Tuesday, January 29, 2013

Romhacking misconceptions

Today I'd like to talk about a few common misconceptions when hacking.

"I can't hex"

Look bro, I don't care who you are, "hex" is not an action. It's a counting system (base 16): 00, 01 ... 0F, 10, and so on.

Just forget the term hex if it bothers you that much, and refer to it as data instead.

If you see 0x, such as in 0x0BADC0DE, the 0x prefix indicates the number is written in hexadecimal.

Now when you pull up a ROM in a hex editor, you'll see this (screenshot in the original post).

The image shows many things, but you're probably confused.

This is called a GBA header. It's of course stored as binary data. But since we know it's a GBA game header, we can just find the header structure on Google and apply the info.

Here's the structure (offset, size in bytes, meaning):

0x000  4    ROM Entry Point (32bit ARM branch opcode, eg. "B rom_start")
0x004  156  Nintendo Logo (compressed bitmap, required!)
0x0A0  12   Game Title (uppercase ascii, max 12 characters)
0x0AC  4    Game Code (uppercase ascii, 4 characters)
0x0B0  2    Maker Code (uppercase ascii, 2 characters)
0x0B2  1    Fixed value (must be 96h, required!)
0x0B3  1    Main unit code (00h for current GBA models)
0x0B4  1    Device type (usually 00h)
0x0B5  7    Reserved Area (should be zero filled)
0x0BC  1    Software version (usually 00h)
0x0BD  1    Complement check (header checksum, required!)
0x0BE  2    Reserved Area (should be zero filled)

So according to this, the first 4 bytes are an assembly instruction telling the GBA where to start the game.
Then comes a compressed image (yes, that's stored in the same hexadecimal data format), then the title, and so on.
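To show that the header really is just data you can read field by field, here's an added example (mine, not from the original post): a Python script that walks the structure above, decodes the entry-point branch, and recomputes the complement check the way GBATEK documents it (subtract every byte from 0xA0 to 0xBC, then subtract 0x19, keep the low byte). The header it parses is constructed inline for the example, not taken from any real ROM.

```python
import struct

# Header layout from the table above: (offset, size, field name)
HEADER_LAYOUT = [
    (0x000, 4,   "entry_point"),
    (0x004, 156, "nintendo_logo"),
    (0x0A0, 12,  "game_title"),
    (0x0AC, 4,   "game_code"),
    (0x0B0, 2,   "maker_code"),
    (0x0B2, 1,   "fixed_value"),
    (0x0B3, 1,   "main_unit_code"),
    (0x0B4, 1,   "device_type"),
    (0x0B5, 7,   "reserved1"),
    (0x0BC, 1,   "software_version"),
    (0x0BD, 1,   "complement_check"),
    (0x0BE, 2,   "reserved2"),
]
HEADER_SIZE = 0xC0


def header_checksum(rom: bytes) -> int:
    """Complement check as GBATEK describes it: subtract every byte from
    0xA0 to 0xBC inclusive, then subtract 0x19, keeping the low 8 bits."""
    chk = 0
    for b in rom[0xA0:0xBD]:
        chk = (chk - b) & 0xFF
    return (chk - 0x19) & 0xFF


def branch_target(opcode: int, pc: int = 0x08000000):
    """Decode an ARM 'B' instruction (always-condition 0xEA in the top byte)
    into the address it jumps to; returns None if the entry is not a plain B."""
    if opcode >> 24 != 0xEA:
        return None
    imm24 = opcode & 0xFFFFFF
    if imm24 & 0x800000:            # sign-extend the 24-bit word offset
        imm24 -= 0x1000000
    return pc + 8 + imm24 * 4       # ARM reads PC 8 bytes ahead of the instruction


def parse_header(rom: bytes) -> dict:
    if len(rom) < HEADER_SIZE:
        raise ValueError("ROM is shorter than the 192-byte header")
    raw = {name: rom[off:off + size] for off, size, name in HEADER_LAYOUT}
    entry = struct.unpack("<I", raw["entry_point"])[0]
    return {
        "entry_point": entry,
        "entry_target": branch_target(entry),
        "game_title": raw["game_title"].rstrip(b"\x00").decode("ascii", "replace"),
        "game_code": raw["game_code"].decode("ascii", "replace"),
        "maker_code": raw["maker_code"].decode("ascii", "replace"),
        "fixed_value_ok": raw["fixed_value"][0] == 0x96,
        "software_version": raw["software_version"][0],
        "complement_check": raw["complement_check"][0],
        "checksum_ok": raw["complement_check"][0] == header_checksum(rom),
        "reserved_zero": not any(raw["reserved1"] + raw["reserved2"]),
    }


def build_sample_header() -> bytes:
    """Constructed 192-byte header for this example; not taken from any real ROM."""
    h = bytearray(HEADER_SIZE)
    struct.pack_into("<I", h, 0x000, 0xEA00002E)   # B 0x080000C0: jump past the header
    h[0x004:0x0A0] = bytes(range(156))              # stand-in bytes where the logo bitmap goes
    h[0x0A0:0x0AC] = b"EXAMPLE".ljust(12, b"\x00")  # made-up title, code and maker
    h[0x0AC:0x0B0] = b"AXXE"
    h[0x0B0:0x0B2] = b"01"
    h[0x0B2] = 0x96
    h[0x0BD] = header_checksum(h)
    return bytes(h)


if __name__ == "__main__":
    for key, value in parse_header(build_sample_header()).items():
        shown = f"{value:#x}" if isinstance(value, int) and not isinstance(value, bool) else value
        print(f"{key:18} {shown}")
```

Run it against the first 192 bytes of a real ROM and checksum_ok tells you straight away whether the header was edited without fixing the complement check, which is the first thing to verify when a patched ROM refuses to boot.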

Data is nothing to be scared of. The editors you use, and the game itself, rely on the data.

Let's move on to pointers.

They're scary for a lot of newbies. I didn't quite get them when I first started, but now I rely on them.

It's super simple.

A ROM pointer is just the file offset + 0x8000000, and it's stored backwards (lowest byte first) in the ROM.

So the pointer 0x08123456 would be stored in the ROM as the bytes 56 34 12 08.

Code uses the pointer to get the address of the data.
Just add 0x8000000 to a file offset to get its ROM pointer. Simple, no?
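As an added example (not from the original post), here's Python that does the pointer conversions both ways, reads a "backwards" pointer out of a ROM image and follows it to the data, and refuses values that are not ROM pointers at all (a RAM address like 0x03001310 looks similar but can't be converted to a file offset). The little ROM it works on is constructed inline for the example.

```python
import struct

ROM_BASE = 0x08000000
ROM_LIMIT = 0x0A000000  # 32 MiB of cartridge address space; nothing past this is ROM


def pointer_to_offset(ptr: int) -> int:
    """0x08123456 -> 0x123456; refuses values that are not ROM pointers (e.g. RAM)."""
    if not ROM_BASE <= ptr < ROM_LIMIT:
        raise ValueError(f"0x{ptr:08X} is not a ROM pointer")
    return ptr - ROM_BASE


def offset_to_pointer(offset: int) -> int:
    """File offset -> the 0x08xxxxxx value the game code would use."""
    return ROM_BASE + offset


def encode_pointer(ptr: int) -> bytes:
    """The four bytes as they sit in the ROM: lowest byte first."""
    return struct.pack("<I", ptr)


def read_pointer(rom: bytes, offset: int) -> int:
    """Read the 'backwards' 4 bytes at offset and give back the 0x08xxxxxx value."""
    return struct.unpack_from("<I", rom, offset)[0]


def follow_pointer(rom: bytes, offset: int, length: int) -> bytes:
    """Read a pointer stored at offset, then return `length` bytes of what it points to."""
    ptr = read_pointer(rom, offset)
    target = pointer_to_offset(ptr)
    if target + length > len(rom):
        raise ValueError(f"pointer 0x{ptr:08X} points past the end of this ROM")
    return rom[target:target + length]


def build_sample_rom() -> bytes:
    """Constructed 1 KiB 'ROM' for this example: a pointer at 0x100 to a string at 0x200,
    and a RAM address at 0x104 to show what a non-ROM pointer looks like."""
    rom = bytearray(0x400)
    rom[0x200:0x205] = b"HELLO"
    rom[0x100:0x104] = encode_pointer(offset_to_pointer(0x200))
    rom[0x104:0x108] = encode_pointer(0x03001310)
    return bytes(rom)


if __name__ == "__main__":
    rom = build_sample_rom()
    print(rom[0x100:0x104].hex(" "))        # 00 02 00 08
    print(follow_pointer(rom, 0x100, 5))    # b'HELLO'
```

The range check in pointer_to_offset is worth keeping in any tool you write: a pointer table that has been read from the wrong offset will usually produce values outside 0x08000000-0x09FFFFFF, and failing loudly there beats silently reading garbage.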

Assembly is just a way of seeing the data as something somewhat readable:

nop instead of 0x46C0.

It's not hard, it just needs to be learned.

If you have any questions, leave a comment. I'll get back to you.

Sunday, January 27, 2013

Thumb Decompiler update

Hey guys!

So the progress of the Thumb Decompiler plugin is going great. I'll be releasing the update for it soon. Source included, of course, as with the original Thumb decompiler.

Here's a screenie!

I need to get the decompiled code to redirect to a new tab, get stack variables going. And some other stuff. But hopefully soon!

Friday, January 25, 2013

Your first GBA ASM hack!

Greetings! Today I will teach you how to find what you need using a debugger, then how to change it, then what else you can do!

You will need the no$gba debugger, or a sufficient GBA emulator with a good debugger. Grab a Metroid Fusion ROM (rip your own, preferably) and get a hex editor. I heard HxD is good.

We are going to find out how to get rid of Samus freezing her butt off in NOC with no Varia suit.
So, grab your emulator, load Fusion and head to ARC.

We'll need to know the current health Samus has. Load up Datacrystal.org, go to Fusion, then RAM Map. This gives us the address 3001310. Head to the room before it gets icy.

In no$gba (or whatever debugger you have) set a breakpoint for when Samus's health gets a write (that means when something changes it): hit ctrl+b on your keyboard!
Now enter [3001310]!! (or the equivalent in your debugger)
Continue playing until the emulator stops.

Woo! It hit.

You'll see something like this:

080063CE LDRH    R0, [R2]
080063D0 SUBS    R0, #1
080063D2 STRH    R0, [R2]
080063D4 LDRH    R0, [R2] <---You'll break here

What do these lines mean?

You'll basically encounter 3 variable types when hacking:

Byte, Short, Long
1 byte for a byte, 2 bytes for a short and 4 bytes for a long
A byte can hold 0-255 (0xFF)
A short can hold 0-65535 (0xFFFF)
And a long can hold 0-4294967295 (0xFFFFFFFF)
Wow, that's a lot!

So what does the following mean?!

080063CE LDRH    R0, [R2]
080063D0 SUBS    R0, #1
080063D2 STRH    R0, [R2]
080063D4 LDRH    R0, [R2]

LDRH means Load Register Halfword,

or load a short.

What it does is read 2 bytes from whatever address is in register R2 and put them into R0.

STRH is the same, except it stores: it writes the low 2 bytes of R0 to the address in R2.

And of course SUBS R0, #1 subtracts 1 from R0.
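To make the four lines concrete, here's an added example (mine, not from the original post): a tiny Python "CPU" that understands just LDRH, STRH, SUBS, ADD and NOP, runs the sequence above against a fake 2-byte health value, and then runs the two patched versions the tutorial tries next (SUBS replaced with nop, and with ADD R0, 3). The address 0x03001310 is the RAM-map address from the post; the CPU model (R0-R7, a byte-addressed memory dict, only N and Z flags) is a deliberate simplification for the example, not a real emulator.

```python
HEALTH_ADDR = 0x03001310   # Samus's current health in RAM (RAM-map address from the post)

# The four lines from the debugger, as (mnemonic, destination register, operand)
ORIGINAL = [
    ("LDRH", 0, 2),   # R0 = halfword at [R2]
    ("SUBS", 0, 1),   # R0 = R0 - 1
    ("STRH", 0, 2),   # halfword at [R2] = R0  (this is the write the breakpoint catches)
    ("LDRH", 0, 2),   # read it back
]
NOP_PATCH = [ORIGINAL[0], ("NOP", 0, 0), ORIGINAL[2], ORIGINAL[3]]   # SUBS -> nop
HEAL_PATCH = [ORIGINAL[0], ("ADD", 0, 3), ORIGINAL[2], ORIGINAL[3]]  # SUBS -> ADD R0, 3


class TinyThumb:
    """Just enough of a Thumb CPU to run the instructions above (simplified model)."""

    def __init__(self, memory: dict):
        self.r = [0] * 8           # R0-R7, each 32 bits wide
        self.mem = memory          # address -> byte
        self.flags = {"N": False, "Z": False}

    def ldrh(self, rd, rn):
        a = self.r[rn]
        self.r[rd] = self.mem.get(a, 0) | (self.mem.get(a + 1, 0) << 8)

    def strh(self, rd, rn):
        a = self.r[rn]
        self.mem[a] = self.r[rd] & 0xFF            # only the low 16 bits are stored
        self.mem[a + 1] = (self.r[rd] >> 8) & 0xFF

    def alu_imm(self, rd, imm, sign):
        self.r[rd] = (self.r[rd] + sign * imm) & 0xFFFFFFFF   # 32-bit wrap-around
        self.flags["Z"] = self.r[rd] == 0
        self.flags["N"] = bool(self.r[rd] >> 31)

    def run(self, program):
        for mnemonic, rd, operand in program:
            if mnemonic == "LDRH":
                self.ldrh(rd, operand)
            elif mnemonic == "STRH":
                self.strh(rd, operand)
            elif mnemonic == "SUBS":
                self.alu_imm(rd, operand, -1)
            elif mnemonic == "ADD":
                self.alu_imm(rd, operand, +1)
            elif mnemonic == "NOP":
                pass
            else:
                raise ValueError(f"unsupported instruction {mnemonic}")


def run_damage_tick(program, health: int) -> int:
    """Put `health` at HEALTH_ADDR, point R2 at it, run the program, return the new halfword."""
    mem = {HEALTH_ADDR: health & 0xFF, HEALTH_ADDR + 1: (health >> 8) & 0xFF}
    cpu = TinyThumb(mem)
    cpu.r[2] = HEALTH_ADDR     # the game already set R2 up before the code we broke on
    cpu.run(program)
    return mem[HEALTH_ADDR] | (mem[HEALTH_ADDR + 1] << 8)


if __name__ == "__main__":
    print("original:", run_damage_tick(ORIGINAL, 99))    # 98
    print("nop:     ", run_damage_tick(NOP_PATCH, 99))   # 99
    print("add 3:   ", run_damage_tick(HEAL_PATCH, 99))  # 102
    print("underflow:", hex(run_damage_tick(ORIGINAL, 0)))  # 0xffff
```

The last line is the edge case worth noticing: with no check before the SUBS, a health of 0 becomes 0xFFFFFFFF in R0 and STRH stores 0xFFFF, so a short "underflows" to 65535. The real game has other code deciding when you die, but it shows why the halfword size from the table above matters when you read or patch these values.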

In this tutorial we'll do 3 different things.

Delete the breakpoint, and write down the offset 080063D0, which has the SUBS instruction.

Make a save state and let's do some hacking

In your debugger, go to that address (080063D0), type nop in, and it will appear in the debugger.
Now go to the frozen zone and bamf! No more damage.

Reload the ROM and open your savestate, go to that address again and type in ADD R0, 3.

Then watch Samus gain health quickly.

Now, let's change it back, and look at the two bytes to the right of the SUBS R0, #1 instruction.

Now if you go to the data viewer (at least in no$gba) and go to that address, it'll look like

01 38

Now change the instruction to nop; the two bytes next to nop will be 46C0, and again if you look in the data viewer it will be c0 46! The data viewer shows the instruction byte by byte, lowest byte first, which is the same "stored backwards" rule as pointers.

Now, that's cool, but these results aren't saved to our ROM.

Open up the ROM in your hex editor!

Let's have a quick lesson about GBA Addressing.

It's super simple.

The address 0x080063D0 we're playing with will be at 0x63D0 in your hex editor.
Just subtract 0x8000000 to convert (or add, in the case of pointers).
So now go to 0x63D0, type c0 46 at the offset, save, then test! No more damage in ARC! :)
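Here's the whole patch step as an added Python example (mine, not from the original post): it encodes SUBS R0, #1 / ADD R0, #3 / nop into their Thumb halfwords (3801, 3003, 46C0), converts the 0x080063D0 address into the file offset 0x63D0, and only overwrites the two bytes if the bytes already there are the ones we expect. That last check is the one you want before writing to a real file: it catches a different ROM version or a mistyped offset before you corrupt anything. The ROM it patches is a constructed stand-in (empty apart from the SUBS at 0x63D0), not a real game image.

```python
THUMB_NOP = 0x46C0          # MOV R8, R8: the "nop" the debugger shows as 46C0
ROM_BASE = 0x08000000
ROM_SIZE_LIMIT = 0x02000000  # 32 MiB, the most a GBA cart can map


def thumb_imm8(op: str, rd: int, imm: int) -> int:
    """Encode Thumb 'format 3' instructions: MOV/CMP/ADD/SUB Rd, #imm8 (R0-R7 only)."""
    ops = {"MOV": 0, "CMP": 1, "ADD": 2, "SUB": 3}
    if not 0 <= rd <= 7 or not 0 <= imm <= 0xFF:
        raise ValueError("rd must be R0-R7 and imm 0-255")
    return 0x2000 | (ops[op] << 11) | (rd << 8) | imm


def halfword_bytes(hw: int) -> bytes:
    """How a 16-bit instruction appears in the file / data viewer: low byte first."""
    return bytes([hw & 0xFF, (hw >> 8) & 0xFF])


def rom_addr_to_offset(addr: int) -> int:
    """0x080063D0 -> 0x63D0 (subtract 0x8000000), refusing non-ROM addresses."""
    if not ROM_BASE <= addr < ROM_BASE + ROM_SIZE_LIMIT:
        raise ValueError(f"0x{addr:08X} is not inside ROM")
    return addr - ROM_BASE


def patch_instruction(rom: bytearray, addr: int, expected: int, new: int) -> int:
    """Overwrite the halfword at addr, but only if the bytes there are what we expect.
    Returns the file offset that was written."""
    off = rom_addr_to_offset(addr)
    if off + 2 > len(rom):
        raise ValueError(f"offset 0x{off:X} is past the end of the file")
    found = bytes(rom[off:off + 2])
    want = halfword_bytes(expected)
    if found != want:
        raise ValueError(f"at 0x{off:X} found {found.hex(' ')}, expected {want.hex(' ')}")
    rom[off:off + 2] = halfword_bytes(new)
    return off


def build_sample_rom() -> bytearray:
    """Constructed stand-in ROM for the example: zeros except SUBS R0,#1 at 0x63D0."""
    rom = bytearray(0x7000)
    rom[0x63D0:0x63D2] = halfword_bytes(thumb_imm8("SUB", 0, 1))
    return rom


def apply_no_damage_patch(rom: bytearray) -> int:
    """The tutorial's patch: SUBS R0,#1 at 0x080063D0 becomes nop."""
    return patch_instruction(rom, 0x080063D0, thumb_imm8("SUB", 0, 1), THUMB_NOP)


if __name__ == "__main__":
    rom = build_sample_rom()
    print("before:", rom[0x63D0:0x63D2].hex(" "))   # 01 38
    apply_no_damage_patch(rom)
    print("after: ", rom[0x63D0:0x63D2].hex(" "))   # c0 46
    # To do this to a real file you would read it into a bytearray, call
    # apply_no_damage_patch, and write the result to a *copy* of the ROM.
```

Note that patch_instruction fails rather than patching if the expected 01 38 is not at the offset. Running it a second time on an already patched copy therefore raises, which is exactly what you want from a patch tool.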

Video included.

IDA Pro is best

Several weeks ago I found a plugin called Thumb decompiler; it does as it says. However, it's around 6 or 7 years old and hasn't been updated. I grabbed the source and began modifying it; so far I only managed to fix one bug. But the plugin's code is genius. It's made by a person named Ludde. Genius, simply genius. I'm adding to the plugin, currently working on getting the decompiled code into its own subview. I just figured out how to create subviews, so it should be a piece of cake from there. Here's a picture!
I will release the plugin on this blog once I have substantial work put into it, such as getting stack vars going and such.

Messing around with SA-X

Just a couple videos of me messing with SA-X

Just a funny few

Thursday, January 17, 2013

Metroid Fusion's debug menu and Zero Mission's forced lack of one


I have a vast love for the Metroid series. It was the one I played with my parents when I was a toddler and such. I sadly only own Zero Mission and Fusion.

A friend of mine had told me of debug event text in Metroid Fusion. I have started a hack of Fusion to expand on it and I wanted this info for my ROM map. So he gives it to me, then I find what looks like a DrawText function near it and knew I was on to something. Fast forward 15 hours later, we had a fully working Metroid Fusion debug menu. That NO ONE knew about outside of Nintendo for 11 years!

It's extremely powerful. I love Nintendo so hard.

So here is a video of it!

And so I also delved in the ZM rom for a bit.

While I didn't find anything new, I did look at Trunaur86's old menu hack for the on/off button.

When looking at the code, I discovered they intentionally removed access to it.

There's a register, R6, which basically holds the on/off switch value. The code sets it to 0 and does checks to make sure it's 0, whereas if it's non-zero you get the on/off switch!

Sunday, January 6, 2013

New projects


I'm currently undertaking many projects, and so I'll be posting here about how I'm doing them, or tutorials to get others started.

So, that's it for this one. I'll probably begin another one today.