Help Thread: ASM & Disassembly

[Mechakhan]

I don't believe it has ever been done. If you really care about it, it would actually be one of the biggest reasons to hack Emerald. There is zero chance you're going to do this with XSE. I would recommend taking a look at an Emerald IDB to get an understanding of important Emerald RAM locations, but in general, there's a lot less documentation on Emerald.

Thank you for the quick response!
Yeah, I am aware that this is going to be tough. But would it be possible to create custom Link data with ASM and then call the routine in the Multi Battle script in FireRed? Couldn't it be theoreticaly possible if I can find the memory address for the Link data?

 

[Telinc1]

Hi! I've been trying to insert a double battle in Pokémon FireRed. (Like the one in Emerald with Steven.)
I tried to debug the routine for Special 0xEF (Steven battle) with VBA-SDL-H, but my knowledge of Emerald memory addresses is pretty lacking, so I didn't understand much of what the routine did. I couldn't find much by googling either.

I also tried to modify the Link Multi Battle script in FireRed with XSE, but that didn't lead anywhere either, which is probably because Special 0x20 in FireRed requires Link data?

If anyone has an idea of what I could try, I would really appreciate it. Is it possible to modify the link data via ASM? If so, what offsets should be changed? I am by no means asking for an ASM routine, just a tip so I can solve it myself. ;)

I'm not completely sure how link cable data is transmitted in the GBA, but you probably can't just change it. What you can do is spoof it - fool the game into thinking it exists, probably by hooking into whatever routine handles it. That's not all you need to do though, as you also jeed to tell the game to call an AI script and not wait for data.

I myself am studying and looking into this, I'll post anything I happen to find.

 

[Mechakhan]

I'm not completely sure how link cable data is transmitted in the GBA, but you probably can't just change it. What you can do is spoof it - fool the game into thinking it exists, probably by hooking into whatever routine handles it. That's not all you need to do though, as you also jeed to tell the game to call an AI script and not wait for data.

I myself am studying and looking into this, I'll post anything I happen to find.

Thanks a lot for helping me with this!
I managed to discover something. According to the FireRed RAM map made by DavidJCobb, the byte at 0x02022B4C contains the flags for the current battle. By changing this byte the type of battle changes. (0x0: Wild battle. 0x8: Normal trainer battle.) But when I changed the byte to 0x2 and used Special 0x20 I got a communication error, which probably means that 0x2 equals link battle. I still don't know where the link data is though...

 

[Telinc1]

Thanks a lot for helping me with this!
I managed to discover something. According to the FireRed RAM map made by DavidJCobb, the byte at 0x02022B4C contains the flags for the current battle. By changing this byte the type of battle changes. (0x0: Wild battle. 0x8: Normal trainer battle.) But when I changed the byte to 0x2 and used Special 0x20 I got a communication error, which probably means that 0x2 equals link battle. I still don't know where the link data is though...

Does the communication error happen when 0x02022B4C is not 0x2? IIRC the game brings those up every time it tries to receive/send data over an inexistent link cable (warp to a cable club room and stand on one of the script tiles). You should poke around GBATEK, maybe it has something. I'm not sure if DisFire is complete enough for one to able to see how the game handles that. I'll check it out right now.
Currently the best bet is VBA-SDL-H, though the small little detail of its link cable support remains.

Edit: Woop, dere it is. Communication ports on GBATEK. That's what you're after.

 

[Dannwe123]

Hello! I just started playing with some asm in Fire Red. I have managed to make a few routines, but now I'm stuck. I made a simple routine to calculate the length of a string, and tried putting a few test strings into memory to try it out, but I am unable to get the addresses to load properly. What I'm trying to do:

Spoiler:

@ calculate length of string

.text
.align 2
.thumb
.thumb_func

push {r0,r1,lr}
start:
@ strlen(str1)
ldr r0,=str1
bl strlen

@ strlen(str2)
ldr r0,=str2
bl strlen

done: pop {r0,r1,pc}

@ input through r0, pointer to string
@ Output in r1

strlen:
mov r1,#0

strlenAgain:
ldrb r2,[r0,r1]
cmp r2,#0
beq strlenDone

add r1,r1,#1
b strlenAgain

strlenDone:
bx lr

.align
str1: .byte 'A','P','A',0
str2: .byte 'B','E','P','A','C','E','P','A',0

The instruction ldr r0,=str1 is meant to put the address of str1 in r0. However, when I run the code in the No$Gba debugger, it instead interprets the instruction as ldr r0,0x20, and thus sets the value of r0 to 20. The situation is similar with str2.

