Register - Login
Views: 95199454
Main - Memberlist - Active users - Calendar - Wiki - IRC Chat - Online users
Ranks - Rules/FAQ - Stats - Latest Posts - Color Chart - Smilies
09-23-18 05:55:01 PM

Jul - SM64 Hacking (Archive) - Hacking animations New poll - New thread - New reply
Pages: 1 2Next newer thread | Next older thread
yoshiman
Member
Level: 22


Posts: 6/95
EXP: 58039
For next: 311

Since: 12-21-07

From: London, England

Since last post: 9.0 years
Last activity: 9.0 years

Posted on 12-25-07 05:37:01 PM Link | Quote
I'm surprised how the animations are handled in SM64, there is the Peach animation stored in memory when outside the castle; she claps her hands and pats something. There are 100 frames to this animation, and many different movements for each frame so the whole animation takes up a fair amount of memory.

First of all there was translation and rotation of Peach, and then the rotation of Peach's hair, dress and arms. The values look to be integers so that they need only 2 bytes as opposed to using more accurate f/p numbers that would need more bytes.

Now for something strange, no surprise that rotating Peach's forearms moves her hands but rotating her upperarms does not so that you can actually split her arms in half! There also seems to be repeated rotations, such as for her hair. I'm guessing that what can be animated about an object depends on how the gfx are constructed.

If it were possible to replace Mario with Peach then the animation would have to be adjusted. As Mario does different things, the data pointed to by Mario's animation pointer changes, but surely all of his animations are already loaded in memory?

James S.
Rena

Star Mario
Fennel
Level: 128


Posts: 1922/5257
EXP: 24350359
For next: 31341

Since: 07-22-07

Pronouns: he/him/whatever
From: RSP Segment 6

Since last post: 2 days
Last activity: 2 days

Posted on 12-25-07 06:43:56 PM Link | Quote
Mario's model is very likely constructed much differently. The animation routines for Peach won't know how to work it and vice-versa. They could be adapted, but probably not easily.

Also, a fair number of N64 games store things as 16-bit integers in ROM and convert those to floats on load. There's no reason not to, since the range gives you enough precision and space to work with for the sizes of the games' levels. Nothing in Mario Kart even comes close to +/-10000 that I've seen, and it has some fairly large levels.
yoshiman
Member
Level: 22


Posts: 7/95
EXP: 58039
For next: 311

Since: 12-21-07

From: London, England

Since last post: 9.0 years
Last activity: 9.0 years

Posted on 12-26-07 06:19:53 PM Link | Quote
It's strange the problem with Peach's upperarms but I've now found the proper values to rotate her arms. Has anyone ever edited SM64 animations before-what about an animation editor?

It's been a while since I've seen the ending sequence, but you can even move or rotate Peach's earrings. Of course changing Mario's animations would be a lot more difficult but it would be a challenge.

James S.
VL-Tone
Member
Super Mario 64 forum moderator
Level: 51


Posts: 155/621
EXP: 987979
For next: 25959

Since: 07-27-07

From: Montreal, Canada

Since last post: 1.0 years
Last activity: 50 days

Posted on 12-27-07 01:38:40 AM Link | Quote
yoshiman, you might want to take a look at this thread: http://jul.rustedlogic.net/thread.php?id=954

What I'm describing there is the 0x27 animation command used in the behavior scripts. The command includes a pointer to animation data which is found in the same MIO0 (compressed) data bank as the geometry for a particular animated object.

I didn't spend much time on analyzing the format of the animation data, but it seems to be related to the animation values you're talking about. It contains a series of rotation values, arranged in a hierarchy that matches the body hierarchy.

But Mario is a special case, its behavior script doesn't contain a 0x27 command, and I've found no traces of animation data anywhere in Mario's MIO0 data bank. In fact it's behavior script doesn't seem to be used that much, you can change values and things, and the only difference you'll see is that for some reason Mario will run faster. Aside from that, he seems to be controlled by an entirely different animation system.


yoshiman
Member
Level: 22


Posts: 9/95
EXP: 58039
For next: 311

Since: 12-21-07

From: London, England

Since last post: 9.0 years
Last activity: 9.0 years

Posted on 12-27-07 06:03:53 PM Link | Quote
I can edit Mario's animation data but it gets overwritten by the game, unlike for Peach, for example. The animation pointer in Mario's object structure stays the same but the data it points to changes, so its possible new animations are loaded but I'm not so sure.

