04-23-23 09:41 PM
Acmlm's Board - I3 Archive - - Posts by labmaster
User Post
labmaster
Red Paragoomba
Since: 11-18-05
From: Away for exams, back mid-December.
Last post: 5983 days
Last view: 5913 days
Posted on 12-13-05 05:10 PM, in NEED A SMB3 TEXT EDITOR. Please no MSDOS text editors
Originally posted by Xeruss
I figured I'd let you know, DOS programs make up the majority of hacking programs.
HEX workshop is a DOS program

... not the version that I use.
labmaster
Posted on 12-21-05 06:19 PM, in F-Zero X -- Editor Project
No, I'm pretty sure you're talking about a license here (the GPL is a license). Copyright is automatic - unless you're referring to actually registering the copyright with the Copyright Office (which you need to do if you want to sue anyone).
labmaster
Posted on 12-21-05 09:53 PM, in General Project Screenshot Thread
labmaster
Posted on 12-26-05 06:36 PM, in Advance Wars - where does it get 'em from?
Gah, why are we doing this the hard way?


Breakpoint (on write) address 0201621a old:0000 new:002a
R00=0201621a R04=0000002a R08=00000000 R12=03004228
R01=00000000 R05=00000000 R09=00000001 R13=03007b2c
R02=020157f8 R06=08282c28 R10=08282c28 R14=0801f1bb
R03=02019e7a R07=00000a22 R11=00000000 R15=0801f204
CPSR=0000003f (......T Mode: 1f)
0801f202 881b ldrh r3, [r3, #0x0]
debugger>

0801f150 b5f0 push {r4-r7,lr}
0801f152 4657 mov r7, r10
0801f154 464e mov r6, r9
0801f156 4645 mov r5, r8
0801f158 b4e0 push {r5-r7}
0801f15a b081 add sp, -#0x4
0801f15c 1c05 add r5, r0, #0x0
0801f15e 38a4 sub r0, #0xa4
0801f160 280b cmp r0, #0xb
0801f162 d803 bhi $0801f16c
0801f164 1c28 add r0, r5, #0x0
0801f166 f000 bl $0801f260
0801f16a e061 b $0801f230
0801f16c 042d lsl r5, r5, #0x10
0801f16e 0c2d lsr r5, r5, #0x10
0801f170 1c28 add r0, r5, #0x0
0801f172 f003 bl $08022614
0801f176 4e32 ldr r6, [$0801f240] (=$08282c28)
0801f178 6834 ldr r4, [r6, #0x0]
0801f17a 4f32 ldr r7, [$0801f244] (=$03004228)
0801f17c 683a ldr r2, [r7, #0x0]
0801f17e 8811 ldrh r1, [r2, #0x0]
0801f180 2000 mov r0, #0x0
0801f182 8021 strh r1, [r4, #0x0]
0801f184 8851 ldrh r1, [r2, #0x2]
0801f186 8061 strh r1, [r4, #0x2]
0801f188 80a0 strh r0, [r4, #0x4]
0801f18a 80e0 strh r0, [r4, #0x6]
0801f18c 8120 strh r0, [r4, #0x8]
0801f18e 8160 strh r0, [r4, #0xa]
0801f190 81a0 strh r0, [r4, #0xc]
0801f192 81e0 strh r0, [r4, #0xe]
0801f194 8220 strh r0, [r4, #0x10]
0801f196 482c ldr r0, [$0801f248] (=$00004722)
0801f198 1824 add r4, r4, r0
0801f19a 1c28 add r0, r5, #0x0
0801f19c f003 bl $08022824
0801f1a0 1c01 add r1, r0, #0x0
0801f1a2 1c20 add r0, r4, #0x0
0801f1a4 f01f bl $0803f094
0801f1a8 1c28 add r0, r5, #0x0
0801f1aa f003 bl $080227e8
0801f1ae 6831 ldr r1, [r6, #0x0]
0801f1b0 4a26 ldr r2, [$0801f24c] (=$0000473b)
0801f1b2 1889 add r1, r1, r2
0801f1b4 7008 strb r0, [r1, #0x0]
0801f1b6 f7ff bl $0801f114
0801f1ba 2100 mov r1, #0x0
0801f1bc 6830 ldr r0, [r6, #0x0]
0801f1be 8840 ldrh r0, [r0, #0x2]
0801f1c0 4281 cmp r1, r0
0801f1c2 da33 bge $0801f22c
0801f1c4 46b2 mov r10, r6
0801f1c6 2500 mov r5, #0x0
0801f1c8 4654 mov r4, r10
0801f1ca 6820 ldr r0, [r4, #0x0]
0801f1cc 1c4f add r7, r1, #0x1
0801f1ce 46b9 mov r9, r7
0801f1d0 8800 ldrh r0, [r0, #0x0]
0801f1d2 4285 cmp r5, r0
0801f1d4 da24 bge $0801f220
0801f1d6 4e1a ldr r6, [$0801f240] (=$08282c28)
0801f1d8 0049 lsl r1, r1, #0x01
0801f1da 4688 mov r8, r1
0801f1dc 4819 ldr r0, [$0801f244] (=$03004228)
0801f1de 4684 mov r12, r0
0801f1e0 491b ldr r1, [$0801f250] (=$08282c34)
0801f1e2 9100 str r1, [sp, #0x0]
0801f1e4 4662 mov r2, r12
0801f1e6 6810 ldr r0, [r2, #0x0]
0801f1e8 6832 ldr r2, [r6, #0x0]
0801f1ea 4c1a ldr r4, [$0801f254] (=$00004682)
0801f1ec 1913 add r3, r2, r4
0801f1ee 4443 add r3, r8
0801f1f0 881f ldrh r7, [r3, #0x0]
0801f1f2 1979 add r1, r7, r5
0801f1f4 0049 lsl r1, r1, #0x01
0801f1f6 1840 add r0, r0, r1
0801f1f8 8884 ldrh r4, [r0, #0x4]
0801f1fa 4f17 ldr r7, [$0801f258] (=$00000a22)
0801f1fc 19d0 add r0, r2, r7
0801f1fe 1840 add r0, r0, r1
0801f200 8004 strh r4, [r0, #0x0]
0801f202 881b ldrh r3, [r3, #0x0]
0801f204 1958 add r0, r3, r5
0801f206 4915 ldr r1, [$0801f25c] (=$00001432)
0801f208 1852 add r2, r2, r1
0801f20a 1812 add r2, r2, r0
0801f20c 9f00 ldr r7, [sp, #0x0]
0801f20e 6838 ldr r0, [r7, #0x0]
0801f210 1900 add r0, r0, r4
0801f212 7800 ldrb r0, [r0, #0x0]
0801f214 7010 strb r0, [r2, #0x0]
0801f216 3501 add r5, #0x1
0801f218 6830 ldr r0, [r6, #0x0]
0801f21a 8800 ldrh r0, [r0, #0x0]
0801f21c 4285 cmp r5, r0
0801f21e dbe1 blt $0801f1e4
0801f220 4649 mov r1, r9
0801f222 4652 mov r2, r10
0801f224 6810 ldr r0, [r2, #0x0]
0801f226 8840 ldrh r0, [r0, #0x2]
0801f228 4281 cmp r1, r0
0801f22a dbcc blt $0801f1c6
0801f22c f003 bl $08022678
0801f230 b001 add sp, #0x4
0801f232 bc38 pop {r3-r5}
0801f234 4698 mov r8, r3
0801f236 46a1 mov r9, r4
0801f238 46aa mov r10, r5
0801f23a bcf0 pop {r4-r7}
0801f23c bc01 pop {r0}
0801f23e 4700 bx r0


Might whip out IDA and take a closer look at this sucker later.


Edit: Okay, most of the stuff above is useless. Actually, all of it really.

The game does indeed use a BIOS Decompression function, LZ77UnCompWram to be precise. You probably didn't catch it because it gets decompressed to 02008012 first, before being copied over (part of the function above does this).


(edited by labmaster on 12-26-05 05:37 PM)
(edited by labmaster on 12-26-05 06:44 PM)
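The BIOS routine named in the edit above, LZ77UnCompWram, consumes the standard GBA "type 0x10" LZ77 stream. The decoder below is an added example, not code from the post or from the game: it implements that format as documented for the BIOS (header byte 0x10, 24-bit output size, flag bytes read MSB first, two-byte back-references), rejects malformed streams instead of reading outside the buffer, and runs on a constructed sample stream embedded inline.

```python
# Decoder for the GBA BIOS LZ77 stream format (the input of SWI 0x11,
# LZ77UnCompWram). Added example, not code from the forum post.
# Format: byte 0 = 0x10, bytes 1..3 = decompressed size (24-bit LE); then
# groups of one flag byte and eight tokens, flag bits read MSB first:
#   0 -> one literal byte
#   1 -> two-byte back-reference: high nibble = length-3,
#        low nibble + next byte = 12-bit (displacement-1)

def lz77_decompress(data: bytes) -> bytes:
    """Decode one BIOS-LZ77 block; raise ValueError on malformed input."""
    if len(data) < 4 or data[0] != 0x10:
        raise ValueError("not a BIOS LZ77 (type 0x10) header")
    out_len = data[1] | (data[2] << 8) | (data[3] << 16)
    out = bytearray()
    pos = 4
    while len(out) < out_len:
        if pos >= len(data):
            raise ValueError("stream ended before the declared size was reached")
        flags = data[pos]
        pos += 1
        for bit in range(7, -1, -1):
            if len(out) >= out_len:
                break
            if not (flags >> bit) & 1:
                if pos >= len(data):
                    raise ValueError("truncated literal")
                out.append(data[pos])
                pos += 1
                continue
            if pos + 1 >= len(data):
                raise ValueError("truncated back-reference")
            b1, b2 = data[pos], data[pos + 1]
            pos += 2
            length = (b1 >> 4) + 3
            disp = (((b1 & 0x0F) << 8) | b2) + 1
            src = len(out) - disp
            if src < 0:
                # A reference reaching before the start of the output buffer
                # is malformed; the real BIOS would read whatever lies there.
                raise ValueError("back-reference points before start of output")
            for _ in range(length):
                if len(out) >= out_len:
                    break
                out.append(out[src])  # byte-wise copy so overlapping runs work
                src += 1
    return bytes(out)


# Constructed sample: literals 'A','B','C', a 9-byte reference back 3 bytes,
# then literal 'D'. Flag byte 0x10 = 0b00010000 marks token 4 as a reference.
SAMPLE_STREAM = bytes([0x10, 0x0D, 0x00, 0x00,   # header: 13 output bytes
                       0x10,                     # flags
                       0x41, 0x42, 0x43,         # 'A' 'B' 'C'
                       0x60, 0x02,               # len 6+3=9, disp 2+1=3
                       0x44])                    # 'D'

if __name__ == "__main__":
    print(lz77_decompress(SAMPLE_STREAM))  # b'ABCABCABCABCD'
```

The byte-wise copy matters: a displacement smaller than the length (as in the sample, displacement 3, length 9) is the format's way of expressing a repeated run, so the copy must read bytes that it has itself just written.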
labmaster
Posted on 12-27-05 08:32 PM, in Adding a password protection.
Have you tried GBAtemp? They'd probably be able to tell you reasonably definitively if such a program existed or not. (edit: looks like you'll have to register to view/post.)

Writing one wouldn't be too hard, I guess, it'd just take a bit of time to code the input routine (unless you could borrow the source from someone else). Or - even simpler - stuff text input altogether and just set a certain button sequence to start the game.


(edited by labmaster on 12-28-05 04:11 AM)
labmaster
Posted on 12-28-05 06:19 AM, in FF4 Advanced
Okay, a quick overview of AR M codes.

First up, all AR codes are encrypted. There's a nifty utility out there called ARCrypt by Parasyte and kenobi that we can use to decrypt them - here's the official CJ's M code decrypted:

C4001406 000084A1
45345A42 001DC0DE

Two lines - the first line is known as the hook, the second line the identifier.

The purpose of the hook code is to tell the Action Replay whereabouts in ROM it can insert a 'hook', which allows the code handler to be executed. The first 32 bits tell us that this code is a hook code, and that the address to be patched is 08001406 - the second 32 bits (though only the lower halfword is used in a hook code) are option flags, which indicate the type of hook.

The next line identifies the game - the latter 32 bits always being '001DC0DE'. The former is the game code, aka the 32-bit value at 080000AC in the ROM.

So, there's no nasty checksumming/hashing to be done (although Gameshark SP/Codebreaker/Xploder M codes do use a 16-bit CRC instead of the game ID).
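As an added example (not code from the post, from ARCrypt, or from the Action Replay), here is a small parser for a decrypted M code that applies the layout described above: it splits the hook line into a patch address and option flags, checks the identifier line for the fixed 001DC0DE marker, and compares the game code against the 32-bit little-endian word at 0x0AC of a ROM image. Two points are assumptions rather than something the post states: the hook address is taken as the low 24 bits of the first word OR'd with the 0x08000000 ROM base (which reproduces 08001406 from C4001406), and the ROM header used here is a constructed stub whose only meaningful bytes are the four at 0x0AC (the post's game code 45345A42 decodes to the ASCII bytes "BZ4E").

```python
# Added example: decode a decrypted Action Replay (GBA) M code and check it
# against a ROM image. Not code from the post. The hook-address rule below
# (low 24 bits of the first word, OR'd with the 0x08000000 ROM base) is
# inferred from the example in the post and is an assumption.
import struct
from dataclasses import dataclass

ROM_BASE = 0x08000000
GAME_CODE_OFFSET = 0xAC      # four ASCII bytes of the game code in the header
ID_MARKER = 0x001DC0DE       # constant second word of the identifier line


@dataclass
class MCode:
    hook_address: int        # ROM address the code handler hook is patched at
    hook_flags: int          # lower halfword of the hook line's second word
    game_code: int           # 32-bit LE value expected at ROM offset 0xAC


def parse_m_code(lines):
    """Parse a decrypted M code given as two 'XXXXXXXX YYYYYYYY' lines."""
    if len(lines) != 2:
        raise ValueError("an M code is exactly two lines: hook, identifier")
    hook_lo, hook_hi = (int(x, 16) for x in lines[0].split())
    id_lo, id_hi = (int(x, 16) for x in lines[1].split())
    if id_hi != ID_MARKER:
        raise ValueError(f"identifier marker is {id_hi:08X}, expected {ID_MARKER:08X}")
    return MCode(
        hook_address=ROM_BASE | (hook_lo & 0x00FFFFFF),   # assumption, see above
        hook_flags=hook_hi & 0xFFFF,                      # only the low halfword is used
        game_code=id_lo,
    )


def rom_game_code(rom: bytes) -> int:
    """Read the 32-bit little-endian word at 0x0AC, i.e. the game code."""
    return struct.unpack_from("<I", rom, GAME_CODE_OFFSET)[0]


def game_code_ascii(code: int) -> str:
    """Render the game code the way it appears in the ROM header bytes."""
    return struct.pack("<I", code).decode("ascii")


def m_code_matches_rom(code: MCode, rom: bytes) -> bool:
    """True if the M code's identifier line belongs to this ROM."""
    return code.game_code == rom_game_code(rom)


# Constructed ROM header stub: only the four bytes at 0xAC are meaningful.
FAKE_ROM = bytearray(0x100)
FAKE_ROM[GAME_CODE_OFFSET:GAME_CODE_OFFSET + 4] = b"BZ4E"

# The decrypted CJ's M code quoted in the post.
CJS_M_CODE = ["C4001406 000084A1", "45345A42 001DC0DE"]

if __name__ == "__main__":
    code = parse_m_code(CJS_M_CODE)
    print(f"hook at {code.hook_address:08X}, flags {code.hook_flags:04X}, "
          f"game {game_code_ascii(code.game_code)}, "
          f"matches ROM: {m_code_matches_rom(code, bytes(FAKE_ROM))}")
```

The game-code comparison is the whole of the "no checksumming" point: a mismatch between the identifier word and the header bytes at 0x0AC is enough to tell that a code was made for a different dump, with no CRC to recompute.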
labmaster
Posted on 12-29-05 06:18 AM, in General Project Screenshot Thread
Not a screenshot... but a 50KB AVI file for all those out there interested in Golden Sun entitled "Isaac gives up".

http://metawire.org/~labmaster/isaac.AVI

Don't get too excited, though.
labmaster
Posted on 01-02-06 03:39 AM, in Editor release: Millie 1.0
Millie is a question editor for the GBA series of "Who Wants To Be A Millionaire?" games, and one of the few ROM hacking utilities for a quiz game.

Version 1.0 allows users to extract and insert game scripts from any of the currently dumped versions of "Who Wants To Be A Millionaire?".

Millie is a command-line utility written in ANSI C. A Windows binary and platform-independent source for the project can be found at Sourceforge. Included are a VS 2005 .sln file and Makefile for *nix systems.

I don't really expect anyone to use this, but I've certainly learnt a lot from making it which should help with the next game I'm working on. Next editor is definitely getting a GUI.
labmaster
Posted on 01-09-06 06:00 AM, in SuDoKu; Number Bending
We were given these in Calculus last year for some reason... good way to fill in a Friday afternoon.

143289765
875316492
926574183
387692514
452831976
619457238
561943827
294768351
738125649
labmaster
Posted on 01-09-06 07:18 PM, in putting ShyGuy in Mario 3 !
Originally posted by Jason
How does a person send/receive a PM, by the way? That also isn't in the FAQ.

http://board.acmlm.org/private.php
labmaster
Posted on 01-09-06 10:42 PM, in Golden Sun
I've just finished a program to dump the game's string table. You can see its output at http://romhacking.deadbeat-inc.com/forum/index.php?topic=815.msg9663#msg9663 . First column is the string ID, next is its location in ROM, then the start of a bitstream that the decompression routine uses, and finally the text itself. Control characters are in brackets - if anyone is interested in compiling a list of what does what (most are quite obvious), I'd appreciate it.

The long term plan is an editor - and at the moment, I'm seriously considering replacing the decompression functions in the game altogether with something a lot nicer. We'll see.



(edited by labmaster on 01-09-06 09:44 PM)
(edited by labmaster on 01-09-06 10:29 PM)
(edited by labmaster on 01-09-06 11:02 PM)
(edited by labmaster on 01-10-06 04:09 AM)
(edited by labmaster on 01-13-06 02:43 PM)
(edited by labmaster on 04-03-06 11:14 PM)
labmaster
Posted on 01-10-06 07:51 PM, in Golden Sun
Update
* Descriptions for most control codes added
* Multi-box dialogue now dumped in full.

Next step will be to work on codes 12-16, which will probably take me to the scripts that actually use these strings.
labmaster
Posted on 01-12-06 05:39 PM, in DAT Files?
Z GUI CFG W

It's a ZSNES configuration file.
labmaster
Posted on 01-12-06 10:15 PM, in A revelation I've had...
Saves having to have software mix them (using up precious CPU time), I guess.
labmaster
Posted on 02-20-06 11:56 PM, in GBA romhacking info
The first instruction that is executed is the ARM opcode at $08000000 (which is 0x0 in the ROM). This is typically a branch instruction, which skips over the header.

GBATEK has a lot of useful information on both the GBA and NDS - it's a very good reference doc to have around.

As for trying to find how a game loads tiles - the first thing I'd do is use the devel version of VBA to do a SWI log and see if anything is copying/decompressing to the VRAM block that you're interested in. If I remember correctly there are some detailed instructions in a thread in the old board/archive.

Failing that, you'd need to get a debugger with VRAM breakpoints - if it comes to that and there aren't any others out there, I'll see if I can get around to uploading an unreleased version of VBA-H-SDL with experimental VRAM bkpt support (a couple of people out there have it, but I'm not sure if it's being distributed on the web or not).
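The entry-point remark above (the ARM opcode at $08000000 is usually a branch over the header) can be checked mechanically. The following is an added example, not code from the post: it decodes the first ROM word using the standard ARM B/BL encoding (condition in bits 31-28, 101 in bits 27-25, link bit 24, signed 24-bit word offset, target = instruction address + 8 + offset*4) and reports whether the branch lands past the 192-byte cartridge header. The ROM image used is a constructed stub consisting of the instruction `b 0x080000C0` followed by zero bytes.

```python
# Added example, not code from the post: decode the first ROM word as an ARM
# branch and compute where execution goes after the header, using the
# standard ARM B/BL encoding (cond:4 101 L imm24, target = PC+8+imm24*4).
import struct

ROM_BASE = 0x08000000
HEADER_SIZE = 0xC0   # the GBA cartridge header occupies the first 192 bytes


def decode_entry_branch(rom: bytes):
    """Return (target, cond, is_bl) if the word at offset 0 is an ARM B/BL,
    else None."""
    if len(rom) < 4:
        raise ValueError("ROM too short to hold an instruction")
    word = struct.unpack_from("<I", rom, 0)[0]
    if (word >> 25) & 0b111 != 0b101:
        return None                       # not a branch instruction
    cond = word >> 28
    is_bl = bool((word >> 24) & 1)
    imm24 = word & 0x00FFFFFF
    if imm24 & 0x00800000:                # sign-extend the 24-bit offset
        imm24 -= 0x01000000
    target = ROM_BASE + 8 + (imm24 << 2)  # PC reads as instr address + 8
    return target, cond, is_bl


def entry_skips_header(rom: bytes) -> bool:
    """True if the entry instruction is an unconditional branch that lands
    at or beyond the end of the header and inside this ROM image."""
    decoded = decode_entry_branch(rom)
    if decoded is None:
        return False
    target, cond, _ = decoded
    return cond == 0xE and ROM_BASE + HEADER_SIZE <= target < ROM_BASE + len(rom)


# Constructed ROM stub: 'b 0x080000C0' (EA00002E) followed by an empty header.
FAKE_ROM = bytes([0x2E, 0x00, 0x00, 0xEA]) + bytes(0x100 - 4)

if __name__ == "__main__":
    print(decode_entry_branch(FAKE_ROM))   # (0x080000C0, 0xE, False)
    print(entry_skips_header(FAKE_ROM))    # True
```

A ROM whose first word is not an unconditional branch, or whose branch target falls inside the header, is worth a second look before trusting any assumption about where code starts.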
labmaster
Posted on 02-21-06 12:22 AM, in GBA romhacking info
If you know whereabouts in the global table data is being pulled from a particular level, then you can just put a read breakpoint on that address. If you don't know where in the global table it is, but have the general location of the general table, you can try putting a breakpoint over (what you think is) the entire range.

If you don't actually know where the tiles are coming from, then it's either VRAM breakpoints, or dumping a trace that contains the loading code and looking for something interesting.
labmaster
Posted on 02-25-06 12:25 AM, in GBA romhacking info
http://metawire.org/~labmaster/files/sdlkl.zip

^^ My private version of VBA-SDL. It's not optimized, so don't bother using it for anything other than hacking.


? Shows this help information. Type ? for command help
adb Toggles Auto Don't Break
ba Adds an ARM breakpoint
bd Deletes a breakpoint
bl Lists breakpoints
bj Break on joypad read
bpr Break on read
bprc Clear break on read
bpw Break on write
bpwc Clear break on write
break Adds a breakpoint on the given function
bt Adds a THUMB breakpoint
c Continues execution
cba Adds a Conditional ARM breakpoint
cbt Adds a Conditional THUMB breakpoint
cow Select break on change or break on write
d Disassembles instructions
da Disassembles ARM instructions
db Don't break at the following address.
dbc Clear the Don't Break list.
dload Load raw data dump from file
dsave Dump raw data to file
dt Disassembles THUMB instructions
eb Modify memory location (byte)
eh Modify memory location (half-word)
er Modify register
ew Modify memory location (word)
h Shows this help information. Type h for command help
io Show I/O registers status
last Trigger the display of the last registers states
lf Log instructions to file
lfc Log instructions to file (doesn't dump register data)
load Loads a Fx type savegame
locals Shows local variables
mb Shows memory contents (bytes)
mh Shows memory contents (half-words)
mw Shows memory contents (words)
n Executes the next instruction
print Print the value of a expression (if known)
q Quits the emulator
r Shows ARM registers
radix Sets the print radix
save Creates a Fx type savegame
symbols List symbols
verbose Change verbose setting
where Shows call chain


A couple of things may be broken - I haven't touched it for a very long time. bpw will accept VRAM addresses, and should process these correctly (tip: watch out for DMA writes, it catches these as well. If something doesn't look right, check that it's not a DMA write first). It also accepts SRAM addresses but this -does not work-. Just ignore that.

edit: some additional info about the conditional syntax - it sucks. This is basically how it works:


(address or register) (comparison operator) (address, register or immediate) [(size)]


addresses should be prefixed with '$' and are read as hexadecimal.
registers should be prefixed with 'R'.
immediates should not be prefixed.

valid comparison operators are:
==
!=
<>
<
>

size is for the size of comparison - i.e. specifies whether to read a byte, halfword, or word when loading values from a given address. use 'b', 'h' or 'w'.





(edited by labmaster on 02-24-06 11:35 PM)
(edited by labmaster on 02-24-06 11:36 PM)
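As an added example (not labmaster's code and not taken from VBA-SDL), here is a parser and evaluator for the conditional syntax described above: left operand an address or register, a comparison operator from the list given, right operand an address, register or immediate, and an optional size suffix. It runs against a constructed register file and memory snapshot embedded inline. Two details the post leaves open are assumptions here: unprefixed immediates are read as decimal, and a comparison with no size suffix reads a 32-bit word.

```python
# Added example: parse and evaluate the VBA-SDL conditional-breakpoint syntax
# "<addr|reg> <op> <addr|reg|imm> [size]" against a constructed register file
# and memory snapshot. Not labmaster's code. Assumptions: unprefixed
# immediates are decimal, and a missing size suffix means a 32-bit word.
import re

OPERAND = r"(\$[0-9A-Fa-f]+|[Rr](?:1[0-5]|[0-9]))"          # address or register
OPERAND_OR_IMM = r"(\$[0-9A-Fa-f]+|[Rr](?:1[0-5]|[0-9])|\d+)"
CONDITION_RE = re.compile(
    r"^\s*" + OPERAND + r"\s*(==|!=|<>|<|>)\s*" + OPERAND_OR_IMM + r"\s*([bhw])?\s*$"
)
SIZE_BYTES = {"b": 1, "h": 2, "w": 4}
OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "<>": lambda a, b: a != b,
    "<":  lambda a, b: a < b,
    ">":  lambda a, b: a > b,
}


def make_memory(regions):
    """Build a little-endian reader over {base_address: bytes}; unmapped reads raise."""
    def read(addr, size):
        for base, blob in regions.items():
            if base <= addr and addr + size <= base + len(blob):
                off = addr - base
                return int.from_bytes(blob[off:off + size], "little")
        raise ValueError(f"unmapped read of {size} byte(s) at {addr:08X}")
    return read


class Condition:
    def __init__(self, text):
        m = CONDITION_RE.match(text)
        if not m:
            raise ValueError(f"cannot parse condition: {text!r}")
        self.lhs, self.op, self.rhs, size = m.groups()
        self.size = SIZE_BYTES[size or "w"]

    def _operand(self, tok, regs, read):
        if tok.startswith("$"):                   # memory, hex address
            return read(int(tok[1:], 16), self.size)
        if tok[0] in "Rr":                        # register R0..R15
            return regs[int(tok[1:])] & 0xFFFFFFFF
        return int(tok, 10)                       # immediate (assumed decimal)

    def evaluate(self, regs, read):
        return OPS[self.op](self._operand(self.lhs, regs, read),
                            self._operand(self.rhs, regs, read))


def check(text, regs, read):
    """Parse `text` and return True if the breakpoint condition holds."""
    return Condition(text).evaluate(regs, read)


# Constructed snapshot, modelled on the write-breakpoint hit quoted in the
# Advance Wars post: R0 holds the address written, R4 the value 0x2A, and the
# halfword at 0x0201621A now reads 0x002A. Everything else is zero.
REGS = [0] * 16
REGS[0], REGS[4] = 0x0201621A, 0x0000002A
EWRAM = bytearray(0x40)
EWRAM[0x1A:0x1C] = (0x002A).to_bytes(2, "little")
READ = make_memory({0x02016200: bytes(EWRAM)})

if __name__ == "__main__":
    for cond in ["$0201621a == 42 h", "R4 == $0201621a h", "R0 <> 0",
                 "$0201621a > 255 w", "R4 < R0"]:
        print(f"{cond:22} -> {check(cond, REGS, READ)}")
```

The size suffix changes the answer, not just the width: "$0201621a > 255 w" is false because the word read picks up two zero bytes beyond the halfword that was written, which is the sort of mismatch to rule out before concluding that a condition never fires.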
labmaster
Posted on 03-03-06 02:20 AM, in Converting Save Files
An SPS is basically a 'sav' file with a header tacked on. Try removing the header using a hex editor (I don't think SPS headers have a fixed size, so the easiest way to tell where it finishes is probably to take a look at a normal 'sav' file generated by the game, and seeing if there's some easily recognizable 'marker data' that you can use).

edit: btw, which emulator are you using?


(edited by labmaster on 03-03-06 01:20 AM)
labmaster
Posted on 03-03-06 07:52 PM, in Converting Save Files
VBA should take SPS files - File->Import->Gameshark Snapshot. If there isn't that feature in your version, you should seriously consider updating (1.6.1 or 1.7.2).
labmaster
Posted on 03-31-06 01:33 AM, in Dis-assembler for GBA
What do you want to use it for? MappyVM will let you export disassemblies, VBA-SDL lets you do it to a limited degree (shouldn't be too hard to make some changes so that you can specify ranges etc...) and of course if you only want to take a look you can use the Disassembly viewer in the GUI version.
Acmlmboard 1.92.999, 9/17/2006
©2000-2006 Acmlm, Emuz, Blades, Xkeeper