Romhacking.net

Romhacking => ROM Hacking Discussion => Topic started by: ACmod on September 14, 2016, 01:00:47 am

Title: Armored Core Balance / Patch Mod?
Post by: ACmod on September 14, 2016, 01:00:47 am
So I'm a long-term fan of the Armored Core series and have been really entrenched/involved in the franchise for over a decade now. Often times we talk about ways to improve/balance the games. Because of the huge amount of customization in these games (they have tons of stats and parts to equip) they often have a lot of poorly balanced parts that are either not very useful or make certain mechanics easily abused.

Later PS3 era games had the ability to get publisher patches to fix these things, but the PS2 games don't have that. Ideally I would modify Armored Core Last Raven Portable or Armored Core Last Raven (for PS2). The PS2 version lacks multiplayer but has dual analog support, the PSP version has no dual analog support but has multiplayer.

What tools would I need to modify in-game values such as the stats of individual parts of a PSP or PS2 game?

The entire goal here is to create a more ground-based, weighty, high-consequence style of fighting and increase variety between weapons and tactics by affecting their existing in-game stats. I already have an fairly extensive list of precise stat changes to make, but I have no coding ability to implement this "patch" to the game.

I know a mod like this would be well received by the community and would definitely bring a lot of interest back to this franchise. The crux is that I want to take the stats/game design benefits that From Software learned from the PS3 games (including Dark Souls) and implement them into their PS2 games.

Unfortunately, this is not a PC game and I'm not sure if releasing it as a "PC mod" would be legal. The publishers (Agetec) however no longer release or support the game, so I'm not sure if it would be taken down  or not.
Title: Re: Armored Core Balance / Patch Mod?
Post by: BlackDog61 on September 14, 2016, 01:10:04 pm
About tools and methods (and the fact that this thread is more or less a duplicate of your other post http://www.romhacking.net/forum/index.php?topic=22701 - but I'd keep this one which is more phrased like a personal project):
- Please read the "getting started" section on this site. There's a lot you can learn there, even if it doesn't say "PS2" or "PSP", the techniques once files are available will be similar to even SNES era games. Every game is different and you will have to explore a lot to get there (unless there's an existingt community around this game, which is an uncommon thing).
- You're trying to do something which is a bit on the tough side. Typically, to rebalance a game, you need to find, understand and modify its internal data structures - assuming most of what you want to do is already in data (instead of code). There's a good chance you'll need to change code too (which means ASM and some mid-to-advance skills to be learnt). I'm saying this so you can prepare yourself for a significant learning in front of you, and therefore take enough time to learn, and poke around, and learn, etc.

Others will probably have more precise ideas when you define some good examples of what you'd like to change. (Are we talking attack values, capabilities, looks...?)
Title: Re: Armored Core Balance / Patch Mod?
Post by: ACmod on September 14, 2016, 02:13:20 pm
Basically, parts in game that you equip all have individual stats. I'd like to change the stats of individual parts so that they have different attack/ammo/defense values.I don't see this as being much more complex than, say, translating english text to Japanese text in-game. Many PSP games have issued fan patches that translate the text, however I can't find any information on the tools used to modify it.

So far all I can do is try to de-encode the AC.BIN file in UMDgen that seems to contain the game information, but it's a wall of unreadable text. If I decode the eboot.bin file using JIS-Shift I can get a few legible words out of it, so I assume that's the encoding they used. That doesn't work for the AC.Bin file, however. All the other game files are audio or video resources, so I assume AC.BIN is where the game data is.

I can also try to identify the values in Cheat Engine to create a CWCheat for it, but I can't identify individual part values/addresses and the ones I can identify (such as total defense, which is a character stat added up from multiple parts you equip) don't seem to change when I apply a cheat to them.

I wanted to avoid posting this as personal project since the rules for that board say you need some real progress, and so far all I've managed to do is learn a bit more but not make any actual changes to the game.

I've made some progress with discussing the various tools to use (here: https://www.reddit.com/r/vitahacks/comments/52qyth/tools_for_making_a_community_patch/ ) it seems like there's an unpassable wall between having a binary and being able to read it. If that's true, how do people release translation patches?

In this case it wouldn't be strictly text assets, but the "ammo" and "power" and "defense" etc. stats of each item/weapon in the game. All of those stats are displayed as text in the game, however. It seems like audio and video resources are stored in their own format separately (there are distinct folders for them filled with .at3 and .pmf files)

Opening the AC.bin file in hex view shows that almost every line is 2 values followed by lots of 00s. Here's the first few lines of the file:
01 00 00 00 00 00 00 00 89 00 00 00 1F 00 00 00
02 00 00 00 1F 00 00 00 05 00 00 00 02 00 00 00
03 00 00 00 21 00 00 00 05 00 00 00 02 00 00 00
04 00 00 00 23 00 00 00 02 00 00 00 01 00 00 00

a bit further down the file it turns into lines like this for the remainder of the file, before going to all 00s near the end.
69 A4 67 B8 DD 54 58 58 24 2C C0 CE A2 06 F0 BE
61 4B 43 C0 F5 15 ED 6A DB 73 73 59 C4 72 15 9C
9D 42 82 59 76 EF 3D D5 53 D3 5E 96 63 B7 79 32
DC AF 45 45 FA F1 CF 67 08 EA 17 FF 7A FE E9 2C

So my question is how do I determine how and what to edit to change the in-game values for those parts?

For example, one weapon has an attack power of 3050. 3050 is not used as a stat for any other part in the game, so converting to hex (BEA) and searching for that yeilds a lot of results that I can sift through but I have no idea how to tell which results correspond to that weapon or not.



EDIT:

I think what I'm basically looking for is a game decompiler/disassembler for PSP files, or some way to read/organize assembly code, right? I've found a few examples of such a thing online but they usually have broken links/downloads and are from 2007 or so, such as: http://forums.qj.net/psp-development-forum/116729-release-psp-easy-disassembler.html

Or, ideally, pre-compiled source code for the game.
Title: Re: Armored Core Balance / Patch Mod?
Post by: NoOneee on September 14, 2016, 03:41:38 pm
PPSSPP has a memory viewer and a debugger/disassembler you can try to use. There's also this, but I've never tried it: http://wololo.net/talk/viewtopic.php?f=5&t=31832
The EBOOT.BIN file is an encrypted ELF file, so you won't be able to do anything useful changing it before decryption. You can use the "Dump decrypted EBOOT.BIN" feature of PPSSPP to decrypt it, or use the Deceboot utility I've posted here on this site.
I've never even looked at this specific title, but if AC.bin is a huge file containing all the game data, it probably starts with a table containing the position and size of each "sub-file". The PSP processor is "little endian", so it is likely that the 3050 is stored as "EA 0B" instead of "0B EA", so maybe you should search for that. It is possible that the value is compressed or encrypted somehow, which can make your job much harder.
Title: Re: Armored Core Balance / Patch Mod?
Post by: ACmod on September 14, 2016, 03:54:08 pm
Thanks for the massively helpful post.

AC.bin seems to be the only file that isn't a media (.at3 or .pmf) within the ISO, other than the boot/eboot files, so yeah, I would assume most of the game data is found there.

I've tried running the PPSSPP disassembler but I'm not sure how to navigate it or get useful information out of it, though it seems quite useful if I can figure out how it works.

