Acmlm's Board - I2 Archive - Super Mario World hacking - Now how's that RAT thing work again?

HyperLamer
Posted on 03-29-05 07:57 AM
Coulda sworn I had this written down (or in LM's help file) but I can't seem to remember the RAT tag format. How exactly did that go?

[edit] Also how can I JSL to a subroutine that ends with RTS? I know I heard some way to do it by messing with the stack... Putting the code in RAM and using JSR doesn't work, because it just jumps to other parts of RAM.


(edited by HyperHacker on 03-28-05 10:07 PM)

Escherial
Posted on 03-29-05 09:19 AM
Taken from LunarDLL.h, starting at line 1012:
The format of a RAT tag is as follows:

S T A R ssssssss SSSSSSSS cccccccc CCCCCCCC (8 bytes)

"STAR"             Tag identifier, which is the word "RATS" reversed in all-caps.
SSSSSSSS ssssssss  Size-1 of data, 16 bit, little endian. It does not include the size of the RAT tag itself.
CCCCCCCC cccccccc  Inverse of size-1, 16 bit, little endian.

Min/Max size allowed: 1-0x10000
As far as I know, the only difference between RTS and RTL is that RTL pulls the program bank register value off the stack (that was pushed there by JSL) whereas RTS doesn't. With that in mind, I can't think of any way to have RTS jump back to the right section of code unless you somehow ensure that the PBR gets set to wherever the JSL came from originally, which would obviously require modifying the subroutine in question.

Sorry if that's not very helpful, but I can't figure any other way to do it.

EDIT: Actually, you'd already be screwed once you pulled the PBR, since you'd then be whisked off to some random point in the bank from which you JSLd. The beauty of RTL is that it changes the program counter and the program bank counter in one fell swoop. So yeah, *shrug*...


(edited by Escherial on 03-28-05 11:27 PM)

HyperLamer
Posted on 03-29-05 09:51 AM
Ah, so that's where I saw that. Thanks. As for the JSR problem, I found a way: Push the return address manually and jump. Since JMP supports indirect addressing, it fixed some other stuff too. (Has to be done in the same bank, of course, but this allowed small enough code to fit it there.)

This is what I used; it won't work in 16-bit mode, which I'd like to fix if possible (but probably not). (Put it at 0x3C80 in the ROM, write the address to $06FE, and JSL to it, and you can call code in bank 0 that's supposed to be JSRed to.)
STA $FF      ;Unused except between levels (save A)
LDA #$BA     ;Store return address: high byte of (address of the RTL below)-1,
PHA          ; pushed first, the same order JSR pushes it
LDA #$8C     ;Low byte of the return address
PHA
LDA $FF      ;Restore A
JMP ($06FE)  ;Indirect jump to the RTS routine whose address is in $06FE
RTL          ;The routine's RTS lands here; RTL then returns to the JSL caller

Now is there a way to swap the bytes of the A register? I need to read a byte in 8-bit mode, make it the high byte of A, read another byte, go to 16-bit and modify them. (Damn fireball code storing low and high bytes at two different places.) I think I know a way, but I need to sleep.


(edited by HyperHacker on 03-28-05 11:51 PM)

Escherial
Posted on 03-29-05 10:11 AM
Ah, that one's easy: use the "XBA" opcode (hex value: EB). It swaps the bytes of the A register, as you desire.

Sukasa
Posted on 03-29-05 10:43 AM
Originally posted by Escherial
Taken from LunarDLL.h, starting at line 1012:
The format of a RAT tag is as follows:

S T A R ssssssss SSSSSSSS cccccccc CCCCCCCC (8 bytes)

"STAR"             Tag identifier, which is the word "RATS" reversed in all-caps.
SSSSSSSS ssssssss  Size-1 of data, 16 bit, little endian. It does not include the size of the RAT tag itself.
CCCCCCCC cccccccc  Inverse of size-1, 16 bit, little endian.

Sorry if I'm being dumb, but I've missed something. Could you please PM me how to make this work, because I will need to use a RATS tag soon.

FuSoYa
Posted on 03-29-05 12:48 PM
Originally posted by HyperHacker
Also how can I JSL to a subroutine that ends with RTS? I know I heard some way to do it by messing with the stack...


There's a few lines of code I use all the time for this. You can run it from any bank, and it only requires finding a single existing 0x6B (RTL) byte within the same bank as the subroutine ending in RTS that you want to call.

      PHK            ;current bank byte for RTL
      PER Fake-1     ;16 bits for RTL
      PEA $804D-1    ;16 bit address of 0x6B byte
      JML $Routine   ;long jump to RTS subroutine
Fake  (whatever)     ;continues here

As for RATs, remember that LM uses a slightly older implementation of the RAT system. A tag will only protect data in the same LoROM bank, so it shouldn't be set larger than that.
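
The tag layout Escherial quoted above, together with FuSoYa's note that LM only protects data inside one LoROM bank, as an added Python example (not code from the thread or from Lunar Magic): it builds a tag, validates one by checking the inverse field, and scans a constructed sample image for tags, flagging any whose data would run past the 0x8000-byte bank boundary. The sample image, the function names and the assumption of a headerless LoROM file (so a bank is 0x8000 bytes of file offset) are the example's own.

```python
import struct

# Layout quoted in the thread from LunarDLL.h: "STAR", size-1 (16-bit LE), inverse of size-1 (16-bit LE).
RAT_MAGIC = b"STAR"
RAT_TAG_LEN = 8
RAT_MIN_SIZE, RAT_MAX_SIZE = 1, 0x10000
LOROM_BANK_SIZE = 0x8000  # bytes per bank in a headerless LoROM image (assumption: no 512-byte header)

def make_rat_tag(data_size):
    """Build the 8-byte tag protecting data_size bytes; the tag itself is not counted."""
    if not RAT_MIN_SIZE <= data_size <= RAT_MAX_SIZE:
        raise ValueError(f"RAT data size out of range: {data_size:#x}")
    size_m1 = data_size - 1
    return RAT_MAGIC + struct.pack("<HH", size_m1, size_m1 ^ 0xFFFF)

def parse_rat_tag(buf, offset=0):
    """Return the protected size of the tag at buf[offset], or None if it is not a valid tag.
    The inverse field must match, so a stray 'STAR' inside ordinary data is rejected."""
    if len(buf) < offset + RAT_TAG_LEN or buf[offset:offset + 4] != RAT_MAGIC:
        return None
    size_m1, inv = struct.unpack_from("<HH", buf, offset + 4)
    return size_m1 + 1 if inv == size_m1 ^ 0xFFFF else None

def crosses_lorom_bank(tag_offset, data_size):
    """True if the protected data runs past the end of the bank the tag starts in (LM's limit)."""
    first_bank = tag_offset // LOROM_BANK_SIZE
    last_bank = (tag_offset + RAT_TAG_LEN + data_size - 1) // LOROM_BANK_SIZE
    return first_bank != last_bank

def find_rat_tags(rom):
    """Scan an image for valid tags; returns (tag_offset, data_size, crosses_bank) triples.
    A valid tag's payload is skipped, so magic bytes inside protected data are not rescanned."""
    found, i = [], 0
    while i + RAT_TAG_LEN <= len(rom):
        size = parse_rat_tag(rom, i)
        if size is None:
            i += 1
            continue
        found.append((i, size, crosses_lorom_bank(i, size)))
        i += RAT_TAG_LEN + size
    return found

# Constructed sample image (not a real ROM): a valid 4-byte block whose payload itself reads
# "STAR", a tag with a wrong inverse field, then a 0x40-byte block that straddles the bank edge.
SAMPLE_ROM = (bytes(16) + make_rat_tag(4) + b"STAR"
              + bytes(12) + b"STAR\x03\x00\x00\x00"
              + bytes(0x7FF0 - 48) + make_rat_tag(0x40) + bytes(0x40))
```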

Parasyte
Posted on 03-29-05 03:35 PM
You can also locate (or add) a small routine written specifically for calling subroutines from outside banks. These can usually be found directly before the subroutine they call. They look like this:

JSR $subroutine
RTL


Just JSL to that first instruction. Simple.
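
To see why a plain JSL into an RTS routine goes wrong (Escherial's point) and why both FuSoYa's PHK/PER/PEA/JML trampoline and Parasyte's JSR/RTL stub work, here is an added Python model of the 65816 stack frames involved; it is not code from the thread, and the banks and addresses used in it (caller in bank 02, routine in bank 00, a borrowed RTL byte at $804D) are constructed for the example. It tracks only the program bank, the program counter and the stack, pushing bytes high-first as the CPU does.

```python
class Cpu65816:
    """Tiny model of the 65816 state the trick relies on: program bank (PBR), PC and stack.
    Bytes are pushed high-first as JSR/JSL do, and RTS/RTL add 1 to the pulled address."""
    def __init__(self, pbr, pc):
        self.pbr, self.pc, self.stack = pbr, pc, []
    def push8(self, v): self.stack.append(v & 0xFF)
    def pull8(self): return self.stack.pop()
    def push16(self, v): self.push8(v >> 8); self.push8(v)
    def pull16(self): lo = self.pull8(); return (self.pull8() << 8) | lo
    def jsr(self, addr): self.push16(self.pc + 2); self.pc = addr   # 3-byte op: pushes address of its last byte
    def jsl(self, bank, addr):                                      # 4-byte op: pushes PBR, then last-byte address
        self.push8(self.pbr); self.push16(self.pc + 3); self.pbr, self.pc = bank, addr
    def rts(self): self.pc = (self.pull16() + 1) & 0xFFFF           # pulls 16 bits only; PBR is NOT restored
    def rtl(self): self.pc = (self.pull16() + 1) & 0xFFFF; self.pbr = self.pull8()
    def phk(self): self.push8(self.pbr)
    def per(self, target): self.push16(target)   # PC-relative push; "Fake-1" is shown already resolved
    def pea(self, value): self.push16(value)
    def jml(self, bank, addr): self.pbr, self.pc = bank, addr

def naive_jsl_to_rts(caller_bank, jsl_addr, routine_bank, routine_addr):
    """The broken case: JSL straight into a routine ending in RTS. RTS pulls only 16 bits, so
    execution resumes at the caller's offset but in the routine's bank, bank byte still stacked."""
    cpu = Cpu65816(caller_bank, jsl_addr)
    cpu.jsl(routine_bank, routine_addr)
    cpu.rts()
    return cpu.pbr, cpu.pc, len(cpu.stack)

def stub_jsl_to_rts(caller_bank, jsl_addr, routine_bank, stub_addr, routine_addr):
    """Parasyte's way: JSL to a 'JSR routine / RTL' stub that lives in the routine's own bank."""
    cpu = Cpu65816(caller_bank, jsl_addr)
    cpu.jsl(routine_bank, stub_addr)
    cpu.jsr(routine_addr)                  # the stub's JSR at stub_addr; its RTL sits at stub_addr+3
    cpu.rts()                              # the routine returns into the stub
    at_rtl = (cpu.pbr, cpu.pc) == (routine_bank, stub_addr + 3)
    cpu.rtl()                              # the stub's RTL returns to the original caller
    return at_rtl, cpu.pbr, cpu.pc, len(cpu.stack)

def trampoline_jsl_to_rts(caller_bank, fake_addr, rtl_byte_addr, routine_bank, routine_addr):
    """FuSoYa's sequence: PHK / PER Fake-1 / PEA rtl_byte-1 / JML routine. The routine's RTS lands
    on an existing 0x6B (RTL) byte in its own bank, and that RTL returns to Fake in the caller's bank."""
    cpu = Cpu65816(caller_bank, fake_addr - 8)   # PC is irrelevant here; PER's operand is pre-resolved
    cpu.phk(); cpu.per(fake_addr - 1); cpu.pea(rtl_byte_addr - 1)
    cpu.jml(routine_bank, routine_addr)
    cpu.rts()                                    # end of the RTS routine
    landed_on_rtl = (cpu.pbr, cpu.pc) == (routine_bank, rtl_byte_addr)
    cpu.rtl()                                    # the borrowed 0x6B byte executes
    return landed_on_rtl, cpu.pbr, cpu.pc, len(cpu.stack)
```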

HyperLamer
Posted on 03-30-05 01:59 AM
That was basically the idea, but I wanted it to be more universal. I may just use Fu's idea though. This should help a lot, thanks!

[edit] Hmm, 'PER fb_return-1' is giving me illegal addressing mode errors. (fb_return is just a few bytes after that.)

Also, anyone know an assembler like SNESASM that won't crash when I try to BNE/BEQ/BRA backward, or a way to avoid it? Proper inline hex support (db #$04) and a way to indicate to it that I'm using 16-bit instructions (like switching to 16-bit mode isn't enough) would be a plus too. It's difficult to use a 16-bit add when it only writes 2 bytes and you can't manually add the third byte to make up for it.


(edited by HyperHacker on 03-29-05 04:20 PM)
(edited by HyperHacker on 03-29-05 04:31 PM)
(edited by HyperHacker on 03-29-05 04:52 PM)

FuSoYa
Posted on 03-30-05 06:30 AM
Originally posted by HyperHacker
Hmm, 'PER fb_return-1' is giving me illegal addressing mode errors. (fb_return is just a few bytes after that.)


*downloads SNESASM and plays with it a bit*

As far as I can tell, this assembler doesn't properly handle using a label with that opcode. Even with values you have to be careful, as it apparently doesn't realize that PER is always a 3 byte instruction. Looks like you'd have to use PER.w #$0007-1, and adjust the value yourself if the number of bytes between PER and "Fake" changes.



(edited by FuSoYa on 03-29-05 08:34 PM)

HyperLamer
Posted on 03-31-05 06:54 AM
Bah, damn thing. What do you use anyway?

FuSoYa
Posted on 03-31-05 12:57 PM
I use a 65816 cross assembler by Jeremy Gordon. I've used it since I first started SNES hacking, actually. Problem is, the only compiled version I found on the net back then refused to run in Win9x (had to exit windows entirely). The source is out there, so I recompiled it as a win32 console app. Also had to fix a few rarely used stack opcodes so they'd assemble correctly. Come to think of it, PER was probably one of them.

I'd send you a copy to see if it's more to your liking, but the doc with the source seems to prohibit distributing modified binaries/source. *shrugs*

Juggling Joker
Posted on 03-31-05 09:40 PM
Some of us (and obviously Fu is one of these people) actually respect the wishes of fellow programmers.

Sukasa
Posted on 03-31-05 09:50 PM
Sorry, I misunderstood what he was saying *deletes post*

AcmlmBoard vl.ol (11-01-05)
© 2000-2005 Acmlm, Emuz, et al