
Important Melee, Hacks, and You -- New Hackers Start Here, in the OP!

DRGN

Technowizard
Moderator
Joined
Aug 20, 2005
Messages
2,178
Location
Sacramento, CA
I'm using GCRebuilder and I'm trying to import a .hps file, but it tells me "File to import is too large". How can I make sure my files are the right size?
Many songs are not the same length as one another, so a different filesize is expected. Use DTW to do the import instead. Where did you read to use GCR?
 
Deleted member

Guest
Many songs are not the same length as one another, so a different filesize is expected. Use DTW to do the import instead. Where did you read to use GCR?
I was told that I could use it a while back and that DTW was for texture files only, but that turned out to not be the case lol. Still, thanks.
 

-Stavo-

Smash Rookie
Joined
Dec 22, 2014
Messages
15
Anyone know which file in the root folder pertains to stadium modes? Multi-Man Melee in particular?
 

Sam'sAwakening

Smash Cadet
Joined
Jan 20, 2016
Messages
52
Is there any way to switch stage models around? Ex. exchange the Jungle Japes model with the Yoshi's Story model. I would like to add custom variants of stages without having to replace the original stage.
 

Punkline

Dr. Frankenstack
Joined
May 15, 2015
Messages
423
Probably, but my understanding is that it's easier to piggyback data. If you'd like to explore the subject, you'd probably find something in the new 'HSD' labeled functions in the latest CSM update.

I'm currently working on something based off of a conversation that DRGN and @Achilles1515 had in the sword trail colors thread, as well as some old notes about a structure that seems to index DAT files starting at static address 804318B8.

I'm not sure but I think I can use it to create a sort of "dat collision" check that compares an existing address to the ranges of loaded DAT files.

I'm trying to see right now if I can develop it into a huge upgrade for the player subaction event system that allows extra event data to be kept in character files, or even costume files to create costume-specific moveset modifications.

Edit - Here's a little graphic (not to scale, of course)



The idea is to stuff a 4-byte string tag : pointer table at the foot of the file, allowing for extra allocations to be easily defined.
 
Last edited:

UnclePunch

Smash Ace
Joined
Nov 9, 2014
Messages
673
Cool stuff!

Not sure if this means anything for Melee, but in Kirby Air Ride, all Kirby textures are stored in RdKirby.dat (it's only loaded in once since it contains all of them). I put multiple versions of this .dat in the file system for alternate colors (à la 20XX). I also dug deep enough to where it checks if the .dat file was loaded in already when setting up each player and wrote a quick code to make it always think it wasn't loaded in, resulting in the game having 4 different RdKirby files in RAM. Surprisingly it worked without any hitches (even on console).

What I'm getting at is it should definitely be possible for the game to index everything correctly if it's told to load it at the right time.
 
Last edited:

tatatat0

Smash Journeyman
Joined
Jan 28, 2015
Messages
412
I was going to find the rest of these offsets but I got lazy.
More Ice Climbers special attributes [tatatat0]:
0x3428-3433: something to do with neutral-B initial vertical velocity on first neutral-B in air and climber spawn displacement
0x344C: aerial side-B both climber initial vertical momentum
0x3448: aerial side-B single climber initial vertical momentum
0x3458: grounded side-B turnaround speed?
 

Phuckyew

Smash Cadet
Joined
Apr 21, 2016
Messages
31
Is it possible to replace Pikachu's thunder with Falco's shine? I've tried both modifying the hex and using Crazy Hand. I can get the shine hitbox to come out, but not on frame one. Additionally, I become frozen in until I'm hit by an opponent or my own attack (which I'm trying to switch out). Any advice?
 

oscat

Smash Journeyman
Joined
Apr 29, 2014
Messages
240
Location
So Cal
NNID
drlnklngmars
3DS FC
0318-9801-6641
IllusoryLabyrinth - maintained by Steelia - A very old repository of ancient texture hacks. Some of these were never brought over to the boards, so you might be able to finally find a costume that has been, up until now, elusive. Direct downloads of costumes there can be found here. You can also see demos of about all of those textures in the "__ Textures [SSBM]" videos here.
Are there any mirrors for these? Stacksmash.kontek.net doesn't seem to have the Melee "STUFFZ" anymore and the site is acting up.
 
Last edited:

Dolla Pills

Smash Ace
Joined
Mar 9, 2015
Messages
894
Location
Connecticut
Is there a way I could edit the codes being added by 20xxte or something along those lines or is that strictly something for people more knowledgeable like Dan Salvato and Achilles?

Edit: for the memory card exploit so that I can use it on a GC
 
Last edited:

aldelaro5

Paper Mario P
Joined
May 20, 2013
Messages
9,724
Location
Canada, Quebec (or Rogeuport if you want)
NNID
aldelaro5
3DS FC
3050-7721-6617
DebugFast Dolphin - compiled by Dan Salvato - This is a special version of Dolphin, useful for reverse-engineering ASM code and functions from RAM. What's found can then be used to create new, advanced codes. In particular, this build allows you to break (pause) the game when specific points in RAM are read or written to. Usefulness level: Invaluable.
Hi, so I found this thread completely by accident (I do not follow the SSBM hacking community in any way) while researching a completely unrelated topic (finding how to extract .dat files), and when I saw this in the OP and realised the thread was still somewhat active, I had to say something about it: it's very outdated.

Basically, I contributed to Dolphin A LOT on the debugger over a span of around 6 months starting from around summer/fall of last year. The reason is exactly what this quote is saying: you needed to build Dolphin yourself in a debug or debugfast config (debug is MUCH slower; debugfast has the debug symbols, but with optimisation on compilation) to have a feature called MemCheck or MC. Basically, you might know this already, but MCs are ESSENTIAL to reverse engineer games, as you can break when the game is reading or writing to an address or region. The other reason I was motivated to contribute is that for a very long time, if you picked the latest version and built it in debugfast, MC would simply not work and it was even prone to crash, so this instability led me to just attempt to fix these and the debugfast problem because it was just annoying.

And I actually did. The following pull request made MC supported in every build, for reasons described in my first comment:

https://github.com/dolphin-emu/dolphin/pull/4203

In fact, I pretty much fixed everything that was unstable with the debugger. No more crashes, I fixed some breakpoints simply not hitting, added some features like seeing different convenient formats for the registers, etc.

If you want to see the full list of my contributions, as most of them are related to the debugger, you can follow this link: https://github.com/dolphin-emu/dolphin/pulls?page=2&q=is:pr+author:aldelaro5+is:closed They are quite documented, so I think they tell everything you need to know.

The point is this: you NO longer need to use debugfast for the purpose the OP is saying, ever. In fact, you could literally get the latest dev revision (don't pick stable 5.0, this was before the changes) and it would just work (just pass it -d when running Dolphin to enable the debug tools).

In fact, you have a lot of reasons to upgrade. I actually improved the performance of Memcheck (now named Memory Breakpoint) by quite a lot; I tested it, and it's a huge difference at least on my end. I also made the log system a bit better, so you can now log your MP without breaking (might be useful to monitor the frequency of function calls, for example).

Oh, and as for why this took so long, FYI, it's really because the debugger is a very specific use case of Dolphin and it's kinda low priority. I just happen to be interested in reverse engineering games and I was disappointed at the quality of the debugger, so I went ahead and fixed it. Do note, it's been a while since I used it, so idk if anything broke since a couple of months ago, but I would try to do something if I notice it doesn't work.

On a side note, idk if you guys know this because this is VERY recent, but are you using a RAM search like Cheat Engine to monitor and edit the RAM of Dolphin? If you do, please consider this note I added in my TASVideos thread with a tutorial on setting up and using CE with Dolphin:

EDIT: as of Dolphin 5.0-3981, it will randomise the start address on every platform (Windows and Linux), so you CANNOT use the recommended method I talk about in this post, but you can use the "Alternative method to get the START address" section to have it work; however, as I say in this section, it is also more annoying to use, so if you cannot endure using it, use AT MOST Dolphin 5.0-5977.
http://tasvideos.org/forum/viewtopic.php?t=17735 <- there is a workaround after this note too that someone pointed out; you can try it, but I haven't tested it.

I am actually working on making a new RAM search for Dolphin (there are a lot of problems with using CE that a lot of people, including me, are annoyed by, but the ASLR issue made me start the project). This is not going to be part of Dolphin btw, it's going to be external like CE, but it could make assumptions on how Dolphin works so it would be much less painful to use.

Sorry for the very lengthy post, but I felt I really needed to keep a thread of interest like this one updated; there's just a lot that happened with Dolphin that you might want to know. While I am here, I am open to any questions you might have on using the Dolphin debugger and/or CE. I am assuming you are using CE because it's literally the only good RAM search that can support big-endian memory, with extensions; not even MHS has that support.
 

DRGN

Technowizard
Moderator
Joined
Aug 20, 2005
Messages
2,178
Location
Sacramento, CA
Thanks for the info!

Punkline (who uses CE)

So the RAM start randomization (is it truly random, or game dependent?) was introduced in build 5.0-3981, and then later removed in 5.0-5977? What was the point of it?

Also, what build was MemCheck first added to main? (I see that your commit was merged on Sept. 10, 2016, but I don't know where that falls on the build timeline.)
 

aldelaro5

Paper Mario P
Joined
May 20, 2013
Messages
9,724
Location
Canada, Quebec (or Rogeuport if you want)
NNID
aldelaro5
3DS FC
3050-7721-6617
Thanks for the info!

Punkline (who uses CE)

So the RAM start randomization (is it truly random, or game dependent?) was introduced in build 5.0-3981, and then later removed in 5.0-5977? What was the point of it?

Also, what build was MemCheck first added to main? (I see that your commit was merged on Sept. 10, 2016, but I don't know where that falls on the build timeline.)
No, the build version numbers are the latest stable release number followed by the number of commits since that stable release, so 5.0-3977 is 4 commits before 5.0-5981, so the randomisation was INTRODUCED in 5.0-3981; the latest dev build that DID NOT have the randomisation was 5.0-3977.

....I just realised, I typoed the version number again, 5.0-5977 doesn't exist, sorry.

So let me be very clear:

Latest dev version BEFORE the randomisation: 5.0-3977
First dev version to have the randomisation: 5.0-3981.

I typoed this the second time lol, sorry about that :)

As for the nature of the randomisation, let me explain.

Newer OSes got a new security feature called ASLR (no, it has nothing to do with the closer-to-mics videos :). Essentially, this feature will randomise the location of executables in the RAM, which helps to protect against a buffer overflow. However, programs that want to support this feature need to be PIE compliant (position independent executable). The program has to be made in such a way that it can be compiled with PIE support, and so it will support ASLR if the OS supports it.

Now, you probably get the idea: Dolphin began to be PIE compliant since Dolphin 5.0-3981. In fact, here's the exact PR:

https://github.com/dolphin-emu/dolphin/pull/5271

As for why, well, Dolphin is an ever-evolving project, so it's nice to have it support it, and as devs, more security is better :)

Now, before I explain HOW it randomises and how it impacts CE, I need to explain something very important: the CE setup you have to use (like one of the methods I describe in the TASVideos thread I linked above) is and has been VERY VERY fragile and only worked because of luck (unless you use the pointer method).

Basically, since you are ONLY searching through the emulated RAM, you want to know where it starts in the emu process; you could then limit the range of the RAM search and only search the GC memory. The thing is, that start address, due to a lot of circumstances put together, got very stable. On Linux, it was literally hardcoded to 0x2580000000 because they couldn't exactly ask to have a mapping (something about error handling being complicated), and it ends with 0x80000000 because it just happens to be the first virtual address of the GC RAM. On Windows, they asked the OS to give them the first available RAM mapping that would be huge enough, so it's not guaranteed to be the same, but in practice and for unknown reasons, it always seemed to be 0x7fff0000. I really do not know why it did this, but I do know some users did not have it stable; it would change a lot.

So, by complete luck, it was possible to use CE WITHOUT using any pointers. The pointer method, btw, is you check the log of Dolphin (I made one available in every build that tells you what the start address is). With this start address, you use CE's pointer scan feature and you find a pointer within Dolphin that points to the start. The problems are, one: it's super fragile; it will not be the same pointer for each version of Dolphin, so if you ever want to change version, you have to recalculate your ENTIRE table..... yikes. Two: it's painful; you have to bind every address you find with that pointer, meaning you have to compute, using a hex calculator, the difference between your address and the current start. I used this method for a year, it's terrible and I was so glad when I found out the new method.

So, about PIE, it is NOT game dependent, it is completely up to your OS and Dolphin, and you cannot possibly predict the address. I tested on my Arch Linux AND on a Windows 10 VM; yeah, it is random, the only thing I noticed in common was it ends with 0000.

But you can know it by checking the log of Mi and Memmap on notice level (pass Dolphin -l or -d). The other way is you can check the patterns in the mapping info of Dolphin's process, like on Linux, you cat the file /proc/[pid]/maps where pid is the current pid of Dolphin.

The point is, CE CANNOT figure out the start on its own without something like a fancy script or the pointer method. This was the last thing I needed to hear before I start my own RAM search, since if I do this, I can make assumptions on how Dolphin works and you wouldn't have to deal with the start address EVER.

If you want more info, I wrote a blog post some time before I started the project about my frustration with using CE and Dolphin; this isn't the most aggravating problem, the most annoying one is actually that you can't track dynamic memory.

https://aldelaro5.wordpress.com/2017/06/19/the-annoyance-when-no-ram-search-works-with-an-emulator/

As for the first build where MemCheck was first supported on every build, it is 5.0-583:

https://dolphin-emu.org/download/dev/a15b3fda6e5c56388989704dfa82f3b029101843/

HOWEVER, I DO NOT RECOMMEND USING THIS BUILD FOR REVERSE ENGINEERING!!!

I did A LOT after this build; I would recommend minimum 5.0-3023, but as I just said, you can go up to 5.0-3977 if you don't want to deal with the pointer method. There are small improvements actually that happened after 3023 that were mostly not mine, but after this build, I considered the debugger to be "stable". So you can go between these 2 versions and you should be fine.

Btw, in case you notice new stuff that might interest you on using the debugger, might as well link the TASVideos thread I made on using the debugger (I don't teach PowerPC, but I link some resources to do so; honestly, I only learned it in 3 days, it's such a simple ASM tbh).

http://tasvideos.org/forum/viewtopic.php?t=18555

I am sorry if the whole thing with versions sounds confusing, but believe me, it's nothing like it was before when I found where the debugger got broken (it's a mess, it got broken somewhere, got semi-fixed, got broken again completely and it stayed this way since somewhere in 4.0).

And as for my RAM search, I am aiming to solve most of the problems CE has. IMO, a RAM search should be convenient and painless to use. I can say that so far, I am programming the watcher and it's going very well; if you are interested, I can post my GitHub repo once I release the first beta version :) (it is going to be open source for sure, MIT license to be exact).
 
Last edited:

Punkline

Dr. Frankenstack
Joined
May 15, 2015
Messages
423
In fact, I pretty much fixed everything that was unstable with the debugger. No more crashes, I fixed some breakpoints simply not hitting, added some features like seeing different convenient formats for the registers etc....
I need to grab this. My MC breakpoints have been screwed up for a while now. Thank you~

I made a post a while back that covered some things I stumbled upon in the cheat engine forums. I don't know if they'll work the same in this new dev version, but I'll check it out later tonight.

I've been using Cheat Engine non-stop since I found this baby, which eliminates most of the memory search issues when used with those custom data types (and the mem_mapped regions checked).

- http://cheatengine.org/temp/emurpm.zip
- http://www.cheatengine.org/forum/viewtopic.php?p=5501811

Step 3 - GALE01 (in A Minor)
Download emurpm.zip (an addon written by Dark Byte) and extract its contents into the autorun folder of your Cheat Engine directory.

This adds an indispensable menu item called “Emulator Memory” to the main menu bar, which allows you to adjust the base memory address used by Cheat Engine when looking at a process. I’ve only recently learned about this, and using CE without it is a sort of hell.

In every case I’ve seen of 64-bit Dolphin 4.0+ the base address for logical cached RAM appears to be represented by 0x7FFF0000 in Cheat Engine. There are other possible ranges that can be used, but I’ve found some of them to be inconsistent and haven’t had any trouble with this location across versions--so I assume it is the start of the logical cached region.

Try these settings if you’re using Dolphin 4.0+


If you’re using an older version of Dolphin, the address we’re looking for doesn’t even appear to be static and must be referenced with a pointer. You might have luck with settings similar to what I use for this old fastlog build, which I often rely on for memory check breakpoints and live browsing of the disassembler. If this doesn’t work, you’ll have to hunt for the appropriate pointer by studying GALE01 locations via scan (or update Dolphin.)


Now, if you choke your scan to a range of 0x80000000 to 0x81800000 from the settings in the main window, you should find the one GALE01 to rule them all when performing the search from the previous step:



Note that you might get some garbage GALE01 locations within this choked range--which are normal--so long as the first result is 0x80000000.
---

this isn't the msot aggravating problem, the most annoying one is actually you can't track dynamic memory.
Can't agree more. I had an old MCM project I zapped back to life recently in order to copy some select pointers (in a little-endian format, to be read by CE) to a space in start.dol in order to navigate through player skeletons and learn more about HSD objects.

I have to say, it'd be incredible to have the ability to navigate pointers in a memory watch somehow using Dolphin... I managed to do some cool things with my DOL mod that allowed it to interface with Cheat Engine by exploiting the dropdown records feature:


By using a data syntax to manipulate the code, I was able to sort of puppet it from the cheats table in Cheat Engine. I could describe some form of navigation syntactically, and then save it as a labeled record in one of cheat engine's saved XML cheat table files.

My project was based on this really cool Lua script started by Yoshifan -- https://github.com/yoshifan/ram-watch-cheat-engine

I can share the old thing if anyone's interested, but it's sloppy and contains some pretty ... adventurous code. I'd have to clean it up, but it should run fine in the latest version of MCM.
@UnclePunch @rmn @DRGN @Achilles1515 @SinsOfApathy

---

I've been seriously digging the graphical memory view feature lately, which lets you assign groups of 4 bytes to an RGBA color that ignores the A channel. It's really great for instantly visualizing the locality of pointer addresses, and their neighbors. There's a setting for dither color as well, lol.

The combination of the advanced scan tools, the feature-rich RAM watch, the animated memory view, and the graphical memory view has made CE+Dolphin really great for scuba diving.
 
Last edited:

aldelaro5

Paper Mario P
Joined
May 20, 2013
Messages
9,724
Location
Canada, Quebec (or Rogeuport if you want)
NNID
aldelaro5
3DS FC
3050-7721-6617
See, it's really nice that you got this dedicated to making CE more usable on Dolphin.

The problem is obviously that it's a RAM search; its purpose is to make memory browsing easier than having to set up a really fancy debugger (which I bet you can if you build Dolphin in debugfast, because you have all the symbols). If this is what it takes to actually use a very basic feature like resolving pointer addresses, then there's just a big problem there.

How I see a RAM search is its RAM watch should really be like one of those from a typical debugger you would see; the only difference is you search to find the addresses instead of knowing them right away because you have the source code.

This highlights why I am actually ready to start a project in C++ from scratch; it became ridiculous at this point. Like, the main problem comes from the fact that these features are used by MANY games, not just SSBM; heck, I personally had problems with TTYD (battle memory only) and Super Mario Sunshine, which seems to store everything of importance in dynamic memory, which just sucks to work with. I mean, it should be easy: you find the pointer (using the Dolphin debugger or memory scan or whatever), you find an important address relative to it (same procedure) and you just add the address saying its address is bound to a pointer and, after resolving it, add a certain offset. It's EASY to automate that.

Another problem that you certainly don't have to worry about, but is very annoying for Wii games, is the concept of MEM2 in Dolphin. You see, the GC only uses the MEM1 region, which is 24 MB of RAM that goes from 0x80000000 to 0x81800000, which I am sure you are familiar with. However, the Wii has this same region + another one called MEM2, a 64 MB area that goes from 0x90000000 to 0x94000000. CE cannot have 2 range limiters, and the RAM in between is either irrelevant or inaccessible. This is, again, another problem.

All in all, it all comes down to what CE was designed for: hacking x86 programs. However, our PCs that use x86 have characteristics that CE made assumptions on just because it was made for them, like using little endian and requiring an extension to use big endian; they assume you would always be searching in all of the process RAM because they assume the layout would be the same, etc. It was clearly not designed to search a subpart of a process that is not x86 (it's PowerPC), that has a completely custom layout and is in big endian.

To me, that was enough reasons to just start from scratch and not have any problems like this ever. To be clear, I am not criticising CE; it's probably the best x86 RAM search you can find, on par with MHS, but MHS doesn't have Lua support and it doesn't have any way to have big-endian support (also, CE is open source, but it's in Delphi...... which I did use at school in my classes and..... ugh, it's a terrible language). What I am saying is that CE wasn't the right program for the job here, so it was only inevitable that we have so many problems.

Btw, so far on that, it's going well; I can read the RAM in nicely formatted text and I just got the edit value feature working with reverse formatting :)
 

Punkline

Dr. Frankenstack
Joined
May 15, 2015
Messages
423
To me, that was enough reasons to just start from scratch and not have any problems like this ever.
This sounds really awesome. It’d be great to have a tool designed to support big-endian data and powerpc from its foundation rather than through a silly dance of workarounds like I’ve been doing with CE.

I may need to clarify that I only meant to share how I’ve been getting by with CE in the meantime. It’s all gum and shoelaces, but my point was that--ultimately--the payoff showed me how valuable of a (broken) feature pointer navigation is. It’s really kind of frustrating that the whole thing is caused by something as simple as stuff being read in the wrong direction.

The emurpm addon I’ve been using only alters cheat engine’s perceived starting address for scans, and this PIE randomizing thing sounds like it will complicate things. If I’m not mistaken, this super old 3.0 fastlog build has a similar thing going on, right? The start address is inconsistent, but I was able to find a (static?) pointer that seemed to work.

My dol mod example was (to your point) extremely cumbersome to put together and use. Very helpful at the time; but otherwise cryptic and not worth the trouble of setting up in most cases after that. I frankly don’t ever use it, and just use CE for its slightly more featured scan tools, and memory view windows.

It was however a means of getting around having to use a calculator just to check all the dynamic bones, models, textures, etc in a character on the stage. I could just scrub an ID field with a hotkey to browse pointers that were hidden away in an indexed structure.

The point I guess I was trying to make; tools like these can be all the difference... especially with the help of MC breakpoints. I’m really excited to hear about your project. If you’re designing things from scratch, I may be able to make a few suggestions about things that I believe even CE is missing in its default scan tools.

Keep us updated, if you can! This is great stuff.
 

Punkline

Dr. Frankenstack
Joined
May 15, 2015
Messages
423
I can't find the teching frame data memory locations in the 1.02 spreadsheet. Does someone know where it is?
I just spotted these:
Code:
internal player data offsets:
0x680    byte    Number of frames since last heavy L/R press.
0x684    byte    stores the count of 0x680 at the time of pressing heavy L/R.
It looks like there's one of these for every button.

The game appears to check 0x680 to see if it's below 20, and 0x684 to see if it's above 28 when making a tech timing window.
 

aldelaro5

Paper Mario P
Joined
May 20, 2013
Messages
9,724
Location
Canada, Quebec (or Rogeuport if you want)
NNID
aldelaro5
3DS FC
3050-7721-6617
I actually can now, but first, I need to clarify something.

The endianness isn't the only reason for the pointers not to work; the other reason is obviously that CE thinks that a pointer that has 80000000 as its value is a pointer to 0x80000000 in Dolphin's PROCESS. It can't really offset these in the emulated memory, and even then (at least 75% of the games are like this, the others have custom memory mapping) it can't guess that what we actually want is the address without the first bit (the one that does the 8 at the beginning) + the current start..... So basically CE has absolutely no idea how pointers work in Dolphin.

Also, for the old debugfast build, I did find this thread while searching for a way to help fix the debugger in newer versions (I didn't actually do the fix, but I bisected, which helped to find where it broke and how the dev could fix it). Unfortunately, I never used CE with it because.....the build was sooooo old at the time I didn't bother.

Now as for my progress, well, I am extremely committed to this rn because I have university starting in like a month and a half, so I want to have the watch and the scanner done enough that I am satisfied before I release my code. The first beta release I will do initially, as well as the code release, is going to have the initial implementation of the scanner and the watch (I won't do a viewer at first, but I am DEFINITELY doing a viewer eventually; I used CE enough to get how useful it is).

I am ONLY doing the watch rn because once I've got the watch logic and the formatting logic, the scanner is going to be easier because it would use the same formatting; it just will read RAM like crazy to do filters.

So far, I have support for all integer types (byte, halfword, word) as well as float and double and finally string. I am also going to add array of bytes once I've got the address filling form ready (it's not going to be hard to add stuff to my system, I made it that way). I can continuously poll the values, they are formatted nicely and I can also write back the value given the input is valid (I already put an error mechanism in place). For pointer handling, this is going to be done after the address filling form.
Finally, it will support groups like CE; it's a tree structure.

Btw, about the connection with Dolphin, before I do the scanner, I am going to handle this automatically. It will try on boot to hook (so, get the PID and the start address dynamically) and if it can't (like it's not running or the emu isn't started), then the user will have to push a button to do it once ready. If Dolphin is running and the emulator is started, then it's going to hook and this is when the watch magic happens. The idea is THERE IS NO LONGER GOING TO BE ANY NOTION OF START ADDRESS (it's just going to be there for diagnosing purposes tbh). The reason I can do this is I can know the start every time even if it changes, but this also means something super interesting: the address column can show you the ACTUAL virtual addresses of the GC/Wii, no more 7fff00000 which is awkward to interpret because really, you meant 80000000.

Even better, I can attempt to detect if the game running is a GC or a Wii one so I can enable or disable the MEM2 region accordingly. There are some rare cases where it's not possible to know that (some games have no ID on both consoles; they are mostly Wii though) so the user would be able to override that.

Other things I need to say: I decided to NOT implement file saving in the initial release because I'd rather wait for the project to be stable enough before this. This is actually a really huge decision; I want a format easily editable that will serve me for the longest time possible, ideally no need to change it ever. It's obviously going to be a huge priority when I initially release it though.

As for scripting......yeah, I don't think I can do it in the near future tbh. I can see how it could be very requested, but the reality is I have no idea how to do it.

Oh, and about macOS......this too, idk how to have support for it, so unless someone is very interested to have it and implements my interface to talk to Dolphin, I don't think it will happen.

That's my roadmap so far, I am tonight going to implement

I was about to implement the freeze feature tonight btw; here's a gif showing continuous polling. I got this from Super Paper Mario, some addresses I knew :)


Btw, if there's a better thread to talk about this, pls let me know, I am not sure if this is the best thread for that :)

EDIT: Got the freeze to work....that was easy.
 
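Added example (not aldelaro5's code, which is not on the page): how a RAM tool built for Dolphin can resolve pointer chains correctly, given the big-endian words and the MEM1/MEM2 ranges described in the two posts above. The snapshot contents, addresses, and function names are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

constexpr uint32_t MEM1_START = 0x80000000u;  // 24 MB, GameCube and Wii
constexpr uint32_t MEM1_END   = 0x81800000u;
constexpr uint32_t MEM2_START = 0x90000000u;  // 64 MB, Wii only
constexpr uint32_t MEM2_END   = 0x94000000u;

// Host-side snapshot of emulated RAM. Where Dolphin maps these regions in its
// own process is found at hook time; users only see console virtual addresses.
struct EmulatedRam {
    std::vector<uint8_t> mem1;  // bytes starting at MEM1_START
    std::vector<uint8_t> mem2;  // bytes starting at MEM2_START (empty on GC)
    bool isWii = false;
};

// Map a console virtual address to host bytes. Returns nullptr when the address
// is outside MEM1/MEM2, in the gap between them, in MEM2 on GC, or past the snapshot.
const uint8_t* translate(const EmulatedRam& ram, uint32_t vaddr, size_t len) {
    const std::vector<uint8_t>* region = nullptr;
    uint32_t base = 0;
    if (vaddr >= MEM1_START && vaddr < MEM1_END) {
        region = &ram.mem1; base = MEM1_START;
    } else if (ram.isWii && vaddr >= MEM2_START && vaddr < MEM2_END) {
        region = &ram.mem2; base = MEM2_START;
    } else {
        return nullptr;
    }
    uint64_t off = vaddr - base;
    if (off + len > region->size()) return nullptr;
    return region->data() + off;
}

// PowerPC stores words big-endian; an x86 host must reassemble the bytes rather
// than reinterpret them in place, which is the mistake CE makes.
std::optional<uint32_t> readBE32(const EmulatedRam& ram, uint32_t vaddr) {
    const uint8_t* p = translate(ram, vaddr, 4);
    if (!p) return std::nullopt;
    return (uint32_t{p[0]} << 24) | (uint32_t{p[1]} << 16) |
           (uint32_t{p[2]} << 8) | uint32_t{p[3]};
}

// Follow base -> [base]+off0 -> [that]+off1 -> ... and return the final console
// address. Any hop through an unmapped address invalidates the whole chain.
std::optional<uint32_t> resolveChain(const EmulatedRam& ram, uint32_t base,
                                     const std::vector<uint32_t>& offsets) {
    uint32_t addr = base;
    for (uint32_t off : offsets) {
        std::optional<uint32_t> ptr = readBE32(ram, addr);
        if (!ptr) return std::nullopt;
        addr = *ptr + off;  // the offset applies after each dereference
    }
    return addr;
}

// Store a word big-endian into the snapshot (used to build the sample data).
void writeBE32(EmulatedRam& ram, uint32_t vaddr, uint32_t value) {
    uint8_t* p = const_cast<uint8_t*>(translate(ram, vaddr, 4));
    if (!p) return;
    for (int i = 0; i < 4; ++i) p[i] = static_cast<uint8_t>(value >> (24 - 8 * i));
}

// Constructed GameCube snapshot with a two-hop pointer chain. The addresses and
// values are made up for this example, not taken from Melee.
EmulatedRam makeSampleRam() {
    EmulatedRam ram;
    ram.mem1.assign(0x4000, 0);  // only the first 16 KB of MEM1 is modelled
    writeBE32(ram, 0x80001000u, 0x80002000u);  // base -> struct A
    writeBE32(ram, 0x80002010u, 0x80003000u);  // A + 0x10 -> struct B
    writeBE32(ram, 0x80003008u, 0x0000002Au);  // B + 0x08 holds 42
    return ram;
}

int main() {
    EmulatedRam ram = makeSampleRam();
    std::optional<uint32_t> leaf = resolveChain(ram, 0x80001000u, {0x10u, 0x08u});
    return (leaf && readBE32(ram, *leaf) == 42u) ? 0 : 1;  // leaf == 0x80003008
}
```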

DRGN

Technowizard
Moderator
Joined
Aug 20, 2005
Messages
2,178
Location
Sacramento, CA
I found a statement from Satoru Iwata (President of HAL Labs, and later, Nintendo) that, "Ubisoft was named after Ubiquity because you wanted to be everywhere in the world and HAL was named as such because each letter put us one step ahead of IBM!" Lol, really? How random!

Also, this might be more well-known (since this website has been posted here before), but if you've ever wondered about their logo:

Inutamago (HAL Labs) logo.png

Inutamago -
An unexpected bond...
One that brings about the birth of something new.

A connection between people that leads to the unknown. Ideas coming together to form extraordinary combinations.
Keep these ideas close, keep them warm, and a new type of joy comes into the world - one we’ve never seen before.

Like a dog keeping eggs warm -
this is the symbol of HAL Laboratory.

[Interview with Masayoshi Tanimura and Inutamago’s creator Mr. Shigesato Itoi about the logo]


Incidentally, I found some super obscure game dev notes, on a description of Pichu (But this translation is so bad!):

There is a thing called "model change character" in Smavra .

Fourteen basic characters and five hidden characters are basic, but there are variations of characters in the corner of the character selection screen, appearing beyond the character frame.

During development, I thought that about 16 bodies would be Kanoyama no matter how hard they could do.
However, even if it says so, the customer wants to participate more characters, so ...

So, by creating a program and motion by making the killer motion and movement (motion) exactly the same as some kind of character Saving, different appearance and operation feel prepared different characters.
Like Luigi against Mario of the previous work.

Actually, it is not easy enough to say that it is very difficult to make a model and secure a character frame, and it is not easy enough to say that it is so easy for me to adjust the parameters (attack power or jumping force) Although it was.
However, if there are only "no" or "there" options, I thought that "there is better" is better and I twisted it.
(It is because there is no reason to increase the number of characters even if these are cut)

, we prepared "Pichu for Pikachu".
Actually playing, Pichu and Pikachu are quite different.

This time Smavra entrusted the weakest seat to Pichu.
Unlike pudding which was considerably weak at the last time, unlike pudding which was considerably strong depending on the ingenuity, there are physical handicaps that when numbered attacks are done, they suffer numbness and receive damage even by themselves.
Body weight is also the lightest among all characters, there is not much attack power on the whole.

Conversely, if you can win with this character it is quite cool.
If there is an Australian who uses this character in the top battle of the tournament, please applaud yourself.


Appearance condition:
Event game 37 "Legendary Pokemon" cleared.
Or you play matches of match game over 200 times.

... I think I have already noticed, you can make all the hidden characters appear even by repeating the number of battle games.
Although I am a little lazy instead of being easy, it is OK condition setting even if only a matchup is done.
I thought the talk on clone characters was interesting though.

Itaru, do you think you could make a better translation? Your English is a lot better than this. If you want to give it a try, you can find the original here.
 

Itaru

MasterGanon
Joined
Jun 25, 2014
Messages
279
Location
Ibaraki Prefecture, Japan
"Smavra" means "smash bros". google translation is poor. haha.

OK. But translation is hard work for me. So, I put a summary.

---------------------------------------------------------------------------------
In Smash Bros. there is something called a "model-change character".
In SSBM, there are characters called "model changed characters".

There are 14 basic characters and 5 hidden characters as the base, but there are variations of characters in the corner of the character select screen, appearing beyond the character slots.
Basic characters are 14, hidden characters are 5, but there are more secret characters.

During development, we thought that no matter how hard we tried, about 16 characters was the most we could make.
But even so, customers wanted more characters to join in...
In development, we thought that we could make only 16 characters.
But, customers want more characters…

So, by making the special moves and motion (movement) exactly the same as some other character, we saved the time needed to create the program and motion, and prepared characters that differ in appearance and feel.
Like Luigi versus Mario in the previous game.
So, we decided to make characters which have the same animations and same attacks. They save programming time.

...Actually, making a model and securing a character slot is also a lot of work, so it is not as easy as it sounds, and I knew that I, who adjust the parameters (attack power, jump power and so on) more than anyone, would have an enormous amount of work.
But if the only options were "none" or "some", I thought "some" was definitely better, and forced it in.
(Cutting these would not have let us add more characters anyway.)
In fact, making a character is very hard work. But we decided to do our best.


So, we prepared "Pichu versus Pikachu".
When you actually play, Pichu and Pikachu are quite different.
Then, I made Pichu against Pikachu.

In this Smash Bros., the seat of the weakest was entrusted to Pichu.
Unlike Jigglypuff, who was nominally the weakest last time but could be quite strong with some ingenuity, Pichu has a physical handicap: when it performs an electrified attack, it gets shocked and takes damage itself.
Its weight is also the lightest of all the characters, and overall it does not have that much attack power.
In SSBM, Pichu is the weakest character.
In SSB64, the weakest character was Jigglypuff, but she was intermediately strong. But Pichu takes damage from electric attacks, and she is the lightest character.

Conversely, if you can win with this character, it is quite cool.
If there is a strong player who uses this character in the top matches of a tournament, please give them a round of applause.
So, you are very cool if you win with Pichu.


Unlock condition:
Clear Event Match 37, "Legendary Pokémon".
Or play 200 or more Versus Mode matches.
How to get Pichu:
Win "Event 37" or do melee more than 200 times.

...As you have probably noticed by now, you can make all the hidden characters appear just by playing many Versus Mode matches.
It is a little tedious in exchange for being simple, but it is a condition that also works for those who only play Versus.
You can get Pichu by melee only.
 

DRGN

Technowizard
Moderator
Joined
Aug 20, 2005
Messages
2,178
Location
Sacramento, CA
Thanks!

I wonder why they initially thought they could only make 16 characters. I wouldn't think they would say that based on a technical standpoint; maybe that's just what was originally planned or discussed with Nintendo.

Some of the translations are pretty funny. For example, Pichu's Up-B was translated to simply "Soup". And look at this table of moves for Ganondorf, lol:
upload_2017-12-1_8-25-56.png
 


SinsOfApathy

Smash Journeyman
Joined
Feb 24, 2015
Messages
474
NNID
Psion312
Is there any way to inject codes to a melee save file by using dolphins debugger?

I have been reading http://wparam.com/ssbm/makesave.html but can't seem to figure out a way to do it without gcnrd and a broadband adapter/gc.
Months behind on the response here, but wParam was just using Gecko as a memory debugger. If you use the memory debugger in Dolphin, just going to 8045D850 is the start of the nametags in the memory card and you can start writing the buffer overflow there. Then at 8045D930 is where you can begin your code for patching.

I scrapped the code I had (or rather, changed the focus from being on injecting code currently), but basically it would look something like this if you just wrote directly to Dolphin's memory region:

Code:
if (GetAsyncKeyState(VK_INSERT) < 0) {
    for (int i = 0; i < 0xD4; i++) {
        char* addr = reinterpret_cast<char*>(nametagRegion + i);
        *addr = 'D';
    }
    //Write the original stack trace
    uint32_t* addr = reinterpret_cast<uint32_t*>(nametagRegion + 212);
    *addr = _byteswap_ulong(0x804EE8F8);
    //Write the address of our injected code
    addr = reinterpret_cast<uint32_t*>(nametagRegion + 216);
    *addr = _byteswap_ulong(0x8045D930);

    //And here is where I'd load a file into memory to patch my actual code
    //Something like memcpy(&myFile, reinterpret_cast<char*>(patchStart), myFile.length);
}
 

nickultra

Smash Cadet
Joined
Jul 30, 2016
Messages
27
Can someone explain this to me:
Mario's Up-Tilt:
Base KB: 26
KB Growth: 125

Falcon's Knee:
Base KB: 24
KB Growth: 100

Up-Tilt > Knee???

I find this a consistent problem. For instance, Falco's Bair feels a lot stronger than Fox's in game, yet they have the exact same KB? What am I missing here?
 

AxelShaped

Smash Rookie
Joined
Jan 20, 2018
Messages
10
NNID
abdan60
How do I edit the blue sky of Big Blue? I can't find what it looks like and I need to give it a Stardust Speedway texture. I really need the answer before I release my modpack.
 

AxelShaped

Smash Rookie
Joined
Jan 20, 2018
Messages
10
NNID
abdan60
Is there a stage editor tool or program I missed? I really would like to make some stages for my modpack, and I like making stages in the stage creators in Brawl and Wii U, but in Melee I can now make the stages look like their counterpart; I could make a Castle Lololo stage for Kirby fans or a legal Pokefloats if I follow the camera.
 

AxelShaped

Smash Rookie
Joined
Jan 20, 2018
Messages
10
NNID
abdan60
Am I in the wrong thread? All I need for now are the skies of stages so I can finish them and post them online. I just need a photo of the skyboxes on Wizard so I can know what it looks like or what textures are near it.
 

velkurotic

Banned via Warnings
Joined
Oct 2, 2018
Messages
1
Is it possible to add a character space?
I know it would be extremely difficult,
but I want to know if there is a possibility.
 

The Cape

Smash Master
Joined
May 16, 2004
Messages
4,478
Location
Carlisle, PA
So I am attempting to find the physical body/hitbox of the Goombas that spawn in Adventure1. Anyone have any idea where those may be?

Edit: Found
 

TDRR

Smash Journeyman
Joined
Sep 18, 2017
Messages
286
Location
Venezuela
Is there any newer stage collision (and possibly model) documentation or tutorial?
 

The Cape

Smash Master
Joined
May 16, 2004
Messages
4,478
Location
Carlisle, PA
Is there any newer stage collision (and possibly model) documentation or tutorial?
31EAC:
Left edge bottom: C2A27333 (-81.224998)
Battlefield left edge top: C2AB0000 (-85.5)
Difference: 4.275002

31EB4:
Right Edge bottom: 42A27333 (81.224998)

Right Edge top: 42AB0000 (85.5)
Difference: 4.27002

Edges of BF verticals:
-7.5: C0F00000
31EB0
31EB8

Bottom of BF verticals (middle):
-39.07: C21C496C
Left Side: 31EF0
Right Side: 31F00

These are some coordinates found by UnclePunch in GrNBa (Battlefield), plus some digging around with it that I did to find more info. You can see my first shot at changing the infamous Battlefield ledges in the video below.


https://youtu.be/PL4T0OEZTnE
 