Assembly Hacking

From Wiki - GameHacking.org

Jump to:navigation, search

Assembly hacking is the art of editing a compiled program. Without the source code, and without notes from the source code, one has to deduce almost everything about the underlying code, and how it works with RAM.

Assembly hacking, or ASM hacking, is the process of modifying a game's code instead of its data. This requires reverse-engineering the relevant portion of the game.

There are several emulators that can aid one in creating a modification for a game. Games for console systems fall into the category of compiled programs, and generally, the source code is unavailable for these games.

The use of making an assembly hack for a game can be found with the Nintendo Entertainment System (NES) Game Genie.

The codes that are entered into an NES Game Genie represent single-byte assembly hacks. Any assembly hack that could be done with a change of 3 bytes or less is possible to implement with a single Game Genie. The SNES Game Genie allows up to 5 codes, and 5 bytes of change. While this makes the possible usage of codes very limiting, it didn't prevent single-byte invincibility and infinite lives codes from appearing that could make it unnecessary to use additional codes.

For more modern assembly hacking of the same systems, emulators that support 50 or more codes for any given game aren't uncommon. The ROMs have been turned into files that can be patched with all the changes needed to give the game a script in a new language. Emulators that aid in the process of making assembly hacks have appeared for many different emulated systems. The effect is that more people are now capable of starting their own projects, and existing projects can be modified and/or repaired more easily.

Contents

Emulators

NES

FCEU

FCEUX-main.png

FCEUX is the most up-to-date version of the FCEU* line of builds. It has taken several lines of FCEU offshoots and combined them into a single application. Even I(ugetab) have had the opportunity to contribute code, changes and fixes to it. If you were having trouble with any games while using FCEUXDSP, you can try FCEUX. If FCEUX has trouble with games, you can report the issue and, if someone gets interested in fixing it, you may end up seeing it repaired. It is currently compatible with FCEUXDSP's debugger files. If you want to use FCEUXDSP, see below.

FCEUXDSP is the result of an emulator first developed by Parasyte called FCEUD, which was then picked up by bbitmaster and renamed to FCEUXD, and finally adopted as FCEUXD SP.

Setting breakpoints in ROM/RAM

Tools>Debug

In the breakpoint window, 'Add' the Executable address or Memory address you want.
ROM is 8000-FFFF
RAM is 0000-07FF, 6000-7FFF
0800-3FFF is mirrored from some part of RAM.
4000-4015 can be breakpointed if working on an NSF. If you want to use this to deal with NSFs, FCEUX is currently the best option.

'Hex Editor' is a memory viewer/modifier.

SNES

Geiger's SNES9X Debugger

This emulator can be found at Geiger's Crypt.

Setting breakpoints in ROM/RAM

Open ROM, Click 'Breakpoints'
In the breakpoint window, enter the Executable address or Memory address you want.
Standard RAM: 7E0000 - 7FFFFF
SA1 RAM: 400000-407FFF, 303000-303FFF
HiROM - C00000 - FFFFFF
LoROM - 808000-BFFFFF (**0000 - **7FFF doesn't exist)

If you use the SA1 logger with an SA1-using game, and wish to find an address that changed an address in RAM, you can see if the conversion chart on the SA1 page shows you the address to search for in the log file.

FuSoYa's SNES9X SuperFX Instruction Logger

This emulator can be found here.

This emulator allows you to log SuperFX instructions being used by the emulator.

Press the NumLock button to start/stop logging.

Instructions will be logged to sfx_trace.txt, in the folder with the emulator.

Here's an example on how to interpret the results:
00:e834 40 ldw (r0) r0=$0058 SRAM=00:5AAE
00:e835 64 sub r4 r0=$0055 CY=1

First line Loads Word (SRAM=00:5AAE) to (r0). In Geiger's SNES9X Debugger, this is address 705AAE in the RAM viewer. In ZSNES, you can find this in a save-state at 0x4127F + 0x5AAE (= 0x46D2D). The result of this operation is on the same line.

Second line subtracts (r4) from (r0). This next result is on the same line as well. This can be coded out to give you Infinite Health in Doom, but it won't work as a Game Genie code. The file address would be either 6835 or 6A35. Only one address of those 2 will be 0x64.

Genesis

Regen Debugger Build

This emulator can be found here

Downloads :

Windows:

   Regen 0.972
   Regen 0.972 SSE2*
   Regen 0.972D++
  • P4 and up except AthlonXP

++Includes debuggers for hacking ROM's

Linux:

   Regen/GTK+ 0.95

Backup: Regen 0.95 Debugger

If you've used FCEUXDSP, Geiger's Snes9x, BGB, Nemu08, pSX, or pretty much any other active debugger, you'll realize that this is along the same lines of those debuggers. This is certainly what Genesis hackers have been waiting for when it comes to a user friendly debugger.

It runs Genesis, Game Gear, and SMS files, but only debugs Genesis at the moment. Use #Emukon if you want to hack Game Gear or SMS.

Gens Tracer

This emulator can be found here.

No breakpoints, but adequate tracing. A guide has been written on the specific usage of the emulator.

The idea is that you can trace-log writes to and reads from memory, and you can also log all commands, and determine what's happening from the full log, by using what you find from the hook logging.

HazeMD

This emulator can be found at this address.

Backup: HazeMD

This emulator is harder to get setup to use a ROM, but comes with a MAME-style debugger. MAME's debugger is well known for being so powerful, considering the number of systems it can be used with when compiled into a build of MAME. The Gens tracer tends to have slightly better compatibility, while the HazeMD emulator has more potential for cheat codes, already having a Cheat system designed to handle multiple CPUs, which could be used for 32x game ROM hacks, and RAM hacks.

