Branching asm help

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Branching asm help

    Hello, fellow game hacker fanatics! I'm in desperate need of some help and clarification here regarding when to NOP a branch instruction in asm, because I recently found two new codes by accident in asm in the debugger. When I was playing Street Fighter EX2 Plus I found the first hack by placing a write breakpoint on the round status RAM modifier in the game. I then traced a bit backwards in the debugger until I came across a beq branch, so I placed a breakpoint on it, then NOPed the branch instruction, and noticed that I could start the match without any countdown before the fight. Pretty cool, but the code was found accidentally and I have no idea what I did at the time of the hack.

    The question is: how do you know when an asm code has a branch routine involved in it? I would really appreciate it if someone could give me an example of when to NOP a branch instruction in the debugger when trying to hack and find certain asm codes using it.

    Another code I found in the game is an asm code that allows player 1 to always win a fight, when playing as player 2.

    I found the code by placing a breakpoint on player 2's "wins a match" RAM modifier code. I then traced backwards in the debugger and placed a breakpoint on a beq branch. After I got the break I NOPed the branch instruction, which then allowed player 1 to always win a match, regardless of whether player 2 won the match or not.

    I found these two asm codes with very little knowledge of branches in MIPS, but I find that I always have to guess when I'm supposed to NOP a branch instruction when trying to create a new asm code in the game. Could someone who's experienced in making branch codes explain to me exactly why certain codes in asm require NOPing the branch instruction? I'm clueless as to why programmers do this.

  • #2
    You have to pay attention to the code. By setting a breakpoint on the branch, you should observe what's happening in the game when that line of code executes.

    Edit 1: Also, sometimes you might not need to use a NOP; instead, you might have to always branch to that location. It all depends on the code and how you want to manipulate it.

    Edit 2: Here is your example:
    Code:
    0800C678 4A13     ldr     r2,=0x3004FEC     ;@ Loads the ring address.
    0800C67A 8810     ldrh    r0,[r2]           ;@ Loads the amount of rings you currently have.
    0800C67C 2800     cmp     r0,#0x0           ;@ If you have 0 rings and get hit...
    0800C67E D027     beq     #0x800C6D0        ;@ This returns true and jumps to your player's death routine. It returns false otherwise. 
                                                ;@ NOP this address to kill that jump to the death routine/keep your player alive.
    I only bother with things that interest me.

    • #3
      Your question can't really be answered the way you want because what you're looking for is a bit backwards. You have to have some inkling of what the code is doing in order to know whether or not you should modify an operation, and some knowledge of operations themselves to decide what it needs to be replaced with. There's some small value in hunting and pecking, but that value quickly diminishes if you're doing it in fragments of code about which you understand nothing or very little. The only reason you've hit upon much of value here is because you were hunting in areas around codes that already exist.

      What you're doing is a learning tool, not a method of hacking that I would recommend to anyone. Your ultimate goal in poking around like that should be to learn more about what the game's code is doing, and not so much making cool cheats.

      For example, you broke the round countdown. Now you know that the code between that branch operation and the branch target has something to do with performing or triggering the countdown, and you can analyze it or modify it to see what it's doing. Maybe you'll find out that by decreasing an immediate value by one somewhere in that code, the countdown starts at 2 instead of 3. Then increasing it by one might cause a crash because Capcom didn't bother creating assets for a "4". You might find that the round countdown uses the same code as the actual round timer, and you can manipulate it to go twice as fast, or drop to zero or reset with a button press.

      There's really no such thing as a "branch code"; or there's no such thing as a "branch code method" at any rate. What most of us are doing is a lot more complex than:
      1. Op code starts with "B".
      2. Other magical factor we've kept secret from Jin299 is true?
      3. NOP it.
      4. Is result awesome?
      5. Yes: Publish code.
      6. No: Stupid magic! Try next branch

      • #4
        Jin299, I thought you already had this down. Again you are throwing away all of the damn advice we gave you and that you apparently used. When you put a break on the conditional branch you should scroll up a few more instructions and find some kind of load instruction, then go line by line till you reach that branch and observe the registers like you had learned about. After viewing the routine run a few times and going line by line you will realize what is going on in the code and know whether to NOP the branch or make it always branch (Demonic gave a good example above).

        • #5
          Right guys, if I post some pictures of me attempting to hack the code, will you guys help me out? I'm fully prepared to put the leg work into it, whatever the results may be.

          By the way, I'm not trying to annoy any of you guys by posting such vague threads, but I know that all I need is a sense of clarity in knowing what I need to do when confronted with issues like these.

          Also, Demonic722, I have a question to ask you, man. I broke on a bne branch, v0, v1, $80103988, when I was hacking the first code for the game. The condition was confirmed as true when I broke on the instruction; I took a quick glance at register v0 in the debugger and it was loading 0000005B into the register. So should I modify that register to ori v0, zero, $5B and see what happens in the game, or will this not do anything?
          Last edited by jin299; 11-15-2014, 07:44:41 PM.

          • #6
            I'm not quite sure what you're asking. Should you modify the branch with an ori instruction? Probably not unless there's a conditional ori instruction. A compare without a conditional is asinine. Here are some questions:

            1. When was the condition confirmed true?
            2. Why would you even consider doing that if NOPing the other branch worked?
            3. Do you understand why NOPing that branch worked?
            4. Are both of the branches jumping to the same location?
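A worked model of the two patches Demonic722 describes in #2 (NOP the branch vs. make it always branch), applied to the kind of MIPS bne v0,v1 that jin299 asks about in #5. This is an added example, not code from any poster; the branch address, target and register values are constructed to match the shape of "bne v0, v1, $80103988".

```python
# Model of the NOP vs. always-branch patches on MIPS I (PS1) encodings.
# Added example, not from any poster; the instruction word, addresses and
# register contents below are constructed.

NOP = 0x00000000          # MIPS nop is sll $zero,$zero,0, an all-zero word
V0, V1, ZERO = 2, 3, 0    # register numbers: v0 = $2, v1 = $3

def decode_branch(word):
    """Decode a beq/bne word into (mnemonic, rs, rt, signed_offset), or None."""
    op = word >> 26
    if op not in (4, 5):                       # 4 = beq, 5 = bne
        return None
    rs, rt = (word >> 21) & 0x1F, (word >> 16) & 0x1F
    off = word & 0xFFFF
    if off & 0x8000:                           # 16-bit word offset is signed
        off -= 0x10000
    return ("beq" if op == 4 else "bne", rs, rt, off)

def encode_branch(mnemonic, rs, rt, off):
    op = 4 if mnemonic == "beq" else 5
    return (op << 26) | (rs << 21) | (rt << 16) | (off & 0xFFFF)

def branch_target(pc, word):
    """The offset is relative to the delay slot (pc+4) and counted in words."""
    return (pc + 4 + decode_branch(word)[3] * 4) & 0xFFFFFFFF

def patch(word, mode):
    """'nop' makes the branch never taken; 'always' rewrites it as
    beq $zero,$zero,target, the MIPS way to force the jump unconditionally."""
    dec = decode_branch(word)
    if dec is None:
        raise ValueError("not a beq/bne instruction")
    if mode == "nop":
        return NOP
    if mode == "always":
        return encode_branch("beq", ZERO, ZERO, dec[3])
    raise ValueError(mode)

def next_pc(pc, word, regs):
    """Address executed after the delay slot: the target when the condition
    holds, otherwise pc+8. A NOP (or any non-branch word) falls through."""
    dec = decode_branch(word)
    if dec is None:
        return pc + 8
    mnem, rs, rt, _ = dec
    a = 0 if rs == ZERO else regs.get(rs, 0)   # $zero always reads 0
    b = 0 if rt == ZERO else regs.get(rt, 0)
    taken = (a == b) if mnem == "beq" else (a != b)
    return branch_target(pc, word) if taken else pc + 8

# Constructed: a bne at 0x80103970 targeting 0x80103988 (offset 5 words).
BNE_WORD = encode_branch("bne", V0, V1, 5)     # 0x14430005
```

Run next_pc on the original word, the NOPed word and the always-branch word with v0 = 0x5B to see which path each variant takes; an ori into v0, as asked in #5, changes the register but not the branch itself.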

            • #7
              Demonic722, I'm trying to find a code that would let me perform charge moves free of any restrictions, without glitches, for Street Fighter EX2 Plus. So I placed a write breakpoint on the RAM address for "no charge needed" for the game [801E81AA], then started a match playing as Bison and held the back button pressed on the controller, which causes it to break on that address. Now the problem I'm having is that I know I'm supposed to NOP a beq or bne instruction to find the code, but I don't know how to find the correct branch to NOP in the debugger. After placing a breakpoint on a beq or bne instruction and it breaks on the branch, is there any way of knowing exactly where the correct branch is located by observing the registers?

              • #8
                Problem with your searching is that this address you're using for breakpoints doesn't seem to be the address to control the charging, from what I have seen by looking at this address in the memory viewer this pretty much has a value set for whatever direction you press. I tried looking for a code that actually controls the charge counter but found nothing (using Artmoney which isn't helping much), I might be able to find something with MESS but I think you need to re-do your RAM code.

                • #9
                  It occurred to me too, man, that the code wasn't the right RAM code. I apologize for wasting your time and mine. I will try searching for the RAM address again, and hopefully I will find a legit code.

                  Now I have a very important question to ask you, man, in relation to tracing a code by branching. If jr ra is the return function for a routine, and after you have set a breakpoint on the jr ra instruction, how do you trace backwards in the debugger from this instruction? Do you use the trace key, which is F7, or do you use the "return to subroutine" function?
                  Last edited by jin299; 11-18-2014, 06:43:36 PM.