Could you explain more about the table you are referring to? Could that be the hex code that is formatted like such:


01 00 00 00 00 00 00 00 89 00 00 00 1F 00 00 00
02 00 00 00 1F 00 00 00 05 00 00 00 02 00 00 00
03 00 00 00 21 00 00 00 05 00 00 00 02 00 00 00
04 00 00 00 23 00 00 00 02 00 00 00 01 00 00 00

It starts off like that for many lines. If so, how do I read that table?

Lastly, Is there any benefit to decrypting to EBOOT.BIN ELF file that would help make the AC.bin file less obsfucating or help me find what values to change to modify the items in the game?
Title: Re: Armored Core Balance / Patch Mod?
Post by: NoOneee on September 14, 2016, 04:22:51 pm
I'm just guessing here based on the information given and I could be terribly wrong. There are many ways they could have done a file table...

4 bytes: File ID (little endian)
4 bytes: File position (little endian)
4 bytes: Unknown field (little endian)
4 bytes: File size (little endian)

So the first line represents:

File ID: 1 (00 00 00 01)
File position: 0 (00 00 00 00) (bytes? sectors?)
Unknown field: 137 (00 00 00 89)
File size: 31 (00 00 00 1F) (bytes? sectors?)

The second line:
File ID: 2 (00 00 00 02)
File position: 31 (00 00 00 1F) (bytes? sectors?) (this seems to be the [previous file position + file size])
Unknown field: 5 (00 00 00 05)
File size: 2 (00 00 00 02) (bytes? sectors?)

Edit: You could try to decrypt and decompile/disassamble the EBOOT file with the tools linked on the post above, because it is very likely that the code to read the AC.bin file is located there. I believe that if you follow the instructions it should generate decompiled C code. I think Archaemic did this to figure out how to fix the slowdown in the PSP version of Final Fantasy Tactics. It won't be easy to understand though. I'm also not familiar with the PPSSPP disassembler, so I can't really help you with that.
Title: Re: Armored Core Balance / Patch Mod?
Post by: ACmod on September 14, 2016, 04:32:08 pm
Ah, that's cool. So now the question is what file ID corresponds to what values in-game so I can use the table to search for the position of that file ID? If so, that's great, it gives me a starting point at least to navigate with, though I'm not sure how I would figure out which file IDs correspond to which in-game values.

I was really hoping that editing a part's stats was going to be as simple as making an "infinite ammo" cheat for the game.  ::)

There is also a PS2 version of the game, though I don't think the disassembly tools for the PS2 are any easier than the PSP.

I'll try to decrypt the eboot file next, I'll post my results then.



EDIT: After decrypting the eboot it seems to be similarly impossible to read, aside from a few characters of "ELF" at the top. Scrolling down reveals some legible text but I have to read through the whole file of symbols to get there, so it might take a while. I'm reading it in Hex or ASCII view, but I could try other decoding methods Like JIS-Shift.


Here's an example of the few spots of legible text in the file, everything else is a few words here and there other than this big section:

