SM64 Exposed Create Your Own Codes
By James S.
Note, all values are in hex (including those that start with 0x) unless otherwise stated.
Introduction
Anyone can create their own codes but you will need the right tools and plenty of practice and a good understanding of how the game works, but that can be learnt as you make codes.
You will need either a cheat code cartridge such as an Action replay or Gameshark, or an emulator like Nemu that has plugins that allow you to search the memory for certain values and to be able to view and edit data at any memory address.
Most type of codes actually do something very simple, they take a value and place it somewhere in the memory, replacing what the game had previously put there. For example, say Mario had 5 lives and then lost one so the game puts him on 4 lives, but if you had the infinite lives code on that 4 will be overwritten by the value that the code put there.
Let's look at the infinite lives code for the NTSC USA SM64:
8033B21D 0064
Remember that the codes use only hexadecimal values. The first two digits (red) are the type of code: the 80 means put the 64 (100 in decimal) at address 8033B21D. This is where it gets a bit confusing: the address always starts with 80 but try not to mix it up with the code type which can be 80.
More to be added soon.
Colour codes
Mario
Mario colour codes have always been popular but some people have not realized that although their colour code works well on an emulator, it does not appear correctly on a real N64, creating a marble effect of mixed colours. The reason for this is that more colour values need changing in order for the colours to be correct, but emulators are more lenient.
Here is an example which you would think would make Mario's overalls white:
PAL
810742E0 FFFF
810742E2 FF00
On an emulator Mario's overalls will be white but on a real N64 you would get a mixture of blue and white, as can be seen from the following screenshot showing Project64 on the left and the output from my capture card on the right:
You can email me at james.boshikoopa@gmail.com
NEW: General Tips for Making Codes
Update: Tips for using Nemu
Use Nemu64's breakpoints to make codes
How to make Play as codes
Colour codes.
For graphics values please go to SM64 Graphics values.
For animation values please go to SM64 Animation values.
For the object variables please go to SM64 Object variables.
For Mario's overalls to be totally white on a real N64 you would need to use:
PAL
810742E0 FFFF
810742E2 FF00
810742E4 FFFF
810742E6 FF00
PAL (UK) and NTSC (USA) colour codes follow with the normal colour values; you could try swapping the end values for the different body parts to see the effect it has.
Overalls
PAL
810742E0 0000
810742E2 7F00
810742E4 0000
810742E6 7F00
810742E8 0000
810742EA FF00
810742EC 0000
810742EE FF00
NTSC
8107EC20 0000
8107EC22 7F00
8107EC24 0000
8107EC26 7F00
8107EC28 0000
8107EC2A FF00
8107EC2C 0000
8107EC2E FF00
Cap, arms and shirt
PAL
810742F8 7F00
810742FA 0000
810742FC 7F00
810742FE 0000
81074300 FF00
81074302 0000
81074304 FF00
81074306 0000
NTSC
8107EC38 7F00
8107EC3A 0000
8107EC3C 7F00
8107EC3E 0000
8107EC40 FF00
8107EC42 0000
8107EC44 FF00
8107EC46 0000
Gloves
PAL
81074310 7F7F
81074312 7F00
81074314 7F7F
81074316 7F00
81074318 FFFF
8107431A FF00
8107431C FFFF
8107431E FF00
NTSC
8107EC50 7F7F
8107EC52 7F00
8107EC54 7F7F
8107EC56 7F00
8107EC58 FFFF
8107EC5A FF00
8107EC5C FFFF
8107EC5E FF00
Shoes
PAL
81074328 390E
8107432A 0700
8107432C 390E
8107432E 0700
81074330 721C
81074332 0E00
81074334 721C
81074336 0E00
NTSC
8107EC68 390E
8107EC6A 0700
8107EC6C 390E
8107EC6E 0700
8107EC70 721C
8107EC72 0E00
8107EC74 721C
8107EC76 0E00
Face
PAL
81074340 7F60
81074342 3C00
81074344 7F60
81074346 3C00
81074348 FEC1
8107434A 7900
8107434C FEC1
8107434E 7900
NTSC
8107EC80 7F60
8107EC82 3C00
8107EC84 7F60
8107EC86 3C00
8107EC88 FEC1
8107EC8A 7900
8107EC8C FEC1
8107EC8E 7900
Hair
PAL
81074358 3903
8107435A 0000
8107435C 3903
8107435E 0000
81074360 7306
81074362 0000
81074364 7306
81074366 0000
NTSC
8107EC98 3903
8107EC9A 0000
8107EC9C 3903
8107EC9E 0000
8107ECA0 7306
8107ECA2 0000
8107ECA4 7306
8107ECA6 0000
General Tips for Making Codes
For codes that change how an object looks, don't forget that you need to also change the animation value for animated graphics. Changing Mario's graphics is the most tricky since the game continually tries to put Mario's animation back.
Not all graphics and animations are loaded in all levels and some behaviours use data loaded only in certain levels. However, because the game uses sets of graphics (e.g., lava graphic objects), there are some normally unused graphics in some levels including beta graphics (Blarrg, Yoshi egg, etc).