It seems like 0x20 is the offset from the start of the routine to the letter A, so I guess rather than doing ldr r0,[pc,#offset-to-pointer] it acts like pc is set to 0.

I have also tried writing it this way:

...
@ strlen(str1)
ldr r0,str1Ptr
bl strlen

@ strlen(str2)
ldr r0,str2Ptr
bl strlen
...
...
.align
str1: .byte 'A','P','A',0
str2: .byte 'B','E','P','A','C','E','P','A',0

.align
str1Ptr:
.word str1
str2Ptr:
.word str2

Which should be equivalent (the assembler should turn the above example into something like this) ,but I get the exact same problem. Any ideas?

I am using HackMew's Thumb assembler batch file, but I have also tried playing with the assembler and objcopy settings manually to no avail.

Sorry if the question was unclear or a similar one has already been discussed.
Cheers!

 

[azurile13]

Hello! I just started playing with some asm in Fire Red. I have managed to make a few routines, but now I'm stuck. I made a simple routine to calculate the length of a string, and tried putting a few test strings into memory to try it out, but I am unable to get the addresses to load properly. What I'm trying to do:

Spoiler:

@ calculate length of string

.text
.align 2
.thumb
.thumb_func

push {r0,r1,lr}
start:
@ strlen(str1)
ldr r0,=str1
bl strlen

@ strlen(str2)
ldr r0,=str2
bl strlen

done: pop {r0,r1,pc}

@ input through r0, pointer to string
@ Output in r1

strlen:
mov r1,#0

strlenAgain:
ldrb r2,[r0,r1]
cmp r2,#0
beq strlenDone

add r1,r1,#1
b strlenAgain

strlenDone:
bx lr

.align
str1: .byte 'A','P','A',0
str2: .byte 'B','E','P','A','C','E','P','A',0

The instruction ldr r0,=str1 is meant to put the address of str1 in r0. However, when I run the code in the No$Gba debugger, it instead interprets the instruction as ldr r0,0x20, and thus sets the value of r0 to 20. The situation is similar with str2.

It seems like 0x20 is the offset from the start of the routine to the letter A, so I guess rather than doing ldr r0,[pc,#offset-to-pointer] it acts like pc is set to 0.

I have also tried writing it this way:


Which should be equivalent (the assembler should turn the above example into something like this) ,but I get the exact same problem. Any ideas?

I am using HackMew's Thumb assembler batch file, but I have also tried playing with the assembler and objcopy settings manually to no avail.

Sorry if the question was unclear or a similar one has already been discussed.
Cheers!

It appears that you're looking for the pseudo instruction adr. Instead of
ldr r0,=str1
use
adr r0, str1
Note that you'll only be able to use this get a word aligned address, and your str 2 label is only word aligned by coincidence. The reason the second thing you posted doesn't work is that it requires the assembler to put a pointer in the pool, but the assembler doesn't know where in the ROM your routine is. adr is pc relative. To let the assembler know where your routine is, you can use the .org directive.

.org 0x08900000

ldr r2, ptr_str2
.....
.align 
ptr_str2: .long str2


.....
str2:	.byte 'B','E','P','A','C','E','P','A',0

Then you can copy the bin from 0x08900000 and paste in the ROM to 0x900000 and the str2 doesn't need to be word aligned.
Another thing of note is that 0x0 isn't normally the string terminator, the pokemon games use 0xFF while 0x0 is for a space. One last thing of note is that although you can write your strlen to return through r1, its weird to not use r0.

 

[Dannwe123]

It appears that you're looking for the pseudo instruction adr. Instead of
ldr r0,=str1
use
adr r0, str1
Note that you'll only be able to use this get a word aligned address, and your str 2 label is only word aligned by coincidence. The reason the second thing you posted doesn't work is that it requires the assembler to put a pointer in the pool, but the assembler doesn't know where in the ROM your routine is. adr is pc relative. To let the assembler know where your routine is, you can use the .org directive.

.org 0x08900000

ldr r2, ptr_str2
.....
.align 
ptr_str2: .long str2


.....
str2:	.byte 'B','E','P','A','C','E','P','A',0

Then you can copy the bin from 0x08900000 and paste in the ROM to 0x900000 and the str2 doesn't need to be word aligned.
Another thing of note is that 0x0 isn't normally the string terminator, the pokemon games use 0xFF while 0x0 is for a space. One last thing of note is that although you can write your strlen to return through r1, its weird to not use r0.