Gameboy

BGB

This emulator can be found here

Load a ROM, and right-click the screen.
Other>debug mode enabled: to enable debugging
Other>debugger to enter the debugger

Setting breakpoints in ROM/RAM
In the debugger window:
Debug>breakpoints for execution breakpoints
Debug>access breakpoints for read/write breaks.

Visual Boy Advance Tracer

See #Visual_Boy_Advance_Tracer_2

PC Engine / Turbo-Grafx 16

PC-Engine/ Turbo GrafX-16 Cheat Pack By GameMasterZer0

Mednafen

This emulator can be found here

Esc = Exit Mednafen (Careful about it)

To use F12 to quit, and not the ESC key, edit this in mednafen.cfg:


";Exit"
"command.exit keyboard 293~keyboard 27"


To this:


";Exit"
"command.exit keyboard 293"


F5 = Save State
F7 = Load State
0-9 = Select Save Slot

F10 = Reset
F11 = Hard Reset (Power Switch style)

Alt + D = Toggle Debugger

In Debugger:
Alt+1 = CPU debugger view
Alt+3 = Memory editor
R = Run
S = Step
Return = Goto Address(If on code)/Edit(If on register) (Type new values after original, press enter. Quicker.)
Space = Set/Unset Execution Breakpoint
Shift + Return = Edit watch address
Shift + R = Edit Read Breakpoints
Shift + W = Edit write breakpoints
Shift + O = Opcode Breakpoints (Enter EA for "NOP", etc. Use 6502 ASM table mainly)

See included Debugger.html file for complete command list

Game Gear

Emukon

This emulator can be found here.

Backup: Emukon 1.05

This is basically a friendlier style of Logging Debugger the way I tend to use it, with Breakpoints to help figure out how code you find operates. I've used it to at least as much success as I've used the Hook_log debuggers, only this was more boring because I didn't have to fight with the emulator as much.

You can use a combination of Breakpoints and Log Files to debug games.

Breakpoints have their own management window, or you can right click lines in the debugger.

To use the log files effectively, you should focus on a single byte with a known effect, get to about where the setting you're looking for will change, go to the Debugger > Debugger menu, enable it if needed, then click the Clear Log button if you want a fresh start, and the Log button to start logging. Get the thing changed that you want, and then look under the DebugLogs folder for the game you're working on, and search the text logs for the address you want to check, whether it's the execution address by some chance or the memory address. Breakpoints and Logging work well together to discover the execution path to a piece of code.

It's not as exceedingly simple as some other debuggers, but it's quite useful, and it's my first choice for hacking Game Gear as well as SMS.

Master System

Emukon

See Game Gear section: #Emukon

Gameboy Advance

Visual Boy Advance Tracer

This emulator can be found here.

This emulator uses the Hook Log system. Those familiar with the hook_log Genesis or N64 emulators should have little trouble adapting to this system.

Note that it has also been used to good effect for a small number of gameboy games that BGB doesn't support. Ugetab used this for GBS ripping, but with full code logging, and a save-state near when something changes, you could just as effectively search for a memory address in trace.log. Mind that while GB assembly doesn't pile up as quickly as GBA or N64, and it is still necessary to be relatively close to the change before activating logging, if you don't want to have to use a special text editor to open an enormous log file.

Visual Boy Advance

This emulator can be found at this address.

Windows - SDL is required. Unfortunately, no cheat device exists that can change the assembly, so hacking it is more a matter of patching the ROM, and less a matter of using it for simple cheats. Not documented.

Playstation

PCSX 1.5 With Debugger

This emulator is available here.

Press F11 to enter the debugger. On-screen aids should be apparent.

PSX

This emulator can be found at this address.

This can be a decent debugging alternative if a game doesn't work well in the above emulator.

PCSX Agemo debugger

This emulator can be found here.

It could be favorable for some tasks, compared to the other debuggers.

N64

Nemu64

This emulator can be found here

Setting execution breakpoints
Plugins>Debugger: Commands...
To set a break on execution, go to the line that you want to break on, and click in the vertical bar to the left(<) of the address you want to breakpoint.

Setting breakpoints in RAM
Plugins>Debugger: Memory...
Enable the read and/or write check boxes, and right-click the memory space you want to set, unset, or change an access breakpoint on.

Some games don't run in Nemu, so you may have to switch to this hook_log based emulator if you want the codes. The 1964 tracer can be useful, which is available here.

The hook_log system is a little bit more demanding to use than a visual debugger, but with compatibility issues, it's better than lucky to have a second usable debugging emulator. The save-states can be decompressed, and loaded in their decompressed form if needed

An issue with this emulator is that not all instructions are logged, but it's still worth knowing about for the fact that many instructions are logged, and it can be used with write logging.

Project64 debug build binary

This emulator can be found here.

This version of the emulator has better support for games than Nemu64, and Ugetab used this tool in combination with nemu64 to edit USFs, as well as make a few codes that people using only a single emulation tool were having extremely hard struggles with.

Saturn

Yabause

This emulator can be found here.

This is one of the few Saturn emulators out there.

Wonder Swan

Cygne Tracer

This emulator can be found here.

A decent Tracing program.

Oswan Tracer

This emulator can be found here.

This is just another hook-log tracer.

Playstation 2

[The current author is too lazy to write this, but will get around to it later if no one else does]

External links

General

Small bits and concepts

The complete Gems list. The list is in several parts.
First you have the Intel and Motorola Gems, below any hardware specific Gems
(ie. graphic card, sound card, or computer specific like the Amiga).

Credits by Stork