[REQUEST][SNES] Super Mario Kart addresses that enable special cup and 150cc class.


  • [REQUEST][SNES] Super Mario Kart addresses that enable special cup and 150cc class.

    Below is an SRAM save with them unlocked already.

    https://www.mediafire.com/?3injzs74i1s0edv

  • #2
    I found a PAR code to always select 150cc class, but it's a RAM address. Is there any way to do a traceback or something using the snes9x debugger to find where it's loading from the ROM? I need a Game Genie code so I can hex it into the ROM.

    Code:
    7e0085:04
    Last edited by darknezz19; 05-24-2015, 03:53:08 PM.



    • #3
      Alright, after watching some videos and reading posts here I got it to work using a breakpoint and the trace key. I'll explain how I did this and you guys tell me if I did this right or just got extremely lucky.

      1 - Finding the ram address that is used to enable 150cc.
      First I used the snes9x comparative cheat search to locate the RAM address that is changed between a 150cc-locked save state and one that has it unlocked. I started a search, and then would go back to the game and load the save state with the 150cc unlocked. Once loaded, go back to the search tool and select "value greater than previous", and repeat until you get the addresses down to a handful, then start editing them to see which works. 7e0085:04 changes it so 150cc is always selected no matter which cc class is picked. I'm not sure why it always selects 150cc when this is active, but it was good enough for me to go off of.

      2 - Breakpoint and trace logging
      Set your breakpoint to the address we just found, 7e0085, checking read. Go back to your game and you will notice the game stops when you select menu options. Get to the menu just before it lets you pick the cc class in Mario GP. Now what you want to do is hit the '*' key right before hitting the start button to advance. This will start logging all the CPU assembly to log files. There will be 3 breakpoints in between menu sections and I thought it was best to capture all three breakpoints. After the third one I hit the '*' key again to stop the trace log. This left me with three log files in my snes9x directory. I opened them up and there are a lot of routines in there, most of it all looks the same though.

      3 - Putting it all together
      So now that we have these trace logs we need to search through them. I decided the '0085' address we found earlier would be a good candidate. Throughout the 3 different log files created there were about 6-9 hits using that search term. In the second log file we found the magic routine.

      $85/86F7 A5 85 LDA $85 [$00:0085] A:0014 X:0006 Y:00B0 P:envMXdiZC

      Now add the '8586F7' to your cheat list in snes9x. But what value should we give it? The only thing I could think to try was the previous value '04' that was used in the unlocked 150cc save state at 7e0085. Success: when you arrive on the cc selection menu 150cc is selected by default, but you just cannot see the menu item for it. What was surprising was that if you press up you could still select 100cc and 50cc, but once you go off 150cc you can't select it again. To get around this just back out of that menu and go back to it and it'll be on 150cc again.

      So how did I do? Is this how something like this should be done or did I just get extremely lucky here? Thanks for your input and time.



      • #4
        Not a bad start, but what I would do is set a break on read on that RAM address and go to the last option in the menu (I believe it to be 100cc), then activate the trace log feature and press down. It should have a few breaks like you said, and once you go back to the 50cc, turn off trace logging.

        Now you need to look at those breakpoint addresses that show in the console and search in the logs for those (one at a time), then look a little before and after the break for a compare and branch, and alter the branches after seeing which it might be.

        Basically the compare is looking to see if you unlocked the 150cc, and if you didn't it will skip it and go to 50cc, so if you force the branch to go to where it thinks you unlocked the 150cc then there is your code.

        Edit: it wasn't too hard to find, but I used another address a little further down, 7E0301, for the RAM address to break on, and after looking at 2 traces there is a branch that always gets skipped when you have the 150cc unlocked, and this should be the code:

        8587E9:00

        which I got from this snippet of trace:

        Code:
        $85/87E0 AF F5 67 30 LDA $3067F5[$30:67F5]   A:0004 X:0006 Y:0074 P:envMXdiZC
        $85/87E4 29 03       AND #$03                A:0011 X:0006 Y:0074 P:envMXdizC
        $85/87E6 C9 01       CMP #$01                A:0001 X:0006 Y:0074 P:envMXdizC
        $85/87E8 D0 0B       BNE $0B    [$87F5]      A:0001 X:0006 Y:0074 P:envMXdiZC   <-- highlighted branch
        $85/87EA A5 85       LDA $85    [$00:0085]   A:0001 X:0006 Y:0074 P:envMXdiZC
        $85/87EC 29 06       AND #$06                A:0002 X:0006 Y:0074 P:envMXdizC
        $85/87EE C9 04       CMP #$04                A:0002 X:0006 Y:0074 P:envMXdizC
        $85/87F0 F0 45       BEQ $45    [$8837]      A:0002 X:0006 Y:0074 P:eNvMXdizc
        $85/87F2 4C FB 87    JMP $87FB  [$85:87FB]   A:0002 X:0006 Y:0074 P:eNvMXdizc
        $85/87FB A5 85       LDA $85    [$00:0085]   A:0002 X:0006 Y:0074 P:eNvMXdizc
        $85/87FD 18          CLC                     A:0002 X:0006 Y:0074 P:envMXdizc
        $85/87FE 69 02       ADC #$02                A:0002 X:0006 Y:0074 P:envMXdizc
        $85/8800 85 85       STA $85    [$00:0085]   A:0004 X:0006 Y:0074 P:envMXdizc
        $85/8802 20 44 88    JSR $8844  [$85:8844]   A:0004 X:0006 Y:0074 P:envMXdizc

        Oh, and this code loads the 3 actual menu options instead of just 2 (50cc and 100cc):

        Show 150cc
        85834B:38

        This code is based off of a RAM address that shows how many selections there are, and that RAM address is 7E0186 in case you were wondering.



        • #5
          Yours works perfectly compared to mine, Helder. How did you come to that new address for the breakpoint? How did you know from $85/87E8 D0 in the trace log that 8587E9:00 will let you move the cursor down to 150cc? I'd like to try something similar to open up the special cup.

          Edit: I tried to recreate what you did with the 150cc but am at a wall.

          "after looking at 2 traces there is a branch that always gets skipped when you have the 150cc Unlocked"

          I did a trace log on one instance with the 150cc locked and one unlocked via the SRAM, then pressed down from the 100cc and searched the logs to compare. Both of them had the "$85/87E8 D0 0B BNE $0B [$87F5] A:0001 X:0006 Y:0074 P:envMXdiZC" line, though. What did I do wrong here or is there more to this?
          Last edited by darknezz19; 05-25-2015, 01:38:17 AM.



          • #6
            I tried your RAM code but the addresses I got weren't useful to me, so I had 2 save states made, with one having 150cc unlocked and the other not. I then opened up the Memory Viewer, which is the button "Show Hex", and chose RAM in the drop-down menu.

            Next I loaded the saves one after another and looked for differences in the memory between the 2, and I found those 2 RAM addresses up above that I used to hack my codes. The code that I first found was the one that said where the cursor was, and naturally these codes usually have a compare and branch to either go down or go to the beginning of the menu, so I used this theory.

            What I did was set the break using the RAM address 7E0301, moved the unlocked 150cc save's cursor down to 100cc and cleared the breaks, then set the trace log and pressed down, and we got a break; I resumed and no further breaks occurred. I then looked for that occurrence of that break in one of the log files and discarded the rest. I keep this log file open so I can compare the next log file I plan to make.

            Next I loaded up the save with 150cc locked, moved the cursor down to 100cc, set the trace and repeated. I noticed we got a different break (2 breaks if I remember), turned off the trace and looked through the logs for the break, and once I found it I looked up from the break and noticed the same routine is run in both. So I lined the logs up and went line by line till I saw a difference, which is the branch:

            $85/87E8 D0 0B BNE $0B [$87F5] A:0001 X:0006 Y:0074 P:envMXdiZC

            So I put a break on Execute on this address (8587E8) and shut off the RAM address break, went down the menu and stepped to the next line to see what this branch does, and in the 150cc it never branches but in the locked 150cc it does, so obviously we change it so the branch never occurs.

            In the address above, the BNE $0B is one address per instruction, so the D0 is the BNE and the 0B is the next line, which says how many address lines to jump. So 8587E8 would contain the D0 instruction and 8587E9 contains the 0B, so if we change the 0B to 00, when the branch occurs it will go to the next line as if it never occurred, just like in the unlocked 150cc.

            I hope this explanation helps as I can't explain it any simpler for you to understand.

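An added example, not from the thread or from snes9x itself, of the two RAM-side techniques described in post #3 (step 1) and post #6: the comparative cheat search that narrows candidates with a "value vs. previous" test on each save-state reload, and the plain diff of two save states in the memory viewer. The WRAM images, their byte values, and the names (`WRAM_BASE`, `CheatSearch`, `diff_snapshots`) are all constructed for the demonstration.

```python
WRAM_BASE = 0x7E0000  # snes9x shows SNES work RAM at $7E0000-$7FFFFF

def make_snapshot(size, values):
    """Constructed WRAM image: zeros apart from the offset=value bytes given."""
    buf = bytearray(size)
    for offset, value in values.items():
        buf[offset] = value
    return bytes(buf)

# Constructed snapshots (not real dumps): the thread's 150cc flag at $7E0085
# (00 locked, 04 unlocked), the menu entry count at $7E0186, the cursor at
# $7E0301, plus a frame counter at $7E0010 that changes on every load as noise.
RAM_LOCKED         = make_snapshot(0x400, {0x010: 0x21, 0x085: 0x00, 0x186: 0x02, 0x301: 0x01})
RAM_UNLOCKED       = make_snapshot(0x400, {0x010: 0x5A, 0x085: 0x04, 0x186: 0x03, 0x301: 0x01})
RAM_UNLOCKED_LATER = make_snapshot(0x400, {0x010: 0x7C, 0x085: 0x04, 0x186: 0x03, 0x301: 0x01})

def diff_snapshots(a, b):
    """Post #6's method: every address whose byte differs between two save states."""
    return {WRAM_BASE + i: (x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y}

# The "value vs. previous" tests a comparative cheat search offers.
COMPARISONS = {
    "greater": lambda new, old: new > old,
    "less":    lambda new, old: new < old,
    "equal":   lambda new, old: new == old,
    "changed": lambda new, old: new != old,
}

class CheatSearch:
    """Post #3, step 1: every address starts as a candidate; each reload keeps only
    the addresses whose value relates to the previous snapshot as chosen."""
    def __init__(self, first):
        self.prev = first
        self.candidates = set(range(len(first)))

    def narrow(self, snapshot, comparison):
        test = COMPARISONS[comparison]
        self.candidates = {i for i in self.candidates if test(snapshot[i], self.prev[i])}
        self.prev = snapshot
        return sorted(WRAM_BASE + i for i in self.candidates)

    def par_codes(self, snapshot):
        """'7E0085:04'-style RAM codes freezing each remaining candidate at its current value."""
        return [f"{WRAM_BASE + i:06X}:{snapshot[i]:02X}" for i in sorted(self.candidates)]
```

Loading the unlocked state with "greater" keeps the flag, the entry count and the noise counter; reloading another unlocked state with "equal" drops the counter, leaving the handful of addresses you then edit by hand as the post describes.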


            • #7
              In the RAM I found the address that changes depending on where the cursor is for the cup selection; it's 7E0150. I set a breakpoint on write for this address because that was the only one that would initiate a break. Then I did a trace log with one that goes from Star Cup to Special Cup and one that's locked going from Star Cup back to Mushroom Cup. The part I'm stuck on now is locating the breakpoint in the logs. Is there something to look for that signifies a break in there?

              I was able to cobble a somewhat working code together via this tutorial by eadmaster. In the debug console it shows "$84/FAFF 9C 50 01" when going from Star to Mushroom, and every other down press with the open cups showed "$84/FAD1 8D 50 01", so I replaced the 9C instruction on the locked down press with the 8D that was used in the unlocked down presses and it lets me select Special Cup now. The only problem is of course it's not lit up as if it were unlocked, and you can keep pressing down past Special and the game will lock up. This might cause more bugs in the game and I'd like to get a clean edit like you did, Helder.
              Last edited by darknezz19; 05-25-2015, 11:13:27 AM.



              • #8
                It's not hard if you follow what I said in the previous post, but it seems like it's not sinking in for you, so I will explain it to where it should make sense.

                I took your RAM address, and with the Special Cup unlocked I got this for my break, and I also did a trace log:

                $84/FAD1 8D 50 01 STA $0150

                Now open that log and search for "$84/FAD1" and you should find only 1 occurrence, so simple enough, and looking at where it was, it is part of a routine, which is easy to tell since there are spaces separating routines, and this is what I got:

                Code:
                $84/FA81 8B          PHB                     A:0001 X:0008 Y:00A0 P:eNvmxdizc
                $84/FA82 4B          PHK                     A:0001 X:0008 Y:00A0 P:eNvmxdizc
                $84/FA83 AB          PLB                     A:0001 X:0008 Y:00A0 P:eNvmxdizc
                $84/FA84 A5 6A       LDA $6A    [$00:006A]   A:0001 X:0008 Y:00A0 P:eNvmxdizc
                $84/FA86 05 6C       ORA $6C    [$00:006C]   A:0400 X:0008 Y:00A0 P:envmxdizc
                $84/FA88 29 00 2C    AND #$2C00              A:0400 X:0008 Y:00A0 P:envmxdizc
                $84/FA8B C9 00 04    CMP #$0400              A:0400 X:0008 Y:00A0 P:envmxdizc
                $84/FA8E F0 0D       BEQ $0D    [$FA9D]      A:0400 X:0008 Y:00A0 P:envmxdiZC
                $84/FA9D AD 30 00    LDA $0030  [$84:0030]   A:0400 X:0008 Y:00A0 P:envmxdiZC
                $84/FAA0 F0 35       BEQ $35    [$FAD7]      A:0004 X:0008 Y:00A0 P:envmxdizC
                $84/FAA2 AF F2 67 30 LDA $3067F2[$30:67F2]   A:0004 X:0008 Y:00A0 P:envmxdizC
                $84/FAA6 29 03 00    AND #$0003              A:1515 X:0008 Y:00A0 P:envmxdizC
                $84/FAA9 C9 01 00    CMP #$0001              A:0001 X:0008 Y:00A0 P:envmxdizC
                $84/FAAC D0 29       BNE $29    [$FAD7]      A:0001 X:0008 Y:00A0 P:envmxdiZC   <-- highlighted branch
                $84/FAAE AF F3 67 30 LDA $3067F3[$30:67F3]   A:0001 X:0008 Y:00A0 P:envmxdiZC
                $84/FAB2 29 03 00    AND #$0003              A:1515 X:0008 Y:00A0 P:envmxdizC
                $84/FAB5 C9 01 00    CMP #$0001              A:0001 X:0008 Y:00A0 P:envmxdizC
                $84/FAB8 D0 1D       BNE $1D    [$FAD7]      A:0001 X:0008 Y:00A0 P:envmxdiZC
                $84/FABA AF F4 67 30 LDA $3067F4[$30:67F4]   A:0001 X:0008 Y:00A0 P:envmxdiZC
                $84/FABE 29 03 00    AND #$0003              A:1115 X:0008 Y:00A0 P:envmxdizC
                $84/FAC1 C9 01 00    CMP #$0001              A:0001 X:0008 Y:00A0 P:envmxdizC
                $84/FAC4 D0 11       BNE $11    [$FAD7]      A:0001 X:0008 Y:00A0 P:envmxdiZC
                $84/FAC6 AD 50 01    LDA $0150  [$84:0150]   A:0001 X:0008 Y:00A0 P:envmxdiZC
                $84/FAC9 85 6E       STA $6E    [$00:006E]   A:0002 X:0008 Y:00A0 P:envmxdizC
                $84/FACB 1A          INC A                   A:0002 X:0008 Y:00A0 P:envmxdizC
                $84/FACC C9 04 00    CMP #$0004              A:0003 X:0008 Y:00A0 P:envmxdizC   <-- highlighted compare
                $84/FACF F0 2E       BEQ $2E    [$FAFF]      A:0003 X:0008 Y:00A0 P:eNvmxdizc
                $84/FAD1 8D 50 01    STA $0150  [$84:0150]   A:0003 X:0008 Y:00A0 P:eNvmxdizc   <-- highlighted break
                $84/FAD4 4C F3 FA    JMP $FAF3  [$84:FAF3]   A:0003 X:0008 Y:00A0 P:eNvmxdizc
                $84/FAF3 A9 2C 00    LDA #$002C              A:0003 X:0008 Y:00A0 P:eNvmxdizc
                $84/FAF6 22 A7 F5 81 JSL $81F5A7[$81:F5A7]   A:002C X:0008 Y:00A0 P:envmxdizc

                Next I did the same thing for the save with Special Cup locked and got this break:

                $84/FAFF 9C 50 01 STZ $0150

                I opened the new trace I made for this save and did a search for "$84/FAFF" and again, super easy, only 1 occurrence, so we look at the routine and it is pretty much the same as the one I got before:

                Code:
                $84/FA81 8B          PHB                     A:2879 X:00A0 Y:0050 P:eNvmxdizC
                $84/FA82 4B          PHK                     A:2879 X:00A0 Y:0050 P:eNvmxdizC
                $84/FA83 AB          PLB                     A:2879 X:00A0 Y:0050 P:eNvmxdizC
                $84/FA84 A5 6A       LDA $6A    [$00:006A]   A:2879 X:00A0 Y:0050 P:eNvmxdizC
                $84/FA86 05 6C       ORA $6C    [$00:006C]   A:0400 X:00A0 Y:0050 P:envmxdizC
                $84/FA88 29 00 2C    AND #$2C00              A:0400 X:00A0 Y:0050 P:envmxdizC
                $84/FA8B C9 00 04    CMP #$0400              A:0400 X:00A0 Y:0050 P:envmxdizC
                $84/FA8E F0 0D       BEQ $0D    [$FA9D]      A:0400 X:00A0 Y:0050 P:envmxdiZC
                $84/FA9D AD 30 00    LDA $0030  [$84:0030]   A:0400 X:00A0 Y:0050 P:envmxdiZC
                $84/FAA0 F0 35       BEQ $35    [$FAD7]      A:0004 X:00A0 Y:0050 P:envmxdizC
                $84/FAA2 AF F2 67 30 LDA $3067F2[$30:67F2]   A:0004 X:00A0 Y:0050 P:envmxdizC
                $84/FAA6 29 03 00    AND #$0003              A:0000 X:00A0 Y:0050 P:envmxdiZC
                $84/FAA9 C9 01 00    CMP #$0001              A:0000 X:00A0 Y:0050 P:envmxdiZC
                $84/FAAC D0 29       BNE $29    [$FAD7]      A:0000 X:00A0 Y:0050 P:eNvmxdizc   <-- highlighted branch
                $84/FAD7 AD 50 01    LDA $0150  [$84:0150]   A:0000 X:00A0 Y:0050 P:eNvmxdizc
                $84/FADA 85 6E       STA $6E    [$00:006E]   A:0002 X:00A0 Y:0050 P:envmxdizc
                $84/FADC 1A          INC A                   A:0002 X:00A0 Y:0050 P:envmxdizc
                $84/FADD C9 03 00    CMP #$0003              A:0003 X:00A0 Y:0050 P:envmxdizc   <-- highlighted compare
                $84/FAE0 F0 1D       BEQ $1D    [$FAFF]      A:0003 X:00A0 Y:0050 P:envmxdiZC
                $84/FAFF 9C 50 01    STZ $0150  [$84:0150]   A:0003 X:00A0 Y:0050 P:envmxdiZC   <-- highlighted break
                $84/FB02 4C F3 FA    JMP $FAF3  [$84:FAF3]   A:0003 X:00A0 Y:0050 P:envmxdiZC
                $84/FAF3 A9 2C 00    LDA #$002C              A:0003 X:00A0 Y:0050 P:envmxdiZC
                $84/FAF6 22 A7 F5 81 JSL $81F5A7[$81:F5A7]   A:002C X:00A0 Y:0050 P:envmxdizC

                So comparing the 2 logs you can see the address $84/FAAC D0 29 BNE $29, which is the branch that always occurs in the locked Special Cup and is always skipped when it is unlocked, almost exactly the same as the code I made to choose the 150cc. So taking this info, which I explained in the last post, we take the branch address 84FAAC D0 29, and we know that the D0 is at the address 84FAAC and that 29 is at address 84FAAD, which is what we want to change, so our code then becomes:

                Can Choose Special Cup
                84FAAD:00

                BUT in this case it is not the code, because if we test it we can see it doesn't work, and putting a break on execute on the branch address 84FAAC and going line by line, there is another check or compare that follows, and going line by line and looking at the trace log of when we can choose the Special Cup you can see where the branch occurs.

                So what to do? Well, if we look at both trace logs above you can see there is a check or compare of 4 in the unlocked cup and of 3 in the locked cup, which correspond to how many choices you are able to choose. I highlighted each compare above for your viewing pleasure.

                So we throw the previous code away and try out a theory: what if we change the compare value to 4 instead of 3 in the locked trace? So take the address of
                $84/FADD C9 03 00 CMP #$0003

                and change the 3 to a 4 and the code becomes:

                Can Choose Special Cup
                84FADE:03

                and it works! Let's hope you practice what I have shown above and test ideas and theories to find the code you want.


                Edit: the code is a partial code which does allow you to choose the stages, but as soon as the first course starts the whole level is messed up, so there is definitely some additional code needed to load the levels or officially unlock the cup, since all we did was a cursor mod of sorts. But this next task is up to you.

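An added example, not part of the thread and not snes9x code, that turns the trace-log method of posts #6 and #8 into a script: it parses snes9x trace lines, checks the relative-branch arithmetic against the bracketed target the emulator prints, reads the logged flags to say whether a branch was taken, finds where a locked and an unlocked trace of the same routine diverge and emits the displacement-byte patch (the "D0 at 84FAAC, 29 at 84FAAD" reasoning), and the same helper produces an operand-byte patch for the CMP. The sample lines are copied from the excerpts above; `LINE_RE`, `BRANCH_COND`, `Insn` and the function names are mine, and the flag-letter convention assumed is snes9x's (upper case = set, state shown before the instruction runs).

```python
import re
from typing import NamedTuple

# Constructed sample input: three lines lifted from each trace excerpt in post #8
# (Special Cup unlocked vs. locked), cut down to the point where they diverge.
TRACE_UNLOCKED = """\
$84/FAA9 C9 01 00    CMP #$0001              A:0001 X:0008 Y:00A0 P:envmxdizC
$84/FAAC D0 29       BNE $29    [$FAD7]      A:0001 X:0008 Y:00A0 P:envmxdiZC
$84/FAAE AF F3 67 30 LDA $3067F3[$30:67F3]   A:0001 X:0008 Y:00A0 P:envmxdiZC
"""
TRACE_LOCKED = """\
$84/FAA9 C9 01 00    CMP #$0001              A:0000 X:00A0 Y:0050 P:envmxdiZC
$84/FAAC D0 29       BNE $29    [$FAD7]      A:0000 X:00A0 Y:0050 P:eNvmxdizc
$84/FAD7 AD 50 01    LDA $0150  [$84:0150]   A:0000 X:00A0 Y:0050 P:eNvmxdizc
"""
# One trace line: "$BB/AAAA <raw bytes> MNE <operand and register dump>"
LINE_RE = re.compile(r"^\$([0-9A-F]{2})/([0-9A-F]{4})\s+((?:[0-9A-F]{2}\s+)+)([A-Z]{3})(?=\s|$)(.*)$")
# Flag each 65816 conditional branch tests, and whether it branches when that flag is set.
BRANCH_COND = {"BNE": ("Z", False), "BEQ": ("Z", True), "BCC": ("C", False), "BCS": ("C", True),
               "BPL": ("N", False), "BMI": ("N", True), "BVC": ("V", False), "BVS": ("V", True)}

class Insn(NamedTuple):
    bank: int       # ROM bank, the $84 in "$84/FAAC"
    addr: int       # 16-bit address within that bank
    opcodes: tuple  # raw bytes: opcode first, operand bytes after
    mnem: str
    rest: str       # operand text plus the register/flag dump

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # blank lines, headers, anything that is not a trace line
    bank, addr, raw, mnem, rest = m.groups()
    return Insn(int(bank, 16), int(addr, 16), tuple(int(b, 16) for b in raw.split()), mnem, rest)
def parse_trace(text):
    return [i for i in map(parse_line, text.splitlines()) if i]
def branch_target(insn):
    """Relative branch: address after the 2-byte instruction plus the signed 8-bit displacement."""
    disp = insn.opcodes[1] - 0x100 if insn.opcodes[1] >= 0x80 else insn.opcodes[1]
    return (insn.addr + 2 + disp) & 0xFFFF
def logged_target(insn):
    """The target snes9x printed in brackets, e.g. '[$FAD7]', to cross-check branch_target."""
    return int(re.search(r"\[\$([0-9A-F]{4})\]", insn.rest).group(1), 16)
def branch_taken(insn):
    """Flags are logged before the instruction runs; an upper-case letter means the flag is set."""
    flags = re.search(r"P:(\w+)", insn.rest).group(1)
    flag, taken_when_set = BRANCH_COND[insn.mnem]
    return (flag in flags) == taken_when_set
def patch_code(insn, byte_index, value):
    """PAR-style ROM code 'BBAAAA:VV' for one byte of insn (byte 0 is the opcode)."""
    return f"{insn.bank:02X}{insn.addr + byte_index:04X}:{value:02X}"
def branch_patch(trace_a, trace_b):
    """First divergence of two traces must follow a conditional branch; zeroing its
    displacement makes it fall through either way (the 'change the 0B to 00' trick)."""
    for i, (x, y) in enumerate(zip(trace_a, trace_b)):
        if x.addr != y.addr:
            br = trace_a[i - 1]
            if i == 0 or br.mnem not in BRANCH_COND or br.addr != trace_b[i - 1].addr:
                raise ValueError("traces do not diverge right after a conditional branch")
            return patch_code(br, 1, 0x00)
    raise ValueError("traces never diverge")
```

As post #8 found, a displacement patch alone is not always the answer; `patch_code(cmp_insn, 1, value)` gives the operand-byte code for a CMP immediate when the count being compared is the real gate.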


                • #9
                  Thanks for all the input so far, Helder. I've been kinda busy lately but want to come back to this and put these lessons into play. Appreciate you taking the time to help me out.

