https://wiki.gamehacking.org/api.php?action=feedcontributions&feedformat=atom&user=UgetabWiki - GameHacking.org - User contributions [en]2026-06-14T02:24:26ZUser contributionsMediaWiki 1.41.1https://wiki.gamehacking.org/index.php?title=Assembly_Hacking&diff=4474Assembly Hacking2010-04-18T02:15:07Z<p>Ugetab: /* FCEU */ NSF program suggestion changed</p>
<hr />
<div>Assembly hacking is the art of editing a compiled program. Without the source code, and without notes from the source code, one has to deduce almost everything about the underlying code, and how it works with RAM.<br />
<br />
There are several emulators that can aid one in creating a modification for a game. Games for console systems fall into the category of compiled programs, and generally, the source code is unavailable for these games.<br />
<br />
The use of making an assembly hack for a game can be found with the Nintendo Entertainment System (NES) [[Game Genie]].<br />
<br />
The codes that are entered into an NES Game Genie represent single-byte assembly hacks. Any assembly hack that could be done with a change of 3 bytes or less is possible to implement with a single Game Genie. The SNES Game Genie allows up to 5 codes, and 5 bytes of change. While this makes the possible usage of codes very limiting, it didn't prevent single-byte invincibility and infinite lives codes from appearing that could make it unnecessary to use additional codes.<br />
<br />
For more modern assembly hacking of the same systems, emulators that support 50 or more codes for any given game aren't uncommon. The ROMs have been turned into files that can be patched with all the changes needed to give the game a script in a new language. Emulators that aid in the process of making assembly hacks have appeared for many different emulated systems. The effect is that more people are now capable of starting their own projects, and existing projects can be modified and/or repaired more easily.<br />
<br />
=Emulators=<br />
<br />
==NES==<br />
===FCEU===<br />
[http://fceux.com FCEUX] is the most up-to-date version of the FCEU* line of builds. It has taken several lines of FCEU offshoots and combined them into a single application. Even I(ugetab) have had the opportunity to contribute code, changes and fixes to it. If you were having trouble with any games while using FCEUXDSP, you can try FCEUX. If FCEUX has trouble with games, you can report the issue and, if someone gets interested in fixing it, you may end up seeing it repaired. It is currently compatible with FCEUXDSP's debugger files. If you want to use FCEUXDSP, see below.<br />
<br />
[http://www.the-interweb.com/serendipity/index.php?/categories/9-FCEUXD-SP FCEUXDSP] is the result of an emulator first developed by Parasyte called FCEUD, which was then picked up by bbitmaster and renamed to FCEUXD, and finally adopted as FCEUXD SP.<br />
<br />
====Setting breakpoints in ROM/RAM====<br />
Tools>Debug<br />
<br />
In the breakpoint window, 'Add' the Executable address or Memory address you want.<br><br />
ROM is 8000-FFFF<br><br />
RAM is 0000-07FF, 6000-7FFF<br><br />
0800-3FFF is mirrored from some part of RAM.<br><br />
4000-4015 can be breakpointed if working on an NSF. If you want to use this to deal with NSFs, FCEUX is currently the best option.<br />
<br />
'Hex Editor' is a memory viewer/modifier.<br />
<br />
==SNES==<br />
===Geiger's SNES9X Debugger===<br />
This emulator can be found at [http://geigercount.net/crypt/ Geiger's Crypt] and [http://www.zophar.net/snes/geiger-s-snes9x-debugger.html Zophar's Domain - Geiger’s Snes9x Debugger].<br />
<br />
====Setting breakpoints in ROM/RAM====<br />
Open ROM, Click 'Breakpoints'<br><br />
In the breakpoint window, enter the Executable address or Memory address you want.<br><br />
Standard RAM: 7E0000 - 7FFFFF<br><br />
SA1 RAM: 400000-407FFF, 303000-303FFF<br><br />
HiROM - C00000 - FFFFFF<br><br />
LoROM - 808000-BFFFFF (**0000 - **7FFF doesn't exist)<br />
<br />
If you use the [[SA1]] logger with an SA1-using game, and wish to find an address that changed an address in RAM, you can see if the conversion chart on the [[SA1]] page shows you the address to search for in the log file.<br />
<br />
===FuSoYa's SNES9X SuperFX Instruction Logger===<br />
This emulator can be found [http://www.gshi.org/downloads/snes9x1.43-FuSoYa-SFX_B2.zip here].<br />
<br />
This emulator allows you to log SuperFX instructions being used by the emulator.<br />
<br />
Press the NumLock button to start/stop logging.<br />
<br />
Instructions will be logged to sfx_trace.txt, in the folder with the emulator.<br />
<br />
Here's an example on how to interpret the results:<br><br />
00:e834 40 ldw (r0) r0=$0058 SRAM=00:5AAE<br><br />
00:e835 64 sub r4 r0=$0055 CY=1<br />
<br />
First line Loads Word (SRAM=00:5AAE) to (r0). In Geiger's SNES9X Debugger, this is address 705AAE in the RAM viewer. In ZSNES, you can find this in a save-state at 0x4127F + 0x5AAE (= 0x46D2D). The result of this operation is on the same line.<br />
<br />
Second line subtracts (r4) from (r0). This next result is on the same line as well. This can be coded out to give you Infinite Health in Doom, but it won't work as a Game Genie code. The file address would be either 6835 or 6A35. Only one address of those 2 will be 0x64.<br />
<br />
==Genesis==<br />
<br />
===Regen Debugger Build===<br />
This emulator can be found [http://aamirm.hacking-cult.org/ here]<br />
<br />
Backup: [http://www.gshi.org/downloads/Regen095D.zip Regen 0.95 Debugger]<br />
<br />
If you've used FCEUXDSP, Geiger's Snes9x, BGB, Nemu08, pSX, or pretty much any other active debugger, you'll realize that this is along the same lines of those debuggers. This is certainly what Genesis hackers have been waiting for when it comes to a user friendly debugger.<br />
<br />
It runs Genesis, Game Gear, and SMS files, but only debugs Genesis at the moment. Use [[#Emukon]] if you want to hack Game Gear or SMS.<br />
<br />
===Gens Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/337/ here].<br />
<br />
No breakpoints, but adequate tracing. A guide has been written on the specific usage of the emulator.<br />
<br />
The idea is that you can trace-log writes to and reads from memory, and you can also log all commands, and determine what's happening from the full log, by using what you find from the hook logging.<br />
<br />
===HazeMD===<br />
This emulator can be found at [http://haze.mameworld.info/ this address].<br />
<br />
This emulator is harder to get setup to use a ROM, but comes with a MAME-style debugger. MAME's debugger is well known for being so powerful, considering the number of systems it can be used with when compiled into a build of MAME. The Gens tracer tends to have slightly better compatibility, while the HazeMD emulator has more potential for cheat codes, already having a Cheat system designed to handle multiple CPUs, which could be used for 32x game ROM hacks, and RAM hacks.<br />
<br />
==Gameboy==<br />
===BGB===<br />
This emulator can be found [http://bgb.bircd.org/ here]<br />
<br />
Load a ROM, and right-click the screen.<br><br />
Other>debug mode enabled: to enable debugging<br><br />
Other>debugger to enter the debugger<br><br />
<br />
Setting breakpoints in ROM/RAM<br><br />
In the debugger window:<br><br />
Debug>breakpoints for execution breakpoints<br><br />
Debug>access breakpoints for read/write breaks.<br><br />
<br />
===Visual Boy Advance Tracer===<br />
See [[#Visual_Boy_Advance_Tracer_2]]<br />
<br />
==PC Engine / Turbo-Grafx 16==<br />
===Mednafen===<br />
This emulator can be found [http://mednafen.sourceforge.net/ here]<br />
<br />
Esc = Exit Mednafen (Careful about it)<br />
<br />
To use F12 to quit, and not the ESC key, edit this in mednafen.cfg:<br><br />
----<br />
";Exit"<br><br />
"command.exit keyboard 293~keyboard 27"<br><br />
----<br />
To this:<br><br />
----<br />
";Exit"<br><br />
"command.exit keyboard 293"<br><br />
----<br />
<br />
F5 = Save State<br><br />
F7 = Load State<br><br />
0-9 = Select Save Slot<br />
<br />
F10 = Reset<br><br />
F11 = Hard Reset (Power Switch style)<br />
<br />
Alt + D = Toggle Debugger<br />
<br />
In Debugger:<br><br />
Alt+1 = CPU debugger view<br><br />
Alt+3 = Memory editor<br><br />
R = Run<br><br />
S = Step<br><br />
Return = Goto Address(If on code)/Edit(If on register) (Type new values after original, press enter. Quicker.)<br><br />
Space = Set/Unset Execution Breakpoint<br><br />
Shift + Return = Edit watch address<br><br />
Shift + R = Edit Read Breakpoints<br><br />
Shift + W = Edit write breakpoints<br><br />
Shift + O = Opcode Breakpoints (Enter EA for "NOP", etc. Use 6502 ASM table mainly)<br />
<br />
See included Debugger.html file for complete command list<br />
<br />
==Game Gear==<br />
===Emukon===<br />
This emulator can be found [http://emukon.kontechs.de/ here].<br />
<br />
Backup: [http://www.gshi.org/downloads/Emukon105.zip Emukon 1.05]<br />
<br />
This is basically a friendlier style of Logging Debugger the way I tend to use it, with Breakpoints to help figure out how code you find operates. I've used it to at least as much success as I've used the Hook_log debuggers, only this was more boring because I didn't have to fight with the emulator as much.<br />
<br />
You can use a combination of Breakpoints and Log Files to debug games.<br />
<br />
Breakpoints have their own management window, or you can right click lines in the debugger.<br />
<br />
To use the log files effectively, you should focus on a single byte with a known effect, get to about where the setting you're looking for will change, go to the Debugger > Debugger menu, enable it if needed, then click the Clear Log button if you want a fresh start, and the Log button to start logging. Get the thing changed that you want, and then look under the DebugLogs folder for the game you're working on, and search the text logs for the address you want to check, whether it's the execution address by some chance or the memory address. Breakpoints and Logging work well together to discover the execution path to a piece of code.<br />
<br />
It's not as exceedingly simple as some other debuggers, but it's quite useful, and it's my first choice for hacking Game Gear as well as SMS.<br />
<br />
==Master System==<br />
===Emukon===<br />
See Game Gear section: [[#Emukon]]<br />
<br />
==Gameboy Advance==<br />
===Visual Boy Advance Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/340/ here].<br />
<br />
This emulator uses the Hook Log system. Those familiar with the hook_log Genesis or N64 emulators should have little trouble adapting to this system.<br />
<br />
Note that it has also been used to good effect for a small number of gameboy games that BGB doesn't support. [[Ugetab]] used this for GBS ripping, but with full code logging, and a save-state near when something changes, you could just as effectively search for a memory address in trace.log. Mind that while GB assembly doesn't pile up as quickly as GBA or N64, and it is still necessary to be relatively close to the change before activating logging, if you don't want to have to use a special text editor to open an enormous log file. <br />
<br />
===Visual Boy Advance===<br />
This emulator can be found at [http://vba.ngemu.com/downloads.shtml this address].<br />
<br />
Windows - SDL is required. Unfortunately, no cheat device exists that can change the assembly, so hacking it is more a matter of patching the ROM, and less a matter of using it for simple cheats. Not documented.<br />
<br />
==Playstation==<br />
===PCSX 1.5 With Debugger===<br />
This emulator is available [http://www.romhacking.net/utils/267/ here].<br />
<br />
Press F11 to enter the debugger. On-screen aids should be apparent.<br />
<br />
===PSX===<br />
This emulator can be found at [http://www.romhacking.net/utils/311/ this address].<br />
<br />
This can be a decent debugging alternative if a game doesn't work well in the above emulator.<br />
<br />
===PCSX Agemo debugger===<br />
This emulator can be found [http://www.romhacking.net/utils/475/ here].<br />
<br />
It could be favorable for some tasks, compared to the other debuggers.<br />
<br />
==N64==<br />
===Nemu64===<br />
This emulator can be found [http://www.emulator-zone.com/doc.php/n64/nemu64.html here]<br />
<br />
Setting execution breakpoints<br><br />
Plugins>Debugger: Commands...<br><br />
To set a break on execution, go to the line that you want to break on, and click in the vertical bar to the left(<) of the address you want to breakpoint.<br />
<br />
Setting breakpoints in RAM<br><br />
Plugins>Debugger: Memory...<br><br />
Enable the read and/or write check boxes, and right-click the memory space you want to set, unset, or change an access breakpoint on.<br />
<br />
Some games don't run in Nemu, so you may have to switch to this hook_log based emulator if you want the codes. The 1964 tracer can be useful, which is available [http://www.romhacking.net/utils/335/ here].<br />
<br />
The hook_log system is a little bit more demanding to use than a visual debugger, but with compatibility issues, it's better than lucky to have a second usable debugging emulator. The save-states can be decompressed, and loaded in their decompressed form if needed<br />
<br />
An issue with this emulator is that not all instructions are logged, but it's still worth knowing about for the fact that many instructions are logged, and it can be used with write logging.<br />
<br />
===Project64 debug build binary===<br />
This emulator can be found [http://www.thegshi.org/downloads/Project64%20Build%2052%20Debug%20Binary.zip here].<br />
<br />
This version of the emulator has better support for games than Nemu64, and Ugetab used this tool in combination with nemu64 to edit USFs, as well as make a few codes that people using only a single emulation tool were having extremely hard struggles with.<br />
<br />
==Saturn==<br />
===Yabause===<br />
This emulator can be found [http://www.romhacking.net/utils/482/ here].<br />
<br />
This is one of the few Saturn emulators out there.<br />
<br />
==Wonder Swan==<br />
===Cygne Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/244/ here].<br />
<br />
A decent Tracing program.<br />
<br />
===Oswan Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/338/ here].<br />
<br />
This is just another hook-log tracer.<br />
<br />
==Playstation 2==<br />
[The current author is too lazy to write this, but will get around to it later if no one else does]<br />
<br />
[[Category:Hacking and Game Info]]</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=SA1&diff=4473SA12010-03-25T05:34:59Z<p>Ugetab: Added a new mapping possibility to 'Memory Mapping Comparison'</p>
<hr />
<div>== Overview ==<br />
The SNES SA1 chip is an expansion chip added to an SNES cart that both contains a portion of the game's coding, and executes that portion of code to affect normal SNES RAM, and the additional RAM accessed primarily by the SA1 chip programming. The additional RAM is also accessible by the SNES CPU's instructions.<br />
<br />
There is no current information concerning hardware-based tests with Game Genie codes that change portions of ROM residing within the SA1.<br />
<br />
== Memory Mapping Comparison ==<br />
Region 30:0000 - 30:3FFF is SA1 related due to the fact that some RAM is 00 mapped for SA1-using games:<br />
<br />
Writes from the SNES CPU to 00:0000 - 00:3FFF region to change a mirrored region at 30:0000 - 30:3FFF region<br />
<br />
00:0000 - 00:3FFF<br><br />
30:0000 - 30:3FFF<br />
<br />
SA1 code such as "STA $DE" can access address 00:30DE, and show up in the log file as a line like...<br><br />
$C2:D286 85 DE . STA $DE . [$00:00DE]<br />
<br />
The above may not always hold true, but it should be known that not all addresses will appear exactly as expected.<br><br />
<br />
SA1 Address:<br />
Reads/Writes to these addresses from the SA1 CPU translate to the below CPU-accessible addresses in SNES memory<br><br />
00:4000 - 00:7FFF<br><br />
CPU Address:<br><br />
40:0000 - 40:3FFF<br><br />
<br />
Jikkyuu Oshaberi Parodius has the following in the SNES native CPU as well:<br><br />
00:676C writes going to 40:076C<br><br />
<br />
SA1 Address Testing:<br><br />
If you wish to test writes made by the SA1 to memory, and see what area is changed, you can use the following code with Super Mario RPG (US), while in a 3D stage. You should fall through the ground, and be unaligned with the map, but have the value FE written to the address you chose.<br />
<br />
Test SA1 Memory Writes (2 byte addresses, 0xFE written)<br><br />
C9C374A9<br><br />
C9C375FE<br><br />
C9C378FF<br><br />
C9C3793F<br />
<br />
Load value 0x00FE to write(could be made to load a 2-byte value)<br><br />
C9C374A9<br><br />
C9C375FE<br />
<br />
Address to write to(Writes to 3FFF with these values)<br><br />
C9C378FF<br><br />
C9C3793F<br />
<br />
[[Category:Hacking and Game Info]]</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Assembly_Hacking&diff=4435Assembly Hacking2010-02-02T20:30:57Z<p>Ugetab: /* FCEU */ Added a link and notes on FCEUX</p>
<hr />
<div>Assembly hacking is the art of editing a compiled program. Without the source code, and without notes from the source code, one has to deduce almost everything about the underlying code, and how it works with RAM.<br />
<br />
There are several emulators that can aid one in creating a modification for a game. Games for console systems fall into the category of compiled programs, and generally, the source code is unavailable for these games.<br />
<br />
The use of making an assembly hack for a game can be found with the Nintendo Entertainment System (NES) [[Game Genie]].<br />
<br />
The codes that are entered into an NES Game Genie represent single-byte assembly hacks. Any assembly hack that could be done with a change of 3 bytes or less is possible to implement with a single Game Genie. The SNES Game Genie allows up to 5 codes, and 5 bytes of change. While this makes the possible usage of codes very limiting, it didn't prevent single-byte invincibility and infinite lives codes from appearing that could make it unnecessary to use additional codes.<br />
<br />
For more modern assembly hacking of the same systems, emulators that support 50 or more codes for any given game aren't uncommon. The ROMs have been turned into files that can be patched with all the changes needed to give the game a script in a new language. Emulators that aid in the process of making assembly hacks have appeared for many different emulated systems. The effect is that more people are now capable of starting their own projects, and existing projects can be modified and/or repaired more easily.<br />
<br />
=Emulators=<br />
<br />
==NES==<br />
===FCEU===<br />
[http://fceux.com FCEUX] is the most up-to-date version of the FCEU* line of builds. It has taken several lines of FCEU offshoots and combined them into a single application. Even I(ugetab) have had the opportunity to contribute code, changes and fixes to it. If you were having trouble with any games while using FCEUXDSP, you can try FCEUX. If FCEUX has trouble with games, you can report the issue and, if someone gets interested in fixing it, you may end up seeing it repaired. It is currently compatible with FCEUXDSP's debugger files. If you want to use FCEUXDSP, see below.<br />
<br />
[http://www.the-interweb.com/serendipity/index.php?/categories/9-FCEUXD-SP FCEUXDSP] is the result of an emulator first developed by Parasyte called FCEUD, which was then picked up by bbitmaster and renamed to FCEUXD, and finally adopted as FCEUXD SP.<br />
<br />
====Setting breakpoints in ROM/RAM====<br />
Tools>Debug<br />
<br />
In the breakpoint window, 'Add' the Executable address or Memory address you want.<br><br />
ROM is 8000-FFFF<br><br />
RAM is 0000-07FF, 6000-7FFF<br><br />
0800-3FFF is mirrored from some part of RAM.<br><br />
4000-4015 can be breakpointed if working on an NSF. If you want to use this to deal with NSFs, try Ugetabs [http://www.angelfire.com/nc/ugetab edited version], which tends to play nicer with them<br />
<br />
'Hex Editor' is a memory viewer/modifier.<br />
<br />
==SNES==<br />
===Geiger's SNES9X Debugger===<br />
This emulator can be found at [http://geigercount.net/crypt/ Geiger's Crypt] and [http://www.zophar.net/snes/geiger-s-snes9x-debugger.html Zophar's Domain - Geiger’s Snes9x Debugger].<br />
<br />
====Setting breakpoints in ROM/RAM====<br />
Open ROM, Click 'Breakpoints'<br><br />
In the breakpoint window, enter the Executable address or Memory address you want.<br><br />
Standard RAM: 7E0000 - 7FFFFF<br><br />
SA1 RAM: 400000-407FFF, 303000-303FFF<br><br />
HiROM - C00000 - FFFFFF<br><br />
LoROM - 808000-BFFFFF (**0000 - **7FFF doesn't exist)<br />
<br />
If you use the [[SA1]] logger with an SA1-using game, and wish to find an address that changed an address in RAM, you can see if the conversion chart on the [[SA1]] page shows you the address to search for in the log file.<br />
<br />
===FuSoYa's SNES9X SuperFX Instruction Logger===<br />
This emulator can be found [http://www.gshi.org/downloads/snes9x1.43-FuSoYa-SFX_B2.zip here].<br />
<br />
This emulator allows you to log SuperFX instructions being used by the emulator.<br />
<br />
Press the NumLock button to start/stop logging.<br />
<br />
Instructions will be logged to sfx_trace.txt, in the folder with the emulator.<br />
<br />
Here's an example on how to interpret the results:<br><br />
00:e834 40 ldw (r0) r0=$0058 SRAM=00:5AAE<br><br />
00:e835 64 sub r4 r0=$0055 CY=1<br />
<br />
First line Loads Word (SRAM=00:5AAE) to (r0). In Geiger's SNES9X Debugger, this is address 705AAE in the RAM viewer. In ZSNES, you can find this in a save-state at 0x4127F + 0x5AAE (= 0x46D2D). The result of this operation is on the same line.<br />
<br />
Second line subtracts (r4) from (r0). This next result is on the same line as well. This can be coded out to give you Infinite Health in Doom, but it won't work as a Game Genie code. The file address would be either 6835 or 6A35. Only one address of those 2 will be 0x64.<br />
<br />
==Genesis==<br />
<br />
===Regen Debugger Build===<br />
This emulator can be found [http://aamirm.hacking-cult.org/ here]<br />
<br />
Backup: [http://www.gshi.org/downloads/Regen095D.zip Regen 0.95 Debugger]<br />
<br />
If you've used FCEUXDSP, Geiger's Snes9x, BGB, Nemu08, pSX, or pretty much any other active debugger, you'll realize that this is along the same lines of those debuggers. This is certainly what Genesis hackers have been waiting for when it comes to a user friendly debugger.<br />
<br />
It runs Genesis, Game Gear, and SMS files, but only debugs Genesis at the moment. Use [[#Emukon]] if you want to hack Game Gear or SMS.<br />
<br />
===Gens Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/337/ here].<br />
<br />
No breakpoints, but adequate tracing. A guide has been written on the specific usage of the emulator.<br />
<br />
The idea is that you can trace-log writes to and reads from memory, and you can also log all commands, and determine what's happening from the full log, by using what you find from the hook logging.<br />
<br />
===HazeMD===<br />
This emulator can be found at [http://haze.mameworld.info/ this address].<br />
<br />
This emulator is harder to get setup to use a ROM, but comes with a MAME-style debugger. MAME's debugger is well known for being so powerful, considering the number of systems it can be used with when compiled into a build of MAME. The Gens tracer tends to have slightly better compatibility, while the HazeMD emulator has more potential for cheat codes, already having a Cheat system designed to handle multiple CPUs, which could be used for 32x game ROM hacks, and RAM hacks.<br />
<br />
==Gameboy==<br />
===BGB===<br />
This emulator can be found [http://bgb.bircd.org/ here]<br />
<br />
Load a ROM, and right-click the screen.<br><br />
Other>debug mode enabled: to enable debugging<br><br />
Other>debugger to enter the debugger<br><br />
<br />
Setting breakpoints in ROM/RAM<br><br />
In the debugger window:<br><br />
Debug>breakpoints for execution breakpoints<br><br />
Debug>access breakpoints for read/write breaks.<br><br />
<br />
===Visual Boy Advance Tracer===<br />
See [[#Visual_Boy_Advance_Tracer_2]]<br />
<br />
==PC Engine / Turbo-Grafx 16==<br />
===Mednafen===<br />
This emulator can be found [http://mednafen.sourceforge.net/ here]<br />
<br />
Esc = Exit Mednafen (Careful about it)<br />
<br />
To use F12 to quit, and not the ESC key, edit this in mednafen.cfg:<br><br />
----<br />
";Exit"<br><br />
"command.exit keyboard 293~keyboard 27"<br><br />
----<br />
To this:<br><br />
----<br />
";Exit"<br><br />
"command.exit keyboard 293"<br><br />
----<br />
<br />
F5 = Save State<br><br />
F7 = Load State<br><br />
0-9 = Select Save Slot<br />
<br />
F10 = Reset<br><br />
F11 = Hard Reset (Power Switch style)<br />
<br />
Alt + D = Toggle Debugger<br />
<br />
In Debugger:<br><br />
Alt+1 = CPU debugger view<br><br />
Alt+3 = Memory editor<br><br />
R = Run<br><br />
S = Step<br><br />
Return = Goto Address(If on code)/Edit(If on register) (Type new values after original, press enter. Quicker.)<br><br />
Space = Set/Unset Execution Breakpoint<br><br />
Shift + Return = Edit watch address<br><br />
Shift + R = Edit Read Breakpoints<br><br />
Shift + W = Edit write breakpoints<br><br />
Shift + O = Opcode Breakpoints (Enter EA for "NOP", etc. Use 6502 ASM table mainly)<br />
<br />
See included Debugger.html file for complete command list<br />
<br />
==Game Gear==<br />
===Emukon===<br />
This emulator can be found [http://emukon.kontechs.de/ here].<br />
<br />
Backup: [http://www.gshi.org/downloads/Emukon105.zip Emukon 1.05]<br />
<br />
This is basically a friendlier style of Logging Debugger the way I tend to use it, with Breakpoints to help figure out how code you find operates. I've used it to at least as much success as I've used the Hook_log debuggers, only this was more boring because I didn't have to fight with the emulator as much.<br />
<br />
You can use a combination of Breakpoints and Log Files to debug games.<br />
<br />
Breakpoints have their own management window, or you can right click lines in the debugger.<br />
<br />
To use the log files effectively, you should focus on a single byte with a known effect, get to about where the setting you're looking for will change, go to the Debugger > Debugger menu, enable it if needed, then click the Clear Log button if you want a fresh start, and the Log button to start logging. Get the thing changed that you want, and then look under the DebugLogs folder for the game you're working on, and search the text logs for the address you want to check, whether it's the execution address by some chance or the memory address. Breakpoints and Logging work well together to discover the execution path to a piece of code.<br />
<br />
It's not as exceedingly simple as some other debuggers, but it's quite useful, and it's my first choice for hacking Game Gear as well as SMS.<br />
<br />
==Master System==<br />
===Emukon===<br />
See Game Gear section: [[#Emukon]]<br />
<br />
==Gameboy Advance==<br />
===Visual Boy Advance Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/340/ here].<br />
<br />
This emulator uses the Hook Log system. Those familiar with the hook_log Genesis or N64 emulators should have little trouble adapting to this system.<br />
<br />
Note that it has also been used to good effect for a small number of gameboy games that BGB doesn't support. [[Ugetab]] used this for GBS ripping, but with full code logging, and a save-state near when something changes, you could just as effectively search for a memory address in trace.log. Mind that while GB assembly doesn't pile up as quickly as GBA or N64, and it is still necessary to be relatively close to the change before activating logging, if you don't want to have to use a special text editor to open an enormous log file. <br />
<br />
===Visual Boy Advance===<br />
This emulator can be found at [http://vba.ngemu.com/downloads.shtml this address].<br />
<br />
Windows - SDL is required. Unfortunately, no cheat device exists that can change the assembly, so hacking it is more a matter of patching the ROM, and less a matter of using it for simple cheats. Not documented.<br />
<br />
==Playstation==<br />
===PCSX 1.5 With Debugger===<br />
This emulator is available [http://www.romhacking.net/utils/267/ here].<br />
<br />
Press F11 to enter the debugger. On-screen aids should be apparent.<br />
<br />
===PSX===<br />
This emulator can be found at [http://www.romhacking.net/utils/311/ this address].<br />
<br />
This can be a decent debugging alternative if a game doesn't work well in the above emulator.<br />
<br />
===PCSX Agemo debugger===<br />
This emulator can be found [http://www.romhacking.net/utils/475/ here].<br />
<br />
It could be favorable for some tasks, compared to the other debuggers.<br />
<br />
==N64==<br />
===Nemu64===<br />
This emulator can be found [http://www.emulator-zone.com/doc.php/n64/nemu64.html here]<br />
<br />
Setting execution breakpoints<br><br />
Plugins>Debugger: Commands...<br><br />
To set a break on execution, go to the line that you want to break on, and click in the vertical bar to the left(<) of the address you want to breakpoint.<br />
<br />
Setting breakpoints in RAM<br><br />
Plugins>Debugger: Memory...<br><br />
Enable the read and/or write check boxes, and right-click the memory space you want to set, unset, or change an access breakpoint on.<br />
<br />
Some games don't run in Nemu, so you may have to switch to this hook_log based emulator if you want the codes. The 1964 tracer can be useful, which is available [http://www.romhacking.net/utils/335/ here].<br />
<br />
The hook_log system is a little bit more demanding to use than a visual debugger, but with compatibility issues, it's better than lucky to have a second usable debugging emulator. The save-states can be decompressed, and loaded in their decompressed form if needed<br />
<br />
An issue with this emulator is that not all instructions are logged, but it's still worth knowing about for the fact that many instructions are logged, and it can be used with write logging.<br />
<br />
===Project64 debug build binary===<br />
This emulator can be found [http://www.thegshi.org/downloads/Project64%20Build%2052%20Debug%20Binary.zip here].<br />
<br />
This version of the emulator has better support for games than Nemu64, and Ugetab used this tool in combination with nemu64 to edit USFs, as well as make a few codes that people using only a single emulation tool were having extremely hard struggles with.<br />
<br />
==Saturn==<br />
===Yabause===<br />
This emulator can be found [http://www.romhacking.net/utils/482/ here].<br />
<br />
This is one of the few Saturn emulators out there.<br />
<br />
==Wonder Swan==<br />
===Cygne Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/244/ here].<br />
<br />
A decent Tracing program.<br />
<br />
===Oswan Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/338/ here].<br />
<br />
This is just another hook-log tracer.<br />
<br />
==Playstation 2==<br />
[The current author is too lazy to write this, but will get around to it later if no one else does]<br />
<br />
[[Category:Hacking and Game Info]]</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Music_Ripping&diff=4402Music Ripping2009-08-29T01:37:11Z<p>Ugetab: /* NES - NSF (Nintendo Sound Format) */ Fleshed out DPCM a bit. Good reference info.</p>
<hr />
<div>This is just a basic set of quick-start info for getting into any given format that someone is willing to provide information for.<br />
<br />
It's not meant to be comprehensive, but just informative enough to give you something to quickly refer to until you can easily recall the basic information for actually finding the addresses.<br />
<br />
Debugger-specific information can normally be found on the [[Assembly Hacking]] page.<br />
<br />
I use the following code set distinctions:<br><br />
Sound Init (Basic register initialization. Often close to Song Init and/or Play address. Not all games use a distinctive Sound Init. Some run Play once or several times before running Song Init to achieve Sound Init)<br><br />
Song Init (If you feed this address the right number in the right register, sounds or music are played by the Play routine)<br><br />
Play (Executes the sound generation code, also good if you enter this by using sound registers and find RAM addresses related to sound to breakpoint for Song Init)<br />
<br />
==NES - NSF (Nintendo Sound Format)==<br />
I suggest FCEUXDSP: [[Assembly_Hacking#FCEU]]<br />
<br />
$4000-$4009 = Sound Registers (Good for finding Play)<br><br />
$4010-$4013 = DMC / DPCM (This is a tricky addon. References info from $C000-$FFFF, and FCEUXDSP won't catch it reading this data unless you break on writes to $4012 for the start position '0x40 * value + 0xC000' and/or $4013 for length '(0x10 * value) + 1')<br><br />
$4015 = Channel Select (Good for finding Sound Init, sometimes Play)<br><br />
$4017 = Frame Cycle/Interrupt (If this is written once, write it once in the NSF with the value written. If it's written once for every time play is run, do that in the NSF. Match in the NSF any setup used in the original game. Games sound a bit off if you don't, and you might not notice on your own)<br />
<br />
==Gameboy - GBS (Gameboy Sound Format)==<br />
I suggest BGB: [[Assembly_Hacking#BGB]]<br />
<br />
$FF24 = Volume (Good for finding Sound Init, sometimes Play)<br><br />
$FF25 = L/R (00 often means a failed init. Visible in BGB)<br><br />
$FF26 = Channel On/Off (00 often means a failed init. Visible in BGB)<br><br />
<br />
$FF13 = A good register to find Play with (Try $FF18/$FF1D/$FF22 if it doesn't break on $FF13)<br />
<br />
$FF10-$FF23 Sound Register spread<br />
<br />
==PC Engine / Turbo-Grafx 16 - HES (Hudson Entertainment System)==<br />
I suggest Mednafen: [[Assembly_Hacking#Mednafen]]<br />
<br />
[http://pages.interlog.com/~daves/pce_info/pcesound.txt Source for below]<br />
<br />
$0800 = Voice Select (Good for sound init)<br><br />
$0801 = Main Volume (Probably also good for sound init)<br><br />
$0802 - Frequency (low)<br><br />
$0803 - Frequency (high)<br><br />
$0804 - Channel on/dda/volume - voice-dependent register<br><br />
$0805 - Pan volume ('balance') - voice-dependent register<br><br />
$0806 - Wave data<br><br />
$0807 = Note Frequency (Good for finding Play, which is itself good for finding Song Init by matching up to Sound RAM Addresses)<br><br />
$0808 - LFO Frequency<br><br />
$0809 - LFO Control<br />
<br />
==N64 - USF (Ultra 64 Sound Format)==<br />
I primarily suggest NEmu64: [[Assembly_Hacking#Nemu64]]<br />
<br />
This is a considerably different bag of tricks to use.<br />
<br />
I've written out a decent guide, and even put together some tool modifications to make the job easier. Check out usfbegin.txt for more in-depth info. The folder with this info is [http://www.gshi.org/ugetab/USF/ here]<br />
<br />
AM_RANGE(0x04500000, 0x045fffff) AM_READWRITE(n64_ai_reg_r, n64_ai_reg_w) // Audio Interface<br />
<br />
04500004 = When you hit this, step out until you're in an infinite loop, and you should be in the Play thread. Mark it down as such, so you know not to disable it completely.<br />
<br />
If you break on the opcode "ERET", then you can fairly easily build a list of threads to crash-test, until you've killed off all of them that won't kill the music.<br />
<br />
Finding music inits is considerably tougher in N64 coding. I usually brute-force my way. Play through the Play routine to find RAM, use File2File methods, sometimes both... Not exactly a walk in the park, but it's the best I've found, and it's just for the Init code that this needs to be done. Sound Tests make this a lot easier, because the value has to get from the temporary one in RAM to the sound routine in some fashion, and the temporary one used in a sound test is considerably easier to find with File2File and track through code than the pure coding method is.<br />
<br />
04040010 is written to for DList events. In Kirby64, it uses 00002B00 for this. This can help you remove graphics processing code. Note that not all writes to this are for graphics, and can crash the music if accesses are just outright removed.</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Music_Ripping&diff=4401Music Ripping2009-08-28T20:28:42Z<p>Ugetab: Tagged HES with the acronym meaning</p>
<hr />
<div>This is just a basic set of quick-start info for getting into any given format that someone is willing to provide information for.<br />
<br />
It's not meant to be comprehensive, but just informative enough to give you something to quickly refer to until you can easily recall the basic information for actually finding the addresses.<br />
<br />
Debugger-specific information can normally be found on the [[Assembly Hacking]] page.<br />
<br />
I use the following code set distinctions:<br><br />
Sound Init (Basic register initialization. Often close to Song Init and/or Play address. Not all games use a distinctive Sound Init. Some run Play once or several times before running Song Init to achieve Sound Init)<br><br />
Song Init (If you feed this address the right number in the right register, sounds or music are played by the Play routine)<br><br />
Play (Executes the sound generation code, also good if you enter this by using sound registers and find RAM addresses related to sound to breakpoint for Song Init)<br />
<br />
==NES - NSF (Nintendo Sound Format)==<br />
I suggest FCEUXDSP: [[Assembly_Hacking#FCEU]]<br />
<br />
$4000-$4009 = Sound Registers (Good for finding Play)<br><br />
$4010-$4013 = DMC / DPCM (This is a tricky addon. References info from $C000-$FFFF, and FCEUXDSP won't catch it reading this data unless you break on $4012/$4013 writes here)<br><br />
