Rings of Power - Infinite HP & MP


  • Rings of Power - Infinite HP & MP

    I played a bit with Rings of Power on the Genesis. I was looking for a way to have Infinite HP & MP. The problem I found is the following:

    If you do a write WP in HazeMD when someone hits you in battle you'll get this:
    Code:
    03B3AC: 670C                       beq     $3b3ba
    03B3AE: 206E FFF8                  movea.l (-$8,A6), A0
    03B3B2: 302E FFF6                  move.w  (-$a,A6), D0
    03B3B6: 9168 001C                  sub.w   D0, ($1c,A0)
    03B3BA: 2F2E FFF8                  move.l  (-$8,A6), -(A7)
    If I change the sub at 03B3B6 I get Infinite HP. But the enemies also obtain this effect. The same happens with MP:

    Code:
    037DC6: 600C                       bra     $37dd4
    037DC8: 206E FFF0                  movea.l (-$10,A6), A0
    037DCC: 3028 001E                  move.w  ($1e,A0), D0
    037DD0: 906E FFF4                  sub.w   (-$c,A6), D0
    037DD4: 206E FFF0                  movea.l (-$10,A6), A0
    037DD8: 3140 001E                  move.w  D0, ($1e,A0)
    037DDC: 206E FFF0                  movea.l (-$10,A6), A0
    Again if I change the move at 037DD8 with a branch my party and all the enemies have infinite mp.

    So I was looking for an alternate way to hack the rom and poke the values in the following ram addresses:

    FF0304:270F Buc Current HP
    FF0306:270F Buc Current MP
    FF043C:270F Obliki Current HP
    FF043E:270F Obliki Current MP
    FF04D8:270F Feather Current HP
    FF04DA:270F Feather Current MP
    FF05A8:270F Slash Current HP
    FF05AA:270F Slash Current MP
    FF0540:270F Alexi Current HP
    FF0542:270F Alexi Current MP
    FF0644:270F Mortimer Current HP
    FF0646:270F Mortimer Current MP

    I tried looking for a bunch of nops by tracing, but I couldn't find them anywhere.
    So I tried to change some instructions with a JSR.
    For example 2ED94: 4EB9 000F CF9C
    I chose 0FCF9C because it has a lot of zeroes. So in 0FCF9C I wrote:
    FCF9C: 33FC 270F 0304

    But the game always freezes when I enter a battle. On one occasion, the fight continued forever with me and the enemy with 0 HP.

    Any suggestions, please? It's the only code I need for the game. I found some new cool codes for it, but I'm missing this one.

    Thank you n_n.

    Whipon.
    Last edited by Whipon; 09-02-2007, 09:53:49 PM.

  • #2
    Originally posted by Whipon View Post

    I tried looking for a bunch of nops by tracing, but I couldn't find them anywhere.
    So I tried to change some instructions with a JSR.
    For example 2ED94: 4EB9 000F CF9C
    I chose 0FCF9C because it has a lot of zeroes. So in 0FCF9C I wrote:
    FCF9C: 33FC 270F 0304

    But the game always freezes when I enter a battle. On one occasion, the fight continued forever with me and the enemy with 0 HP.

    Only had a cursory look at the game (not really my sort of game), however if you are only poking 2ED94 & FCF9C: 33FC 270F 0304 it won't work...you've also got to replicate the code that you changed at 2ED94 and also need to do an RTS. So you'd need something like:-

    2ED94: 4EB9 000F CF9C
    FCF9C: 33FC 270F 0304
    FCFA2: 3F30 0800 <--the code you changed at 2ED94
    FCFA6: 3005 <--the code you changed at 2ED98
    FCFA8: 4E75 <---an RTS
    Pugsy's MAME Cheat Page : http://mamecheat.co.uk



    • #3
      Thank you very much!

      Thank you very much Pugsy, I'll try it tonight and I'll post the results here.
      If I manage to do it, it will be great!!!
      Whipon.



      • #4
        Well...

        I tried the method, and it worked very well. But the game seems to have a cheat protection of some kind. Let me explain better:

        I changed 03B3C6: 3039 00FF C37C => 4EB9 000F D0CC

        This is a trace of a clean rom:
        Code:
        03B3B6: sub.w   D0, ($1c,A0)
        03B3BA: move.l  (-$8,A6), -(A7)
        03B3BE: jsr     $37b82.l
        037B82: link    A6, #-$4
        037B86: movea.l ($8,A6), A0
        037B8A: tst.w   ($1c,A0)
        037B8E: bgt     $37d0a
        037D0A: bra     $37c16
        037C16: unlk    A6
        037C18: rts
        03B3C4: addq.w  #4, A7
        03B3C6: move.w  $ffc37c.l, D0
        03B3C6 is executed every time somebody loses HP in a battle. I had to use this method because when I tried to use some instruction which is continuously executed the cheat protection appeared when you try to enter the Sorcerer's Academy at the beginning of the game.

        Then in 0FD0CC I wrote:

        Code:
        33FC 008C 00FF 0304 Buc - HP
        33FC 2328 00FF 0306 Buc - MP
        33FC 32C8 00FF 0302 Buc - Exp
        33FC FFFF 00FF 0316 Buc - Spells
        13FC 00FF 00FF 0318 Buc - Spells
        33FC 008C 00FF 043C Obliki - HP
        33FC 2328 00FF 043E Obliki - MP
        33FC 32C8 00FF 043A Obliki - Exp
        33FC FFFF 00FF 044E Obliki - Spells
        13FC 00FF 00FF 0450 Obliki - Spells
        33FC 008C 00FF 04D8 Feather - HP
        33FC 2328 00FF 04DA Feather - MP
        33FC 32C8 00FF 04D6 Feather - Exp
        33FC FFFF 00FF 04EA Feather - Spells
        13FC 00FF 00FF 04EC Feather - Spells
        33FC 008C 00FF 0540 Alexi - HP
        33FC 2328 00FF 0542 Alexi - MP
        33FC 32C8 00FF 053E Alexi - Exp
        33FC FFFF 00FF 0552 Alexi - Spells
        13FC 00FF 00FF 0554 Alexi - Spells
        33FC 008C 00FF 0574 Slash - HP
        33FC 2328 00FF 0576 Slash - MP
        33FC 32C8 00FF 0572 Slash - Exp
        33FC FFFF 00FF 0586 Slash - Spells
        13FC 00FF 00FF 0588 Slash - Spells
        33FC 008C 00FF 0644 Mortimer - HP
        33FC 2328 00FF 0646 Mortimer - MP
        33FC 32C8 00FF 0642 Mortimer - Exp
        33FC FFFF 00FF 0656 Mortimer - Spells
        13FC 00FF 00FF 0658 Mortimer - Spells
        3039 00FF C37C The replaced instruction at 03B3C6
        4E75 rts
        These codes give infinite HP & MP, all the spells and max experience.
        It worked very well. But when you get the second member of the party (Slash the Knight) and you try to use some spells the cheat protection appears again. The same happens when you get the third member (Feather the Archer).

        I tried to find the subroutine of the cheat protection by tracing a clean rom and the hacked rom with HazeMD and then comparing the traces of both, but I couldn't find it.

        Here's a screenshot of the cheat protection:


        Then you must press any button and the game restarts.

        Is it possible to disable the cheat protection? Or am I doing something wrong?
        Thanks in advance!.

        EDIT:
        I have found one more problem: The game assigns a random ram address to your chars each time you start a new game. The first char, Buc, the sorcerer, is the only char which suffers no changes in his addresses. The remaining 5 chars receive a random address between FF0400 to FF0B00. Surely the guys at Naughty Dog have done nice work. Now I'm looking for a way to make the game give you the same addresses always, so I can poke them. If you can lend me a hand with this one, I'd really appreciate it. Also, please, correct me if I'm doing something wrong.
        About the cheat protection: maybe it is an error message, like a BSOD. I changed the code at 0FD0CC to only write at the HP & MP addresses and now it doesn't appear so often. It keeps appearing sometimes.
        Whipon
        Last edited by Whipon; 09-05-2007, 05:32:35 PM.



        • #5
          I made lots of progress!!!

          I managed to understand the "cheat protection". It appears when you try to write to a ram address which is not in use in the game. The game recalculates the addresses of all your chars (except the first (sorcerer)). So if you try to poke any saved ram address from another playtime, it seems to crash the game and it shows you that nasty screen.

          So I poked only the sorcerer's stats:

          Invincible Buc,
          00127A: 52B9 00FF 0010 => 4EB9 000F D0CC
          0FD0CC:
          33FC 008C 00FF 0304 33FC 2328 00FF 0306 4E75

          I managed to boost all my chars experience with this one:

          Quick Level Up,HT0A-BALV
          002C516 B27C => 303C

          I saved lots of typing with this one:
          All the chars start with all the spells:
          Start with all the spells,
          0241A6: 11BC 0001 0800 => 4EB9 000F CFB4
          0FCFB4:
          21BC FFFF FF00 0800 4E75

          Some misc ones:
          Start with the Magic Leaf,
          02CE2A 0C6E 0005 FFFE => 4EB9 000F CF84
          0FCF84:
          13FC 0001 00FF C343 0C6E 0005 FFFE 4E75

          Infinite Gold, Water and Food,
          00F3D4: 1A18 1C33 5000 => 4EB9 000F CF94
          0FCF94:
          33FC 7530 00FF C364 33FC 7530 00FF C366 33FC 3A98 00FF 02DE 1A18 1C33 5000 4E75

          My new GG codes for this game

          It would be great if I could poke the other chars HP & MP. I found the code in the game that sets your chars stats when you get them:

          Code:
          024074: addq.w  #2, A7
          024076: move.w  D4, D1
          024078: muls.w  #$34, D1
          02407C: lea     $ff02d4.l, A0
          024082: move.w  D0, (A0,D1.l)
          024086: move.w  D4, D0
          024088: muls.w  #$34, D0
          02408C: lea     $ff02d4.l, A0
          024092: move.w  D4, D1
          024094: muls.w  #$34, D1
          024098: lea     $ff02d0.l, A1
          02409E: move.w  (A0,D0.l), (A1,D1.l)
          0240A4: move.w  D4, D0
          0240A6: muls.w  #$34, D0
          0240AA: lea     $ff02cc.l, A0
          0240B0: move.w  (A0,D0.l), D1
          0240B4: lsr.w   #4, D1
          0240B6: and.w   #$f, D1
          0240BA: move.w  D1, -(A7)
          0240BC: jsr     $31946.l
          031946: link    A6, #$0
          03194A: move.w  ($8,A6), D0
          03194E: addq.w  #1, D0
          031950: muls.w  #$3e8, D0
          031954: unlk    A6
          031956: rts
          0240C2: addq.w  #2, A7
          0240C4: move.w  D4, D1
          0240C6: muls.w  #$34, D1
          0240CA: lea     $ff02d6.l, A0
          0240D0: move.w  D0, (A0,D1.l)
          0240D4: move.w  D4, D0
          0240D6: muls.w  #$34, D0
          0240DA: lea     $ff02d6.l, A0
          0240E0: move.w  D4, D1
          0240E2: muls.w  #$34, D1
          0240E6: lea     $ff02d2.l, A1
          0240EC: move.w  (A0,D0.l), (A1,D1.l)
          0240F2: move.w  D4, D0
          0240F4: muls.w  #$34, D0
          0240F8: movea.l D0, A0
          0240FA: lea     $ff02e0.l, A1
          024100: adda.l  A1, A0
          024102: andi.w  #$ff00, (A0)
          024106: move.w  D4, D0
          But I don't know how to use it to hack the rom. I understand it calculates the address adding A0 to the effective address loaded. But with my actual programming skills I can't use this data to achieve my goal u_u.
          Thank you very much.
          Whipon.
          Last edited by Whipon; 09-06-2007, 01:52:08 AM.



          • #6
            I do hate games like this....sort of RPG I guess? Without playing the game it's hard to give a proper solution. What you could try is finding if the enemy locations vary a lot or if they stick to a few locations (BP 3B3B6 and check the A0 register during battles), then change the code at 3B3B6 to jump to a separate routine - check the value of A0 (use compares and branches) and if it's an enemy do the SUB. If it's not then either do nothing or poke the location it's trying to change via the indexed address.


            BTW, it does not sound like a form of cheat protection, it's just the mechanics of the game...dynamic memory allocation (RAM cheat addresses change between levels/games) is often one of the side effects of using a compiler rather than programming directly in assembler. Poking memory which may not hold what you think it holds will obviously often have undesired effects (crashing etc.)
            Pugsy's MAME Cheat Page : http://mamecheat.co.uk



            • #7
              Great!

              Yes Rings of Power is a very rare RPG.
              I discovered that some addresses given to your party in an actual game can be given to enemies in a future game. I found this poking all the ram addresses I found in a previous search. Then when I tried to test them, some enemies had infinite HP & MP, also enemies that weren't in the fight o_O (buggy HP, MP counters appeared). So maybe it's impossible to distinguish enemy addresses from your party addresses.
              Anyway I will try your method right now.

              Thank you for your help.

              Whipon.
              Last edited by Whipon; 09-06-2007, 11:54:55 AM.



              • #8
                Good news!

                I put a BP on 3B3B6 (HP) and another one on 37DD8 (MP).
                These are the values of the A0 registers when these instructions are executed:

                A0 (Enemy)
                FF02B4
                FF031C
                FF0350
                FF0384
                FF03B8
                FF03EC
                FF0420
                FF0448
                FF0454*
                FF0488*
                FF04BC
                FF04F0

                A0 (Your Party)
                Buc
                FF02E8

                Slash
                FF0558

                Feather
                FF0454

                Alexi
                FF0488

                Obliki
                FF0384

                Mortimer
                FF058C

                Maybe there's more values for the enemies. And FF0454 & FF0488 are used sometimes for the enemy before you complete your party. But I tested the method given above 3 times. And the A0 registers for your party never change. When someone loses HP or MP the value in the A0 register is the same for both instructions. So we've found a static value to use in the hack ñ____ñ.
                Now I'm playing with the rom trying to make good use of these addresses. If you have already figured out how to implement them, please let me know. I'm still learning 68k asm and most of my hacks are stolen instructions and subroutines from traces of the game. I need just a little example routine. Anyway I'm trying on my own.
                EDIT:
                I'm having problems replacing the SUB in 3B3B6 with a JSR:
                03B3B6: 9168 001C 2F2E FFF8 => 4EB9 000F D0E4 4E71
                0FD0E4:
                9168 001C 2F2E FFF8 4E75

                Using a 4E71 in 3B3BC freezes the game when you get hit. I tried 6000 and 6002 with the same results.

                I'm just testing how to replace it to start the hacking process. The problem is I need 3 slots for the JSR and there are 2 instructions with 2 slots each.
                03B3B6: 9168 001C sub.w D0, ($1c,A0)
                03B3BA: 2F2E FFF8 move.l (-$8,A6), -(A7)

                I'll keep investigating n.n.

                Thanks.

                Whipon.
                Last edited by Whipon; 09-06-2007, 05:00:40 PM.



                • #9
                  Like I say I haven't looked at the game in depth at all..

                  Regarding the problem with the JSR use 3 words for the JSR and put a NOP (4e71) in the other word. Don't forget before you do an RTS though you will need to replicate what you've removed....looking at the above code replicating "move.l (-$8,A6), -(A7)" may create some problems as it changes the stack so you may have to JMP rather than JSR and you will have to JMP back to 3B3BE (not RTS).
                  Pugsy's MAME Cheat Page : http://mamecheat.co.uk
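
The detour mechanics discussed in posts #2, #8 and #9, as an added example that is not part of the original thread: this Python builder reproduces the hook bytes quoted in posts #4 and #8 and models the stack to show where execution resumes with a JSR/RTS cave versus a JMP/JMP cave. The function names and the stack model are assumptions made for illustration; the pushed value is Buc's A0 from post #8, because the trace in post #1 loads A0 from the same (-$8,A6) slot that the displaced move.l pushes.

```python
import struct

JSR_L, JMP_L, NOP, RTS = 0x4EB9, 0x4EF9, 0x4E71, 0x4E75  # 68000 opcode words


def abs_long(opcode, target):
    """JSR/JMP with a 32-bit absolute target: three words, six bytes."""
    return struct.pack(">HI", opcode, target)


def hexwords(data):
    """Format bytes as the space-separated 16-bit words used in the thread."""
    return " ".join(data[i:i + 2].hex().upper() for i in range(0, len(data), 2))


def build_detour(hook, displaced, cave, payload=b"", displaced_pushes=False):
    """Return (bytes for the hook site, bytes for the code cave).

    displaced: the whole instructions overwritten at `hook`, one bytes object each.
    displaced_pushes: True when a displaced instruction pushes to the stack
    (e.g. move.l (-$8,A6),-(A7)); the detour then uses JMP/JMP, not JSR/RTS.
    """
    size = sum(len(ins) for ins in displaced)
    if size < 6 or size % 2:
        raise ValueError("must displace whole instructions totalling >= 6 bytes")
    pad = struct.pack(">H", NOP) * ((size - 6) // 2)  # fill the leftover words
    if displaced_pushes:
        site = abs_long(JMP_L, cave) + pad
        tail = abs_long(JMP_L, hook + size)  # resume after the displaced code
    else:
        site = abs_long(JSR_L, cave) + pad
        tail = struct.pack(">H", RTS)
    # Cave layout: cheat payload, then the replicated instructions, then return.
    return site, payload + b"".join(displaced) + tail


def resume_address(site, hook, displaced_pushes, pushed_value):
    """Model the stack to find where execution resumes after the cave runs."""
    stack = []
    is_jsr = site[:2] == struct.pack(">H", JSR_L)
    if is_jsr:
        stack.append(hook + 6)       # JSR pushes the address after itself
    if displaced_pushes:
        stack.append(pushed_value)   # replicated push lands on top of it
    if is_jsr:
        return stack.pop()           # RTS pops whatever is on top
    return hook + len(site)          # JMP back; the push stays for the game


if __name__ == "__main__":
    # sub.w D0,($1c,A0) and move.l (-$8,A6),-(A7) from the trace at $03B3B6
    sub_and_push = [bytes.fromhex("9168001C"), bytes.fromhex("2F2EFFF8")]
    for use_jmp in (False, True):
        site, body = build_detour(0x03B3B6, sub_and_push, 0x0FD0E4,
                                  displaced_pushes=use_jmp)
        where = resume_address(site, 0x03B3B6, True, 0x00FF02E8)
        print(f"03B3B6: {hexwords(site)}")
        print(f"0FD0E4: {hexwords(body)}")
        print(f"resumes at ${where:06X}\n")
```

With the JSR/RTS form the RTS pops the pushed pointer instead of the return address, so the CPU resumes inside RAM; the JMP/JMP form resumes at 3B3BE with the pushed argument still on the stack for the following jsr $37b82.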



                  • #10
                    Thanks

                    Thank you. I'll apply it right now.



                    • #11
                      Joker Codes?

                      Well, after trying lots of methods involving Compare and Branches, I couldn't find any way to achieve my goal, because an enemy, or two or all get Infinite HP & MP also. So I was thinking of a different method: Joker Codes, like in PSX:
                      You know, writing to the indexed address when you press a specific button. I tried the following:

                      Code:
                      Press Right in the spell list in battle to max out hp & mp,
                      02B678: 1030 1800 C004 => 4EB9 000F D0CC
                      
                      0FD0CC:
                      1030 1800 C004 The replaced Instruction in 02B678
                      0C39 0001 00FF 011A Compare FF011A to 01
                      6702 BEQ
                      4E75 RTS
                      117C 008C FFED Full HP
                      2178 2328 FFEF Full MP
                      4E75 RTS
                      I tried to find a memory address involved in the spells submenu screen in battle. So I searched for the position of the cursor in this submenu. After a little searching I came to FFBB72. Doing a write WP I found a CMP FF011A before the write. It seems it's used to compare if you go down in the menu. If you do a read WP, every time you press a direction on the D-Pad you'll get a read with a different value (01 for right, 02 for up...). So I tried 0C39 0001 00FF 011A to make the write every time you press right. But I had no luck.
                      Is it possible to implement this method? If it's possible, can you please send me a simple example of the routine if mine's wrong? And a few examples of a way to find the memory address changed when you press a button.

                      Thanks a lot, Pugsy. I had lots of fun with your previous advice and your 68k opcode list.

                      Whipon.



                      • #12
                        A few pointers....

                        Just had a quick look at the code....I think you will find that the controls are mapped to FF0018 throughout the game (it may be the generic location for the joypad?), so that is the location you will need to do a compare on.

                        Bear in mind that it will be bit based (x01, x02,x04,x08,x10,x20,x40,x80) so if you press 2 buttons at the same time you will get the values for the two buttons added together.
                        Pugsy's MAME Cheat Page : http://mamecheat.co.uk



                        • #13
                          Another point to note you may need to hijack the game's FF0018 read...which may mean that the index values may not be correct if you branch/jump from there.
                          Pugsy's MAME Cheat Page : http://mamecheat.co.uk



                          • #14
                            Very useful advice.

                            I was a little lost. Thank you very much. I'll post the results here n___n.
                            Whipon.



                            • #15
                              Success!!!

                              Well I managed to do it the following way:

                              Code:
                              Press A button in the spell list in battle to max out hp & mp:
                              
                              02B678 1030 1800 C004 => 4EB9 000F D0CC
                              
                              0FD0CC:
                              1030 1800 C004 The replaced instruction in $02B678
                              3638 0040 Write 40 to D3 (the value of the A button)
                              B679 00FF 0018 Compare D3 with FF0018
                              6702 Branch if Equal to the cheat routine
                              4E75 RTS
                              2178 2328 FFED Set HP to 9000
                              2178 2328 FFEF Set MP to 9000
                              2178 2328 FFF1 Set Max HP to 9000
                              2178 2328 FFF3 Set Max MP to 9000
                              4E75 RTS
                              I'm very happy ñ___ñ. This game was a very hard one. This would never have been possible without your help and advice. You have 99 % of the credit!!!
                              Thank you very much.
                              Whipon.
