Thread: Rings of Power - Infinite HP & MP

  1. #1
    Join Date
    Oct 2006
    Location
    Avellaneda
    Posts
    733

    Thumbs down Rings of Power - Infinite HP & MP

    I played a bit with Rings of Power on the Genesis. I was looking for a way to have Infinite HP & MP. The problem I found is the following:

    If you do a write WP in HazeMD when someone hits you in battle you'll get this:
    Code:
    03B3AC: 670C                       beq     $3b3ba
    03B3AE: 206E FFF8                  movea.l (-$8,A6), A0
    03B3B2: 302E FFF6                  move.w  (-$a,A6), D0
    03B3B6: 9168 001C                  sub.w   D0, ($1c,A0)
    03B3BA: 2F2E FFF8                  move.l  (-$8,A6), -(A7)
    If I change the sub at 03B3B6 I get Infinite HP. But the enemies also obtain this effect. The same happens with MP:

    Code:
    037DC6: 600C                       bra     $37dd4
    037DC8: 206E FFF0                  movea.l (-$10,A6), A0
    037DCC: 3028 001E                  move.w  ($1e,A0), D0
    037DD0: 906E FFF4                  sub.w   (-$c,A6), D0
    037DD4: 206E FFF0                  movea.l (-$10,A6), A0
    037DD8: 3140 001E                  move.w  D0, ($1e,A0)
    037DDC: 206E FFF0                  movea.l (-$10,A6), A0
    Again if I change the move at 037DD8 with a branch my party and all the enemies have infinite mp.

    So I was looking for an alternate way to hack the rom and poke the values in the following ram addresses:

    FF0304:270F Buc Current HP
    FF0306:270F Buc Current MP
    FF043C:270F Obliki Current HP
    FF043E:270F Obliki Current MP
    FF04D8:270F Feather Current HP
    FF04DA:270F Feather Current MP
    FF05A8:270F Slash Current HP
    FF05AA:270F Slash Current MP
    FF0540:270F Alexi Current HP
    FF0542:270F Alexi Current MP
    FF0644:270F Mortimer Current HP
    FF0646:270F Mortimer Current MP

    I tried looking for a bunch of nops by tracing, but I couldn't find them anywhere.
    So I tried to change some instructions with a JSR.
    For example 2ED94: 4EB9 000F CF9C
    I chose 0FCF9C because it has a lot of zeroes. So in 0FCF9C I wrote:
    FCF9C: 33FC 270F 0304

    But the game always freezes when I enter a battle. On one occasion, the fight continued forever with me and the enemy with 0 HP.

    Any suggestions, please? It is the only code I need for the game. I found some new cool codes for it, but I'm missing this one.

    Thank you n_n.

    Whipon.
    Last edited by Whipon; 09-02-2007 at 10:53:49 PM.

  2. #2
    Join Date
    Oct 2005
    Location
    Cymru
    Posts
    205

    Default

    Quote Originally Posted by Whipon View Post

    I tried looking for a bunch of nops by tracing, but I couldn't find them anywhere.
    So I tried to change some instructions with a JSR.
    For example 2ED94: 4EB9 000F CF9C
    I chose 0FCF9C because it has a lot of zeroes. So in 0FCF9C I wrote:
    FCF9C: 33FC 270F 0304

    But the game always freezes when I enter a battle. On one occasion, the fight continued forever with me and the enemy with 0 HP.

    Only had a cursory look at the game (not really my sort of game), however if you are only poking 2ED94 & FCF9C: 33FC 270F 0304 it won't work...you've also got to replicate the code that you changed at 2ED94 and also need to do an RTS. So you'd need something like:-

    2ED94: 4EB9 000F CF9C
    FCF9C: 33FC 270F 0304
    FCFA2: 3F30 0800 <--the code you changed at 2ED94
    FCFA6: 3005 <--the code you changed at 2ED98
    FCFA8: 4E75 <---an RTS
    Pugsy's MAME Cheat Page : http://mamecheat.co.uk

  3. #3
    Join Date
    Oct 2006
    Location
    Avellaneda
    Posts
    733

    Smile Thank you very much!

    Thank you very much Pugsy, I'll try it tonight and I'll post the results here.
    If I manage to do it, it will be great!!!
    Whipon.

  4. #4
    Join Date
    Oct 2006
    Location
    Avellaneda
    Posts
    733

    Post Well...

    I tried the method, and it worked very well. But the game seems to have a cheat protection of some kind. Let me explain better:

    I changed 03B3C6: 3039 00FF C37C => 4EB9 000F D0CC

    This is a trace of a clean ROM:
    Code:
    03B3B6: sub.w   D0, ($1c,A0)
    03B3BA: move.l  (-$8,A6), -(A7)
    03B3BE: jsr     $37b82.l
    037B82: link    A6, #-$4
    037B86: movea.l ($8,A6), A0
    037B8A: tst.w   ($1c,A0)
    037B8E: bgt     $37d0a
    037D0A: bra     $37c16
    037C16: unlk    A6
    037C18: rts
    03B3C4: addq.w  #4, A7
    03B3C6: move.w  $ffc37c.l, D0
    03B3C6 is executed every time somebody loses HP in a battle. I had to use this method because when I tried to use an instruction that is continuously executed, the cheat protection appeared when you try to enter the Sorcerer's Academy at the beginning of the game.

    Then in 0FD0CC I wrote:

    Code:
    33FC 008C 00FF 0304 Buc - HP
    33FC 2328 00FF 0306 Buc - MP
    33FC 32C8 00FF 0302 Buc - Exp
    33FC FFFF 00FF 0316 Buc - Spells
    13FC 00FF 00FF 0318 Buc - Spells
    33FC 008C 00FF 043C Obliki - HP
    33FC 2328 00FF 043E Obliki - MP
    33FC 32C8 00FF 043A Obliki - Exp
    33FC FFFF 00FF 044E Obliki - Spells
    13FC 00FF 00FF 0450 Obliki - Spells
    33FC 008C 00FF 04D8 Feather - HP
    33FC 2328 00FF 04DA Feather - MP
    33FC 32C8 00FF 04D6 Feather - Exp
    33FC FFFF 00FF 04EA Feather - Spells
    13FC 00FF 00FF 04EC Feather - Spells
    33FC 008C 00FF 0540 Alexi - HP
    33FC 2328 00FF 0542 Alexi - MP
    33FC 32C8 00FF 053E Alexi - Exp
    33FC FFFF 00FF 0552 Alexi - Spells
    13FC 00FF 00FF 0554 Alexi - Spells
    33FC 008C 00FF 0574 Slash - HP
    33FC 2328 00FF 0576 Slash - MP
    33FC 32C8 00FF 0572 Slash - Exp
    33FC FFFF 00FF 0586 Slash - Spells
    13FC 00FF 00FF 0588 Slash - Spells
    33FC 008C 00FF 0644 Mortimer - HP
    33FC 2328 00FF 0646 Mortimer - MP
    33FC 32C8 00FF 0642 Mortimer - Exp
    33FC FFFF 00FF 0656 Mortimer - Spells
    13FC 00FF 00FF 0658 Mortimer - Spells
    3039 00FF C37C The replaced instruction at 03B3C6
    4E75 rts
    These codes give infinite HP & MP, all the spells and max experience.
    It worked very well. But when you get the second member of the party (Slash the Knight) and you try to use some spells, the cheat protection appears again. The same happens when you get the third member (Feather the Archer).

    I tried to find the subroutine of the cheat protection by tracing a clean ROM and the hacked ROM with HazeMD and then comparing the traces of both, but I couldn't find it.

    Here's a screenshot of the cheat protection:


    Then you must press any button and the game restarts.

    Is it possible to disable the cheat protection? Or am I doing something wrong?
    Thanks in advance!

    EDIT:
    I have found one more problem: The game assigns a random RAM address to your chars each time you start a new game. The first char, Buc, the sorcerer, is the only char that suffers no changes in his addresses. The remaining 5 chars receive a random address between FF0400 to FF0B00. Surely the guys at Naughty Dog have done nice work. Now I'm looking for a way to make the game always give you the same addresses, so I can poke them. If you can lend me a hand with this one, I'd really appreciate it. Also, please correct me if I'm doing something wrong.
    About the cheat protection: maybe it is an error message, like a BSOD. I changed the code at 0FD0CC to only write at the HP & MP addresses and now it doesn't appear so often. It keeps appearing sometimes.
    Whipon
    Last edited by Whipon; 09-05-2007 at 06:32:35 PM.

  5. #5
    Join Date
    Oct 2006
    Location
    Avellaneda
    Posts
    733

    Post I made lots of progress!!!

    I managed to understand the "cheat protection". It appears when you try to write to a RAM address that is not in use in the game. The game recalculates the addresses of all your chars (except the first (sorcerer)). So if you try to poke any saved RAM address from another playtime, it seems to crash the game and it shows you that nasty screen.

    So I poked only the sorcerer's stats:

    Invincible Buc,
    00127A: 52B9 00FF 0010 => 4EB9 000F D0CC
    0FD0CC:
    33FC 008C 00FF 0304 33FC 2328 00FF 0306 4E75

    I managed to boost all my chars experience with this one:

    Quick Level Up,HT0A-BALV
    002C516 B27C => 303C

    I saved lots of typing with this one:
    All the chars start with all the spells:
    Start with all the spells,
    0241A6: 11BC 0001 0800 => 4EB9 000F CFB4
    0FCFB4:
    21BC FFFF FF00 0800 4E75

    Some misc ones:
    Start with the Magic Leaf,
    02CE2A 0C6E 0005 FFFE => 4EB9 000F CF84
    0FCF84:
    13FC 0001 00FF C343 0C6E 0005 FFFE 4E75

    Infinite Gold, Water and Food,
    00F3D4: 1A18 1C33 5000 => 4EB9 000F CF94
    0FCF94:
    33FC 7530 00FF C364 33FC 7530 00FF C366 33FC 3A98 00FF 02DE 1A18 1C33 5000 4E75

    My new GG codes for this game

    It would be great if I could poke the other chars HP & MP. I found the code in the game that sets your chars stats when you get them:

    Code:
    024074: addq.w  #2, A7
    024076: move.w  D4, D1
    024078: muls.w  #$34, D1
    02407C: lea     $ff02d4.l, A0
    024082: move.w  D0, (A0,D1.l)
    024086: move.w  D4, D0
    024088: muls.w  #$34, D0
    02408C: lea     $ff02d4.l, A0
    024092: move.w  D4, D1
    024094: muls.w  #$34, D1
    024098: lea     $ff02d0.l, A1
    02409E: move.w  (A0,D0.l), (A1,D1.l)
    0240A4: move.w  D4, D0
    0240A6: muls.w  #$34, D0
    0240AA: lea     $ff02cc.l, A0
    0240B0: move.w  (A0,D0.l), D1
    0240B4: lsr.w   #4, D1
    0240B6: and.w   #$f, D1
    0240BA: move.w  D1, -(A7)
    0240BC: jsr     $31946.l
    031946: link    A6, #$0
    03194A: move.w  ($8,A6), D0
    03194E: addq.w  #1, D0
    031950: muls.w  #$3e8, D0
    031954: unlk    A6
    031956: rts
    0240C2: addq.w  #2, A7
    0240C4: move.w  D4, D1
    0240C6: muls.w  #$34, D1
    0240CA: lea     $ff02d6.l, A0
    0240D0: move.w  D0, (A0,D1.l)
    0240D4: move.w  D4, D0
    0240D6: muls.w  #$34, D0
    0240DA: lea     $ff02d6.l, A0
    0240E0: move.w  D4, D1
    0240E2: muls.w  #$34, D1
    0240E6: lea     $ff02d2.l, A1
    0240EC: move.w  (A0,D0.l), (A1,D1.l)
    0240F2: move.w  D4, D0
    0240F4: muls.w  #$34, D0
    0240F8: movea.l D0, A0
    0240FA: lea     $ff02e0.l, A1
    024100: adda.l  A1, A0
    024102: andi.w  #$ff00, (A0)
    024106: move.w  D4, D0
    But I don't know how to use it to hack the ROM. I understand it calculates the address by adding A0 to the effective address loaded. But with my current programming skills I can't use this data to achieve my goal u_u.
    Thank you very much.
    Whipon.
    Last edited by Whipon; 09-06-2007 at 02:52:08 AM.

  6. #6
    Join Date
    Oct 2005
    Location
    Cymru
    Posts
    205

    Default

    I do hate games like this....sort of RPG I guess? Without playing the game it's hard to give a proper solution. What you could try is finding if the enemy locations vary a lot or if they stick to a few locations (BP 3B3B6 and check the A0 register during battles), then change the code at 3B3B6 to jump to a separate routine - check the value of A0 (use compares and branches) and if it's an enemy do the SUB. If it's not then either do nothing or poke the location it's trying to change via the indexed address.


    BTW, it does not sound like a form of cheat protection, it's just the mechanics of the game...dynamic memory allocation (RAM cheat addresses change between levels/games) is often one of the side effects of using a compiler rather than programming directly in assembler. Poking memory which may not hold what you think it holds will obviously often have undesired effects (crashing etc.)
    Pugsy's MAME Cheat Page : http://mamecheat.co.uk

  7. #7
    Join Date
    Oct 2006
    Location
    Avellaneda
    Posts
    733

    Post Great!

    Yes Rings of Power is a very rare RPG.
    I discovered that some addresses given to your party in an actual game can be given to enemies in a future game. I found this by poking all the RAM addresses I found in a previous search. Then when I tried to test them, some enemies had infinite HP & MP, also enemies that weren't in the fight o_O (buggy HP, MP counters appeared). So maybe it's impossible to distinguish enemy addresses from your party addresses.
    Anyway I will try your method right now.

    Thank you for your help.

    Whipon.
    Last edited by Whipon; 09-06-2007 at 12:54:55 PM.

  8. #8
    Join Date
    Oct 2006
    Location
    Avellaneda
    Posts
    733

    Post Good news!

    I put a BP on 3B3B6 (HP) and another one on 37DD8 (MP).
    These are the values of the A0 registers when these instructions are executed:

    A0 (Enemy)
    FF02B4
    FF031C
    FF0350
    FF0384
    FF03B8
    FF03EC
    FF0420
    FF0448
    FF0454*
    FF0488*
    FF04BC
    FF04F0

    A0 (Your Party)
    Buc
    FF02E8

    Slash
    FF0558

    Feather
    FF0454

    Alexi
    FF0488

    Obliki
    FF0384

    Mortimer
    FF058C

    Maybe there are more values for the enemies. And FF0454 & FF0488 are used sometimes for the enemy before you complete your party. But I tested the method given above 3 times. And the A0 registers for your party never change. When someone loses HP or MP the value in the A0 register is the same for both instructions. So we've found a static value to use in the hack ñ____ñ.
    Now I'm playing with the ROM trying to make good use of these addresses. If you figured already how to implement them, please let me know. I'm still learning 68k asm and most of my hacks are stolen instructions and subroutines from traces of the game. I need just a little example routine. Anyway I'm trying on my own.
    EDIT:
    I'm having problems replacing the SUB in 3B3B6 with a JSR:
    03B3B6: 9168 001C 2F2E FFF8 => 4EB9 000F D0E4 4E71
    0FD0E4:
    9168 001C 2F2E FFF8 4E75

    Using a 4E71 in 3B3BC freezes the game when you get hit. I tried 6000 and 6002 with the same results.

    I'm just testing how to replace it to start the hacking process. The problem is I need 3 slots for the JSR and there are 2 instructions with 2 slots each.
    03B3B6: 9168 001C sub.w D0, ($1c,A0)
    03B3BA: 2F2E FFF8 move.l (-$8,A6), -(A7)

    I'll keep investigating n.n.

    Thanks.

    Whipon.
    Last edited by Whipon; 09-06-2007 at 06:00:40 PM.

  9. #9
    Join Date
    Oct 2005
    Location
    Cymru
    Posts
    205

    Default

    Like I say I haven't looked at the game in depth at all..

    Regarding the problem with the JSR use 3 words for the JSR and put a NOP (4e71) in the other word. Don't forget before you do an RTS though you will need to replicate what you've removed....looking at the above code replicating "move.l (-$8,A6), -(A7)" may create some problems as it changes the stack so you may have to JMP rather than JSR and you will have to JMP back to 3B3BE (not RTS).
    Pugsy's MAME Cheat Page : http://mamecheat.co.uk
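
Added example (not part of the thread or any poster's code): a Python helper that builds the detour described in posts #2 and #9, overwriting the hook with JSR or JMP plus NOP padding, copying the displaced instructions into the code cave, and ending with RTS or a JMP back. The ROM buffer is a constructed stand-in holding only the bytes quoted in post #8, and `build_detour` / `apply_patches` are hypothetical names.

```python
import struct

JSR_L, JMP_L, NOP, RTS = 0x4EB9, 0x4EF9, 0x4E71, 0x4E75  # 68000 opcodes

def build_detour(rom, hook, displaced_len, cave, payload=b"", use_jmp=False):
    """Return [(address, bytes)] patches redirecting `hook` to a routine at `cave`.

    JSR mode: cave = payload + displaced code + RTS.
    JMP mode: cave = payload + displaced code + JMP back past the hook. Needed
    when the displaced code uses the stack, because a JSR leaves its return
    address on top of it.
    """
    if hook % 2 or cave % 2 or displaced_len % 2 or len(payload) % 2:
        raise ValueError("68000 instructions must be word-aligned")
    if displaced_len < 6:
        raise ValueError("JSR/JMP abs.l needs 6 bytes; displace whole instructions")
    displaced = bytes(rom[hook:hook + displaced_len])
    if use_jmp:
        tail = struct.pack(">HI", JMP_L, hook + displaced_len)
    else:
        tail = struct.pack(">H", RTS)
    routine = payload + displaced + tail
    if any(rom[cave:cave + len(routine)]) or cave + len(routine) > len(rom):
        raise ValueError("cave is not free (non-zero bytes or past end of ROM)")
    # Redirect, then NOP-fill the leftover bytes of the displaced instructions
    # (a JSR returns to hook+6, which must be an instruction boundary).
    stub = struct.pack(">HI", JMP_L if use_jmp else JSR_L, cave)
    stub += struct.pack(">H", NOP) * ((displaced_len - 6) // 2)
    return [(hook, stub), (cave, routine)]

def apply_patches(rom, patches):
    for addr, data in patches:
        rom[addr:addr + len(data)] = data
    return rom

def demo():
    # Constructed stand-in for the ROM: zero-filled, with only the two
    # instructions quoted in post #8 placed at 03B3B6.
    rom = bytearray(0x100000)
    rom[0x3B3B6:0x3B3BE] = bytes.fromhex("9168001C2F2EFFF8")
    return build_detour(rom, 0x3B3B6, 8, 0xFD0E4, use_jmp=True)

if __name__ == "__main__":
    for addr, data in demo():
        print(f"{addr:06X}: {data.hex(' ', 2).upper()}")
```

The helper copies the displaced bytes verbatim, so it only suits instructions that are position-independent; a PC-relative branch or `lea` in the displaced span would need to be re-encoded for the new address.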

  10. #10
    Join Date
    Oct 2006
    Location
    Avellaneda
    Posts
    733

    Smile Thanks ;)

    Thank you. I'll apply it right now.