$4015 = Channel Select (Good for finding Sound Init, sometimes Play)<br><br />
$4017 = Frame Cycle/Interrupt (If this is written once, write it once in the NSF with the value written. If it's written once for every time play is run, do that in the NSF. Match in the NSF any setup used in the original game. Games sound a bit off if you don't, and you might not notice on your own)<br />
<br />
==Gameboy - GBS (Gameboy Sound Format)==<br />
I suggest BGB: [[Assembly_Hacking#BGB]]<br />
<br />
$FF24 = Volume (Good for finding Sound Init, sometimes Play)<br><br />
$FF25 = L/R (00 often means a failed init. Visible in BGB)<br><br />
$FF26 = Channel On/Off (00 often means a failed init. Visible in BGB)<br><br />
<br />
$FF13 = A good register to find Play with (Try $FF18/$FF1D/$FF22 if it doesn't break on $FF13)<br />
<br />
$FF10-$FF23 Sound Register spread<br />
<br />
==PC Engine / Turbo-Grafx 16 - HES (Hudson Entertainment System)==<br />
I suggest Mednafen: [[Assembly_Hacking#Mednafen]]<br />
<br />
[http://pages.interlog.com/~daves/pce_info/pcesound.txt Source for below]<br />
<br />
$0800 = Voice Select (Good for sound init)<br><br />
$0801 = Main Volume (Probably also good for sound init)<br><br />
$0802 - Frequency (low)<br><br />
$0803 - Frequency (high)<br><br />
$0804 - Channel on/dda/volume - voice-dependent register<br><br />
$0805 - Pan volume ('balance') - voice-dependent register<br><br />
$0806 - Wave data<br><br />
$0807 = Note Frequency (Good for finding Play, which is itself good for finding Song Init by matching up to Sound RAM Addresses)<br><br />
$0808 - LFO Frequency<br><br />
$0809 - LFO Control<br />
<br />
==N64 - USF (Ultra 64 Sound Format)==<br />
I primarily suggest NEmu64: [[Assembly_Hacking#Nemu64]]<br />
<br />
This is a considerably different bag of tricks to use.<br />
<br />
I've written out a decent guide, and even put together some tool modifications to make the job easier. Check out usfbegin.txt for more in-depth info. The folder with this info is [http://www.gshi.org/ugetab/USF/ here]<br />
<br />
AM_RANGE(0x04500000, 0x045fffff) AM_READWRITE(n64_ai_reg_r, n64_ai_reg_w) // Audio Interface<br />
<br />
04500004 = When you hit this, step out until you're in an infinite loop, and you should be in the Play thread. Mark it down as such, so you know not to disable it completely.<br />
<br />
If you break on the opcode "ERET", then you can fairly easily build a list of threads to crash-test, until you've killed off all of them that won't kill the music.<br />
<br />
Finding music inits is considerably tougher in N64 coding. I usually brute-force my way. Play through the Play routine to find RAM, use File2File methods, sometimes both... Not exactly a walk in the park, but it's the best I've found, and it's just for the Init code that this needs to be done. Sound Tests make this a lot easier, because the value has to get from the temporary one in RAM to the sound routine in some fashion, and the temporary one used in a sound test is considerably easier to find with File2File and track through code than the pure coding method is.<br />
<br />
04040010 is written to for DList events. In Kirby64, it uses 00002B00 for this. This can help you remove graphics processing code. Note that not all writes to this are for graphics, and can crash the music if accesses are just outright removed.</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Assembly_Hacking&diff=4400Assembly Hacking2009-08-27T15:41:24Z<p>Ugetab: /* Mednafen */ F12 exited by default. Changed the settings to just remove escape from use</p>
<hr />
<div>Assembly hacking is the art of editing a compiled program. Without the source code, and without notes from the source code, one has to deduce almost everything about the underlying code, and how it works with RAM.<br />
<br />
There are several emulators that can aid one in creating a modification for a game. Games for console systems fall into the category of compiled programs, and generally, the source code is unavailable for these games.<br />
<br />
The use of making an assembly hack for a game can be found with the Nintendo Entertainment System (NES) [[Game Genie]].<br />
<br />
The codes that are entered into an NES Game Genie represent single-byte assembly hacks. Any assembly hack that could be done with a change of 3 bytes or less is possible to implement with a single Game Genie. The SNES Game Genie allows up to 5 codes, and 5 bytes of change. While this makes the possible usage of codes very limiting, it didn't prevent single-byte invincibility and infinite lives codes from appearing that could make it unnecessary to use additional codes.<br />
<br />
For more modern assembly hacking of the same systems, emulators that support 50 or more codes for any given game aren't uncommon. The ROMs have been turned into files that can be patched with all the changes needed to give the game a script in a new language. Emulators that aid in the process of making assembly hacks have appeared for many different emulated systems. The effect is that more people are now capable of starting their own projects, and existing projects can be modified and/or repaired more easily.<br />
<br />
=Emulators=<br />
<br />
==NES==<br />
===FCEU===<br />
[http://www.the-interweb.com/serendipity/index.php?/categories/9-FCEUXD-SP FCEUXDSP] is the result of a emulator first developed by Parasyte called FCEUD, which was then picked up by bbitmaster and renamed to FCEUXD, and finally adopted as FCEUXD SP.<br />
<br />
====Setting breakpoints in ROM/RAM====<br />
Tools>Debug<br />
<br />
In the breakpoint window, 'Add' the Executable address or Memory address you want.<br><br />
ROM is 8000-FFFF<br><br />
RAM is 0000-07FF, 6000-7FFF<br><br />
0800-3FFF is mirrored from some part of RAM.<br><br />
4000-4015 can be breakpointed if working on an NSF. If you want to use this to deal with NSFs, try Ugetabs [http://www.angelfire.com/nc/ugetab edited version], which tends to play nicer with them<br />
<br />
'Hex Editor' is a memory viewer/modifier.<br />
<br />
==SNES==<br />
===Geiger's SNES9X Debugger===<br />
This emulator can be found at [http://geigercount.net/crypt/ Geiger's Crypt] and [http://www.zophar.net/snes/geiger-s-snes9x-debugger.html Zophar's Domain - Geiger’s Snes9x Debugger].<br />
<br />
====Setting breakpoints in ROM/RAM====<br />
Open ROM, Click 'Breakpoints'<br><br />
In the breakpoint window, enter the Executable address or Memory address you want.<br><br />
Standard RAM: 7E0000 - 7FFFFF<br><br />
SA1 RAM: 400000-407FFF, 303000-303FFF<br><br />
HiROM - C00000 - FFFFFF<br><br />
LoROM - 808000-BFFFFF (**0000 - **7FFF doesn't exist)<br />
<br />
If you use the [[SA1]] logger with an SA1-using game, and wish to find an address that changed an address in RAM, you can see if the conversion chart on the [[SA1]] page shows you the address to search for in the log file.<br />
<br />
===FuSoYa's SNES9X SuperFX Instruction Logger===<br />
This emulator can be found [http://www.gshi.org/downloads/snes9x1.43-FuSoYa-SFX_B2.zip here].<br />
<br />
This emulator allows you to log SuperFX instructions being used by the emulator.<br />
<br />
Press the NumLock button to start/stop logging.<br />
<br />
Instructions will be logged to sfx_trace.txt, in the folder with the emulator.<br />
<br />
Here's an example on how to interpret the results:<br><br />
00:e834 40 ldw (r0) r0=$0058 SRAM=00:5AAE<br><br />
00:e835 64 sub r4 r0=$0055 CY=1<br />
<br />
First line Loads Word (SRAM=00:5AAE) to (r0). In Geiger's SNES9X Debugger, this is address 705AAE in the RAM viewer. In ZSNES, you can find this in a save-state at 0x4127F + 0x5AAE (= 0x46D2D). The result of this operation is on the same line.<br />
<br />
Second line subtracts (r4) from (r0). This next result is on the same line as well. This can be coded out to give you Infinite Health in Doom, but it won't work as a Game Genie code. The file address would be either 6835 or 6A35. Only one address of those 2 will be 0x64.<br />
<br />
==Genesis==<br />
<br />
===Regen Debugger Build===<br />
This emulator can be found [http://aamirm.hacking-cult.org/ here]<br />
<br />
Backup: [http://www.gshi.org/downloads/Regen095D.zip Regen 0.95 Debugger]<br />
<br />
If you've used FCEUXDSP, Geiger's Snes9x, BGB, Nemu08, pSX, or pretty much any other active debugger, you'll realize that this is along the same lines of those debuggers. This is certainly what Genesis hackers have been waiting for when it comes to a user friendly debugger.<br />
<br />
It runs Genesis, Game Gear, and SMS files, but only debugs Genesis at the moment. Use [[#Emukon]] if you want to hack Game Gear or SMS.<br />
<br />
===Gens Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/337/ here].<br />
<br />
No breakpoints, but adequate tracing. A guide has been written on the specific usage of the emulator.<br />
<br />
The idea is that you can trace-log writes to and reads from memory, and you can also log all commands, and determine what's happening from the full log, by using what you find from the hook logging.<br />
<br />
===HazeMD===<br />
This emulator can be found at [http://haze.mameworld.info/ this address].<br />
<br />
This emulator is harder to get setup to use a ROM, but comes with a MAME-style debugger. MAME's debugger is well known for being so powerful, considering the number of systems it can be used with when compiled into a build of MAME. The Gens tracer tends to have slightly better compatibility, while the HazeMD emulator has more potential for cheat codes, already having a Cheat system designed to handle multiple CPUs, which could be used for 32x game ROM hacks, and RAM hacks.<br />
<br />
==Gameboy==<br />
===BGB===<br />
This emulator can be found [http://bgb.bircd.org/ here]<br />
<br />
Load a ROM, and right-click the screen.<br><br />
Other>debug mode enabled: to enable debugging<br><br />
Other>debugger to enter the debugger<br><br />
<br />
Setting breakpoints in ROM/RAM<br><br />
In the debugger window:<br><br />
Debug>breakpoints for execution breakpoints<br><br />
Debug>access breakpoints for read/write breaks.<br><br />
<br />
===Visual Boy Advance Tracer===<br />
See [[#Visual_Boy_Advance_Tracer_2]]<br />
<br />
==PC Engine / Turbo-Grafx 16==<br />
===Mednafen===<br />
This emulator can be found [http://mednafen.sourceforge.net/ here]<br />
<br />
Esc = Exit Mednafen (Careful about it)<br />
<br />
To use F12 to quit, and not the ESC key, edit this in mednafen.cfg:<br><br />
----<br />
";Exit"<br><br />
"command.exit keyboard 293~keyboard 27"<br><br />
----<br />
To this:<br><br />
----<br />
";Exit"<br><br />
"command.exit keyboard 293"<br><br />
----<br />
<br />
F5 = Save State<br><br />
F7 = Load State<br><br />
0-9 = Select Save Slot<br />
<br />
F10 = Reset<br><br />
F11 = Hard Reset (Power Switch style)<br />
<br />
Alt + D = Toggle Debugger<br />
<br />
In Debugger:<br><br />
Alt+1 = CPU debugger view<br><br />
Alt+3 = Memory editor<br><br />
R = Run<br><br />
S = Step<br><br />
Return = Goto Address(If on code)/Edit(If on register) (Type new values after original, press enter. Quicker.)<br><br />
Space = Set/Unset Execution Breakpoint<br><br />
Shift + Return = Edit watch address<br><br />
Shift + R = Edit Read Breakpoints<br><br />
Shift + W = Edit write breakpoints<br><br />
Shift + O = Opcode Breakpoints (Enter EA for "NOP", etc. Use 6502 ASM table mainly)<br />
<br />
See included Debugger.html file for complete command list<br />
<br />
==Game Gear==<br />
===Emukon===<br />
This emulator can be found [http://emukon.kontechs.de/ here].<br />
<br />
Backup: [http://www.gshi.org/downloads/Emukon105.zip Emukon 1.05]<br />
<br />
This is basically a friendlier style of Logging Debugger the way I tend to use it, with Breakpoints to help figure out how code you find operates. I've used it to at least as much success as I've used the Hook_log debuggers, only this was more boring because I didn't have to fight with the emulator as much.<br />
<br />
You can use a combination of Breakpoints and Log Files to debug games.<br />
<br />
Breakpoints have their own management window, or you can right click lines in the debugger.<br />
<br />
To use the log files effectively, you should focus on a single byte with a known effect, get to about where the setting you're looking for will change, go to the Debugger > Debugger menu, enable it if needed, then click the Clear Log button if you want a fresh start, and the Log button to start logging. Get the thing changed that you want, and then look under the DebugLogs folder for the game you're working on, and search the text logs for the address you want to check, whether it's the execution address by some chance or the memory address. Breakpoints and Logging work well together to discover the execution path to a piece of code.<br />
<br />
It's not as exceedingly simple as some other debuggers, but it's quite useful, and it's my first choice for hacking Game Gear as well as SMS.<br />
<br />
==Master System==<br />
===Emukon===<br />
See Game Gear section: [[#Emukon]]<br />
<br />
==Gameboy Advance==<br />
===Visual Boy Advance Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/340/ here].<br />
<br />
This emulator uses the Hook Log system. Those familiar with the hook_log Genesis or N64 emulators should have little trouble adapting to this system.<br />
<br />
Note that it has also been used to good effect for a small number of gameboy games that BGB doesn't support. [[Ugetab]] used this for GBS ripping, but with full code logging, and a save-state near when something changes, you could just as effectively search for a memory address in trace.log. Mind that while GB assembly doesn't pile up as quickly as GBA or N64, and it is still necessary to be relatively close to the change before activating logging, if you don't want to have to use a special text editor to open an enormous log file. <br />
<br />
===Visual Boy Advance===<br />
This emulator can be found at [http://vba.ngemu.com/downloads.shtml this address].<br />
<br />
Windows - SDL is required. Unfortunately, no cheat device exists that can change the assembly, so hacking it is more a matter of patching the ROM, and less a matter of using it for simple cheats. Not documented.<br />
<br />
==Playstation==<br />
===PCSX 1.5 With Debugger===<br />
This emulator is available [http://www.romhacking.net/utils/267/ here].<br />
<br />
Press F11 to enter the debugger. On-screen aids should be apparent.<br />
<br />
===PSX===<br />
This emulator can be found at [http://www.romhacking.net/utils/311/ this address].<br />
<br />
This can be a decent debugging alternative if a game doesn't work well in the above emulator.<br />
<br />
===PCSX Agemo debugger===<br />
This emulator can be found [http://www.romhacking.net/utils/475/ here].<br />
<br />
It could be favorable for some tasks, compared to the other debuggers.<br />
<br />
==N64==<br />
===Nemu64===<br />
This emulator can be found [http://www.emulator-zone.com/doc.php/n64/nemu64.html here]<br />
<br />
Setting execution breakpoints<br><br />
Plugins>Debugger: Commands...<br><br />
To set a break on execution, go to the line that you want to break on, and click in the vertical bar to the left(<) of the address you want to breakpoint.<br />
<br />
Setting breakpoints in RAM<br><br />
Plugins>Debugger: Memory...<br><br />
Enable the read and/or write check boxes, and right-click the memory space you want to set, unset, or change an access breakpoint on.<br />
<br />
Some games don't run in Nemu, so you may have to switch to this hook_log based emulator if you want the codes. The 1964 tracer can be useful, which is available [http://www.romhacking.net/utils/335/ here].<br />
<br />
The hook_log system is a little bit more demanding to use than a visual debugger, but with compatibility issues, it's better than lucky to have a second usable debugging emulator. The save-states can be decompressed, and loaded in their decompressed form if needed<br />
<br />
An issue with this emulator is that not all instructions are logged, but it's still worth knowing about for the fact that many instructions are logged, and it can be used with write logging.<br />
<br />
===Project64 debug build binary===<br />
This emulator can be found [http://www.thegshi.org/downloads/Project64%20Build%2052%20Debug%20Binary.zip here].<br />
<br />
This version of the emulator has better support for games than Nemu64, and Ugetab used this tool in combination with nemu64 to edit USFs, as well as make a few codes that people using only a single emulation tool were having extremely hard struggles with.<br />
<br />
==Saturn==<br />
===Yabause===<br />
This emulator can be found [http://www.romhacking.net/utils/482/ here].<br />
<br />
This is one of the few Saturn emulators out there.<br />
<br />
==Wonder Swan==<br />
===Cygne Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/244/ here].<br />
<br />
A decent Tracing program.<br />
<br />
===Oswan Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/338/ here].<br />
<br />
This is just another hook-log tracer.<br />
<br />
==Playstation 2==<br />
[The current author is too lazy to write this, but will get around to it later if no one else does]<br />
<br />
[[Category:Hacking and Game Info]]</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Music_Ripping&diff=4399Music Ripping2009-08-26T14:43:12Z<p>Ugetab: Created page with 'This is just a basic set of quick-start info for getting into any given format that someone is willing to provide information for. It's not meant to be comprehensive, but just i...'</p>
<hr />
<div>This is just a basic set of quick-start info for getting into any given format that someone is willing to provide information for.<br />
<br />
It's not meant to be comprehensive, but just informative enough to give you something to quickly refer to until you can easily recall the basic information for actually finding the addresses.<br />
<br />
Debugger-specific information can normally be found on the [[Assembly Hacking]] page.<br />
<br />
I use the following code set distinctions:<br><br />
Sound Init (Basic register initialization. Often close to Song Init and/or Play address. Not all games use a distinctive Sound Init. Some run Play once or several times before running Song Init to achieve Sound Init)<br><br />
Song Init (If you feed this address the right number in the right register, sounds or music are played by the Play routine)<br><br />
Play (Executes the sound generation code, also good if you enter this by using sound registers and find RAM addresses related to sound to breakpoint for Song Init)<br />
<br />
==NES - NSF (Nintendo Sound Format)==<br />
I suggest FCEUXDSP: [[Assembly_Hacking#FCEU]]<br />
<br />
$4000-$4009 = Sound Registers (Good for finding Play)<br><br />
$4010-$4013 = DMC / DPCM (This is a tricky addon. References info from $C000-$FFFF, and FCEUXDSP won't catch it reading this data unless you break on $4012/$4013 writes here)<br><br />
$4015 = Channel Select (Good for finding Sound Init, sometimes Play)<br><br />
$4017 = Frame Cycle/Interrupt (If this is written once, write it once in the NSF with the value written. If it's written once for every time play is run, do that in the NSF. Match in the NSF any setup used in the original game. Games sound a bit off if you don't, and you might not notice on your own)<br />
<br />
==Gameboy - GBS (Gameboy Sound Format)==<br />
I suggest BGB: [[Assembly_Hacking#BGB]]<br />
<br />
$FF24 = Volume (Good for finding Sound Init, sometimes Play)<br><br />
$FF25 = L/R (00 often means a failed init. Visible in BGB)<br><br />
$FF26 = Channel On/Off (00 often means a failed init. Visible in BGB)<br><br />
<br />
$FF13 = A good register to find Play with (Try $FF18/$FF1D/$FF22 if it doesn't break on $FF13)<br />
<br />
$FF10-$FF23 Sound Register spread<br />
<br />
==PC Engine / Turbo-Grafx 16 - HES==<br />
I suggest Mednafen: [[Assembly_Hacking#Mednafen]]<br />
<br />
[http://pages.interlog.com/~daves/pce_info/pcesound.txt Source for below]<br />
<br />
$0800 = Voice Select (Good for sound init)<br><br />
$0801 = Main Volume (Probably also good for sound init)<br><br />
$0802 - Frequency (low)<br><br />
$0803 - Frequency (high)<br><br />
$0804 - Channel on/dda/volume - voice-dependent register<br><br />
$0805 - Pan volume ('balance') - voice-dependent register<br><br />
$0806 - Wave data<br><br />
$0807 = Note Frequency (Good for finding Play, which is itself good for finding Song Init by matching up to Sound RAM Addresses)<br><br />
$0808 - LFO Frequency<br><br />
$0809 - LFO Control<br />
<br />
==N64 - USF (Ultra 64 Sound Format)==<br />
I primarily suggest NEmu64: [[Assembly_Hacking#Nemu64]]<br />
<br />
This is a considerably different bag of tricks to use.<br />
<br />
I've written out a decent guide, and even put together some tool modifications to make the job easier. Check out usfbegin.txt for more in-depth info. The folder with this info is [http://www.gshi.org/ugetab/USF/ here]<br />
<br />
AM_RANGE(0x04500000, 0x045fffff) AM_READWRITE(n64_ai_reg_r, n64_ai_reg_w) // Audio Interface<br />
<br />
04500004 = When you hit this, step out until you're in an infinite loop, and you should be in the Play thread. Mark it down as such, so you know not to disable it completely.<br />
<br />
If you break on the opcode "ERET", then you can fairly easily build a list of threads to crash-test, until you've killed off all of them that won't kill the music.<br />
<br />
Finding music inits is considerably tougher in N64 coding. I usually brute-force my way. Play through the Play routine to find RAM, use File2File methods, sometimes both... Not exactly a walk in the park, but it's the best I've found, and it's just for the Init code that this needs to be done. Sound Tests make this a lot easier, because the value has to get from the temporary one in RAM to the sound routine in some fashion, and the temporary one used in a sound test is considerably easier to find with File2File and track through code than the pure coding method is.<br />
<br />
04040010 is written to for DList events. In Kirby64, it uses 00002B00 for this. This can help you remove graphics processing code. Note that not all writes to this are for graphics, and can crash the music if accesses are just outright removed.</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Assembly_Hacking&diff=4398Assembly Hacking2009-08-26T13:52:12Z<p>Ugetab: /* Mednafen */ More bits and bobs of info</p>
<hr />
<div>Assembly hacking is the art of editing a compiled program. Without the source code, and without notes from the source code, one has to deduce almost everything about the underlying code, and how it works with RAM.<br />
<br />
There are several emulators that can aid one in creating a modification for a game. Games for console systems fall into the category of compiled programs, and generally, the source code is unavailable for these games.<br />
<br />
The use of making an assembly hack for a game can be found with the Nintendo Entertainment System (NES) [[Game Genie]].<br />
<br />
The codes that are entered into an NES Game Genie represent single-byte assembly hacks. Any assembly hack that could be done with a change of 3 bytes or less is possible to implement with a single Game Genie. The SNES Game Genie allows up to 5 codes, and 5 bytes of change. While this makes the possible usage of codes very limiting, it didn't prevent single-byte invincibility and infinite lives codes from appearing that could make it unnecessary to use additional codes.<br />
<br />
For more modern assembly hacking of the same systems, emulators that support 50 or more codes for any given game aren't uncommon. The ROMs have been turned into files that can be patched with all the changes needed to give the game a script in a new language. Emulators that aid in the process of making assembly hacks have appeared for many different emulated systems. The effect is that more people are now capable of starting their own projects, and existing projects can be modified and/or repaired more easily.<br />
<br />
=Emulators=<br />
<br />
==NES==<br />
===FCEU===<br />
[http://www.the-interweb.com/serendipity/index.php?/categories/9-FCEUXD-SP FCEUXDSP] is the result of a emulator first developed by Parasyte called FCEUD, which was then picked up by bbitmaster and renamed to FCEUXD, and finally adopted as FCEUXD SP.<br />
<br />
====Setting breakpoints in ROM/RAM====<br />
Tools>Debug<br />
<br />
In the breakpoint window, 'Add' the Executable address or Memory address you want.<br><br />
ROM is 8000-FFFF<br><br />
RAM is 0000-07FF, 6000-7FFF<br><br />
0800-3FFF is mirrored from some part of RAM.<br><br />
4000-4015 can be breakpointed if working on an NSF. If you want to use this to deal with NSFs, try Ugetabs [http://www.angelfire.com/nc/ugetab edited version], which tends to play nicer with them<br />
<br />
'Hex Editor' is a memory viewer/modifier.<br />
<br />
==SNES==<br />
===Geiger's SNES9X Debugger===<br />
This emulator can be found at [http://geigercount.net/crypt/ Geiger's Crypt] and [http://www.zophar.net/snes/geiger-s-snes9x-debugger.html Zophar's Domain - Geiger’s Snes9x Debugger].<br />
<br />
====Setting breakpoints in ROM/RAM====<br />
Open ROM, Click 'Breakpoints'<br><br />
In the breakpoint window, enter the Executable address or Memory address you want.<br><br />
Standard RAM: 7E0000 - 7FFFFF<br><br />
SA1 RAM: 400000-407FFF, 303000-303FFF<br><br />
HiROM - C00000 - FFFFFF<br><br />
LoROM - 808000-BFFFFF (**0000 - **7FFF doesn't exist)<br />
<br />
If you use the [[SA1]] logger with an SA1-using game, and wish to find an address that changed an address in RAM, you can see if the conversion chart on the [[SA1]] page shows you the address to search for in the log file.<br />
<br />
===FuSoYa's SNES9X SuperFX Instruction Logger===<br />
This emulator can be found [http://www.gshi.org/downloads/snes9x1.43-FuSoYa-SFX_B2.zip here].<br />
<br />
This emulator allows you to log SuperFX instructions being used by the emulator.<br />
<br />
Press the NumLock button to start/stop logging.<br />
<br />
Instructions will be logged to sfx_trace.txt, in the folder with the emulator.<br />
<br />
Here's an example on how to interpret the results:<br><br />
00:e834 40 ldw (r0) r0=$0058 SRAM=00:5AAE<br><br />
00:e835 64 sub r4 r0=$0055 CY=1<br />
<br />
First line Loads Word (SRAM=00:5AAE) to (r0). In Geiger's SNES9X Debugger, this is address 705AAE in the RAM viewer. In ZSNES, you can find this in a save-state at 0x4127F + 0x5AAE (= 0x46D2D). The result of this operation is on the same line.<br />
<br />
Second line subtracts (r4) from (r0). This next result is on the same line as well. This can be coded out to give you Infinite Health in Doom, but it won't work as a Game Genie code. The file address would be either 6835 or 6A35. Only one address of those 2 will be 0x64.<br />
<br />
==Genesis==<br />
<br />
===Regen Debugger Build===<br />
This emulator can be found [http://aamirm.hacking-cult.org/ here]<br />
<br />
Backup: [http://www.gshi.org/downloads/Regen095D.zip Regen 0.95 Debugger]<br />
<br />
If you've used FCEUXDSP, Geiger's Snes9x, BGB, Nemu08, pSX, or pretty much any other active debugger, you'll realize that this is along the same lines of those debuggers. This is certainly what Genesis hackers have been waiting for when it comes to a user friendly debugger.<br />
<br />
It runs Genesis, Game Gear, and SMS files, but only debugs Genesis at the moment. Use [[#Emukon]] if you want to hack Game Gear or SMS.<br />
<br />
===Gens Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/337/ here].<br />
<br />
No breakpoints, but adequate tracing. A guide has been written on the specific usage of the emulator.<br />
<br />
The idea is that you can trace-log writes to and reads from memory, and you can also log all commands, and determine what's happening from the full log, by using what you find from the hook logging.<br />
<br />
===HazeMD===<br />
This emulator can be found at [http://haze.mameworld.info/ this address].<br />
<br />
This emulator is harder to get setup to use a ROM, but comes with a MAME-style debugger. MAME's debugger is well known for being so powerful, considering the number of systems it can be used with when compiled into a build of MAME. The Gens tracer tends to have slightly better compatibility, while the HazeMD emulator has more potential for cheat codes, already having a Cheat system designed to handle multiple CPUs, which could be used for 32x game ROM hacks, and RAM hacks.<br />
<br />
==Gameboy==<br />
===BGB===<br />
This emulator can be found [http://bgb.bircd.org/ here]<br />
<br />
Load a ROM, and right-click the screen.<br><br />
Other>debug mode enabled: to enable debugging<br><br />
Other>debugger to enter the debugger<br><br />
<br />
Setting breakpoints in ROM/RAM<br><br />
In the debugger window:<br><br />
Debug>breakpoints for execution breakpoints<br><br />
Debug>access breakpoints for read/write breaks.<br><br />
<br />
===Visual Boy Advance Tracer===<br />
See [[#Visual_Boy_Advance_Tracer_2]]<br />
<br />
==PC Engine / Turbo-Grafx 16==<br />
===Mednafen===<br />
This emulator can be found [http://mednafen.sourceforge.net/ here]<br />
<br />
Esc = Exit Mednafen (Careful about it)<br />
<br />
To use F12 to quit, and not the ESC key, edit this in mednafen.cfg:<br><br />
----<br />
";Exit"<br><br />
"command.exit keyboard 293~keyboard 27"<br><br />
----<br />
To this:<br><br />
----<br />
";Exit"<br><br />
"command.exit keyboard 293~keyboard 123"<br><br />
----<br />
<br />
F5 = Save State<br><br />
F7 = Load State<br><br />
0-9 = Select Save Slot<br />
<br />
F10 = Reset<br><br />
F11 = Hard Reset (Power Switch style)<br />
<br />
Alt + D = Toggle Debugger<br />
<br />
In Debugger:<br><br />
Alt+1 = CPU debugger view<br><br />
Alt+3 = Memory editor<br><br />
R = Run<br><br />
S = Step<br><br />
Return = Goto Address(If on code)/Edit(If on register) (Type new values after original, press enter. Quicker.)<br><br />
Space = Set/Unset Execution Breakpoint<br><br />
Shift + Return = Edit watch address<br><br />
Shift + R = Edit Read Breakpoints<br><br />
Shift + W = Edit write breakpoints<br><br />
Shift + O = Opcode Breakpoints (Enter EA for "NOP", etc. Use 6502 ASM table mainly)<br />
<br />
See included Debugger.html file for complete command list<br />
<br />
==Game Gear==<br />
===Emukon===<br />
This emulator can be found [http://emukon.kontechs.de/ here].<br />
<br />
Backup: [http://www.gshi.org/downloads/Emukon105.zip Emukon 1.05]<br />
<br />
This is basically a friendlier style of Logging Debugger the way I tend to use it, with Breakpoints to help figure out how code you find operates. I've used it to at least as much success as I've used the Hook_log debuggers, only this was more boring because I didn't have to fight with the emulator as much.<br />
<br />
You can use a combination of Breakpoints and Log Files to debug games.<br />
<br />
Breakpoints have their own management window, or you can right click lines in the debugger.<br />
<br />
To use the log files effectively, you should focus on a single byte with a known effect, get to about where the setting you're looking for will change, go to the Debugger > Debugger menu, enable it if needed, then click the Clear Log button if you want a fresh start, and the Log button to start logging. Get the thing changed that you want, and then look under the DebugLogs folder for the game you're working on, and search the text logs for the address you want to check, whether it's the execution address by some chance or the memory address. Breakpoints and Logging work well together to discover the execution path to a piece of code.<br />
<br />
It's not as exceedingly simple as some other debuggers, but it's quite useful, and it's my first choice for hacking Game Gear as well as SMS.<br />
<br />
==Master System==<br />
===Emukon===<br />
See Game Gear section: [[#Emukon]]<br />
<br />
==Gameboy Advance==<br />
===Visual Boy Advance Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/340/ here].<br />
<br />
This emulator uses the Hook Log system. Those familiar with the hook_log Genesis or N64 emulators should have little trouble adapting to this system.<br />
<br />
Note that it has also been used to good effect for a small number of gameboy games that BGB doesn't support. [[Ugetab]] used this for GBS ripping, but with full code logging, and a save-state near when something changes, you could just as effectively search for a memory address in trace.log. Mind that while GB assembly doesn't pile up as quickly as GBA or N64, and it is still necessary to be relatively close to the change before activating logging, if you don't want to have to use a special text editor to open an enormous log file. <br />
<br />
===Visual Boy Advance===<br />
This emulator can be found at [http://vba.ngemu.com/downloads.shtml this address].<br />
<br />
Windows - SDL is required. Unfortunately, no cheat device exists that can change the assembly, so hacking it is more a matter of patching the ROM, and less a matter of using it for simple cheats. Not documented.<br />
<br />
==Playstation==<br />
===PCSX 1.5 With Debugger===<br />
This emulator is available [http://www.romhacking.net/utils/267/ here].<br />
<br />
Press F11 to enter the debugger. On-screen aids should be apparent.<br />
<br />
===PSX===<br />
This emulator can be found at [http://www.romhacking.net/utils/311/ this address].<br />
<br />
This can be a decent debugging alternative if a game doesn't work well in the above emulator.<br />
<br />
===PCSX Agemo debugger===<br />
This emulator can be found [http://www.romhacking.net/utils/475/ here].<br />
<br />
It could be favorable for some tasks, compared to the other debuggers.<br />
<br />
==N64==<br />
===Nemu64===<br />
This emulator can be found [http://www.emulator-zone.com/doc.php/n64/nemu64.html here]<br />
<br />
Setting execution breakpoints<br><br />
Plugins>Debugger: Commands...<br><br />
To set a break on execution, go to the line that you want to break on, and click in the vertical bar to the left(<) of the address you want to breakpoint.<br />
<br />
Setting breakpoints in RAM<br><br />
Plugins>Debugger: Memory...<br><br />
Enable the read and/or write check boxes, and right-click the memory space you want to set, unset, or change an access breakpoint on.<br />
<br />
Some games don't run in Nemu, so you may have to switch to this hook_log based emulator if you want the codes. The 1964 tracer can be useful, which is available [http://www.romhacking.net/utils/335/ here].<br />
<br />
The hook_log system is a little bit more demanding to use than a visual debugger, but with compatibility issues, it's better than lucky to have a second usable debugging emulator. The save-states can be decompressed, and loaded in their decompressed form if needed<br />
<br />
An issue with this emulator is that not all instructions are logged, but it's still worth knowing about for the fact that many instructions are logged, and it can be used with write logging.<br />
<br />
===Project64 debug build binary===<br />
This emulator can be found [http://www.thegshi.org/downloads/Project64%20Build%2052%20Debug%20Binary.zip here].<br />
<br />
This version of the emulator has better support for games than Nemu64, and Ugetab used this tool in combination with nemu64 to edit USFs, as well as make a few codes that people using only a single emulation tool were having extremely hard struggles with.<br />
<br />
==Saturn==<br />
===Yabause===<br />
This emulator can be found [http://www.romhacking.net/utils/482/ here].<br />
<br />
This is one of the few Saturn emulators out there.<br />
<br />
==Wonder Swan==<br />
===Cygne Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/244/ here].<br />
<br />
A decent Tracing program.<br />
<br />
===Oswan Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/338/ here].<br />
<br />
This is just another hook-log tracer.<br />
<br />
==Playstation 2==<br />
[The current author is too lazy to write this, but will get around to it later if no one else does]<br />
<br />
[[Category:Hacking and Game Info]]</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Assembly_Hacking&diff=4397Assembly Hacking2009-08-26T13:17:51Z<p>Ugetab: /* Mednafen */ (Forgot a debugging command)</p>
<hr />
<div>Assembly hacking is the art of editing a compiled program. Without the source code, and without notes from the source code, one has to deduce almost everything about the underlying code, and how it works with RAM.<br />
<br />
There are several emulators that can aid one in creating a modification for a game. Games for console systems fall into the category of compiled programs, and generally, the source code is unavailable for these games.<br />
<br />
The use of making an assembly hack for a game can be found with the Nintendo Entertainment System (NES) [[Game Genie]].<br />
<br />
The codes that are entered into an NES Game Genie represent single-byte assembly hacks. Any assembly hack that could be done with a change of 3 bytes or less is possible to implement with a single Game Genie. The SNES Game Genie allows up to 5 codes, and 5 bytes of change. While this makes the possible usage of codes very limiting, it didn't prevent single-byte invincibility and infinite lives codes from appearing that could make it unnecessary to use additional codes.<br />
<br />
For more modern assembly hacking of the same systems, emulators that support 50 or more codes for any given game aren't uncommon. The ROMs have been turned into files that can be patched with all the changes needed to give the game a script in a new language. Emulators that aid in the process of making assembly hacks have appeared for many different emulated systems. The effect is that more people are now capable of starting their own projects, and existing projects can be modified and/or repaired more easily.<br />
