Cursor Hacking and Advanced Tracing Written By Labmaster
Megaman Battle Network 4.5 Real Operations (J) - Unlock all Navis
Do not be put off by the fact that we are hacking a Japanese game, this tutorial contains many useful techniques for ASM hacking.
It is assumed that you have read Kenobi's GBA ASM tutorials and have a working knowledge of THUMB assembly. You will need:
VBA Normal (or H version)
VBA SDL (k or H version)
Goldroad (optional, for the custom ASM routines)
The GBA Technical Document
A MMBN4.5 ROM
The first step is to locate the actual address of the Navi flags. We will be using a technique I like to call Cursor Hacking to obtain this. Cursor hacking basically involves using the address of a cursor value as the starting point for an ASM trace. You could find the Navi flags using the traditional not-equal searches, but in this case the game had just come out, and I really did not want to wade through a game I did not understand, unlocking characters without knowing exactly how that is accomplished, just to get the code.
Load up the ROM in VBA. Start a new game and get to the Navi selection screen (for those unfamiliar with MMBN (or Japanese), it's the screen where you can choose between 4 pictures). The point of cursor hacking is to first find the value which holds the position of the cursor. So, do greater-than searches when you move the cursor right, less-than when it goes left, and equal when it stays in the same spot.
Looking at the results, it's either 0200f55c or 0200fdc6. Freeze (using 'Add Cheat') the first address to 0 and the second to 1. You'll see the cursor goes to the first picture, and as the value is a 0-based index, it's the first address we are interested in.
Next, remove the cheats, make a savestate on the selection screen, then load the ROM up in SDL. We are now going to snoop around the routine which writes the cursor value to try and find the flags. Set a bpw (write breakpoint) on 0200f55c for 1 byte. Move the cursor and we'll break at 08039204. Take a look at the routine in VBA's (normal) Disassembler (THUMB mode).
tst rx, rx instructions are used to check whether a byte is 'set' (non-zero) or not. It's quite likely that the value loaded at 080391fc is important.
From your breakpoint, you'll see that r7 + r2 = 0201e80x, depending on which Navi you had the cursor over. Go into normal VBA, load up your Navi-select screen savestate, and go to 0201e800. You'll see that the first 4 bytes are set to '01' and the remainder are '0'. And there are four Navis that you can currently select...
Add 3201e804 0001 (CBA code). This sets the 5th byte to 1. Now try and select the 5th Navi - you won't see it, but it's there, and selectable.
However, these aren't the actual flags. If you reset the game, enable the code, then go to the selection screen, the Navi won't be there (even though you can 'select' it). We've only found an intermediate value, and whilst you may be tempted to use this as a code, it's not very impressive.
The game writes these bytes before the Navi screen is displayed, so switch back to SDL, disable any breakpoints, and reset the game. Get to the screen before the selection screen (a confirmation box, by the look of it) and set a bpw on 0201e800 (the byte corresponding to the first Navi) for 1 byte.
This routine cycles through each Navi (there are 22 of them, hence the cmp r5, #0x17). The two subroutines at the top check whether you have the Navi. The rest of the code just sets the corresponding byte to 1 or 0. To understand what is going on, we have to step through the routine.
Place a BT at 080394dc and let the game break. You now have two choices - manually enter n until you reach 080394f2, or, if you have my H version of SDL, enter
lf 080394f2 traceout.txt /a
This automatically dumps the output into a file in the same directory as the ROM.
This is a very interesting routine, which Capcom have used in their Megaman/Rockman games since Battle Network 4. It is a form of tamper protection (and a strange one at that). In addition to the Navi flags, there are two other arrays in RAM - one at 02004800 and one at 0200a270. Each byte represents one Navi. The above routine loads the byte for the Navi from the 02004800 array, XORs that value with 0xE7, then compares it with the byte from the 0200A270 array. If they are equal, we are all sweet - if not, the game assumes you have cheated and weird things happen.
At the time I was hacking this game, I had a sneaking suspicion that the data in one of those arrays was important - if we modified it ourselves, it would cause all sorts of problems. If this were not the case, such an elaborate protection would not really make sense. Because of this, I wrote a rather elaborate ASM routine that hooked into one of the sound routines running in IWRAM, to fill the 0200a270 table from the data at 02004800, so that everything was preserved.
As it turns out, the data didn't seem to be needed, so there is a much simpler solution. Simply use two slide codes, one for 02004800 and one for 0200a270, and fill them with values such that when you XOR them together the result is 0xE7.
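To make the check concrete, here is a small Python model of the tamper test described above. It is an added example, not code from the original tutorial: the two table addresses, the 0xE7 key and the 22-Navi loop bound come from the trace; the sparse RAM dictionary, the sample table contents and the function names are my own constructions.

```python
# Model of the Navi-table tamper check (added example, not from the tutorial).
# Addresses, XOR key and Navi count come from the trace; the rest is constructed.
PRIMARY_TABLE = 0x02004800   # one byte per Navi
MIRROR_TABLE = 0x0200A270    # one byte per Navi, expected to equal primary ^ 0xE7
XOR_KEY = 0xE7
NAVI_COUNT = 22              # loop runs for indices 0..21 (cmp r5, #0x17)


def build_ram(primary: bytes, mirror: bytes) -> dict:
    """Constructed sparse RAM image (address -> byte) holding just the two tables."""
    ram = {}
    for i in range(NAVI_COUNT):
        ram[PRIMARY_TABLE + i] = primary[i]
        ram[MIRROR_TABLE + i] = mirror[i]
    return ram


def tamper_check(ram: dict) -> list:
    """Per-Navi result of the game's comparison: (primary ^ 0xE7) == mirror."""
    return [(ram[PRIMARY_TABLE + i] ^ XOR_KEY) == ram[MIRROR_TABLE + i]
            for i in range(NAVI_COUNT)]


def consistent_mirror(primary: bytes) -> bytes:
    """What the author's IWRAM hook did: derive the mirror table from the primary one."""
    return bytes(b ^ XOR_KEY for b in primary)


def slide_code_tables() -> tuple:
    """The simpler fix: primary all 0x00, mirror all 0xE7, since 0x00 ^ 0xE7 == 0xE7."""
    return bytes([0x00] * NAVI_COUNT), bytes([0xE7] * NAVI_COUNT)


if __name__ == "__main__":
    # Constructed sample: arbitrary primary bytes with a matching mirror.
    primary = bytes(range(0x10, 0x10 + NAVI_COUNT))
    print("consistent tables pass:",
          all(tamper_check(build_ram(primary, consistent_mirror(primary)))))
    # Editing one primary byte without updating the mirror trips that Navi's check.
    edited = bytearray(primary)
    edited[4] ^= 0x01
    bad = tamper_check(build_ram(bytes(edited), consistent_mirror(primary)))
    print("tripped Navi indices:", [i for i, ok in enumerate(bad) if not ok])
    p, m = slide_code_tables()
    print("slide-code tables pass:", all(tamper_check(build_ram(p, m))))
```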
Yet another tst instruction. Chances are this is testing the actual Navi flags. If we take a look at our trace log, we see that r3 is equal to 02004dc6.
So, that about wraps it up. With a little bit of experimentation, we find that the two halfwords at this address hold the flags for all Navis:
82004DC6 FFFF 82004DC8 FFFF
And that is it. Our final code is:
42004800 0000 0000000B 0002
4200A270 E7E7 0000000B 0002
82004DC6 FFFF
82004DC8 FFFF
All trademarks are copyright their respective owners, all other content is copyright Codemasters Project