Lernin teh Assemblies

[Deleted]

Last night, Sakura was helping me get set up for assembly modding on Skype. She got me hooked up with with nice tool called Renegade and a python script she wrote that converts the output to a Nemu ini file
Unfortunately....didn't get far really...she was trying to set me up with OoT dbg and I was using 1.0 ( U) lol.

Anyway, while I was waiting for her to get on today, I figured it out on my own! The steps I took were this:

• I set a breakpoint on the BEQ instruction
  
• I made a list of all the addresses BEQ $R0, $R0, XXXX appeared (because $R0 is always 0, so this is an unconditional jump)
  
• I took the most commonly appearing instruction on the list; which was 'beq $r0, $r0, 0x80003BCC' and disassembled the memory at that address.

LW RA, 0x0014 (SP)
ADDIU SP, SP, 0x0018
JR RA
NOP
NOP


• I decided to place my hook here, and place my stub in some empty ram at 0x80170000. I set my hook up as

.org 0x80003BCC
j 0x80170000
nop

• Next, I wrote the code for my stub, and added the code that used to be were my hook was to the end of it

.org 0x80170000
_start:
  lui $k0, 0x8011
  ori $k0, $k0, 0xA5FE
  lwi $k1, 0x0140
  sh $k1, 0 ($k0)

  lw $ra, 0x0014 ($sp)
  addiu $sp, $sp, 0x0018
  jr $ra
  nop


• Then I assembled it to a gameshark code

81003BCC 0805
81003BCE C000
81003BD0 2400
81170000 3C1A
81170002 8011
81170004 375A
81170006 A5FE
81170008 3C1B
8117000A 0000
8117000C 377B
8117000E 0140
81170010 A75B
81170012 0000
81170014 8FBF
81170016 0014
81170018 27BD
8117001A 0018
8117001C 03E0
8117001E 0008
81170020 2400
81170024 2400

• Set a breakpoint on 0x80003BCC (where my hook was)

and voila! Link had max health ^_^

[Deleted]

experiment #1: Finding the DMA Transfer Function

I asked both sakura and DeathBasket if they knew where the function was the transferred files from rom to ram. They both said they didn't know exactly since they don't work with 1.0 ( U), but DB pointed out that I could try setting a breakpoint on a file and see what happens.

So, I did a search for address of one of the textures in one of link's display lists to figure out where he was at in ram; then I set a breakpoint on that address and reset the game. It instantly popped up a breakpoint at 0x80002ECC. I was pretty sure this is what I was looking for since there where 7+1 'sw' instructions back to back right where the breakpoint was (separated by a bne looping it); meaning it was storing something in 32-byte blocks (sw = store word; word = 4 byte; 4*8=32) I backed up until I found the start of the function at 0x80002E80.

DeathBasket also pointed out that for the debug rom, the DMA transfer function was at 0x80000BFC; the arguments were a0, a1, and a2 with the c definition being
void DMARomToRam(u32 rom_addr, u32 ram_addr, int siz);

[Jason777]

Nice to see you getting into assembly! You can shorten the max health code a little bit...

Hook:

.org 0x80003BD4
j 0x80170000


Routine:

.org 0x80170000
_start:
addiu $k1, r0, 0x0140
lui $k0, 0x8011
sh $k1, 0xA5FE ($k0)
jr $ra


[Deleted]

thanks

I've had prior experience in other assembly languages, so its not too hard for me to understand; though mips does have it's quirks which I'm struggling to get used to...

Anyway, I just located the segment table and what I believe is a memory pool for file allocation a minute ago.

• 0x80120C38 - segment table
  
• 0x8011DC44 - possible memory pool? (not the actual start)

I managed to find them by

• Searching for value in ram that's link's hierarchy
  
• Subtracting it's offset in the zobj to figure out the location of link's zobj in ram
  
• Setting a breakpoint on link's hierarchy
  
• Going to a different scene (which caused the breakpoint to occur)
  
• Searching for link's ram address - 0x80000000 in ram

Btw, I've been going into detail about how I find the stuff I'm getting because I'm hoping this thread might help other people who want to learn how to mod Zelda games which aren't very well documented. The rom I've been working with thus far is the 1.0 ( U) rom

EDIT:

also, forgot to mention I figured out how to check controller input yesterday.$801C84B4 control pad %{abzstgfh 00qwikjl} HALFWORD
  a = a button b = b button
  z = z trigger s = start button
  q = l trigger w = r trigger
  t = d-up button g = d-down button
  f = d-left button h = d-right button
  i = c-up button k = c-down button
  j = c-left button l = c-right button
$801C84B6 analog stick x-axis BYTE
$801C84B7 analog stick y-axis BYTE
To figure this out, I:

• Converted the first line of the gameshark code for 'press L to fly' (which is a D0 conditional instruction) to a ram address
  
• Pretty much just kept pressing keys and observing the changes in memory until I knew where everything was

[Jason777]

Nice thinking Once you start getting into this area of hacking, you start wishing that you had kept a document of every single GS code you've ever laid eyes on.