<br />
=Emulators=<br />
<br />
==NES==<br />
===FCEU===<br />
[http://www.the-interweb.com/serendipity/index.php?/categories/9-FCEUXD-SP FCEUXDSP] is the result of a emulator first developed by Parasyte called FCEUD, which was then picked up by bbitmaster and renamed to FCEUXD, and finally adopted as FCEUXD SP.<br />
<br />
====Setting breakpoints in ROM/RAM====<br />
Tools>Debug<br />
<br />
In the breakpoint window, 'Add' the Executable address or Memory address you want.<br><br />
ROM is 8000-FFFF<br><br />
RAM is 0000-07FF, 6000-7FFF<br><br />
0800-3FFF is mirrored from some part of RAM.<br><br />
4000-4015 can be breakpointed if working on an NSF. If you want to use this to deal with NSFs, try Ugetabs [http://www.angelfire.com/nc/ugetab edited version], which tends to play nicer with them<br />
<br />
'Hex Editor' is a memory viewer/modifier.<br />
<br />
==SNES==<br />
===Geiger's SNES9X Debugger===<br />
This emulator can be found at [http://geigercount.net/crypt/ Geiger's Crypt] and [http://www.zophar.net/snes/geiger-s-snes9x-debugger.html Zophar's Domain - Geiger’s Snes9x Debugger].<br />
<br />
====Setting breakpoints in ROM/RAM====<br />
Open ROM, Click 'Breakpoints'<br><br />
In the breakpoint window, enter the Executable address or Memory address you want.<br><br />
Standard RAM: 7E0000 - 7FFFFF<br><br />
SA1 RAM: 400000-407FFF, 303000-303FFF<br><br />
HiROM - C00000 - FFFFFF<br><br />
LoROM - 808000-BFFFFF (**0000 - **7FFF doesn't exist)<br />
<br />
If you use the [[SA1]] logger with an SA1-using game, and wish to find an address that changed an address in RAM, you can see if the conversion chart on the [[SA1]] page shows you the address to search for in the log file.<br />
<br />
===FuSoYa's SNES9X SuperFX Instruction Logger===<br />
This emulator can be found [http://www.gshi.org/downloads/snes9x1.43-FuSoYa-SFX_B2.zip here].<br />
<br />
This emulator allows you to log SuperFX instructions being used by the emulator.<br />
<br />
Press the NumLock button to start/stop logging.<br />
<br />
Instructions will be logged to sfx_trace.txt, in the folder with the emulator.<br />
<br />
Here's an example on how to interpret the results:<br><br />
00:e834 40 ldw (r0) r0=$0058 SRAM=00:5AAE<br><br />
00:e835 64 sub r4 r0=$0055 CY=1<br />
<br />
First line Loads Word (SRAM=00:5AAE) to (r0). In Geiger's SNES9X Debugger, this is address 705AAE in the RAM viewer. In ZSNES, you can find this in a save-state at 0x4127F + 0x5AAE (= 0x46D2D). The result of this operation is on the same line.<br />
<br />
Second line subtracts (r4) from (r0). This next result is on the same line as well. This can be coded out to give you Infinite Health in Doom, but it won't work as a Game Genie code. The file address would be either 6835 or 6A35. Only one address of those 2 will be 0x64.<br />
<br />
==Genesis==<br />
<br />
===Regen Debugger Build===<br />
This emulator can be found [http://aamirm.hacking-cult.org/ here]<br />
<br />
Backup: [http://www.gshi.org/downloads/Regen095D.zip Regen 0.95 Debugger]<br />
<br />
If you've used FCEUXDSP, Geiger's Snes9x, BGB, Nemu08, pSX, or pretty much any other active debugger, you'll realize that this is along the same lines of those debuggers. This is certainly what Genesis hackers have been waiting for when it comes to a user friendly debugger.<br />
<br />
It runs Genesis, Game Gear, and SMS files, but only debugs Genesis at the moment. Use [[#Emukon]] if you want to hack Game Gear or SMS.<br />
<br />
===Gens Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/337/ here].<br />
<br />
No breakpoints, but adequate tracing. A guide has been written on the specific usage of the emulator.<br />
<br />
The idea is that you can trace-log writes to and reads from memory, and you can also log all commands, and determine what's happening from the full log, by using what you find from the hook logging.<br />
<br />
===HazeMD===<br />
This emulator can be found at [http://haze.mameworld.info/ this address].<br />
<br />
This emulator is harder to get setup to use a ROM, but comes with a MAME-style debugger. MAME's debugger is well known for being so powerful, considering the number of systems it can be used with when compiled into a build of MAME. The Gens tracer tends to have slightly better compatibility, while the HazeMD emulator has more potential for cheat codes, already having a Cheat system designed to handle multiple CPUs, which could be used for 32x game ROM hacks, and RAM hacks.<br />
<br />
==Gameboy==<br />
===BGB===<br />
This emulator can be found [http://bgb.bircd.org/ here]<br />
<br />
Load a ROM, and right-click the screen.<br><br />
Other>debug mode enabled: to enable debugging<br><br />
Other>debugger to enter the debugger<br><br />
<br />
Setting breakpoints in ROM/RAM<br><br />
In the debugger window:<br><br />
Debug>breakpoints for execution breakpoints<br><br />
Debug>access breakpoints for read/write breaks.<br><br />
<br />
===Visual Boy Advance Tracer===<br />
See [[#Visual_Boy_Advance_Tracer_2]]<br />
<br />
==PC Engine / Turbo-Grafx 16==<br />
===Mednafen===<br />
This emulator can be found [http://mednafen.sourceforge.net/ here]<br />
<br />
Esc = Exit Mednafen (Careful about it)<br />
<br />
To use F12 to quit, and not the ESC key, edit this in mednafen.cfg:<br><br />
----<br />
";Exit"<br><br />
"command.exit keyboard 293~keyboard 27"<br><br />
----<br />
To this:<br><br />
----<br />
";Exit"<br><br />
"command.exit keyboard 293~keyboard 123"<br><br />
----<br />
<br />
F5 = Save State<br><br />
F7 = Load State<br><br />
0-9 = Select Save Slot<br />
<br />
Alt + D = Toggle Debugger<br />
<br />
In Debugger:<br><br />
Alt+1 = CPU debugger view<br><br />
Alt+3 = Memory editor<br><br />
R = Run<br><br />
S = Step<br><br />
Return = Goto Address(If on code)/Edit(If on register)<br><br />
Space = Set/Unset Execution Breakpoint<br><br />
Shift + Return = Edit watch address<br><br />
Shift + R = Edit Read Breakpoints<br><br />
Shift + W = Edit write breakpoints<br><br />
Shift + O = Opcode Breakpoints<br />
<br />
See included Debugger.html file for complete command list<br />
<br />
==Game Gear==<br />
===Emukon===<br />
This emulator can be found [http://emukon.kontechs.de/ here].<br />
<br />
Backup: [http://www.gshi.org/downloads/Emukon105.zip Emukon 1.05]<br />
<br />
This is basically a friendlier style of Logging Debugger the way I tend to use it, with Breakpoints to help figure out how code you find operates. I've used it to at least as much success as I've used the Hook_log debuggers, only this was more boring because I didn't have to fight with the emulator as much.<br />
<br />
You can use a combination of Breakpoints and Log Files to debug games.<br />
<br />
Breakpoints have their own management window, or you can right click lines in the debugger.<br />
<br />
To use the log files effectively, you should focus on a single byte with a known effect, get to about where the setting you're looking for will change, go to the Debugger > Debugger menu, enable it if needed, then click the Clear Log button if you want a fresh start, and the Log button to start logging. Get the thing changed that you want, and then look under the DebugLogs folder for the game you're working on, and search the text logs for the address you want to check, whether it's the execution address by some chance or the memory address. Breakpoints and Logging work well together to discover the execution path to a piece of code.<br />
<br />
It's not as exceedingly simple as some other debuggers, but it's quite useful, and it's my first choice for hacking Game Gear as well as SMS.<br />
<br />
==Master System==<br />
===Emukon===<br />
See Game Gear section: [[#Emukon]]<br />
<br />
==Gameboy Advance==<br />
===Visual Boy Advance Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/340/ here].<br />
<br />
This emulator uses the Hook Log system. Those familiar with the hook_log Genesis or N64 emulators should have little trouble adapting to this system.<br />
<br />
Note that it has also been used to good effect for a small number of gameboy games that BGB doesn't support. [[Ugetab]] used this for GBS ripping, but with full code logging, and a save-state near when something changes, you could just as effectively search for a memory address in trace.log. Mind that while GB assembly doesn't pile up as quickly as GBA or N64, and it is still necessary to be relatively close to the change before activating logging, if you don't want to have to use a special text editor to open an enormous log file. <br />
<br />
===Visual Boy Advance===<br />
This emulator can be found at [http://vba.ngemu.com/downloads.shtml this address].<br />
<br />
Windows - SDL is required. Unfortunately, no cheat device exists that can change the assembly, so hacking it is more a matter of patching the ROM, and less a matter of using it for simple cheats. Not documented.<br />
<br />
==Playstation==<br />
===PCSX 1.5 With Debugger===<br />
This emulator is available [http://www.romhacking.net/utils/267/ here].<br />
<br />
Press F11 to enter the debugger. On-screen aids should be apparent.<br />
<br />
===PSX===<br />
This emulator can be found at [http://www.romhacking.net/utils/311/ this address].<br />
<br />
This can be a decent debugging alternative if a game doesn't work well in the above emulator.<br />
<br />
===PCSX Agemo debugger===<br />
This emulator can be found [http://www.romhacking.net/utils/475/ here].<br />
<br />
It could be favorable for some tasks, compared to the other debuggers.<br />
<br />
==N64==<br />
===Nemu64===<br />
This emulator can be found [http://www.emulator-zone.com/doc.php/n64/nemu64.html here]<br />
<br />
Setting execution breakpoints<br><br />
Plugins>Debugger: Commands...<br><br />
To set a break on execution, go to the line that you want to break on, and click in the vertical bar to the left(<) of the address you want to breakpoint.<br />
<br />
Setting breakpoints in RAM<br><br />
Plugins>Debugger: Memory...<br><br />
Enable the read and/or write check boxes, and right-click the memory space you want to set, unset, or change an access breakpoint on.<br />
<br />
Some games don't run in Nemu, so you may have to switch to this hook_log based emulator if you want the codes. The 1964 tracer can be useful, which is available [http://www.romhacking.net/utils/335/ here].<br />
<br />
The hook_log system is a little bit more demanding to use than a visual debugger, but with compatibility issues, it's better than lucky to have a second usable debugging emulator. The save-states can be decompressed, and loaded in their decompressed form if needed<br />
<br />
An issue with this emulator is that not all instructions are logged, but it's still worth knowing about for the fact that many instructions are logged, and it can be used with write logging.<br />
<br />
===Project64 debug build binary===<br />
This emulator can be found [http://www.thegshi.org/downloads/Project64%20Build%2052%20Debug%20Binary.zip here].<br />
<br />
This version of the emulator has better support for games than Nemu64, and Ugetab used this tool in combination with nemu64 to edit USFs, as well as make a few codes that people using only a single emulation tool were having extremely hard struggles with.<br />
<br />
==Saturn==<br />
===Yabause===<br />
This emulator can be found [http://www.romhacking.net/utils/482/ here].<br />
<br />
This is one of the few Saturn emulators out there.<br />
<br />
==Wonder Swan==<br />
===Cygne Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/244/ here].<br />
<br />
A decent Tracing program.<br />
<br />
===Oswan Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/338/ here].<br />
<br />
This is just another hook-log tracer.<br />
<br />
==Playstation 2==<br />
[The current author is too lazy to write this, but will get around to it later if no one else does]<br />
<br />
[[Category:Hacking and Game Info]]</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Assembly_Hacking&diff=4396Assembly Hacking2009-08-26T01:44:02Z<p>Ugetab: Added PC Engine/TG16 Debugger Info (Thinking of making some HES rips)</p>
<hr />
<div>Assembly hacking is the art of editing a compiled program. Without the source code, and without notes from the source code, one has to deduce almost everything about the underlying code, and how it works with RAM.<br />
<br />
There are several emulators that can aid one in creating a modification for a game. Games for console systems fall into the category of compiled programs, and generally, the source code is unavailable for these games.<br />
<br />
The use of making an assembly hack for a game can be found with the Nintendo Entertainment System (NES) [[Game Genie]].<br />
<br />
The codes that are entered into an NES Game Genie represent single-byte assembly hacks. Any assembly hack that could be done with a change of 3 bytes or less is possible to implement with a single Game Genie. The SNES Game Genie allows up to 5 codes, and 5 bytes of change. While this makes the possible usage of codes very limiting, it didn't prevent single-byte invincibility and infinite lives codes from appearing that could make it unnecessary to use additional codes.<br />
<br />
For more modern assembly hacking of the same systems, emulators that support 50 or more codes for any given game aren't uncommon. The ROMs have been turned into files that can be patched with all the changes needed to give the game a script in a new language. Emulators that aid in the process of making assembly hacks have appeared for many different emulated systems. The effect is that more people are now capable of starting their own projects, and existing projects can be modified and/or repaired more easily.<br />
<br />
=Emulators=<br />
<br />
==NES==<br />
===FCEU===<br />
[http://www.the-interweb.com/serendipity/index.php?/categories/9-FCEUXD-SP FCEUXDSP] is the result of a emulator first developed by Parasyte called FCEUD, which was then picked up by bbitmaster and renamed to FCEUXD, and finally adopted as FCEUXD SP.<br />
<br />
====Setting breakpoints in ROM/RAM====<br />
Tools>Debug<br />
<br />
In the breakpoint window, 'Add' the Executable address or Memory address you want.<br><br />
ROM is 8000-FFFF<br><br />
RAM is 0000-07FF, 6000-7FFF<br><br />
0800-3FFF is mirrored from some part of RAM.<br><br />
4000-4015 can be breakpointed if working on an NSF. If you want to use this to deal with NSFs, try Ugetabs [http://www.angelfire.com/nc/ugetab edited version], which tends to play nicer with them<br />
<br />
'Hex Editor' is a memory viewer/modifier.<br />
<br />
==SNES==<br />
===Geiger's SNES9X Debugger===<br />
This emulator can be found at [http://geigercount.net/crypt/ Geiger's Crypt] and [http://www.zophar.net/snes/geiger-s-snes9x-debugger.html Zophar's Domain - Geiger’s Snes9x Debugger].<br />
<br />
====Setting breakpoints in ROM/RAM====<br />
Open ROM, Click 'Breakpoints'<br><br />
In the breakpoint window, enter the Executable address or Memory address you want.<br><br />
Standard RAM: 7E0000 - 7FFFFF<br><br />
SA1 RAM: 400000-407FFF, 303000-303FFF<br><br />
HiROM - C00000 - FFFFFF<br><br />
LoROM - 808000-BFFFFF (**0000 - **7FFF doesn't exist)<br />
<br />
If you use the [[SA1]] logger with an SA1-using game, and wish to find an address that changed an address in RAM, you can see if the conversion chart on the [[SA1]] page shows you the address to search for in the log file.<br />
<br />
===FuSoYa's SNES9X SuperFX Instruction Logger===<br />
This emulator can be found [http://www.gshi.org/downloads/snes9x1.43-FuSoYa-SFX_B2.zip here].<br />
<br />
This emulator allows you to log SuperFX instructions being used by the emulator.<br />
<br />
Press the NumLock button to start/stop logging.<br />
<br />
Instructions will be logged to sfx_trace.txt, in the folder with the emulator.<br />
<br />
Here's an example on how to interpret the results:<br><br />
00:e834 40 ldw (r0) r0=$0058 SRAM=00:5AAE<br><br />
00:e835 64 sub r4 r0=$0055 CY=1<br />
<br />
First line Loads Word (SRAM=00:5AAE) to (r0). In Geiger's SNES9X Debugger, this is address 705AAE in the RAM viewer. In ZSNES, you can find this in a save-state at 0x4127F + 0x5AAE (= 0x46D2D). The result of this operation is on the same line.<br />
<br />
Second line subtracts (r4) from (r0). This next result is on the same line as well. This can be coded out to give you Infinite Health in Doom, but it won't work as a Game Genie code. The file address would be either 6835 or 6A35. Only one address of those 2 will be 0x64.<br />
<br />
==Genesis==<br />
<br />
===Regen Debugger Build===<br />
This emulator can be found [http://aamirm.hacking-cult.org/ here]<br />
<br />
Backup: [http://www.gshi.org/downloads/Regen095D.zip Regen 0.95 Debugger]<br />
<br />
If you've used FCEUXDSP, Geiger's Snes9x, BGB, Nemu08, pSX, or pretty much any other active debugger, you'll realize that this is along the same lines of those debuggers. This is certainly what Genesis hackers have been waiting for when it comes to a user friendly debugger.<br />
<br />
It runs Genesis, Game Gear, and SMS files, but only debugs Genesis at the moment. Use [[#Emukon]] if you want to hack Game Gear or SMS.<br />
<br />
===Gens Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/337/ here].<br />
<br />
No breakpoints, but adequate tracing. A guide has been written on the specific usage of the emulator.<br />
<br />
The idea is that you can trace-log writes to and reads from memory, and you can also log all commands, and determine what's happening from the full log, by using what you find from the hook logging.<br />
<br />
===HazeMD===<br />
This emulator can be found at [http://haze.mameworld.info/ this address].<br />
<br />
This emulator is harder to get setup to use a ROM, but comes with a MAME-style debugger. MAME's debugger is well known for being so powerful, considering the number of systems it can be used with when compiled into a build of MAME. The Gens tracer tends to have slightly better compatibility, while the HazeMD emulator has more potential for cheat codes, already having a Cheat system designed to handle multiple CPUs, which could be used for 32x game ROM hacks, and RAM hacks.<br />
<br />
==Gameboy==<br />
===BGB===<br />
This emulator can be found [http://bgb.bircd.org/ here]<br />
<br />
Load a ROM, and right-click the screen.<br><br />
Other>debug mode enabled: to enable debugging<br><br />
Other>debugger to enter the debugger<br><br />
<br />
Setting breakpoints in ROM/RAM<br><br />
In the debugger window:<br><br />
Debug>breakpoints for execution breakpoints<br><br />
Debug>access breakpoints for read/write breaks.<br><br />
<br />
===Visual Boy Advance Tracer===<br />
See [[#Visual_Boy_Advance_Tracer_2]]<br />
<br />
==PC Engine / Turbo-Grafx 16==<br />
===Mednafen===<br />
This emulator can be found [http://mednafen.sourceforge.net/ here]<br />
<br />
Esc = Exit Mednafen (Careful about it)<br />
<br />
To use F12 to quit, and not the ESC key, edit this in mednafen.cfg:<br><br />
----<br />
";Exit"<br><br />
"command.exit keyboard 293~keyboard 27"<br><br />
----<br />
To this:<br><br />
----<br />
";Exit"<br><br />
"command.exit keyboard 293~keyboard 123"<br><br />
----<br />
<br />
F5 = Save State<br><br />
F7 = Load State<br><br />
0-9 = Select Save Slot<br />
<br />
Alt + D = Toggle Debugger<br />
<br />
In Debugger:<br><br />
Alt+1 = CPU debugger view<br><br />
Alt+3 = Memory editor<br><br />
R = Run<br><br />
S = Step<br><br />
Return = Goto Address(If on code)/Edit(If on register)<br><br />
Shift + Return = Edit watch address<br><br />
Shift + R = Edit Read Breakpoints<br><br />
Shift + W = Edit write breakpoints<br><br />
Shift + O = Opcode Breakpoints<br />
<br />
See included Debugger.html file for complete command list<br />
<br />
==Game Gear==<br />
===Emukon===<br />
This emulator can be found [http://emukon.kontechs.de/ here].<br />
<br />
Backup: [http://www.gshi.org/downloads/Emukon105.zip Emukon 1.05]<br />
<br />
This is basically a friendlier style of Logging Debugger the way I tend to use it, with Breakpoints to help figure out how code you find operates. I've used it to at least as much success as I've used the Hook_log debuggers, only this was more boring because I didn't have to fight with the emulator as much.<br />
<br />
You can use a combination of Breakpoints and Log Files to debug games.<br />
<br />
Breakpoints have their own management window, or you can right click lines in the debugger.<br />
<br />
To use the log files effectively, you should focus on a single byte with a known effect, get to about where the setting you're looking for will change, go to the Debugger > Debugger menu, enable it if needed, then click the Clear Log button if you want a fresh start, and the Log button to start logging. Get the thing changed that you want, and then look under the DebugLogs folder for the game you're working on, and search the text logs for the address you want to check, whether it's the execution address by some chance or the memory address. Breakpoints and Logging work well together to discover the execution path to a piece of code.<br />
<br />
It's not as exceedingly simple as some other debuggers, but it's quite useful, and it's my first choice for hacking Game Gear as well as SMS.<br />
<br />
==Master System==<br />
===Emukon===<br />
See Game Gear section: [[#Emukon]]<br />
<br />
==Gameboy Advance==<br />
===Visual Boy Advance Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/340/ here].<br />
<br />
This emulator uses the Hook Log system. Those familiar with the hook_log Genesis or N64 emulators should have little trouble adapting to this system.<br />
<br />
Note that it has also been used to good effect for a small number of gameboy games that BGB doesn't support. [[Ugetab]] used this for GBS ripping, but with full code logging, and a save-state near when something changes, you could just as effectively search for a memory address in trace.log. Mind that while GB assembly doesn't pile up as quickly as GBA or N64, and it is still necessary to be relatively close to the change before activating logging, if you don't want to have to use a special text editor to open an enormous log file. <br />
<br />
===Visual Boy Advance===<br />
This emulator can be found at [http://vba.ngemu.com/downloads.shtml this address].<br />
<br />
Windows - SDL is required. Unfortunately, no cheat device exists that can change the assembly, so hacking it is more a matter of patching the ROM, and less a matter of using it for simple cheats. Not documented.<br />
<br />
==Playstation==<br />
===PCSX 1.5 With Debugger===<br />
This emulator is available [http://www.romhacking.net/utils/267/ here].<br />
<br />
Press F11 to enter the debugger. On-screen aids should be apparent.<br />
<br />
===PSX===<br />
This emulator can be found at [http://www.romhacking.net/utils/311/ this address].<br />
<br />
This can be a decent debugging alternative if a game doesn't work well in the above emulator.<br />
<br />
===PCSX Agemo debugger===<br />
This emulator can be found [http://www.romhacking.net/utils/475/ here].<br />
<br />
It could be favorable for some tasks, compared to the other debuggers.<br />
<br />
==N64==<br />
===Nemu64===<br />
This emulator can be found [http://www.emulator-zone.com/doc.php/n64/nemu64.html here]<br />
<br />
Setting execution breakpoints<br><br />
Plugins>Debugger: Commands...<br><br />
To set a break on execution, go to the line that you want to break on, and click in the vertical bar to the left(<) of the address you want to breakpoint.<br />
<br />
Setting breakpoints in RAM<br><br />
Plugins>Debugger: Memory...<br><br />
Enable the read and/or write check boxes, and right-click the memory space you want to set, unset, or change an access breakpoint on.<br />
<br />
Some games don't run in Nemu, so you may have to switch to this hook_log based emulator if you want the codes. The 1964 tracer can be useful, which is available [http://www.romhacking.net/utils/335/ here].<br />
<br />
The hook_log system is a little bit more demanding to use than a visual debugger, but with compatibility issues, it's better than lucky to have a second usable debugging emulator. The save-states can be decompressed, and loaded in their decompressed form if needed<br />
<br />
An issue with this emulator is that not all instructions are logged, but it's still worth knowing about for the fact that many instructions are logged, and it can be used with write logging.<br />
<br />
===Project64 debug build binary===<br />
This emulator can be found [http://www.thegshi.org/downloads/Project64%20Build%2052%20Debug%20Binary.zip here].<br />
<br />
This version of the emulator has better support for games than Nemu64, and Ugetab used this tool in combination with nemu64 to edit USFs, as well as make a few codes that people using only a single emulation tool were having extremely hard struggles with.<br />
<br />
==Saturn==<br />
===Yabause===<br />
This emulator can be found [http://www.romhacking.net/utils/482/ here].<br />
<br />
This is one of the few Saturn emulators out there.<br />
<br />
==Wonder Swan==<br />
===Cygne Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/244/ here].<br />
<br />
A decent Tracing program.<br />
<br />
===Oswan Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/338/ here].<br />
<br />
This is just another hook-log tracer.<br />
<br />
==Playstation 2==<br />
[The current author is too lazy to write this, but will get around to it later if no one else does]<br />
<br />
[[Category:Hacking and Game Info]]</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Assembly_Hacking&diff=4393Assembly Hacking2009-08-09T23:18:54Z<p>Ugetab: /* SNES */ - SuperFX logging emulator added</p>
<hr />
<div>Assembly hacking is the art of editing a compiled program. Without the source code, and without notes from the source code, one has to deduce almost everything about the underlying code, and how it works with RAM.<br />
<br />
There are several emulators that can aid one in creating a modification for a game. Games for console systems fall into the category of compiled programs, and generally, the source code is unavailable for these games.<br />
<br />
The use of making an assembly hack for a game can be found with the Nintendo Entertainment System (NES) [[Game Genie]].<br />
<br />
The codes that are entered into an NES Game Genie represent single-byte assembly hacks. Any assembly hack that could be done with a change of 3 bytes or less is possible to implement with a single Game Genie. The SNES Game Genie allows up to 5 codes, and 5 bytes of change. While this makes the possible usage of codes very limiting, it didn't prevent single-byte invincibility and infinite lives codes from appearing that could make it unnecessary to use additional codes.<br />
<br />
For more modern assembly hacking of the same systems, emulators that support 50 or more codes for any given game aren't uncommon. The ROMs have been turned into files that can be patched with all the changes needed to give the game a script in a new language. Emulators that aid in the process of making assembly hacks have appeared for many different emulated systems. The effect is that more people are now capable of starting their own projects, and existing projects can be modified and/or repaired more easily.<br />
<br />
=Emulators=<br />
<br />
==NES==<br />
===FCEU===<br />
[http://www.the-interweb.com/serendipity/index.php?/categories/9-FCEUXD-SP FCEUXDSP] is the result of a emulator first developed by Parasyte called FCEUD, which was then picked up by bbitmaster and renamed to FCEUXD, and finally adopted as FCEUXD SP.<br />
<br />
====Setting breakpoints in ROM/RAM====<br />
Tools>Debug<br />
<br />
In the breakpoint window, 'Add' the Executable address or Memory address you want.<br><br />
ROM is 8000-FFFF<br><br />
RAM is 0000-07FF, 6000-7FFF<br><br />
0800-3FFF is mirrored from some part of RAM.<br><br />
4000-4015 can be breakpointed if working on an NSF. If you want to use this to deal with NSFs, try Ugetabs [http://www.angelfire.com/nc/ugetab edited version], which tends to play nicer with them<br />
<br />
'Hex Editor' is a memory viewer/modifier.<br />
<br />
==SNES==<br />
===Geiger's SNES9X Debugger===<br />
This emulator can be found at [http://geigercount.net/crypt/ Geiger's Crypt] and [http://www.zophar.net/snes/geiger-s-snes9x-debugger.html Zophar's Domain - Geiger’s Snes9x Debugger].<br />
<br />
====Setting breakpoints in ROM/RAM====<br />
Open ROM, Click 'Breakpoints'<br><br />
In the breakpoint window, enter the Executable address or Memory address you want.<br><br />
Standard RAM: 7E0000 - 7FFFFF<br><br />
SA1 RAM: 400000-407FFF, 303000-303FFF<br><br />
HiROM - C00000 - FFFFFF<br><br />
LoROM - 808000-BFFFFF (**0000 - **7FFF doesn't exist)<br />
<br />
If you use the [[SA1]] logger with an SA1-using game, and wish to find an address that changed an address in RAM, you can see if the conversion chart on the [[SA1]] page shows you the address to search for in the log file.<br />
<br />
===FuSoYa's SNES9X SuperFX Instruction Logger===<br />
This emulator can be found [http://www.gshi.org/downloads/snes9x1.43-FuSoYa-SFX_B2.zip here].<br />
<br />
This emulator allows you to log SuperFX instructions being used by the emulator.<br />
<br />
Press the NumLock button to start/stop logging.<br />
<br />
Instructions will be logged to sfx_trace.txt, in the folder with the emulator.<br />
<br />
Here's an example on how to interpret the results:<br><br />
00:e834 40 ldw (r0) r0=$0058 SRAM=00:5AAE<br><br />
00:e835 64 sub r4 r0=$0055 CY=1<br />
<br />
First line Loads Word (SRAM=00:5AAE) to (r0). In Geiger's SNES9X Debugger, this is address 705AAE in the RAM viewer. In ZSNES, you can find this in a save-state at 0x4127F + 0x5AAE (= 0x46D2D). The result of this operation is on the same line.<br />
<br />
Second line subtracts (r4) from (r0). This next result is on the same line as well. This can be coded out to give you Infinite Health in Doom, but it won't work as a Game Genie code. The file address would be either 6835 or 6A35. Only one address of those 2 will be 0x64.<br />
<br />
==Genesis==<br />
<br />
===Regen Debugger Build===<br />
This emulator can be found [http://aamirm.hacking-cult.org/ here]<br />
<br />
Backup: [http://www.gshi.org/downloads/Regen095D.zip Regen 0.95 Debugger]<br />
<br />
If you've used FCEUXDSP, Geiger's Snes9x, BGB, Nemu08, pSX, or pretty much any other active debugger, you'll realize that this is along the same lines of those debuggers. This is certainly what Genesis hackers have been waiting for when it comes to a user friendly debugger.<br />
<br />
It runs Genesis, Game Gear, and SMS files, but only debugs Genesis at the moment. Use [[#Emukon]] if you want to hack Game Gear or SMS.<br />
<br />
===Gens Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/337/ here].<br />
<br />
No breakpoints, but adequate tracing. A guide has been written on the specific usage of the emulator.<br />
<br />
The idea is that you can trace-log writes to and reads from memory, and you can also log all commands, and determine what's happening from the full log, by using what you find from the hook logging.<br />
<br />
===HazeMD===<br />
This emulator can be found at [http://haze.mameworld.info/ this address].<br />
<br />
This emulator is harder to get setup to use a ROM, but comes with a MAME-style debugger. MAME's debugger is well known for being so powerful, considering the number of systems it can be used with when compiled into a build of MAME. The Gens tracer tends to have slightly better compatibility, while the HazeMD emulator has more potential for cheat codes, already having a Cheat system designed to handle multiple CPUs, which could be used for 32x game ROM hacks, and RAM hacks.<br />
<br />
==Gameboy==<br />
===BGB===<br />
This emulator can be found [http://bgb.bircd.org/ here]<br />
<br />
Load a ROM, and right-click the screen.<br><br />
Other>debug mode enabled: to enable debugging<br><br />
Other>debugger to enter the debugger<br><br />
<br />
Setting breakpoints in ROM/RAM<br><br />
In the debugger window:<br><br />
Debug>breakpoints for execution breakpoints<br><br />
Debug>access breakpoints for read/write breaks.<br><br />
<br />
===Visual Boy Advance Tracer===<br />
See [[#Visual_Boy_Advance_Tracer_2]]<br />
<br />
==Game Gear==<br />
===Emukon===<br />
This emulator can be found [http://emukon.kontechs.de/ here].<br />
<br />
Backup: [http://www.gshi.org/downloads/Emukon105.zip Emukon 1.05]<br />
<br />
This is basically a friendlier style of Logging Debugger the way I tend to use it, with Breakpoints to help figure out how code you find operates. I've used it to at least as much success as I've used the Hook_log debuggers, only this was more boring because I didn't have to fight with the emulator as much.<br />
<br />
You can use a combination of Breakpoints and Log Files to debug games.<br />
<br />
Breakpoints have their own management window, or you can right click lines in the debugger.<br />
<br />
To use the log files effectively, you should focus on a single byte with a known effect, get to about where the setting you're looking for will change, go to the Debugger > Debugger menu, enable it if needed, then click the Clear Log button if you want a fresh start, and the Log button to start logging. Get the thing changed that you want, and then look under the DebugLogs folder for the game you're working on, and search the text logs for the address you want to check, whether it's the execution address by some chance or the memory address. Breakpoints and Logging work well together to discover the execution path to a piece of code.<br />
<br />
It's not as exceedingly simple as some other debuggers, but it's quite useful, and it's my first choice for hacking Game Gear as well as SMS.<br />
<br />
==Master System==<br />
===Emukon===<br />
See Game Gear section: [[#Emukon]]<br />
<br />
==Gameboy Advance==<br />
===Visual Boy Advance Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/340/ here].<br />
<br />
This emulator uses the Hook Log system. Those familiar with the hook_log Genesis or N64 emulators should have little trouble adapting to this system.<br />
<br />
Note that it has also been used to good effect for a small number of gameboy games that BGB doesn't support. [[Ugetab]] used this for GBS ripping, but with full code logging, and a save-state near when something changes, you could just as effectively search for a memory address in trace.log. Mind that while GB assembly doesn't pile up as quickly as GBA or N64, and it is still necessary to be relatively close to the change before activating logging, if you don't want to have to use a special text editor to open an enormous log file. <br />
<br />
===Visual Boy Advance===<br />
This emulator can be found at [http://vba.ngemu.com/downloads.shtml this address].<br />
<br />
Windows - SDL is required. Unfortunately, no cheat device exists that can change the assembly, so hacking it is more a matter of patching the ROM, and less a matter of using it for simple cheats. Not documented.<br />
<br />
==Playstation==<br />
===PCSX 1.5 With Debugger===<br />
This emulator is available [http://www.romhacking.net/utils/267/ here].<br />
<br />
Press F11 to enter the debugger. On-screen aids should be apparent.<br />
<br />
===PSX===<br />
This emulator can be found at [http://www.romhacking.net/utils/311/ this address].<br />
<br />
This can be a decent debugging alternative if a game doesn't work well in the above emulator.<br />
<br />
===PCSX Agemo debugger===<br />
This emulator can be found [http://www.romhacking.net/utils/475/ here].<br />
<br />
It could be favorable for some tasks, compared to the other debuggers.<br />
<br />
==N64==<br />
===Nemu64===<br />
This emulator can be found [http://www.emulator-zone.com/doc.php/n64/nemu64.html here]<br />
<br />
Setting execution breakpoints<br><br />
Plugins>Debugger: Commands...<br><br />
To set a break on execution, go to the line that you want to break on, and click in the vertical bar to the left(<) of the address you want to breakpoint.<br />
<br />
Setting breakpoints in RAM<br><br />
Plugins>Debugger: Memory...<br><br />
Enable the read and/or write check boxes, and right-click the memory space you want to set, unset, or change an access breakpoint on.<br />
<br />
Some games don't run in Nemu, so you may have to switch to this hook_log based emulator if you want the codes. The 1964 tracer can be useful, which is available [http://www.romhacking.net/utils/335/ here].<br />
<br />
The hook_log system is a little bit more demanding to use than a visual debugger, but with compatibility issues, it's better than lucky to have a second usable debugging emulator. The save-states can be decompressed, and loaded in their decompressed form if needed<br />
<br />
An issue with this emulator is that not all instructions are logged, but it's still worth knowing about for the fact that many instructions are logged, and it can be used with write logging.<br />
<br />
===Project64 debug build binary===<br />
This emulator can be found [http://www.thegshi.org/downloads/Project64%20Build%2052%20Debug%20Binary.zip here].<br />
<br />
This version of the emulator has better support for games than Nemu64, and Ugetab used this tool in combination with nemu64 to edit USFs, as well as make a few codes that people using only a single emulation tool were having extremely hard struggles with.<br />
<br />
==Saturn==<br />
===Yabause===<br />
This emulator can be found [http://www.romhacking.net/utils/482/ here].<br />
<br />
This is one of the few Saturn emulators out there.<br />
<br />
==Wonder Swan==<br />
===Cygne Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/244/ here].<br />
<br />
