Sonic and Sega Retro Message Board: Sonic Fighters Hacking - Sonic and Sega Retro Message Board

Jump to content

Hey there, Guest!  (Log In · Register) Help
  • 5 Pages +
  • ◄ First
  • 3
  • 4
  • 5
    Locked
    Locked Forum

Sonic Fighters Hacking

#61 User is offline SteveBlockhead 

Posted 02 April 2018 - 06:03 PM

  • Posts: 7
  • Joined: 29-November 17
  • Gender:Male
  • Location:New Zealand

View Postbiggestsonicfan, on 01 April 2018 - 10:40 AM, said:

Steve, can you make an unlisted video showing the steps you took to find the variable and PM that to me?

Sure. I'll reply back with the link when it's ready.

#62 User is offline biggestsonicfan 

Posted 02 April 2018 - 06:59 PM

  • Model2wannaB
  • Posts: 727
  • Joined: 09-May 07
  • Gender:Male
  • Project:Formerly Sonic the Fighters

View PostSteveBlockhead, on 02 April 2018 - 06:03 PM, said:

View Postbiggestsonicfan, on 01 April 2018 - 10:40 AM, said:

Steve, can you make an unlisted video showing the steps you took to find the variable and PM that to me?

Sure. I'll reply back with the link when it's ready.

Missed this post. OOPS. No worries, I found it. Debug mode is working, kinda sorta but hmm... something's still not quite right... Sky Eye will work for sure, but I want Parts Test to work!

#63 User is offline SteveBlockhead 

Posted 02 April 2018 - 07:36 PM

  • Posts: 7
  • Joined: 29-November 17
  • Gender:Male
  • Location:New Zealand
Whoops. I should have checked back sooner. I had just finished uploading it too. Oh well. I'm not sure what Parts Test really does. Does Parts Test open at all for you? If you open certain menus, and then open another one of a different type after that, it'll sort of glitch out. Only way around that I know is you need to restart the whole emulator.

#64 User is offline biggestsonicfan 

Posted 02 April 2018 - 07:53 PM

  • Model2wannaB
  • Posts: 727
  • Joined: 09-May 07
  • Gender:Male
  • Project:Formerly Sonic the Fighters

View PostSteveBlockhead, on 02 April 2018 - 07:36 PM, said:

Whoops. I should have checked back sooner. I had just finished uploading it too. Oh well. I'm not sure what Parts Test really does. Does Parts Test open at all for you? If you open certain menus, and then open another one of a different type after that, it'll sort of glitch out. Only way around that I know is you need to restart the whole emulator.


We have definately found a way to get debug mode working, but I am not sure all flags are being properly set. However, this gives me a good stepping stone to figure out in the game's code how debug mode may have originally been accessed.


Also it was the POLYGON TEST I am most excited about. It will allow clean screenshots of unused objects for the Wiki.

#65 User is offline biggestsonicfan 

Posted 01 June 2018 - 02:40 AM

  • Model2wannaB
  • Posts: 727
  • Joined: 09-May 07
  • Gender:Male
  • Project:Formerly Sonic the Fighters
Because of the Pokemon Gold leak, it's inspired me to clean up some of my code to make debug mode public in a script with a function to handle debug functions and can integrate into anyone else's cheat script if they've made one.

For those new to this, copy the code into a blank text file using a text editor of your choice (such as notepad), and save as "sfight.lua", and place it in the "scripts" folder where the emulator is located. Voila!
Spoiler


Posted Image

Happy Debugging! :specialed:
This post has been edited by biggestsonicfan: 01 June 2018 - 03:06 AM

#66 User is offline DarthDub 

Posted 02 June 2018 - 12:47 AM

  • Amateur Hacker
  • Posts: 4
  • Joined: 15-December 15
  • Gender:Male
  • Location:Mount Vernon, WA

View Postbiggestsonicfan, on 01 June 2018 - 02:40 AM, said:

Because of the Pokemon Gold leak, it's inspired me to clean up some of my code to make debug mode public in a script with a function to handle debug functions and can integrate into anyone else's cheat script if they've made one.

For those new to this, copy the code into a blank text file using a text editor of your choice (such as notepad), and save as "sfight.lua", and place it in the "scripts" folder where the emulator is located. Voila!
Spoiler



Happy Debugging! :specialed:/>/>
This is really cool! Thanks for sharing with everyone!
This post has been edited by DarthDub: 02 June 2018 - 06:38 PM

#67 User is offline Overlord 

Posted 02 June 2018 - 12:26 PM

  • Substitute Meerkovo IT Chief
  • Posts: 17026
  • Joined: 12-January 03
  • Gender:Male
  • Location:Berkshire, England
  • Project:VGDB
  • Wiki edits:3,204
Indeed, thanks for putting so much work into this, all of you.

#68 User is offline biggestsonicfan 

Posted 03 June 2018 - 03:26 PM

  • Model2wannaB
  • Posts: 727
  • Joined: 09-May 07
  • Gender:Male
  • Project:Formerly Sonic the Fighters

View PostOverlord, on 02 June 2018 - 12:26 PM, said:

Indeed, thanks for putting so much work into this, all of you.

