For better understanding here?s an example:

Tidus MAX HP (FinalFantasyX)
We have a working PAL version code for XP2 from xploder.net and decrypt it.

Tidus MAX HP
1031EAB8 0000FFFF
1031EAC0 0000FFFF

We look on the command of the code. It?s 1, so the value is limited. We know, that the maximum size of the value is 0000 FFFF if the command is 1. We know, that FFFF stands for the decimal digit 65535 (If you don?t know it, use the Calculator). But in FFX the maximum HP is 99.999.

We want Tidus to have 99.999 HP, so we change the command from 1 to 2.
The maximum value for this command is FFFF FFFF what is decimal 4294967295, so the limit is high enough now.
We only have to convert 99.999 in HEX now (1869F) and put the new value in the codes:

2 031EAB8 000 1869F
2 031EAC0 000 1869F

Don?t forget: the addresses are the same, we only changed the values/digits and the command!
That?s all to tell you about hacking with labels. Here are some labels you could look for in games.
Bypass
Disable
Enable
Free
Add
Remove
Get
Activate
Apply
cheat/ bcheat
Display


As an example for hacking with labels we will take the racing game GTC Africa.(Thanks to Nachbrenner)
We first start the "Invoke Analyzer". Now we?re looking for labels which sound useful for a racing game, e.g. car, lap, track, time, championship, AI and so on.
In the ELF file of GTC Africa we sound an interesting label named CheatUnlockAll.



When we choose the label, we?re jumping the addresses.
We double click on the lable.



001aa660:24050001 ,li a1, a1=0x00000001
001aa664:3c010028 ,lui at, at=0x00280000
001aa668:ac25a588 ,sw a1 ,[_0027a588]
001aa66c:3c010028 ,lui at, at=0x00280000
001aa670:ac25a594 ,sw a1 , [_0027a594]
001aa674:3c010028 ,lui at, at=0x00280000
001aa678:ac25a598 , sw a1 ,[_0027a598]

Now we look to the "sw", 3 times they link to other Adresses. But how we get the Digit?

Normally Unlock - Codes have the Digit 00000001 so we test this first.
The Codehacker who make this code (Nachbrenner) take the Command "1" and let run the Code in 16 Bits (dont know why he takes this command cause normally when you dont know in how many bits the address runs you choose the command "2" which runs the code in the normal 32 Bit but maybe he test it out this way)

So we get these codes:
1 027A588 00000001
1 027A594 00000001
1 027A598 00000001

Try the codes one after another. We find out that the codes are:

Unlock All Challenges
1027A588 00000001

Unlock All Championships
1027A594 00000001

Unlock All Single Races
1027A598 00000001

In this case we find in PS2Dis what to do with the code and what value it has. But sometimes we don?t get that much help.


Hacking with Labels in quotes:

Not every game has labels which even look like codes. Most labels are in " " and let us jump to a so called byte routine. A byte routine only shows how the name of the label is built and are useless for us. But we?re lucky to have ps2dis, which helps us out.

Ok... lets take as example the Game "Guilty Gear XX US - SLPS_251.84"
We start "Invoke Analyzer" and look into the Labels. We see some trash in it... but then we find the Label "Player Load %d %dn"
Press Enter and we come to the Address 0030b4c0



ok... now we see where the Label is locatet but this not our real Address...
this is just the part where name of the Label is build.
So we press Space Bar + F3. Now ps2dis brings us to address 0010589c



Ok.... now are in the right part. Directly below we see two addresses with the op "lh" (load halfword) which have a referer.
These referers links to other addresses which holds very often the effect we want. So we mark the addess 001058a0 with
spacebar and press "right" and come now to the address



Now you should ask you why ps2dis brings you to 00289c50 instead of 002892c52..... this is very easy cause ps2dis shows us the addresses in 32 Bit which mean that the addresses are always shown in "4" steps (0 -> 4 -> 8 -> C -> 0 ..... ).
Ok but how to choose now the right code.... you remember the two Addresses with the op "lh" (Load Halfword)? This op tell us that the address there runs in 16 Bits (cause the op "word" runs in 32 Bit and the "half" of a "word" is 16 Bits). So what we have to do now?