A decent Tracing program.<br />
<br />
===Oswan Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/338/ here].<br />
<br />
This is just another hook-log tracer.<br />
<br />
==Playstation 2==<br />
[The current author is too lazy to write this, but will get around to it later if no one else does]<br />
<br />
[[Category:Hacking and Game Info]]</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Assembly_Hacking&diff=4329Assembly Hacking2009-06-15T00:35:18Z<p>Ugetab: Visual Boy Tracer link added, spelling</p>
<hr />
<div>Assembly hacking is the art of editing a compiled program. Without the source code, and without notes from the source code, one has to deduce almost everything about the underlying code, and how it works with RAM.<br />
<br />
There are several emulators that can aid one in creating a modification for a game. Games for console systems fall into the category of compiled programs, and generally, the source code is unavailable for these games.<br />
<br />
The use of making an assembly hack for a game can be found with the Nintendo Entertainment System (NES) [[Game Genie]].<br />
<br />
The codes that are entered into an NES Game Genie represent single-byte assembly hacks. Any assembly hack that could be done with a change of 3 bytes or less is possible to implement with a single Game Genie. The SNES Game Genie allows up to 5 codes, and 5 bytes of change. While this makes the possible usage of codes very limiting, it didn't prevent single-byte invincibility and infinite lives codes from appearing that could make it unnecessary to use additional codes.<br />
<br />
For more modern assembly hacking of the same systems, emulators that support 50 or more codes for any given game aren't uncommon. The ROMs have been turned into files that can be patched with all the changes needed to give the game a script in a new language. Emulators that aid in the process of making assembly hacks have appeared for many different emulated systems. The effect is that more people are now capable of starting their own projects, and existing projects can be modified and/or repaired more easily.<br />
<br />
=Emulators=<br />
<br />
==NES==<br />
===FCEU===<br />
[http://www.the-interweb.com/serendipity/index.php?/categories/9-FCEUXD-SP FCEUXDSP] is the result of a emulator first developed by Parasyte called FCEUD, which was then picked up by bbitmaster and renamed to FCEUXD, and finally adopted as FCEUXD SP.<br />
<br />
====Setting breakpoints in ROM/RAM====<br />
Tools>Debug<br />
<br />
In the breakpoint window, 'Add' the Executable address or Memory address you want.<br><br />
ROM is 8000-FFFF<br><br />
RAM is 0000-07FF, 6000-7FFF<br><br />
0800-3FFF is mirrored from some part of RAM.<br><br />
4000-4015 can be breakpointed if working on an NSF. If you want to use this to deal with NSFs, try Ugetabs [http://www.angelfire.com/nc/ugetab edited version], which tends to play nicer with them<br />
<br />
'Hex Editor' is a memory viewer/modifier.<br />
<br />
==SNES==<br />
===Geiger's SNES9X Debugger===<br />
This emulator can be found at [http://geigercount.net/crypt/ Geiger's Crypt] and [http://www.zophar.net/snes/geiger-s-snes9x-debugger.html Zophar's Domain - Geiger’s Snes9x Debugger].<br />
<br />
====Setting breakpoints in ROM/RAM====<br />
Open ROM, Click 'Breakpoints'<br><br />
In the breakpoint window, enter the Executable address or Memory address you want.<br><br />
Standard RAM: 7E0000 - 7FFFFF<br><br />
SA1 RAM: 400000-407FFF, 303000-303FFF<br><br />
HiROM - C00000 - FFFFFF<br><br />
LoROM - 808000-BFFFFF (**0000 - **7FFF doesn't exist)<br />
<br />
If you use the [[SA1]] logger with an SA1-using game, and wish to find an address that changed an address in RAM, you can see if the conversion chart on the [[SA1]] page shows you the address to search for in the log file.<br />
<br />
==Genesis==<br />
<br />
===Regen Debugger Build===<br />
This emulator can be found [http://aamirm.hacking-cult.org/ here]<br />
<br />
Backup: [http://www.gshi.org/downloads/Regen095D.zip Regen 0.95 Debugger]<br />
<br />
If you've used FCEUXDSP, Geiger's Snes9x, BGB, Nemu08, pSX, or pretty much any other active debugger, you'll realize that this is along the same lines of those debuggers. This is certainly what Genesis hackers have been waiting for when it comes to a user friendly debugger.<br />
<br />
It runs Genesis, Game Gear, and SMS files, but only debugs Genesis at the moment. Use [[#Emukon]] if you want to hack Game Gear or SMS.<br />
<br />
===Gens Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/337/ here].<br />
<br />
No breakpoints, but adequate tracing. A guide has been written on the specific usage of the emulator.<br />
<br />
The idea is that you can trace-log writes to and reads from memory, and you can also log all commands, and determine what's happening from the full log, by using what you find from the hook logging.<br />
<br />
===HazeMD===<br />
This emulator can be found at [http://haze.mameworld.info/ this address].<br />
<br />
This emulator is harder to get setup to use a ROM, but comes with a MAME-style debugger. MAME's debugger is well known for being so powerful, considering the number of systems it can be used with when compiled into a build of MAME. The Gens tracer tends to have slightly better compatibility, while the HazeMD emulator has more potential for cheat codes, already having a Cheat system designed to handle multiple CPUs, which could be used for 32x game ROM hacks, and RAM hacks.<br />
<br />
==Gameboy==<br />
===BGB===<br />
This emulator can be found [http://bgb.bircd.org/ here]<br />
<br />
Load a ROM, and right-click the screen.<br><br />
Other>debug mode enabled: to enable debugging<br><br />
Other>debugger to enter the debugger<br><br />
<br />
Setting breakpoints in ROM/RAM<br><br />
In the debugger window:<br><br />
Debug>breakpoints for execution breakpoints<br><br />
Debug>access breakpoints for read/write breaks.<br><br />
<br />
===Visual Boy Advance Tracer===<br />
See [[#Visual_Boy_Advance_Tracer_2]]<br />
<br />
==Game Gear==<br />
===Emukon===<br />
This emulator can be found [http://emukon.kontechs.de/ here].<br />
<br />
Backup: [http://www.gshi.org/downloads/Emukon105.zip Emukon 1.05]<br />
<br />
This is basically a friendlier style of Logging Debugger the way I tend to use it, with Breakpoints to help figure out how code you find operates. I've used it to at least as much success as I've used the Hook_log debuggers, only this was more boring because I didn't have to fight with the emulator as much.<br />
<br />
You can use a combination of Breakpoints and Log Files to debug games.<br />
<br />
Breakpoints have their own management window, or you can right click lines in the debugger.<br />
<br />
To use the log files effectively, you should focus on a single byte with a known effect, get to about where the setting you're looking for will change, go to the Debugger > Debugger menu, enable it if needed, then click the Clear Log button if you want a fresh start, and the Log button to start logging. Get the thing changed that you want, and then look under the DebugLogs folder for the game you're working on, and search the text logs for the address you want to check, whether it's the execution address by some chance or the memory address. Breakpoints and Logging work well together to discover the execution path to a piece of code.<br />
<br />
It's not as exceedingly simple as some other debuggers, but it's quite useful, and it's my first choice for hacking Game Gear as well as SMS.<br />
<br />
==Master System==<br />
===Emukon===<br />
See Game Gear section: [[#Emukon]]<br />
<br />
==Gameboy Advance==<br />
===Visual Boy Advance Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/340/ here].<br />
<br />
This emulator uses the Hook Log system. Those familiar with the hook_log Genesis or N64 emulators should have little trouble adapting to this system.<br />
<br />
Note that it has also been used to good effect for a small number of gameboy games that BGB doesn't support. [[Ugetab]] used this for GBS ripping, but with full code logging, and a save-state near when something changes, you could just as effectively search for a memory address in trace.log. Mind that while GB assembly doesn't pile up as quickly as GBA or N64, and it is still necessary to be relatively close to the change before activating logging, if you don't want to have to use a special text editor to open an enormous log file. <br />
<br />
===Visual Boy Advance===<br />
This emulator can be found at [http://vba.ngemu.com/downloads.shtml this address].<br />
<br />
Windows - SDL is required. Unfortunately, no cheat device exists that can change the assembly, so hacking it is more a matter of patching the ROM, and less a matter of using it for simple cheats. Not documented.<br />
<br />
==Playstation==<br />
===PCSX 1.5 With Debugger===<br />
This emulator is available [http://www.romhacking.net/utils/267/ here].<br />
<br />
Press F11 to enter the debugger. On-screen aids should be apparent.<br />
<br />
===PSX===<br />
This emulator can be found at [http://www.romhacking.net/utils/311/ this address].<br />
<br />
This can be a decent debugging alternative if a game doesn't work well in the above emulator.<br />
<br />
===PCSX Agemo debugger===<br />
This emulator can be found [http://www.romhacking.net/utils/475/ here].<br />
<br />
It could be favorable for some tasks, compared to the other debuggers.<br />
<br />
==N64==<br />
===Nemu64===<br />
This emulator can be found [http://www.emulator-zone.com/doc.php/n64/nemu64.html here]<br />
<br />
Setting execution breakpoints<br><br />
Plugins>Debugger: Commands...<br><br />
To set a break on execution, go to the line that you want to break on, and click in the vertical bar to the left(<) of the address you want to breakpoint.<br />
<br />
Setting breakpoints in RAM<br><br />
Plugins>Debugger: Memory...<br><br />
Enable the read and/or write check boxes, and right-click the memory space you want to set, unset, or change an access breakpoint on.<br />
<br />
Some games don't run in Nemu, so you may have to switch to this hook_log based emulator if you want the codes. The 1964 tracer can be useful, which is available [http://www.romhacking.net/utils/335/ here].<br />
<br />
The hook_log system is a little bit more demanding to use than a visual debugger, but with compatibility issues, it's better than lucky to have a second usable debugging emulator. The save-states can be decompressed, and loaded in their decompressed form if needed<br />
<br />
An issue with this emulator is that not all instructions are logged, but it's still worth knowing about for the fact that many instructions are logged, and it can be used with write logging.<br />
<br />
===Project64 debug build binary===<br />
This emulator can be found [http://www.thegshi.org/downloads/Project64%20Build%2052%20Debug%20Binary.zip here].<br />
<br />
This version of the emulator has better support for games than Nemu64, and Ugetab used this tool in combination with nemu64 to edit USFs, as well as make a few codes that people using only a single emulation tool were having extremely hard struggles with.<br />
<br />
==Saturn==<br />
===Yabause===<br />
This emulator can be found [http://www.romhacking.net/utils/482/ here].<br />
<br />
This is one of the few Saturn emulators out there.<br />
<br />
==Wonder Swan==<br />
===Cygne Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/244/ here].<br />
<br />
A decent Tracing program.<br />
<br />
===Oswan Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/338/ here].<br />
<br />
This is just another hook-log tracer.<br />
<br />
==Playstation 2==<br />
[The current author is too lazy to write this, but will get around to it later if no one else does]<br />
<br />
[[Category:Hacking and Game Info]]</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Assembly_Hacking&diff=4328Assembly Hacking2009-06-15T00:28:37Z<p>Ugetab: Game Gear/Master System debugger</p>
<hr />
<div>Assembly hacking is the art of editing a compiled program. Without the source code, and without notes from the source code, one has to deduce almost everything about the underlying code, and how it works with RAM.<br />
<br />
There are several emulators that can aid one in creating a modification for a game. Games for console systems fall into the category of compiled programs, and generally, the source code is unavailable for these games.<br />
<br />
The use of making an assembly hack for a game can be found with the Nintendo Entertainment System (NES) [[Game Genie]].<br />
<br />
The codes that are entered into an NES Game Genie represent single-byte assembly hacks. Any assembly hack that could be done with a change of 3 bytes or less is possible to implement with a single Game Genie. The SNES Game Genie allows up to 5 codes, and 5 bytes of change. While this makes the possible usage of codes very limiting, it didn't prevent single-byte invincibility and infinite lives codes from appearing that could make it unneccesary to use additional codes.<br />
<br />
For more modern assembly hacking of the same systems, emulators that support 50 or more codes for any given game aren't uncommon. The ROMs have been turned into files that can be patched with all the changes needed to give the game a script in a new language. Emulators that aid in the process of making assembly hacks have appeared for many different emulated systems. The effect is that more people are now capable of starting their own projects, and existing projects can be modified and/or repaired more easily.<br />
<br />
=Emulators=<br />
<br />
==NES==<br />
===FCEU===<br />
[http://www.the-interweb.com/serendipity/index.php?/categories/9-FCEUXD-SP FCEUXDSP] is the result of a emulator first developed by Parasyte called FCEUD, which was then picked up by bbitmaster and renamed to FCEUXD, and finally adopted as FCEUXD SP.<br />
<br />
====Setting breakpoints in ROM/RAM====<br />
Tools>Debug<br />
<br />
In the breakpoint window, 'Add' the Executable address or Memory address you want.<br><br />
ROM is 8000-FFFF<br><br />
RAM is 0000-07FF, 6000-7FFF<br><br />
0800-3FFF is mirrored from some part of RAM.<br><br />
4000-4015 can be breakpointed if working on an NSF. If you want to use this to deal with NSFs, try Ugetabs [http://www.angelfire.com/nc/ugetab edited version], which tends to play nicer with them<br />
<br />
'Hex Editor' is a memory viewer/modifier.<br />
<br />
==SNES==<br />
===Geiger's SNES9X Debugger===<br />
This emulator can be found at [http://geigercount.net/crypt/ Geiger's Crypt] and [http://www.zophar.net/snes/geiger-s-snes9x-debugger.html Zophar's Domain - Geiger’s Snes9x Debugger].<br />
<br />
====Setting breakpoints in ROM/RAM====<br />
Open ROM, Click 'Breakpoints'<br><br />
In the breakpoint window, enter the Executable address or Memory address you want.<br><br />
Standard RAM: 7E0000 - 7FFFFF<br><br />
SA1 RAM: 400000-407FFF, 303000-303FFF<br><br />
HiROM - C00000 - FFFFFF<br><br />
LoROM - 808000-BFFFFF (**0000 - **7FFF doesn't exist)<br />
<br />
If you use the [[SA1]] logger with an SA1-using game, and wish to find an address that changed an address in RAM, you can see if the conversion chart on the [[SA1]] page shows you the address to search for in the log file.<br />
<br />
==Genesis==<br />
<br />
===Regen Debugger Build===<br />
This emulator can be found [http://aamirm.hacking-cult.org/ here]<br />
<br />
Backup: [http://www.gshi.org/downloads/Regen095D.zip Regen 0.95 Debugger]<br />
<br />
If you've used FCEUXDSP, Geiger's Snes9x, BGB, Nemu08, pSX, or pretty much any other active debugger, you'll realize that this is along the same lines of those debuggers. This is certainly what Genesis hackers have been waiting for when it comes to a user friendly debugger.<br />
<br />
It runs Genesis, Game Gear, and SMS files, but only debugs Genesis at the moment. Use [[#Emukon]] if you want to hack Game Gear or SMS.<br />
<br />
===Gens Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/337/ here].<br />
<br />
No breakpoints, but adequate tracing. A guide has been written on the specific usage of the emulator.<br />
<br />
The idea is that you can trace-log writes to and reads from memory, and you can also log all commands, and determine what's happening from the full log, by using what you find from the hook logging.<br />
<br />
===HazeMD===<br />
This emulator can be found at [http://haze.mameworld.info/ this address].<br />
<br />
This emulator is harder to get setup to use a ROM, but comes with a MAME-style debugger. MAME's debugger is well known for being so powerful, considering the number of systems it can be used with when compiled into a build of MAME. The Gens tracer tends to have slightly better compatibility, while the HazeMD emulator has more potential for cheat codes, already having a Cheat system designed to handle multiple CPUs, which could be used for 32x game ROM hacks, and RAM hacks.<br />
<br />
==Gameboy==<br />
===BGB===<br />
This emulator can be found [http://bgb.bircd.org/ here]<br />
<br />
Load a ROM, and right-click the screen.<br><br />
Other>debug mode enabled: to enable debugging<br><br />
Other>debugger to enter the debugger<br><br />
<br />
Setting breakpoints in ROM/RAM<br><br />
In the debugger window:<br><br />
Debug>breakpoints for execution breakpoints<br><br />
Debug>access breakpoints for read/write breaks.<br><br />
<br />
Also, see below about Visual Boy Advance Tracer.<br />
<br />
==Game Gear==<br />
===Emukon===<br />
This emulator can be found [http://emukon.kontechs.de/ here].<br />
<br />
Backup: [http://www.gshi.org/downloads/Emukon105.zip Emukon 1.05]<br />
<br />
This is basically a friendlier style of Logging Debugger the way I tend to use it, with Breakpoints to help figure out how code you find operates. I've used it to at least as much success as I've used the Hook_log debuggers, only this was more boring because I didn't have to fight with the emulator as much.<br />
<br />
You can use a combination of Breakpoints and Log Files to debug games.<br />
<br />
Breakpoints have their own management window, or you can right click lines in the debugger.<br />
<br />
To use the log files effectively, you should focus on a single byte with a known effect, get to about where the setting you're looking for will change, go to the Debugger > Debugger menu, enable it if needed, then click the Clear Log button if you want a fresh start, and the Log button to start logging. Get the thing changed that you want, and then look under the DebugLogs folder for the game you're working on, and search the text logs for the address you want to check, whether it's the execution address by some chance or the memory address. Breakpoints and Logging work well together to discover the execution path to a piece of code.<br />
<br />
It's not as exceedingly simple as some other debuggers, but it's quite useful, and it's my first choice for hacking Game Gear as well as SMS.<br />
<br />
==Master System==<br />
===Emukon===<br />
See Game Gear section: [[#Emukon]]<br />
<br />
==Gameboy Advance==<br />
===Visual Boy Advance Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/340/ here].<br />
<br />
This emulator uses the Hook Log system. Those familiar with the hook_log Genesis or N64 emulators should have little trouble adapting to this system.<br />
<br />
Note that it has also been used to good effect for a small number of gameboy games that BGB doesn't support. [[Ugetab]] used this for GBS ripping, but with full code logging, and a save-state near when something changes, you could just as effectively search for a memory address in trace.log. Mind that while GB assembly doesn't pile up as quickly as GBA or N64, and it is still nessesary to be relatively close to the change before activating logging, if you don't want to have to use a special text editor to open an enormous log file. <br />
<br />
===Visual Boy Advance===<br />
This emulator can be found at [http://vba.ngemu.com/downloads.shtml this address].<br />
<br />
Windows - SDL is required. Unfortunately, no cheat device exists that can change the assembly, so hacking it is more a matter of patching the ROM, and less a matter of using it for simple cheats. Not documented.<br />
<br />
==Playstation==<br />
===PCSX 1.5 With Debugger===<br />
This emulator is available [http://www.romhacking.net/utils/267/ here].<br />
<br />
Press F11 to enter the debugger. On-screen aids should be apparent.<br />
<br />
===PSX===<br />
This emulator can be found at [http://www.romhacking.net/utils/311/ this address].<br />
<br />
This can be a decent debugging alternative if a game doesn't work well in the above emulator.<br />
<br />
===PCSX Agemo debugger===<br />
This emulator can be found [http://www.romhacking.net/utils/475/ here].<br />
<br />
It could be favorable for some tasks, compared to the other debuggers.<br />
<br />
==N64==<br />
===Nemu64===<br />
This emulator can be found [http://www.emulator-zone.com/doc.php/n64/nemu64.html here]<br />
<br />
Setting execution breakpoints<br><br />
Plugins>Debugger: Commands...<br><br />
To set a break on execution, go to the line that you want to break on, and click in the vertical bar to the left(<) of the address you want to breakpoint.<br />
<br />
Setting breakpoints in RAM<br><br />
Plugins>Debugger: Memory...<br><br />
Enable the read and/or write checkboxes, and right-click the memory space you want to set, unset, or change an access breakpoint on.<br />
<br />
Some games don't run in Nemu, so you may have to switch to this hook_log based emulator if you want the codes. The 1964 tracer can be useful, which is available [http://www.romhacking.net/utils/335/ here].<br />
<br />
The hook_log system is a little bit more demanding to use than a visual debugger, but with compatibility issues, it's better than lucky to have a second usable debugging emulator. The save-states can be decompressed, and loaded in their decompressed form if needed<br />
<br />
An issue with this emulator is that not all instructions are logged, but it's still worth knowing about for the fact that many instructions are logged, and it can be used with write logging.<br />
<br />
===Project64 debug build binary===<br />
This emulator can be found [http://www.thegshi.org/downloads/Project64%20Build%2052%20Debug%20Binary.zip here].<br />
<br />
This version of the emulator has better support for games than Nemu64, and Ugetab used this tool in combination with nemu64 to edit USFs, as well as make a few codes that people using only a single emulation tool were having extremely hard struggles with.<br />
<br />
==Saturn==<br />
===Yabause===<br />
This emulator can be found [http://www.romhacking.net/utils/482/ here].<br />
<br />
This is one of the few Saturn emulators out there.<br />
<br />
==Wonder Swan==<br />
===Cygne Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/244/ here].<br />
<br />
A decent Tracing program.<br />
<br />
===Oswan Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/338/ here].<br />
<br />
This is just another hook-log tracer.<br />
<br />
==Playstation 2==<br />
[The current author is too lazy to write this, but will get around to it later if no one else does]<br />
<br />
[[Category:Hacking and Game Info]]</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Assembly_Hacking&diff=4327Assembly Hacking2009-06-14T03:33:12Z<p>Ugetab: /* Genesis - Added Regen */</p>
<hr />
<div>Assembly hacking is the art of editing a compiled program. Without the source code, and without notes from the source code, one has to deduce almost everything about the underlying code, and how it works with RAM.<br />
<br />
There are several emulators that can aid one in creating a modification for a game. Games for console systems fall into the category of compiled programs, and generally, the source code is unavailable for these games.<br />
<br />
The use of making an assembly hack for a game can be found with the Nintendo Entertainment System (NES) [[Game Genie]].<br />
<br />
The codes that are entered into an NES Game Genie represent single-byte assembly hacks. Any assembly hack that could be done with a change of 3 bytes or less is possible to implement with a single Game Genie. The SNES Game Genie allows up to 5 codes, and 5 bytes of change. While this makes the possible usage of codes very limiting, it didn't prevent single-byte invincibility and infinite lives codes from appearing that could make it unneccesary to use additional codes.<br />
<br />
For more modern assembly hacking of the same systems, emulators that support 50 or more codes for any given game aren't uncommon. The ROMs have been turned into files that can be patched with all the changes needed to give the game a script in a new language. Emulators that aid in the process of making assembly hacks have appeared for many different emulated systems. The effect is that more people are now capable of starting their own projects, and existing projects can be modified and/or repaired more easily.<br />
<br />
=Emulators=<br />
<br />
==NES==<br />
===FCEU===<br />
[http://www.the-interweb.com/serendipity/index.php?/categories/9-FCEUXD-SP FCEUXDSP] is the result of a emulator first developed by Parasyte called FCEUD, which was then picked up by bbitmaster and renamed to FCEUXD, and finally adopted as FCEUXD SP.<br />
<br />
====Setting breakpoints in ROM/RAM====<br />
Tools>Debug<br />
<br />
In the breakpoint window, 'Add' the Executable address or Memory address you want.<br><br />
ROM is 8000-FFFF<br><br />
RAM is 0000-07FF, 6000-7FFF<br><br />
0800-3FFF is mirrored from some part of RAM.<br><br />
4000-4015 can be breakpointed if working on an NSF. If you want to use this to deal with NSFs, try Ugetabs [http://www.angelfire.com/nc/ugetab edited version], which tends to play nicer with them<br />
<br />
'Hex Editor' is a memory viewer/modifier.<br />
<br />
==SNES==<br />
===Geiger's SNES9X Debugger===<br />
This emulator can be found at [http://geigercount.net/crypt/ Geiger's Crypt] and [http://www.zophar.net/snes/geiger-s-snes9x-debugger.html Zophar's Domain - Geiger’s Snes9x Debugger].<br />
<br />
====Setting breakpoints in ROM/RAM====<br />
Open ROM, Click 'Breakpoints'<br><br />
In the breakpoint window, enter the Executable address or Memory address you want.<br><br />
Standard RAM: 7E0000 - 7FFFFF<br><br />
SA1 RAM: 400000-407FFF, 303000-303FFF<br><br />
HiROM - C00000 - FFFFFF<br><br />
LoROM - 808000-BFFFFF (**0000 - **7FFF doesn't exist)<br />
<br />
If you use the [[SA1]] logger with an SA1-using game, and wish to find an address that changed an address in RAM, you can see if the conversion chart on the [[SA1]] page shows you the address to search for in the log file.<br />
<br />
==Genesis==<br />
<br />
===Regen Debugger Build===<br />
To get this emulator, you can visit it's [http://aamirm.hacking-cult.org/ Homepage]<br />
<br />
This is a backup: [http://www.gshi.org/downloads/Regen095D.zip Regen 0.95 Debugger]<br />
<br />
If you've used FCEUXDSP, Geiger's Snes9x, BGB, Nemu08, pSX, or pretty much any other active debugger, you'll realize that this is along the same lines of those debuggers. This is certainly what Genesis hackers have been waiting for when it comes to a user friendly debugger.<br />
<br />
It runs Genesis, Game Gear, and SMS files, but only debugs Genesis at the moment. This is not a problem, in this hacker's opinion.<br />
<br />
===Gens Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/337/ here].<br />
<br />
No breakpoints, but adequate tracing. A guide has been written on the specific usage of the emulator.<br />
<br />
The idea is that you can trace-log writes to and reads from memory, and you can also log all commands, and determine what's happening from the full log, by using what you find from the hook logging.<br />
<br />
===HazeMD===<br />
This emulator can be found at [http://haze.mameworld.info/ this address].<br />
<br />
This emulator is harder to get setup to use a ROM, but comes with a MAME-style debugger. MAME's debugger is well known for being so powerful, considering the number of systems it can be used with when compiled into a build of MAME. The Gens tracer tends to have slightly better compatibility, while the HazeMD emulator has more potential for cheat codes, already having a Cheat system designed to handle multiple CPUs, which could be used for 32x game ROM hacks, and RAM hacks.<br />
<br />
==Gameboy==<br />
===BGB===<br />
This emulator can be found [http://bgb.bircd.org/ here]<br />
<br />
Load a ROM, and right-click the screen.<br><br />
Other>debug mode enabled: to enable debugging<br><br />
Other>debugger to enter the debugger<br><br />
<br />
Setting breakpoints in ROM/RAM<br><br />
In the debugger window:<br><br />
Debug>breakpoints for execution breakpoints<br><br />
Debug>access breakpoints for read/write breaks.<br><br />
<br />
Also, see below about Visual Boy Advance Tracer.<br />
<br />
==Gameboy Advance==<br />
===Visual Boy Advance Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/340/ here].<br />
<br />
This emulator uses the Hook Log system. Those familiar with the hook_log Genesis or N64 emulators should have little trouble adapting to this system.<br />
<br />
Note that it has also been used to good effect for a small number of gameboy games that BGB doesn't support. [[Ugetab]] used this for GBS ripping, but with full code logging, and a save-state near when something changes, you could just as effectively search for a memory address in trace.log. Mind that while GB assembly doesn't pile up as quickly as GBA or N64, and it is still nessesary to be relatively close to the change before activating logging, if you don't want to have to use a special text editor to open an enormous log file. <br />
<br />
===Visual Boy Advance===<br />
This emulator can be found at [http://vba.ngemu.com/downloads.shtml this address].<br />
<br />
Windows - SDL is required. Unfortunately, no cheat device exists that can change the assembly, so hacking it is more a matter of patching the ROM, and less a matter of using it for simple cheats. Not documented.<br />
<br />
==Playstation==<br />
===PCSX 1.5 With Debugger===<br />
This emulator is available [http://www.romhacking.net/utils/267/ here].<br />
<br />
Press F11 to enter the debugger. On-screen aids should be apparent.<br />
<br />
===PSX===<br />
This emulator can be found at [http://www.romhacking.net/utils/311/ this address].<br />
<br />
This can be a decent debugging alternative if a game doesn't work well in the above emulator.<br />
<br />
===PCSX Agemo debugger===<br />
This emulator can be found [http://www.romhacking.net/utils/475/ here].<br />
<br />
It could be favorable for some tasks, compared to the other debuggers.<br />
<br />
==N64==<br />
===Nemu64===<br />
This emulator can be found [http://www.emulator-zone.com/doc.php/n64/nemu64.html here]<br />
<br />
Setting execution breakpoints<br><br />
Plugins>Debugger: Commands...<br><br />
To set a break on execution, go to the line that you want to break on, and click in the vertical bar to the left(<) of the address you want to breakpoint.<br />
<br />
Setting breakpoints in RAM<br><br />
Plugins>Debugger: Memory...<br><br />
Enable the read and/or write checkboxes, and right-click the memory space you want to set, unset, or change an access breakpoint on.<br />
<br />
Some games don't run in Nemu, so you may have to switch to this hook_log based emulator if you want the codes. The 1964 tracer can be useful, which is available [http://www.romhacking.net/utils/335/ here].<br />
<br />
The hook_log system is a little bit more demanding to use than a visual debugger, but with compatibility issues, it's better than lucky to have a second usable debugging emulator. The save-states can be decompressed, and loaded in their decompressed form if needed<br />
<br />
An issue with this emulator is that not all instructions are logged, but it's still worth knowing about for the fact that many instructions are logged, and it can be used with write logging.<br />
<br />
===Project64 debug build binary===<br />
This emulator can be found [http://www.thegshi.org/downloads/Project64%20Build%2052%20Debug%20Binary.zip here].<br />
<br />
This version of the emulator has better support for games than Nemu64, and Ugetab used this tool in combination with nemu64 to edit USFs, as well as make a few codes that people using only a single emulation tool were having extremely hard struggles with.<br />
<br />
==Saturn==<br />
===Yabause===<br />
This emulator can be found [http://www.romhacking.net/utils/482/ here].<br />
<br />
This is one of the few Saturn emulators out there.<br />
<br />
==Wonder Swan==<br />
===Cygne Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/244/ here].<br />
<br />
A decent Tracing program.<br />
<br />
===Oswan Tracer===<br />
This emulator can be found [http://www.romhacking.net/utils/338/ here].<br />
<br />
This is just another hook-log tracer.<br />
<br />
==Playstation 2==<br />
[The current author is too lazy to write this, but will get around to it later if no one else does]<br />
<br />
[[Category:Hacking and Game Info]]</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=CRI_ROFS&diff=4325CRI ROFS2009-05-31T18:11:54Z<p>Ugetab: Link names lost Jap chars</p>
<hr />
<div>ROFS is a bulk data file structure developed by CRI Middleware Co., Ltd. It is greatly built off of the ISO-9660 standard. These are easily identified as having the file name extension of CVM.<br />
<br />
<br />
__TOC__<br />
<br />
<br />
== Random ==<br />
<br />
Several official programs for handling CVM files are known to exist. Usage is not known and guessed below.<br />
<br />
rofstoko.exe - ? Seemingly used to change existing data and perhaps conversion of some file types.<br />
rofsedit.exe - ?<br />
rofsgen.exe - ?<br />
rofsbld.exe - ? Most likely the program used to compile an ROFS structure from a list of files.<br />
rofsview.exe - ?<br />
<br />
There are a few homemade programs created for interacting with CVM filesystems with various limited functionality.<br />
<br />
'''Apache3''' - Badly named but effective for extracting the contents of a CVM (and several other disc image types such as GCM). It can also replace files inside the image. Has entirely no capacity to create new files from scratch.<br />
<br />
[http://gshi.org/downloads/cvm_tools/apache3_setup.exe apache3_setup.exe v3.10.6 beta]<br />
<br />
'''Daemon Tools (and some other disc mounting software)''' - If a 0x1800 block is removed from the start of the file, it can be mounted as a disc image. Other mounting utilities may not cooperate.<br />
<br />
'''Abyss''' - A tiny custom tool made by darthi8nt for beating up the TO7BTL.cvm file from Tales Of The Abyss. It looks to be only for that specific file and no others.<br />
<br />
[http://gshi.org/downloads/cvm_tools/abyss.zip abyss.zip]<br />
<br />
[http://gshi.org/downloads/cvm_tools/abyss_update.zip abyss_update.zip]<br />
<br />
'''VF4EXt_n_reb''' - Another tool from darthi8nt. Same deal as with Abyss, but for VF4STRMS.cvm on Virtua Fighter 4.<br />
<br />
[http://gshi.org/downloads/cvm_tools/VF4EXt_n_reb.rar VF4EXt_n_reb.rar]<br />
<br />
<br />
== Structure ==<br />
<br />
This information is incomplete and may by itself not be of much help. Note also that it may not apply to all containers of this format being that there are known to be incompatible revisions.<br />
<br />
=== Basic ===<br />
<br />
As the format is built on top of the original Yellow Book standard, the file storage itself is well documented. Since both ISO and IEC are greedy bastards a relevant item to look up is ECMA-119. The ==Logical Block Size== is 2048 bytes.<br />
<br />
At least two versions exist, perhaps not compatible with each other. One is '''''ROFSROFSBLD Ver.1.52 2003-06-09''''', another is '''''ROFSROFSBLD Ver.1.23 2001-10-17'''''.<br />
<br />
From: [http://forum.xentax.com/viewtopic.php?p=22826#p22826 XeNTaX - ROFS Compression?Encryption? Method]<br />
<br />
ROFS , By turning off the 0x1800 byte from the forefront of the file (header), and change the extension to .iso, Daemon tools can mount it.<br />
<br />
With the header where 0x1800 is gone, then it seems that its retained with the file system ( ISO9660 )<br />
<br />
ROFS (CVM) file format memo<br />
<br />
B = byte (8bit)<br />
W = word (16bit)<br />
L = long word (32bit)<br />
<br />
-- <br />
0x0000-0xb7ff<br />
- ROFS version<br />
- GAME TITLE and PUBLISHER_NAME etc.<br />
<br />
offset 0xb800<br />
1W: first data length = A<br />
1L: START address START (little endian)<br />
1L: START address START (big endian)<br />
1L: FAT SIZE (little endian)<br />
1L: FAT SIZE (big endian)<br />
1B: 0x68??<br />
1B: data length X<br />
XB: ?? (date?)<br />
4B: 01 00 00 01 ??<br />
2B: 01 00 or 01 01<br />
01 01 as for the FAT SIZE-related data end?<br />
<br />
1W: next data length = B<br />
<br />
here byte become A. Reading B Byte next, it processes. <br />
<br />
However, because completely it has become the same contents as A in regard to data which is read next, <br />
as for meaning in regard to data of B you do not understand well. For verification?<br />
<br />
-- <br />
offset 0xb800 + A + B<br />
1W: data length C<br />
<br />
:DATA FIRST<br />
<br />
1L: START address START (little endian)<br />
1L: START address START (big endian)<br />
FILE START address = 0x800*START + 0x1800<br />
1L: file size (little endian)<br />
1L: file size (big endian)<br />
<br />
1B: 0x68 ??<br />
1B: data length Y<br />
YB: ?? (date?)<br />
4B: 01 00 00 01 ??<br />
1B: file name length Z<br />
ZB: file name<br />
2B: 3B 31 (flag?)<br />
<br />
0 fill are done<br />
<br />
last 1W: In case of data length of following data D<br />
0x0000, it adjusts the length of the following data and is packed (?)There is a place where it is done. The data other than<br />
