
Object Tweaking Without ASM

Discussion in 'Engineering & Reverse Engineering' started by Sonic 65, Jun 3, 2005.

Thread Status:
Not open for further replies.
  1. Sonic 65

    Sonic 65

    Tech Member
    Yeah, so this is basically all my Object Tweaking Without ASM tutorials on StephenUK's forums combined, with all the OMGs, XDs, LOLs, and ROFLs removed.

    How to Look For Object Loading Procedures:

    In hexadecimal, if an object is to be spawned from another object, the compiled machine code will look something like the below example:

    13 7C 00 40 00 00 33 68

    That would load object 0040, which is the Moto Bug exhaust. So the format of the hex code is in a format like below:

    13 7C 00 aa aa 00 33 68

    That would load object aaaa. If you are programming your own object using hex, for the loading to begin another line of hex would have to be placed after the above code:

    00 08 00 08 33 68 00 0C 00 0C 13 68

    How To Find and Modify The Way Badniks Move:

    You can search for machine code that makes badniks move inside their code. It will look somewhat like this:

    31 7C mm mm rr rr

    Where mmmm is how much to move and rrrr is in what direction.

    rrrr has several different values you can use that affect the direction the object you are editing moves, which are listed below:

    10 = left
    12 = up
    14 = down
    16 = right

    How to Find An Offset Where Sonic Gets Hurt:

    In the code of objects which hurt Sonic, you will often find a pointer to 1248C0, unless your ROM has shifted before 1248C0. 1248C0 contains the HurtSonic subroutine. If you want an object to hurt Sonic, simply place the hex line:

    30 28 12 48 C0

    That is a pointer to 1248C0, which contains the SonicHit subroutine.
    If you want to skip this code just 4E 91 it and put an FF at the end.


    How To Make An Object Invisible:

    Simply place the following;

    11 7C 00 28 00 1C

    Tada!

    Monitor Types:

    The type of a certain monitor is contained in the register A0 (registers are where a game stores values other than in the RAM), and then moved to the register D0. Then the game tests what monitor type is in D0. Below is a table of monitor types possible for the game to comprehend:

    01 - Eggman
    02 - Sonic (1UP)
    03 - Speed Sneakers
    04 - Shield
    05 - Invincibility
    06 - 10-Ring
    07 - 'S'
    08 - Goggles
    09 - Broken
    ?? - Static

    So it is possible to add 245 more monitor types! Though that would certainly be an unneeded handful of code. Anyway, if the monitor is set to broken, the game is told to do nothing (except show the monitor's graphics and mappings, of course!).

    Modifying Things Monitors Do:

    The 10-Ring monitor gives 10 rings (contained as the value 000A). The value moved to the RAM address $FE20 is contained at A443. You can make this monitor give up 65535 (FFFF) rings by modifying the data. Sadly, it is impossible for the ring counter to contain any value above 999 and still give unglitched results. But, anyway, let's say you wanted to make the ring counter give a shield instead of 10 rings. First of all, here are the (predictable) shield values:

    00 - Off
    01 - On

    Just like a binary digit. The ring count (but not ring counter value) is stored in RAM at $FE20. The shield value is stored in RAM at $FE2C. You only know where the value of rings moved to $FE20 is contained and the information I just told you. How do you know what to do?

    Note that A443's code moves the value to $FE20. Therefore, there must be a pointer to $FE20 in the code (or the game wouldn't know where to move the rings!). So you will find FE 20 (the pointer to $FE20) beside the ring value. Change the ring value to 0001 and the pointer to FE2C, and you've got teh ultimate shield of ringiness! *bricked*

    Enough with the bad jokes, Time to go on to our next snippet of this topic:

    Making Monitors Play Teh Music:

    Just put a 30 3C 00 xx 4E F9 00 00 13 96 and you've got it! The variable xx represents the music number you want to play. It uses the same values as the playlists, even in S1. So, wanna test teh music? Let's make the 10-Ring monitor play the shield sound to go along with our previous hack!

    The sound the 10-Ring monitor plays is contained at A474. The value is really 00B5, but the music playlist only supports values from 00 to FF (it may not seem like it, but the only reason I think the programmers cut the playlist was because they didn't want you to hear the SEGA sound in the sound test for some reason. =P). The shield music value is AF. Change the B5 to AF, and tada! Woot woot! The ultimate shield of ringiness now playz teh ultimate shield sound of ringiness! *bricked and shot 3 times*




    -----------------------------------------------------------------------------------------------

    END COMPILATION

    EDIT: Fixed error that Heran pointed out.
     
  2. Heran Bago

    Heran Bago

    Ah! It's Puyo battle then. Tech Member
    I threw open Sonic 1 and searched for "13 7C 00 40 00 00 33 68". Changed the 00 40 to C0 00 (so motobug will spawn more motobugs =D). Well, the bug plowed along as usual only without the smoke. Then a Buzz Bomber comes over and shoots his crazed angry ray around the screen. =(
    Just ignore that the screen is from my craptastic hack.

    Well, aside from that, this info is awesome.
     
  3. Sonic 65

    Sonic 65

    Tech Member
    ...the fuck?

    Gotta check that.
     
  4. Hivebrain

    Hivebrain

    Administrator
    0040 obviously isn't Motobug smoke. 4002 is.
     
  5. Sonic 65

    Sonic 65

    Tech Member
    *slaps head* Ow. I meant to have it say to search for 13 7C 00 40 02 00 33 68.
     
  6. Heran Bago

    Heran Bago

    Ah! It's Puyo battle then. Tech Member
    "13 7C 00 40 02 00 33 68"? Search string not found. That's on a clean ROM too.
     
  7. Sonic Hachelle-Bee

    Sonic Hachelle-Bee

    Taking a Sand Shower Tech Member
    If you look at the SCHG, in the Sonic 2 section, you will see an object programming topic. I haven't explained how to program a sprite yet, but soon, you will be able to make incredible things, all in machine code (just read).

    I'm on dynamic patterns again for now, and I am going to make the same thing as for sprites. My holidays start today. You can expect quite huge updates to the SCHG soon.

    BTW, some things I can read here look like what I've done in my new Lost Wood zone. It looks like pieces of code I made, but extremely badly explained... I hope this is only a coincidence.
     
  8. Hivebrain

    Hivebrain

    Administrator
    I think it would be better if everyone learned to use actual ASM, rather than confusing sequences of numbers.

    This is the code for loading exhaust smoke:

    Code (Text):
        bsr.w    SingleObjLoad
        bne.s    locret_F756
        move.b   #$40,0(a1)       ; load exhaust smoke object (40)
        move.w   8(a0),8(a1)
        move.w   $C(a0),$C(a1)
        move.b   $22(a0),$22(a1)
        move.b   #2,$1C(a1)       ; use animation 02
    As you can see, the 40 and 02 are set separately as bytes.
     
  9. Miles3298

    Miles3298

    Member
    How would we make it so enemies can't hurt Sonic? Search for 30 28 12 48 C0 strings, 4E 71 (or 75, not sure) the 30 28 and make the location of 28 12 48 be 00 00 00?
     
  10. ICEknight

    ICEknight

    Researcher Researcher
    Let me guess, was whatever code the spikes used to have replaced with "30 28 12 48 C0" for the JP2 version in Sonic Mega Collection?
     
  11. Tweaker

    Tweaker

    Banned
    ASM may confuse some people. At least I understood it. Yay!

    I think better than trying to search for exact results immediately, it would be better to look up results simply using object 40 first. Then once you get some legitimate results, you can get more precise. I just wish there was a hex editor that allowed you to insert wildcards in place of certain bytes. That would be really helpful.
     
  12. Sonic 65

    Sonic 65

    Tech Member
    XVI32 is that hex editor. =P. The 'joker hex char' is the wildcard.
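
Added example, not part of any post in this thread: a wildcard byte-pattern search of the kind asked for above, run over a constructed buffer rather than a real ROM. The buffer is assembled by hand from the byte strings quoted in the thread and the instruction listing in post 8; the function names and the `??` wildcard syntax are assumptions of this example. It also shows why the exact string `13 7C 00 40 02 00 33 68` is not found: the object number and the animation number are written by two separate instructions.

```python
import re

def compile_pattern(pattern):
    """Turn 'AA ?? BB' into a bytes regex; '??' matches any one byte."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b"(.)")  # capture the wildcard byte
        elif len(tok) == 2:
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"bad token {tok!r}: use two hex digits or ??")
    # Lookahead so that overlapping matches are all reported.
    return re.compile(b"(?=" + b"".join(parts) + b")", re.DOTALL)

def find_all(data, pattern):
    """Return [(offset, [wildcard byte values])] for every match in data."""
    rx = compile_pattern(pattern)
    return [(m.start(), [g[0] for g in m.groups()]) for m in rx.finditer(data)]

# Constructed sample (not ROM data): filler, the object-loading sequence
# from the thread, filler, then one "31 7C mm mm rr rr" movement write.
SAMPLE = bytes.fromhex(
    "FF FF FF FF"
    "13 7C 00 40 00 00"   # object number 40 written as a byte
    "33 68 00 08 00 08"
    "33 68 00 0C 00 0C"
    "13 68 00 22 00 22"
    "13 7C 00 02 00 1C"   # animation 02 written separately
    "4E 75"
    "31 7C FF 00 00 10"
)

SPAWN = "13 7C 00 ?? 00 00 33 68 00 08 00 08"  # any object number
ANIM = "13 7C 00 ?? 00 1C"                     # any animation number
MOVE = "31 7C ?? ?? ?? ??"                     # mm mm rr rr from post 1

if __name__ == "__main__":
    for name, pat in (("spawn", SPAWN), ("anim", ANIM), ("move", MOVE)):
        for off, wild in find_all(SAMPLE, pat):
            print(f"{name}: offset 0x{off:X}, wildcards {[f'{b:02X}' for b in wild]}")
```
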
     
  13. Aurochs

    Aurochs

    Единый, могучий Советский Союз! Tech Member
    I never liked that program. It was difficult to search for patterns because it didn't render anything while scrolling. But, to each his own, I guess... :P
     
  14. Sonic 65

    Sonic 65

    Tech Member
    The only bad thing I can see about XVI32 is that it uses weird offset numbers, meaning you actually have to count. *gasp*
     