Thank you for your quick reply, it works!!
I have previously worked with a different arm processor, I guess it didn't occur to me that the instruction set might be different. Should have thought of that obviously lol.

 

[Dannwe123]

It appears that you're looking for the pseudo instruction adr. Instead of
ldr r0,=str1
use
adr r0, str1
Note that you'll only be able to use this get a word aligned address, and your str 2 label is only word aligned by coincidence. The reason the second thing you posted doesn't work is that it requires the assembler to put a pointer in the pool, but the assembler doesn't know where in the ROM your routine is. adr is pc relative. To let the assembler know where your routine is, you can use the .org directive.

.org 0x08900000

ldr r2, ptr_str2
.....
.align 
ptr_str2: .long str2


.....
str2:	.byte 'B','E','P','A','C','E','P','A',0

Then you can copy the bin from 0x08900000 and paste in the ROM to 0x900000 and the str2 doesn't need to be word aligned.
Another thing of note is that 0x0 isn't normally the string terminator, the pokemon games use 0xFF while 0x0 is for a space. One last thing of note is that although you can write your strlen to return through r1, its weird to not use r0.

Actually, by including the .org directive, the ldr r0,=str1 seems to work fine. I guess the downside to that is that the .bin file becomes pretty huge as it gets padded with 0:s, so your approach of using adr r0 str1 might be better in that respect. On the other hand, having the .org directive is a great form of documentation, makes it easier to keep track of where you inserted the routine. I guess you could just do that in a comment tho.

 

[azurile13]

Actually, by including the .org directive, the ldr r0,=str1 seems to work fine. I guess the downside to that is that the .bin file becomes pretty huge as it gets padded with 0:s, so your approach of using adr r0 str1 might be better in that respect. On the other hand, having the .org directive is a great form of documentation, makes it easier to keep track of where you inserted the routine. I guess you could just do that in a comment tho.

You're welcome :D The other advantage of adr (assuming word alignment) is that it removes the need for a pointer, so you save 4 bytes. When you do ldr r0, =str1, you're implicitly placing a pointer to str1 in your pool. Its only 4 bytes, but still. I never minded the padding for .org because I only save my asm files. I delete my bins anyways - I'd only need it again if there were some problem with my routine, which would necessitate assembling again regardless. But I suppose if you really cared about it, you could do something like

.equ where_i_plan_to_paste_this_routine, 0x08yyyyyy

main:
.....
ldr r0, =(str2 + where_i_plan_to_paste_this_routine)
.....
.align
str2:	.byte 'B','E','P','A','C','E','P','A',0

Then the assembler would be able to create an accurate pointer without the padding.

 

[robinjea]

Uhm... Help? :(

I'm trying to assemble the routine written here by azurile13 but when I try to drag in onto the compiler/assembler, all it gives me is a 127mb sized .bin file. I'm doing it wrong, am I not?

And if my question didn't make any sense, "How do I assemble this?" pretty much makes the same idea. xDD

Anyways, here's the post about the said routine.

I don't know if this has been posted before, but whatevs. It came to my attention today that the bag in FireRed crashes if a "main" pocket has more than 42 items (the normal max for regular items). I had always assumed the malloc was done based on a multiple of the numbers inputted at the routine beginning 0x08099E44, because the TM pocket works fine even with over 100 items, but apparently the berry/TM cases mean they run off of something different. Anyhow, to allow for sufficient malloc requests, change ".equ largest_pocket_size" to your new max and insert this:

.equ  largest_pocket_size,    CHANGE THIS LINE
.equ largest_pocket_size_plus_one, largest_pocket_size + 1
.equ strings_size,    largest_pocket_size_plus_one * 19

.org 0x08002B9C
malloc:
    push {lr}
    mov r1, r0

.org 0x081083F4
main:
    push {r4, lr}
    ldr r4, =(0x0203AD18)
    mov r0, #largest_pocket_size_plus_one
    lsl r0, r0, #0x3
    bl malloc
    str r0, [r4, #0x0]
    cmp r0, #0x0
    beq return
    ldr r0, =strings_size
    bl malloc
    str r0, [r4, #0x4]
    cmp r0, #0x0
    beq return
    mov r0, #0x1

return:
    pop {r4}
    pop {r1}
    bx r1

EDIT: I haven't done much testing. I've only thrown like 60 items into the general items pocket before I got bored & assumed this routine was the only problem.

