Difference between revisions of "Assembly Hacking"

From Wiki - GameHacking.org
Jump to: navigation, search
(Added PC Engine/TG16 Debugger Info (Thinking of making some HES rips))
m (Mednafen: (Forgot a debugging command))
Line 125: Line 125:
 
S = Step<br>
 
S = Step<br>
 
Return = Goto Address(If on code)/Edit(If on register)<br>
 
Return = Goto Address(If on code)/Edit(If on register)<br>
 +
Space = Set/Unset Execution Breakpoint<br>
 
Shift + Return = Edit watch address<br>
 
Shift + Return = Edit watch address<br>
 
Shift + R = Edit Read Breakpoints<br>
 
Shift + R = Edit Read Breakpoints<br>

Revision as of 13:17, 26 August 2009

Assembly hacking is the art of editing a compiled program. Without the source code, and without notes from the source code, one has to deduce almost everything about the underlying code, and how it works with RAM.

There are several emulators that can aid one in creating a modification for a game. Games for console systems fall into the category of compiled programs, and generally, the source code is unavailable for these games.

The use of making an assembly hack for a game can be found with the Nintendo Entertainment System (NES) Game Genie.

The codes that are entered into an NES Game Genie represent single-byte assembly hacks. Any assembly hack that could be done with a change of 3 bytes or less is possible to implement with a single Game Genie. The SNES Game Genie allows up to 5 codes, and 5 bytes of change. While this makes the possible usage of codes very limiting, it didn't prevent single-byte invincibility and infinite lives codes from appearing that could make it unnecessary to use additional codes.

For more modern assembly hacking of the same systems, emulators that support 50 or more codes for any given game aren't uncommon. The ROMs have been turned into files that can be patched with all the changes needed to give the game a script in a new language. Emulators that aid in the process of making assembly hacks have appeared for many different emulated systems. The effect is that more people are now capable of starting their own projects, and existing projects can be modified and/or repaired more easily.

Emulators

NES

FCEU

FCEUXDSP is the result of a emulator first developed by Parasyte called FCEUD, which was then picked up by bbitmaster and renamed to FCEUXD, and finally adopted as FCEUXD SP.

Setting breakpoints in ROM/RAM

Tools>Debug

In the breakpoint window, 'Add' the Executable address or Memory address you want.
ROM is 8000-FFFF
RAM is 0000-07FF, 6000-7FFF
0800-3FFF is mirrored from some part of RAM.
4000-4015 can be breakpointed if working on an NSF. If you want to use this to deal with NSFs, try Ugetabs edited version, which tends to play nicer with them

'Hex Editor' is a memory viewer/modifier.

SNES

Geiger's SNES9X Debugger

This emulator can be found at Geiger's Crypt and Zophar's Domain - Geiger’s Snes9x Debugger.

Setting breakpoints in ROM/RAM

Open ROM, Click 'Breakpoints'
In the breakpoint window, enter the Executable address or Memory address you want.
Standard RAM: 7E0000 - 7FFFFF
SA1 RAM: 400000-407FFF, 303000-303FFF
HiROM - C00000 - FFFFFF
LoROM - 808000-BFFFFF (**0000 - **7FFF doesn't exist)

If you use the SA1 logger with an SA1-using game, and wish to find an address that changed an address in RAM, you can see if the conversion chart on the SA1 page shows you the address to search for in the log file.

FuSoYa's SNES9X SuperFX Instruction Logger

This emulator can be found here.

This emulator allows you to log SuperFX instructions being used by the emulator.

Press the NumLock button to start/stop logging.

Instructions will be logged to sfx_trace.txt, in the folder with the emulator.

Here's an example on how to interpret the results:
00:e834 40 ldw (r0) r0=$0058 SRAM=00:5AAE
00:e835 64 sub r4 r0=$0055 CY=1

First line Loads Word (SRAM=00:5AAE) to (r0). In Geiger's SNES9X Debugger, this is address 705AAE in the RAM viewer. In ZSNES, you can find this in a save-state at 0x4127F + 0x5AAE (= 0x46D2D). The result of this operation is on the same line.

Second line subtracts (r4) from (r0). This next result is on the same line as well. This can be coded out to give you Infinite Health in Doom, but it won't work as a Game Genie code. The file address would be either 6835 or 6A35. Only one address of those 2 will be 0x64.

Genesis

Regen Debugger Build

This emulator can be found here

Backup: Regen 0.95 Debugger

If you've used FCEUXDSP, Geiger's Snes9x, BGB, Nemu08, pSX, or pretty much any other active debugger, you'll realize that this is along the same lines of those debuggers. This is certainly what Genesis hackers have been waiting for when it comes to a user friendly debugger.

It runs Genesis, Game Gear, and SMS files, but only debugs Genesis at the moment. Use #Emukon if you want to hack Game Gear or SMS.

Gens Tracer

This emulator can be found here.

No breakpoints, but adequate tracing. A guide has been written on the specific usage of the emulator.

The idea is that you can trace-log writes to and reads from memory, and you can also log all commands, and determine what's happening from the full log, by using what you find from the hook logging.

HazeMD

This emulator can be found at this address.