James S.
VL-Tone
Member
Super Mario 64 forum moderator
Level: 51


Posts: 164/621
EXP: 987979
For next: 25959

Since: 07-27-07

From: Montreal, Canada

Since last post: 1.0 years
Last activity: 50 days

Posted on 01-05-08 08:16:33 PM Link | Quote
Originally posted by yoshiman
I can edit Mario's animation data but it gets overwritten by the game, unlike for Peach, for example. The animation pointer in Mario's object structure stays the same but the data it points to changes, so its possible new animations are loaded but I'm not so sure.

James S.


I guess that the animation data for Mario is dynamic, meaning that it changes depending on the "move" Mario is making.
Rena

Star Mario
Fennel
Level: 128


Posts: 2077/5257
EXP: 24350359
For next: 31341

Since: 07-22-07

Pronouns: he/him/whatever
From: RSP Segment 6

Since last post: 2 days
Last activity: 2 days

Posted on 01-06-08 03:49:11 AM Link | Quote
Well if you feel like hacking it, 8033B17C (32 bits) is Mario's current action. If you turn on debug mode (8032D598 0001), part of this value is shown on the screen. Some known values:
00020449: Burning
00021312: Sinking in quicksand to die
00840452: Sitting
008C0453: Sliding forward
010208B7: Jumping from Lava
04000440: Sneaking against a wall
0C000203: Sleeping Mario
0C400201: Normal
0C400205: Weak Mario
380022C0: Swimming
20810446: Riding a shell
03000880: Jumping
yoshiman
Member
Level: 22


Posts: 14/95
EXP: 58039
For next: 311

Since: 12-21-07

From: London, England

Since last post: 9.0 years
Last activity: 9.0 years

Posted on 01-06-08 06:23:00 PM Link | Quote
Thanks for what's no doubt an NTSC address! The debug code was never found for the PAL version as far as I'm aware. But thanks anyway.

James S.
Rena

Star Mario
Fennel
Level: 128


Posts: 2084/5257
EXP: 24350359
For next: 31341

Since: 07-22-07

Pronouns: he/him/whatever
From: RSP Segment 6

Since last post: 2 days
Last activity: 2 days

Posted on 01-06-08 07:26:47 PM Link | Quote
Well, do the math. NTSC has the lives at 8033B21D. The difference between that and the PAL lives address is most likely the same for the debug code.
yoshiman
Member
Level: 22


Posts: 16/95
EXP: 58039
For next: 311

Since: 12-21-07

From: London, England

Since last post: 9.0 years
Last activity: 9.0 years

Posted on 01-06-08 07:55:18 PM (last edited by yoshiman at 01-06-08 08:06 PM) Link | Quote
Actually, you can't always add/subtract to get the address for a different version; that's a common mistake. Otherwise all PAL users would be able to use the debug code if it were that simple; but there are some remains left in the PAL version such as the level select names.

Mario's lives (PAL) 803094DD (NTSC) 8033B21D Difference=31D40
First object structure (PAL) 8030B0B8 (NTSC) 8033D488 Difference=323D0

See? It doesn't always work out. I've tried subtracting to get the debug code but nothing.

But what you're talking about once more is totally different to what I'm referring to.

If Peach's actual animation data is just a number of translations and rotations for each of her body parts then why should it be different for any other objects? The animations commands you talk about do change dynamically for Mario but does Mario's actual animation data-the translations and rotations-change dynamically too?

James S.
Sunny

Level: 110


Posts: 280/3675
EXP: 14230460
For next: 178426

Since: 07-23-07


Since last post: 220 days
Last activity: 13 hours

Posted on 01-06-08 08:24:10 PM Link | Quote
Would figuring out these help?

NTSC ???????? ???? = Nearest known code before = ???????? ???? PAL
NTSC 8032D598 0001 = Debug Code = ???????? ???? PAL
NTSC ???????? ???? = Nearest known code after = ???????? ???? PAL

If you know what those codes translate at, and they're close enough to the debug code, you could probably translate the debug code at both their differences, all the differences between, and a slight +/- error translation outside the range.
It's a bunch of shots in the dark, but hey, it's ammo. And something I'd do if I had the ROM & the will.
yoshiman
Member
Level: 22


Posts: 17/95
EXP: 58039
For next: 311

Since: 12-21-07

From: London, England

Since last post: 9.0 years
Last activity: 9.0 years

Posted on 01-06-08 08:31:17 PM Link | Quote
Yeah, I've tried nearby but I think the only way to find the debug in the PAL version is to trace the coding. However, I can't find in the PAL version the ASM that checks the debug flag. So it seems like it was removed from the PAL version, or certainly the one I have.

