Game Research/Hacking/Modding - Using an Emulator Cheat Search thing.
Rick
Posted on 08-09-16 12:03:54 AM
So this isn't so much of a "teach me to use it" sort of thing as I already know the basics and have a bit of sense on how to do certain easy things like infinite lives/heath/whatever. I even once created a character modifier code out of sheer luck! However, there's still a lot of stuff I struggle with. I'm looking more for a "point in the right direction" sort of thing.

My other problem is probably that the thing I know how to work with is a cheat search on emulators and not really using a hex editor, but well...this is my own fault!

But anyway, sometimes it's like, I try to hack stuff that I -think- is easy, but it turns out it's...not really that much so. Basically, maybe you guys can tell me what I'm doing wrong.

---

The thing I've been trying to do lately is in Final Fight 2. I know there are more enemies when in two player mode than in one player mode no matter what the difficulty, but I also know that if one player dies, the other player continues on for a bit with that same enemy set. My goal is to make a code to have the enemies that show up in 2P games normally show up instead in 1P, making the game more challenging.

Originally I tried looking to see if there was a flag that would set the game from 1P to 2P mode, but I kind of wasn't sure how I could represent that where say, if 00 was 1 Player and 01 was 2 Player...well there's a lot of things where 00 and 01 are on and off values, so I ended up abandoning it.

Then I decided to go into option mode and see if I could exact value search the difficulties according to 00 being Easy, 01 being Normal, 02 being hard, and 03 being expert, but that list got cut short almost immediately. My guess is I should probably either use a greater than search as I change the various difficulty levels to what I want them to be?

I'm not exactly sure how I should find the corresponding "This is a 2P game" flag, or if the difficulty and the 1P-2P adjustment is all in one difficulty setting read by the game. (i.e. 00 = 1P Easy, 01 = 2P Easy, 02 = 1P Normal, etc.)

I guess this begs the question, how would you search for it? Am I on the right search track or off on another one entirely?
SamEarl13
Posted on 08-09-16 05:07:42 AM
Since my PC is currently dead I can't give you any proper help, but it might be useful that instead of searching for specific numbers you make use of Equal and Not Equal with Previous Value (if your emulator has those). If it does, you spam Equal when you're sure it's the same, removing all the constantly changing addresses, and then Not Equal the second you're sure it's changed. What you've tried was definitely the best thing to try first though.

When you say one player dies do you mean run out of lives? An alternative to looking for a mode switch might be to just move the second player but I imagine that'd have problems of its own and would be harder too. Keep trying on your own and if I find the USB stick to fix my PC I'll try doing it for you.
Rick
Posted on 08-09-16 10:04:39 PM
When I say "die", I do mean when they run out of lives and don't continue. I remember way back in the day having the extra added enemies when playing the game with friends continue on like that, which inspired the idea for the code.

So basically, I'll try spamming the equal to thing until nothing happens, then do the not equal after that and see if that changes anything. I should probably spam equal until nothing happens in 1P mode as well?
MooMilk
Posted on 08-10-16 11:52:19 AM
You could try gamehacking.org forums. Sometimes they teach newbies how to cheat search. Might even find the cheat for you.
Rick
Posted on 08-12-16 01:14:38 AM
Originally posted by MooMilk
You could try gamehacking.org forums. Sometimes they teach newbies how to cheat search. Might even find the cheat for you.

True, but I'd rather do it here where I look less like a n00b who's wandered in saying "HAY HACK SOMETHING 4 ME U GUYZ".
Rick
Posted on 08-14-16 10:39:28 PM
Double post update!

So basically I tried doing the above, but after a few game resets, the game wouldn't actually restart on my emulator and I'd lose all the progress that I had searching for the cheat.

divingkataetheweirdo and I kinda talked out trying to see what happens if I make one player lose all their lives and then trying that, but I think it looks like a disassembly of the game is going to be at hand, which I don't know how to do.

Maybe I'm going to have to request this cheat after all. Bleh.
Cuber456
Posted on 08-15-16 12:41:37 AM
Honestly, this is the type of thing that needs a lot of patience and luck to succeed at. That's what makes it suck because you are trying to make sense out of a bunch of nonsense (bits/bytes and asm).

I'll throw in my two cents. Take multiple snapshots/dumps of the running memory and compare different snapshots. For example:

1. Take a snapshot when in 2p mode and both players are alive and the enemy amount is equal to 2p mode
2. Take a snapshot when in 2p mode and only one player is alive and the enemy amount is equal to 1p mode
3. Take a snapshot when in 1p mode

Open up a hex editor that can do comparisons between 2 files (such as Tiny Hexer). Compare #1 and #2 to see all the file differences. Then scan through the changes of each file one by one.

Now you might say, "that's a lot to compare". Yeah, it is. However, we don't care for huge changes in memory. Remember, we are assuming that the enemy amount is controlled with a single byte. If so, we can skip over massive amounts of memory that were altered between the two states. Likewise, if you assume the enemy amount is controlled with byte values 00, 01, 02... then that would narrow your search even more. Take note of whatever interesting changes you find and the address they occur at.

Now start the game again in 1P mode. Open the memory viewer and start screwing with the addresses you took note of. By that I mean, set them to your 2P counterpart and see what happens.

As you can see, this is a lot of trial and error. Do whatever you think is best to achieve your goal.
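Worked example, added here and not part of anyone's post: the equal/not-equal narrowing SamEarl13 describes and the two-dump comparison Cuber456 suggests, run over constructed RAM images. The flag offset, the churning half and the stable half of the image are assumptions of the demo, not dumps from the game.

```python
WRAM_BASE = 0x7E0000   # SNES WRAM is bank $7E; offsets below are relative to it
FLAG_OFS = 0x0004      # constructed: the demo puts the 1P/2P cursor flag at 7E0004

def make_wram(flag: int, frame: int) -> bytes:
    """Constructed 4 KiB RAM image standing in for one emulator snapshot: a mode
    flag, a frame counter, a block of bytes that churn every frame (timers, RNG,
    sprite state) and a large block that never changes."""
    ram = bytearray(0x1000)
    for i in range(0x0800, 0x1000):            # churning half: differs every frame
        ram[i] = (i * 7 + frame * 13) & 0xFF
    ram[0x0010] = frame & 0xFF                 # frame counter
    ram[FLAG_OFS] = flag
    return bytes(ram)

class CheatSearch:
    """Narrow a candidate set with equal / not-equal / exact-value passes, each
    judged against the previous snapshot the way an emulator cheat finder does."""
    def __init__(self, first: bytes):
        self.prev = first
        self.candidates = set(range(len(first)))

    def _pass(self, snap: bytes, keep) -> int:
        self.candidates = {a for a in self.candidates if keep(snap[a], self.prev[a])}
        self.prev = snap
        return len(self.candidates)          # survivors after this pass

    def equal(self, snap: bytes) -> int:     # "spam Equal" while nothing relevant moved
        return self._pass(snap, lambda new, old: new == old)
    def not_equal(self, snap: bytes) -> int: # "Not Equal" right after the change you made
        return self._pass(snap, lambda new, old: new != old)
    def exact(self, snap: bytes, value: int) -> int:  # exact value (00 Easy, 01 Normal...)
        return self._pass(snap, lambda new, old: new == value)

    def addresses(self) -> list:
        return sorted(WRAM_BASE + a for a in self.candidates)

def diff_snapshots(a: bytes, b: bytes, max_value: int = 0x0F) -> dict:
    """Hex-editor style comparison of two dumps: single-byte differences only,
    skipping bytes whose values are not small (the flag is assumed to count 00, 01...)."""
    return {WRAM_BASE + i: (x, y) for i, (x, y) in enumerate(zip(a, b))
            if x != y and x <= max_value and y <= max_value}

def find_mode_flag() -> list:
    """Title screen: leave the cursor on 1P, then move it to 2P, then back to 1P."""
    search = CheatSearch(make_wram(flag=0, frame=0))
    search.equal(make_wram(flag=0, frame=1))       # cursor untouched: churn drops out
    search.not_equal(make_wram(flag=1, frame=2))   # moved to 2P: only changed bytes stay
    search.not_equal(make_wram(flag=0, frame=3))   # moved back to 1P
    return search.addresses()                      # -> [0x7E0004]
```

The one not-equal pass after the cursor move is what throws away the stable half of RAM; without it the equal passes alone leave every never-changing byte as a candidate.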
JLukas
Posted on 08-23-16 02:26:48 AM
A cheat search for equal/not equal on the title screen 1P 2P selection shows that RAM address 7E0004 changes when you move the cursor. It's $00 when the cursor is on 1P mode, and $01 on 2P mode.

Setting a read breakpoint on 7E0004 then pressing Start to proceed to the character select triggers the breakpoint. This would be the ideal spot to turn on trace logging in the debugger.

It breaks on this:

$80/A900 A5 04 LDA $04 [$00:0004]
$80/A902 8D 1F 20 STA $201F [$7E:201F]

The value is copied to 7E201F. Set a read breakpoint on this new address and this shows up:

$80/A9FC AE 1F 20 LDX $201F [$7E:201F] A:0604 X:0005 Y:0000 P:envMXdizC
$80/A9FF D0 02 BNE $02 [$AA03] A:0604 X:0000 Y:0000 P:envMXdiZC
$80/AA01 A9 00 LDA #$00 A:0604 X:0000 Y:0000 P:envMXdiZC
$80/AA03 8F 63 11 00 STA $001163[$00:1163] A:0600 X:0000 Y:0000 P:envMXdiZC

It loads 7E201F into the X register. If it's $00 (ie, 1P mode), a $00 byte is written to 7E1163. If in 2P mode, the lower 8 bits of the accumulator ($04) are stored to 7E1163 instead. This is the RAM address we're after.

At this point, if you began an equal/not equal cheat search on the character select screen this $00 vs. $04 difference would show up. You probably already found this during your searches. The problem is, 7E1163 isn't just an on/off flag, but a gameplay status byte that changes often. Using a Pro Action Replay code (eg, 7E116304) to freeze it would just crash the game or cause other problems.

Monitor this byte during gameplay in the RAM viewer window of the debugger. In 1P mode, it stays at $00, but in 2P mode it starts at $04 when the stage first opens and then increments to $05.

The next step is to find a spot in the game where the enemy layouts are different to experiment with. After Chun Li in the background is a spot where there's 1 drumcan in 1P mode and 2 drumcans in 2P mode. Create a save state for each mode just before that point (where the screen flashes Go waiting for you to walk to the next section), before the drumcan(s) would load.

With the 1P mode save state loaded, type in a value of $05 for 7E1163 into the debugger RAM window (this is a one-time write, not a PAR code that is freezing the RAM address) and walk to the right. It now loads 2 drumcans even though the game was started as 1 player mode. Success! (It should be noted that an equal/not equal cheat search would've also found this difference, too. But again, there's still the issue where the byte changes and therefore requires a non-RAM based cheat solution).

Somewhere in the log between when 7E1163 is read on the character select screen to when the enemies appear on screen is an operation where either $00 or $04 is set. Searching the trace log shows this:

$82/A1EC A5 AB LDA $AB [$00:1163]
$82/A1EE C9 04 CMP #$04
$82/A1F0 B0 19 BCS $19 [$A20B]
$82/A1F2 64 00 STZ $00 [$00:10B8]
$82/A1F4 C9 02 CMP #$02
$82/A1F6 D0 05 BNE $05 [$A1FD]
$82/A1FD C9 03 CMP #$03
$82/A1FF D0 05 BNE $05 [$A206]

$82/A206 20 42 A3 JSR $A342 [$82:A342]

$82/A342 E2 20 SEP #$20
$82/A344 A9 00 LDA #$00 This is it!
$82/A346 85 AB STA $AB [$00:1163]
$82/A348 A9 00 LDA #$00
$82/A34A 85 05 STA $05 [$00:10BD]
$82/A34C 64 06 STZ $06 [$00:10BE]
$80/A34E 60 RTS

The first part is checking to see what 7E1163's status is. If it's 1P mode aka $00 (or another value not covered by those CMP operations - hmm what does $01 do...worth looking into), it skips to $82A206 which then jumps to a subroutine, which, among other things, sets 7E1163 to $00 (the same value it already was, which is a bit confusing)

Use PAR code 82A34505 to change the LDA #$00 to LDA #$05 for the final solution.

PS there's a side effect to this cheat, after losing all lives the game will act like it's in 2P mode and put the small continue screen in the upper left corner, instead of the big countdown screen. This means you can continue at the exact spot instead of restarting at the beginning of the stage. Some further cheats are required for the authentic 1P mode experience. Here's the related programming:

$80/DB47 AF 63 11 00 LDA $001163[$00:1163]
$80/DB4B C9 03 CMP #$03
$80/DB4D B0 04 BCS $04 [$DB53]
$80/DB4F A9 03 LDA #$03
$80/DB51 80 02 BRA $02 [$DB55]
$80/DB53 A9 00 LDA #$00
$80/DB55 60 RTS

In theory, PAR code 80DB4E00 (or 80DB5403) would accomplish this, but the continue screen still depends on 7E1163's status. Instead, use these 2 PAR codes to force it back to $00 1P mode:

80DB4C9C
80DB4AEA

Translates to:

$80/DB47 9C 63 11 STZ $1163[$00:1163]
$80/DB4A EA NOP

This works, because when the stage reloads the programming affected by the 82A34505 PAR code is executed again.

PPS hopefully the formatting for the programming quoted above isn't too garbled, it's been so long I forgot what code tags to use.
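Added example, not JLukas's code or the game's: decoding a Pro Action Replay code into its address and value, applying 82A34505 to a constructed copy of the bytes listed above for the $82/A342 routine, and disassembling with a five-opcode table to show LDA #$00 becoming LDA #$05. The 8-bit accumulator width (so LDA #imm is two bytes) is an assumption taken from the SEP #$20 that opens the routine.

```python
from typing import List, Tuple

# Constructed copy of the bytes listed in the post for $82/A342 through $82/A34E
ROUTINE_ADDR = 0x82A342
ROUTINE = bytes.fromhex("E220A90085ABA9008505640660")

# Minimal 65816 opcode table covering only this routine: (mnemonic, operand bytes, format).
# Assumption: the accumulator is 8-bit (routine starts with SEP #$20), so LDA #imm is 2 bytes.
OPCODES = {
    0xE2: ("SEP", 1, "#${:02X}"),
    0xA9: ("LDA", 1, "#${:02X}"),
    0x85: ("STA", 1, "${:02X}"),     # direct page
    0x64: ("STZ", 1, "${:02X}"),     # direct page
    0x60: ("RTS", 0, ""),
}

def parse_par(code: str) -> Tuple[int, int]:
    """A PAR code is 6 hex digits of CPU address then 2 of value: '82A34505' -> (0x82A345, 0x05)."""
    code = code.strip().upper()
    if len(code) != 8 or any(c not in "0123456789ABCDEF" for c in code):
        raise ValueError(f"malformed PAR code: {code!r}")
    return int(code[:6], 16), int(code[6:], 16)

def apply_par(rom: bytes, base: int, codes: List[str]) -> bytes:
    """Write each code's byte into a copy of the fragment that starts at CPU address base."""
    patched = bytearray(rom)
    for code in codes:
        addr, value = parse_par(code)
        off = addr - base
        if not 0 <= off < len(patched):
            raise ValueError(f"{code}: address ${addr:06X} is outside the fragment")
        patched[off] = value
    return bytes(patched)

def disassemble(rom: bytes, base: int) -> List[str]:
    """Linear disassembly in the '$bank/addr MNEMONIC operand' style used in the thread."""
    lines, pc = [], 0
    while pc < len(rom):
        mnem, n, fmt = OPCODES[rom[pc]]            # KeyError for opcodes outside the table
        operand = int.from_bytes(rom[pc + 1:pc + 1 + n], "little") if n else None
        text = mnem if n == 0 else f"{mnem} {fmt.format(operand)}"
        addr = base + pc
        lines.append(f"${addr >> 16:02X}/{addr & 0xFFFF:04X} {text}")
        pc += 1 + n
    return lines

def patched_lda() -> str:
    """Apply 82A34505 and return the instruction at $82/A344 (LDA #$00 -> LDA #$05)."""
    patched = apply_par(ROUTINE, ROUTINE_ADDR, ["82A34505"])
    return disassemble(patched, ROUTINE_ADDR)[1]   # -> '$82/A344 LDA #$05'
```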
Rick
Posted on 08-23-16 11:30:21 PM
Holy wowza, I did NOT expect this cheat to be such a difficult thing to make happen. o____o

I appreciate you guys taking the time out to give me some incredibly sound advice for this. Thank you so much, especially Cuber and JLukas!