I{±.CÒ>HûnY-éÛöÃQg‘¦Ì°©t Îzf¹a”Þñinvalid distance too far back㄀㄀㄀invalid distance code㄀㄀㄀invalid literal/length code㄀㄀㄀㄀㄀1.2.7㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀IHDR㄀IDAT㄀IEND㄀PLTE㄀bKGD㄀cHRM㄀gAMA㄀hIST㄀iCCP㄀iTXt㄀oFFs㄀pCAL㄀sCAL㄀pHYs㄀sBIT㄀sPLT㄀sRGB㄀tEXt㄀tIME㄀tRNS㄀zTXt㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀ÿ㄀㄀㄀ÿ㄀㄀㄀.㄀㄀㄀Potential overflow in png_zalloc()㄀㄀r.㄀㄀+0000㄀㄀㄀nc.
㄀㄀㄀㄀1.2.7㄀㄀㄀er)
㄀㄀㄀㄀libpng error no. %s: %s
㄀㄀㄀㄀libpng error: %s, offset=%d
㄀㄀㄀㄀libpng error: %s
㄀㄀㄀libpng warning no. %s: %s
㄀㄀libpng warning: %s
㄀Out of Memory!㄀㄀Overflow in png_memcpy_check.㄀㄀㄀heck.㄀㄀㄀lue㄀74.83㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀ìQ¸µøÔ@㄀㄀㄀㄀㄀jø@㄀㄀㄀㄀㄀㄀à?Limiting gamma to 21474.83㄀㄀Setting gamma=0㄀o zero㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀Image width or height is zero in IHDR㄀㄀㄀image size exceeds user limits in IHDR㄀㄀Invalid image size in IHDR㄀㄀Width is too large for libpng to process pixels㄀Invalid bit depth in IHDR㄀㄀㄀Invalid color type in IHDR㄀㄀Invalid color type/bit depth combination in IHDR㄀㄀㄀㄀Unknown interlace method in IHDR㄀㄀㄀㄀Unknown compression method in IHDR㄀㄀MNG features are not allowed in a PNG datastream
㄀㄀㄀Unknown filter method in IHDR㄀㄀㄀Invalid filter method in IHDR㄀㄀㄀pose.㄀㄀㄀ts.㄀ams.㄀㄀㄀㄀k.㄀㄀ile.㄀㄀㄀㄀t㄀㄀㄀.㄀㄀㄀tes.㄀㄀㄀㄀hunk.㄀㄀㄀Call to NULL write function㄀Write Error㄀Attempted to set both read_data_fn and write_data_fn in㄀the same structure.  Resetting read_data_fn to NULL.㄀㄀㄀㄀MNG features are not allowed in a PNG datastream
㄀㄀㄀Valid palette required for paletted images
㄀Unable to write international text
㄀No IDATs written into file㄀㄀Application was compiled with png.h from libpng-%.20s㄀㄀㄀Application  is  running with png.c from libpng-%.20s㄀㄀㄀Incompatible libpng version in application and library㄀㄀㄀㄀㄀㄀mall.㄀㄀㄀small.㄀㄀piled.㄀㄀png_write_info was never called before png_write_row.㄀㄀㄀zlib error㄀㄀Unknown row filter for method 0㄀Can't add Up filter after starting㄀㄀Can't add Average filter after starting㄀Can't add Paeth filter after starting㄀㄀㄀Unknown custom filter method㄀㄀㄀㄀Unknown filter heuristic method㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀p@㄀㄀㄀㄀㄀㄀à?㄀㄀㄀㄀㄀㄀ð?㄀㄀㄀㄀㄀㄀ @㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀y PNG㄀㄀㄀㄀㄀㄀㄀äÍ(㄀hÎ(㄀¤Î(㄀ÔÎ(㄀Ï(㄀@Ï(㄀|Ï(㄀㄀㄀㄀㄀lÔ(㄀|Ô(㄀ŒÔ(㄀œÔ(㄀¬Ô(㄀PÔ(㄀PÔ(㄀PÔ(㄀Unknown compression type %d㄀zlib error㄀㄀Invalid bit depth for grayscale image㄀㄀㄀Invalid bit depth for RGB image㄀Invalid bit depth for paletted image㄀㄀㄀㄀Invalid bit depth for grayscale+alpha image㄀Invalid bit depth for RGBA image㄀㄀㄀㄀Invalid image color type specified㄀㄀Invalid compression type specified㄀㄀Invalid filter type specified㄀㄀㄀Invalid interlace type specified㄀㄀㄀㄀1.2.3㄀㄀㄀Invalid number of colors in palette㄀Ignoring request to write a PLTE chunk in grayscale PNG㄀Invalid zlib compression method or flags in IDAT㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀jø@㄀㄀㄀㄀㄀㄀à?㄀㄀㄀㄀㄀㄀àAInvalid sRGB rendering intent specified㄀Empty keyword in iCCP chunk㄀Unknown compression type in iCCP chunk㄀㄀Empty keyword in sPLT chunk㄀Invalid sBIT depth specified㄀㄀㄀㄀Invalid cHRM white point specified㄀㄀white_x=%f, white_y=%f
㄀Invalid cHRM red point specified㄀㄀㄀㄀Invalid cHRM green point specified㄀㄀Invalid cHRM blue point specified㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀š™™™™™é?㄀㄀㄀㄀㄀㄀ð?㄀㄀㄀㄀
㄀㄀㄀cified㄀㄀㄀㄀㄀㄀Invalid number of transparent colors specified㄀㄀Ignoring attempt to write tRNS chunk out-of-range for bit_depth㄀Ignoring attempt to write 16-bit tRNS chunk when bit_depth is 8㄀Can't write tRNS with an alpha channel㄀㄀Invalid background palette index㄀㄀㄀㄀Ignoring attempt to write 16-bit bKGD chunk when bit_depth is 8㄀Ignoring attempt to write bKGD chunk out-of-range for bit_depth㄀Invalid number of histogram entries specified㄀㄀㄀zero length keyword㄀Out of memory while procesing keyword㄀㄀㄀invalid keyword character 0x%02X㄀㄀㄀㄀trailing spaces removed from keyword㄀㄀㄀㄀leading spaces removed from keyword㄀extra interior spaces removed from keyword㄀㄀Zero length keyword㄀keyword length must be 1 - 79 characters㄀㄀㄀㄀Empty keyword in tEXt chunk㄀Empty keyword in zTXt chunk㄀Unrecognized unit type for oFFs chunk㄀㄀㄀Unrecognized equation type for pCAL chunk㄀㄀㄀%12.12e㄀Unrecognized unit type for pHYs chunk㄀㄀㄀Invalid time specified for tIME chunk㄀㄀㄀㄀㄀㄀㄀Dî(㄀”ï(㄀Œî(㄀Àî(㄀,ï(㄀”ï(㄀`ï(㄀㄀㄀㄀㄀lî(㄀lî(㄀tî(㄀lî(㄀tî(㄀tî(㄀tî(㄀lî(㄀tî(㄀tî(㄀tî(㄀tî(㄀tî(㄀tî(㄀tî(㄀lî(㄀\yr=`c`0…uw…‡‚b„wSuuIIDF㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀\yr=`c`0~{t‰sˆw22222IIDDSceWaveMainEvf㄀㄀SceWaveMain㄀\yr=`c`0~{t…s…222222IIDD\yr=`c`0~{ty‡2222222IIDDSceGuSignal㄀lly ㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀de)㄀㄀㄀㄀㄀¼g)㄀㄀㄀㄀㄀¼g)㄀㄀㄀ ㄀ ㄀¼g)㄀㄀㄀㄀㄀m)㄀㄀㄀ ㄀ ㄀m)㄀㄀㄀€㄀€㄀m)㄀㄀ ㄀€㄀㄀m)㄀ ㄀€㄀㄀m)㄀ ㄀㄀m)㄀1.2.3㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀㄀   ㄀㄀㄀   ㄀㄀㄀
㄀㄀㄀
Title: Re: Armored Core Balance / Patch Mod?
Post by: NoOneee on September 14, 2016, 04:49:54 pm
EDIT: After decrypting the eboot it seems to be similarly impossible to read, aside from a few characters of "ELF" at the top. Scrolling down reveals some legible text but I have to read through the whole file of symbols to get there, so it might take a while. I'm reading it in Hex or ASCII view, but I could try other decoding methods Like JIS-Shift.
That's expected, ELF is a binary executable file. What I meant is that if you follow this instructions here (http://wololo.net/talk/viewtopic.php?f=5&t=31832) after decrypting you should be able to get some assembly code and/or decompiled C code. Flame replied to your other thread and he probably has more experience than me on this: http://www.romhacking.net/forum/index.php/topic,22701.msg318016.html#new
Title: Re: Armored Core Balance / Patch Mod?
Post by: STARWIN on September 14, 2016, 04:51:38 pm
I don't know anything. Given that:

1. If this works like PS1 cd images, a good way to work is to modify files extracted from the game image and then insert them back with some tool.

2. I'd guess what you want to modify is either in the main executable (eboot bin?) or AC.bin. Ideally they are not encrypted or processed in some way, because you'd have to figure out the details of that to modify something within otherwise.

3. I would not bother figuring out how AC.bin is constructed internally in your case, unless there is processing involved so that you have to.

4. Many of the parts or whatever seem to have rather exotic values as stats. If they are there in the binary like this, you might be able to find them by searching and looking around. CR-WB91LGL for example has a price of 98800c (in PS2 faq at least) which would most likely be stored as a 4 byte value of "F0 81 01 00". The other stats may very well be nearby if you find the spot.

5. Something like PPSSPP is most valuable not because of the disassembly but because of debugging. Better search for somewhat unique values as in above first.

Basically the same advice for the PS2 version, except replace PPSSPP with PCSX2's debugger (not sure if it is available conveniently somewhere these days).
Title: Re: Armored Core Balance / Patch Mod?
Post by: ACmod on September 14, 2016, 05:07:16 pm
I'm having trouble with the second and third steps on the wololo link. Where do I input this?

prxtool -o yourasmfile.asm -n psp.xml yourmodule.prx

In the windows command prompt? What do I put in for the names of the .asm and .prx files?

I want to thank you guys again for your help. I'll also try searching for longer values like Starwin suggested, though I'm not sure if the prices are going to be located near other stats such as attack power or weight.
Title: Re: Armored Core Balance / Patch Mod?
Post by: NoOneee on September 14, 2016, 05:13:56 pm
I'm having trouble with the second and third steps on the wololo link. Where do I input this?

prxtool -o yourasmfile.asm -n psp.xml yourmodule.prx

In the windows command prompt? What do I put in for the names of the .asm and .prx files?

I want to thank you guys again for your help. I'll also try searching for longer values like Starwin suggested, though I'm not sure if the prices are going to be located near other stats such as attack power or weight.