0x00 appears to has the necessity to search. <br />
<br />
The quantities of all to here byte become C. Reading D Byte next, it processes. <br />
However, it adjusts and is packed (?)When it was done, data length stops being agreeable. <br />
<br />
After returning to DATA FIRST, to FAT SIZE + 0x1800 it repeats processing.<br />
<br />
<br />
From: [http://forum.xentax.com/viewtopic.php?p=24509#p24509 XeNTaX - - ROFS Compression?Encryption? Method]<br />
<br />
struct ROFSRootEntry<br />
{<br />
int Offset;<br />
short Unknown;<br />
std::string Name;<br />
};<br />
<br />
struct ROFSEntry<br />
{<br />
unsigned short EntrySize; // Entry Header Size<br />
unsigned int Address; // File start offset<br />
unsigned int Size; // File Size<br />
unsigned char Unk0[10];<br />
unsigned short Unk;<br />
std::string Name;<br />
};<br />
<br />
if I remember correctly the root entries are a listing of all directories in the file. <br />
from there the rofsentry structure is used to navigate the actual directory and file structure. <br />
a flag in the rofsentry structure tells if the entry is a directory(0x02) or a file(0x01) but I don't know <br />
where that was ^_^; when the entry is a directory the offset leads to another listing of directories <br />
or files. the file is padded to 4096 or 2048 I don't remember. (directories always have "." and ".." entries)<br />
<br />
First read the root entries at offset ??? load them into memory and use that to get the entire <br />
file list(with rofsentry structure) it is just a bunch of interconnecting nodes.<br />
<br />
== Partial List of Games ==<br />
<br />
=== Playstation 2 ===<br />
<br />
Arcana Heart<br />
<br />
Namcollection<br />
<br />
Odin Sphere<br />
<br />
Persona 3<br />
<br />
Persona 3 FES<br />
<br />
Persona 4<br />
<br />
Sakura Taisen V<br />
<br />
Sonic Gems Collection<br />
<br />
Sonic Heroes<br />
<br />
Tales of Symphonia<br />
<br />
Tales of the Abyss<br />
<br />
Virtua Fighter 4<br />
<br />
Virtua Fighter 4 Evolution<br />
<br />
<br />
== Links ==<br />
*[http://www.cri-mw.co.jp/insidemw/rofs1/index_j.htm CRI・ミドルウェア : インサイドミドルウェア : 第2話 インサイドROFS 「ROFSTOKO.EXE」:] - Japanese page roughly describing ROFS.<br />
*[http://homepage1.nifty.com/~hin/rofs.html ROFS について] - Another page in Japanese, with actual information about the file structure.<br />
*[http://apache3.net/ Apache3] - Site for Apache3, Munge Explorer, and several other programs.<br />
*[http://www.mactech.com/articles/develop/issue_03/high_sierra.html The Ins And Outs Of ISO 9660 And High Sierra] - A rather detailed explanation of an ISO-9660 filesystem.<br />
*[http://www.ecma-international.org/publications/standards/Ecma-119.htm ECMA-119 - Volume and File Structure of CDROM for Information Interchange 2nd edition (December 1987)]<br />
<br />
[[Category:File Systems]]</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=GSCentral&diff=1923GSCentral2008-01-30T04:31:38Z<p>Ugetab: </p>
<hr />
<div>== History ==<br />
<br />
A [[Gameshark]] code site created in 1998 by a person going by the name [[Jim Reinhart]]. At some point much later a clone of the site was produced after [[Rune]] either was banned or left on his own (depending on who you wish to believe). The original lasted until sometime late 2005/early 2006, when it disappeared without any particular notice. The GSCentral.com domain is still owned by [[Stinky613]], presumably until March 10th, 2012.<br />
<br />
As of early October, 2006, the majority of GSCentral's veteran members (and staff) left due to dislike of Rune's recent administrative actions, and his bullshit regarding when the code database would be up.<br />
<br />
The exodus of the GSCentral members began when Rune took down the forum (the only thing left at GSCentral), and took away the administrative powers of the very people who made the site worth visiting. (Parasyte, Viper187)<br />
<br />
Many call the actions Rune took that day '[[Batshit fucking insane]]!', which is indeed quite accurate considering in just one night, Rune got rid of all of the talented and capable individuals at GSCentral, and soon replaced them all with a bunch of clueless newbies.<br />
<br />
Not too long after the exodus, the GSCentral Forums were hacked by unknown person(s).<br />
It is unknown at this time whether or not those who did the hacking were ever caught, or found out.<br />
But it is rumored to be the doing of a coalition between [[GameFAQs]], [[NSider]], and [[Haxxorworld]].<br />
<br />
== Present ==<br />
The reason given for taking the code database down was to prevent "thieves" from stealing their content. The irony of it all is that GSCentral gets the majority of its content from other sites, and often fails to give proper credit. Since then more codes have been added but it is not known whether or not the codes have been credited.<br />
<br />
After a ridiculous amount of procrastination, the database was ''technically'' restored. There is no way to browse codes, and is only accessible though a buggy search box.<br />
<br />
== Technical Information ==<br />
<br />
The hosting is provided by the German host [http://all-inkl.com/eng/index.php?cna=&cnb= All-Inkl]. It runs on Apache Apache 1.3.36, and has PHP 4.4.2, FrontPage extension 5.0.2.4803, mod_fastcgi-SNAP-0404142202, mod_ssl 2.8.27, and OpenSSL 0.9.6i. Due to circumstantial evidence, it is presumed to have access to a MySQL database. <br />
<br />
The newly added search function has a limitation of only accepting 3 or more characters. Non-alphanumeric characters are stripped. For example, you can't search for "C-12" and get the game "C-12 - Final Resistance", but the full name of the game gives results. The maximum search string is 8,197 bytes (8 kilobytes exactly). After this, the server gives an HTTP 414 error, complaining about the input being too large.<br />
<br />
Each game is split into pages. Each page has a likely unique key generated and checked for by mcrypt. Each key is 32 characters in length. Invalid (but of the right length) keys give this error: <br />
<br />
<br />
----<br />
An error occurred. We are unable to satisfy your request. Please contact the webmaster to notify him of this error. Upon contacting us if you could provide the URL address you tried to access and details on where you found this hyperlink it would be greatly appreciated. Thank you. We apologize for the inconvenience.<br />
----<br />
<br />
<br />
It has been discovered that nowhere near the quantity of codes that should be up actually are. Recently however more codes have been added. It is not known whether or not the codes taken from other sites have been completey credited.<br />
<br />
== External Links ==<br />
[http://gscentral.org GSCentral Main Page]<br><br />
[http://gscentral.org/board/index.php GSCentral Forums]</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=GSCentral&diff=1922GSCentral2008-01-25T20:58:16Z<p>Ugetab: </p>
<hr />
<div>== History ==<br />
<br />
A [[Gameshark]] code site created in 1998 by a person going by the name [[Jim Reinhart]]. At some point much later a clone of the site was produced after [[Rune]] either was banned or left on his own (depending on who you wish to believe). The original lasted until sometime late 2005/early 2006, when it disappeared without any particular notice. The GSCentral.com domain is still owned by [[Stinky613]], presumably until March 10th, 2012.<br />
<br />
As of early October, 2006, the majority of GSCentral's veteran members (and staff) left due to dislike of Rune's recent administrative actions, and his bullshit regarding when the code database would be up.<br />
<br />
The exodus of the GSCentral members began when Rune took down the forum (the only thing left at GSCentral), and took away the administrative powers of the very people who made the site worth visiting. (Parasyte, Viper187)<br />
<br />
Many call the actions Rune took that day '[[Batshit fucking insane]]!', which is indeed quite accurate considering in just one night, Rune got rid of all of the talented and capable individuals at GSCentral, and soon replaced them all with a bunch of clueless newbies.<br />
<br />
Not too long after the exodus, the GSCentral Forums were hacked by unknown person(s).<br />
It is unknown at this time whether or not those who did the hacking were ever caught, or found out.<br />
But it is rumored to be the doing of a coalition between [[GameFAQs]], [[NSider]], and [[Haxxorworld]].<br />
<br />
== Present ==<br />
The reason given for taking the code database down was to prevent content. The irony of it all is that GSCentral gets the majority of its content from other sites, and often fails to give proper credit. Since then more codes have been added but it is not known whether or not the codes have been credited.<br />
<br />
After a ridiculous amount of procrastination, the database was ''technically'' restored. There is no way to browse codes, and is only accessible though a buggy search box.<br />
<br />
== Technical Information ==<br />
<br />
The hosting is provided by the German host [http://all-inkl.com/eng/index.php?cna=&cnb= All-Inkl]. It runs on Apache Apache 1.3.36, and has PHP 4.4.2, FrontPage extension 5.0.2.4803, mod_fastcgi-SNAP-0404142202, mod_ssl 2.8.27, and OpenSSL 0.9.6i. Due to circumstantial evidence, it is presumed to have access to a MySQL database. <br />
<br />
The newly added search function has a limitation of only accepting 3 or more characters. Non-alphanumeric characters are stripped. For example, you can't search for "C-12" and get the game "C-12 - Final Resistance", but the full name of the game gives results. The maximum search string is 8,197 bytes (8 kilobytes exactly). After this, the server gives an HTTP 414 error, complaining about the input being too large.<br />
<br />
Each game is split into pages. Each page has a likely unique key generated and checked for by mcrypt. Each key is 32 characters in length. Invalid (but of the right length) keys give this error: <br />
<br />
<br />
----<br />
An error occurred. We are unable to satisfy your request. Please contact the webmaster to notify him of this error. Upon contacting us if you could provide the URL address you tried to access and details on where you found this hyperlink it would be greatly appreciated. Thank you. We apologize for the inconvenience.<br />
----<br />
<br />
<br />
It has been discovered that nowhere near the quantity of codes that should be up actually are. Recently however more codes have been added. It is not known whether or not the codes taken from other sites have been completey credited.<br />
<br />
== External Links ==<br />
[http://gscentral.org GSCentral Main Page]<br><br />
[http://gscentral.org/board/index.php GSCentral Forums]</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=SA1&diff=1921SA12008-01-25T20:53:55Z<p>Ugetab: /* Memory Mapping Comparison */ (Added STA Z SA1 info)</p>
<hr />
<div>== Overview ==<br />
The SNES SA1 chip is an expansion chip added to an SNES cart that both contains a portion of the game's coding, and executes that portion of code to affect normal SNES RAM, and the additional RAM accessed primarily by the SA1 chip programming. The additional RAM is also accessible by the SNES CPU's instructions.<br />
<br />
There is no current information concerning hardware-based tests with Game Genie codes that change portions of ROM residing within the SA1.<br />
<br />
== Memory Mapping Comparison ==<br />
Region 30:0000 - 30:3FFF is SA1 related due to the fact that some RAM is 00 mapped for SA1-using games:<br />
<br />
Writes from the SNES CPU to 00:0000 - 00:3FFF region to change a mirrored region at 30:0000 - 30:3FFF region<br />
<br />
00:0000 - 00:3FFF<br><br />
30:0000 - 30:3FFF<br />
<br />
SA1 code such as "STA $DE" can access address 00:30DE, and show up in the log file as a line like...<br><br />
$C2:D286 85 DE . STA $DE . [$00:00DE]<br />
<br />
The above may not always hold true, but it should be known that not all addresses will appear exactly as expected.<br><br />
<br />
SA1 Address:<br />
Reads/Writes to these addresses from the SA1 CPU translate to the below CPU-accessible addresses in SNES memory<br><br />
00:4000 - 00:7FFF<br><br />
CPU Address:<br><br />
40:0000 - 40:3FFF<br />
<br />
SA1 Address Testing:<br><br />
If you wish to test writes made by the SA1 to memory, and see what area is changed, you can use the following code with Super Mario RPG (US), while in a 3D stage. You should fall through the ground, and be unaligned with the map, but have the value FE written to the address you chose.<br />
<br />
Test SA1 Memory Writes (2 byte addresses, 0xFE written)<br><br />
C9C374A9<br><br />
C9C375FE<br><br />
C9C378FF<br><br />
C9C3793F<br />
<br />
Load value 0x00FE to write(could be made to load a 2-byte value)<br><br />
C9C374A9<br><br />
C9C375FE<br />
<br />
Address to write to(Writes to 3FFF with these values)<br><br />
C9C378FF<br><br />
C9C3793F</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Assembly_Hacking&diff=1918Assembly Hacking2008-01-16T07:52:13Z<p>Ugetab: /* Playstation */ added some more links</p>
<hr />
<div>=Overview=<br />
<br />
Assembly hacking is the art of editing a compiled program. Without the source code, and without notes from the source code, one has to deduce almost everything about the underlying code, and how it works with RAM.<br />
<br />
There are several emulators that can aid one in creating a modification for a game. Games for console systems fall into the category of compiled programs, and generally, the source code is unavailable for these games.<br />
<br />
The use of making an assembly hack for a game can be found with the Nintendo Entertainment System (NES) [[Game Genie]].<br />
<br />
The codes that are entered into an NES Game Genie represent single-byte assembly hacks. Any assembly hack that could be done with a change of 3 bytes or less is possible to implement with a single Game Genie. The SNES Game Genie allows up to 5 codes, and 5 bytes of change. While this makes the possible usage of codes very limiting, it didn't prevent single-byte invincibility and infinite lives codes from appearing that could make it unneccesary to use additional codes.<br />
<br />
For more modern assembly hacking of the same systems, emulators that support 50 or more codes for any given game aren't uncommon. The ROMs have been turned into files that can be patched with all the changes needed to give the game a script in a new language. Emulators that aid in the process of making assembly hacks have appeared for many different emulated systems. The effect is that more people are now capable of starting their own projects, and existing projects can be modified and/or repaired more easily.<br />
<br />
=Emulators=<br />
<br />
==NES==<br />
FCEUXDSP<br><br />
http://www.the-interweb.com/serendipity/index.php?/categories/9-FCEUXD-SP<br />
<br />
A project originated by Parasyte called FCEUd, picked up by bbitmaster and renamed to FCEUXD, and finally adopted as FCEUXD SP.<br />
<br />
Setting breakpoints in ROM/RAM<br />
Tools>Debug<br />
<br />
In the breakpoint window, 'Add' the Executable address or Memory address you want.<br><br />
ROM is 8000-FFFF<br><br />
RAM is 0000-07FF, 6000-7FFF<br><br />
0800-3FFF is mirrored from some part of RAM.<br><br />
4000-4015 can be breakpointed if working on an NSF. If you want to use this to deal with NSFs, try my edited version, which tends to play nicer with them ( http://www.angelfire.com/nc/ugetab )<br />
<br />
'Hex Editor' is a memory viewer/modifier.<br />
<br />
==SNES==<br />
Geiger's SNES9X Debugger <br><br />
http://geigercount.net/crypt/ <br><br />
http://www.zophar.net/snes.html<br />
<br />
Setting breakpoints in ROM/RAM<br><br />
Open ROM, Click 'Breakpoints'<br><br />
In the breakpoint window, enter the Executable address or Memory address you want.<br><br />
Standard RAM: 7E0000 - 7FFFFF<br><br />
SA1 RAM: 400000-407FFF, 303000-303FFF<br><br />
HiROM - C00000 - FFFFFF<br><br />
LoROM - 808000-BFFFFF (**0000 - **7FFF doesn't exist)<br />
<br />
If you use the [[SA1]] logger with an SA1-using game, and wish to find an address that changed an address in RAM, you can see if the conversion chart on the [[SA1]] page shows you the address to search for in the log file.<br />
<br />
==Genesis==<br />
Gens Tracer <br><br />
http://www.romhacking.net/utils/337/<br />
<br />
No breakpoints, but adequate tracing.<br />
<br />
I've written a guide on the specific usage of the emulator.<br />
<br />
The idea is that you can trace-log writes to and reads from memory, and you can also log all commands, and determine what's happening from the full log, by using what you find from the hook logging.<br />
<br />
<br />
HazeMD <br><br />
http://haze.mameworld.info/<br />
<br />
This emulator is harder to get setup to use a ROM, but comes with a MAME-style debugger. MAME's debugger is well known for being so powerful, considering the number of systems it can be used with when compiled into a build of MAME. The Gens tracer tends to have slightly better compatibility, while the HazeMD emulator has more potential for cheat codes, already having a Cheat system designed to handle multiple CPUs, which could be used for 32x game ROM hacks, and RAM hacks.<br />
<br />
==Gameboy==<br />
BGB <br><br />
http://bgb.bircd.org/<br />
<br />
Load a ROM, and right-click the screen.<br><br />
Other>debug mode enabled: to enable debugging<br><br />
Other>debugger to enter the debugger<br><br />
<br />
Setting breakpoints in ROM/RAM<br><br />
In the debugger window:<br><br />
Debug>breakpoints for execution breakpoints<br><br />
Debug>access breakpoints for read/write breaks.<br><br />
<br />
<br />
Also, see below about Visual Boy Advance Tracer. <br><br />
<br />
==Gameboy Advance==<br />
Visual Boy Advance Tracer <br><br />
http://www.romhacking.net/utils/340/<br />
<br />
This emulator uses the Hook Log system. Those familiar with the hook_log Genesis or N64 emulators should have little trouble adapting to this system. <br><br />
<br />
Note that it has also been used to good effect for a small number of gameboy games that BGB doesn't support. I(ugetab) used this for GBS ripping, but with full code logging, and a save-state near when something changes, you could just as effectively search for a memory address in trace.log. Mind that while GB assembly doesn't pile up as quickly as GBA or N64, you still have to be relatively close to the change before activating logging, if you don't want to have to use a special text editor to open an enormous log file. <br><br />
<br />
<br />
Visual Boy Advance <br><br />
http://vba.ngemu.com/downloads.shtml <br><br />
Windows - SDL<br />
<br />
Unfortunately, no cheat device exists that can change the assembly, so hacking it is more a matter of patching the ROM, and less a matter of using it for simple cheats.<br />
<br />
Not documented.<br />
<br />
==Playstation==<br />
PCSX 1.5 With Debugger <br><br />
http://www.romhacking.net/utils/267/<br />
<br />
Press F11 to enter the debugger.<br><br />
On-screen aids should be apparent.<br />
<br />
pSX <br><br />
http://www.romhacking.net/utils/311/<br />
<br />
This can be a decent debugging alternative if a game doesn't work well in the above emulator.<br />
<br />
PCSX Agemo debugger <br><br />
http://www.romhacking.net/utils/475/<br />
<br />
An emulator I don't have any experience with. It could be favorable for some tasks, compared to the other debuggers.<br />
<br />
==N64==<br />
Nemu64 <br><br />
http://www.emulator-zone.com/doc.php/n64/nemu64.html <br><br />
http://www.nemu.com/downloads.php (Expired)<br><br />
<br />
Setting execution breakpoints<br><br />
Plugins>Debugger: Commands...<br><br />
To set a break on execution, go to the line that you want to break on, and click in the vertical bar to the left(<) of the address you want to breakpoint.<br />
<br />
Setting breakpoints in RAM<br><br />
Plugins>Debugger: Memory...<br><br />
Enable the read and/or write checkboxes, and right-click the memory space you want to set, unset, or change an access breakpoint on.<br />
<br />
<br />
Some games don't run in Nemu, so you may have to switch to this hook_log based emulator if you want the codes <br><br />
http://www.romhacking.net/utils/335/<br />
<br />
The hook_log system is a little bit more demanding to use than a visual debugger, but with compatibility issues, it's better than lucky to have a second usable debugging emulator. The save-states can be decompressed, and loaded in their decompressed form if needed<br />
<br />
An issue with this emulator is that not all instructions are logged, but it's still worth knowing about for the fact that many instructions are logged, and it can be used with write logging.<br />
<br />
<br />
Project64 debug build binary <br><br />
http://www.thegshi.org/downloads/Project64%20Build%2052%20Debug%20Binary.zip<br />
<br />
This version of the emulator has better support for games than Nemu64, and I've(ugetab) used this tool in combination with nemu64 to edit USFs, as well as make a few codes that people using only a single emulation tool were having extremely hard struggles with.<br />
<br />
<br />
==Saturn==<br />
Yabause<br />
http://www.romhacking.net/utils/482/<br />
<br />
No info yet<br />
<br />
==Wonder Swan==<br />
Cygne Tracer<br />
http://www.romhacking.net/utils/244/<br />
<br />
No info yet<br />
<br />
Oswan Tracer<br />
http://www.romhacking.net/utils/338/<br />
<br />
Another hook-log tracer<br />
<br />
==Playstation 2==<br />
<br />
[The current author is too lazy to write this, but will get around to it later if no one else does]</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=GSCentral&diff=1915GSCentral2008-01-16T07:16:54Z<p>Ugetab: </p>
<hr />
<div>== History ==<br />
<br />
A [[Gameshark]] code site created in 1998 by a person going by the name [[Jim Reinhart]]. At some point much later a clone of the site was produced after [[Rune]] either was banned or left on his own (depending on who you wish to believe). The original lasted until sometime late 2005/early 2006, when it disappeared without any particular notice. The GSCentral.com domain is still owned by [[Stinky613]], presumably until March 10th, 2012.<br />
<br />
As of early October, 2006, the majority of GSCentral's veteran members (and staff) left due to dislike of Rune's recent administrative actions, and his bullshit regarding when the code database would be up.<br />
<br />
The exodus of the GSCentral members began when Rune took down the forum (the only thing left at GSCentral), and took away the administrative powers of the very people who made the site worth visiting. (Parasyte, Viper187)<br />
<br />
Many call the actions Rune took that day '[[Batshit fucking insane]]!', which is indeed quite accurate considering in just one night, Rune got rid of all of the talented and capable individuals at GSCentral, and soon replaced them all with a bunch of clueless newbies.<br />
<br />
Not too long after the exodus, the GSCentral Forums were hacked by unknown person(s).<br />
It is unknown at this time whether or not those who did the hacking were ever caught, or found out.<br />
But it is rumored to be the doing of a coalition between [[GameFAQs]], [[NSider]], and [[Haxxorworld]].<br />
<br />
== Present ==<br />
The reason given for taking the code database down was to prevent ''thieves'' from stealing their content. The irony of it all is that GSCentral gets the majority of its content from other sites, and often fails to give proper credit.<br />
<br />
After a ridiculous amount of procrastination, the database was ''technically'' restored. There is no way to browse codes, and is only accessible though a buggy search box.<br />
<br />
== Technical Information ==<br />
<br />
The hosting is provided by the German host [http://all-inkl.com/eng/index.php?cna=&cnb= All-Inkl]. It runs on Apache Apache 1.3.36, and has PHP 4.4.2, FrontPage extension 5.0.2.4803, mod_fastcgi-SNAP-0404142202, mod_ssl 2.8.27, and OpenSSL 0.9.6i. Due to circumstantial evidence, it is presumed to have access to a MySQL database. <br />
<br />
The newly added search function has a limitation of only accepting 3 or more characters. Non-alphanumeric characters are stripped. For example, you can't search for "C-12" and get the game "C-12 - Final Resistance", but the full name of the game gives results. The maximum search string is 8,197 bytes (8 kilobytes exactly). After this, the server gives an HTTP 414 error, complaining about the input being too large.<br />
<br />
Each game is split into pages. Each page has a likely unique key generated and checked for by mcrypt. Each key is 32 characters in length. Invalid (but of the right length) keys give this error: <br />
<br />
<br />
----<br />
An error occurred. We are unable to satisfy your request. Please contact the webmaster to notify him of this error. Upon contacting us if you could provide the URL address you tried to access and details on where you found this hyperlink it would be greatly appreciated. Thank you. We apologize for the inconvenience.<br />
----<br />
<br />
<br />
It has been discovered that nowhere near the quantity of codes that should be up actually are. Recently however more codes have been added. It is not known whether or not the codes taken from other sites have been completey credited.<br />
<br />
== External Links ==<br />
[http://gscentral.org GSCentral Main Page]<br><br />
[http://gscentral.org/board/index.php GSCentral Forums]</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Talk:Main_Page&diff=1914Talk:Main Page2008-01-16T07:14:55Z<p>Ugetab: Reverted edits by Cryptone (Talk); changed back to last version by Ace</p>
<hr />
<div></div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Assembly_Hacking&diff=1905Assembly Hacking2008-01-09T19:36:46Z<p>Ugetab: added some sections, edited some links, a little maintainance</p>
<hr />
<div>=Overview=<br />
<br />
Assembly hacking is the art of editing a compiled program. Without the source code, and without notes from the source code, one has to deduce almost everything about the underlying code, and how it works with RAM.<br />
<br />
There are several emulators that can aid one in creating a modification for a game. Games for console systems fall into the category of compiled programs, and generally, the source code is unavailable for these games.<br />
<br />
The use of making an assembly hack for a game can be found with the Nintendo Entertainment System (NES) [[Game Genie]].<br />
<br />
The codes that are entered into an NES Game Genie represent single-byte assembly hacks. Any assembly hack that could be done with a change of 3 bytes or less is possible to implement with a single Game Genie. The SNES Game Genie allows up to 5 codes, and 5 bytes of change. While this makes the possible usage of codes very limiting, it didn't prevent single-byte invincibility and infinite lives codes from appearing that could make it unneccesary to use additional codes.<br />
<br />
For more modern assembly hacking of the same systems, emulators that support 50 or more codes for any given game aren't uncommon. The ROMs have been turned into files that can be patched with all the changes needed to give the game a script in a new language. Emulators that aid in the process of making assembly hacks have appeared for many different emulated systems. The effect is that more people are now capable of starting their own projects, and existing projects can be modified and/or repaired more easily.<br />
<br />
=Emulators=<br />
<br />
==NES==<br />
FCEUXDSP<br><br />
http://www.the-interweb.com/serendipity/index.php?/categories/9-FCEUXD-SP<br />
<br />
A project originated by Parasyte called FCEUd, picked up by bbitmaster and renamed to FCEUXD, and finally adopted as FCEUXD SP.<br />
<br />
Setting breakpoints in ROM/RAM<br />
Tools>Debug<br />
<br />
In the breakpoint window, 'Add' the Executable address or Memory address you want.<br><br />
ROM is 8000-FFFF<br><br />
RAM is 0000-07FF, 6000-7FFF<br><br />
0800-3FFF is mirrored from some part of RAM.<br><br />
4000-4015 can be breakpointed if working on an NSF. If you want to use this to deal with NSFs, try my edited version, which tends to play nicer with them ( http://www.angelfire.com/nc/ugetab )<br />
<br />
'Hex Editor' is a memory viewer/modifier.<br />
<br />
==SNES==<br />
Geiger's SNES9X Debugger <br><br />
http://geigercount.net/crypt/ <br><br />
http://www.zophar.net/snes.html<br />
<br />
Setting breakpoints in ROM/RAM<br><br />
Open ROM, Click 'Breakpoints'<br><br />
In the breakpoint window, enter the Executable address or Memory address you want.<br><br />
Standard RAM: 7E0000 - 7FFFFF<br><br />
SA1 RAM: 400000-407FFF, 303000-303FFF<br><br />
HiROM - C00000 - FFFFFF<br><br />
LoROM - 808000-BFFFFF (**0000 - **7FFF doesn't exist)<br />
<br />
If you use the [[SA1]] logger with an SA1-using game, and wish to find an address that changed an address in RAM, you can see if the conversion chart on the [[SA1]] page shows you the address to search for in the log file.<br />
<br />
==Genesis==<br />
Gens Tracer <br><br />
http://www.romhacking.net/utils/337/<br />
<br />
No breakpoints, but adequate tracing.<br />
<br />
I've written a guide on the specific usage of the emulator.<br />
<br />
The idea is that you can trace-log writes to and reads from memory, and you can also log all commands, and determine what's happening from the full log, by using what you find from the hook logging.<br />
<br />
<br />
HazeMD <br><br />
http://haze.mameworld.info/<br />
<br />
This emulator is harder to get setup to use a ROM, but comes with a MAME-style debugger. MAME's debugger is well known for being so powerful, considering the number of systems it can be used with when compiled into a build of MAME. The Gens tracer tends to have slightly better compatibility, while the HazeMD emulator has more potential for cheat codes, already having a Cheat system designed to handle multiple CPUs, which could be used for 32x game ROM hacks, and RAM hacks.<br />
<br />
==Gameboy==<br />
BGB <br><br />
http://bgb.bircd.org/<br />
<br />
Load a ROM, and right-click the screen.<br><br />
Other>debug mode enabled: to enable debugging<br><br />
Other>debugger to enter the debugger<br><br />
<br />
Setting breakpoints in ROM/RAM<br><br />
In the debugger window:<br><br />
Debug>breakpoints for execution breakpoints<br><br />
Debug>access breakpoints for read/write breaks.<br><br />
<br />
<br />
Also, see below about Visual Boy Advance Tracer. <br><br />
<br />
==Gameboy Advance==<br />
Visual Boy Advance Tracer <br><br />
http://www.romhacking.net/utils/340/<br />
<br />
This emulator uses the Hook Log system. Those familiar with the hook_log Genesis or N64 emulators should have little trouble adapting to this system. <br><br />
<br />
Note that it has also been used to good effect for a small number of gameboy games that BGB doesn't support. I(ugetab) used this for GBS ripping, but with full code logging, and a save-state near when something changes, you could just as effectively search for a memory address in trace.log. Mind that while GB assembly doesn't pile up as quickly as GBA or N64, you still have to be relatively close to the change before activating logging, if you don't want to have to use a special text editor to open an enormous log file. <br><br />
<br />
<br />
Visual Boy Advance <br><br />
http://vba.ngemu.com/downloads.shtml <br><br />
Windows - SDL<br />
<br />
Unfortunately, no cheat device exists that can change the assembly, so hacking it is more a matter of patching the ROM, and less a matter of using it for simple cheats.<br />
<br />
Not documented.<br />
<br />
==Playstation==<br />
PCSX 1.5 With Debugger <br><br />
http://www.romhacking.net/utils/267/<br />
<br />
Press F11 to enter the debugger.<br><br />
On-screen aids should be apparent.<br />
<br />
==N64==<br />
Nemu64 <br><br />
http://www.emulator-zone.com/doc.php/n64/nemu64.html <br><br />
http://www.nemu.com/downloads.php (Expired)<br><br />
<br />
Setting execution breakpoints<br><br />
Plugins>Debugger: Commands...<br><br />
To set a break on execution, go to the line that you want to break on, and click in the vertical bar to the left(<) of the address you want to breakpoint.<br />
<br />
Setting breakpoints in RAM<br><br />
Plugins>Debugger: Memory...<br><br />
Enable the read and/or write checkboxes, and right-click the memory space you want to set, unset, or change an access breakpoint on.<br />
<br />
<br />
Some games don't run in Nemu, so you may have to switch to this hook_log based emulator if you want the codes <br><br />
http://www.romhacking.net/utils/335/<br />
<br />
The hook_log system is a little bit more demanding to use than a visual debugger, but with compatibility issues, it's better than lucky to have a second usable debugging emulator. The save-states can be decompressed, and loaded in their decompressed form if needed<br />
<br />
An issue with this emulator is that not all instructions are logged, but it's still worth knowing about for the fact that many instructions are logged, and it can be used with write logging.<br />
<br />
<br />
Project64 debug build binary <br><br />
http://www.thegshi.org/downloads/Project64%20Build%2052%20Debug%20Binary.zip<br />
<br />
This version of the emulator has better support for games than Nemu64, and I've(ugetab) used this tool in combination with nemu64 to edit USFs, as well as make a few codes that people using only a single emulation tool were having extremely hard struggles with.<br />
<br />
<br />
==Saturn==<br />
Yabause<br />
http://www.romhacking.net/utils/482/<br />
<br />
No info yet<br />
<br />
==Wonder Swan==<br />
Cygne Tracer<br />
http://www.romhacking.net/utils/244/<br />
<br />
No info yet<br />
<br />
Oswan Tracer<br />
http://www.romhacking.net/utils/338/<br />
<br />
Another hook-log tracer<br />
<br />
==Playstation 2==<br />
<br />
[The current author is too lazy to write this, but will get around to it later if no one else does]</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=NSF&diff=1889NSF2007-07-20T05:28:01Z<p>Ugetab: </p>
<hr />
<div>The basic idea is one rips the music/sound code from an NES game and prepends a small header to the data.<br />
<br />
A program of some form (6502/sound emulator) then takes the data and loads it into the proper place into the 6502's address space, then inits and plays the tune.<br />
<br />
Many of the same methods used for finding cheat codes are compatible with finding sound information. The extra work of getting the right code into the right place and setting up the header is the primary difference between ripping and cheat making.<br />
<br />
<br />
(The following is a modified version of the text on the nesdev.parodius.org wiki)<br />
== Header Overview ==<br />
<br />
offset # of bytes Function<br />
----------------------------<br />
0000 5 STRING "NESM",01Ah ; denotes an NES sound format file<br />
0005 1 BYTE Version number (currently 01h)<br />
0006 1 BYTE Total songs (1=1 song, 2=2 songs, etc)<br />
0007 1 BYTE Starting song (1=1st song, 2=2nd song, etc)<br />
0008 2 WORD (lo/hi) load address of data (8000-FFFF)<br />
000a 2 WORD (lo/hi) init address of data (8000-FFFF)<br />
000c 2 WORD (lo/hi) play address of data (8000-FFFF)<br />
000e 32 STRING The name of the song, null terminated<br />
002e 32 STRING The artist, if known, null terminated<br />
004e 32 STRING The Copyright holder, null terminated<br />
006e 2 WORD (lo/hi) speed, in 1/1000000th sec ticks, NTSC (see text)<br />
0070 8 BYTE Bankswitch Init Values (see text, and FDS section)<br />
0078 2 WORD (lo/hi) speed, in 1/1000000th sec ticks, PAL (see text)<br />
007a 1 BYTE PAL/NTSC bits:<br />
bit 0: if clear, this is an NTSC tune<br />
bit 0: if set, this is a PAL tune<br />
bit 1: if set, this is a dual PAL/NTSC tune<br />
bits 2-7: not used. they *must* be 0<br />
007b 1 BYTE Extra Sound Chip Support<br />
bit 0: if set, this song uses VRCVI<br />
bit 1: if set, this song uses VRCVII<br />
bit 2: if set, this song uses FDS Sound<br />
bit 3: if set, this song uses MMC5 audio<br />
bit 4: if set, this song uses Namco 106<br />
bit 5: if set, this song uses Sunsoft FME-07<br />
bits 6,7: future expansion: they *must* be 0<br />
007c 4 ---- 4 extra bytes for expansion (must be 00h)<br />
0080 nnn ---- The music program/data follows<br />
<br />
This may look somewhat familiar; if so that's because this is somewhat sort of based on the PSID file format for C64 music/sound.<br />
<br />
<br />
== Loading a tune into RAM ==<br />
<br />
If offsets 0070h to 0077h have 00h in them, then bankswitching is *not* used. If one or more bytes are something other than 00h then bankswitching is used. If bankswitching is used then the load address is still used, but you now use (ADDRESS AND 0FFFh) to determine where on the first bank to load the data.<br />
<br />
Each bank is 1K in size, and that means there are 8 of them for the<br />
entire 08000h-0ffffh range in the 6502's address space. You determine where in memory the data goes by setting bytes 070h thru 077h in the file. These determine the inital bank values that will be used, and hence where the data will be loaded into the address space.<br />
<br />
Here's an example:<br />
<br />
METROID.NSF will be used for the following explaination.<br />
<br />
The file is set up like so: (starting at 070h in the file)<br />
<br />
0070: 05 05 05 05 05 05 05 05 - 00 00 00 00 00 00 00 00<br />
0080: ... music data goes here...<br />
<br />
Since 0070h-0077h are something other than 00h, then we know that this tune uses bankswitching. The load address for the data is specified as 08000h. We take this AND 0fffh and get 0000h, so we will load data in at byte 0 of bank 0, since data is loaded into the banks sequentially starting from bank 0 up until the music data is fully loaded.<br />