 

[azurile13]

Uhm... Help? :(

I'm trying to assemble the routine written here by azurile13 but when I try to drag in onto the compiler/assembler, all it gives me is a 127mb sized .bin file. I'm doing it wrong, am I not?

And if my question didn't make any sense, "How do I assemble this?" pretty much makes the same idea. xDD

Anyways, here's the post about the said routine.

I used .org because it was bl'ing the malloc. It pads the file with zeroes. Basically, go to the end of the bin and copy the bytes there to the corresponding address in your ROM (ignoring the 0x8000000 for ROM, which I just type out of habit and really doesn't need to be there and is currently only inflating the bin by a gigantic amount). Btw, that post alone doesn't change the item cap. I alluded to it, but you also need to change that other routine mentioned in the post, which I should have made clearer but was probably lazy. I think I'll edit that it the next time I'm on a computer.

 

[robinjea]

I used .org because it was bl'ing the malloc. It pads the file with zeroes. Basically, go to the end of the bin and copy the bytes there to the corresponding address in your ROM (ignoring the 0x8000000 for ROM, which I just type out of habit and really doesn't need to be there and is currently only inflating the bin by a gigantic amount). Btw, that post alone doesn't change the item cap. I alluded to it, but you also need to change that other routine mentioned in the post, which I should have made clearer but was probably lazy. I think I'll edit that it the next time I'm on a computer.

Okay, I've done that and edited parts of the routine at 0x99E44 (namely, 0x99E52 - new item cap., 0x99E56 - new item cap. * 4, and 0x99E7C - new item cap. +1). When I played the game, it doesn't crash anymore BUT alas! Bag was messed up! The regular items pocket merged with the key items pocket (key items are in the regular items pocket), Key Items Pocket is Empty, TMs went to the Pokeballs Pocket and my Pokeballs, gone. Is there a different byte that I should've changed? Like a limiter of some sort. I'm sorry for bugging out on this. I just want to learn how this works. :(

 

[azurile13]

Okay, I've done that and edited parts of the routine at 0x99E44 (namely, 0x99E52 - new item cap., 0x99E56 - new item cap. * 4, and 0x99E7C - new item cap. +1). When I played the game, it doesn't crash anymore BUT alas! Bag was messed up! The regular items pocket merged with the key items pocket (key items are in the regular items pocket), Key Items Pocket is Empty, TMs went to the Pokeballs Pocket and my Pokeballs, gone. Is there a different byte that I should've changed? Like a limiter of some sort. I'm sorry for bugging out on this. I just want to learn how this works. :(

I remember now - I think I didn't explain the 0x99E44 routine because I posted an explanation of it elsewhere around the same time period. Not the smartest decision on my part to not even link it in the post, but after some digging, here it is: https://www.pokecommunity.com/showpost.php?p=9014911&postcount=2018
Your bag is mixing items because all items pockets are handled in that routine, not just general items. As a result, they will overlap. If you have some ASM knowledge, I think that post should let you know how you'll need to modify 0x99E44. If you don't, this is a nice learning experience ;) No need to apologize. Feel free to ask questions if you run into any more problems - if I didn't want to answer questions, I would have just posted a routine for you and been done with this topic, but I think its better when people actually understand what they're putting in their ROMs.

 

[jiangzhengwenjzw]

Just a quote

Hi! I want to ask a question about using bitfields as u32 vars in C.
(Yes, I know you don't understand what I'm speaking of, so let's take an example)
This is the bitfield of DMA config data:

/*From Nintendo*/
struct DMACNT
{
    u16 Count;              // Transfer Count
    u16 Dummy_21_16:5;
    u16 DestpCnt:2;         // Destination Address Control
    u16 SrcpCnt:2;          // Source Address Control
    u16 ContinuousON:1;     // Continuous Mode
    u16 BusSize:1;          // Bus Size 16/32Bit Select
    u16 DataRequest:1;      // Data Request Synchronize Mode
    u16 Timming:2;          // Timing Select
    u16 IF_Enable:1;        // Interrupt Request Enable
    u16 Enable:1;           // DMA Enable
};

and we use cast here:

struct DMACNT *DMA3CNT = (struct DMACNT *)0x40000DC;

Then here comes the question:
How to exceed such effect via it in C?

ldr r0, =0x40000DC
ldr r1, =0x81000800
str r1, [r0]

If we use u32 value for 0x81000800, the code is extremely simple, but not clear.
So is it a way to use the struct as u32 value? (I think there's a way, otherwise there's no need to include the bitfields)

 