1.Referer:
00289c50
00289c51

2.Referer:
00289c52
00289c53

Easy we test the code in16 Bits too! For this we need the Command "1" (1 xxxxxxx 0000????).
"Player Load" means that something should be load into the game so it would be not that good when we disable it with "0000". Instead of 0000 we choose now "0001" and see what happens.....

10289c50 0000001 <--- Play Sol Badguy as Player 1
10289c52 0000001 <--- Play Sol Badguy as Player 2

When we change the value again (0002, 0003 you will get all the players which are availbel)
Cool we have found now our Player Mod :)

Hacking with Strings:

Now we come to an advanced part in the art of Code hacking. The first thing is that you get information about the game you want to hack.
For example with how many Health Points you start with and what is the maximum Number of Health etc. you can get.
This method is dealing with searching for strings/values which are sometimes written into ELF-Files and not just into the Ram.

Let?s for example take how the FFX-2 PAL Health Code was hacked.

Ok now comes the part where you have to get information about the game.
In FFX-2 your Health is shown as Health Points (HP). The minimum of HP you can get is 1 HP. The maximum is 9999HP but with a special Item you can get 99999 HP.
Let?s see how we can use this information for hacking a code.

First we load the FFX-2 PAL ELF into a dissembler (in this example I used ps2dis) and start Invoke Analyzer. Now we start with searching specific strings. We know that the maximum value is 99999 which is in Hex/Raw 1869F. Now we press Ctrl + F and enable Option "As hex string". When you don?t know exactly how the OP-Code is build but which value it has in the game we take the last 4 Digits. In this example it is 869F. But if we were to write this into the Search Box now it will not find the right results. We have to change the Bytes in these 4 Digits: 869F -> 9F86. If u notice all we did there was put the last 2 digits in front u do this with any hex value when using this method.



So we write 9F86 into the Search option and press ok. The first address where ps2dis brings is 001cf604.



This area with a bunch of Addresses doesn?t look that bad, look at the parts which stands in " ( ) " behind. We see some values which are often used in this game: "0001869f"; "0000270F"; "000000FF"
So we test the addresses in this aria with different values. But we see it doesn?t change anything or just freeze the game. We may have modified other Options in the game that we don?t see yet. But ok... we search again..... Press F5 to get the next result of search.



This brings us to the address "001d1564" (Now you can see why we just search for the last 4 Digits.... the op-code is 34c6869f so if we were to search for 1869f instead of 869f it wound not have shown us this address, and we could have missed it).
So we look into this cluster of Addresses and see that this Address is also not bad. Look at this....

lui a2, $0001
addiu v1, zero, $270f (shown as li)
andi v0, v0, $0001
ori a2, a2, $869f

This is the part where the where the Health Values are set.
lui a2, $0001 and ori a2, a2, $869f belongs together. this means that the value 0001 is stored in the first for Digits of a Value (0001xxxx), ori a2, a2, $869f stores 4 Digits (in this example 869f) in the last 4 Digits of a Value.... means (xxxx869f). We see that all results belongs to Register a2 so the Digits come together and build the Value 0001869f .
addiu v1, zero, $270f means that a value is stored in register v1 (v1 = 0 + 270f).
This was just a little Example which is for us not that really important. Now we came to the boring part..... Testing the Addresses with different Values...

