(Link to AcmlmWiki) Offline: thank ||bass
Register | Login
Views: 13,040,846
 Main | Memberlist | Active users | Calendar | Chat | Online users
Ranks | FAQ | ACS | Stats | Color Chart | Search | Photo album 		04-23-23 09:41 PM
Acmlm's Board - I3 Archive - - Posts by labmaster
Pages: 1 2 3
User Post
labmaster

Red Paragoomba


 





Since: 11-18-05
From: Away for exams, back mid-December.

Last post: 5983 days
Last view: 5913 days
Posted on 12-13-05 05:10 PM, in NEED A SMB3 TEXT EDITOR. Please no MSDOS text editors Link
Originally posted by Xeruss
I figured I'd let you know, DOS programs make up the majority of hacking programs.

HEX workshop is a DOS program




... not the version that I use.
labmaster

Red Paragoomba


 





Since: 11-18-05
From: Away for exams, back mid-December.

Last post: 5983 days
Last view: 5913 days
Posted on 12-21-05 06:19 PM, in F-Zero X -- Editor Project Link
No, I'm pretty sure you're talking about a license here (the GPL is a license). Copyright is automatic - unless you're referring to actually registering the copyright with the Copyright Office (which you need to do if you want to sue anyone).
labmaster

Red Paragoomba


 





Since: 11-18-05
From: Away for exams, back mid-December.

Last post: 5983 days
Last view: 5913 days
Posted on 12-21-05 09:53 PM, in General Project Screenshot Thread Link
labmaster

Red Paragoomba


 





Since: 11-18-05
From: Away for exams, back mid-December.

Last post: 5983 days
Last view: 5913 days
Posted on 12-26-05 06:36 PM, in Advance Wars - where does it get 'em from? Link
Gah, why are we doing this the hard way? 


Breakpoint (on write) address 0201621a old:0000 new:002a

R00=0201621a R04=0000002a R08=00000000 R12=03004228

R01=00000000 R05=00000000 R09=00000001 R13=03007b2c

R02=020157f8 R06=08282c28 R10=08282c28 R14=0801f1bb

R03=02019e7a R07=00000a22 R11=00000000 R15=0801f204

CPSR=0000003f (......T Mode: 1f)

0801f202  881b ldrh r3, [r3, #0x0]

debugger>



0801f150  b5f0 push {r4-r7,lr}

0801f152  4657 mov r7, r10

0801f154  464e mov r6, r9

0801f156  4645 mov r5, r8

0801f158  b4e0 push {r5-r7}

0801f15a  b081 add sp, -#0x4

0801f15c  1c05 add r5, r0, #0x0

0801f15e  38a4 sub r0, #0xa4

0801f160  280b cmp r0, #0xb

0801f162  d803 bhi $0801f16c

0801f164  1c28 add r0, r5, #0x0

0801f166  f000 bl $0801f260

0801f16a  e061 b $0801f230

0801f16c  042d lsl r5, r5, #0x10

0801f16e  0c2d lsr r5, r5, #0x10

0801f170  1c28 add r0, r5, #0x0

0801f172  f003 bl $08022614

0801f176  4e32 ldr r6, [$0801f240] (=$08282c28)

0801f178  6834 ldr r4, [r6, #0x0]

0801f17a  4f32 ldr r7, [$0801f244] (=$03004228)

0801f17c  683a ldr r2, [r7, #0x0]

0801f17e  8811 ldrh r1, [r2, #0x0]

0801f180  2000 mov r0, #0x0

0801f182  8021 strh r1, [r4, #0x0]

0801f184  8851 ldrh r1, [r2, #0x2]

0801f186  8061 strh r1, [r4, #0x2]

0801f188  80a0 strh r0, [r4, #0x4]

0801f18a  80e0 strh r0, [r4, #0x6]

0801f18c  8120 strh r0, [r4, #0x8]

0801f18e  8160 strh r0, [r4, #0xa]

0801f190  81a0 strh r0, [r4, #0xc]

0801f192  81e0 strh r0, [r4, #0xe]

0801f194  8220 strh r0, [r4, #0x10]

0801f196  482c ldr r0, [$0801f248] (=$00004722)