This emulator is harder to get setup to use a ROM, but comes with a MAME-style debugger. MAME's debugger is well known for being so powerful, considering the number of systems it can be used with when compiled into a build of MAME. The Gens tracer tends to have slightly better compatibility, while the HazeMD emulator has more potential for cheat codes, already having a Cheat system designed to handle multiple CPUs, which could be used for 32x game ROM hacks, and RAM hacks.

Gameboy

BGB

This emulator can be found here

Load a ROM, and right-click the screen.
Other>debug mode enabled: to enable debugging
Other>debugger to enter the debugger

Setting breakpoints in ROM/RAM
In the debugger window:
Debug>breakpoints for execution breakpoints
Debug>access breakpoints for read/write breaks.

Visual Boy Advance Tracer

See #Visual_Boy_Advance_Tracer_2

PC Engine / Turbo-Grafx 16

Mednafen

This emulator can be found here

Esc = Exit Mednafen (Careful about it)

To use F12 to quit, and not the ESC key, edit this in mednafen.cfg:


";Exit"
"command.exit keyboard 293~keyboard 27"


To this:


";Exit"
"command.exit keyboard 293~keyboard 123"


F5 = Save State
F7 = Load State
0-9 = Select Save Slot

Alt + D = Toggle Debugger

In Debugger:
Alt+1 = CPU debugger view
Alt+3 = Memory editor
R = Run
S = Step
Return = Goto Address(If on code)/Edit(If on register)
Space = Set/Unset Execution Breakpoint
Shift + Return = Edit watch address
Shift + R = Edit Read Breakpoints
Shift + W = Edit write breakpoints
Shift + O = Opcode Breakpoints

See included Debugger.html file for complete command list

Game Gear

Emukon

This emulator can be found here.

Backup: Emukon 1.05

This is basically a friendlier style of Logging Debugger the way I tend to use it, with Breakpoints to help figure out how code you find operates. I've used it to at least as much success as I've used the Hook_log debuggers, only this was more boring because I didn't have to fight with the emulator as much.

You can use a combination of Breakpoints and Log Files to debug games.

Breakpoints have their own management window, or you can right click lines in the debugger.

To use the log files effectively, you should focus on a single byte with a known effect, get to about where the setting you're looking for will change, go to the Debugger > Debugger menu, enable it if needed, then click the Clear Log button if you want a fresh start, and the Log button to start logging. Get the thing changed that you want, and then look under the DebugLogs folder for the game you're working on, and search the text logs for the address you want to check, whether it's the execution address by some chance or the memory address. Breakpoints and Logging work well together to discover the execution path to a piece of code.

It's not as exceedingly simple as some other debuggers, but it's quite useful, and it's my first choice for hacking Game Gear as well as SMS.

Master System

Emukon

See Game Gear section: #Emukon

Gameboy Advance

Visual Boy Advance Tracer

This emulator can be found here.

This emulator uses the Hook Log system. Those familiar with the hook_log Genesis or N64 emulators should have little trouble adapting to this system.

Note that it has also been used to good effect for a small number of gameboy games that BGB doesn't support. Ugetab used this for GBS ripping, but with full code logging, and a save-state near when something changes, you could just as effectively search for a memory address in trace.log. Mind that while GB assembly doesn't pile up as quickly as GBA or N64, and it is still necessary to be relatively close to the change before activating logging, if you don't want to have to use a special text editor to open an enormous log file.

Visual Boy Advance

This emulator can be found at this address.

Windows - SDL is required. Unfortunately, no cheat device exists that can change the assembly, so hacking it is more a matter of patching the ROM, and less a matter of using it for simple cheats. Not documented.

Playstation

PCSX 1.5 With Debugger

This emulator is available here.

Press F11 to enter the debugger. On-screen aids should be apparent.

PSX

This emulator can be found at this address.

This can be a decent debugging alternative if a game doesn't work well in the above emulator.

PCSX Agemo debugger

This emulator can be found here.

It could be favorable for some tasks, compared to the other debuggers.

N64

Nemu64

This emulator can be found here

Setting execution breakpoints
Plugins>Debugger: Commands...
To set a break on execution, go to the line that you want to break on, and click in the vertical bar to the left(<) of the address you want to breakpoint.

Setting breakpoints in RAM
Plugins>Debugger: Memory...
Enable the read and/or write check boxes, and right-click the memory space you want to set, unset, or change an access breakpoint on.

Some games don't run in Nemu, so you may have to switch to this hook_log based emulator if you want the codes. The 1964 tracer can be useful, which is available here.

The hook_log system is a little bit more demanding to use than a visual debugger, but with compatibility issues, it's better than lucky to have a second usable debugging emulator. The save-states can be decompressed, and loaded in their decompressed form if needed

An issue with this emulator is that not all instructions are logged, but it's still worth knowing about for the fact that many instructions are logged, and it can be used with write logging.

Project64 debug build binary

This emulator can be found here.

This version of the emulator has better support for games than Nemu64, and Ugetab used this tool in combination with nemu64 to edit USFs, as well as make a few codes that people using only a single emulation tool were having extremely hard struggles with.

Saturn

Yabause

This emulator can be found here.

This is one of the few Saturn emulators out there.

Wonder Swan

Cygne Tracer

This emulator can be found here.

A decent Tracing program.

Oswan Tracer

This emulator can be found here.

This is just another hook-log tracer.

Playstation 2

[The current author is too lazy to write this, but will get around to it later if no one else does]