Make a trace dump with BGB

  • Make a trace dump with BGB

    Is it possible to dump a trace with the BGB Game Boy emulator?
    I couldn't find any option to dump a trace with it, just the "animate" option, but it's real-time tracing and doesn't dump anything.
    Thanks in advance.
    Whipon.

  • #2
    If you need trace-logging capabilities, you'll need to switch to VBA with tracing support.

    Program:
    http://www.romhacking.net/utils/340/

    Info:
    http://www.gshi.org/wiki/index.php/A...ameboy_Advance

    I've effectively used tracing with VBA when BGB wouldn't work with a game, but I still do 99% of my tasks with BGB. If you're serious about finding some code, you can even use tracing to find info for the BGB debugger, though that's usually not the easiest way to find something.
    This reality is mine. Go hallucinate your own.



    • #3
      Thank you very much

      Thanks a lot, Ugetab.
      I'm a bit confused with the Z80 asm.

      I want to use the PAR genie method. So I need to change part of the code constantly executed to make it jump to an empty location of the rom, poking some ram addresses, then the replaced instruction and then a JSR or a JMP.
      I read some documents at Zophar.net, but I couldn't figure out an easy way to implement the PAR Genie method.
      I just need some examples to start to hack :P.

      Thanks again n.n

      Whipon.
      Last edited by Whipon; 02-28-2008, 06:38:37 PM.



      • #4
        Decode some Gameboy GG codes by Galoob, and see how they work.

        You should also grab GBS2GB, which I'll attach. It has some ASM basics you could use in a text file, and should help you get a handle on the assembly if you look at the examples included with it.

        You can also look at GBSPLAY.ASM and see how the instructions work that way as well, as those instructions are in assembler format, rather than Z80 bytecode assembly. I've heavily investigated the inner workings of GBS2GB in the form of bytecode, so when it came time to change the .ASM file, it was straight-forward.
        This reality is mine. Go hallucinate your own.



        • #5
          Thanks Ugetab

          Thank you very much n_n
          I'll take a look at it right now
          C U
          Whipon



          • #6
            Success!! n_______n

            I managed to do it n.n

            4BBA C3 22 2D JP $2D22
            008BBA C3 22 2D => C3 51 2D JP $2D51

            Code:
            2D51:
            3E 40       LD A,$40
            EA F6 CA    LD ($CAF6),A
            3E 09       LD A,$09
            EA F7 CA    LD ($CAF7),A
            3E 01       LD A,$01
            EA E2 CB    LD ($CBE2),A
            EA E3 CB    LD ($CBE3),A
            EA E4 CB    LD ($CBE4),A
            EA E5 CB    LD ($CBE5),A
            EA E6 CB    LD ($CBE6),A
            C3 22 2D    JP $2D22 (The replaced instruction at 4BBA - 008BBA)

            Thank you very much, Ugetab.

            C U.

            Whipon.
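The hook and code cave reported in post #6, rebuilt as an added Python example (not code from the thread). It assumes the hook lives in ROM bank 2, which is what the file offset 008BBA implies for CPU address 4BBA, and that unused ROM space is zero-filled; the ROM image is a constructed blank buffer, not game data.

```python
# Added example: rebuilds the patch from post #6 on a constructed, blank ROM image.
BANK_SIZE = 0x4000  # Game Boy ROM is banked in 16 KiB units


def cpu_to_offset(bank, addr):
    """ROM file offset of a CPU address; 0000-3FFF is always bank 0."""
    if not 0 <= addr < 2 * BANK_SIZE:
        raise ValueError("address is not in ROM space")
    return addr if addr < BANK_SIZE else bank * BANK_SIZE + addr - BANK_SIZE


def ld_a(n):          # LD A,n
    return bytes([0x3E, n])


def ld_mem_a(nn):     # LD (nn),A  (16-bit operand is little-endian)
    return bytes([0xEA, nn & 0xFF, nn >> 8])


def jp(nn):           # JP nn
    return bytes([0xC3, nn & 0xFF, nn >> 8])


def build_cave(replaced_target):
    """The RAM pokes from the post, then the instruction the hook displaced."""
    code = ld_a(0x40) + ld_mem_a(0xCAF6) + ld_a(0x09) + ld_mem_a(0xCAF7) + ld_a(0x01)
    for ram in range(0xCBE2, 0xCBE7):          # CBE2..CBE6
        code += ld_mem_a(ram)
    return code + jp(replaced_target)


def apply_patch(rom, hook_bank, hook_addr, cave_addr, expected):
    """Redirect a 3-byte JP to the cave after checking both locations."""
    hook = cpu_to_offset(hook_bank, hook_addr)
    if bytes(rom[hook:hook + 3]) != expected:
        raise ValueError("hook bytes differ from the expected instruction")
    if cave_addr >= BANK_SIZE:
        raise ValueError("this sketch only places caves in fixed bank 0")
    cave = build_cave(int.from_bytes(expected[1:], "little"))
    if any(rom[cave_addr:cave_addr + len(cave)]):
        raise ValueError("cave region is not empty (assumed zero-filled)")
    rom[cave_addr:cave_addr + len(cave)] = cave
    rom[hook:hook + 3] = jp(cave_addr)
    return hook, cave


def demo():
    rom = bytearray(0x10000)                   # constructed: 4 empty banks
    rom[0x8BBA:0x8BBD] = jp(0x2D22)            # the original instruction at 2:4BBA
    hook, cave = apply_patch(rom, 2, 0x4BBA, 0x2D51, jp(0x2D22))
    return rom, hook, cave
```

Because 2D51 is below 4000 it sits in the fixed bank, so the jump from the banked hook reaches the cave whichever bank is mapped in.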



            • #7
              A new problem u_u

              I couldn't find a way to make a compare.
              I want to have infinite weapons.
              So, the weapon in use is stored at $CBBA.
              The part of the code that subtracts the weapon is:
              Code:
              [008547] 4547 0A     LD A,(BC)
              [008548] 4548 03     INC BC
              [008549] 4549 77     LD (HL),A

              If I change 4549 to, for example, a NOP, the game freezes when I enter a door. It seems this part of the code is not only used to subtract your weapons.
              So I thought to make a JMP and compare HL with CBBA. If it's true, do nothing, and if it's not true, then make the LD (HL),A.
              But I couldn't figure out how to do the compare, because these opcodes are a bit difficult to understand.
              Is it possible to make that compare?
              I also discovered that your actual weapon value is stored in $CB1B, and this address is not changed until you select another weapon.
              Thanks in advance.
              Whipon.
              Last edited by Whipon; 03-02-2008, 10:29:27 PM.



              • #8
                Many ways you could do this...

                You can make a jump at 4547 to code similar to this (don't know if it works as game doesn't work with the GB emulator I'm using) :

                Code:
                3E XX         ld   a,$XX
                EA BA CB      ld   ($CBBA),a
                0A            ld   a,(bc)
                03            inc  bc    
                77            ld   (hl),a
                C9            ret

                Alternatively try to change the reads. Looking at the code for the 'mystery' game there's reads at 5875, 58A2, 4F13 and 4F45.
                Last edited by Pugsy; 03-03-2008, 12:58:26 PM. Reason: typo
                Pugsy's MAME Cheat Page : http://mamecheat.co.uk



                • #9
                  Thanks Pugsy

                  Thank you very much, Pugsy
                  Sorry, I thought I had posted the name of the game :lol:
                  The game is Batman Beyond - Return of the Joker (U) [C][!] for the Game Boy Color.
                  I can't just load a specific value, for example:

                  Code:
                  3E 02         ld   a,$02
                  EA BA CB      ld   ($CBBA),a

                  $02 is the Discuss (Batarang).
                  So if I'm using the Staff ($05), when I lose it I'll have the Discuss.
                  Is there a way to load the value of $CB1B to $CBBA? Every time you change your weapon, the value of that weapon is stored in both addresses. The value at $CB1B never changes, unless you change your weapon.
                  Thanks again.

                  Whipon.
                  Last edited by Whipon; 03-03-2008, 08:02:22 PM.



                  • #10
                    I've investigated this system rather a lot to be able to make a code for it.

                    The first thing to note is that there's a weapon select menu. Just press the select button, and it comes up.

                    Selection menus are generally harder to hack than inf. weapon codes, but this is a case where it was better to go after the menu. The decrementing routine for the weapons is dependent on the selection in that menu.

                    CBE1-CBE6 are the amounts remaining for the different weapons. I didn't consider there to be multiple weapon values before, so any work I did on it before that doesn't make much difference.

                    My attempts to make weapons infinite started with trying to make gained weapons infinite. To that end, knowing the range used for weapon values, I determined that the 'punch' weapon was at CBE1, and that it has the value 0A in it. Using this value for the other slots gave them real infinite amounts, and made them all selectable. I also knew, from previous tests, that using a weapon that had a value of 0 for the amount made it go below 0, to 255. This is helpful, because all weapons start off at 0, and if 0 is a usable value, you can just leave it 0.

                    From there, I tried to make it have them all selectable from the menu. There's enough delay between opening the menu and pausing emulation that I could get the menu started, and then put a memory breakpoint on a weapon value (CBE2 in my case). I managed to make a code to make them all look selectable, based on whether or not it was testing for values that were or weren't 0, but that didn't make them selectable. Sometimes the same test is used both for appearance and availability, so it was worth a shot. (57C8?20:18 was that code)

                    The routine that checks for visible availability wasn't worth anything to me, so I temporarily coded out the read in for that by right-clicking the line with the load a,(hl), chose modify data, and since it was 1 byte, used the value "00". This NOPed the line without any need for cheats.

                    With that coded out, the debugger stopped breaking, and let me use the keyboard to try to select the next weapon. Since I was on the 'Punch' option, and I had used CBE2, the next weapon was already going to be checked. When I moved the cursor down, there was a different test for 00 in that location. There's a jump right after the compare, so I nullified the jump by setting the second byte in the jump to 00. I disabled all the breakpoints from the Debug>Breakpoints menu, so I could keep using them later if needed, and tested selecting different weapons. It let me do so, and because I could use them with values of 00, the code can be considered complete.

                    To that end, only 1 code was needed.

                    1:56BC?E6:00

                    which translates to

                    Can Select Any Weapon (Open the menu from inside a stage, and press down to choose a weapon. Select the weapon and use it, and you'll have a weird number of them. Use up about 240 of them, and you'll have true infinite numbers of them, so no matter how many you use, it's infinite)
                    006-BCA-7F1
                    This reality is mine. Go hallucinate your own.
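How the patch 56BC?E6:00 in post #10 corresponds to the Game Genie code 006-BCA-7F1, as an added Python example (not code from the thread). The function names are hypothetical, and the middle digit of the third group is generated as G XOR 8, an assumption that matches the code in the post; decoding ignores that digit.

```python
# Added example: Game Boy Game Genie code <-> address / compare / new value.
def _ror2(b):
    return ((b >> 2) | (b << 6)) & 0xFF


def _rol2(b):
    return ((b << 2) | (b >> 6)) & 0xFF


def decode_gg(code):
    """ABC-DEF[-GHI] -> (address, compare, new_value); compare is None if absent."""
    digits = code.replace("-", "")
    if len(digits) not in (6, 9):
        raise ValueError("expected ABC-DEF or ABC-DEF-GHI")
    n = [int(c, 16) for c in digits]           # raises ValueError on non-hex
    new_value = n[0] << 4 | n[1]               # AB
    address = (n[5] ^ 0xF) << 12 | n[2] << 8 | n[3] << 4 | n[4]   # ~F, C, D, E
    compare = None
    if len(n) == 9:
        compare = _ror2(n[6] << 4 | n[8]) ^ 0xBA   # G and I; H is not used
    return address, compare, new_value


def encode_gg(address, new_value, compare=None):
    """Inverse of decode_gg; H is set to G ^ 8 (assumption, see lead-in)."""
    if not (0 <= address <= 0xFFFF and 0 <= new_value <= 0xFF):
        raise ValueError("address or value out of range")
    d = [new_value >> 4, new_value & 0xF, address >> 8 & 0xF,
         address >> 4 & 0xF, address & 0xF, address >> 12 ^ 0xF]
    if compare is not None:
        raw = _rol2(compare ^ 0xBA)
        d += [raw >> 4, raw >> 4 ^ 8, raw & 0xF]
    s = "".join("%X" % x for x in d)
    return "-".join(s[i:i + 3] for i in range(0, len(s), 3))


def to_patch_string(code):
    """Render a code as ADDR?CMP:NEW; the code itself carries no ROM bank."""
    address, compare, new_value = decode_gg(code)
    if compare is None:
        return "%04X:%02X" % (address, new_value)
    return "%04X?%02X:%02X" % (address, compare, new_value)
```

The compare byte is what keeps the patch from firing in other banks that are mapped at the same address: the replacement is applied only when the original byte read there equals it.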



                    • #11
                      Wow!!! Great n_n

                      1000 thanks, Ugetab. Your post was very very interesting. And I ended up learning a new method n.n
                      I really appreciate the help of both of you.
                      C U next time.
                      Whipon.
