Difference between revisions of "Assembly Hacking"

From Wiki - GameHacking.org
Jump to: navigation, search
Line 140: Line 140:
 
[The current author is too lazy to write this, but will get around to it later if no one else does]
 
[The current author is too lazy to write this, but will get around to it later if no one else does]
  
[[Category:GSHI pages]]
+
[[Category:Hacking and Game Info]]

Revision as of 18:52, 9 November 2008

Assembly hacking is the art of editing a compiled program. Without the source code, and without notes from the source code, one has to deduce almost everything about the underlying code, and how it works with RAM.

There are several emulators that can aid one in creating a modification for a game. Games for console systems fall into the category of compiled programs, and generally, the source code is unavailable for these games.

The use of making an assembly hack for a game can be found with the Nintendo Entertainment System (NES) Game Genie.

The codes that are entered into an NES Game Genie represent single-byte assembly hacks. Any assembly hack that could be done with a change of 3 bytes or less is possible to implement with a single Game Genie. The SNES Game Genie allows up to 5 codes, and 5 bytes of change. While this makes the possible usage of codes very limiting, it didn't prevent single-byte invincibility and infinite lives codes from appearing that could make it unneccesary to use additional codes.

For more modern assembly hacking of the same systems, emulators that support 50 or more codes for any given game aren't uncommon. The ROMs have been turned into files that can be patched with all the changes needed to give the game a script in a new language. Emulators that aid in the process of making assembly hacks have appeared for many different emulated systems. The effect is that more people are now capable of starting their own projects, and existing projects can be modified and/or repaired more easily.

Emulators

NES

FCEU

FCEUXDSP is the result of a emulator first developed by Parasyte called FCEUD, which was then picked up by bbitmaster and renamed to FCEUXD, and finally adopted as FCEUXD SP.

Setting breakpoints in ROM/RAM

Tools>Debug

In the breakpoint window, 'Add' the Executable address or Memory address you want.
ROM is 8000-FFFF
RAM is 0000-07FF, 6000-7FFF
0800-3FFF is mirrored from some part of RAM.
4000-4015 can be breakpointed if working on an NSF. If you want to use this to deal with NSFs, try Ugetabs edited version, which tends to play nicer with them

'Hex Editor' is a memory viewer/modifier.

SNES

Geiger's SNES9X Debugger

This emulator can be found here and here.

Setting breakpoints in ROM/RAM

Open ROM, Click 'Breakpoints'
In the breakpoint window, enter the Executable address or Memory address you want.
Standard RAM: 7E0000 - 7FFFFF
SA1 RAM: 400000-407FFF, 303000-303FFF
HiROM - C00000 - FFFFFF
LoROM - 808000-BFFFFF (**0000 - **7FFF doesn't exist)

If you use the SA1 logger with an SA1-using game, and wish to find an address that changed an address in RAM, you can see if the conversion chart on the SA1 page shows you the address to search for in the log file.

Genesis

Gens Tracer

This emulator can be found here.

No breakpoints, but adequate tracing. A guide has been written on the specific usage of the emulator.

The idea is that you can trace-log writes to and reads from memory, and you can also log all commands, and determine what's happening from the full log, by using what you find from the hook logging.

HazeMD

This emulator can be found at this address.

This emulator is harder to get setup to use a ROM, but comes with a MAME-style debugger. MAME's debugger is well known for being so powerful, considering the number of systems it can be used with when compiled into a build of MAME. The Gens tracer tends to have slightly better compatibility, while the HazeMD emulator has more potential for cheat codes, already having a Cheat system designed to handle multiple CPUs, which could be used for 32x game ROM hacks, and RAM hacks.

Gameboy

BGB

This emulator can be found here

Load a ROM, and right-click the screen.
Other>debug mode enabled: to enable debugging
Other>debugger to enter the debugger

Setting breakpoints in ROM/RAM
In the debugger window:
Debug>breakpoints for execution breakpoints
Debug>access breakpoints for read/write breaks.

Also, see below about Visual Boy Advance Tracer.

Gameboy Advance

Visual Boy Advance Tracer

This emulator can be found here.

This emulator uses the Hook Log system. Those familiar with the hook_log Genesis or N64 emulators should have little trouble adapting to this system.

Note that it has also been used to good effect for a small number of gameboy games that BGB doesn't support. Ugetab used this for GBS ripping, but with full code logging, and a save-state near when something changes, you could just as effectively search for a memory address in trace.log. Mind that while GB assembly doesn't pile up as quickly as GBA or N64, and it is still nessesary to be relatively close to the change before activating logging, if you don't want to have to use a special text editor to open an enormous log file.

Visual Boy Advance

This emulator can be found at this address.

Windows - SDL is required. Unfortunately, no cheat device exists that can change the assembly, so hacking it is more a matter of patching the ROM, and less a matter of using it for simple cheats. Not documented.

Playstation

PCSX 1.5 With Debugger

This emulator is available here.

Press F11 to enter the debugger. On-screen aids should be apparent.

PSX

This emulator can be found at this address.

This can be a decent debugging alternative if a game doesn't work well in the above emulator.

PCSX Agemo debugger

This emulator can be found here.

It could be favorable for some tasks, compared to the other debuggers.

N64

Nemu64

This emulator can be found here

Setting execution breakpoints
Plugins>Debugger: Commands...
To set a break on execution, go to the line that you want to break on, and click in the vertical bar to the left(<) of the address you want to breakpoint.

Setting breakpoints in RAM
Plugins>Debugger: Memory...
Enable the read and/or write checkboxes, and right-click the memory space you want to set, unset, or change an access breakpoint on.

Some games don't run in Nemu, so you may have to switch to this hook_log based emulator if you want the codes. The 1964 tracer can be useful, which is available here.

The hook_log system is a little bit more demanding to use than a visual debugger, but with compatibility issues, it's better than lucky to have a second usable debugging emulator. The save-states can be decompressed, and loaded in their decompressed form if needed

An issue with this emulator is that not all instructions are logged, but it's still worth knowing about for the fact that many instructions are logged, and it can be used with write logging.

Project64 debug build binary

This emulator can be found here.

This version of the emulator has better support for games than Nemu64, and Ugetab used this tool in combination with nemu64 to edit USFs, as well as make a few codes that people using only a single emulation tool were having extremely hard struggles with.

Saturn

Yabause

This emulator can be found here.

This is one of the few Saturn emulators out there.

Wonder Swan

Cygne Tracer

This emulator can be found here.

A decent Tracing program.

Oswan Tracer

This emulator can be found here.

This is just another hook-log tracer.

Playstation 2

[The current author is too lazy to write this, but will get around to it later if no one else does]