One of the best ways to learn how to make codes is to modify existing codes so you can understand how they work. From there you will be able to put together your own codes in time. I started off making only simple codes and over time I learnt more about how the game works, allowing me to make codes such as the Spawn code.
I'm here to help so please email me with your questions, comments, etc at:
Using Nemu to make codes
Although Nemu64 does not emulate the N64 very well it does have some very useful plugins to help create your own codes. First thing to do is to load the SM64 ROM and start the game so that you are outside the castle. Codes that do the same thing (infinite health, and so on) will be different for different regions of the same game due to extra features, bugs removed, etc. To check what version of the ROM you have, go to the Plugins menu and choose Show Rom Info...
So here, the values will be specific to the USA (NTSC) version of SM64, but the step-by-step of how to make the codes can be used for all regions.
We are going to find the Mario object which is the collection of variables that relate to what Mario does, how he looks, his size, etc. Every object in a level has these variables, and with 240 objects (not normally all used) in a course, how can we find Mario? One way is to search for Mario's graphics value which will be in memory in several places, including his object.
Let me take you back, say, 5 years ago when I had only started to hack Super Mario 64 using my Equalizer. I don't remember exactly how, but I had stumbled upon the castle tower object and I noted a certain value (the graphics pointer). I then looked at the next object which was a tree and compared the value, changing it to that of the tower: the tree now looked like the tower. That was only the start...
I have graphic pointer values listed on the SM64 Exposed page, since they are for the PAL game, for common objects (such as Mario) to convert to the USA (NTSC) version add 0xA940 (in hex, see the 0x). Right, that's 0x800E5F20 (PAL)+0xA940=0x800F0860 (NTSC). You'll need a calculator with hex support such as the Windows calculator and some pocket calculators.
The Mario object is located in a different place dependent on what level you're in so you'll need to do the search again when you go somewhere else, but remember to first clear the results. Also, make sure hex is checked as well as 32-bit is selected.
In other games, such as the Legend of Zelda: Ocarina of Time and Resident Evil 2, the hero object (who you're playing as) stays at the same place regardless of what level you're in. For those games it would be easier to make some cheats, i.e., those that directly affect the hero. Additionally, it is possible to change variables related to the hero located in his/her object which is not so for some of Mario's variables in SM64.
There will be a few results which each need to be checked although often you can rule out some results if they are in a certain area. However, as I'm helping you out I can tell you that we are interested only in the last result.
Double-click the address (the result) and it will be displayed in the memory viewer, and then go back a bit, to address 0x0034B888. This is the start of the Mario object, every object begins with the value 0x0018 which shouldn't be changed (the game is likely to crash if you do).
After the 0x0018 you will see 0x0021, change the 0x21 to 0x25, return to the game and you will find that Mario always faces the camera; change back to 0x21 and Mario will behave normally again. To convert that to a code follow these steps:
(1) 0x25 is an 8-bit value (0x00-0xFF) so the code type is 0x80.
(2) Next is the address, which is 0x34B88B (count in hex from the address displayed at the left of the memory viewer as you move right).
(3) We want to place 0x25 at that address; it is an 8-bit value so put 0x00 before the value, that is 0x0025.
Thus, the code is 8034B88B 0025. Add it to the code list (Options menu, Gameshark Cheats) to test it out. This code will only affect Mario when outside the castle so you would need a cheat for every course, unless you found a way that affects Mario in all courses.
You may have found that both 0x00 and 0x80 at the start of the address appear to behave in the same way and that the address looks very much like the first part of a Gameshark code. As to not get confused, try to ignore the first two digts of the address as that's used for the code type for Gameshark cheats (it is assumed that the address starts with 0x80).
Use Nemu64's breakpoints to make codes
Example: make a code that gives Mario 10 extra lives instead of just 1 for every 1-up collected.
Values are for the NTSC USA game but you can still use the help here to make codes for other versions.
Start Nemu64 and load the Super Mario 64 ROM and then go to somewhere that has a 1-up, but don't collect it yet. Pause Nemu64 using the pause button and then go to Plugins->Debugger:Memory... to call up the memory editor window.
We know from the infinite lives code (8033B21D 0064) that Mario's lives are stored at address 8033B21D. So put that value into the 'Address:' box to display that memory location (and the values that follow). If you count across each byte (2 digits) from address 8033B21C until you get to 8033B21D you will see the number of lives Mario currently has (e.g. 04).
Now we are going to set up a breakpoint which will cause Nemu64 to automatically freeze the game when it tries to read or write a value to a certain memory location. Since we want to catch the game before it updates the lives variable, click on the 'Read' check box under 'Watch type on set' so that only the 'Write' check box is selected. This means that Nemu64 will only freeze the game when it's about to write to the address we've put the breakpoint on.
To place the breakpoint, right-click on the 8 digits after the 8033B21C (probably has the values 00040880). You will see that the values are highlighted in a blue colour (the colour depends on the type of breakpoint, that is, the combination of 'Read' and 'Write' 'Watch type on set'.)