I've never done this so I can't help you too much, but yourmodule.prx should be eboot.bin (the decrypted one). The "yourasmfile.asm" is the output filename for the disassembled code, you can use any name you want. Keep psp.xml, I'm guessing this file is already included with the tools.
Title: Re: Armored Core Balance / Patch Mod?
Post by: STARWIN on September 14, 2016, 05:29:41 pm
Regarding stats, they may be stored as 4, 2 or 1 byte values, and different stats can take different amounts of space. All the stats of the same type, like weapon price, have the same length. Larger values aren't necessarily longer, but they have less 00 bytes (that many wrong search results may have). Like 255 can be stored as "FF" or "FF 00" or "FF 00 00 00" (least valuable byte first). If you get way too many search results, you can even assume that the values in the FAQ are stored in a sequence (many possible orders and value lengths, try the FAQ or stat view order on screen ingame first). Just merging 2 stats makes the value much more unique for a search.
Title: Re: Armored Core Balance / Patch Mod?
Post by: NoOneee on September 14, 2016, 06:03:12 pm
I've actually tried to get C code using:
prxtool.exe -w -o test.asm -n psp.xml EBOOT_DEC.bin
and:
basic-decompiler.exe test.asm > test.c

And unless I'm doing something wrong, the results were pretty much unreadable. :P
You'd probably have more luck trying to use the PPSSPP debug tools.
Title: Re: Armored Core Balance / Patch Mod?
Post by: ACmod on September 14, 2016, 06:09:14 pm
Okay, I finally managed to get PRX tools to work and now I have a .asm file of the EBOOT.BIN to work with. I'm currently compiling the program from the wololo link (basic-decompiler) though visual studio 2013 is giving me an error: error c3861: 'snprintf' identifier not found.

The PRX tool command I used was prxtool.exe -o decompiledeboot.asm -n psp.xml npuh10024.bin

(npuh10024.bin is the name of the decrypted eboot)

How did you compile the basic-decompiler.exe?
Title: Re: Armored Core Balance / Patch Mod?
Post by: NoOneee on September 14, 2016, 06:24:10 pm
Okay, I finally managed to get PRX tools to work and now I have a .asm file of the EBOOT.BIN to work with. I'm currently compiling the program from the wololo link (basic-decompiler) though visual studio 2013 is giving me an error: error c3861: 'snprintf' identifier not found.

The PRX tool command I used was prxtool.exe -o decompiledeboot.asm -n psp.xml npuh10024.bin

(npuh10024.bin is the name of the decrypted eboot)

How did you compile the basic-decompiler.exe?
When you see those "Makefile" files, you probably need to compile with gcc/g++. I don't know how to compile it on Visual Studio. I'm on Windows right now, so I've used the mingw-w64 compiler to compile a 32 bit windows executable (https://sourceforge.net/projects/mingw-w64/?source=typ_redirect).
You'd normally just need to type "make" in the command line to compile, but that resulted in a .exe that complains about a missing DLL. I had to change the
LDFLAGS=
to
LDFLAGS=--static
In the Makefile to just bundle the required library in the executable file.

But you don't really need to do all this, the C code really is unreadable/seems wrong. I had to include the "-w" flag in prxtool because it doesn't seem to output complete disassembly without it. Maybe I'm missing something, or that post at wololo is wrong and prxtool don't really like ELF files.
Title: Re: Armored Core Balance / Patch Mod?
Post by: ACmod on September 14, 2016, 06:37:09 pm
So if the Eboot.bin file is useless, whats the process I need to go through in order to use the PPSSPP debugger to identify the values I need to change?

This reply: http://www.romhacking.net/forum/index.php/topic,22701.msg318016.html#msg318016 helps explain the disassembly view better, but it's not clear how that connects to:

Quote
4. Many of the parts or whatever seem to have rather exotic values as stats. If they are there in the binary like this, you might be able to find them by searching and looking around. CR-WB91LGL for example has a price of 98800c (in PS2 faq at least) which would most likely be stored as a 4 byte value of "F0 81 01 00". The other stats may very well be nearby if you find the spot.

^ Something like this where I can actually search for specific values.

Also, doing a search through AC.bin for "F0 81 01 00" yields no results.
Title: Re: Armored Core Balance / Patch Mod?
Post by: flame on September 14, 2016, 06:44:12 pm
For example, one weapon has an attack power of 3050. 3050 is not used as a stat for any other part in the game, so converting to hex (BEA) and searching for that yeilds a lot of results that I can sift through but I have no idea how to tell which results correspond to that weapon or not.
1) Finding what you want to change
2) Changing permanently what you want to change (patching) OR cheat making (changing temporarily, i.e., at runtime, what you want to change)

A lot of GOOD questions on here will fall into one of those categories. "How do I find where the thing I want to change is." This sometimes worded as "cannot find" and that's OK wording too I think. The other one is "how do I change the thing I want to change" but the problem is a lot of people haven't found where the thing they want to change is yet (those are poor requests I think).

I can't really tell you how to go about it because this is Romhacking. The basic idea is:
1) Try something that is likely to work
2) If it worked, stop. If not, go to step 1
And you can look at NightCrawler's romhacking manifesto too if you like. That is definitely worth a read in my book.

I recommend people start on PSP romhacking by cheat making, because it can help you understand how PSP memory and instructions work.
If there is money in the game, try making a money cheat and if there is player health, try making a player health cheat. Finally, if there is a player attack stat value that's displayed on the screen, that would be a good target for a cheat as well. Those will help people interested in the game and will help you learn romhacking, I think.

1) Download and install unchecky.
2) Download and install Cheat Engine. You can uninstall unchecky at this point if you like.
3) Do the Cheat Engine Tutorial. This is one of the VERY BEST TUTORIALS in all of romhacking. HIGHLY recommended. It is a pretty fun tutorial too. When you are done you will understand why Cheat Engine is a popular program and why people like making cheats. You probably only need to do tutorials 1 and 2 for this. Note: The last two tutorials, 7 and 8 I think, are pretty tough and probably (almost certainly) not needed for this level of hack that you're doing (even I cannot do them) so don't worry if you don't get it. Especially the last one. Wow that one is difficult. The timers for entry on the later tutorials are pretty tight too, I think they could be extended to like 10 seconds and still be the same challenge.
4) Follow this tutorial: Using PPSSPP and Cheat Engine to make cheat codes: http://forums.ppsspp.org/showthread.php?pid=94016
I used this one for other games and I can confirm it works.

Cheat Engine is great at memory searching. PPSSPP has a basic memory search function that works. Cheat Engine is a power user memory searching tool; you'll be able to find what you need much quicker using it.

To prove that you've learned, tell us the addresses for player health, player attack and player money that you found. At this point you'll be at main step (2) above: how do I change what I need to change. At this point we can go over making and publishing the cheats which is a quick activity and then move on to whatever else you need to do.

Can you enlighten as to whether the goal is "I want to rebalance the game" or "I want to cheat"?
Title: Re: Armored Core Balance / Patch Mod?
Post by: ACmod on September 14, 2016, 06:53:57 pm
The goal is to permanently change stats of parts (items) in the game in the form of a "balance fix" for the game. I would like to compile that into a new .ISO, or a cheat, or a patch file that can be applied to an existing .ISO so the game plays identically as "vanilla" but with altered item stats so that more items are useful in competitive play.

Basically, every stat of the player  character is the result of a combination of 10 or so parts. So "Player Health" is the combined health of 4 equipped items (Head, Arm, Core, Legs, each with their own "health" value). However, a good 50-75% of the head/core/legs/arms parts are not useful in the game because it is poorly balanced and a few parts are overwhelmingly dominant (such as having really high health but also really high speed)

I can probably make a cheat that makes player health always 9999. However that doesn't solve the problem that the individual parts are unbalanced.