Thank you. I feel I should say something after crying "DEBUG MODE IS NEIGH!" since Honey was first found like, 11 years ago, but in 11 years the people who wanted the models moved on. The community moved on and now I feel like my biggest contribution to this was never giving up really. I knew it was there, but this interesting situation with Steve seemed to accelerate this baby to 88 and we saw some serious shit all the way back to 1996.

I'd like to share some of my research leading to this point that has currently gone unpublished.

In my quest to search for debug mode, I finally brought out the big guns and began disassembling Sonic the Fighters from scratch using every piece of research I had gathered to that time.

After successfully dumping the entire memory contents and loading both the program and memory with correct mapping into IDA Pro, I began labeling everything I knew in the data and the memory.

One particular address I saw associated with Debug was checking an address of memory at 0x508000 and branching to debug-like subroutines if true.

One of these routines happened to call one of my documented routines:

ROMBASE:00000C94 000                 ld      dword_508000, r15
ROMBASE:00000C9C 000                 bbs     0x0D, r15, loc_CB8
ROMBASE:00000CA0 000                 call    health_gyr


If translated to psudocode, it would look something like this:
  • Load register r15 in the processor with value of address 0x508000
  • If the value in bit 0x0D in r15 is set, branch to subroutine CB8
  • Else, call the subroutine to initialize the health bars


health_gyr is a subroutine I documented which handles the HUD's palette data for the health bars.

Their colors values are as follows:
Green:
0x836082C08220818083E0834082A08200

Yellow:
0xA3FF837F82DF827FB3FF83FF835F82FF

Red:
0x801B801880158011801F801C80198015


This subroutine is referenced in every frame of emulation. If we can change the data in the ROM, it will reflect in every frame of the emulated result!

The hex for calling the health routine is 14 DC 02 09, but if we change it to 10 00 00 09, the routine looks a little different:

ROMBASE:00000C94 000                 ld      dword_508000, r15
ROMBASE:00000C9C 000                 bbs     0x0D, r15, loc_CB8
ROMBASE:00000CA0 000                 call    loc_CA4


We now call routine CA4 instead of the health bar routine and guess what, the health bars are assigned default palette values (the location of those colors as of writing I do not know) which happen to be the same ones as seen in very early prototype screenshots of the game!

Et volia! An unused beta routine restored!

The function for this to be used in a script is as follows:

function patchdbg(value)
	--set health bars
	if value == 1 then
		Romset_PatchByte(0,0xCA0, 0x04)
		Romset_PatchWord(0,0xCA1, 0x0000)
	-- restore health bars
	elseif value == 0 then
		Romset_PatchByte(0,0xCA0, 0x14)
		Romset_PatchWord(0,0xCA1, 0x2DC)
	end
end


You can either call patchdbg(1) in Init() or in a cheat menu option. Either way, you will need to read model2lua.txt to implement it correctly into the script above. A more playful script will be released as more things are explored and documented in debug mode. Also, for some reason, it affects menu item selection in debug mode, which is incredibly bizarre.
This post has been edited by biggestsonicfan: 04 June 2018 - 06:42 PM

#69 User is offline lordexodus 

Posted 04 June 2018 - 11:35 PM

  • Posts: 2
  • Joined: 24-November 15
Hey, can you provide videos of Fang, Bean, & Bark running repeatedly with the view on the side? I'd like to see how they look while running...

#70 User is offline biggestsonicfan 

Posted 05 June 2018 - 12:42 PM

  • Model2wannaB
  • Posts: 727
  • Joined: 09-May 07
  • Gender:Male
  • Project:Formerly Sonic the Fighters

View Postlordexodus, on 04 June 2018 - 11:35 PM, said:

Hey, can you provide videos of Fang, Bean, & Bark running repeatedly with the view on the side? I'd like to see how they look while running...

This can be seen in normal gameplay?The instructional VHS also has footage of every dash and move in the game.

Anyway, here's Pengo and his ice blocks. I could not correctly screenshot these a decade ago.
Posted Image