0801f198  1824 add r4, r4, r0

0801f19a  1c28 add r0, r5, #0x0

0801f19c  f003 bl $08022824

0801f1a0  1c01 add r1, r0, #0x0

0801f1a2  1c20 add r0, r4, #0x0

0801f1a4  f01f bl $0803f094

0801f1a8  1c28 add r0, r5, #0x0

0801f1aa  f003 bl $080227e8

0801f1ae  6831 ldr r1, [r6, #0x0]

0801f1b0  4a26 ldr r2, [$0801f24c] (=$0000473b)

0801f1b2  1889 add r1, r1, r2

0801f1b4  7008 strb r0, [r1, #0x0]

0801f1b6  f7ff bl $0801f114

0801f1ba  2100 mov r1, #0x0

0801f1bc  6830 ldr r0, [r6, #0x0]

0801f1be  8840 ldrh r0, [r0, #0x2]

0801f1c0  4281 cmp r1, r0

0801f1c2  da33 bge $0801f22c

0801f1c4  46b2 mov r10, r6

0801f1c6  2500 mov r5, #0x0

0801f1c8  4654 mov r4, r10

0801f1ca  6820 ldr r0, [r4, #0x0]

0801f1cc  1c4f add r7, r1, #0x1

0801f1ce  46b9 mov r9, r7

0801f1d0  8800 ldrh r0, [r0, #0x0]

0801f1d2  4285 cmp r5, r0

0801f1d4  da24 bge $0801f220

0801f1d6  4e1a ldr r6, [$0801f240] (=$08282c28)

0801f1d8  0049 lsl r1, r1, #0x01

0801f1da  4688 mov r8, r1

0801f1dc  4819 ldr r0, [$0801f244] (=$03004228)

0801f1de  4684 mov r12, r0

0801f1e0  491b ldr r1, [$0801f250] (=$08282c34)

0801f1e2  9100 str r1, [sp, #0x0]

0801f1e4  4662 mov r2, r12

0801f1e6  6810 ldr r0, [r2, #0x0]

0801f1e8  6832 ldr r2, [r6, #0x0]

0801f1ea  4c1a ldr r4, [$0801f254] (=$00004682)

0801f1ec  1913 add r3, r2, r4

0801f1ee  4443 add r3, r8

0801f1f0  881f ldrh r7, [r3, #0x0]

0801f1f2  1979 add r1, r7, r5

0801f1f4  0049 lsl r1, r1, #0x01

0801f1f6  1840 add r0, r0, r1

0801f1f8  8884 ldrh r4, [r0, #0x4]

0801f1fa  4f17 ldr r7, [$0801f258] (=$00000a22)

0801f1fc  19d0 add r0, r2, r7

0801f1fe  1840 add r0, r0, r1

0801f200  8004 strh r4, [r0, #0x0]

0801f202  881b ldrh r3, [r3, #0x0]

0801f204  1958 add r0, r3, r5

0801f206  4915 ldr r1, [$0801f25c] (=$00001432)

0801f208  1852 add r2, r2, r1

0801f20a  1812 add r2, r2, r0

0801f20c  9f00 ldr r7, [sp, #0x0]

0801f20e  6838 ldr r0, [r7, #0x0]

0801f210  1900 add r0, r0, r4

0801f212  7800 ldrb r0, [r0, #0x0]

0801f214  7010 strb r0, [r2, #0x0]

0801f216  3501 add r5, #0x1

0801f218  6830 ldr r0, [r6, #0x0]

0801f21a  8800 ldrh r0, [r0, #0x0]

0801f21c  4285 cmp r5, r0

0801f21e  dbe1 blt $0801f1e4

0801f220  4649 mov r1, r9

0801f222  4652 mov r2, r10

0801f224  6810 ldr r0, [r2, #0x0]

0801f226  8840 ldrh r0, [r0, #0x2]

0801f228  4281 cmp r1, r0

0801f22a  dbcc blt $0801f1c6

0801f22c  f003 bl $08022678

0801f230  b001 add sp, #0x4

0801f232  bc38 pop {r3-r5}

0801f234  4698 mov r8, r3

0801f236  46a1 mov r9, r4

0801f238  46aa mov r10, r5

0801f23a  bcf0 pop {r4-r7}

0801f23c  bc01 pop {r0}

0801f23e  4700 bx r0


Might whip out IDA and take a closer look at this sucker later.