<br />
Metroid has 6 1K banks in it, numbered 0 through 5. The 6502's address space has 8 1K bankswitchable blocks on it, starting at 08000h-08fffh, 09000h-09fffh, 0a000h-0afffh ... 0f000h-0ffffh. In the Metroid NSF header, all banks start out loaded with the 6th 1K bank of data, which is 5. Each one of these is 1K in size, and the current bank is controlled by writes to 05ff8h thru 05fffh, one byte per bank. So, 05ff8h controls the 08000h-08fffh range, 05ff9h controls the 09000h-09fffh range, etc. up to 05fffh which controls the 0f000h-0ffffh range. When the song is loaded into RAM, it is loaded into the banks and not the 6502's address space. Once this is done, then the bank control registers are written to set up the inital bank values. To do this, the value at 0070h in the file is written to 05ff8h, 0071h is written to 05ff9h, etc. all the way to 0077h is written to 05fffh.<br />
This is should be done before every call to the init routine.<br />
<br />
If the tune was not bankswitched, then it is simply loaded in at the <br />
specified load address, until EOF<br />
<br />
<br />
== Initalizing a tune ==<br />
<br />
This is pretty simple. Load the desired song # into the accumulator,<br />
minus 1 and set the X register to specify PAL (X=1) or NTSC (X=0).<br />
If this is a single standard tune (i.e. PAL *or* NTSC but not both)<br />
then the X register contents should not matter. Once the song # and<br />
optional PAL/NTSC standard are loaded, simply call the INIT address.<br />
Once init is done, it should perform an RTS.<br />
<br />
<br />
== Playing a tune ==<br />
<br />
Once the tune has been initalized, it can now be played. To do this,<br />
simply call the play address several times a second. How many times<br />
per second is determined by offsets 006eh and 006fh in the file.<br />
These bytes denote the speed of playback in 1/1000000ths of a second. <br />
For the "usual" 60Hz playback rate, set this to 411ah.<br />
<br />
To generate a differing playback rate, use this formula:<br />
<br />
<br />
1000000<br />
PBRATE= ---------<br />
speed<br />
<br />
Where PBRATE is the value you stick into 006e/006fh in the file, and<br />
speed is the desired speed in hertz. <br />
<br />
<br />
== Properly Loading a Tune ==<br />
<br />
* If the tune is bankswitched, go to #3.<br />
<br />
* Load the data into the 6502's address space starting at the specified load address. Go to #4.<br />
<br />
* Load the data into a RAM area, starting at (start_address AND 0fffh).<br />
<br />
* Tune load is done.<br />
<br />
<br />
== Properly Initializing a Tune ==<br />
<br />
* Clear all RAM at 0000h-07ffh.<br />
<br />
* Clear all RAM at 6000h-7fffh.<br />
<br />
* Init the sound registers by writing 00h to 04000-0400Fh, 10h to 4010h, and 00h to 4011h-4013h.<br />
<br />
* Set volume register 04015h to 00fh.<br />
<br />
* If this is a banked tune, load the bank values from the header into 5ff8-5fffh.<br />
<br />
* Set the accumulator and X registers for the desired song.<br />
<br />
* Call the music init routine.<br />
<br />
<br />
== Properly Playing a Tune ==<br />
Call the play address of the music at periodic intervals determined by the speed words. Which word to use is determined by which mode you are in- PAL or NTSC.<br />
<br />
== Changes Since This Guide Was Written ==<br />
Some players no longer use the playback rate bytes.<br />
<br />
== Adding DPCM ==<br />
There is a large section on how to deal with DPCM samples in the [http://www.zophar.net/tech/files/NESAudioRipping.TXT NES Music Ripping Guide], but the basic information on DPCM is that writes to $4012 and $4013 access sample data stored at and between $c000 and $ffff.<br />
<br />
Writes to $4012 determine the location of the sample data. The value written to $4012, multiplied by 0040h, plus 0c000h, is the point in ROM space the sample starts.<br />
<br />
Writes to $4013 determine the length of the sample data. The value written to $4013, multiplied by 0010h, plus 1, is the length of the sample data.<br />
<br />
If 00h is written to $4012 and $4013, the sample would be located at $c000, and would be 1 byte in length. If 0080h is written to $4012 and $4013, the sample would be located at $e000, and would be 0x801 bytes in length.<br />
<br />
DPCM samples can be attached to an NSF by either relocating the neccesary data, or by including the banks with the DPCM data in the NSF. Relocating the data correctly will often lead to a smaller file size, but including the original data in it's original location is usually easier to do.<br />
<br />
== Sound Chip Support ==<br />
Byte 007bh of the file stores the sound chip flags. If a particular flag is set, those sound registers should be enabled. If the flag is clear, then those registers should be disabled. All I/O registers within 8000-FFFF are ''write only'' and must not disrupt music code that happens to be stored there.<br />
<br />
=== VRCVI ===<br />
* Uses registers 9000-9002, A000-A002, and B000-B002, write only. See [[VRC6 Audio]] for more information.<br />
* Note: The A0 and A1 lines are flipped on a few games! If you rip the music and it sounds all funny, flip around the xxx1 and xxx2 register pairs. (i.e. 9001 and 9002) 9000 and 9003 can be left untouched. I decided to do this since it would make things easier all around, and this means you only will have to change the music code in a very few places (6). Esper2 and Madara will need this change, while Castlevania 3j will not for instance.<br />
<br />
=== VRCVII ===<br />
* Uses registers 9010 and 9030, write only. See [[VRC7 Audio]] for more information.<br />
<br />
=== FDS Sound ===<br />
* Uses registers from 4040 through 4092. See [[FDS Audio]] for more information.<br />
<br />
Notes:<br />
* 6000-DFFF is assumed to be RAM, since 6000-DFFF is RAM on the FDS. E000-FFFF is usually not included in FDS games because it is the BIOS ROM. However, it can be used on FDS rips to help the ripper (for modified play/init addresses).<br />
* Bankswitching operates slightly different on FDS tunes. 5FF6 and 5FF7 control the banks 6000-6FFF and 7000-7FFF respectively. NSF header offsets 76h and 77h correspond to *both* 6000-7FFF *AND* E000-FFFF. Keep this in mind!<br />
<br />
=== MMC5 Sound ===<br />
* Uses registers 5000-5015, write only as well as 5205 and 5206, and 5C00-5FF5. see [[MMC5 Audio]] for more information.<br />
<br />
Notes:<br />
* 5205 and 5206 are a hardware 8*8 multiplier. The idea being you write your two bytes to be multiplied into 5205 and 5206 and after doing so, you read the result back out.<br />
* 5C00-5FF5 should be RAM to emulate EXRAM while in MMC5 mode.<br />
<br />
=== Namco 106 Sound ===<br />
* Uses registers 4800 and F800. See [[Namco 106 Audio]] for more information.<br />
<br />
=== Sunsoft FME-07 Sound ===<br />
* Uses registers C000 and E000. See [[Sunsoft Audio]] for more information.<br />
<br />
== Caveats ==<br />
# The starting song number and maximum song numbers start counting at 1, while the init address of the tune starts counting at 0. To "fix", simply pass the desired song number minus 1 to the init routine.<br />
# The NTSC speed word is used *only* for NTSC tunes, or dual PAL/NTSC tunes. The PAL speed word is used *only* for PAL tunes, or dual PAL/NTSC tunes.<br />
# The length of the text in the name, artist, and copyright fields must be 31 characters or less! There has to be at least a single NULL byte (00h) after the text, between fields.<br />
# If a field is not known (name, artist, copyright) then the field must contain the string "<?>" (without quotes). <br />
# There should be 8K of RAM present at 6000-7FFFh. MMC5 tunes need RAM at 5C00-5FF7 to emulate its EXRAM. 8000-FFFF should be read-only (not writable) after a tune has loaded. The only time this area should be writable is if an FDS tune is being played.<br />
# Do not assume the state of *anything* on entry to the init routine except A and X. Y can be anything, as can the flags. <br />
# Do not assume the state of *anything* on entry to the play routine either. Flags, X, A, and Y could be at any state. I've fixed about 10 tunes because of this problem and the problem above.<br />
# The stack sits at 1FFh and grows down to 100h. Make sure the tune does not attempt to use 1E0h-1FFh for variables. (Armed Dragon Villigust did and I had to relocate its RAM usage to 2xx) Tunes that do use this area are likely relying on direct lookup of stack values. Games that do this need to be debugged to find the location that pushes or writes this information.<br />
# Variables should sit in the 0000h-07FFh area *only*. If the tune writes outside this range, say 1400h this is bad and should be relocated. (Terminator 3 did this and I relocated it to 04xx). Note that most recent players also support RAM at 6000h-7FFFh.<br />
# Some games require A/X/Y to be 'cleaned' before running some code. This can be required during the Init routine, or before the Play address is run. In one case, all the songs in an NSF wouldn't loop because the Y register wasn't zeroed in the init routine.<br />
<br />
== Using FCEUXDSP ==<br />
Ripping can be made much easier by using this relatively new NES debugging emulator.<br />
<br />
By breakpointing writes to $4015, then resetting the game, you can often find the part of code that initializes the sound registers(Sound Init), and see if it's doing anything unusual at that point.<br />
<br />
Breaking on writes to $4000 - $400F will usually show you part of the Play routine. Using the 'Step Out' option tends to help show the entry point into the routine.<br />
<br />
Discovering what part of memory changes to choose the next note is helpful in figuring out where the music init is. Breaking on writes to these addresses helps find the Song Init coding, either by visually dissecting the code, or by using Step Out to try to find a place to breakpoint, and change the A/X/Y registers, in hopes of choosing a different song, which will confirm that it's a Song Init routine.<br />
<br />
If you load an NSF, you can use the debugger to check for errors without much difficulty. You can also use a trick for debugging that lets you use verified Game memory to test the NSF for correct music information, and Play routine...<br />
<br />
Open any regular game rom, open the hex viewer, then open the NSF file you want with the Hex viewer open. Run another copy of FCEUXDSP, and load the rom of the game you're working on an NSF of. In the game window, open it's hex-editor window too. In the emulator with the game running, get some music going, and click-drag downward from 0x200 until you have 0x700 bytes selected, and copy the information to the clipboard. This skips 0x100, where the stack is stored. In the NSF-emulating window's hex editor, paste the info at 0x200, and see if the NSF plays the music correctly. If it does, you can narrow down the amount of info copied selectively, until you get the bit of information it needs to play, and find what routine needs to be adding this info to RAM. Some fixes can consist of a single byte of difference in RAM between the original, and the repaired version of an NSF. Note that this will require that the right banks be loaded, or it will fail outright. An inaccurate Play address can also result in a lack of sound.</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=NSF&diff=1888NSF2007-07-17T02:22:35Z<p>Ugetab: </p>
<hr />
<div>The basic idea is one rips the music/sound code from an NES game and prepends a small header to the data.<br />
<br />
A program of some form (6502/sound emulator) then takes the data and loads it into the proper place into the 6502's address space, then inits and plays the tune.<br />
<br />
Many of the same methods used for finding cheat codes are compatible with finding sound information. The extra work of getting the right code into the right place and setting up the header is the primary difference between ripping and cheat making.<br />
<br />
<br />
(The following is a modified version of the text on the nesdev.parodius.org wiki)<br />
== Header Overview ==<br />
<br />
offset # of bytes Function<br />
----------------------------<br />
0000 5 STRING "NESM",01Ah ; denotes an NES sound format file<br />
0005 1 BYTE Version number (currently 01h)<br />
0006 1 BYTE Total songs (1=1 song, 2=2 songs, etc)<br />
0007 1 BYTE Starting song (1=1st song, 2=2nd song, etc)<br />
0008 2 WORD (lo/hi) load address of data (8000-FFFF)<br />
000a 2 WORD (lo/hi) init address of data (8000-FFFF)<br />
000c 2 WORD (lo/hi) play address of data (8000-FFFF)<br />
000e 32 STRING The name of the song, null terminated<br />
002e 32 STRING The artist, if known, null terminated<br />
004e 32 STRING The Copyright holder, null terminated<br />
006e 2 WORD (lo/hi) speed, in 1/1000000th sec ticks, NTSC (see text)<br />
0070 8 BYTE Bankswitch Init Values (see text, and FDS section)<br />
0078 2 WORD (lo/hi) speed, in 1/1000000th sec ticks, PAL (see text)<br />
007a 1 BYTE PAL/NTSC bits:<br />
bit 0: if clear, this is an NTSC tune<br />
bit 0: if set, this is a PAL tune<br />
bit 1: if set, this is a dual PAL/NTSC tune<br />
bits 2-7: not used. they *must* be 0<br />
007b 1 BYTE Extra Sound Chip Support<br />
bit 0: if set, this song uses VRCVI<br />
bit 1: if set, this song uses VRCVII<br />
bit 2: if set, this song uses FDS Sound<br />
bit 3: if set, this song uses MMC5 audio<br />
bit 4: if set, this song uses Namco 106<br />
bit 5: if set, this song uses Sunsoft FME-07<br />
bits 6,7: future expansion: they *must* be 0<br />
007c 4 ---- 4 extra bytes for expansion (must be 00h)<br />
0080 nnn ---- The music program/data follows<br />
<br />
This may look somewhat familiar; if so that's because this is somewhat sort of based on the PSID file format for C64 music/sound.<br />
<br />
<br />
== Loading a tune into RAM ==<br />
<br />
If offsets 0070h to 0077h have 00h in them, then bankswitching is *not* used. If one or more bytes are something other than 00h then bankswitching is used. If bankswitching is used then the load address is still used, but you now use (ADDRESS AND 0FFFh) to determine where on the first bank to load the data.<br />
<br />
Each bank is 4K in size, and that means there are 8 of them for the<br />
entire 08000h-0ffffh range in the 6502's address space. You determine where in memory the data goes by setting bytes 070h thru 077h in the file. These determine the inital bank values that will be used, and hence where the data will be loaded into the address space.<br />
<br />
Here's an example:<br />
<br />
METROID.NSF will be used for the following explaination.<br />
<br />
The file is set up like so: (starting at 070h in the file)<br />
<br />
0070: 05 05 05 05 05 05 05 05 - 00 00 00 00 00 00 00 00<br />
0080: ... music data goes here...<br />
<br />
Since 0070h-0077h are something other than 00h, then we know that this tune uses bankswitching. The load address for the data is specified as 08000h. We take this AND 0fffh and get 0000h, so we will load data in at byte 0 of bank 0, since data is loaded into the banks sequentially starting from bank 0 up until the music data is fully loaded.<br />
<br />
Metroid has 6 4K banks in it, numbered 0 through 5. The 6502's address space has 8 4K bankswitchable blocks on it, starting at 08000h-08fffh, 09000h-09fffh, 0a000h-0afffh ... 0f000h-0ffffh. In the Metroid NSF header, all banks start out loaded with the 6th 4K bank of data, which is 5. Each one of these is 4K in size, and the current bank is controlled by writes to 05ff8h thru 05fffh, one byte per bank. So, 05ff8h controls the 08000h-08fffh range, 05ff9h controls the 09000h-09fffh range, etc. up to 05fffh which controls the 0f000h-0ffffh range. When the song is loaded into RAM, it is loaded into the banks and not the 6502's address space. Once this is done, then the bank control registers are written to set up the inital bank values. To do this, the value at 0070h in the file is written to 05ff8h, 0071h is written to 05ff9h, etc. all the way to 0077h is written to 05fffh.<br />
This is should be done before every call to the init routine.<br />
<br />
If the tune was not bankswitched, then it is simply loaded in at the <br />
specified load address, until EOF<br />
<br />
<br />
== Initalizing a tune ==<br />
<br />
This is pretty simple. Load the desired song # into the accumulator,<br />
minus 1 and set the X register to specify PAL (X=1) or NTSC (X=0).<br />
If this is a single standard tune (i.e. PAL *or* NTSC but not both)<br />
then the X register contents should not matter. Once the song # and<br />
optional PAL/NTSC standard are loaded, simply call the INIT address.<br />
Once init is done, it should perform an RTS.<br />
<br />
<br />
== Playing a tune ==<br />
<br />
Once the tune has been initalized, it can now be played. To do this,<br />
simply call the play address several times a second. How many times<br />
per second is determined by offsets 006eh and 006fh in the file.<br />
These bytes denote the speed of playback in 1/1000000ths of a second. <br />
For the "usual" 60Hz playback rate, set this to 411ah.<br />
<br />
To generate a differing playback rate, use this formula:<br />
<br />
<br />
1000000<br />
PBRATE= ---------<br />
speed<br />
<br />
Where PBRATE is the value you stick into 006e/006fh in the file, and<br />
speed is the desired speed in hertz. <br />
<br />
<br />
== Properly Loading a Tune ==<br />
<br />
* If the tune is bankswitched, go to #3.<br />
<br />
* Load the data into the 6502's address space starting at the specified load address. Go to #4.<br />
<br />
* Load the data into a RAM area, starting at (start_address AND 0fffh).<br />
<br />
* Tune load is done.<br />
<br />
<br />
== Properly Initializing a Tune ==<br />
<br />
* Clear all RAM at 0000h-07ffh.<br />
<br />
* Clear all RAM at 6000h-7fffh.<br />
<br />
* Init the sound registers by writing 00h to 04000-0400Fh, 10h to 4010h, and 00h to 4011h-4013h.<br />
<br />
* Set volume register 04015h to 00fh.<br />
<br />
* If this is a banked tune, load the bank values from the header into 5ff8-5fffh.<br />
<br />
* Set the accumulator and X registers for the desired song.<br />
<br />
* Call the music init routine.<br />
<br />
<br />
== Properly Playing a Tune ==<br />
Call the play address of the music at periodic intervals determined by the speed words. Which word to use is determined by which mode you are in- PAL or NTSC.<br />
<br />
== Changes Since This Guide Was Written ==<br />
Some players no longer use the playback rate bytes.<br />
<br />
== Adding DPCM ==<br />
There is a large section on how to deal with DPCM samples in the [http://www.zophar.net/tech/files/NESAudioRipping.TXT NES Music Ripping Guide], but the basic information on DPCM is that writes to $4012 and $4013 access sample data stored at and between $c000 and $ffff.<br />
<br />
Writes to $4012 determine the location of the sample data. The value written to $4012, multiplied by 0040h, plus 0c000h, is the point in ROM space the sample starts.<br />
<br />
Writes to $4013 determine the length of the sample data. The value written to $4013, multiplied by 0010h, plus 1, is the length of the sample data.<br />
<br />
If 00h is written to $4012 and $4013, the sample would be located at $c000, and would be 1 byte in length. If 0080h is written to $4012 and $4013, the sample would be located at $e000, and would be 0x801 bytes in length.<br />
<br />
DPCM samples can be attached to an NSF by either relocating the neccesary data, or by including the banks with the DPCM data in the NSF. Relocating the data correctly will often lead to a smaller file size, but including the original data in it's original location is usually easier to do.<br />
<br />
== Sound Chip Support ==<br />
Byte 007bh of the file stores the sound chip flags. If a particular flag is set, those sound registers should be enabled. If the flag is clear, then those registers should be disabled. All I/O registers within 8000-FFFF are ''write only'' and must not disrupt music code that happens to be stored there.<br />
<br />
=== VRCVI ===<br />
* Uses registers 9000-9002, A000-A002, and B000-B002, write only. See [[VRC6 Audio]] for more information.<br />
* Note: The A0 and A1 lines are flipped on a few games! If you rip the music and it sounds all funny, flip around the xxx1 and xxx2 register pairs. (i.e. 9001 and 9002) 9000 and 9003 can be left untouched. I decided to do this since it would make things easier all around, and this means you only will have to change the music code in a very few places (6). Esper2 and Madara will need this change, while Castlevania 3j will not for instance.<br />
<br />
=== VRCVII ===<br />
* Uses registers 9010 and 9030, write only. See [[VRC7 Audio]] for more information.<br />
<br />
=== FDS Sound ===<br />
* Uses registers from 4040 through 4092. See [[FDS Audio]] for more information.<br />
<br />
Notes:<br />
* 6000-DFFF is assumed to be RAM, since 6000-DFFF is RAM on the FDS. E000-FFFF is usually not included in FDS games because it is the BIOS ROM. However, it can be used on FDS rips to help the ripper (for modified play/init addresses).<br />
* Bankswitching operates slightly different on FDS tunes. 5FF6 and 5FF7 control the banks 6000-6FFF and 7000-7FFF respectively. NSF header offsets 76h and 77h correspond to *both* 6000-7FFF *AND* E000-FFFF. Keep this in mind!<br />
<br />
=== MMC5 Sound ===<br />
* Uses registers 5000-5015, write only as well as 5205 and 5206, and 5C00-5FF5. see [[MMC5 Audio]] for more information.<br />
<br />
Notes:<br />
* 5205 and 5206 are a hardware 8*8 multiplier. The idea being you write your two bytes to be multiplied into 5205 and 5206 and after doing so, you read the result back out.<br />
* 5C00-5FF5 should be RAM to emulate EXRAM while in MMC5 mode.<br />
<br />
=== Namco 106 Sound ===<br />
* Uses registers 4800 and F800. See [[Namco 106 Audio]] for more information.<br />
<br />
=== Sunsoft FME-07 Sound ===<br />
* Uses registers C000 and E000. See [[Sunsoft Audio]] for more information.<br />
<br />
== Caveats ==<br />
# The starting song number and maximum song numbers start counting at 1, while the init address of the tune starts counting at 0. To "fix", simply pass the desired song number minus 1 to the init routine.<br />
# The NTSC speed word is used *only* for NTSC tunes, or dual PAL/NTSC tunes. The PAL speed word is used *only* for PAL tunes, or dual PAL/NTSC tunes.<br />
# The length of the text in the name, artist, and copyright fields must be 31 characters or less! There has to be at least a single NULL byte (00h) after the text, between fields.<br />
# If a field is not known (name, artist, copyright) then the field must contain the string "<?>" (without quotes). <br />
# There should be 8K of RAM present at 6000-7FFFh. MMC5 tunes need RAM at 5C00-5FF7 to emulate its EXRAM. 8000-FFFF should be read-only (not writable) after a tune has loaded. The only time this area should be writable is if an FDS tune is being played.<br />
# Do not assume the state of *anything* on entry to the init routine except A and X. Y can be anything, as can the flags. <br />
# Do not assume the state of *anything* on entry to the play routine either. Flags, X, A, and Y could be at any state. I've fixed about 10 tunes because of this problem and the problem above.<br />
# The stack sits at 1FFh and grows down to 100h. Make sure the tune does not attempt to use 1E0h-1FFh for variables. (Armed Dragon Villigust did and I had to relocate its RAM usage to 2xx) Tunes that do use this area are likely relying on direct lookup of stack values. Games that do this need to be debugged to find the location that pushes or writes this information.<br />
# Variables should sit in the 0000h-07FFh area *only*. If the tune writes outside this range, say 1400h this is bad and should be relocated. (Terminator 3 did this and I relocated it to 04xx). Note that most recent players also support RAM at 6000h-7FFFh.<br />
# Some games require A/X/Y to be 'cleaned' before running some code. This can be required during the Init routine, or before the Play address is run. In one case, all the songs in an NSF wouldn't loop because the Y register wasn't zeroed in the init routine.<br />
<br />
== Using FCEUXDSP ==<br />
Ripping can be made much easier by using this relatively new NES debugging emulator.<br />
<br />
By breakpointing writes to $4015, then resetting the game, you can often find the part of code that initializes the sound registers(Sound Init), and see if it's doing anything unusual at that point.<br />
<br />
Breaking on writes to $4000 - $400F will usually show you part of the Play routine. Using the 'Step Out' option tends to help show the entry point into the routine.<br />
<br />
Discovering what part of memory changes to choose the next note is helpful in figuring out where the music init is. Breaking on writes to these addresses helps find the Song Init coding, either by visually dissecting the code, or by using Step Out to try to find a place to breakpoint, and change the A/X/Y registers, in hopes of choosing a different song, which will confirm that it's a Song Init routine.<br />
<br />
If you load an NSF, you can use the debugger to check for errors without much difficulty. You can also use a trick for debugging that lets you use verified Game memory to test the NSF for correct music information, and Play routine...<br />
<br />
Open any regular game rom, open the hex viewer, then open the NSF file you want with the Hex viewer open. Run another copy of FCEUXDSP, and load the rom of the game you're working on an NSF of. In the game window, open it's hex-editor window too. In the emulator with the game running, get some music going, and click-drag downward from 0x200 until you have 0x700 bytes selected, and copy the information to the clipboard. This skips 0x100, where the stack is stored. In the NSF-emulating window's hex editor, paste the info at 0x200, and see if the NSF plays the music correctly. If it does, you can narrow down the amount of info copied selectively, until you get the bit of information it needs to play, and find what routine needs to be adding this info to RAM. Some fixes can consist of a single byte of difference in RAM between the original, and the repaired version of an NSF. Note that this will require that the right banks be loaded, or it will fail outright. An inaccurate Play address can also result in a lack of sound.</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=CMGSCCC&diff=1745CMGSCCC2007-02-27T19:18:19Z<p>Ugetab: /* GSCCC, Incorporated */</p>
<hr />
<div>A GameShark code site started on September 23rd, 1996 by Code Master. After battles with many enemies, such as the Girl Scout Council of Colonial Coast and InterAct Accessories, the site was renamed from GameShark Code Creators Club to Game Software Code Creators Club. Code Master eventually changed his own name to CMX, presumably to make it seem as though he's more like DMX.<br />
<br />
At an unknown point, CMX accepted a position as Pelican's official code hacker and the site was converted over to being [[Code Breaker]] specific. Since then, the site has become heavily ad laden, requires becoming a member to view any codes, and has turned into a place to generally avoid. <br />
<br />
More recently, though reports indicate this has been going on for around a year, an Internet Explorer exploit known as "EXP/Agent.B" was installed on the forums. A topic about this was made [http://forums.cmgsccc.com/showthread.php?t=16224 here]. Another topic about this was posted on GSHI's forums here: [http://gshi.org/vb/showthread.php?t=2031 CMGSCCC is spreading malware]. It has also been noticed that there are popups containing pornography on the GSCCC forums as of late.<br />
<br />
== GSCCC, Incorporated ==<br />
A domestic corporation in Waterloo, Illinois. The corporation is a "Single Owner Corporation," in that all officers of the corporation are the same. As CMX refers to himself as the President of GSCCC, Incorporated, it appears his name is Bryan Black.<br />
<br />
From 2000 to 2005, the address of the corporation's registered agent was [http://maps.google.com/?q=5725%20Sportsman%20Rd%20Waterloo%20IL%2062298%20US 5725 Sportsman Rd, Waterloo IL 62298 US], which Mapquest high resolution imagery showed to be a farm house.<br />
<br />
From 2005 to 2006, the address of the corporation's registered agent was [http://maps.google.com/?q=411+Park+St,+Waterloo,+IL+62298&ie=UTF8&z=15&ll=38.333712,-90.154924&spn=0.015182,0.043259&om=1&iwloc=addr 411 Park Street Suite C, Waterloo, IL 62298], which is the PDQ Tax Service in Waterloo. <br />
<br />
The Illinois Secretary of State's website shows that GSCCC, Incorporated has never filed an annual report, and is a "corporation not in good standing," indicating that the corporation is not legally allowed to conduct business under that name for failing to obey Illinois Statutes.<br />
<br />
== External Links ==<br />
[http://www.cmgsccc.com CMGSCCC.com]<br />
<br />
[http://web.archive.org/web/20010722015402/http://cmgsccc.com/ GSCCC index page as retrieved on 2001-07-22 by the Internet Archive]</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Code_Types&diff=1729Code Types2007-01-15T21:51:55Z<p>Ugetab: /* '''Codebreaker Advance''' */</p>
<hr />
<div>Explanation of what a code type is, and what they're used for here..<br />
<br />
<br />
= <font color="blue">Playstation Systems</font> =<br />
<br />
<br />
== Playstation 2 ==<br />
<br />
==='''Code Breaker'''===<br />
----<br />
<br />
<br />
==='''GameShark (Interact)'''===<br />
----<br />
<br />
<br />
<br />
==='''GameShark (Mad Catz)'''===<br />
----<br />
<br />
<br />
==='''Xploder'''===<br />
----<br />
<br />
== Playstation ==<br />
<br />
==='''Gameshark'''===<br />
----<br />
{| style="border:1px solid #000000; margin: 0; padding:0;" width="100%" cellspacing="0" cellpadding="5""<br />
! Type !! Description !! Example !! Other<br />
<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! 30<br />
| 8-bit constant write || 3XXXXXXX 00YY <br> Writes YY to Address XXXXXXX || NA<br />
|- align="center" style="font-size: 105%; background-color:#d0d8e0; text-align: center; padding:0;"<br />
! 80<br />
| 16-bit constant write || 8XXXXXXX ZZYY <br> Writes ZZYY to Address XXXXXXX || NA<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! 50<br />
| serial repeater || 5000XXYY 00ZZ <br> TTTTTTTT VVVV <br> Writes XX codes, with YY added to the address for each code after TTTTTTTT, and ZZZZ added to the amount for each code after value VVVV || Gameshark 2.2 and higher. May need to seperate pairs of serial codes with a 00000000 0000 code for disk-based gamesharks<br />
|- align="center" style="font-size: 105%; background-color:#d0d8e0; text-align: center; padding:0;"<br />
! E0<br />
| 8-bit equal-to trigger || E0XXXXXX 00YY <br> Activates next code if address 80XXXXXX is equal to YY || Gameshark 2.2 and higher.<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! E1<br />
| 8-bit different-from trigger || E1XXXXXX 00YY <br> Activates next code if address 80XXXXXX is different from YY || Gameshark 2.2(?) and higher.<br />
|- align="center" style="font-size: 105%; background-color:#d0d8e0; text-align: center; padding:0;"<br />
! E2<br />
| 8-bit less-than trigger || E2XXXXXX 00YY <br> Activates next code if address 80XXXXXX is less than YY || Gameshark 2.2 and higher.<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! E3<br />
| 8-bit greater-than trigger || E3XXXXXX 00YY <br> Activates next code if address 80XXXXXX is greater than YY || Gameshark 2.2 and higher.<br />
|- align="center" style="font-size: 105%; background-color:#d0d8e0; text-align: center; padding:0;"<br />
! D0<br />
| 16-bit equal-to trigger || D0XXXXXX YYYY <br> Activates next code if address 80XXXXXX is equal to YYYY || NA<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! D1<br />
| 16-bit different-from trigger || D1XXXXXX YYYY <br> Activates next code if address 80XXXXXX is different from YYYY || Gameshark 2.2 and higher.<br />
|- align="center" style="font-size: 105%; background-color:#d0d8e0; text-align: center; padding:0;"<br />
! D2<br />
| 16-bit less-than trigger || D2XXXXXX YYYY <br> Activates next code if address 80XXXXXX is less than YYYY || Gameshark 2.2 and higher.<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! D3<br />
| 16-bit greater-than trigger || D3XXXXXX YYYY <br> Activates next code if address 80XXXXXX is greater than YYYY || Gameshark 2.2 and higher.<br />
|- align="center" style="font-size: 105%; background-color:#d0d8e0; text-align: center; padding:0;"<br />
! D4<br />
| 16-bit universal joker || D4000000 YYYY <br> Activates next code if the button presses equate to YYYY || Gameshark 2.41 and higher. Needs a button chart<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! D5<br />
| 16-bit codes-on trigger || D5000000 YYYY <br> Activates all codes if buton presses equate to YYYY || Gameshark 2.41 and higher. Needs a button chart<br />
|- align="center" style="font-size: 105%; background-color:#d0d8e0; text-align: center; padding:0;"<br />
! D6<br />
| 16-bit codes-off trigger || D6000000 YYYY <br> Activates all codes if buton presses equate to YYYY || Gameshark 2.41 and higher. Needs a button chart<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! 10<br />
| 16-bit incrementer || 10XXXXXX YYYY <br> Increments value at address 80XXXXXX by YYYY || Gameshark 2.2 and higher. Use with a joker<br />
|- align="center" style="font-size: 105%; background-color:#d0d8e0; text-align: center; padding:0;"<br />
! 11<br />
| 16-bit decrementer || 11XXXXXX YYYY <br> Decrements value at address 80XXXXXX by YYYY || Gameshark 2.2 and higher. Use with a joker<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! 20<br />
| 8-bit incrementer || 20XXXXXX 00YY <br> Increments value at address 80XXXXXX by YY || Gameshark 2.2 and higher. Use with a joker<br />
|- align="center" style="font-size: 105%; background-color:#d0d8e0; text-align: center; padding:0;"<br />
! 21<br />
| 8-bit decrementer || 21XXXXXX 00YY <br> Decrements value at address 80XXXXXX by YY || Gameshark 2.2 and higher. Use with a joker<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! C0<br />
| enable all codes trigger || C0XXXXXX YYYY <br> If value at address 80XXXXXX is equal to YYYY, enable all loaded codes in game. Affects all codes, not just the one this line is used in. || Gameshark 2.41 or higher.<br />
|- align="center" style="font-size: 105%; background-color:#d0d8e0; text-align: center; padding:0;"<br />
! C1<br />
| codes-on delay || C1000000 YYYY <br> Delays codes from being on by YYYY time when game starts. 4000-5000 should give 20-30 seconds. || NA<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! C2<br />
| copy memory || C2XXXXXX YYYY <br> 80ZZZZZZ 0000 <br> Copy YYYY bytes from 80XXXXXX to 80ZZZZZZ. Could be used for copying large sets of complex character stats from one character to another, like working-magic-only, if serial repeater won't work || NA<br />
<br />
|}<br />
<br />
==='''Xploder/Codebreaker'''===<br />
----<br />
{| style="border:1px solid #000000; margin: 0; padding:0;" width="100%" cellspacing="0" cellpadding="5""<br />
! Type !! Description !! Example !! Other<br />
<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! 30<br />
| 8-bit constant write || 3XXXXXXX 00YY <br> Writes YY to Address XXXXXXX || NA<br />
|- align="center" style="font-size: 105%; background-color:#d0d8e0; text-align: center; padding:0;"<br />
! 80<br />
| 16-bit constant write || 8XXXXXXX ZZYY <br> Writes ZZYY to Address XXXXXXX || NA<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! 70<br />
| 16-bit equal-to trigger || 70XXXXXX YYYY <br> Activates next code if address 80XXXXXX is equal to YYYY || NA<br />
<br />
|}<br />
<br />
==='''Action Replay'''===<br />
----<br />
<br />
<br />
==='''Gold Finger'''===<br />
----<br />
<br />
<br />
==='''Caetla'''===<br />
----<br />
<br />
= <font color="blue">Nintendo Systems</font> =<br />
<br />
<br />
== GameCube ==<br />
<br />
<br />
==='''Action Replay'''===<br />
----<br />
<br />
== Nintendo 64 ==<br />
<br />
<br />
==='''GameShark'''===<br />
----<br />
<br />
== GameBoy Advance ==<br />
<br />
<br />
<br />
==='''Codebreaker Advance'''===<br />
----<br />
{| style="border:1px solid #000000; margin: 0; padding:0;" width="100%" cellspacing="0" cellpadding="5""<br />
! Type !! Description !! Example !! Other<br />
<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! 0<br />
| Master Code 1 || 0000XXXX YYYY <br> XXXX is the CRC value (the "Game ID" converted to hex) <br> Flags ("yyyy"): <br> 0008 - CRC Exists (CRC is used to autodetect the inserted game) <br> 0002 - Disable Interupts || NA<br />
|- align="center" style="font-size: 105%; background-color:#d0d8e0; text-align: center; padding:0;"<br />
! 1<br />
| Master Code 2 || 1XXXXXXX YYYZ <br> 'Z' is the CBA Code Handler Store Address (0-7) [address = ((d << 0x16) + 0x08000100)] <br> YYY: <br> 100 - 32-bit Long-Branch Type (Thumb) <br> 200 - 32-bit Long-Branch Type (ARM) <br> 300 - 8-bit(?) Long-Branch Type (Thumb) <br> 400 - 8-bit(?) Long-Branch Type (ARM) <br> 002 - Unknown (Odd Effect) <br> XXXXXXX = ? || NA<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! 2<br />
| 16-bit bitwise OR || 2XXXXXXX YYYY <br> XXXXXXX = Address <br> YYYY = Value to OR with || Tested on VBA, not tested on hardware<br />
|- align="center" style="font-size: 105%; background-color:#d0d8e0; text-align: center; padding:0;"<br />
! 3<br />
| 8-bit RAM Write || 3XXXXXXX 00YY <br> XXXXXXX = Address <br> YY = Value to write || NA<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! 4<br />
| serial repeater || 4qqqqqqq xxyy <br> XXYY#### ++++ <br> qqqqqqq=Address to Start At <br> xxyy = Start Value <br> XXYY = Add To Value <br> #### = Number of Address Iterations <br> ++++ = Amount Added to each Address Iteration || XXYY portion tested in VBA, not tested on hardware<br />
