Difference between revisions of "Assembly Hacking"

From Wiki - GameHacking.org
Jump to: navigation, search
(NES: Added some name history.)
Line 16: Line 16:
A project originated by Parasyte called FCEUd, picked up by bbitmaster and renamed to FCEUXD, and finally adopted as FCEUXD SP.
Setting breakpoints in ROM/RAM
Setting breakpoints in ROM/RAM

Revision as of 03:18, 7 January 2007


Assembly hacking is the art of editing a compiled program. Without the source code, and without notes from the source code, one has to deduce almost everything about the underlying code, and how it works with RAM.

There are several emulators that can aid one in creating a modification for a game. Games for console systems fall into the category of compiled programs, and generally, the source code is unavailable for these games.

The use of making an assembly hack for a game can be found with the Nintendo Entertainment System (NES) Game Genie.

The codes that are entered into an NES Game Genie represent single-byte assembly hacks. Any assembly hack that could be done with a change of 3 bytes or less is possible to implement with a single Game Genie. The SNES Game Genie allows up to 5 codes, and 5 bytes of change. While this makes the possible usage of codes very limiting, it didn't prevent single-byte invincibility and infinite lives codes from appearing that could make it unneccesary to use additional codes.

For more modern assembly hacking of the same systems, emulators that support 50 or more codes for any given game aren't uncommon. The ROMs have been turned into files that can be patched with all the changes needed to give the game a script in a new language. Emulators that aid in the process of making assembly hacks have appeared for many different emulated systems. The effect is that more people are now capable of starting their own projects, and existing projects can be modified and/or repaired more easily.




A project originated by Parasyte called FCEUd, picked up by bbitmaster and renamed to FCEUXD, and finally adopted as FCEUXD SP.

Setting breakpoints in ROM/RAM Tools>Debug

In the breakpoint window, 'Add' the Executable address or Memory address you want.
ROM is 8000-FFFF
RAM is 0000-07FF, 6000-7FFF
0800-3FFF is mirrored from some part of RAM.
4000-4015 can be breakpointed if working on an NSF. If the 'Hex Editor' is opened in a normal game, then an NSF is loaded, you can use it to work on NSF RAM, in conjunction with the debugger.

'Hex Editor' is a memory viewer/modifier.


Geiger's SNES9X Debugger

Setting breakpoints in ROM/RAM
Open ROM, Click 'Breakpoints'
In the breakpoint window, enter the Executable address or Memory address you want.
Standard RAM: 7E0000 - 7FFFFF
SA1 RAM: 400000-407FFF, 303000-303FFF
HiROM - C00000 - FFFFFF
LoROM - 808000-BFFFFF (**0000 - **7FFF doesn't exist)

If you use the SA1 logger with an SA1-using game, and wish to find an address that changed an address in RAM, you can see if the conversion chart on the SA1 page shows you the address to search for in the log file.


Gens Tracer

No breakpoints, but adequate tracing.

I've written a guide on the specific usage of the emulator.

The idea is that you can trace-log writes to and reads from memory, and you can also log all commands, and determine what's happening from the full log, by using what you find from the hook logging.


This emulator is harder to get setup to use a ROM, but comes with a MAME-style debugger. MAME's debugger is well known for being so powerful, considering the number of systems it can be used with when compiled into a build of MAME. The Gens tracer tends to have slightly better compatibility, while the HazeMD emulator has more potential for cheat codes, already having a Cheat system designed to handle multiple CPUs, which could be used for 32x game ROM hacks, and RAM hacks.



Load a ROM, and right-click the screen.
Other>debug mode enabled: to enable debugging
Other>debugger to enter the debugger

Setting breakpoints in ROM/RAM
In the debugger window:
Debug>breakpoints for execution breakpoints
Debug>access breakpoints for read/write breaks.

Gameboy Advance

Visual Boy Advance Tracer

This emulator uses the Hook Log system. Those familiar with the hook_log Genesis or N64 emulators should have little trouble adapting to this system.

Visual Boy Advance
Windows - SDL

Unfortunately, no cheat device exists that can change the assembly, so hacking it is more a matter of patching the ROM, and less a matter of using it for simple cheats.

Not documented.


PCSX 1.5 With Debugger

Press F11 to enter the debugger.
On-screen aids should be apparent.


Nemu64 (Project64 debug version for testing, etc.)

Setting execution breakpoints
Plugins>Debugger: Commands...
To set a break on execution, go to the line that you want to break on, and click in the vertical bar to the left(<) of the address you want to breakpoint.

Setting breakpoints in RAM
Plugins>Debugger: Memory...
Enable the read and/or write checkboxes, and right-click the memory space you want to set, unset, or change an access breakpoint on.

Some games don't run in Nemu, so you may have to switch to this hook_log based emulator if you want the codes

The hook_log system is a little bit more demanding to use than a visual debugger, but with compatibility issues, it's better than lucky to have a second usable debugging emulator. The save-states can be decompressed, and loaded in their decompressed form if needed

An issue with this emulator is that not all instructions are logged, but it's still worth knowing about for the fact that many instructions are logged, and it can be used with write logging.

Playstation 2

[The current author is too lazy to write this, but will get around to it later if no one else does]