James S.
VL-Tone
Member
Super Mario 64 forum moderator
Level: 51


Posts: 169/621
EXP: 987979
For next: 25959

Since: 07-27-07

From: Montreal, Canada

Since last post: 1.0 years
Last activity: 50 days

Posted on 01-06-08 09:54:11 PM Link | Quote
Originally posted by yoshiman
Yeah, I've tried nearby but I think the only way to find the debug in the PAL version is to trace the coding. However, I can't find in the PAL version the ASM that checks the debug flag. So it seems like it was removed from the PAL version, or certainly the one I have.

James S.


The only way? Nahh there are other ways... Remember that I managed to reverse-engineer SM64 and create TT64 without ever needing to trace and disassemble anything (though Cellar Dweller did both and helped me in a few parts).

Here's a trick that you can use to find the equivalent address in the PAL ROM.

Look for a sequence of static bytes nearby the NTSC address that looks unique, and make sure it's not a RAM address, (0x80xxxxxx) which will probably be different in the PAL version. For the debug code, let's take this sequence: "14 12 80 01". It's unique enough so that it doesn't appear at other places in the RAM (or ROM for that matter).

As you know the debug flag in the US ROM is at 0x8032D598, the "14 12 80 01" sequence is not far, at 0x8032D650.

Now, search for this sequence in the PAL version. In my PAL version, it's found at 0x802F9800.

Substract 0x802F9800 from 0x8032D650 to get the difference for this particular RAM area and you obtain 0x33E50. While this value cannot be used for the whole RAM, you can see that the data surrounding 0x802F9800 in the PAL version is very similar to where the debug flag is in the US version.

So, if you substract 0x33E50 from 0x8032D598 you get 0x802F9748.

What happens when I set the byte at 0x802F9748 to 01 in my PAL version? The Debug mode in the PAL version!. Well at least in my PAL ROM. Even if you have a different version, you can follow my instruction to find the address.

Originally posted by yoshiman
If Peach's actual animation data is just a number of translations and rotations for each of her body parts then why should it be different for any other objects? The animations commands you talk about do change dynamically for Mario but does Mario's actual animation data-the translations and rotations-change dynamically too?


I suspect that the animation data itself is not dynamic, but the game swaps different chunks of animation data depending on Mario's state. For example, if he's walking, the animation data is a walking cycle. If he jumps, the walking cycle data is replaced by the jumping animation data, etc. That would be why when you change something in Mario's animation data you loses the changes as soon as he moves. But that's a theory. What I do know for a fact is that unlike every other animated character in the game, Mario doesn't have its animation data stored in its MIO0 bank, and its behavior script doesn't use the 0x27 command. Actually I don't even know where its found in the ROM.


Originally posted by HyperHacker
Well if you feel like hacking it, 8033B17C (32 bits) is Mario's current action. If you turn on debug mode (8032D598 0001), part of this value is shown on the screen. Some known values:
00020449: Burning
00021312: Sinking in quicksand to die
00840452: Sitting
008C0453: Sliding forward
010208B7: Jumping from Lava
04000440: Sneaking against a wall
0C000203: Sleeping Mario
0C400201: Normal
0C400205: Weak Mario
380022C0: Swimming
20810446: Riding a shell
03000880: Jumping


Very interesting Reminds me of this list posted by Kawa-oneechan "back in the days" of the mega SM64 Hacking thread on acmlm. (And let's remind everyone that HyperHacker is the one that started that mega thread).


1 Standing
7 Carrying a small thing
8 Carrying a big thing
20 Crouching
21 Start crouching
22 Stop crouching
23 Start tigering
24 Stop tigering
2F Recover from backflip ("ha-haa!")
30 Recover from jump
32 Recover from jumping kick
3A Recover from triplejump
3B Recover from longjump (enter crouch)
3C Land from ground pound
3D Recover from Brake
3E Recover from ground pound
40 Walk/run
45 Brake
48 Crouching
4A Gentle brake
52 Sliding on butt
53 Sliding on stomach
62 Lie on butt
70 Land from jump
71 Land from jumping kick
78 Land from triplejump
79 Land from longjump
7A Land from backflip
80 Jump
82 Triplejump
83 Backflip
86 Walljump
88 Longjump
8C Hop off ledge
8D Twirl off treetop (end as jumpkick)
98 Shot away
A9 Ground pound
AC Jumping kick
B0 Bonk into wall
B6 Let go of ledge
C0 Swimming
C2 Recover from swimming punch
D0 Start paddle
D2 Paddle
D1 Stop paddle
E1 Swimming punch
E2 Land into water
100 Entering level
102 V sign
103 V sign while swimming
106 Used when talking to a character?
108 Used when reading signs
120 Open door
125 Falling?
121 Open small door
126 Jump out of painting
127 Recover from painting and wipe off
12B Jump out of fountain
133 Fall...
135 Jump into Big Boo's Haunt
140 Hang in tree (and slide down)
142 Slam into tree and grab
143 Climb up
144 Climb onto treetop
145 Stand on treetop
14B Hang onto ledge
14C Climb onto ledge
14D Recover from ledge climbing
171 In cannon
180 Punch (all three phases)
183 Grabbing something
188 Throw what you're holding
190 Grabbing Bowser
191 Holding Bowser
192 Letting go of Bowser



