CT075 Posted March 9, 2012 (edited)

i swear im not a noob

The code is ASMC 0x079AF4

R0 - 0x02025848 No idea.
R1 - 0x08079AF5 The offset of the routine called by the event, probably.
R2 - 0x00000000 Unused
R3 - 0x02025898 ???
R4 - 0x02025848 ???
R5 - 0x08CB9E30 ???
R6 - 0x0202589E
R7 - 0x08B90E48
R8 - 0x08B90E4C
R9 - 0x00000000
R10 - 0x00000000
R11 - 0x03007D9C
R12 - 0x00000001
r13 (sp) - 0x03007D9C
r14 (lr) - 0x0800D38D
r15 (pc) - 0x08079AF4

I'd log the other two routines to see what they did, but I'm lazy. Go get it yourself if it's that important t'ya.

Main routine

08079AF4 B500     push {r14}          @ Obvious enough.
08079AF6 F00CF8C1 bl #0x8085C7C       @ See below
08079AFA 4807     ldr r0,=#0x202BBF8  @ Contains main game mode.
08079AFC 2102     mov r1,#0x2         @ R1 = 0x02
08079AFE 7EC0     ldrb r0,[r0,#0x1B]  @ Load current route: R0 = 0x03 (Hector mode)
08079B00 2802     cmp r0,#0x2         @ False (0x02 = Eliwood mode)
08079B02 D100     bne #0x8079B06      @ If the main lord is Eli, make R1 0x1 (char ID of Eliwood?)
08079B04 2101     mov r1,#0x1         @ R1 = 0x1
08079B06 1C08     mov r0,r1           @ Now R0 = 0x2 (If it's not Eliwood mode, it's obviously Hector mode!)
08079B08 F79EF914 bl #0x8017D34       @ Either this or the next branch command calls the promotion routine with
08079B0C 2100     mov r1,#0x0         @ R1 = 0
08079B0E F7B3F8BB bl #0x802CC88       @ the lord of choice as the first parameter.
08079B12 BC01     pop {r0}            @ - Return.
08079B14 4700     bx r0               @ /

Routine at 0x08085C7C

08085C7C B500     push {r14}          @ Guess
08085C7E 4811     ldr r0,=#0x8CC2C60  @ Offset of something?
08085C80 F77EFDF4 bl #0x800486C       @ wat
08085C84 4810     ldr r0,=#0x8CC2CE8  @ Again, with a different number?
08085C86 F77EFDF1 bl #0x800486C       @ Probably graphics.
08085C8A 4810     ldr r0,=#0x8CC2C00  @ no idea
08085C8C F77EFDEE bl #0x800486C       @ it goes to the same place
08085C90 480F     ldr r0,=#0x8CC2D38  @ ^
08085C92 F77EFDEB bl #0x800486C       @ ^
08085C96 480F     ldr r0,=#0x8CC2D98  @ ^
08085C98 F77EFDE8 bl #0x800486C       @ ^
08085C9C 4B0E     ldr r3,=#0x3002870  @ No clue what that is
08085C9E 1C19     mov r1,r3           @ whee
08085CA0 313C     add r1,#0x3C        @ R1 += 0x3C
08085CA2 203F     mov r0,#0x3F        @ R0 = 0x3F
08085CA4 780A     ldrb r2,[r1]        @ Load a value from there (on read: 0xFF)
08085CA6 4010     and r0,r2           @ On read: 0xFF & 0x3F = 0x3F (force into last 6 bits)
08085CA8 7008     strb r0,[r1]        @ ...Store 0x3F into memory?
08085CAA 3108     add r1,#0x8         @ R1 += 8 (R1 = 0x030028B4)
08085CAC 2200     mov r2,#0x0         @ R2 = 0
08085CAE 2010     mov r0,#0x10        @ R0 = 16
08085CB0 7008     strb r0,[r1]        @ Store 0x10 eight bytes after that...
08085CB2 1C18     mov r0,r3           @ Now R0 shares a value with R3?
08085CB4 3045     add r0,#0x45        @ R0 += 0x45 (= 0x03002B5)
08085CB6 7002     strb r2,[r0]        @ Store a zero there...?
08085CB8 3001     add r0,#0x1         @ R0 += 1
08085CBA 7002     strb r2,[r0]        @ Store a zero right after that?
08085CBC F7C4F9C0 bl #0x804A040       @ bleah
08085CC0 BC01     pop {r0}            @ Return
08085CC2 4700     bx r0

Judging from this, I'm assuming that all the routine does is check which mode it is, and call the regular promotion routine with Eliwood or Hector as the first parameter accordingly.

I should probably do some more testing, but it shouldn't be too hard to replicate.

Edited March 9, 2012 by Camtech

Jubby Posted March 9, 2012

Does this mean you might be able to create a hack to make it work for any character?

CT075 Posted March 9, 2012

That's why I'm looking into this~

Onmi Posted March 9, 2012

You're my favorite person ever! For now.

I sorta feel like Lex Luthor looking in the mirror when he inhabited Wally West's body in JLU (could I make a more nerdy sentence?) "I have no idea who this is"

I have no idea what this means.

Nintenlord Posted March 9, 2012 (edited)

> 08085C7E 4811     ldr r0,=#0x8CC2C60  @ Offset of something?
> 08085C80 F77EFDF4 bl #0x800486C       @ wat
> 08085C84 4810     ldr r0,=#0x8CC2CE8  @ Again, with a different number?
> 08085C86 F77EFDF1 bl #0x800486C       @ Probably graphics.
> 08085C8A 4810     ldr r0,=#0x8CC2C00  @ no idea
> 08085C8C F77EFDEE bl #0x800486C       @ it goes to the same place
> 08085C90 480F     ldr r0,=#0x8CC2D38  @ ^
> 08085C92 F77EFDEB bl #0x800486C       @ ^
> 08085C96 480F     ldr r0,=#0x8CC2D98  @ ^
> 08085C98 F77EFDE8 bl #0x800486C       @ ^

There's this cool tool used hex editor you can use in these cases. From the looks of it, it looks like some sort of "scripting language", similar to event codes in structure. 0x800486C is probably some sort of execution routine. Judging from the offset, this is something Nintendo or IS supplies as a library, meaning it's probably quite general.

> 08085C9C 4B0E     ldr r3,=#0x3002870  @ No clue what that is
> 08085C9E 1C19     mov r1,r3           @ whee
> 08085CA0 313C     add r1,#0x3C        @ R1 += 0x3C
> 08085CA2 203F     mov r0,#0x3F        @ R0 = 0x3F
> 08085CA4 780A     ldrb r2,[r1]        @ Load a value from there (on read: 0xFF)
> 08085CA6 4010     and r0,r2           @ On read: 0xFF & 0x3F = 0x3F (force into last 8 bits)
> 08085CA8 7008     strb r0,[r1]        @ ...Store 0x3F into memory?

Clears some bit flags in address 0x3002870 + 0x3C. Possibly related to previous use of "scripts".

> 08085CAA 3108     add r1,#0x8         @ R1 += 8 (R1 = 0x030028B4)
> 08085CAC 2200     mov r2,#0x0         @ R2 = 0
> 08085CAE 2010     mov r0,#0x10        @ R0 = 16
> 08085CB0 7008     strb r0,[r1]        @ Store 0x10 eight bytes after that...
> 08085CB2 1C18     mov r0,r3           @ Now R0 shares a value with R3?
> 08085CB4 3045     add r0,#0x45        @ R0 += 0x45 (= 0x03002B5)
> 08085CB6 7002     strb r2,[r0]        @ Store a zero there...?
> 08085CB8 3001     add r0,#0x1         @ R0 += 1
> 08085CBA 7002     strb r2,[r0]        @ Store a zero right after that?
> 08085CBC F7C4F9C0 bl #0x804A040       @ bleah

Either store values or set bits. In general, when studying what a certain memory region does, VBA with Memory Viewer and Automatic update is very beautiful. Add in the fact that you can edit the values to test them in VBA's memory viewer. That's how I discovered the meaning of many memory regions in FE7, including the Eliwood/Hector mode value the other routine uses.

Also, you want something hard? Try figuring out how to get rid of ghost-vampire-dwarf (I nicknamed him Vlad) in Dwarf Fortress after atom-smashing the body...

Edited March 9, 2012 by Nintenlord

Onmi Posted March 9, 2012

Seal him in a coffin and blast him with the piledriver? it worked for Django

CT075 Posted March 9, 2012 (edited)

NL, I know what BL does >_>

I didn't log it, but the function calls in the second routine basically do

R5 = 0x3F
for(;r5 > 0;r5--) {
    // some shit that i don't know
}

and those memory regions i'll look into later

Edited March 9, 2012 by Camtech

Jubby Posted March 9, 2012

Cam I <3 you so much right now

CT075 Posted March 11, 2012 (edited)

The memory thing is definitely graphics. Give me a few days and I'll make it work even better.

EDIT: In case you're wondering how to do it yourself -

Paste this anywhere that's halfword-aligned (aligned by 2) into your ROM:

00 B5 0C F0 C1 F8 07 48 02 21 08 1C 9E F7 14 F9 00 21 B3 F7 BB F8 01 BC 00 47

The bolded number is the unit to promote. Change it to whatever.

Call an ASMC to where the B5 is, not where you pasted it. So like, if I pasted it to D80000, I'd call D80001.

FUCK DAT

Edited March 11, 2012 by Camtech

Nintenlord Posted March 11, 2012

You'll need to take into account that BL instructions have limited range. The standard solution I use is:

yadda yadda...
ldr ri, =offsetYouWantToReallyGo + 1
bl jump
yadda yadda...
jump:
bx ri

where ri is any free register r0-r7.

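
Added example (not part of any post in this thread): a Python sketch that decodes the Thumb BL pairs in the bytes CT075 pasted. It shows that BL targets are PC-relative, so they move when instructions are cut or the bytes are relocated, and that the original targets are outside BL's roughly ±4 MiB reach from the paste location. It assumes file offset D80000 corresponds to ROM address 0x08D80000; the function names are illustrative.

```python
import struct

# Bytes pasted in the thread (main routine with the mode check cut out).
BLOB = bytes.fromhex("00 B5 0C F0 C1 F8 07 48 02 21 08 1C 9E F7 14 F9"
                     " 00 21 B3 F7 BB F8 01 BC 00 47")
ORIG_BASE = 0x08079AF4    # address of the routine in the listing
PASTE_BASE = 0x08D80000   # assumption: file offset D80000 in ROM space
# Targets of the three BLs in the original listing, in order.
INTENDED = [0x08085C7C, 0x08017D34, 0x0802CC88]

def bl_target(addr, hi, lo):
    """Target of the Thumb BL pair (hi, lo) located at addr."""
    off = ((hi & 0x7FF) << 12) | ((lo & 0x7FF) << 1)
    if off & 0x400000:                 # sign-extend the 23-bit offset
        off -= 0x800000
    return (addr + 4 + off) & 0xFFFFFFFF

def bl_encode(addr, target):
    """Halfword pair for a BL at addr reaching target, or None if too far."""
    off = target - (addr + 4)
    if off % 2 or not -0x400000 <= off <= 0x3FFFFE:
        return None
    off &= 0x7FFFFF
    return 0xF000 | (off >> 12), 0xF800 | ((off >> 1) & 0x7FF)

def find_bls(blob, base):
    """List (address, target) for every BL pair in blob loaded at base."""
    hw = struct.unpack("<%dH" % (len(blob) // 2), blob)
    found, i = [], 0
    while i < len(hw) - 1:
        if hw[i] >> 11 == 0x1E and hw[i + 1] >> 11 == 0x1F:
            addr = base + 2 * i
            found.append((addr, bl_target(addr, hw[i], hw[i + 1])))
            i += 2
        else:
            i += 1
    return found

def report(base):
    """Per BL: (address, actual target, intended target, BL can reach it)."""
    return [(a, t, want, bl_encode(a, want) is not None)
            for (a, t), want in zip(find_bls(BLOB, base), INTENDED)]

if __name__ == "__main__":
    for base in (ORIG_BASE, PASTE_BASE):
        for a, t, want, ok in report(base):
            print(f"BL @ {a:08X} -> {t:08X}, wanted {want:08X}, reachable: {ok}")
```

At the original base the first BL still hits 0x08085C7C, but the other two land 8 bytes short because four halfwords were cut ahead of them; at 0x08D80000 none of the intended targets is reachable by BL, which is the case the `ldr`/`bx` trampoline in the post above handles.
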
CT075 Posted March 11, 2012 (edited)

yeah, I guess. That explains why it wasn't working for me.

What I'm trying to do is just modify that one instruction so that one could pass parameters into the ASMC and promote the given character.

Edited March 11, 2012 by Camtech

Jubby Posted March 11, 2012

> EDIT: In case you're wondering how to do it yourself -
>
> Paste this anywhere that's halfword-aligned (aligned by 2) into your ROM:
>
> 00 B5 0C F0 C1 F8 07 48 02 21 08 1C 9E F7 14 F9 00 21 B3 F7 BB F8 01 BC 00 47
>
> The bolded number is the unit to promote. Change it to whatever.
>
> Call an ASMC to where the B5 is, not where you pasted it. So like, if I pasted it to D80000, I'd call D80001.
>
> FUCK DAT

So by the FUCK DAT did it not work?

Crimson Red Posted March 11, 2012

@Jubby He has the right idea, he just needs to change it so it's more.... accessible or efficient, hard to find a good word for this. Anyhow, it shouldn't be difficult. It looks like he possibly edited some values in the RAM and got the promotion to work that way, then thought it should work in general afterwards, only to find out it's not that simple. I can't be sure since I don't think he told us but in general hacking ASM routines "live" is not always the same as hacking them in the ROM. Thus the general code should work with a little tweaking. Copying/pasting what he edited in won't work though, which is why he said "FUCK DAT" and scratched it out (so no one tries it, pretty much).

That's my understanding of it, anyway, I'm only interpreting the information given in this topic because it seems slightly interesting.

CT075 Posted March 11, 2012 (edited)

Okay, here's what happened-

What I posted was the exact code executed by the game, with a few unnecessary codes cut out. When I actually pasted it, it didn't work. That's why I scratched it out. Also, some of the commands used don't work if you paste them in the wrong place, which is what I'm working on right now. I'm also trying to get it so that you don't need to insert a new routine for every character.

EDIT

Hacking routines "live" works only partially. What I did was change one opcode in a hex editor, and it worked. But when I tried pushing further (copy/pasting, cutting out codes, etc.) it broke.

Edited March 11, 2012 by Camtech

Jubby Posted March 11, 2012

Right, I got the new character part :P But the memory dump thing didn't work was what I was trying to get at and no it did not I see. Thanks guys X3

Crimson Red Posted March 11, 2012

Sounds good, good luck getting everything to work efficiently.