I went through all the steps you suggested (already installed cheat engine, already did the tutorial, already tried to find values (and even found the values for current 'defense' by searching values while equipping/unequipping parts and tried to change it with a cheat, but no result) prior to joining this forum and found that after a day or so of searching the RAM through cheat engine for the addresses to create a cheat out of, none of them made an impact on the gameplay at all.

All the "working" cheats I can find are such things like "infinite ammo" or "infinite money" but do not actually change the stats of the items themselves. This is why I thought doing a rom hack and trying to change the game binaries (where I am sure stats for each item are stored) would work instead.

A good analogy would be a game where players could equip an weapon with "12 strength". I don't want to change the player's attack power/strength when attacking, I want to change the weapon's stats so it had "13 strength" instead.


I'm asking a "1" question: How do I find those values to  change? I definitely want to change them permanently if possible through a patch.
Title: Re: Armored Core Balance / Patch Mod?
Post by: flame on September 14, 2016, 07:03:13 pm
A good analogy would be a game where players could equip an weapon with "12 strength". I don't want to change the player's attack power/strength when attacking, I want to change the weapon's stats so it had "13 strength" instead.
I play a lot of RPG games and the player's attack stat, which is displayed in many games, is simply the character's STR stat plus the weapon's ATK. I don't know how this game works though. Is weapon attack value used unmodified, because the chassis doesn't factor in to how hard a missile hits, for example?

Anyway, in RPGs, this calculation:
character STR + weapon ATK
is being performed somewhere. Either when you change weapons, when you choose to look at the player attack stat, or upon entering combat. Somewhere is MUST be calculated, otherwise how does the game know. So if you know this address where the player attack value is, you can make a cheat of it, or you can set a memory write breakpoint on it and backtrace the code to see where it loads the weapon attack value to add to the character STR value...and then we end up having answered question (1) above: where is the thing I need to change. It is clear that you are still trying to answer this question.

You did find some values, right?
Well there's some kind of problem with PPSSPP and Cheat Engine, I talked about it at cheat engine forums without response.
1) Say the address where the defense value is (we can make cwCheat out of it to confirm if it's working)
2) In the Cheat Engine match list if you R-click and choose change value, it will change. The regular change value will not work, not sure the reason.
Title: Re: Armored Core Balance / Patch Mod?
Post by: STARWIN on September 14, 2016, 07:17:21 pm
What flame mentioned is the surefire way. The debugger and breakpoints part, that is. It can take a day or two to get comfortable with the debugger. There are many causal chains you can figure out, like the STR+ATK example that flame mentioned. Another one would be entering a screen where the weapon values are shown.. search for the values in RAM and see where they come from. The better you know the game the easier it is to come up with something.

However on the alternative path, searching the binary..

I hope you searched in hex mode and not in text mode. You should also search from the decrypted eboot bin (if i understand correctly that it is the main executable - the main exe can definitely contain arrays of weapon data and such). If you really find nothing after some tries, there is a risk that the binary files are processed somehow, which would be a pain because it basically maps the easy value at runtime to some binary mess in the game image.
Title: Re: Armored Core Balance / Patch Mod?
Post by: flame on September 14, 2016, 07:26:19 pm
For PSP games information like this is loaded from resource files. Those are in the USRDIR folder. However, sometimes they are in the game's executable, the EBOOT.
These resource files are TINY. All of the item information for Nayuta no Kiseki is in a 4kB file that's present in the game's memory throughout the entire runtime (it loads on boot from resource files). That's not a massive hit because PSP has 32MB of main memory (minimum) to work with and all the database files together are probably around 100kB.
I worked on Last Ranker. The compressed database files are always resident. The game decompresses them when you open the menu and clears them when the menu is closed.
Different games are different. You can see where that data is coming from and trace it back. Once you trace it back to the UMD, you can then look for those byte patterns and find the file in which that data is located.

Also in PPSSPP, you can uncheck "Run on Load" and then reset the game. If the data is present at this time in the memory, then you can be sure the data is coming from the EBOOT.
Title: Re: Armored Core Balance / Patch Mod?
Post by: ACmod on September 14, 2016, 07:39:38 pm
How the stats in the game work:

This video shows the garage (customization/build) interface: https://www.youtube.com/watch?v=xP0o6_-rRpI

here is another video that helps explain.  https://www.youtube.com/watch?v=xSp2ZcjxVa4

Side note: The "E/D/C/B/A/S" rankings are actual numbers, the letters are just an easier view mode that you can toggle back and forth from (and you see that in the first video). Almost every stat in-game is visible from the menu.

Text explanation of how they work:

Short explanation: There's no "base" character stats. Every stat is based on the combination of your parts equipped, so unlike an RPG there's no leveling up. You progress by unlocking new parts (one of the problems is that most of the parts you unlock are useless because the stats are not very well balanced).

Long explanation:

The "player" is comprised ENTIRELY of a set of parts, which affect every in-game stat. Such as:

Head
Core
Arms
Legs
Booster
FCS
Generator
Radiator
Inside Weapon
Extension Weapon
Back Left Weapon
Back Right Weapon
Arm Left Weapon
Arm Right Weapon
Optional parts (these are "special" items that seem to modify stats of the whole character)

Within each category all parts have unique stats. For example, every "head" part has the following stats:
Head
>AP (Health)
>Weight (affects your total weight and speed, as well as approaches the weight cap limit for your legs)
>Energy Drain (affects the rate that your energy bar recharges)
>Def Shell (adds to your Defense vs "shell" damage)
>Def Energy (adds to your Defense vs "energy" damage)
>Cooling (affects how fast your "heat" bar decreases. This is a moving rate, so if you are taking 1000 heat per frame and you have 1000 ?>cooling per frame, your heat bar will not move)
>Stability (affects stagger when taking damage or falling, based on how heavy of an attack you get. This leads me to believe there's a >"hidden" weapon stat for impact force/stagger since not every weapon staggers the same)
>etc. (there are 15 stats for each head part, these are just a few).

The heads vary only by the different stats they have and 3d model. So you can compare two head parts purely by the 15 stats that make them up. One might have more weight but less energy drain, etc.

Some of the stats (like AP, cooling, weight, etc.) is also found in other categories and contribute to your total AP (health). So head AP + core AP + arm AP + leg AP = TOTAL AP (which, in the expanded stats view, is on the right hand side of the garage where your "character" stats are)

Another example of how stats work is radars. Some Heads have radars (and heads without radars will have "0" or "None" for the stat). But there are also back radars. They BOTH share the same set of stats "like 'scanning interval") and influence the same radar during gameplay. I believe that when having both, it replaces the weaker one with the stronger one for each stat, or may treat it cumulativley (I can test in-game to find the exact formula/relation, but that gives you at least an idea of how two parts can share the same stat)

How weapons work:

So if a grenade launch does 3050 damage, then every shot does "3050" damage. The resulting loss of health when it hits someone is reduced by a % based on the defense of whatever it hits. So if they have 1250 defense it reduces the health loss from 3050 to 1525. The damage of one weapon is not influenced by anything else in the game. The only way that the damage from a weapon will change is by changing the defense of the target being hit, or the one exception below:

There are one or two parts you can equip that increase the damage of a weapon, but it doesn't actually change the weapon's stats. For example, when you equip an energy-based weapon (say 500 damage) and equip a special optional part, it boosts all energy based weapon damage by 7%. The energy-based weapon does NOT get a stats increase, however in-game when you fire it will do "535" damage before defense reduction. You can also see one character stat  ("total firepower, which is attack x ammo") will increase by 7% when you do this.