Also, a build date, which as of yet has no relevance to the game's code as far as I can tell:
ROMBASE:000BDE1B     aRYPOC:         .ascii "RYPOC"<0>
ROMBASE:000BDE21     aTHGI:          .ascii " THGI"<0>
ROMBASE:000BDE27     aAGES:          .ascii " AGES"<0>
ROMBASE:000BDE2D     aRETNE:         .ascii "RETNE"<0>
ROMBASE:000BDE33     aESIRP:         .ascii "ESIRP"<0>
ROMBASE:000BDE39     aMILS:          .ascii "MIL S"<0>
ROMBASE:000BDE3F     aDETI:          .ascii " DETI"<0>
ROMBASE:000BDE45     a5991:          .ascii " 5991"<0>
ROMBASE:000BDE4B                     .ascii "     "<0>
ROMBASE:000BDE51     a7211:          .ascii " 7211"<0>
ROMBASE:000BDE57                     .ascii "     "<0>
ROMBASE:000BDE5D     aAHMA:          .ascii "AH MA"<0>
ROMBASE:000BDE63     aRAWDR:         .ascii "RAWDR"<0>
ROMBASE:000BDE69     aDRE:           .ascii "D&R E"<0>
ROMBASE:000BDE6F     aTPED:          .ascii "TPED "<0>
ROMBASE:000BDE75                     .ascii "    ."<0>
ROMBASE:000BDE7B     aCOPYR:         .ascii "COPYR"<0>
ROMBASE:000BDE81     aIGHT:          .ascii "IGHT "<0>
ROMBASE:000BDE87     aSEGA:          .ascii "SEGA "<0>
ROMBASE:000BDE8D     aENTER:         .ascii "ENTER"<0>
ROMBASE:000BDE93     aPRISE:         .ascii "PRISE"<0>
ROMBASE:000BDE99     aSLIM:          .ascii "S LIM"<0>
ROMBASE:000BDE9F     aITED:          .ascii "ITED "<0>
ROMBASE:000BDEA5     a1995:          .ascii "1995 "<0>
ROMBASE:000BDEAB                     .ascii "     "<0>
ROMBASE:000BDEB1     a1127:          .ascii "1127 "<0>
ROMBASE:000BDEB7                     .ascii "     "<0>
ROMBASE:000BDEBD     aAMHA:          .ascii "AM HA"<0>
ROMBASE:000BDEC3     aRDWAR:         .ascii "RDWAR"<0>
ROMBASE:000BDEC9     aERD:           .ascii "E R&D"<0>
ROMBASE:000BDECF     aDEPT:          .ascii " DEPT"<0>
ROMBASE:000BDED5                     .ascii ".    "


COPYRIGHT SEGA ENTERPRISE LIMITED 19951127 AM HARDWARE R&D DEPT.
This post has been edited by biggestsonicfan: 05 June 2018 - 06:40 PM

#71 User is offline lordexodus 

Posted 07 June 2018 - 05:28 PM

  • Posts: 2
  • Joined: 24-November 15
^ I checked the video. It doesn't show any of the characters I named running toward the opponent, nor any polygonal demonstrations of them running. You lied to me!

#72 User is offline biggestsonicfan 

Posted 07 June 2018 - 05:35 PM

  • Model2wannaB
  • Posts: 727
  • Joined: 09-May 07
  • Gender:Male
  • Project:Formerly Sonic the Fighters

View Postlordexodus, on 07 June 2018 - 05:28 PM, said:

^ I checked the video. It doesn't show any of the characters I named running toward the opponent, nor any polygonal demonstrations of them running. You lied to me!

Unfortunate I wasted your time, but you could find a copy of the game now you know how to play! This is the hacking forum, not a help thread. You also did not tell me what you would do with the information.

The video, however, shows you a Sky Eye that we do not have access to. Debug mode only allows for single-frame observation. As of yet, the camera cannot be locked to another object or coordinate yet. Requesting such information now would be like requesting the models a decade ago, the information does not exist nor am I interested in capturing it for you. I will tell you that if you use the debug mode and set the stage to the dummy stage while in wireframe mode you will be able to see the polygons fully.

#73 User is offline SteveBlockhead 

Posted 11 June 2018 - 05:57 AM

  • Posts: 7
  • Joined: 29-November 17
  • Gender:Male
  • Location:New Zealand

View Postbiggestsonicfan, on 07 June 2018 - 05:35 PM, said:

View Postlordexodus, on 07 June 2018 - 05:28 PM, said:

^ I checked the video. It doesn't show any of the characters I named running toward the opponent, nor any polygonal demonstrations of them running. You lied to me!

Debug mode only allows for single-frame observation.


I found the the address that controls that. If you just scan in Cheat Engine for a decrease when frozen, and an increase when playing, you should be able to find it, and set it as the same value as it was when the game wasn't frozen. I also do have the animation address too, but sadly my cheat table doesn't work with others, only me.
This post has been edited by SteveBlockhead: 11 June 2018 - 05:58 AM

#74 User is offline biggestsonicfan 

Posted 11 June 2018 - 07:53 AM

  • Model2wannaB
  • Posts: 727
  • Joined: 09-May 07
  • Gender:Male
  • Project:Formerly Sonic the Fighters

View PostSteveBlockhead, on 11 June 2018 - 05:57 AM, said:

View Postbiggestsonicfan, on 07 June 2018 - 05:35 PM, said:

View Postlordexodus, on 07 June 2018 - 05:28 PM, said:

^ I checked the video. It doesn't show any of the characters I named running toward the opponent, nor any polygonal demonstrations of them running. You lied to me!

Debug mode only allows for single-frame observation.


I found the the address that controls that. If you just scan in Cheat Engine for a decrease when frozen, and an increase when playing, you should be able to find it, and set it as the same value as it was when the game wasn't frozen. I also do have the animation address too, but sadly my cheat table doesn't work with others, only me.

I meant Skye Eye doesn't stay in place. I simulated your pass-through method using the "Q" key!

  • 5 Pages +
  • ◄ First
  • 3
  • 4
  • 5
    Locked
    Locked Forum

2 User(s) are reading this topic
0 members, 2 guests, 0 anonymous users