The list is not complete, there are some moves missing. You can see that there's a correspondence between the last byte of the values you posted and this list. Or would it be the last two bytes? There's something fishy about that extra nibble in the list.

I wish we could find the table that assigns which move goes with what, so we could swap moves. For example I always wanted to reinstate the spinning triple jump found in the Beta version (this is the spinning move that happens when you jump on the top of a flyguy and Mario shouts "boing!"). Look at this video to see what I'm talking about: http://www.youtube.com/watch?v=6HODfFcpecI
Rena

Star Mario
Fennel
Level: 128


Posts: 2088/5257
EXP: 24350359
For next: 31341

Since: 07-22-07

Pronouns: he/him/whatever
From: RSP Segment 6

Since last post: 2 days
Last activity: 2 days

Posted on 01-06-08 10:30:07 PM Link | Quote
My guess would be the game is taking the last byte of that, and another byte from somewhere else, and printing them using the "%x" format. (I know it uses %x, actually, as I made a code to change it. ) Can't say where the other byte comes from though.

There were some codes made a while back that changed certain moves. For example, courtesy of Parasyte:
8026FBDF 0081
8025251B 0081 Instant Double Jump

8126FBD4 0809
8126FBD4 BF37
8126FCE4 0000
8126FCE4 C821
812524E4 1000
812525AC 1000 Instant Triple Jump

I haven't investigated them but it looks like the first one is just changing a value that gets written to the action word. (80 is jump, 81 is probably double jump.)
These might be changing writes to that word too:

81250900 1000 Walk on Lava

81255490 1000
8125572C 1000
8125572E 0031 Walk on Quicksand

81253BF0 2400
81264BBC 1000 Walk up Hills

8126A2C4 1000 Land Safely From Any Height


812637FC 1000
812698C8 1000
8126FA6C 1000 Never Crushed By Thwomp/Whomp

There are a bunch of physics hacks too. Actually there's quite a few codes that might be useful to you. I should send you the file. (I intend to put it on my site at some point, but it still needs some corrections and I still need to code a frontend and so on.)

Also, I noticed 80222622 0000 turns the music right off.
yoshiman
Member
Level: 22


Posts: 18/95
EXP: 58039
For next: 311

Since: 12-21-07

From: London, England

Since last post: 9.0 years
Last activity: 9.0 years

Posted on 01-07-08 08:05:13 PM (last edited by yoshiman at 01-07-08 08:05 PM) Link | Quote
Thanks, VL-Tone; never before had I seen the PAL debug code yet you knew it all the time! It would have taken me much longer to find the code myself especially as the coding is different for the two versions for the ASM in the RAM:

NTSC

80248BE0 3C188033 lui t8, 0x8033
80248BE4 8318D598 lb t8, 0xd598 (debug_flag)
80248BE8 1300000B beq t8, r0, 0x80248C18

PAL

8026DFA0 3C0A8030 lui t2, 0x8030
8026DFA4 814A9748 lb t2, 0x802F9748 (debug_flag)
8026DFA8 3C018030 lui at, 0x8030
8026DFAC AC20A0D0 sw r0, 0x802FA0D0
8026DFB0 1140000A beq t2, r0, 0x8026DFDC

This really helps as I'm looking over the coding; I'd love to do a thread on SM64 ASM...

James S.
VL-Tone
Member
Super Mario 64 forum moderator
Level: 51


Posts: 172/621
EXP: 987979
For next: 25959

Since: 07-27-07

From: Montreal, Canada

Since last post: 1.0 years
Last activity: 50 days

Posted on 01-07-08 11:12:54 PM (last edited by VL-Tone at 01-07-08 11:13 PM) Link | Quote
Originally posted by yoshiman
Thanks, VL-Tone; never before had I seen the PAL debug code yet you knew it all the time!


Well I didn't know the PAL debug code before you prompted me to look for it It was easy for me, I'm used to make use of these kind of tricks when I have to find in ROM a value that's in RAM. BTW you can use the same method to find the debug flag in ROM, so that it can be activated permanently.