Does that explain things better? There are no base "character" stats. All the character stats are taken from the composition of the items equipped.


What's in the ISO:

The file system for the ISO looks like such:

Sysdir
>OPNSSMP.BIN (Size: 48)
>EBOOT.BIN (size: 4192640)
>BOOT.BIN (size: 4192292)
>Update
>>PARAM.SFO (size: 0)
>>EBOOT.BIN (size: 8388608)
>>DATA.BIN (size: 100663296)
USRDIR
>AC.BIN (size: 226551808)
>>bgm
>>>(contains many .at3 audio files, total size: 8192)
>>movie
>>> (contains many .pmf video files, plus a subfolder with more video files, total size: 2048)

Cheat engine on PPSSPP

Also cheat engine needs a few settings changed to work with PPSSPP and only works with v1.0.1 I believe. http://www.cheatengine.org/forum/viewtopic.php?p=5543519&sid=7688791ddfdfc0b147a6ce19109aa4c5

If you want to run the game in PPSSPP you also need a workaround cheat for CWcheats, here:

_G Armored Core: Last Raven Portable
_C1 Hang Workaround
_L 0xE0010003 0x002BB274
_L 0x202BB274 0x34070001
_C0 Hang Workaround [Disable]
_L 0x202BB274 0x28A70003
Title: Re: Armored Core Balance / Patch Mod?
Post by: STARWIN on September 14, 2016, 07:46:39 pm
One more thing. Search the ps2 game for these values too. If you do find the spots and they aren't compressed or whatever, you can mod the stats without touching a debugger at all. You can search over the whole ps2 image (sees all files and more, but some values won't be visible because of technical stuff) or extract data/exe files and search from them (most things visible but possibly many files, can avoid searching large audiovisual data to avoid false hits). I haven't extracted/inserted files from/to ps2 images but internet says that cdmage works for ps2 too, so here: http://www.lpthe.jussieu.fr/~talon/bin-cue/CDmage1-02-1B5.exe (edit: internet says that cdmage won't work for dvd images as well, so if that is true, some other tool needed)
Title: Re: Armored Core Balance / Patch Mod?
Post by: NoOneee on September 14, 2016, 07:51:01 pm
2) In the Cheat Engine match list if you R-click and choose change value, it will change. The regular change value will not work, not sure the reason.
Offtopic, but this may be because of the dynamic recompilation. The value is also probably somewhere else in the memory as a regular PC variable. You can try disabling the dynamic recompilation to see if it solves the issue. actually nvm, I read it wrong.
Title: Re: Armored Core Balance / Patch Mod?
Post by: ACmod on September 14, 2016, 08:00:51 pm
To clarify on my previous post, I want to edit those individual stats.


So, for example, every head has a "weight" stat. I want to go in and change the "weight" value (and other values) of most of the heads to balance them out so that more of them are useful in gameplay.
Title: Re: Armored Core Balance / Patch Mod?
Post by: flame on September 14, 2016, 08:12:30 pm
(http://datacrystal.romhacking.net/wikid/images/9/90/Armored_Core-_Last_Raven_Portable_Garage.jpeg)
Okay, so try searching for the head AP value 909 in Cheat Engine + PPSSPP. Results? If no results then this is gonna be really tough and I can't solve it. All of those numbers should be there in the memory. If there are a lot of results, change the head and search again for 909 to narrow it down. Finally, R-click on matches and change the value. You might need to swap heads before the value will change on-screen. If the value changes back to 909 immediately, then try setting a write breakpoint on that address to see what's happening.

Maybe a more detailed tutorial is needed but feel free to try this yourself.
I will give it a try as well.
Title: Re: Armored Core Balance / Patch Mod?
Post by: ACmod on September 14, 2016, 08:19:23 pm
Yeah, I've tried that already with a few parts to no avail.

I can search for total defense (1593 in that screenshot) and isolate a a few values. Each time I equip a new part (say, moving it to 1600) all these values move to 1600. However, every time I do this process the number of values I get that are changing varies dramatically (I've gotten only "2" that match and I've also gotten "12" that match).

On top of that, writing a cheat that changes all of those values to something else doesn't do anything when activated. This is what leads me to think that the part values aren't actually stored in RAM but character stats (on the left) are. This is problematic since a cheat would only change the "equipped" value not the value of the part (setting ammo to "50" will make the equipped weapon always have 50 ammo no matter what), most likely, but I haven't even gotten a cheat to work that far.

I will keep troubleshooting though, you guys have been extremely helpful, far more than any other community I have asked about this. At the very least, I've learned a lot.

EDIT: Trying that exactly with one head gives me about 20 results, I'll try to manually change them in real time. Before I was just finding the address and writing a cheat, then applying the heat.
Title: Re: Armored Core Balance / Patch Mod?
Post by: flame on September 14, 2016, 08:29:05 pm
It's time now to use your time travel powers.
1) Change heads to something else
2) Save state
3) Change to the "909" head (CR-XXXXXX)
4) Find the value 909 (the address where it is)
5) Set a write breakpoint on that address
6) Load state
7) Change to the "909" head
Voila!
It's possible this won't work either, but it is likely to.
That's the "basic pointer" tutorial from cheat engine tutorial. If it does work, you can backtrace to see where is the pointer stored that points to where this part's data is.

Going back to the basic "909" searching, look in the memory to see if you see some of the other values near there where the value is found, like 197 for example.
Title: Re: Armored Core Balance / Patch Mod?
Post by: ACmod on September 14, 2016, 09:07:14 pm
I'm having some trouble figuring out how the breakpoints work but I'm going back through the tutorial and trying to sort it out. I'll reply again when I can test it on the game itself.

edit: it doesn't help that apparently cheat engine 6.5.1's Points tutorial (step 6) seems to have wrong instructions. The page information doesn't match up to what other guides say to do also, so I'm a bit lost on what the proper procedure is or why each step needs to be completed. I'll try finding another set of articles to explain how to use it without working through the tutorial.

What exactly is a breakpoint or a pointer? I had no problem up through step 5 but step 6 can't be completed even when I follow a guide to complete the tutorial.
Title: Re: Armored Core Balance / Patch Mod?
Post by: flame on September 14, 2016, 10:31:20 pm
Breakpoint: https://en.wikipedia.org/wiki/Breakpoint
In practice, a breakpoint consists of one or more conditions that determine when a program's execution should be interrupted.
Execution breakpoint: Stop when the program counter gets to this address.
Memory breakpoint: Stop when the memory at this address is read or is written to.
Memory breakpoints can be set such that they trigger only on read or only on write.

At 0x090D4FA0 I found AP value for CR-H695 (this is a head). This was upon starting a new game (and repeatable). It might be different for loaded games with large parts inventories. You could try finding the others, they're probably around. If you look below this you see some other heads.