Edit: Okay, most of the stuff above is useless. Actually, all of it really.

The game does indeed use a BIOS Decompression function, LZ77UnCompWram to be precise. You probably didn't catch it because it gets decompressed to 02008012 first, before being copied over (part of the function above does this).

(edited by labmaster on 12-26-05 05:37 PM)
(edited by labmaster on 12-26-05 06:44 PM)
labmaster

Red Paragoomba


 





Since: 11-18-05
From: Away for exams, back mid-December.

Last post: 5983 days
Last view: 5913 days
Posted on 12-27-05 08:32 PM, in Addding a password protection. Link
Have you tried GBAtemp?. They'd probably be able to tell you reasonably definitively if such a program existed or not. (edit: looks like you'll have to register to view/post).

Writing one wouldn't be too hard, I guess, it'd just take a bit of time to code the input routine (unless you could borrow the source from someone else). Or - even simpler - stuff text input altogether and just set a certain button sequence to start the game.

(edited by labmaster on 12-28-05 04:11 AM)
labmaster

Red Paragoomba


 





Since: 11-18-05
From: Away for exams, back mid-December.

Last post: 5983 days
Last view: 5913 days
Posted on 12-28-05 06:19 AM, in FF4 Advanced Link
Okay, a quick overview of AR M codes.

First up, all AR codes are encrypted. There's a nifty utility out there called ARCrypt by Parasyte and kenobi that we can use to decrypt them - here's the official CJ's M code decrypted:

C4001406 000084A1
45345A42 001DC0DE

Two lines - the first line is known as the hook, the second line the identifier.

The purpose of the hook code is to tell the Action Replay whereabouts in ROM it can insert a 'hook', which allows the code handler to be executed. The first 32-bits tell us that this code is a hook code, and that the address to be patched is 08001406 - the second 32-bits (though only the lower halfword is used in a hook code) are option flags, which indicate the type of hook.

The next line identifies the game - the latter 32-bits always being '001DC0DE'. The former is the game code, aka the 32-bit value at 080000AC in the ROM.

So, there's no nasty checksumming/hashing to be done (although Gameshark SP/Codebreaker/Xploder M codes do use a 16-bit CRC instead of the game ID).
labmaster

Red Paragoomba


 





Since: 11-18-05
From: Away for exams, back mid-December.

Last post: 5983 days
Last view: 5913 days
Posted on 12-29-05 06:18 AM, in General Project Screenshot Thread Link
Not a screenshot... but a 50KB AVI file for all those out there interested in Golden Sun entitled "Isaac gives up".

http://metawire.org/~labmaster/isaac.AVI

Don't get too excited, though.
labmaster

Red Paragoomba


 





Since: 11-18-05
From: Away for exams, back mid-December.

Last post: 5983 days
Last view: 5913 days
Posted on 01-02-06 03:39 AM, in Editor release: Millie 1.0 Link


Millie is a question editor for the GBA series of "Who Wants To Be A Millionaire?" games, and one of the few ROM hacking utilities for a quiz game.

Version 1.0 allows users to extract and insert game scripts from any of the currently dumped versions of "Who Wants To Be A Millonaire?".

Millie is a command-line utility written in ANSI C. A Windows binary and platform-independent source for the project can be found at Sourceforge. Included are a VS 2005 .sln file and Makefile for *nix systems.

I don't really expect anyone to use this, but I've certainly learnt a lot from making it which should help with the next game I'm working on. Next editor is definitely getting a GUI
labmaster

Red Paragoomba


 





Since: 11-18-05
From: Away for exams, back mid-December.

Last post: 5983 days
Last view: 5913 days
Posted on 01-09-06 06:00 AM, in SuDoKu; Number Bending Link
We were given these in Calculus last year for some reason... good way to fill in a Friday afternoon.

143289765
875316492
926574183
387692514
452831976
619457238
561943827
294768351
738125649
labmaster

Red Paragoomba


 





Since: 11-18-05
From: Away for exams, back mid-December.

