
Super Smash Bros. 64 hacking

vexiant

Smash Rookie
Joined
Nov 16, 2015
Messages
4
Greetings, I figured I had no choice but to post the following here with the "Smash Workshop" category not having a suitable forum for me to do so on. The following data is comprised of ROM and RAM finds that I figured some on this message board would fancy. http://pastebin.com/tBuyskn3
The following was done by various members of an IRC channel called #.blank, which can be found on the Rizon network. (Note: you can trace RAM addresses to ROM through the DMA controller, of course.) You can find us here as well

=============================================================================================
Tools (To get started, at least)
The ROM addresses that you see can of course be worked with using a hex editor; however, you can also view the locations in MIPS source/disassembled code rather than strictly ol' base16, at least.

Nemu64. An emulator that has tons of debugging features but hasn't been worked on in over a decade and is relatively buggy, but is still, by far, your best option for the content I have displayed here.

For assembling gameshark codes in C
Tutorial applicable to the toolchain:
Setting it up

LemASM is an assembler/disassembler and ROM editor which also allows hex view
A better program than LemASM and could become your best friend

Renegade64 can hook to any N64 emulator and is capable of assembling MIPS R4300i code into GS code format, memory scanning and other things you can figure out on your own.
Source

There are tutorials below for everything I posted above!


==============================================================================================
Guides/Tutorials
Desire to learn how you can make use of this newly acquired knowledge? Here I give you a list that I compiled with practical, informative tutorials, guides, references, etc:

Every Nintendo 64 programming manual (excluding games, including 64DD). Excellent resource
R4000 manual
ISA
Opcodes (A lot more can be found by navigating back to the n64dev directory)

Want stuff with more layman's terms and hands on/practical?

These first two I assume will be of much avail for beginners.
Practical usage
An amazing MIPS course
First off, I recommend the above for everyone, noob or not. The former is the most "practical" guide of the bunch that I keep blabbing on about; the latter is a college course on MIPS. Those two should work perfectly.

Moreover, I still provided more links just in case.


SM64 Hello world with MIPS hacking
Introduction to LemASM
Learning basic debugging tool usage and a very basic introduction to assembly (Is also quite good)
A brief, but not well explained, tutorial for tracing basic arithmetic operations and making a gs out of assembly
An old practical, informative tutorial to Nintendo 64 hacking
In depth gameshark code creating guide
Practical OoT tutorial for making gameshark codes with c
Same as above, but for Super Mario 64 and more explanatory
Yet again more practical tutorials on some daily planner looking system


I cannot link to ROMs for legal reasons and the terms and conditions of this site. You can find them yourself easily through Google.
 

tehz

Smash Apprentice
Joined
Mar 27, 2010
Messages
188
Wow. A lot of cool stuff in your text file. So much breadth: animations, sounds, stages. I'll be stuck understanding this for weeks!

Next time I have a question, I'll have to pop in the IRC/forum and ask you guys.

Also, CajeASM is amazing. Best day of my life when I found that program, and I never had to manually update branch offsets again. I can't wait until he adds in the disassembler.
 

vexiant

Smash Rookie
Joined
Nov 16, 2015
Messages
4
Yes, feel free. So you're already acquainted with Nintendo 64 hacking? I'll go ahead and send you a private message to a lot of data finds for other games too. Be sure to keep me updated with your work!
 

Komotonoto

Smash Journeyman
Joined
May 13, 2012
Messages
422
Location
5h17c490
Hello, I know a bit of assembly and C and would like to mod ssb64. Would anyone be willing to help me get started? Please let me know. I have a skype account or if I should join your IRC channel let me know, thanks.
 

vexiant

Smash Rookie
Joined
Nov 16, 2015
Messages
4
Yeah, sure thing Komotonoto! When you come in, let them know you're not just some scrub if I'm not around, and they'll feel more inclined to help you. If no one is active and answering you, they're probably not ignoring you and are afk, so if that happens, just ask on the forums. A lot of these guides should help you out. My buddies and I are always more than happy to have new people around. Most of us program and hack more than just Nintendo 64 games. We've all done some GameCube work too, etc.

See you around! :)
 

JusticeLazer

Smash Rookie
Joined
Aug 11, 2015
Messages
6
Hey, I'm not sure if this is the best place to post my question, but I'm running into some issues. Now maybe I'm completely misunderstanding things and this is a stupid question. I'm just super confused right now. I've been reading this guide. Following it: I found the address for player 1's % in VS mode (800A4D74). I set a break on that command in Nemu and there's code at 800D7A48 which resets the % to 0 when you lose a stock. Just as an experiment I'm trying to make it so dying doesn't reset your %.

Setting 800D7A48 to all 0's in Nemu's memory viewer works as intended. The problem I'm having is I can't seem to find the code in LemAsm. Following the guide I mentioned earlier, I would subtract 80000400 from 800D7A48 and add 1000. Doing that gives me D8648. Editing that address in LemAsm to NOP doesn't seem to actually affect the address 800D7A48. Nemu shows it still having code after reloading the game. Can someone point out what I'm doing wrong?

Tl;dr: Found the memory address for a piece of code in Nemu, can't find where to edit in LemAsm.
 

tehz

Smash Apprentice
Joined
Mar 27, 2010
Messages
188
Okay, so in SSB, the absolute location of something in RAM doesn't necessarily correlate with its location in the ROM (as I guess is the case for Mario Kart...?). Different files are loaded in the RAM at different times.

So, an easy way to find that instruction at RAM 0x800A4D74 would be to do something like this:
  • Open up an ssb rom in a hex editor
  • In Nemu, use the memory viewer to copy the actual machine code around 0x800A4D74 (so like I'd do something like copy everything between A4DCC and A4D7C) when you know that 0x800A4D74 is the instruction you want
  • Search for those copied bytes in the hex editor
  • Hopefully, you'll find a match at a certain address/offset
  • Go to that address in LemASM, change to a NOP or whatever
  • Update CRC and test!
Good luck.
 

JusticeLazer

Smash Rookie
Joined
Aug 11, 2015
Messages
6
YES!!!!! Thank you so much for the quick response. At first I was having trouble finding matches in HxD, but I forgot to swap the bytes around. Why does the N64 reverse the order anyway? Thanks again! Now hopefully I can take the next steps and learn how to do cool stuff haha.
 

vexiant

Smash Rookie
Joined
Nov 16, 2015
Messages
4
The above method is viable most of the time, but you can of course potentially encounter an identical instance. Base 16 (hexadecimal) is just a form of a less legible binary pattern to perform an action in comparison to MIPS after all (I say that because identical events can sometimes be common between games). Moreover, the Nintendo 64 OS doesn't impose any default locations when it comes to where a code or data segment is located and this includes the main heap (arbitrarily allocated data), how many "threads" there are (one stack per thread. e.g. Ocarina of Time has four iirc) or anything in relation to memory management. With that said, some games also utilize the main CPU's (VR4300) memory management unit's (MMU) translation lookaside buffer (TLB). Some games will make use of this depending on their addressing mode or kernel user mode (all of Rare's games) and it can be a total pain when it comes to reverse engineering games or trying to type up assembly codes for 'em.
With the above said, I shall supply you with a tutorial that can be used on most Nintendo 64 games to trace RAM to ROM as long as it's within a code segment!


Locating RAM to ROM (and vice versa):

I will also go into detail about how to locate the start and end of the code segment in ROM! Note: Not all Nintendo 64 games use the same "code" file (again, as noted above). Nonetheless, "standard" functions are always in lower memory. By "standard functions," I mean functions that are within the code/text segments within RAM. As stated in the "Memory Segment" category, things in higher memory are almost always arbitrarily located as well as mapped there through the TLB, which makes it incredibly difficult to trace back to ROM.


Locating the start and end of a code segment

  • To locate the start of the code/text segments in RAM, you can do this one of two ways:
    1.) If you're using Nemu64, you can utilize the "Show Rom Info" option I spoke of above to obtain the RAM entry point, breakpoint the address (which is a pointer) of the entry point and it will take you to where the standard (libultra) functions start!

    2.) Moreover, you can open the ROM of your choice in a hex editor and navigate only 0x8 bytes in and copy the word found there. (A word is 32 bits long: XX XX XX XX)

  • To locate the end of the code/text segments in RAM: First, as also explained below, open a hex editor of your choice and navigate to 0x1000 and scroll down until the machine code ends, and take note of the address that it ends on, as that is the end offset of the standard functions. Then: (End offset in ROM + RAM entry point) - 0x1000
  • To trace a target RAM address from a MIPS JAL instruction in this segment:
Discovered RAM Address = (JAL instruction & 0xffffff) << 2
(Discovered RAM Address - RAM entry point) + 0x1000
"&" is a bitwise AND
"<<" is also a bitwise operator for left shift

Method to locating alternative code segments

  • In order to locate a game's compiled main.c file, open up a hex editor and search for the ASCII text "RSP Gfx", as all ROMs have that string to specify what Microcode Library the game uses. If the game has a file table, then the ROM search will put you between the start and end address of a file table entry. That string is always found in the main code segment!
  • If you've located the code segment, record the start address of it from the file table. Then, you must determine the RAM start address. See the tutorial on this page for methods.
  • To get the RAM end address, simply subtract the start address from the ROM's file table from the end address from the ROM's file table. Then, add the difference to the RAM start address.
  • If you have the ROM start address, RAM start address, and RAM end address, and have discovered code/text in RAM within the segment:
(Discovered RAM Address - code segment RAM start address) + code segment ROM start address

  • To locate ROM to RAM, just swap RAM for ROM in the equation above: (Discovered ROM Address - code segment ROM start address) + code segment RAM start address
Note: I've only noticed yaz0 games having file tables, and the ones outside of that that also had them are: Super Smash Bros and Star Fox 64.


You can locate virtual address locations in ROM, but, hence "virtual," you'd have to locate where they're loaded from. It's a whole complex process in itself, though. The above method will suffice for now!


IN CONCLUSION! Soon there will be a Nintendo 64 hacking wiki that the .blank community is currently creating and smash content will be there. Feel free to drop by our IRC or post on our forums for the time being! irc.rizon.net #.blank

https://pb.ajf.me/index.php

Edit: Also, that tutorial is for hacking with Cheat Engine so you'll probably find this handy http://gamehacking.org/vb/threads/7270-Cheat-Engine-to-Nintendo-64-Converter
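The address arithmetic from vexiant's tutorial above (RAM entry point at ROM offset 0x8, ROM offset = (RAM address - entry point) + 0x1000, decoding a JAL target), together with tehz's byte-pattern search and the byte-swap problem JusticeLazer ran into, as an added Python example that is not part of anyone's post. It decodes the JAL target using the full 26-bit target field with the upper 4 bits taken from the PC, as the MIPS ISA defines it; the ROM it works on is a constructed stand-in, not game data, and only z64/v64 dump byte orders are handled.

```python
import struct

# First header word of a standard N64 ROM in the two common dump byte orders.
ROM_MAGIC = {
    b"\x80\x37\x12\x40": "z64",  # big-endian: the order the console (and Nemu's viewer) sees
    b"\x37\x80\x40\x12": "v64",  # 16-bit byte-swapped: why a naive hex search finds nothing
}

def to_big_endian(rom: bytes) -> bytes:
    """Normalise a dump to big-endian so bytes copied from RAM match the ROM."""
    kind = ROM_MAGIC.get(bytes(rom[:4]))
    if kind == "z64":
        return bytes(rom)
    if kind == "v64":
        swapped = bytearray(rom)
        swapped[0::2], swapped[1::2] = swapped[1::2], swapped[0::2]
        return bytes(swapped)
    raise ValueError("unrecognised ROM header (little-endian .n64 not handled here)")

def entry_point(rom_be: bytes) -> int:
    """RAM entry point: the 32-bit word at ROM offset 0x8 (Nemu's 'Show Rom Info' value)."""
    return struct.unpack(">I", rom_be[8:12])[0]

def ram_to_rom(ram_addr: int, entry: int, code_rom_start: int = 0x1000) -> int:
    """Main code segment: ROM offset = (RAM address - entry point) + 0x1000."""
    return (ram_addr - entry) + code_rom_start

def rom_to_ram(rom_off: int, entry: int, code_rom_start: int = 0x1000) -> int:
    """Inverse of ram_to_rom."""
    return (rom_off - code_rom_start) + entry

def jal_target(instr: int, pc: int) -> int:
    """JAL target: 26-bit index << 2, upper 4 bits from the delay-slot PC (MIPS ISA)."""
    if instr >> 26 != 0x03:
        raise ValueError("not a JAL instruction")
    return ((instr & 0x03FFFFFF) << 2) | ((pc + 4) & 0xF0000000)

def locate_by_pattern(rom_be: bytes, snippet: bytes) -> int:
    """tehz's method: find bytes copied from RAM in the big-endian ROM; -1 if absent."""
    return rom_be.find(snippet)

def build_sample_rom() -> bytes:
    """Constructed stand-in for a dump (not real game data): entry 0x80000400, code at 0x1000,
    and at ROM 0x1010 (RAM 0x80000410) a 'jal 0x800A4D74' with a nop in its delay slot."""
    rom = bytearray(0x1100)
    rom[0:4] = b"\x80\x37\x12\x40"
    rom[8:12] = struct.pack(">I", 0x80000400)
    rom[0x1010:0x1018] = struct.pack(">II", 0x0C02935D, 0x00000000)
    return bytes(rom)
```

With the page's own numbers, ram_to_rom(0x800D7A48, 0x80000400) gives 0xD8648, the offset JusticeLazer computed by hand; run the pattern search and the formula side by side and treat a mismatch as a sign the address lives in a segment other than the main code file.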
 

Tarek701

Smash Rookie
Joined
Jan 2, 2016
Messages
3
Oh, didn't know that thread exists. Just saying, if there are any remaining bugs in CajeASM, please report them to me. I'm currently fixing a lot of stuff for CajeASM v8.0 and I'm still searching for a way to make a proper disassembler in CajeASM without messing up everything.

Greetz,
Tarek701.
 

mib_f8sm9c

Smash Rookie
Joined
Feb 12, 2016
Messages
9
Just a heads up on this, me & SoundBlitz are gonna be working on this some. Long-term, we're gonna aim for some editors (ideally level, model & animation, but that's pretty long-term thinking). I think eventually we'll have a thread on .blank to cover our progress, but for now we only have one here.

Already been looking into the data and finding some model information (thanks Vexiant for the RAM to ROM guide!). Here's a pic of me rendering the 3 platforms from the Hyrule Castle.

EDIT: I try to avoid hype, this is still a long way from anything remotely usable, but this has me pretty excited at the moment.
 

Zantetsu

Smash Master
Joined
Sep 1, 2006
Messages
4,413
Location
Springfield, MO
This is awesome. I've always wanted modifications to stages, since there aren't a decent amount to choose from and only 1 is tournament legal. Looking forward to this.
 

Gamerz31w

Smash Cadet
Joined
Jan 31, 2016
Messages
30
Instead of copyright infringement/protection issues and maybe these very rules on the forum, I'm wondering why it's an abandoned website?
http://earthbound64.blogspot.com/
btw I suggest to swap Link with Duster EB64 look, Samus with Kumatora and Hinawa EB64 look, Pikachu with N64DD look of Lucas and Claus. This blogspot is about hacking Quest 64. I hope game developers don't own copyright protection on this game.
 