I set my breakpoint on this and found this gets written on initial load of the game. This looks like ZLIB or GZIP algorithm. Those are the same...sort of. Isn't GZIP a wrapper for ZLIB algorithm? So that's good news...I guess? The bad news is those values are stored in that big archive file most likely (and as expected). EDIT: I saw the "classic" ZLIB header 78 9C, so that's the compression ID for you.

(https://s11.postimg.org/wpnexugwz/Untitled.jpg) (https://postimg.org/image/u8bnqkx0f/)
So I have matched 0x890C4FA0.
Now to get cwCheat addr I do 0x890C4FA0 - 0x887F0000 = 0x8D4FA0
To get PSP virtual address you just add 0x8800000. 0x890C4FA0 - 0x887F0000 + 0x8800000 = 0x90D4FA0 unless my math is off
cwCheat addrs use a BASE of 0x8800000. For example, if you're constant writing address 0, that's actually PSP virtual address 0x8800000.

Now you go to PPSSPP debugger, click in the memory view, CTRL+G, paste in that address and inspect it to verify that indeed it's the entry for this head part.
Questions? I just did this by guess and check, several wrong guesses at first.

A response to my earlier question was posted over at cheat engine forums that I didn't notice until now: http://www.cheatengine.org/forum/viewtopic.php?t=594040&sid=6f3a4facc55fcfd88b627bdd30bee31c Due to this it will make guess and checking faster in the future.

Here is my cwCheat code for:
_C0 Starting head part CR-H695 MAX AP
_L 0x108D4FA0 0x0000FFFF

You really don't want to make huge numbers of cheat codes or even one cheat code with lots of lines, but it's a start at least.
Title: Re: Armored Core Balance / Patch Mod?
Post by: BlackDog61 on September 15, 2016, 12:58:07 pm
Also a side note that you'll want to search for values in hexadecimal, little endian. Not decimal. (Wikipedia is your friend to understand either of these words. ;) )
Title: Re: Armored Core Balance / Patch Mod?
Post by: flame on September 15, 2016, 01:45:29 pm
The game stores these values, that you want to change, in half-words. Cheat Engine calls this "2 bytes" it's the same thing. Just to show you how the pattern-matching algorithm works in my brain, those values can be greater than 255 and all of them are less than 65535, so half-word and word are the only possibilities.

Cheat Engine does not support big-endian searching. There is a feature request to add it so I guess it's up to the developer. Little-endian only for now. That's fine. R4000 runs in little-endian mode on PSP. You don't have to worrry about endianness much when working on PSP. About the only time is converting from numbers to hex manually.

I gotta get better at writing tutorials, huh. I'll try putting the PPSSPP + Cheat Engine tutorial on Data Crystal.
Title: Re: Armored Core Balance / Patch Mod?
Post by: ACmod on September 15, 2016, 02:48:12 pm
Breakpoint: https://en.wikipedia.org/wiki/Breakpoint
In practice, a breakpoint consists of one or more conditions that determine when a program's execution should be interrupted.
Execution breakpoint: Stop when the program counter gets to this address.
Memory breakpoint: Stop when the memory at this address is read or is written to.
Memory breakpoints can be set such that they trigger only on read or only on write.

At 0x090D4FA0 I found AP value for CR-H695 (this is a head). This was upon starting a new game (and repeatable). It might be different for loaded games with large parts inventories. You could try finding the others, they're probably around. If you look below this you see some other heads.

I set my breakpoint on this and found this gets written on initial load of the game. This looks like ZLIB or GZIP algorithm. Those are the same...sort of. Isn't GZIP a wrapper for ZLIB algorithm? So that's good news...I guess? The bad news is those values are stored in that big archive file most likely (and as expected). EDIT: I saw the "classic" ZLIB header 78 9C, so that's the compression ID for you.

(https://s11.postimg.org/wpnexugwz/Untitled.jpg) (https://postimg.org/image/u8bnqkx0f/)
So I have matched 0x890C4FA0.
Now to get cwCheat addr I do 0x890C4FA0 - 0x887F0000 = 0x8D4FA0
To get PSP virtual address you just add 0x8800000. 0x890C4FA0 - 0x887F0000 + 0x8800000 = 0x90D4FA0 unless my math is off
cwCheat addrs use a BASE of 0x8800000. For example, if you're constant writing address 0, that's actually PSP virtual address 0x8800000.

Now you go to PPSSPP debugger, click in the memory view, CTRL+G, paste in that address and inspect it to verify that indeed it's the entry for this head part.
Questions? I just did this by guess and check, several wrong guesses at first.

A response to my earlier question was posted over at cheat engine forums that I didn't notice until now: http://www.cheatengine.org/forum/viewtopic.php?t=594040&sid=6f3a4facc55fcfd88b627bdd30bee31c Due to this it will make guess and checking faster in the future.

Here is my cwCheat code for:
_C0 Starting head part CR-H695 MAX AP
_L 0x108D4FA0 0x0000FFFF

You really don't want to make huge numbers of cheat codes or even one cheat code with lots of lines, but it's a start at least.

This seems like a huge step in the right direction, I just need to catch up and figure out how to get there. The cheat works when loading up a new game, however:

Once you enter a mission (gameplay), the head's AP resets (total AP in the left hand corner is back to what it would be if the cheat was not actie) and upon exiting the mission the values in the garage are all reset back to their original values. Re-enabling the cheat in-game does not reset it.

Here's what I'm thinking:

So Step 1: Follow that procedure for the stat I need to change
Step 2: Find out how to make the change persist in gameplay (perhaps there is an AP stat for the part in the garage, and then another AP stat for "equipped part" when you enter a mission)
Step 3: Incorporate all the changes into a cheat
Step 4: (?) use the cheat's addresses to incorporate the changes into a hacked ROM
 
Is it possible to use the Cheat engine information to identify what values in the ISO binaries contribute to these states? For example, if the ISO has an entry for "CR-H69S" AP, is it possible to identify which lines of hex need to be changed using the cheat that modifies it? I know PPSSPP can load the entire ISO into system RAM so could the PPSSPP disassembly check to see which ISO values are being read for certain in-game values being displayed on screen?
Title: Re: Armored Core Balance / Patch Mod?
Post by: flame on September 15, 2016, 04:00:24 pm
Those values are in that huge (200MB?) archive file.
Also you are not going to find it in plain text - it is compressed.

I recommend offzip by Luigi Auriemma. What offzip is doing:
1) Look for ZLIB header
2) Try decompression
3) If it works (complete compressed stream with terminator), output file (otherwise no action)
4) Go to (1) and keep going until whole file is searched.

I think RHDN has offzip in the utilities section.

After that, search through the extracted files using wmxEdit. CTRL+SHIFT+F is the "find in files" function.
----------------------
Cheat Engine operates on memory. It can't help you find where in the file image the data you need to change is.
Title: Re: Armored Core Balance / Patch Mod?
Post by: ACmod on September 15, 2016, 05:41:17 pm
Yeah, AC.BIN is the 200mb file.

I'll return to those instructions once I'm confident in how to use Cheat Engine to identify where the addresses I need to change for each part is, and how to change the part values in gameplay (not just in the garage). But at least now I have a gameplan and learning to do, and it seems possible to accomplish.