For example:
"201d155c 2403270f" or 201d155c 240300FF or sth, like this... but damn... nothing seems to work for the described Addresses. Ok but we don?t give up and look to the addresses in this bunch and test them. So we come to the jal op on address 001d1570. But how to give a jal a constant value... we have to change the op code jal in something different. We want to store an address so we take the op "addiu". Now we have found a register where we can store the result, which is not used in this routine btw. Which the game allows us to use that it will not freeze. I choose Register v0. The op-code should like this addiu v0, zero, $270f ($270f for the value we want to get). Make a double-click on the Address and type this ( "addiu v0, zero, $270f" ) into the command line. It will give you now the value "2402270f". So we test the Code 201d1570 2402270f and see it brings us 9999 of Health Points :)
Now we have the Code for Health.... Another interesting thing is below we see the value $03E7 which is the maximum value from MP.... As far as we can tell is that the health code lies on a jal op we test the next jal too.....
We take the same op as before just with the value 03E7 to get the full 999 MP Points.... and after a quick test we see we got all 999 MP-Points...

Ok this was just a little example how to hack with Strings hopeful it will help you a little bit :)

Finding Address of Joker Commands:
Method 1:
Need Labels without " " , e.g. Entrypoint.... if the game dont have it use our "Label Mates"
Search for (pad_dma_buf) and add 2.
Example: GTC Africa:



just add 2 and we have our Max Reserved Joker!
D02DB380 0000????
Note:
The same method can you use with this labels:
Pad_DMA_Buffer
g_Pad_Dma_Buffer
PADD1
Padinfo
Pad_rdata1

_____________________

Methode 2:
Search for Label ("libpad: buffer addr is not 64 byte align. %08xn" )
Beispiel: Half Life (DE) v1



ps2dis brings us to the Byte - Address of the Label



we mark this address with Space and press F3 (Invoke Analyzer)



From this Address we have to go a few lines above till we come to an Addres like this ( ::FNC_xxxxxxxxx ). In a ELF-File which have Labels e.g. Entrypoint or by using our Tool "Label Mates" this address is named (scepadportopen) sein.This Address we also mark with Space and press F3 again.



Now we are near on our Joker Command. From the Addrees which ps2dis brings us (JAL #xxxxxxxx), we have to look (under and above) for an addiu with the Register a2.
We see that this Address links us to a nop which is our Joker Command (sometimes it dont links to another Address so try the Addiu as the Joker Address).
If we are on the nop which is our Joker - Address just add 2.
Joker Command Halflife
D03a5402 0000????

To get the Joker Address for Controller 2 just add 100.
Joker Command Halflife Controller 2
D03a5502 0000????
___________________

Multiple Line Joker Command
Sometimes you have to aktivate more than one line to get the right effect, so we need a special type of Joker Command.
Structure:
E0 xx ???? yyyyyyyy
x = how many lines you want to aktivate
???? = Pad
yyyyyyyy = Address of Joker Command

Example:
Joker Address (Add + 2):
00636782

Health:
201fd648 2402FFFF
201fd64c 2402FFFF
201fd650 2402FFFF

We want to refill our health by pressing R3
R3 = FFFB
The Healt Code has 3 Lines so we Take E00"3"

Press R3 to refill Health:
E003FFFB 00636782
201fd648 2402FFFF
201fd64c 2402FFFF
201fd650 2402FFFF

Using scePadInfoAct to make a joker. Not all games use this.

Example: The Punisher
001da1ac 0c06e518 jal $001b9460 [scePadInfoAct]
001da1b0 005eb021 addu s6, v0, fp
001da1b4 aec20000 sw v0, $0000(s6)
001da1b8 8ec30000 lw v1, $0000(s6)
001da1bc 18600094 blez v1, $001da410
001da1c0 0003082a slt at, zero, v1
001da1c4 10200024 beq at, zero, $001da258
001da1c8 0000902d daddu s2, zero, zero
001da1cc 3c0201a6 lui v0, $01a6
001da1d0 329000ff andi s0, s4, $00ff
001da1d4 2442e600 addiu v0, v0, $e600 (01a5e600)
001da1d8 005e8821 addu s1, v0, fp

Reverse Joker Command Pad1
D1A5E602 0000????