Jul - Posts by yoshiman
yoshiman
Member
Level: 23


Posts: 81/95
EXP: 67067
For next: 656

Since: 12-21-07

From: London, England

Since last post: 13.2 years
Last activity: 12.9 years

Posted on 06-13-08 12:08:57 AM, in Why a Peach 64 hack is not impossible, but would require a lot of work!
I have done some tests using a hex editor and the expanded NTSC ROM. But when I changed the Load Mario command gfx ID from 0x01 to 0xDE Mario becomes invisible instead of using Peach's graphics. This isn't the route I want to go down but could anyone explain why this happens even though I patched Peach's geo layout so that she's never transparent (and used a code to test that changes a signpost's graphics to Peach's)?

____________________
James S.

We English do things a little differently...Anyone for a cup of tea while we hack?!

Posted on 06-13-08 10:59:28 PM, in Why a Peach 64 hack is not impossible, but would require a lot of work!
In the Peach geo layout:

0018097C/043C: 02 01 00 00 0C 00 00 98
--Jump to: 00823BFC/0098
00180984/0444: 02 01 00 00 0C 00 02 54
--Jump to: 00823DB8/0254

I changed them so that they both jumped to the same place, assuming that one model could be seen and the other used transparency. It worked since my code to swap a signpost's graphics to Peach could be done without altering the transparency variable in the signpost object.

But when I changed the load Mario command to use gfx ID 0xDE (Peach) he wasn't visible at all, not even an outline like you get with completely transparent models.

____________________
James S.

We English do things a little differently...Anyone for a cup of tea while we hack?!

Posted on 07-04-08 10:19:57 PM, in ASM hacking
There seem to be at least 2 spawn object functions; a simpler version requires the GFX ID and segment/offset behaviour as well as a pointer to the object whose behaviour spawned the new object. This pointer could be used for many purposes but for one it is used to look up the position of the parent object in order to place the starting point for the child object.

Using Nemu, you can trace back or at least take note of return addresses in order to find functions that call another. A trick I've used is to spawn an object (such as a leaf), search for its graphics which will lead to the actual object. Looking at the object in the RAM it will have its behaviour pointers and I can also find its GFX ID anyway. Then you can calculate the segment/offset and search for that, thus leading to the function(s) that spawn an object with that behaviour.

____________________
James S.

We English do things a little differently...Anyone for a cup of tea while we hack?!

Posted on 07-06-08 11:25:55 PM, in ASM hacking
I know more of the PAL addresses but I'm making more of an effort to add NTSC functions to my list. Before an offset type of instruction is used a base address is loaded, but remember that if the offset is 0x8000 or higher then it will behave as a minus value.

For e.g., (PAL)

LUI T0,0x8033
LW T0,0xED90(T0)

The word will be loaded from address 0x8032ED90 not 0x8033ED90.

You can test functions by writing your own mini program and including them; this is what I have been doing with my more advanced codes such as spawn 1ups.

____________________
James S.

We English do things a little differently...Anyone for a cup of tea while we hack?!
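
The sign-extension rule from the post above, as an added example that is not part of the original post: it computes the address a LUI plus 16-bit offset pair really reaches, and goes the other way to find the LUI immediate needed for a known address. The function names are hypothetical, and the second pair in the demo is constructed.

```python
def sign_extend16(imm):
    """Value the CPU actually adds for a 16-bit immediate (two's complement)."""
    imm &= 0xFFFF
    return imm - 0x10000 if imm & 0x8000 else imm


def effective_address(lui_imm, offset):
    """Address reached by LUI reg,lui_imm then LW/SW/ADDIU with `offset`."""
    return ((lui_imm << 16) + sign_extend16(offset)) & 0xFFFFFFFF


def lui_ori(lui_imm, ori_imm):
    """ORI zero-extends its immediate, so the two halves simply concatenate."""
    return ((lui_imm << 16) | (ori_imm & 0xFFFF)) & 0xFFFFFFFF


def split_hi_lo(address):
    """Inverse of effective_address: the LUI immediate and offset for `address`.

    If the low half is 0x8000 or more it will be subtracted, so the LUI
    immediate has to be one higher than the address's real upper half.
    """
    lo = address & 0xFFFF
    hi = ((address >> 16) + (1 if lo & 0x8000 else 0)) & 0xFFFF
    return hi, lo


if __name__ == "__main__":
    # PAL pair from the post, then a constructed pair with a small offset.
    for hi, lo in ((0x8033, 0xED90), (0x8033, 0x1234)):
        print(f"LUI 0x{hi:04X} / offset 0x{lo:04X} -> 0x{effective_address(hi, lo):08X}")
    # Going the other way when writing your own code for a known address.
    hi, lo = split_hi_lo(0x8032ED90)
    print(f"0x8032ED90 needs LUI 0x{hi:04X}, offset 0x{lo:04X}")
```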

Posted on 07-08-08 08:25:55 PM, in ASM hacking
Don't worry too much about the stack unless you plan to make major changes or write your own programs. For example, with a code of mine that spawned an object at Mario's position, I saved RA (the return address) on the stack before calling the spawn function since the RA would be changed by the function that's called. After the function the return address is retrieved from the stack.

Speaking of functions, don't forget that the MIPS processor has a delay slot with a lot of its instructions that feature branches or jumps; this is something that Nemu will remind you of. You might have:

jal xxxxxxxx
lui a0, 0xC84A

So, the lui instruction would be executed before the jump. With coding that calls a spawn function you will often see the behaviour or graphic ID loaded into a register using an instruction after the function call, which is executed before the call.

____________________
James S.

We English do things a little differently...Anyone for a cup of tea while we hack?!

Posted on 07-08-08 08:36:59 PM, in Behaviour Scripts
It's good that my videos have been so helpful. The way I often find object behaviours and graphic IDs is to find the object or spawn it and then I can look at the behaviour pointers in its object structure. Knowing the start of the behaviour script segment it's simple to work out the segment/offset value. This value can then be searched for and will either be found in the coding or in a look up table (e.g., an item box).

As for the graphic ID, that uses a look up table so you just need to search for the graphic pointer value in the RAM, subtract it from the start of the table and divide it by four (as the pointers are 4 bytes long). For non-common graphic objects this has to be done in the levels that have those graphics loaded.

____________________
James S.

We English do things a little differently...Anyone for a cup of tea while we hack?!

Posted on 07-09-08 08:15:37 PM, in ASM hacking
What you have to remember about the delay slot is that the instruction following the jump or branch will be executed whether the call is made or not. So the only time a NOP should follow a jump or branch is if there is no instruction to be executed before the call that is also to be executed after the call. If you ask me, having these extra NOPs that are actually wasting space is annoying but necessary.

As for the table you showed, is that specific to the N64? The MIPS processors were used in other consoles and devices. There's no harm in looking at a function you want to call to see if it modifies certain registers; if it does, typically at the beginning of the function it will save them to the stack before altering them.

____________________
James S.

We English do things a little differently...Anyone for a cup of tea while we hack?!

Posted on 08-19-08 10:04:44 PM, in Stuff inside the checksum protected area (Title Screen, etc.)
For my camera on any object code I replaced the function call that normally updates the camera with my own function. For NTSC, NOP the function call at 0x80254318 and when the game starts the camera will be near the moat. Now you'll be able to modify the camera's position using the camera position variables which are floats:

0x8033C524
0x8033C528
0x8033C52C

The now disabled function normally copies the camera position from another set of variables to the ones above.

____________________
James S.

We English do things a little differently...Anyone for a cup of tea while we hack?!

Posted on 08-20-08 01:11:07 PM, in Stuff inside the checksum protected area (Title Screen, etc.)
You could patch the function that updates the camera so that only two (e.g. X and Y) values are updated if that's what you mean. That can be done with Gameshark codes, otherwise it means writing a new camera update function.

____________________
James S.

We English do things a little differently...Anyone for a cup of tea while we hack?!

Posted on 01-26-09 05:02:36 PM, in Behaviour Scripts
Sorry, this is off topic to what you were previously talking about but VL-TONE asked me to have a look at an invisible object in the waterfall outside the castle. The object he mentioned is actually hidden in the waterfall area even when using my code to see the invisible objects; there are two other invisible objects at the top and middle of the waterfall that you can use when using my code.

The object that VL-TONE wanted to know about which has the behaviour 0x13003C90 is used by the object at 0x80349748 outside the castle for the NTSC game. Its only purpose is to call the function 0x802F0950, which thanks to Nemu I can show you:

802F0950: ADDIU SP, SP, 0xFFE8
802F0954: SW RA, 0x0014 (SP)
802F0958: LUI T6, 0x8034
802F095C: LW T6, 0xCBD0 (T6)
802F0960: ADDIU AT, R0, 0x0003
802F0964: LBU T7, 0x0000 (T6)
802F0968: BNE T7, AT, 0x802F0978
802F096C: NOP
802F0970: BEQ R0, R0, 0x802F0994
802F0974: NOP
802F0978: LUI A0, 0x6010
802F097C: LUI A1, 0x8033
802F0980: ADDIU A1, A1, 0x31F0
802F0984: JAL 0x8031EB00 play_sound2
802F0988: ORI A0, A0, 0x4001
802F098C: BEQ R0, R0, 0x802F0994
802F0990: NOP
802F0994: LW RA, 0x0014 (SP)
802F0998: ADDIU SP, SP, 0x0018
802F099C: JR RA
802F09A0: NOP

Using my naming of the functions, the behaviour function calls the play_sound2 function which is used, for example, to play the pause sound. So, this behaviour plays a sound whenever you go outside the castle, except that the sound seems to be blank, or at least it is when I transfer the sound values (0x60104001) to the pause coding.

The value 0x10 is loaded from a pointer; I don't know its purpose or why it plays the sound unless it's equal to 0x03. If you want proof that the waterfall object does play a sound when you go outside the castle, this Gameshark code changes the sound to that of the pause sound effect. It's for the NTSC version; turn the code on before the title screen appears. You'll hear the sound when outside the castle and if you go inside and out again.

812F097A 7002
812F098A FF81

Why would this invisible object need to be placed in the waterfall? I don't think the sound function is capable of 3D sound so it can't be to do with position. The pointer that the sound function needs seems to be to do with sound related variables.

____________________
James S.

We English do things a little differently...Anyone for a cup of tea while we hack?!

Posted on 01-27-09 11:14:45 AM, in Behaviour Scripts (last edited by yoshiman at 01-27-09 01:01 PM)
Thanks VL-TONE, I'm here to help. I had a look at another invisible object outside the castle, the one that is near the tree with the 1-up. I've only just looked at the coding, the object has behaviour 13003C7C and it too plays a sound or initializes something to do with sound when you go outside the castle. But this object checks the value at offset 0x144 in the object structure to see what sound is played although the one I tried was blank.

I had a look at the invisible objects in the tree you get a 1-up mushroom from outside the castle. The invisible object at the top of the tree spawns the 1-up in advance and the invisible object near to the top of the tree. When Mario climbs the tree he touches and removes the object which writes 1 to offset 0xF4 in the 1-up object. As Mario does a handstand he touches and removes the second invisible object which writes 2 to offset 0xF4 in the 1-up object, activating it. It seems the need for the first invisible object is to make sure that Mario climbed the tree.

____________________
James S.

We English do things a little differently...Anyone for a cup of tea while we hack?!

Posted on 02-11-09 11:34:31 AM, in ASM hacking
Here's what I know so far about what happens when Mario runs up a slope. As Mario goes up the slope, the value at 8033B3BC (16-bit) increases, but is zero when he is not moving. However, the value does not lean Mario's body forward when still, only when running.

This value ends up in Mario's graphics structure (geo layout) by a function call (80277294) from Mario's graphics structure.

8027737C LH T5, 0X000C(T4) T5=(8033B3BC)
80277380 SH T5, 0X001C(T6) (800F47C4)=T5

There is also a value at 8033B3BE (16-bit) which seems to turn Mario's body.

____________________
James S.

We English do things a little differently...Anyone for a cup of tea while we hack?!

Posted on 02-12-09 06:35:34 PM, in ASM hacking
Don't forget that only the middle of the three functions in the Mario behaviour script is actually the Mario behaviour, the other two are for the second debug display and the spawn debug mode.

Thanks messiaen, I'm going to have to compare that with what I have for PAL (UK).

Here is what I know of just a few of the functions called from the uncompressed Mario geo layout:

800F09F8 802773A4 Remove this pointer and Mario's head doesn't turn when looking around with Camera-up.

800F0A54 802771BC Remove this pointer and Mario doesn't blink, it seems to only affect when he is not moving.

____________________
James S.

We English do things a little differently...Anyone for a cup of tea while we hack?!

Posted on 02-19-09 12:15:57 PM, in Hacking animations
A code I did recently swapped Mario's long jump for the cannon 'jump':

NTSC

81336C82 FF78

Which alters Mario's long jump action pointer:

80336C80 8026FE9C->8026FF78

Note that there are a lot of pointers to 802700E0, like at address 80336C84, which is no action. Could they be used to add more actions/animations if the coding was added?

____________________
James S.

We English do things a little differently...Anyone for a cup of tea while we hack?!
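
As an added example (not part of the original posts), this sketch applies the 16-bit Gameshark codes quoted in this post and in the earlier waterfall-sound post to a small model of RAM, showing that each one overwrites only the lower half of a 32-bit word. The handling of code types (0x80 for 8-bit writes, 0x81 for 16-bit writes), the `Ram` helper and the two instruction encodings are assumptions of the example.

```python
import struct


def parse_gameshark(line):
    """Split 'TTAAAAAA VVVV' into (write size in bytes, RAM address, value)."""
    addr_part, value_part = line.split()
    raw, value = int(addr_part, 16), int(value_part, 16)
    code_type = raw >> 24
    if code_type not in (0x80, 0x81):      # 0x80 = 8-bit write, 0x81 = 16-bit write
        raise ValueError(f"unsupported code type {code_type:#04x}")
    size = 2 if code_type == 0x81 else 1
    address = 0x80000000 | (raw & 0x00FFFFFF)
    if address % size:
        raise ValueError("16-bit write must be halfword aligned")
    return size, address, value & (0xFFFF if size == 2 else 0xFF)


class Ram:
    """Sparse big-endian memory holding only the words being patched."""

    def __init__(self, words):
        self.mem = {}
        for addr, word in words.items():
            for i, byte in enumerate(struct.pack(">I", word)):
                self.mem[addr + i] = byte

    def word(self, addr):
        return struct.unpack(">I", bytes(self.mem[addr + i] for i in range(4)))[0]

    def apply(self, line):
        """Apply one code; return the address of the 32-bit word it landed in."""
        size, address, value = parse_gameshark(line)
        for i, byte in enumerate(value.to_bytes(size, "big")):
            self.mem[address + i] = byte
        return address & ~3


def demo():
    # Values from the posts; the two instruction words are encoded here from
    # the posted mnemonics (LUI A0,0x6010 and ORI A0,A0,0x4001).
    ram = Ram({0x802F0978: 0x3C046010, 0x802F0988: 0x34844001,
               0x80336C80: 0x8026FE9C})
    for code in ("812F097A 7002", "812F098A FF81", "81336C82 FF78"):
        ram.apply(code)
    sound = ((ram.word(0x802F0978) & 0xFFFF) << 16) | (ram.word(0x802F0988) & 0xFFFF)
    return sound, ram.word(0x80336C80)


if __name__ == "__main__":
    sound, pointer = demo()
    print(f"play_sound2 argument: {sound:#010x}, long jump pointer: {pointer:#010x}")
```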

Posted on 02-20-09 02:15:39 PM, in Behaviour Scripts
I have done a code which spawns ten yellow coins and a single blue coin instead of the water bomb in Bob-omb Battlefield. What is strange is that for every water bomb two objects are spawned which are the water bomb and its shadow (which in my code I swapped for yellow and blue coins):

NTSC

80306174 LUI T2, 0x1300
80306178 ADDIU T2, T2, 0x4BA8 Water bomb behaviour
8030617C ADDIU T0, R0, 0x0054 Water bomb GFX ID

80306254 LUI A2, 0x1300
80306258 ADDIU A2, A2, 0x4BD4 Water bomb shadow behaviour
80306264 ADDIU A1, R0, 0x0055 Water bomb shadow GFX ID

At first I thought it was to do with the shadow size needing to change on just one axis but that's not possible. Can anyone think of why the shadow is separate?

____________________
James S.

We English do things a little differently...Anyone for a cup of tea while we hack?!