Friday, January 25, 2013

Your first GBA ASM hack!

Greetings! Today I will teach you how to find what you are looking for with a debugger, how to change it, and then what else you can do with it!

You will need the no$gba debugger, or another GBA emulator with a good debugger. Grab a Metroid Fusion ROM (rip your own, preferably) and get a hex editor. I heard HxD is good.

We are going to find out how to get rid of Samus freezing her butt off in NOC with no Varia suit.
So, grab your emulator, load Fusion and head to ARC.

We'll need to know Samus's current health, so load up Datacrystal.org, go to Fusion and then RAM Map. This gives us the address 3001310. Head to the room before it gets icy.

In no$gba (or whatever debugger you have) set a breakpoint that fires when Samus's health gets a write (that is, whenever something changes it): hit Ctrl+B on your keyboard and enter [3001310]! (or the equivalent in your debugger).
Continue playing until the emulator stops.

Woo! It hit.

You'll see something like this:

080063CE LDRH    R0, [R2]
080063D0 SUBS    R0, #1
080063D2 STRH    R0, [R2]
080063D4 LDRH    R0, [R2] <---You'll break here

What do these lines mean?

You'll basically encounter 3 variable types when hacking: Byte, Short and Long.

1 byte for a byte, 2 bytes for a short and 4 bytes for a long.
A Byte can hold 0-255.
A Short can hold 0-65535 (0xFFFF).
And a Long can hold 0-4294967295 (0xFFFFFFFF).
Wow that's a lot!



So what does the following mean?!

080063CE LDRH    R0, [R2]
080063D0 SUBS    R0, #1
080063D2 STRH    R0, [R2]
080063D4 LDRH    R0, [R2]




LDRH means Load Register Halfword, or "load a short".

What it does is read 2 bytes from whatever address is in register R2 and put them into R0.

STRH is the same, except it stores: it writes the 2 bytes in R0 to the address in R2.

And of course SUBS R0, #1 subtracts 1 from R0 (the S means it also updates the flags).

In this tutorial we'll do 3 different things.

Delete the breakpoint, and write down the offset 080063D0, which holds the SUBS instruction.


Make a save state and let's do some hacking


In your debugger, go to 080063D0, type nop in, and it will appear in the debugger.
Now go to the frozen zone and bamf! No more damage.

Reload the ROM, open your savestate and go to that address again. This time type in ADD R0, 3


Then watch Samus gain health quickly.




Now, let's change it back (restore the original SUBS R0, #1) and look at the two bytes to the right of the subs r0, #1 instruction:
3801

Now if you go to the data viewer (at least in no$gba) and go to that address it'll look like

01 38

AND THAT IS A'OKAY. The GBA is little-endian, so the low byte of the instruction comes first in memory.

Now change the instruction to nop: the two bytes next to nop will be 46C0, and again if you look in the data viewer it will be c0 46!


Now, that's cool, but these results aren't saved to our ROM.

Open up the ROM in your hex editor!

Let's have a quick lesson about GBA addressing.

It's super simple.

The address 0x080063D0 we're playing with will be at 0x63D0 in your hex editor.
Just subtract 0x08000000 to convert (or add it, in the case of pointers).
So now go to 0x63D0, type c0 46 at that offset, save, then test! No more damage in ARC! :)
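The encoding and addressing steps above (SUBS R0, #1 being 3801, nop being 46C0, the bytes appearing swapped in the data viewer, and subtracting 0x08000000 to get the file offset) can all be done in code. The script below is an added example, not part of the original post: it encodes and decodes the few Thumb instruction forms seen in the listing, converts between GBA addresses and ROM file offsets, and applies the nop patch only after confirming the expected original bytes are at that offset. The ROM it patches is a constructed stand-in (a buffer of zeros with the four listed instructions placed at 0x080063CE), so it runs without a real cartridge image.

```python
import struct

# From the post: GBA cartridge ROM is mapped at 0x08000000, so
# ROM file offset = GBA address - 0x08000000 (and the reverse for pointers).
ROM_BASE = 0x08000000
ROM_MAX = 0x02000000  # 32 MiB cartridge window

# Thumb encodings. 0x46C0 (MOV R8, R8) is the nop the post sees no$gba write.
THUMB_NOP = 0x46C0
_IMM8_OPS = {"MOV": 0, "CMP": 1, "ADD": 2, "SUB": 3}   # Thumb format 3
_IMM8_NAMES = ["MOVS", "CMP", "ADDS", "SUBS"]


def encode_imm8(mnemonic, rd, imm):
    """Encode 'MOV/CMP/ADD/SUB Rd, #imm8' as a 16-bit Thumb word."""
    if rd not in range(8) or imm not in range(256):
        raise ValueError("format 3 takes a low register (R0-R7) and an 8-bit immediate")
    return 0x2000 | (_IMM8_OPS[mnemonic.upper()] << 11) | (rd << 8) | imm


def encode_halfword_mem(load, rd, rb, offset=0):
    """Encode 'LDRH/STRH Rd, [Rb, #offset]' (Thumb format 10); offset is even and below 64."""
    if rd not in range(8) or rb not in range(8) or offset % 2 or offset not in range(64):
        raise ValueError("low registers and a 5-bit halfword offset only")
    return 0x8000 | (int(load) << 11) | ((offset >> 1) << 6) | (rb << 3) | rd


def decode(word):
    """Decode the handful of Thumb forms that appear in the post's disassembly."""
    if word == THUMB_NOP:
        return "NOP"
    if word >> 13 == 0b001:                       # format 3: op Rd, #imm8
        op, rd, imm = (word >> 11) & 3, (word >> 8) & 7, word & 0xFF
        return f"{_IMM8_NAMES[op]} R{rd}, #{imm}"
    if word >> 12 == 0b1000:                      # format 10: LDRH/STRH Rd, [Rb, #off]
        load, off = (word >> 11) & 1, ((word >> 6) & 0x1F) * 2
        rb, rd = (word >> 3) & 7, word & 7
        mem = f"[R{rb}]" if off == 0 else f"[R{rb}, #{off}]"
        return f"{'LDRH' if load else 'STRH'} R{rd}, {mem}"
    return f"<unhandled 0x{word:04X}>"


def gba_to_rom_offset(addr):
    if not ROM_BASE <= addr < ROM_BASE + ROM_MAX:
        raise ValueError(f"0x{addr:08X} is not a cartridge ROM address")
    return addr - ROM_BASE


def rom_offset_to_gba(offset):
    return offset + ROM_BASE


def read_halfword(rom, addr):
    # "<H" = little-endian 16-bit, which is why 3801 shows up as "01 38" in the data viewer
    return struct.unpack_from("<H", rom, gba_to_rom_offset(addr))[0]


def patch_halfword(rom, addr, new_word, expect_word):
    """Overwrite one Thumb instruction, refusing if the ROM does not hold what we expect.
    Returns the word that was there before."""
    old = read_halfword(rom, addr)
    if old != expect_word:
        raise ValueError(f"expected {decode(expect_word)} (0x{expect_word:04X}) at "
                         f"0x{addr:08X}, found 0x{old:04X}: wrong ROM version or offset?")
    struct.pack_into("<H", rom, gba_to_rom_offset(addr), new_word)
    return old


def build_sample_rom():
    """Constructed stand-in for the real ROM: zeros, with the post's four instructions
    at 0x080063CE-0x080063D4 so the patch routine has something to check against."""
    rom = bytearray(0x8000)
    code = [encode_halfword_mem(True, 0, 2),    # 080063CE LDRH R0, [R2]
            encode_imm8("SUB", 0, 1),           # 080063D0 SUBS R0, #1
            encode_halfword_mem(False, 0, 2),   # 080063D2 STRH R0, [R2]
            encode_halfword_mem(True, 0, 2)]    # 080063D4 LDRH R0, [R2]
    struct.pack_into("<4H", rom, gba_to_rom_offset(0x080063CE), *code)
    return rom


def apply_no_damage_patch(rom):
    """The post's hack: replace SUBS R0, #1 at 0x080063D0 with nop. Returns the file offset written."""
    addr = 0x080063D0
    patch_halfword(rom, addr, THUMB_NOP, encode_imm8("SUB", 0, 1))
    return gba_to_rom_offset(addr)


if __name__ == "__main__":
    rom = build_sample_rom()
    for a in range(0x080063CE, 0x080063D6, 2):
        print(f"{a:08X}  {read_halfword(rom, a):04X}  {decode(read_halfword(rom, a))}")
    off = apply_no_damage_patch(rom)
    print(f"patched file offset 0x{off:X}: bytes now {rom[off:off + 2].hex(' ')}")
```

The check in patch_halfword is the scripted version of looking for "01 38" at 0x63D0 before you type over it: if a different ROM revision or a wrong offset puts other bytes there, the patch is refused instead of silently corrupting some unrelated instruction. To use it on a real image, read the file into a bytearray, call apply_no_damage_patch, and write the buffer back out.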

Video included.