Last post: 5983 days
Last view: 5913 days
Posted on 01-09-06 07:18 PM, in putting ShyGuy in Mario 3 ! Link
Originally posted by Jason

How does a person send/recieve a PM, by the way? that also isn't in the FAQ.


http://board.acmlm.org/private.php
labmaster

Red Paragoomba


 





Since: 11-18-05
From: Away for exams, back mid-December.

Last post: 5983 days
Last view: 5913 days
Posted on 01-09-06 10:42 PM, in Golden Sun Link
I've just finished a program to dump the game's string table. You can see its output at http://romhacking.deadbeat-inc.com/forum/index.php?topic=815.msg9663#msg9663 . First column is the string ID, next is it's location in ROM, then the start of a bitstream that the decompression routine uses, and finally the text itself. Control characters are in brackets - if anyone is interested in compiling a list of what does what (most are quite obvious), I'd appreciate it.

The long term plan is an editor - and at the moment, I'm seriously considering replacing the decompression functions in the game altogether with something a lot nicer. We'll see.


(edited by labmaster on 01-09-06 09:44 PM)
(edited by labmaster on 01-09-06 10:29 PM)
(edited by labmaster on 01-09-06 11:02 PM)
(edited by labmaster on 01-10-06 04:09 AM)
(edited by labmaster on 01-13-06 02:43 PM)
(edited by labmaster on 04-03-06 11:14 PM)
labmaster

Red Paragoomba


 





Since: 11-18-05
From: Away for exams, back mid-December.

Last post: 5983 days
Last view: 5913 days
Posted on 01-10-06 07:51 PM, in Golden Sun Link
Update
* Descriptions for most control codes added
* Multi-box dialogue now dumped in full.

Next step will be to work on codes 12-16, which will probably take me to the scripts that actually use these strings.
labmaster

Red Paragoomba


 





Since: 11-18-05
From: Away for exams, back mid-December.

Last post: 5983 days
Last view: 5913 days
Posted on 01-12-06 05:39 PM, in DAT Files? Link
Z GUI CFG W

It's a ZSNES configuration file.
labmaster

Red Paragoomba


 





Since: 11-18-05
From: Away for exams, back mid-December.

Last post: 5983 days
Last view: 5913 days
Posted on 01-12-06 10:15 PM, in A revelation I've had... Link
Saves having to have software mix them (using up precious CPU time), I guess.
labmaster

Red Paragoomba


 





Since: 11-18-05
From: Away for exams, back mid-December.

Last post: 5983 days
Last view: 5913 days
Posted on 02-20-06 11:56 PM, in GBA romhacking info Link
The first instruction that is executed is the ARM opcode at $08000000 (which is 0x0 in the ROM). This is typically a branch instruction, which skips over the header.

GBATEK has a lot of useful information on both the GBA and NDS - it's a very good reference doc to have around.

As for trying to find how a game loads tiles - the first thing I'd do is use the devel version of VBA to do a SWI log and see if anything is copying/decompressing to the VRAM block that you'd interested in. If I remember correctly there's some detailed instructions in a thread in the old board/archive.

Failing that, you'd need to get a debugger with VRAM breakpoints - if it comes to that and there aren't any others out there, I'll see if I can get around to uploading an unreleased version of VBA-H-SDL with experimental VRAM bkpt support (a couple of people out there have it, but I'm not sure if it's being distributed on the web or not).
labmaster

Red Paragoomba


 





Since: 11-18-05
From: Away for exams, back mid-December.

Last post: 5983 days
Last view: 5913 days
Posted on 02-21-06 12:22 AM, in GBA romhacking info Link
If you know whereabouts in the global table data is being pulled from a particular level, then you can just put a read breakpoint on that address. If you don't know where in the global table it is, but have the general location of the general table, you can try putting a breakpoint over (what you think is) the entire range.

If you don't actually know where the tiles are coming from, then it's either VRAM breakpoints, or dumping a trace that contains the loading code and looking for something interesting.
labmaster

Red Paragoomba


 





Since: 11-18-05
From: Away for exams, back mid-December.

Last post: 5983 days
Last view: 5913 days
Posted on 02-25-06 12:25 AM, in GBA romhacking info Link
http://metawire.org/~labmaster/files/sdlkl.zip

^^ My private version of VBA-SDL. It's not optimized, so don't bother using it for anything other than hacking.