|- align="center" style="font-size: 105%; background-color:#d0d8e0; text-align: center; padding:0;"<br />
! 5<br />
| Unknown || Unknown || NA<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! 6<br />
| 16-bit bitwise AND || 6XXXXXXX YYYY <br> XXXXXXX = Address <br> YYYY = Value to AND with || NA<br />
|- align="center" style="font-size: 105%; background-color:#d0d8e0; text-align: center; padding:0;"<br />
! 7<br />
| 16-bit equal-to trigger || 7XXXXXXX YYYY <br> Activates next code if address XXXXXXX is equal to YYYY || NA<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! 8<br />
| 16-bit RAM Write || 8XXXXXXX YYYY <br> XXXXXXX = Address <br> YYYY = Value to write || NA<br />
|- align="center" style="font-size: 105%; background-color:#d0d8e0; text-align: center; padding:0;"<br />
! 9<br />
| Change Encryption Seeds (if used as first code) || 9YYYYYYY YYYY <br> Details not researched || NA<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! A<br />
| 16-bit not-equal-to trigger || AXXXXXXX YYYY <br> Activates next code if address XXXXXXX is not equal to YYYY || NA<br />
|- align="center" style="font-size: 105%; background-color:#d0d8e0; text-align: center; padding:0;"<br />
! B<br />
| Unknown || Unknown || NA<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! C<br />
| Unknown || Unknown || NA<br />
|- align="center" style="font-size: 105%; background-color:#d0d8e0; text-align: center; padding:0;"<br />
! D<br />
| Unknown || Unknown || NA<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! E<br />
| Unknown || Unknown || NA<br />
|- align="center" style="font-size: 105%; background-color:#d0d8e0; text-align: center; padding:0;"<br />
! F<br />
| Unknown || Unknown || NA<br />
<br />
|}<br />
<br />
==='''GameShark Advance (Interact)'''===<br />
----<br />
<br />
<br />
==='''GameShark Advance (Mad Catz)'''===<br />
----<br />
<br />
<br />
==='''Action Replay'''===<br />
----<br />
<br />
<br />
== Nintendo DS ==<br />
<br />
==='''Codebreaker Advance'''===<br />
----<br />
<br />
<br />
= <font color="blue">Sega Systems</font> =<br />
<br />
<br />
<br />
== Dreamcast ==<br />
<br />
==='''GameShark CDX'''===<br />
----<br />
<br />
<br />
==='''Codebreaker'''===<br />
----<br />
<br />
== Saturn ==<br />
<br />
==='''GameShark'''===<br />
----</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=NSF&diff=1695NSF2006-12-12T05:29:01Z<p>Ugetab: </p>
<hr />
<div>The basic idea is one rips the music/sound code from an NES game and prepends a small header to the data.<br />
<br />
A program of some form (6502/sound emulator) then takes the data and loads it into the proper place into the 6502's address space, then inits and plays the tune.<br />
<br />
Many of the same methods used for finding cheat codes are compatible with finding sound information. The extra work of getting the right code into the right place and setting up the header is the primary difference between ripping and cheat making.<br />
<br />
<br />
== Header Overview ==<br />
<br />
offset # of bytes Function<br />
----------------------------<br />
0000 5 STRING "NESM",01Ah ; denotes an NES sound format file<br />
0005 1 BYTE Version number (currently 01h)<br />
0006 1 BYTE Total songs (1=1 song, 2=2 songs, etc)<br />
0007 1 BYTE Starting song (1= 1st song, 2=2nd song, etc)<br />
0008 2 WORD (lo/hi) load address of data (8000-FFFF)<br />
000a 2 WORD (lo/hi) init address of data (8000-FFFF)<br />
000c 2 WORD (lo/hi) play address of data (8000-FFFF)<br />
000e 32 STRING The name of the song, null terminated<br />
002e 32 STRING The artist, if known, null terminated<br />
004e 32 STRING The Copyright holder, null terminated<br />
006e 2 WORD (lo/hi) speed, in 1/1000000th sec ticks, NTSC (see text)<br />
0070 8 BYTE Bankswitch Init Values (see text, and FDS section)<br />
0078 2 WORD (lo/hi) speed, in 1/1000000th sec ticks, PAL (see text)<br />
007a 1 BYTE PAL/NTSC bits:<br />
bit 0: if clear, this is an NTSC tune<br />
bit 0: if set, this is a PAL tune<br />
bit 1: if set, this is a dual PAL/NTSC tune<br />
bits 2-7: not used. they *must* be 0<br />
007b 1 BYTE Extra Sound Chip Support<br />
bit 0: if set, this song uses VRCVI<br />
bit 1: if set, this song uses VRCVII<br />
bit 2: if set, this song uses FDS Sound<br />
bit 3: if set, this song uses MMC5 audio<br />
bit 4: if set, this song uses Namco 106<br />
bit 5: if set, this song uses Sunsoft FME-07<br />
bits 6,7: future expansion: they *must* be 0<br />
007c 4 ---- 4 extra bytes for expansion (must be 00h)<br />
0080 nnn ---- The music program/data follows<br />
<br />
This may look somewhat familiar; if so that's because this is somewhat sorta of based on the PSID file format for C64 music/sound.<br />
<br />
<br />
== Loading a tune into RAM ==<br />
<br />
If offsets 0070h to 0077h have 00h in them, then bankswitching is *not* used. If one or more bytes are something other than 00h then bankswitching is used. If bankswitching is used then the load address is still used, but you now use (ADDRESS AND 0FFFh) to determine where on the first bank to load the data.<br />
<br />
Each bank is 4K in size, and that means there are 8 of them for the<br />
entire 08000h-0ffffh range in the 6502's address space. You determine where in memory the data goes by setting bytes 070h thru 077h in the file. These determine the inital bank values that will be used, and hence where the data will be loaded into the address space.<br />
<br />
Here's an example:<br />
<br />
METROID.NSF will be used for the following explaination.<br />
<br />
The file is set up like so: (starting at 070h in the file)<br />
<br />
0070: 05 05 05 05 05 05 05 05 - 00 00 00 00 00 00 00 00<br />
0080: ... music data goes here...<br />
<br />
Since 0070h-0077h are something other than 00h, then we know that this tune uses bankswitching. The load address for the data is specified as 08000h. We take this AND 0fffh and get 0000h, so we will load data in at byte 0 of bank 0, since data is loaded into the banks sequentially starting from bank 0 up until the music data is fully loaded.<br />
<br />
Metroid has 6 4K banks in it, numbered 0 through 5. The 6502's address space has 8 4K bankswitchable blocks on it, starting at 08000h-08fffh, 09000h-09fffh, 0a000h-0afffh ... 0f000h-0ffffh. Each one of these is 4K in size, and the current bank is controlled by writes to 05ff8h thru 05fffh, one byte per bank. So, 05ff8h controls the 08000h-08fffh range, 05ff9h controls the 09000h-09fffh range, etc. up to 05fffh which controls the 0f000h-0ffffh range. When the song is loaded into RAM, it is loaded into the banks and not the 6502's address space. Once this is done, then the bank control registers are written to set up the inital bank values. To do this, the value at 0070h in the file is written to 05ff8h, 0071h<br />
is written to 05ff9h, etc. all the way to 0077h is written to 05fffh.<br />
This is should be done before every call to the init routine.<br />
<br />
If the tune was not bankswitched, then it is simply loaded in at the <br />
specified load address, until EOF<br />
<br />
<br />
== Initalizing a tune ==<br />
<br />
This is pretty simple. Load the desired song # into the accumulator,<br />
minus 1 and set the X register to specify PAL (X=1) or NTSC (X=0).<br />
If this is a single standard tune (i.e. PAL *or* NTSC but not both)<br />
then the X register contents should not matter. Once the song # and<br />
optional PAL/NTSC standard are loaded, simply call the INIT address.<br />
Once init is done, it should perform an RTS.<br />
<br />
<br />
== Playing a tune ==<br />
<br />
Once the tune has been initalized, it can now be played. To do this,<br />
simply call the play address several times a second. How many times<br />
per second is determined by offsets 006eh and 006fh in the file.<br />
These bytes denote the speed of playback in 1/1000000ths of a second. <br />
For the "usual" 60Hz playback rate, set this to 411ah. <br />
<br />
To generate a differing playback rate, use this formula:<br />
<br />
<br />
1000000<br />
PBRATE= ---------<br />
speed<br />
<br />
Where PBRATE is the value you stick into 006e/006fh in the file, and<br />
speed is the desired speed in hertz. <br />
<br />
<br />
== Properly Loading a Tune ==<br />
<br />
* If the tune is bankswitched, go to #3.<br />
<br />
* Load the data into the 6502's address space starting at the specified load address. Go to #4.<br />
<br />
* Load the data into a RAM area, starting at (start_address AND 0fffh).<br />
<br />
* Tune load is done.<br />
<br />
<br />
== Properly Initializing a Tune ==<br />
<br />
* Clear all RAM at 0000h-07ffh.<br />
<br />
* Clear all RAM at 6000h-7fffh.<br />
<br />
* Init the sound registers by writing 00h to 04000-0400Fh, 10h to 4010h, and 00h to 4011h-4013h.<br />
<br />
* Set volume register 04015h to 00fh.<br />
<br />
* If this is a banked tune, load the bank values from the header into 5ff8-5fffh.<br />
<br />
* Set the accumulator and X registers for the desired song.<br />
<br />
* Call the music init routine.<br />
<br />
<br />
== Properly Playing a Tune ==<br />
<br />
Call the play address of the music at periodic intervals determined by the speed words. Which word to use is determined by which mode you are in- PAL or NTSC.<br />
<br />
== Adding DPCM ==<br />
There is a large section on how to deal with DPCM samples in the [http://www.zophar.net/tech/files/NESAudioRipping.TXT NES Music Ripping Guide], but the basic information on DPCM is that writes to $4012 and $4013 access sample data stored at and between $c000 and $ffff.<br />
<br />
Writes to $4012 determine the location of the sample data. The value written to $4012, multiplied by 0040h, plus 0c000h, is the point in ROM space the sample starts.<br />
<br />
Writes to $4013 determine the length of the sample data. The value written to $4013, multiplied by 0010h, plus 1, is the length of the sample data.<br />
<br />
If 00h is written to $4012 and $4013, the sample would be located at $c000, and would be 1 byte in length. If 0080h is written to $4012 and $4013, the sample would be located at $e000, and would be 0x801 bytes in length.<br />
<br />
DPCM samples can be attached to an NSF by either relocating the neccesary data, or by including the banks with the DPCM data in the NSF. Relocating the data correctly will often lead to a smaller file size, but including the original data in it's original location is usually easier to do.<br />
<br />
== Sound Chip Support ==<br />
Byte 007bh of the file stores the sound chip flags. If a particular flag is set, those sound registers should be enabled. If the flag is clear, then those registers should be disabled. All I/O registers within 8000-FFFF are ''write only'' and must not disrupt music code that happens to be stored there.<br />
<br />
=== VRCVI ===<br />
* Uses registers 9000-9002, A000-A002, and B000-B002, write only. See [[VRC6 Audio]] for more information.<br />
* Note: The A0 and A1 lines are flipped on a few games! If you rip the music and it sounds all funny, flip around the xxx1 and xxx2 register pairs. (i.e. 9001 and 9002) 9000 and 9003 can be left untouched. I decided to do this since it would make things easier all around, and this means you only will have to change the music code in a very few places (6). Esper2 and Madara will need this change, while Castlevania 3j will not for instance.<br />
<br />
=== VRCVII ===<br />
* Uses registers 9010 and 9030, write only. See [[VRC7 Audio]] for more information.<br />
<br />
=== FDS Sound ===<br />
* Uses registers from 4040 through 4092. See [[FDS Audio]] for more information.<br />
<br />
Notes:<br />
* 6000-DFFF is assumed to be RAM, since 6000-DFFF is RAM on the FDS. E000-FFFF is usually not included in FDS games because it is the BIOS ROM. However, it can be used on FDS rips to help the ripper (for modified play/init addresses).<br />
* Bankswitching operates slightly different on FDS tunes. 5FF6 and 5FF7 control the banks 6000-6FFF and 7000-7FFF respectively. NSF header offsets 76h and 77h correspond to *both* 6000-7FFF *AND* E000-FFFF. Keep this in mind!<br />
<br />
=== MMC5 Sound ===<br />
* Uses registers 5000-5015, write only as well as 5205 and 5206, and 5C00-5FF5. see [[MMC5 Audio]] for more information.<br />
<br />
Notes:<br />
* 5205 and 5206 are a hardware 8*8 multiplier. The idea being you write your two bytes to be multiplied into 5205 and 5206 and after doing so, you read the result back out.<br />
* 5C00-5FF5 should be RAM to emulate EXRAM while in MMC5 mode.<br />
<br />
=== Namco 106 Sound ===<br />
* Uses registers 4800 and F800. See [[Namco 106 Audio]] for more information.<br />
<br />
=== Sunsoft FME-07 Sound ===<br />
* Uses registers C000 and E000. See [[Sunsoft Audio]] for more information.<br />
<br />
== Caveats ==<br />
# The starting song number and maximum song numbers start counting at 1, while the init address of the tune starts counting at 0. To "fix", simply pass the desired song number minus 1 to the init routine.<br />
# The NTSC speed word is used *only* for NTSC tunes, or dual PAL/NTSC tunes. The PAL speed word is used *only* for PAL tunes, or dual PAL/NTSC tunes.<br />
# The length of the text in the name, artist, and copyright fields must be 31 characters or less! There has to be at least a single NULL byte (00h) after the text, between fields.<br />
# If a field is not known (name, artist, copyright) then the field must contain the string "<?>" (without quotes). <br />
# There should be 8K of RAM present at 6000-7FFFh. MMC5 tunes need RAM at 5C00-5FF7 to emulate its EXRAM. 8000-FFFF should be read-only (not writable) after a tune has loaded. The only time this area should be writable is if an FDS tune is being played.<br />
# Do not assume the state of *anything* on entry to the init routine except A and X. Y can be anything, as can the flags. <br />
# Do not assume the state of *anything* on entry to the play routine either. Flags, X, A, and Y could be at any state. I've fixed about 10 tunes because of this problem and the problem, above.<br />
# The stack sits at 1FFh and grows down. Make sure the tune does not attempt to use 1F0h-1FFh for variables. (Armed Dragon Villigust did and I had to relocate its RAM usage to 2xx)<br />
# Variables should sit in the 0000h-07FFh area *only*. If the tune writes outside this range, say 1400h this is bad and should be relocated. (Terminator 3 did this and I relocated it to 04xx).<br />
<br />
== Using FCEUXDSP ==<br />
Ripping can be made much easier by using this relatively new NES debugging emulator.<br />
<br />
By breakpointing writes to $4015, then resetting the game, you can often find the part of code that initializes the sound registers(Sound Init), and see if it's doing anything unusual at that point.<br />
<br />
Breaking on writes to $4000 - $400F will usually show you part of the Play routine. Using the 'Step Out' option tends to help show the entry point into the routine.<br />
<br />
Discovering what part of memory changes to choose the next note is helpful in figuring out where the music init is. Breaking on writes to these addresses helps find the Song Init coding, either by visually disecting the code, or by using Step Out to try to find a place to breakpoint, and change the A/X/Y registers, in hopes of choosing a different song, which will confirm that it's a Song Init routine.<br />
<br />
If you load an NSF, you can use the debugger to check for errors without much difficulty. You can also use a trick for debugging that lets you use verified Game memory to test the NSF for correct music information, and Play routine...<br />
<br />
Open a regular game rom, and open the hex viewer, then open the NSF file you want with the Hex viewer open. Run another copy of FCEUXDSP, and load the rom of the game you're working on an NSF of. In the other copy, open it's hex-editor window too. In the emulator with the game running, get some music going, and click-drag downward from 0x200 until you have 0x700 bytes selected, and copy the information to the clipboard. This skips 0x100, where the stack is stored. In the NSF-emulating window's hex editor, paste the info at 0x200, and see if the NSF plays the music correctly. If it does, you can narrow down the amount of info copied selectively, until you get the bit of information it needs to play, and find what routine needs to be adding this info to RAM. Some fixed can consist of a single byte of difference in RAM between the original, and the repaired version of an NSF.</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Code_Types&diff=1694Code Types2006-12-11T23:38:42Z<p>Ugetab: </p>
<hr />
<div>Explanation of what a code type is, and what they're used for here..<br />
<br />
<br />
= <font color="blue">Playstation Systems</font> =<br />
<br />
<br />
== Playstation 2 ==<br />
<br />
==='''Code Breaker'''===<br />
----<br />
<br />
<br />
==='''GameShark (Interact)'''===<br />
----<br />
<br />
<br />
<br />
==='''GameShark (Mad Catz)'''===<br />
----<br />
<br />
<br />
==='''Xploder'''===<br />
----<br />
<br />
== Playstation ==<br />
<br />
==='''Gameshark'''===<br />
----<br />
{| style="border:1px solid #000000; margin: 0; padding:0;" width="100%" cellspacing="0" cellpadding="5""<br />
! Type !! Description !! Example !! Other<br />
<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! 30<br />
| 8-bit constant write || 3XXXXXXX 00YY <br> Writes YY to Address XXXXXXX || NA<br />
|- align="center" style="font-size: 105%; background-color:#d0d8e0; text-align: center; padding:0;"<br />
! 80<br />
| 16-bit constant write || 8XXXXXXX ZZYY <br> Writes ZZYY to Address XXXXXXX || NA<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! 50<br />
| serial repeater || 5000XXYY 00ZZ <br> TTTTTTTT VVVV <br> Writes XX codes, with YY added to the address for each code after TTTTTTTT, and ZZZZ added to the amount for each code after value VVVV || Gameshark 2.2 and higher. May need to seperate pairs of serial codes with a 00000000 0000 code for disk-based gamesharks<br />
|- align="center" style="font-size: 105%; background-color:#d0d8e0; text-align: center; padding:0;"<br />
! E0<br />
| 8-bit equal-to trigger || E0XXXXXX 00YY <br> Activates next code if address 80XXXXXX is equal to YY || Gameshark 2.2 and higher.<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! E1<br />
| 8-bit different-from trigger || E1XXXXXX 00YY <br> Activates next code if address 80XXXXXX is different from YY || Gameshark 2.2(?) and higher.<br />
|- align="center" style="font-size: 105%; background-color:#d0d8e0; text-align: center; padding:0;"<br />
! E2<br />
| 8-bit less-than trigger || E2XXXXXX 00YY <br> Activates next code if address 80XXXXXX is less than YY || Gameshark 2.2 and higher.<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! E3<br />
| 8-bit greater-than trigger || E3XXXXXX 00YY <br> Activates next code if address 80XXXXXX is greater than YY || Gameshark 2.2 and higher.<br />
|- align="center" style="font-size: 105%; background-color:#d0d8e0; text-align: center; padding:0;"<br />
! D0<br />
| 16-bit equal-to trigger || D0XXXXXX YYYY <br> Activates next code if address 80XXXXXX is equal to YYYY || NA<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! D1<br />
| 16-bit different-from trigger || D1XXXXXX YYYY <br> Activates next code if address 80XXXXXX is different from YYYY || Gameshark 2.2 and higher.<br />
|- align="center" style="font-size: 105%; background-color:#d0d8e0; text-align: center; padding:0;"<br />
! D2<br />
| 16-bit less-than trigger || D2XXXXXX YYYY <br> Activates next code if address 80XXXXXX is less than YYYY || Gameshark 2.2 and higher.<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! D3<br />
| 16-bit greater-than trigger || D3XXXXXX YYYY <br> Activates next code if address 80XXXXXX is greater than YYYY || Gameshark 2.2 and higher.<br />
|- align="center" style="font-size: 105%; background-color:#d0d8e0; text-align: center; padding:0;"<br />
! D4<br />
| 16-bit universal joker || D4000000 YYYY <br> Activates next code if the button presses equate to YYYY || Gameshark 2.41 and higher. Needs a button chart<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! D5<br />
| 16-bit codes-on trigger || D5000000 YYYY <br> Activates all codes if buton presses equate to YYYY || Gameshark 2.41 and higher. Needs a button chart<br />
|- align="center" style="font-size: 105%; background-color:#d0d8e0; text-align: center; padding:0;"<br />
! D6<br />
| 16-bit codes-off trigger || D6000000 YYYY <br> Activates all codes if buton presses equate to YYYY || Gameshark 2.41 and higher. Needs a button chart<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! 10<br />
| 16-bit incrementer || 10XXXXXX YYYY <br> Increments value at address 80XXXXXX by YYYY || Gameshark 2.2 and higher. Use with a joker<br />
|- align="center" style="font-size: 105%; background-color:#d0d8e0; text-align: center; padding:0;"<br />
! 11<br />
| 16-bit decrementer || 11XXXXXX YYYY <br> Decrements value at address 80XXXXXX by YYYY || Gameshark 2.2 and higher. Use with a joker<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! 20<br />
| 8-bit incrementer || 20XXXXXX 00YY <br> Increments value at address 80XXXXXX by YY || Gameshark 2.2 and higher. Use with a joker<br />
|- align="center" style="font-size: 105%; background-color:#d0d8e0; text-align: center; padding:0;"<br />
! 21<br />
| 8-bit decrementer || 21XXXXXX 00YY <br> Decrements value at address 80XXXXXX by YY || Gameshark 2.2 and higher. Use with a joker<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! C0<br />
| enable all codes trigger || C0XXXXXX YYYY <br> If value at address 80XXXXXX is equal to YYYY, enable all loaded codes in game. Affects all codes, not just the one this line is used in. || Gameshark 2.41 or higher.<br />
|- align="center" style="font-size: 105%; background-color:#d0d8e0; text-align: center; padding:0;"<br />
! C1<br />
| codes-on delay || C1000000 YYYY <br> Delays codes from being on by YYYY time when game starts. 4000-5000 should give 20-30 seconds. || NA<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! C2<br />
| copy memory || C2XXXXXX YYYY <br> 80ZZZZZZ 0000 <br> Copy YYYY bytes from 80XXXXXX to 80ZZZZZZ. Could be used for copying large sets of complex character stats from one character to another, like working-magic-only, if serial repeater won't work || NA<br />
<br />
|}<br />
<br />
==='''Xploder/Codebreaker'''===<br />
----<br />
{| style="border:1px solid #000000; margin: 0; padding:0;" width="100%" cellspacing="0" cellpadding="5""<br />
! Type !! Description !! Example !! Other<br />
<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! 30<br />
| 8-bit constant write || 3XXXXXXX 00YY <br> Writes YY to Address XXXXXXX || NA<br />
|- align="center" style="font-size: 105%; background-color:#d0d8e0; text-align: center; padding:0;"<br />
! 80<br />
| 16-bit constant write || 8XXXXXXX ZZYY <br> Writes ZZYY to Address XXXXXXX || NA<br />
|- align="center" style="font-size: 105%; background-color:#cedff2; text-align: center; padding:0;"<br />
! 70<br />
| 16-bit equal-to trigger || 70XXXXXX YYYY <br> Activates next code if address 80XXXXXX is equal to YYYY || NA<br />
<br />
|}<br />
<br />
==='''Action Replay'''===<br />
----<br />
<br />
<br />
==='''Gold Finger'''===<br />
----<br />
<br />
<br />
==='''Caetla'''===<br />
----<br />
<br />
= <font color="blue">Nintendo Systems</font> =<br />
<br />
<br />
== GameCube ==<br />
<br />
<br />
==='''Action Replay'''===<br />
----<br />
<br />
== Nintendo 64 ==<br />
<br />
<br />
==='''GameShark'''===<br />
----<br />
<br />
== GameBoy Advance ==<br />
<br />
<br />
<br />
==='''Codebreaker Advance'''===<br />
----<br />
<br />
<br />
==='''GameShark Advance (Interact)'''===<br />
----<br />
<br />
<br />
==='''GameShark Advance (Mad Catz)'''===<br />
----<br />
<br />
<br />
==='''Action Replay'''===<br />
----<br />
<br />
<br />
== Nintendo DS ==<br />
<br />
==='''Codebreaker Advance'''===<br />
----<br />
<br />
<br />
= <font color="blue">Sega Systems</font> =<br />
<br />
<br />
<br />
== Dreamcast ==<br />
<br />
==='''GameShark CDX'''===<br />
----<br />
<br />
<br />
==='''Codebreaker'''===<br />
----<br />
<br />
== Saturn ==<br />
<br />
==='''GameShark'''===<br />
----</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Caetla&diff=1693Caetla2006-12-11T23:35:35Z<p>Ugetab: Reverted edits by Goquendo (Talk); changed back to last version by LiquidManZero</p>
<hr />
<div>Originally produced by kcomm for use as a development tool, it was soon leaked onto the internet. Later versions had a massive flaw in that they stored codes on a special memory card file. The problem with this is that the program to create the file seems not to exist.<br />
<br />
Most versions of Caetla could be used to run out of region and pirated discs on an unmodified playstation.</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Game_Enhancer&diff=1671Game Enhancer2006-12-09T04:30:31Z<p>Ugetab: </p>
<hr />
<div>A game enhancer is a device, usually a cartridge or a CD/DVD, which is used for altering a games memory, which allows access to hidden content or typical cheats.<br />
<br />
== List of Game Enhancers ==<br />
[[Action Replay]]<br><br />
[[Caetla]]<br><br />
[[Codebreaker]]<Br><br />
[[Game Genie]]<br><br />
[[Gameshark]]<br><br />
[[Gold Finger]]<br><br />
[[Xploder]]<br></div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Unhacked:_Playstation&diff=1665Unhacked: Playstation2006-12-07T18:08:22Z<p>Ugetab: </p>
<hr />
<div>{| border="1"<br />
|+ Unhacked PlayStation Games<br />
! Game !! License Code(s) !! Hacker(s) attempting hacks !! Attempt start date<br />
|-<br />
! Activision Classics<br />
| SLUS-00777<br />
|<br />
|<br />
|-<br />
! [[Chronicles of the Sword]]<br />
| SCUS-94700<br />
SCUS-94701<br />
|<br />
|-<br />
! Nova Storm<br />
| SCUS-94404<br />
SCUS-94707<br />
|<br />
|-<br />
! Pshychic Detective<br />
| SLUS-00165-7<br />
|<br />
|<br />
|-<br />
! Zoop<br />
| SLUS-00078<br />
|<br />
|<br />
|-<br />
|}<br />
<br />
<br />
== Related ==<br />
*[[Unhacked: Index|Unhacked Games Index]]</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=SA1&diff=1660SA12006-12-06T22:26:05Z<p>Ugetab: </p>
<hr />
<div>== Overview ==<br />
The SNES SA1 chip is an expansion chip added to an SNES cart that both contains a portion of the game's coding, and executes that portion of code to affect normal SNES RAM, and the additional RAM accessed primarily by the SA1 chip programming. The additional RAM is also accessible by the SNES CPU's instructions.<br />
<br />
There is no current information concerning hardware-based tests with Game Genie codes that change portions of ROM residing within the SA1.<br />
<br />
== Memory Mapping Comparison ==<br />
Region 30:0000 - 30:3FFF is SA1 related due to the fact that some RAM is 00 mapped for SA1-using games:<br />
<br />
Writes from the SNES CPU to 00:0000 - 00:3FFF region to change a mirrored region at 30:0000 - 30:3FFF region<br />
<br />
00:0000 - 00:3FFF<br><br />
30:0000 - 30:3FFF<br />
<br />
SA1 Address:<br />
Reads/Writes to these addresses from the SA1 CPU translate to the below CPU-accessible addresses in SNES memory<br><br />
00:4000 - 00:7FFF<br><br />
CPU Address:<br><br />
40:0000 - 40:3FFF<br />
<br />
SA1 Address Testing:<br><br />
If you wish to test writes made by the SA1 to memory, and see what area is changed, you can use the following code with Super Mario RPG (US), while in a 3D stage. You should fall through the ground, and be unaligned with the map, but have the value FE written to the address you chose.<br />
<br />
Test SA1 Memory Writes (2 byte addresses, 0xFE written)<br><br />
C9C374A9<br><br />
C9C375FE<br><br />
C9C378FF<br><br />
C9C3793F<br />
<br />
Load value 0x00FE to write(could be made to load a 2-byte value)<br><br />
C9C374A9<br><br />
C9C375FE<br />
<br />
Address to write to(Writes to 3FFF with these values)<br><br />
C9C378FF<br><br />
C9C3793F</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Main_Page&diff=1538Main Page2006-12-01T17:57:08Z<p>Ugetab: </p>
<hr />
<div>Please follow the [[GSHI:Guidelines]] when contributing to the wiki<br><br />
<H1>Game Systems Headquarters International</H1><br />
{| style="border:1px solid #aaaaaa; margin: 0; padding:0;" width="25%" cellspacing="0" cellpadding="5" align="right"<br />
|- valign="top" style="font-size: 105%; background-color:#98FB98; border-bottom:1px solid #aaaaaa; text-align: center; padding:0;"<br />
| '''Featured Page'''<br />
|- style="background:#ffffff; padding:0.2em 0.4em 0.2em 0.4em; text-align: center;"<br />
|<br />
<br><br />
[[Assembly Hacking]]<br />
|}<br />
<blockquote>GSHI is a longstanding collaborative group of code hackers, who have contributed many, many codes to the scene, for such cheat systems as Gameshark, Action Replay, CodeBreaker, and Game Genie. The website and forums were started by and are currently coadministrated by the member who calls himself Lazy Bastard. Many people who use these cheat systems and devices are unaware that the companies who manufacture and market them use websites and communities such as GSHI to produce and distribute the codes that cause them to be as popular as they are. <BR><BR>The website is located here: http://www.gshi.org<BR>The community itself gathers at the website's home forums, located here: http://www.gshi.org/vb/</blockquote><br />
<br><br />
{| style="border:1px solid #aaaaaa; margin: 0; padding:0;" cellspacing="0" cellpadding="5" align="right"<br />
|- valign="top" style="font-size: 105%; background-color:#FFDEAD; border-bottom:1px solid #aaaaaa; text-align: center; padding:0;" align="center"<br />
| '''Pages that need information'''<br />
|- style="background:#ffffff; padding:0.2em 0.4em 0.2em 0.4em;"<br />
|<br />
* [[GSHI]]<br />
* [[Code Types]]<br />
* [[Game Genie]]<br />
* [[Action Replay]]<br />
* [[Codebreaker]]<br />
* [[Gameshark]]<br />
* [[Xploder]]<br />
* [[GCNrd]]<br />
* [[CMGSCCC]]<br />
* [[GSCentral]]<br />
|}</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Help:Contents&diff=1536Help:Contents2006-12-01T03:40:44Z<p>Ugetab: </p>
<hr />
<div>A basic statement concerning why this wiki exists, and how it was intended to be used can be found here:<br><br />
http://www.gshi.org/wiki/index.php/GSHI:Guidelines<br />
<br />
Several good explainations on how to effectively edit pages can be found here:<br><br />
http://en.wikipedia.org/wiki/Help:Contents/Editing_Wikipedia<br />
<br />
If you wish to experiment, you are free to use your own user page to test editing methods. Using the preview button when testing changes to your own page and wiki articles will help prevent the need to edit pages multiple times to fix errors you make.</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Wiki_-_GameHacking.org:Guidelines&diff=1535Wiki - GameHacking.org:Guidelines2006-12-01T03:33:28Z<p>Ugetab: </p>
<hr />
<div>The primary guidelines for using this wiki are that you should be providing information relavent to hacking, discussing said content, or simply viewing the content available.<br />
<br />
This wiki is not a forum, and wasn't intended to be. Discussions that are limited to users' personal pages aren't strictly required to follow an orientation towards hacking, but are required to be civil.<br />
<br />
I believe that the topic shown at wikipedia concerning their view of civility will suffice if you've never recognized civil behavior for yourself, or find the meaning unclear:<br><br />
[http://en.wikipedia.org/wiki/WP:CIV Civility]<br />
<br />
Other wikipedia standards may be adopted in the future, if problems in comprehension arise.</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=User_talk:Lemmayoshi&diff=1534User talk:Lemmayoshi2006-12-01T02:38:40Z<p>Ugetab: </p>
<hr />
<div>Leave the insults to The Pit in the forums.</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Main_Page&diff=1521Main Page2006-11-30T22:09:03Z<p>Ugetab: </p>
<hr />
<div><H1>Game Systems Headquarters International</H1><br />
{| style="border:1px solid #aaaaaa; margin: 0; padding:0;" width="25%" cellspacing="0" cellpadding="5" align="right"<br />
|- valign="top" style="font-size: 105%; background-color:#98FB98; border-bottom:1px solid #aaaaaa; text-align: center; padding:0;"<br />
| '''Featured Page'''<br />
|- style="background:#ffffff; padding:0.2em 0.4em 0.2em 0.4em; text-align: center;"<br />
|<br />
<br><br />
[[Assembly Hacking]]<br />
|}<br />
<blockquote>GSHI is a longstanding collaborative group of code hackers, who have contributed many, many codes to the scene, for such cheat systems as Gameshark, Action Replay, CodeBreaker, and Game Genie. The website and forums were started by and are currently coadministrated by the member who calls himself Lazy Bastard. Many people who use these cheat systems and devices are unaware that the companies who manufacture and market them use websites and communities such as GSHI to produce and distribute the codes that cause them to be as popular as they are. <BR><BR>The website is located here: http://www.gshi.org<BR>The community itself gathers at the website's home forums, located here: http://www.gshi.org/vb/</blockquote><br />
<br><br />
{| style="border:1px solid #aaaaaa; margin: 0; padding:0;" cellspacing="0" cellpadding="5" align="right"<br />
|- valign="top" style="font-size: 105%; background-color:#FFDEAD; border-bottom:1px solid #aaaaaa; text-align: center; padding:0;" align="center"<br />
| '''Pages that need information'''<br />
|- style="background:#ffffff; padding:0.2em 0.4em 0.2em 0.4em;"<br />
|<br />
* [[GSHI]]<br />
* [[Code Types]]<br />
* [[Game Genie]]<br />
* [[Action Replay]]<br />
* [[Codebreaker]]<br />
* [[Gameshark]]<br />
* [[Xploder]]<br />
* [[GCNrd]]<br />
* [[CMGSCCC]]<br />
* [[GSCentral]]<br />
|}</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Game_Genie&diff=1519Game Genie2006-11-30T22:08:30Z<p>Ugetab: Game genie moved to Game Genie</p>
<hr />
<div>Game Genie starter page.</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Code_Types&diff=1518Code Types2006-11-30T21:59:42Z<p>Ugetab: </p>
<hr />
<div>Explanation of what a code type is, and what they're used for here..<br />
<br />
<br />
= <font color="blue">Playstation Systems</font> =<br />
<br />
<br />
== Playstation 2 ==<br />
<br />
==='''Code Breaker'''===<br />
----<br />
<br />
<br />
==='''GameShark (Interact)'''===<br />
----<br />
<br />
<br />
<br />
==='''GameShark (Mad Catz)'''===<br />
----<br />
<br />
<br />
==='''Xploder'''===<br />
----<br />
<br />
== Playstation ==<br />
<br />
==='''Gameshark'''===<br />
----<br />
{| style="border:1px solid #000000; margin: 0; padding:0;" width="100%" cellspacing="0" cellpadding="5""<br />
! Type !! Description !! Example !! Other<br />
<br />
|- align="center" style="font-size: 105%; background-color:#ccffff; text-align: center; padding:0;"<br />
! 30<br />
| 8-bit constant write || 3XXXXXXX 00YY <br> Writes YY to Address XXXXXXX || NA<br />
|- align="center" style="font-size: 105%; background-color:#ffffff; text-align: center; padding:0;"<br />
! 80<br />
| 16-bit constant write || 8XXXXXXX ZZYY <br> Writes ZZYY to Address XXXXXXX || NA<br />
|- align="center" style="font-size: 105%; background-color:#ccffff; text-align: center; padding:0;"<br />
! 50<br />
| serial repeater || 5000XXYY 00ZZ <br> TTTTTTTT VVVV <br> Writes XX codes, with YY added to the address for each code after TTTTTTTT, and ZZZZ added to the amount for each code after value VVVV || Gameshark 2.41 and higher. May need to seperate pairs of serial codes with a 00000000 0000 code for disk-based gamesharks<br />
|- align="center" style="font-size: 105%; background-color:#ffffff; text-align: center; padding:0;"<br />
! E0<br />
| 8-bit equal-to joker || E0XXXXXX 00YY <br> Activates next code if address 80XXXXXX is equal to YY || NA<br />
|- align="center" style="font-size: 105%; background-color:#ccffff; text-align: center; padding:0;"<br />
! E1<br />
| 8-bit different-from joker || E1XXXXXX 00YY <br> Activates next code if address 80XXXXXX is different from YY || NA<br />
|- align="center" style="font-size: 105%; background-color:#ffffff; text-align: center; padding:0;"<br />
! E2<br />
| 8-bit less-than joker || E2XXXXXX 00YY <br> Activates next code if address 80XXXXXX is less than YY || NA<br />
|- align="center" style="font-size: 105%; background-color:#ccffff; text-align: center; padding:0;"<br />
! E3<br />
| 8-bit greater-than joker || E3XXXXXX 00YY <br> Activates next code if address 80XXXXXX is greater than YY || NA<br />
|- align="center" style="font-size: 105%; background-color:#ffffff; text-align: center; padding:0;"<br />
! D0<br />
| 16-bit equal-to joker || D0XXXXXX YYYY <br> Activates next code if address 80XXXXXX is equal to YYYY || NA<br />
|- align="center" style="font-size: 105%; background-color:#ccffff; text-align: center; padding:0;"<br />
! D1<br />
| 16-bit different-from joker || D1XXXXXX YYYY <br> Activates next code if address 80XXXXXX is different from YYYY || NA<br />
|- align="center" style="font-size: 105%; background-color:#ffffff; text-align: center; padding:0;"<br />
! D2<br />
| 16-bit less-than joker || D2XXXXXX YYYY <br> Activates next code if address 80XXXXXX is less than YYYY || NA<br />
|- align="center" style="font-size: 105%; background-color:#ccffff; text-align: center; padding:0;"<br />
! D3<br />
| 16-bit greater-than joker || D3XXXXXX YYYY <br> Activates next code if address 80XXXXXX is greater than YYYY || NA<br />
|- align="center" style="font-size: 105%; background-color:#ffffff; text-align: center; padding:0;"<br />
! D4<br />
| 16-bit universal joker || D4000000 YYYY <br> Activates next code if the button presses equate to YYYY || Needs a button chart<br />
|- align="center" style="font-size: 105%; background-color:#ccffff; text-align: center; padding:0;"<br />