The only problem is that the debug flag is inside an area that's covered by one of the two checksums. That means that the checksum has to be recalculated, or else emulators will crash or refuse to run the game. Note that if you fix the checksum, you'll have to change one preference option in TT64 to skip the checksum check (TT64 expects a specific checksum).

Speaking of checksum, I found where the "state" values for Mario's action are stored in ROM by looking at the surrounding values of the patched bytes in the codes HyperHacker posted.

Same problem: these values are also inside the checksum area, so changing them require a checksum recalculation. I'm a little tired, I'm working early tomorrow morning, so I'll post the details of it some other time.

HyperHacker, I would be interested in the the other physics-changing codes that you have. I wasn't really interested in those before because on the Mac, the n64 emulators are pretty much barebones when it comes to hacking. No memory viewer, disassembler or even Gameshark codes (SNES9x on the Mac is pretty nice when it comes to hacking, it had a cheat finder and memory viewer, it helped me a lot when I was hacking StarFox and F-Zero, but it's an exception.). The only RAM searching I did before was by opening decompressed freeze states.

Anyway since I got my intel Mac, I can run Windows and its n64 emulators at full speed inside a VM, with all the hacker-friendly bell and whistles.

yoshiman, while a thread about ASM hacking is a good idea in itself, I'm not sure we have enough stuff to post about it yet, and keep in mind that only a few people here are familiar with n64 ASM. I think we should keep talks of ASM hacks inside threads like these, at least for now. Still if you have some major discovery involving ASM hacking, you can create a new thread about it.
Rena

Star Mario
Fennel
Level: 128


Posts: 2100/5257
EXP: 24350359
For next: 31341

Since: 07-22-07

Pronouns: he/him/whatever
From: RSP Segment 6

Since last post: 2 days
Last activity: 2 days

Posted on 01-08-08 06:04:51 AM Link | Quote
I'll try to remember to send you the list tomorrow, if I get the chance. Also, this convenient program will fix the checksums (just drag-and-drop the ROM file onto it), or you can look right around the beginning of RAM for the routine that checks them and simply disable the infinite loop it goes into. I'm not sure if that causes any trouble on a real N64 but it works fine in emulators.
yoshiman
Member
Level: 22


Posts: 23/95
EXP: 58039
For next: 311

Since: 12-21-07

From: London, England

Since last post: 9.0 years
Last activity: 9.0 years

Posted on 01-08-08 05:41:28 PM Link | Quote
Right, understood! At the moment I'm trying to work my way up the tree, that is, get to the original game loop. I've come across some strange side effects when disabling calls, such as no object interaction and a lot of smoke! But that's the way I try to work out what the coding does other than look at what variables it uses.

James S.
Stevoisiak
Member
Level: 36


Posts: 16/283
EXP: 299509
For next: 8601

Since: 11-22-07

From: New York, Long Island

Since last post: 8.0 years
Last activity: 2.0 years

Posted on 01-11-08 06:25:12 PM (last edited by Stevoisiak at 01-11-08 06:29 PM) Link | Quote
Originally posted by VL-Tone
I would be interested in the the other physics-changing codes that you have.


Here are a few you may like

Warp doors don't work
8133B18E 00AA

Warp Doors close quickly
8133B174 FFFF

Jump 3x Higher (Must reset ROM)
8125273E 3FFF

I also had a code that made the game crash if you went to the castle grounds the game froze. I deleted the code though. Would you like me to locate the code again? Also, I have two DIFFERENT codes that seem to do the EXACT same thing. They're texture codes. Can someone see what the difference between the codes is?

8133B424 1010

8133B424 9910
yoshiman
Member
Level: 22


Posts: 25/95
EXP: 58039
For next: 311

Since: 12-21-07

From: London, England

Since last post: 9.0 years
Last activity: 9.0 years

Posted on 01-11-08 07:12:26 PM Link | Quote
The only difference between the last 2 codes is the data:

8133B424 1010

8133B424 9910

I.e. the 1010 and 9910.

James S.
Pages: 1 2Next newer thread | Next older thread
Jul - SM64 Hacking (Archive) - Hacking animations New poll - New thread - New reply




Rusted Logic

Acmlmboard - commit 5d36857 [2018-03-03]
©2000-2018 Acmlm, Xkeeper, Inuyasha, et al.

30 database queries, 15 query cache hits.
Query execution time: 0.189923 seconds
Script execution time: 0.032921 seconds
Total render time: 0.222844 seconds
Memory used: 786432