[Blah]

Hi! I want to ask a question about using bitfields as u32 vars in C.
(Yes, I know you don't understand what I'm speaking of, so let's take an example)
This is the bitfield of DMA config data:

/*From Nintendo*/
struct DMACNT
{
    u16 Count;              // Transfer Count
    u16 Dummy_21_16:5;
    u16 DestpCnt:2;         // Destination Address Control
    u16 SrcpCnt:2;          // Source Address Control
    u16 ContinuousON:1;     // Continuous Mode
    u16 BusSize:1;          // Bus Size 16/32Bit Select
    u16 DataRequest:1;      // Data Request Synchronize Mode
    u16 Timming:2;          // Timing Select
    u16 IF_Enable:1;        // Interrupt Request Enable
    u16 Enable:1;           // DMA Enable
};

and we use cast here:

struct DMACNT *DMA3CNT = (struct DMACNT *)0x40000DC;

Then here comes the question:
How to exceed such effect via it in C?

ldr r0, =0x40000DC
ldr r1, =0x81000800
str r1, [r0]

If we use u32 value for 0x81000800, the code is extremely simple, but not clear.
So is it a way to use the struct as u32 value? (I think there's a way, otherwise there's no need to include the bitfields)

Hi Jiang, you can achieve this with some casting or the use of a union.

union DMACNT {
    u32 u_DMACNT;
    struct s_DMACNT st_DMACNT;
};

Something like that.

 

[jiangzhengwenjzw]

Hi Jiang, you can achieve this with some casting or the use of a union.

union DMACNT {
    u32 u_DMACNT;
    struct s_DMACNT st_DMACNT;
};

Something like that.

It worked! THX!{:3}

 

[robinjea]

I remember now - I think I didn't explain the 0x99E44 routine because I posted an explanation of it elsewhere around the same time period. Not the smartest decision on my part to not even link it in the post, but after some digging, here it is: https://www.pokecommunity.com/showpost.php?p=9014911&postcount=2018
Your bag is mixing items because all items pockets are handled in that routine, not just general items. As a result, they will overlap. If you have some ASM knowledge, I think that post should let you know how you'll need to modify 0x99E44. If you don't, this is a nice learning experience ;) No need to apologize. Feel free to ask questions if you run into any more problems - if I didn't want to answer questions, I would have just posted a routine for you and been done with this topic, but I think its better when people actually understand what they're putting in their ROMs.

Okay, since I don't have *that* much knowledge about ASM, here's another question. The bag is not so messed up now except that some Key Items are in the General Items Pocket. To avoid that happening, should I repoint the RAM address where the General Items are stored (which is at 0x203988C)? @.@

I have this theory that is a little incomplete:

Since I increased the General Items Pocket's Capacity to 0x3C (60) which is 0x12 more than the original 0x2A (42), I'm guessing I either have to adjust the offsets of the next pockets' addresses to make room for the new 0x12 general items OR repoint where the General Items are stored to a free space in the save data (which is I am not really knowledgable). The problem is, I don't know which offsets I have to change for the former since the comment and the content in a hex editor is unequal which is so confusing. @.@

 

[azurile13]

Okay, since I don't have *that* much knowledge about ASM, here's another question. The bag is not so messed up now except that some Key Items are in the General Items Pocket. To avoid that happening, should I repoint the RAM address where the General Items are stored (which is at 0x203988C)? @.@

I have this theory that is a little incomplete:

Since I increased the General Items Pocket's Capacity to 0x3C (60) which is 0x12 more than the original 0x2A (42), I'm guessing I either have to adjust the offsets of the next pockets' addresses to make room for the new 0x12 general items OR repoint where the General Items are stored to a free space in the save data (which is I am not really knowledgable). The problem is, I don't know which offsets I have to change for the former since the comment and the content in a hex editor is unequal which is so confusing. @.@

Right, so basically what is happening is because you've changed the length of what is read for general items but haven't moved where key items start, your key items are being read in the general list. I'm not really sure how to explain this more precisely, so maybe you could post your the routine you tried? It would be easier to explain with concrete addresses than in the abstract.

 

[robinjea]

Right, so basically what is happening is because you've changed the length of what is read for general items but haven't moved where key items start, your key items are being read in the general list. I'm not really sure how to explain this more precisely, so maybe you could post your the routine you tried? It would be easier to explain with concrete addresses than in the abstract.