? Shows this help information. Type ? for command help
adb Toggles Auto Don't Break
ba Adds an ARM breakpoint
bd Deletes a breakpoint
bl Lists breakpoints
bj Break on joypad read
bpr Break on read
bprc Clear break on read
bpw Break on write
bpwc Clear break on write
break Adds a breakpoint on the given function
bt Adds a THUMB breakpoint
c Continues execution
cba Adds a Conditional ARM breakpoint
cbt Adds a Conditional THUMB breakpoint
cow Select break on change or break on write
d Disassembles instructions
da Disassembles ARM instructions
db Don't break at the following address.
dbc Clear the Don't Break list.
dload Load raw data dump from file
dsave Dump raw data to file
dt Disassembles THUMB instructions
eb Modify memory location (byte)
eh Modify memory location (half-word)
er Modify register
ew Modify memory location (word)
h Shows this help information. Type h for command help
io Show I/O registers status
last Trigger the display of the last registers states
lf Log instructions to file
lfc Log instructions to file (doesn't dump register data
load Loads a Fx type savegame
locals Shows local variables
mb Shows memory contents (bytes)
mh Shows memory contents (half-words)
mw Shows memory contents (words)
n Executes the next instruction
print Print the value of a expression (if known)
q Quits the emulator
r Shows ARM registers
radix Sets the print radix
save Creates a Fx type savegame
symbols List symbols
verbose Change verbose setting
where Shows call chain


A couple of things may be broken - I haven't touched it for a very long time. bpw will accept VRAM addresses, and should process these correctly (tip: watch out for DMA writes, it catches these as well. If something doesn't look right, check that it's not a DMA write first). It also accepts SRAM addresses but this -does not work-. Just ignore that.

edit: some additional info about the conditional syntax - it sucks. This is basically how it works:


(address or register) (comparison operator) (address, register or immediate) [(size)]


addresses should be prefixed with '$' and are read as hexadecimal.
registers should be prefixed with 'R'.
immediates should not be prefixed.

valid comparison operators are:
==
!=
<>
<
>

size is for the size of comparison - i.e. specifies whether to read a byte, halfword, or word when loading values from a given address. use 'b', 'h' or 'w'.




(edited by labmaster on 02-24-06 11:35 PM)
(edited by labmaster on 02-24-06 11:36 PM)
labmaster

Red Paragoomba


 





Since: 11-18-05
From: Away for exams, back mid-December.

Last post: 5983 days
Last view: 5913 days
Posted on 03-03-06 02:20 AM, in Converting Save Files Link
An SPS is basically a 'sav' file with a header tacked on. Try removing the header using a hex editor (I don't think SPS headers have a fixed size, so the easiest way to tell where it finishes is probably to take a look at a normal 'sav' file generated by the game, and seeing if there's some easily recognizable 'marker data' that you can use).

edit: jbtw, which emulator are you using?

(edited by labmaster on 03-03-06 01:20 AM)
labmaster

Red Paragoomba


 





Since: 11-18-05
From: Away for exams, back mid-December.

Last post: 5983 days
Last view: 5913 days
Posted on 03-03-06 07:52 PM, in Converting Save Files Link
VBA should take SPS files - File->Import->Gameshark Snapshot. If there isn't that feature in your version, you should seriously consider updating (1.6.1 or 1.7.2).
labmaster

Red Paragoomba


 





Since: 11-18-05
From: Away for exams, back mid-December.

Last post: 5983 days
Last view: 5913 days
Posted on 03-31-06 01:33 AM, in Dis-assembler for GBA Link
What do you want to use it for? MappyVM will let you export disassemblies, VBA-SDL let's you do it to a limited degree (shouldn't be too hard to make some changes so that you can specify ranges etc...) and of course if you only want to take a look you can use the Disassembly viewer in the GUI version.
Pages: 1 2 3
Acmlm's Board - I3 Archive - - Posts by labmaster


ABII

Acmlmboard 1.92.999, 9/17/2006
©2000-2006 Acmlm, Emuz, Blades, Xkeeper

Page rendered in 0.033 seconds; used 441.54 kB (max 569.97 kB)