Next, unpause Nemu64 by clicking the pause button again and collect a 1-up; the game will freeze and the 'Commands' window will be displayed. This shows the list of the emulated N64 instructions, with the instruction highlighted that was about to update Mario's lives:
802F3CA0 SB T8, 0x00AD(T6)
If you hover your mouse pointer over the instruction (SB T8...) a tool-tip will appear showing the new number of lives stored in register T8 (e.g., 5). The register T6 contains the base address which when added to the offset value (00AD) you get the target address: 8033B170+00AD=8033B21D. Which we know is where Mario's lives are stored in memory.
So, the instruction that's about to be executed (SB T8...) writes the new lives value to the Mario's lives variable. If you go up two instructions you will see:
802F3C98 LB T7, 0x00AD(T6)
802F3C9C ADDIU T8, T7, 0x0001
The first instruction above gets the number of lives Mario currently has and stores it in register T7. The instruction following that adds 1 to the value in register T7 and puts the result into register T8. In other words, Mario's lives are increased by one. Then we know from the next instruction (SB T8...) the new lives total is stored to memory.
To give Mario ten extra lives instead of only one for each 1-up collected, we need to add 0x000A (10 in decimal) as part of the ADDIU T8... instruction. So, using the Memory window, go to address 802F3C9C where you will find the value 25F80001 that represents the instruction. See the '0001' from the instruction, we need to change that to 000A to add ten lives instead of a single life for each 1-up. As a Gameshark code that would be:
802F3C9F 000A
But since the code changes one of the game's instructions, if using an emulator, it's best to turn the code on before the title screen appears.
The amount to add to Mario's lives for a 1-up (normally 0x0001) is a signed value so it can be positive or negative. So if the value to add to Mario's lives was 0xFFFF one life would be taken for every 1-up collected. As a Gameshark code that would be:
812F3C9E FFFF
Note the '81' because it's a 16-bit value to write (0xFFFF) and that the addres is 802F3C9E, not 802F3C9F.
How to make Play as codes
Here I will take you through the steps of how to make a Play as type code where you can play as a different character instead of Mario which really is just a graphics and for some, an animation change as well.
The first thing to do, is find the Mario object in the memory (RAM); the Mario object moves about in memory from level-to-level and for some courses, between stars too. Fortunately, there are many way to find the Mario object when in a certain courses which include searching for Mario's graphics or animation or for his behaviour (not the segment/offset value but the actual address).
There is another way to find the Mario object and that's to check the pointer to the Mario object, which is used by many behaviours to interact with Mario. The values mentioned here will be for the NTSC (USA) game.
So, using Nemu64, go to address 0x80361158 which is the pointer to the Mario object. When outside the castle, the value should be 0x8034B888.
As a fairly simple example, we will now change Mario into MIPS the rabbit. The MIPS graphics value for outside the castle is 0x801951AC, which we need to put at offset 0x14 from the start of the Mario object, so that's 0x8034B888+0x14=8034B89C. So, as a Gameshark code it would be:
8134B89C 8019
8134B89E 51AC
If you was to use that code on its own you will see the rabbit won't quite look right as we need to also give the Mario objects MIPS' animation value. MIPS' running animation for outside the castle is 0x80164FB8. This value needs to be put att offset 0x3C of the Mario object, so that will be 0x8034B888+0x3C=8034B8C4. This gives us the Gameshark code:
8134B8C4 8016
8134B8C6 4FB8
Now we can put together the complete Gameshark code for playing as MIPS the rabbit outside the castle:
8134B89C 8019
8134B89E 51AC
8134B8C4 8016
8134B8C6 4FB8
Unfortunately, because the game keeps trying to put Mario's animation back, the MIPS animation will be interrupted every so often, resulting in what looks like a glitch. Also, for MIPS, when running the animation is played very fast.
Tips for using Nemu
(Update: 26/9/9)
Unlike other emulators such as Project64, Nemu64 doesn't automatically pause when you switch to another program which slows the whole system down. So get used to pressing Nemu's pause button if you want to select another program and also before using Nemu's plugins such as the memory viewer which will also make sure the game doesn't update any memory locations.
It is OK to load a save state when Nemu is paused but it is best to unpause before saving a state, which is a pain as it can run slow.
Do NOT set a breakpoint on an instruction in the Commands window that's in the delay slot, if you do it can confuse Nemu when it breaks. Instead, put the breakpoint on the instruction before the delay slot (i.e., the branch or jump instruction).
If you alter the game's coding often Nemu will continue to use the cached version. To make sure it uses the modified instructions put a breakpoint on or near the changed commands and step through the altered instructions and then continue playing the game.
If you want to change the type of breakpoint set up by right-clicking on values in the Memory window, first remove the breakpoint by right-clicking on the highlighted values, change the type of breakpoint (Read/Write) and then set the breakpoint again. If you don't do that, Nemu may continue using the previous type (Read/write) for the breakpoint.
You can use address values starting with 0x80 or 0x00 in Nemu's memory viewer. Please do not confuse the start of the address value with certain codes that start with 0x80 (8-bit type code) as those types of codes assume that the start of the address is 0x80. So a code beginning with 0x81 (16-bit) doesn't start the address with 0x81, it starts with 0x80 as the 0x81 is simply the code type.
All content of this and related pages is copyright (c) James S. 2008-2010