I didn't actually edit the routine, just hex edit because I don't know how to rip the routine. :( And the only part that I actually changed is:

ROM:08099E52                 MOVS    R0, #0x2A @ '*'    @#42 (changed to 3C for 60 items)

And the following (bracketed and bold) are what I changed to accommodate the new 0x12 items but apparently messed up the bag.

ROM:08099E56                 ADDS    R3, #0xA8 @ '¿'     @0x3B8; offset of key items [B][changed to A8+12=BA][/B]
ROM:08099E60                 ADDS    R3, #0x78 @ 'x'     @0x430; offset of pokeballs [B][changed to 78+12=8A][/B]
ROM:08099E6A                 ADDS    R3, #0x34 @ '4'    @0x464; offset of TMs/HMs [B][changed to 34+12=46][/B]
ROM:08099E74                 LDR     R0, =0x54C             @0x54C, offset of berries[B] [this one I am unsure of because in a hex editor, it's 05 48][/B]

And then these ones are what I am really not sure because however I think of it, I don't see a connection between the [R1]'s and it's value on a hex editor.

ROM:08099E50                 STR     R0, [R1]            @store address of general items at 0x203988C 
ROM:08099E5A                 STR     R0, [R1,#8]    @store address of key items at 0x2039894[B] [0x88 in a hex editor, maybe I should +0x12 this?][/B]
ROM:08099E64                 STR     R0, [R1,#0x10]    @store address of pokeballs at 0x203989C[B] [0x8 in a hex editor][/B]
ROM:08099E6E                 STR     R0, [R1,#0x18]    @store address of TMs/HMs at 0x20398A4 [B][0x88 in a hex editor][/B]
ROM:08099E78                 STR     R2, [R1,#0x20]    @store address of berries at 0x20398AC [B][0xA in a hex editor][/B]

 

[azurile13]

I didn't actually edit the routine, just hex edit because I don't know how to rip the routine. :( And the only part that I actually changed is:

ROM:08099E52                 MOVS    R0, #0x2A @ '*'    @#42 (changed to 3C for 60 items)

And the following (bracketed and bold) are what I changed to accommodate the new 0x12 items but apparently messed up the bag.

ROM:08099E56                 ADDS    R3, #0xA8 @ '¿'     @0x3B8; offset of key items [B][changed to A8+12=BA][/B]
ROM:08099E60                 ADDS    R3, #0x78 @ 'x'     @0x430; offset of pokeballs [B][changed to 78+12=8A][/B]
ROM:08099E6A                 ADDS    R3, #0x34 @ '4'    @0x464; offset of TMs/HMs [B][changed to 34+12=46][/B]
ROM:08099E74                 LDR     R0, =0x54C             @0x54C, offset of berries[B] [this one I am unsure of because in a hex editor, it's 05 48][/B]

And then these ones are what I am really not sure because however I think of it, I don't see a connection between the [R1]'s and it's value on a hex editor.

ROM:08099E50                 STR     R0, [R1]            @store address of general items at 0x203988C 
ROM:08099E5A                 STR     R0, [R1,#8]    @store address of key items at 0x2039894[B] [0x88 in a hex editor, maybe I should +0x12 this?][/B]
ROM:08099E64                 STR     R0, [R1,#0x10]    @store address of pokeballs at 0x203989C[B] [0x8 in a hex editor][/B]
ROM:08099E6E                 STR     R0, [R1,#0x18]    @store address of TMs/HMs at 0x20398A4 [B][0x88 in a hex editor][/B]
ROM:08099E78                 STR     R2, [R1,#0x20]    @store address of berries at 0x20398AC [B][0xA in a hex editor][/B]

Okay I see something. You say stuff like "A8+12=BA"
But 0x12 is the number of items, right? You're adding 0x12 items, but each one is taking up 4 bytes. So you'd actually have to do 0x12 times four = 72 = 0x48.
But forget that for a moment. Forget about hex editing and forget about trying to copy the format of the routine in the game for the moment. Do you know how to write a routine? If not, I can help walk you through it. Because all that you should really care about is this:

At the end routine, the following offsets should contain the important offsets/quantities:

0x203988C: offset of general items
0x2039890: maximum number of held items
0x2039894: offset of key items
0x2039898: maximum number of key items
0x203989C: offset of pokeballs
0x20398A0: maximum number of pokeballs
0x20398A4: offset of TMs/HMs
0x20398A8: maximum number of TMs/HMs
0x20398AC: offset of berries
0x20398B0: maximum number of berries

I think that looking at the hex and attempting to change the code byte by byte is a waste and only serves to create extra work.