! D5<br />
| 16-bit codes-on joker || D5000000 YYYY <br> Activates all codes if buton presses equate to YYYY || Needs a button chart<br />
|- align="center" style="font-size: 105%; background-color:#ffffff; text-align: center; padding:0;"<br />
! D6<br />
| 16-bit codes-off joker || D6000000 YYYY <br> Activates all codes if buton presses equate to YYYY || Needs a button chart<br />
|- align="center" style="font-size: 105%; background-color:#ccffff; text-align: center; padding:0;"<br />
! 10<br />
| 16-bit incrementer || 10XXXXXX YYYY <br> Increments value at address 80XXXXXX by YYYY || Use with a joker<br />
|- align="center" style="font-size: 105%; background-color:#ffffff; text-align: center; padding:0;"<br />
! 11<br />
| 16-bit decrementer || 11XXXXXX YYYY <br> Decrements value at address 80XXXXXX by YYYY || Use with a joker<br />
|- align="center" style="font-size: 105%; background-color:#ccffff; text-align: center; padding:0;"<br />
! 20<br />
| 8-bit incrementer || 20XXXXXX 00YY <br> Increments value at address 80XXXXXX by YY || Use with a joker<br />
|- align="center" style="font-size: 105%; background-color:#ffffff; text-align: center; padding:0;"<br />
! 21<br />
| 8-bit decrementer || 21XXXXXX 00YY <br> Decrements value at address 80XXXXXX by YY || Use with a joker<br />
|- align="center" style="font-size: 105%; background-color:#ccffff; text-align: center; padding:0;"<br />
! C1<br />
| codes-on delay || C1000000 YYYY <br> Delays codes from being on by YYYY time when game starts. 4000-5000 should give 20-30 seconds. || NA<br />
|- align="center" style="font-size: 105%; background-color:#ffffff; text-align: center; padding:0;"<br />
! C2<br />
| copy memory || C2XXXXXX YYYY <br> 80ZZZZZZ 0000 <br> Copy YYYY bytes from 80XXXXXX to 80ZZZZZZ. Could be used for copying large sets of complex character stats from one character to another, like working-magic-only, if serial repeater won't work || NA<br />
<br />
|}<br />
<br />
<br />
==='''Xploder/Codebreaker'''===<br />
----<br />
<br />
<br />
==='''Action Replay'''===<br />
----<br />
<br />
<br />
==='''Gold Finger'''===<br />
----<br />
<br />
<br />
==='''Caetla'''===<br />
----<br />
<br />
= <font color="blue">Nintendo Systems</font> =<br />
<br />
<br />
== GameCube ==<br />
<br />
<br />
==='''Action Replay'''===<br />
----<br />
<br />
== Nintendo 64 ==<br />
<br />
<br />
==='''GameShark'''===<br />
----<br />
<br />
== GameBoy Advance ==<br />
<br />
<br />
<br />
==='''Codebreaker Advance'''===<br />
----<br />
<br />
<br />
==='''GameShark Advance (Interact)'''===<br />
----<br />
<br />
<br />
==='''GameShark Advance (Mad Catz)'''===<br />
----<br />
<br />
<br />
==='''Action Replay'''===<br />
----<br />
<br />
= <font color="blue">Sega Systems</font> =<br />
<br />
<br />
<br />
== Dreamcast ==<br />
<br />
==='''GameShark CDX'''===<br />
----<br />
<br />
<br />
==='''Codebreaker'''===<br />
----<br />
<br />
== Saturn ==<br />
<br />
==='''GameShark'''===<br />
----</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Code_Types&diff=1517Code Types2006-11-30T21:54:25Z<p>Ugetab: /* Playstation */</p>
<hr />
<div>Explanation of what a code type is, and what they're used for here..<br />
<br />
<br />
== <font color="blue">Playstation Systems</font> ==<br />
<br />
<br />
=== Playstation 2 ===<br />
<br />
'''Code Breaker'''<br />
----<br />
<br />
<br />
<br />
'''GameShark (Interact)'''<br />
----<br />
<br />
<br />
<br />
<br />
'''GameShark (Mad Catz)'''<br />
----<br />
<br />
<br />
<br />
'''Xploder'''<br />
----<br />
<br />
<br />
=== Playstation ===<br />
<br />
'''Gameshark'''<br />
----<br />
{| style="border:1px solid #000000; margin: 0; padding:0;" width="100%" cellspacing="0" cellpadding="5""<br />
! Type !! Description !! Example !! Other<br />
<br />
|- align="center" style="font-size: 105%; background-color:#ccffff; text-align: center; padding:0;"<br />
! 30<br />
| 8-bit constant write || 3XXXXXXX 00YY <br> Writes YY to Address XXXXXXX || NA<br />
|- align="center" style="font-size: 105%; background-color:#ffffff; text-align: center; padding:0;"<br />
! 80<br />
| 16-bit constant write || 8XXXXXXX ZZYY <br> Writes ZZYY to Address XXXXXXX || NA<br />
|- align="center" style="font-size: 105%; background-color:#ccffff; text-align: center; padding:0;"<br />
! 50<br />
| serial repeater || 5000XXYY 00ZZ <br> TTTTTTTT VVVV <br> Writes XX codes, with YY added to the address for each code after TTTTTTTT, and ZZZZ added to the amount for each code after value VVVV || Gameshark 2.41 and higher. May need to seperate pairs of serial codes with a 00000000 0000 code for disk-based gamesharks<br />
|- align="center" style="font-size: 105%; background-color:#ffffff; text-align: center; padding:0;"<br />
! E0<br />
| 8-bit equal-to joker || E0XXXXXX 00YY <br> Activates next code if address 80XXXXXX is equal to YY || NA<br />
|- align="center" style="font-size: 105%; background-color:#ccffff; text-align: center; padding:0;"<br />
! E1<br />
| 8-bit different-from joker || E1XXXXXX 00YY <br> Activates next code if address 80XXXXXX is different from YY || NA<br />
|- align="center" style="font-size: 105%; background-color:#ffffff; text-align: center; padding:0;"<br />
! E2<br />
| 8-bit less-than joker || E2XXXXXX 00YY <br> Activates next code if address 80XXXXXX is less than YY || NA<br />
|- align="center" style="font-size: 105%; background-color:#ccffff; text-align: center; padding:0;"<br />
! E3<br />
| 8-bit greater-than joker || E3XXXXXX 00YY <br> Activates next code if address 80XXXXXX is greater than YY || NA<br />
|- align="center" style="font-size: 105%; background-color:#ffffff; text-align: center; padding:0;"<br />
! D0<br />
| 16-bit equal-to joker || D0XXXXXX YYYY <br> Activates next code if address 80XXXXXX is equal to YYYY || NA<br />
|- align="center" style="font-size: 105%; background-color:#ccffff; text-align: center; padding:0;"<br />
! D1<br />
| 16-bit different-from joker || D1XXXXXX YYYY <br> Activates next code if address 80XXXXXX is different from YYYY || NA<br />
|- align="center" style="font-size: 105%; background-color:#ffffff; text-align: center; padding:0;"<br />
! D2<br />
| 16-bit less-than joker || D2XXXXXX YYYY <br> Activates next code if address 80XXXXXX is less than YYYY || NA<br />
|- align="center" style="font-size: 105%; background-color:#ccffff; text-align: center; padding:0;"<br />
! D3<br />
| 16-bit greater-than joker || D3XXXXXX YYYY <br> Activates next code if address 80XXXXXX is greater than YYYY || NA<br />
|- align="center" style="font-size: 105%; background-color:#ffffff; text-align: center; padding:0;"<br />
! D4<br />
| 16-bit universal joker || D4000000 YYYY <br> Activates next code if the button presses equate to YYYY || Needs a button chart<br />
|- align="center" style="font-size: 105%; background-color:#ccffff; text-align: center; padding:0;"<br />
! D5<br />
| 16-bit codes-on joker || D5000000 YYYY <br> Activates all codes if buton presses equate to YYYY || Needs a button chart<br />
|- align="center" style="font-size: 105%; background-color:#ffffff; text-align: center; padding:0;"<br />
! D6<br />
| 16-bit codes-off joker || D6000000 YYYY <br> Activates all codes if buton presses equate to YYYY || Needs a button chart<br />
|- align="center" style="font-size: 105%; background-color:#ccffff; text-align: center; padding:0;"<br />
! 10<br />
| 16-bit incrementer || 10XXXXXX YYYY <br> Increments value at address 80XXXXXX by YYYY || Use with a joker<br />
|- align="center" style="font-size: 105%; background-color:#ffffff; text-align: center; padding:0;"<br />
! 11<br />
| 16-bit decrementer || 11XXXXXX YYYY <br> Decrements value at address 80XXXXXX by YYYY || Use with a joker<br />
|- align="center" style="font-size: 105%; background-color:#ccffff; text-align: center; padding:0;"<br />
! 20<br />
| 8-bit incrementer || 20XXXXXX 00YY <br> Increments value at address 80XXXXXX by YY || Use with a joker<br />
|- align="center" style="font-size: 105%; background-color:#ffffff; text-align: center; padding:0;"<br />
! 21<br />
| 8-bit decrementer || 21XXXXXX 00YY <br> Decrements value at address 80XXXXXX by YY || Use with a joker<br />
|- align="center" style="font-size: 105%; background-color:#ccffff; text-align: center; padding:0;"<br />
! C1<br />
| codes-on delay || C1000000 YYYY <br> Delays codes from being on by YYYY time when game starts. 4000-5000 should give 20-30 seconds. || NA<br />
|- align="center" style="font-size: 105%; background-color:#ffffff; text-align: center; padding:0;"<br />
! C2<br />
| copy memory || C2XXXXXX YYYY <br> 80ZZZZZZ 0000 <br> Copy YYYY bytes from 80XXXXXX to 80ZZZZZZ. Could be used for copying large sets of complex character stats from one character to another, like working-magic-only, if serial repeater won't work || NA<br />
<br />
|}<br />
<br />
<br />
'''Xploder/Codebreaker'''<br />
----<br />
<br />
<br />
<br />
'''Action Replay'''<br />
----<br />
<br />
<br />
<br />
'''Gold Finger'''<br />
----<br />
<br />
<br />
<br />
'''Caetla'''<br />
----<br />
<br />
== <font color="blue">Nintendo Systems</font> ==<br />
<br />
<br />
=== GameCube ===<br />
<br />
<br />
'''Action Replay'''<br />
----<br />
<br />
<br />
=== Nintendo 64 ===<br />
<br />
<br />
'''GameShark'''<br />
----<br />
<br />
<br />
=== GameBoy Advance ===<br />
<br />
<br />
<br />
'''Codebreaker Advance'''<br />
----<br />
<br />
<br />
<br />
'''GameShark Advance (Interact)'''<br />
----<br />
<br />
<br />
<br />
'''GameShark Advance (Mad Catz)'''<br />
----<br />
<br />
<br />
<br />
'''Action Replay'''<br />
----<br />
<br />
<br />
== <font color="blue">Sega Systems</font> ==<br />
<br />
<br />
<br />
=== Dreamcast ===<br />
<br />
'''GameShark CDX'''<br />
----<br />
<br />
<br />
<br />
'''Codebreaker'''<br />
----<br />
<br />
<br />
=== Saturn ===<br />
<br />
'''GameShark'''<br />
----</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Assembly_Hacking&diff=1516Assembly Hacking2006-11-30T21:11:54Z<p>Ugetab: /* Overview */</p>
<hr />
<div>=Overview=<br />
<br />
Assembly hacking is the art of editing a compiled program. Without the source code, and without notes from the source code, one has to deduce almost everything about the underlying code, and how it works with RAM.<br />
<br />
There are several emulators that can aid one in creating a modification for a game. Games for console systems fall into the category of compiled programs, and generally, the source code is unavailable for these games.<br />
<br />
The use of making an assembly hack for a game can be found with the Nintendo Entertainment System (NES) [[Game Genie]].<br />
<br />
The codes that are entered into an NES Game Genie represent single-byte assembly hacks. Any assembly hack that could be done with a change of 3 bytes or less is possible to implement with a single Game Genie. The SNES Game Genie allows up to 5 codes, and 5 bytes of change. While this makes the possible usage of codes very limiting, it didn't prevent single-byte invincibility and infinite lives codes from appearing that could make it unneccesary to use additional codes.<br />
<br />
For more modern assembly hacking of the same systems, emulators that support 50 or more codes for any given game aren't uncommon. The ROMs have been turned into files that can be patched with all the changes needed to give the game a script in a new language. Emulators that aid in the process of making assembly hacks have appeared for many different emulated systems. The effect is that more people are now capable of starting their own projects, and existing projects can be modified and/or repaired more easily.<br />
<br />
=Emulators=<br />
<br />
==NES==<br />
FCEUXDSP<br><br />
http://www.the-interweb.com/serendipity/index.php?/categories/9-FCEUXD-SP<br />
<br />
Setting breakpoints in ROM/RAM<br />
Tools>Debug<br />
<br />
In the breakpoint window, 'Add' the Executable address or Memory address you want.<br><br />
ROM is 8000-FFFF<br><br />
RAM is 0000-07FF, 6000-7FFF<br><br />
0800-3FFF is mirrored from some part of RAM.<br><br />
4000-4015 can be breakpointed if working on an NSF. If the 'Hex Editor' is opened in a normal game, then an NSF is loaded, you can use it to work on NSF RAM, in conjunction with the debugger.<br />
<br />
'Hex Editor' is a memory viewer/modifier.<br />
<br />
==SNES==<br />
Geiger's SNES9X Debugger <br><br />
http://geigercount.net/crypt/ <br><br />
http://www.zophar.net/snes.html<br />
<br />
Setting breakpoints in ROM/RAM<br><br />
Open ROM, Click 'Breakpoints'<br><br />
In the breakpoint window, enter the Executable address or Memory address you want.<br><br />
Standard RAM: 7E0000 - 7FFFFF<br><br />
SA1 RAM: 400000-407FFF, 303000-303FFF<br><br />
HiROM - C00000 - FFFFFF<br><br />
LoROM - 808000-BFFFFF (**0000 - **7FFF doesn't exist)<br />
<br />
If you use the [[SA1]] logger with an SA1-using game, and wish to find an address that changed an address in RAM, you can see if the conversion chart on the [[SA1]] page shows you the address to search for in the log file.<br />
<br />
==Genesis==<br />
Gens Tracer <br><br />
http://www.romhacking.net/?Category=&Console=0&Game=0&Author=0&Recm=&Level=&utilsearch=++Go++&title=Gens+Tracer&dsearch=&page=utils&action=utillist<br />
<br />
No breakpoints, but adequate tracing.<br />
<br />
I've written a guide on the specific usage of the emulator.<br />
<br />
The idea is that you can trace-log writes to and reads from memory, and you can also log all commands, and determine what's happening from the full log, by using what you find from the hook logging.<br />
<br />
<br />
HazeMD <br><br />
http://haze.mameworld.info/<br />
<br />
This emulator is harder to get setup to use a ROM, but comes with a MAME-style debugger. MAME's debugger is well known for being so powerful, considering the number of systems it can be used with when compiled into a build of MAME. The Gens tracer tends to have slightly better compatibility, while the HazeMD emulator has more potential for cheat codes, already having a Cheat system designed to handle multiple CPUs, which could be used for 32x game ROM hacks, and RAM hacks.<br />
<br />
==Gameboy==<br />
BGB <br><br />
http://bgb.bircd.org/<br />
<br />
Load a ROM, and right-click the screen.<br><br />
Other>debug mode enabled: to enable debugging<br><br />
Other>debugger to enter the debugger<br><br />
<br />
Setting breakpoints in ROM/RAM<br><br />
In the debugger window:<br><br />
Debug>breakpoints for execution breakpoints<br><br />
Debug>access breakpoints for read/write breaks.<br><br />
<br />
==Gameboy Advance==<br />
Visual Boy Advance Tracer <br><br />
http://www.romhacking.net/?Category=&Console=10&Game=0&Author=695&Recm=&Level=&utilsearch=++Go++&title=&dsearch=&page=utils&action=utillist<br />
<br />
This emulator uses the Hook Log system. Those familiar with the hook_log Genesis or N64 emulators should have little trouble adapting to this system.<br />
<br />
<br />
Visual Boy Advance <br><br />
http://vba.ngemu.com/downloads.shtml <br><br />
Windows - SDL<br />
<br />
Unfortunately, no cheat device exists that can change the assembly, so hacking it is more a matter of patching the ROM, and less a matter of using it for simple cheats.<br />
<br />
Not documented.<br />
<br />
==Playstation==<br />
PCSX 1.5 With Debugger <br><br />
http://www.romhacking.net/?Category=&Console=0&Game=0&Author=0&Recm=&Level=&utilsearch=++Go++&title=PCSX+1.5+With+Debugger&dsearch=&page=utils&action=utillist<br />
<br />
Press F11 to enter the debugger.<br><br />
On-screen aids should be apparent.<br />
<br />
==N64==<br />
Nemu64 (Project64 debug version for testing, etc.) <br><br />
http://www.nemu.com/downloads.php <br><br />
http://www.thegshi.org/downloads/Project64%20Build%2052%20Debug%20Binary.zip<br />
<br />
Setting execution breakpoints<br><br />
Plugins>Debugger: Commands...<br><br />
To set a break on execution, go to the line that you want to break on, and click in the vertical bar to the left(<) of the address you want to breakpoint.<br />
<br />
Setting breakpoints in RAM<br><br />
Plugins>Debugger: Memory...<br><br />
Enable the read and/or write checkboxes, and right-click the memory space you want to set, unset, or change an access breakpoint on.<br />
<br />
<br />
Some games don't run in Nemu, so you may have to switch to this hook_log based emulator if you want the codes <br><br />
http://www.romhacking.net/?Category=&Console=27&Game=0&Author=0&Recm=&Level=&utilsearch=++Go++&title=tracer&dsearch=&page=utils&action=utillist<br />
<br />
The hook_log system is a little bit more demanding to use than a visual debugger, but with compatibility issues, it's better than lucky to have a second usable debugging emulator. The save-states can be decompressed, and loaded in their decompressed form if needed<br />
<br />
An issue with this emulator is that not all instructions are logged, but it's still worth knowing about for the fact that many instructions are logged, and it can be used with write logging.</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Assembly_Hacking&diff=1513Assembly Hacking2006-11-30T19:30:55Z<p>Ugetab: </p>
<hr />
<div>=Overview=<br />
<br />
Assembly hacking is the art of editing a compiled program. Without the source code, and without notes from the source code, one has to deduce almost everything about the underlying code, and how it works with RAM.<br />
<br />
There are several emulators that can aid one in creating a modification for a game. Games for console systems fall into the category of compiled programs, and generally, the source code is unavailable for these games.<br />
<br />
The use of making an assembly hack for a game can be found with the Nintendo Entertainment System (NES) [[Game Genie]].<br />
<br />
The codes are were entered into an NES Game Genie represented single-byte assembly hacks. Any assembly hack that could be done with a change of 3 bytes or less was possible to implement with a single Game Genie. The SNES Game Genie allowed up to 5 codes, and 5 bytes of change. While this makes the possible usage of codes very limiting, it didn't prevent single-line invincibility and infinite lives codes from appearing that could make it unneccesary to use additional codes.<br />
<br />
For more modern assembly hacking of the same systems, emulators that support 50 or more codes for any given game aren't uncommon. The ROMs have been turned into files that can be patched with all the changes needed to give the game a script in a new language. Emulators that aid in the process of making assembly hacks have appeared for many different emulated systems. The effect is that more people are now capable of starting their own projects, and existing projects can be modified and/or repaired more easily.<br />
<br />
=Emulators=<br />
<br />
==NES==<br />
FCEUXDSP<br><br />
http://www.the-interweb.com/serendipity/index.php?/categories/9-FCEUXD-SP<br />
<br />
Setting breakpoints in ROM/RAM<br />
Tools>Debug<br />
<br />
In the breakpoint window, 'Add' the Executable address or Memory address you want.<br><br />
ROM is 8000-FFFF<br><br />
RAM is 0000-07FF, 6000-7FFF<br><br />
0800-3FFF is mirrored from some part of RAM.<br><br />
4000-4015 can be breakpointed if working on an NSF. If the 'Hex Editor' is opened in a normal game, then an NSF is loaded, you can use it to work on NSF RAM, in conjunction with the debugger.<br />
<br />
'Hex Editor' is a memory viewer/modifier.<br />
<br />
==SNES==<br />
Geiger's SNES9X Debugger <br><br />
http://geigercount.net/crypt/ <br><br />
http://www.zophar.net/snes.html<br />
<br />
Setting breakpoints in ROM/RAM<br><br />
Open ROM, Click 'Breakpoints'<br><br />
In the breakpoint window, enter the Executable address or Memory address you want.<br><br />
Standard RAM: 7E0000 - 7FFFFF<br><br />
SA1 RAM: 400000-407FFF, 303000-303FFF<br><br />
HiROM - C00000 - FFFFFF<br><br />
LoROM - 808000-BFFFFF (**0000 - **7FFF doesn't exist)<br />
<br />
If you use the [[SA1]] logger with an SA1-using game, and wish to find an address that changed an address in RAM, you can see if the conversion chart on the [[SA1]] page shows you the address to search for in the log file.<br />
<br />
==Genesis==<br />
Gens Tracer <br><br />
http://www.romhacking.net/?Category=&Console=0&Game=0&Author=0&Recm=&Level=&utilsearch=++Go++&title=Gens+Tracer&dsearch=&page=utils&action=utillist<br />
<br />
No breakpoints, but adequate tracing.<br />
<br />
I've written a guide on the specific usage of the emulator.<br />
<br />
The idea is that you can trace-log writes to and reads from memory, and you can also log all commands, and determine what's happening from the full log, by using what you find from the hook logging.<br />
<br />
<br />
HazeMD <br><br />
http://haze.mameworld.info/<br />
<br />
This emulator is harder to get setup to use a ROM, but comes with a MAME-style debugger. MAME's debugger is well known for being so powerful, considering the number of systems it can be used with when compiled into a build of MAME. The Gens tracer tends to have slightly better compatibility, while the HazeMD emulator has more potential for cheat codes, already having a Cheat system designed to handle multiple CPUs, which could be used for 32x game ROM hacks, and RAM hacks.<br />
<br />
==Gameboy==<br />
BGB <br><br />
http://bgb.bircd.org/<br />
<br />
Load a ROM, and right-click the screen.<br><br />
Other>debug mode enabled: to enable debugging<br><br />
Other>debugger to enter the debugger<br><br />
<br />
Setting breakpoints in ROM/RAM<br><br />
In the debugger window:<br><br />
Debug>breakpoints for execution breakpoints<br><br />
Debug>access breakpoints for read/write breaks.<br><br />
<br />
==Gameboy Advance==<br />
Visual Boy Advance Tracer <br><br />
http://www.romhacking.net/?Category=&Console=10&Game=0&Author=695&Recm=&Level=&utilsearch=++Go++&title=&dsearch=&page=utils&action=utillist<br />
<br />
This emulator uses the Hook Log system. Those familiar with the hook_log Genesis or N64 emulators should have little trouble adapting to this system.<br />
<br />
<br />
Visual Boy Advance <br><br />
http://vba.ngemu.com/downloads.shtml <br><br />
Windows - SDL<br />
<br />
Unfortunately, no cheat device exists that can change the assembly, so hacking it is more a matter of patching the ROM, and less a matter of using it for simple cheats.<br />
<br />
Not documented.<br />
<br />
==Playstation==<br />
PCSX 1.5 With Debugger <br><br />
http://www.romhacking.net/?Category=&Console=0&Game=0&Author=0&Recm=&Level=&utilsearch=++Go++&title=PCSX+1.5+With+Debugger&dsearch=&page=utils&action=utillist<br />
<br />
Press F11 to enter the debugger.<br><br />
On-screen aids should be apparent.<br />
<br />
==N64==<br />
Nemu64 (Project64 debug version for testing, etc.) <br><br />
http://www.nemu.com/downloads.php <br><br />
http://www.thegshi.org/downloads/Project64%20Build%2052%20Debug%20Binary.zip<br />
<br />
Setting execution breakpoints<br><br />
Plugins>Debugger: Commands...<br><br />
To set a break on execution, go to the line that you want to break on, and click in the vertical bar to the left(<) of the address you want to breakpoint.<br />
<br />
Setting breakpoints in RAM<br><br />
Plugins>Debugger: Memory...<br><br />
Enable the read and/or write checkboxes, and right-click the memory space you want to set, unset, or change an access breakpoint on.<br />
<br />
<br />
Some games don't run in Nemu, so you may have to switch to this hook_log based emulator if you want the codes <br><br />
http://www.romhacking.net/?Category=&Console=27&Game=0&Author=0&Recm=&Level=&utilsearch=++Go++&title=tracer&dsearch=&page=utils&action=utillist<br />
<br />
The hook_log system is a little bit more demanding to use than a visual debugger, but with compatibility issues, it's better than lucky to have a second usable debugging emulator. The save-states can be decompressed, and loaded in their decompressed form if needed<br />
<br />
An issue with this emulator is that not all instructions are logged, but it's still worth knowing about for the fact that many instructions are logged, and it can be used with write logging.</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=SA1&diff=1511SA12006-11-30T18:32:30Z<p>Ugetab: </p>
<hr />
<div>==Overview==<br />
The SNES SA1 chip is an expansion chip added to an SNES cart that both contains a portion of the game's coding, and executes that portion of code to affect normal SNES RAM, and the additional RAM accessed primarily by the SA1 chip programming. The additional RAM is also accessible by the SNES CPU's instructions.<br />
<br />
<br />
There is no current information concerning hardware-based tests with Game Genie codes that change portions of ROM residing within the SA1.<br />
<br />
==Memory Mapping Comparison==<br />
Region 30:0000 - 30:3FFF is SA1 related due to the fact that some RAM is 00 mapped for SA1-using games:<br />
<br />
Writes from the SNES CPU to 00:0000 - 00:3FFF region to change a mirrored region at 30:0000 - 30:3FFF region<br />
<br />
00:0000 - 00:3FFF<br />
30:0000 - 30:3FFF<br />
<br />
SA1 Address:<br />
Reads/Writes to these addresses from the SA1 CPU translate to the below CPU-accessible addresses in SNES memory<br />
00:4000 - 00:7FFF<br />
CPU Address:<br />
40:0000 - 40:3FFF<br />
<br />
SA1 Address Testing:<br />
If you wish to test writes made by the SA1 to memory, and see what area is changed, you can use the following code with Super Mario RPG (US), while in a 3D stage. You should fall through the ground, and be unaligned with the map, but have the value FE written to the address you chose.<br />
<br />
Test SA1 Memory Writes (2 byte addresses, 0xFE written)<br />
C9C374A9<br />
C9C375FE<br />
C9C378FF<br />
C9C3793F<br />
<br />
Load value 0x00FE to write(could be made to load a 2-byte value)<br />
C9C374A9<br />
C9C375FE<br />
<br />
Address to write to(Writes to 3FFF with these values)<br />
C9C378FF<br />
C9C3793F</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=SA1&diff=1510SA12006-11-30T18:30:22Z<p>Ugetab: </p>
<hr />
<div>==Overview==<br />
----<br />
The SNES SA1 chip is an expansion chip added to an SNES cart that both contains a portion of the game's coding, and executes that portion of code to affect normal SNES RAM, and the additional RAM accessed primarily by the SA1 chip programming. The additional RAM is also accessible by the SNES CPU's instructions.<br />
<br />
There is no current information concerning hardware-based tests with Game Genie codes that change portions of ROM residing within the SA1.<br />
<br />
==Memory Mapping Comparison==<br />
----<br />
Region 30:0000 - 30:3FFF is SA1 related due to the fact that some RAM is 00 mapped for SA1-using games:<br />
<br />
Writes from the SNES CPU to 00:0000 - 00:3FFF region to change a mirrored region at 30:0000 - 30:3FFF region<br />
<br />
00:0000 - 00:3FFF<br />
30:0000 - 30:3FFF<br />
<br />
SA1 Address:<br />
Reads/Writes to these addresses from the SA1 CPU translate to the below CPU-accessible addresses in SNES memory<br />
00:4000 - 00:7FFF<br />
CPU Address:<br />
40:0000 - 40:3FFF<br />
<br />
<br />
SA1 Address Testing:<br />
If you wish to test writes made by the SA1 to memory, and see what area is changed, you can use the following code with Super Mario RPG (US), while in a 3D stage. You should fall through the ground, and be unaligned with the map, but have the value FE written to the address you chose.<br />
<br />
Test SA1 Memory Writes (2 byte addresses, 0xFE written)<br />
C9C374A9<br />
C9C375FE<br />
C9C378FF<br />
C9C3793F<br />
<br />
Load value 0x00FE to write(could be made to load a 2-byte value)<br />
C9C374A9<br />
C9C375FE<br />
<br />
Address to write to(Writes to 3FFF with these values)<br />
C9C378FF<br />
C9C3793F</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Final_Fantasy_VI_Advance_(Hacking)&diff=1493Final Fantasy VI Advance (Hacking)2006-11-29T21:50:55Z<p>Ugetab: </p>
<hr />
<div>===Post Final Fantasy 6 GBA finds here===<br />
<br />
----<br />
<br />
{| style="border:1px solid #aaaaaa; margin: 0; padding:0;" width="25%" cellspacing="0" cellpadding="5" align="right"<br />
|- valign="top" style="font-size: 105%; background-color:#FFDEAD; border-bottom:1px solid #aaaaaa; text-align: center; padding:0;"<br />
| '''Fly on Daryl's Airship'''<br />
|- style="background:#ffffff; padding:0.2em 0.4em 0.2em 0.4em; text-align: center;"<br />
|<br />
[[image: Daryl2.png]]<br><br />
|- style="background:#ffffff; padding:0.2em 0.4em 0.2em 0.4em; text-align: center;"<br />
|<br />
----<br />
32001E94 00FF<br>320011FA 0003<br>'''<br />
----<br />
On the World Map,''' access the main menu and exit it to be in the Airship. From there, press Start and you'll be on the deck of Daryl's Airship. - Ace<br />
|}<br />
02000056 - Change to 01 to call a battle (doesn't work on world map). It seems to call the last battle you were in. Ace's enemy group mod works with it. - KE<br />
<br />
0200004C - Screen fade. F0 is normal brightness, 00 is pitch black - KE<br><br />
0200004D - Background brightness. 00 is normal, F0 is hellabright(tm) - KE<br> <br />
0200004B - some digits start a brightness loop. F0 will give you a seizure - KE<br><br />
020000FF - Setting this to anything but 00 will put you in "oh chit KE hav to much sakeke" mode, world map only - KE<br><br />
'<br />
<br><br />
02001CF5 - changes which party you are in control of. 01-03 are the normal parties (2 and 3 are only used in multiple-party scenarios), 00 puts you in a party with a character that has kefka's sprite on the world map, ghestal's portrait, and cyan in battle. - KE<br><br />
<br />
02026237 - Changes how many parties you can put your characters into at the party selection screen. - KE <br><br />
<br />
8200185E 5951 - before using code clear the 3rd and 4th slots of your party. with the code on they will be kefka and leo. both have sprites for normal maps and the world map, and work in battle. Kefka must be given commands before he can be used in battle.<br />
<br><br />
<br />
== cadohacan ==<br />
32001F64 00xx < room modifer looking for debug room right now<br />
<br />
== Event Modifier/Activator ==<br />
I think the primary Event Modifier/Activator address is 020000E7<br />
<br />
F1 - Load Intro<br><br />
F4 - Call Ending Screen<br><br><br />
There's more that effects it. I've managed to call battles, shops, menus, etc with it. Right now it's all about figuring it out...<br><br />
<br />
'''Note 1: When I said I didn't know much about it, I meant it. :P<br>'''<br />
Note 2: These values will work in town without having to change anything else..<br><br />
<br />
Anyway, There seems to be a lot of stuff that effects this. So expect mixed effects....<br><br />
<br />
<br />
<br />
<!--- EXTERNAL LINKS GO HERE ---><br />
==External links==<br />
<br />
*[http://gshi.org/?s=v2&sys=7&gid=6366 Codes for Final Fantasy VI (J) (GBA) on the GSHI]</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Final_Fantasy_VI_Advance_(Hacking)&diff=1451Final Fantasy VI Advance (Hacking)2006-11-29T04:53:51Z<p>Ugetab: </p>
<hr />
<div>===Post Final Fantasy 6 GBA finds here===<br />
<br />
----<br />
<br />
{| border="1" cellpadding="0" align="center" width="75%"<br />
|- style="background:#ffdead;"<br />
|Fly on Daryl's Airship<br />
|- align="center"<br />
|http://gshi.org/ace/images/daryl.png<br />
|- align="center"<br />
|32001E94 00FF<br>320011FA 0003<br><br />
|-<br />
|'''On the World Map,''' access the main menu and exit it to be in the Airship. From there, press Start and you'll be on the deck of Daryl's Airship. <br>- Ace<br />
|-<br />
|}<br />
<br />
<br />
02000056 - Change to 01 to call a battle (doesn't work on world map). It seems to call the last battle you were in. Ace's enemy group mod works with it. - KE<br />
<br />
0200004C - Screen fade. F0 is normal brightness, 00 is pitch black - KE<br><br />
0200004D - Background brightness. 00 is normal, F0 is hellabright(tm) - KE<br> <br />
0200004B - some digits start a brightness loop. F0 will give you a seizure - KE<br><br />
020000FF - Setting this to anything but 00 will put you in "oh chit KE hav to much sakeke" mode, world map only - KE<br><br />
'<br />
<br><br />
02001CF5 - changes which party you are in control of. 01-03 are the normal parties (2 and 3 are only used in multiple-party scenarios), 00 puts you in a party with a character that has kefka's sprite on the world map, ghestal's portrait, and cyan in battle. - KE<br><br />
<br />
02026237 - Changes how many parties you can put your characters into at the party selection screen. - KE <br><br />
<br />
8200185E 5951 - before using code clear the 3rd and 4th slots of your party. with the code on they will be kefka and leo. both have sprites for normal maps and the world map, and work in battle. Kefka must be given commands before he can be used in battle.<br />
<br><br />
<br />
----<br />
<br />
===Event Modifier/Activator===<br />
When I said I didn't know much about it, I meant it. :P<br><br />
Anyway, what I think to be the primary address is this: 020000E7<br><br />
'''NOTE 1: There seems to be a lot of stuff that effects this. So expect mixed effects....<br>NOTE 2: These values will work in town without having to change anything else..'''<br><br />
F1 - Load Intro<br><br />
F4 - Call Ending Screen<br><br><br />
There's more that effects it. I've managed to call battles, shops, menus, etc with it. Right now it's all about figuring it out...<br><br />
<br />
---- <br />
<!-- ANYTHING BELOW THIS LINE IS TO BE EXTERNAL LINKS --><br />
<br />
'''External Links:'''<br />
<br>[http://gshi.org/?s=v2&sys=7&gid=6366 Codes for Final Fantasy VI (J) on the GSHI]</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Main_Page&diff=1450Main Page2006-11-29T03:06:09Z<p>Ugetab: </p>
<hr />
<div><H1>Game Systems Headquarters International</H1><br />
{| style="border:1px solid #aaaaaa; margin: 0; padding:0;" width="25%" cellspacing="0" cellpadding="5" align="right"<br />
|- valign="top" style="font-size: 105%; background-color:#98FB98; border-bottom:1px solid #aaaaaa; text-align: center; padding:0;"<br />
| '''Featured Page'''<br />
|- style="background:#ffffff; padding:0.2em 0.4em 0.2em 0.4em;"<br />
|<br />
<br><br />
[[image: Kefka-t.png|center]] <br />
* [[Hacking:FF6A|Final Fantasy VI Code Hacking]]<br />
|}<br />
<blockquote>GSHI is a longstanding collaborative group of code hackers, who have contributed many, many codes to the scene, for such cheat systems as Gameshark, Action Replay, CodeBreaker, and Game Genie. The website and forums were started by and are currently coadministrated by the member who calls himself Lazy Bastard. Many people who use these cheat systems and devices are unaware that the companies who manufacture and market them use websites and communities such as GSHI to produce and distribute the codes that cause them to be as popular as they are. <BR><BR>The website is located here: http://www.gshi.org<BR>The community itself gathers at the website's home forums, located here: http://www.gshi.org/vb/</blockquote><br />
<br><br />
<br><br />
{| style="border:1px solid #aaaaaa; margin: 0; padding:0;" cellspacing="0" cellpadding="5" align="right"<br />
|- valign="top" style="font-size: 105%; background-color:#FFDEAD; border-bottom:1px solid #aaaaaa; text-align: center; padding:0;" align="center"<br />
| '''Pages that need information'''<br />
|- style="background:#ffffff; padding:0.2em 0.4em 0.2em 0.4em;"<br />
|<br />
* [[GSHI]]<br />
* [[Kodewerx]]<br />
* [[Game genie]]<br />
* [[Action Replay]]<br />
* [[Codebreaker]]<br />
* [[Gameshark]]<br />
* [[Xploder]]<br />
|}</div>Ugetabhttps://wiki.gamehacking.org/index.php?title=Main_Page&diff=1449Main Page2006-11-29T01:44:26Z<p>Ugetab: </p>
<hr />
<div><H1>Game Systems Headquarters International</H1><br />
<div><br />
{| style="border:0; margin: 0;" width="25%" cellspacing="10" align="right"<br />
| valign="top" style="padding:0; border:1px solid #aaaaaa; margin-bottom:5px;" <br />
| <div style="font-size: 105%; padding:0.4em; background-color:#98FB98; border-bottom:1px solid #aaaaaa; text-align: center;">'''Featured Page'''</div><br />
<div style="background:#ffffff; padding:0.2em 0.4em 0.2em 0.4em;"><br />
{| style="border: 0; margin: 0;" cellpadding="3"<br />
| valign="top" | <br />
| valign="top" |<br />
<br><br />
[[image: Kefka-t.png|center]] <br />
* [[Hacking:FF6A|Final Fantasy VI Code Hacking]]<br />
|}<br />
</div><br />
|}<br />
</div><br />
<blockquote>GSHI is a longstanding collaborative group of code hackers, who have contributed many, many codes to the scene, for such cheat systems as Gameshark, Action Replay, CodeBreaker, and Game Genie. The website and forums were started by and are currently coadministrated by the member who calls himself Lazy Bastard. Many people who use these cheat systems and devices are unaware that the companies who manufacture and market them use websites and communities such as GSHI to produce and distribute the codes that cause them to be as popular as they are. <BR><BR>The website is located here: http://www.gshi.org<BR>The community itself gathers at the website's home forums, located here: http://www.gshi.org/vb/</blockquote><br />
<br><br />
<br><br />
<div><br />
{| align="right"<br />
| valign="center" style="padding:0; border:1px solid #aaaaaa; margin-bottom:5px;" <br />
| <div style="font-size: 105%; padding:0.4em; background-color:#FFDEAD; border-bottom:1px solid #aaaaaa; text-align: center;" align="center">'''Pages that need information'''</div><br />
<div style="background:#ffffff; padding:0.2em 0.4em 0.2em 0.4em;"><br />
{| style="border: 0; margin: 0;" cellpadding="3"<br />
| valign="top" | <br />
| valign="top" | <br />
* [[GSHI]]<br />
* [[Kodewerx]]<br />
* [[Game genie]]<br />
* [[Action Replay]]<br />
* [[Codebreaker]]<br />
* [[Gameshark]]<br />
* [[Xploder]]<br />
|}<br />
</div><br />
|}<br />
</div></div>Ugetab