfs ISFS_Write
cmpw r3, r25
bne- stack_end

#~~~~~~~~~~~~#
# ISFS_Close #
#  r3 = fd  #
#~~~~~~~~~~~~#

mr r3, r31

call_isfs ISFS_Close

#~~~~~~~~~~~~~~~~~~~~~#
# Pop Stack, End Code #
#~~~~~~~~~~~~~~~~~~~~~#

stack_end:
pop_stack

skip_everything:
default_instruction

#~~~~~~~~~~~~~~#
# END ASSEMBLY #
#~~~~~~~~~~~~~~#


Reply
#2
Works on Dolphin 5.0-10836 with standard Wii menu (PAL)
Reply
#3
^ Thank you.  Smile
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)