September 16, 2016, 12:41:27 am - (Auto Merged - Double Posts are not allowed before 7 days.)
I'm trying to figure out how you identified 0x890C4FA0 as the address for the 809 AP head, now. Isolating the addresses (by equipping and unequipping the head and then doing 'next' scan) I get these four every time, none of which match that:

(http://i.imgur.com/blWMjO8.png)

I get those same 4 regardless of the save state of the game (both with new game and with all parts unlocked.) How would I narrow down those 4 more? And how did you narrow down to only 890C4FA0?

EDIT: Now I can't seem to replicate the 4 addresses showing up again. hm.
Title: Re: Armored Core Balance / Patch Mod?
Post by: flame on September 16, 2016, 07:25:30 am
It's pointers. The game is either moving data around, loading data (not too likely) or uncompressing data and then clearing the uncompressed version once it's not needed anymore.

I found the following chain
[09CB30D4] + 0x10 Get the value at that address and add 0x10
[] + 0x10 Get the value at the address from the previous step and add 0x10
[] + 0x508 Get the value at the address from the previous step and add 0x508
[] + 0x198 ...
[] + 0x20
This address is start of the entry for that first head. From here you can offset to find the specific value you need.
I am pretty sure the whole chain only works when you are in garage mode.

I need to translate this website: http://wikiwiki.jp/cwcheat/?CODE%A4%CE%B8%FA%B2%CC
Just this part: multi pointer(0.2.2REVA以降)
It says how to make a multi-pointer cheat that will work for something like this.
I know some Japanese but that one looks rather complicated.
If there is English documentation of it, that will work too, but there isn't.

I did a manual check of it and it worked even after completing a battle. The final address ended up being different than it was before the battle.

This is really complicated, I suggest you switch to looking at changing the ISO. This is actually the most complicated example I've ever seen thus far. Falcom games load "database" data on startup and then never move or unload it, so it's easy to make cheats. When you enter battle it sets a pointer to all of the battle data (otherwise it's zero) so it's easy to make cheats that affect battle as well - this is the "simple pointer codes" 0x6 at the above link.
-------------------------
OK, I kind of half got it at least.
I'm not really expecting you to be able to replicate this but give it a shot.

offzip tutorial
1) make your project folder, mine I called ACLR (name does not matter)
2) make a folder "dumped" under this folder
3) use UMDgen and extract AC.BIN into your project folder
4) copy offzip.exe to your project folder
This tool is free. Download link: http://aluigi.altervista.org/mytoolz.htm
5) Hold left shift and R-click in your project folder. Choose "Open command window here"
6) Type the following: "offzip -a AC.BIN dumped 0 > output.txt"

There are not less than 5,215 files in here. Not to worry though, go to your trusty plaintext searching tools. offzip is a compressed searcher.
We know the first head part is CR-H695 so try searching for that. But I guess first we need to know about how to use our text searching tool.
(https://s13.postimg.org/mrgqnbplf/Clipboard01.jpg) (https://postimg.org/image/mrgqnbplf/)
Umm...I guess ask if you have questions? We want to search all 5,215 files in the dumped folder for CR-H695.

I found hits in 3 files:
006cc000.bnd 09880800.bnd 0c780800.bnd

The content looks the same in all the files.
The 09880800 and 0C780800 files have three copies of this data, not sure why. All three copies look the same. We can just change them all when that time comes to make sure the changes take effect.

I wanted to run a quick test, so I picked the first file which just has one copy of the data. The original AP value for CR-H695 is 809, that's 0x329. I changed this to 0xFFFF 65535 using a hex editor. It just randomly happens to be the case that the AP value is at offset 0x100 within each entry.

I saved the new file using a different filename in the project folder, and copied the original file into the project folder. I then ran xdelta and made a patch out of this. You don't really need xdelta for this because it's just two bytes, but whatever.

We need to make a new AC.BIN with our modified file.
"006cc000.bnd" this file is named after the offset in which it appears in the AC.BIN file. Let's now look at output.txt that got created when offzip was run. Search for 6cc000 and you see this:
  0x006cc000  25553321 -> 69981040 / 0x01f2a9a9 _ 1156 8:7:28:0:1:bd91e339
  0x01faa800  80 -> 800 / 0x01faa850 _ 523863 8:7:28:0:1:88ae04ef

There's key info we need here: The 0x6cc000 number (where is the compressed data), the 25553321 number (how big is the compressed data) and the 1faa800 number (where is the next file).

That is now enough so we write the pseudocode:
1) Make temporary AC.orig file with original file contents
2) Decompress the "6cc000" file (need the 25553321 number for this step)
3) Apply patch
4) Make the new AC.BIN file.
4A) Copy the first 6cc000 bytes
4B) Compress and then write the patched file
4C) Write zeros up until 1faa800
4D) Copy the rest from AC.orig

Now write the real code corresponding to the pseudocode:
http://pastebin.com/5Hga0vWG
Here is my xdelta test patch:
http://www.filedropper.com/006cc000

Now you have an AC.BIN (modified version) for testing use.

I don't have python code yet that can do ISO replacement so use UMDgen to put the file in. UMDgen tutorial for replace files with alignment:
1) Open the UMD ISO in UMDgen
2) Export file list
3) Replace files using drag & drop
4) Import file list
5) Write uncompressed ISO (use a different filename than the original UMD ISO)

Test in PPSSPP and....
(https://s9.postimg.org/4d4ddqewr/NPUH10024_00000.jpg) (https://postimg.org/image/4d4ddqewr/)

Whoops, still didn't work. I forgot to disable my cheats.
Let me change the other values and report back.
Title: Re: Armored Core Balance / Patch Mod?
Post by: ACmod on September 16, 2016, 12:02:00 pm
How did you find "09CB30D4" to start the chain? And where did you get "0x10, 0x508, 0x198..." etc? Those seem to be arbitrary.

And lastly, do you mean that I should look into changing the ISO as the final product (after figuring out what to change via cheat engine), or that I should give up on cheat engine entirely?
Title: Re: Armored Core Balance / Patch Mod?
Post by: flame on September 16, 2016, 01:10:23 pm
You just go backwards a lot of times.
The end of the chain is 0x90D4FA0 (where the value is). So set a write breakpoint there, then backtrace to see where that value was gotten, just keep doing that until the address value doesn't change anymore.
You can end up with a long chain doing it many times. Eventually you get to one that doesn't move around.

Those are address offsets. So the computer has "records" in its memory, some people call them "struct" though this is a C language-specific term. If the computer needs field #2, it will get it by the following formula: RECORD_BASE_ADDR + offset_to_field_2
That's what those offsets are. It's how computers "know" where data in their memory is.
A lot of the higher-level records in the memory have pointers as the record fields so the computer can find each record in the memory.

Take for example the "head parts data" record
At 0x100 in the record is the AP value.
If the computer wants to know the AP value for the record, it doesn't need to know where the AP value it. All it really needs to know is where the head parts data record is. Because if you know the record address, you can add 0x100, read the halfword there, and now you have the head AP value. So this one would be [record address] + 0x100.
Those higher stages are records that have other records within their data (as opposed to values like AP).

Yeah, because the memory structure is not that simple and if you just mess with file data directly you won't need to worry about it.
It will make your balance testing a little more difficult.
-------------------------------------------------------------------
So there was one file I was missing, 093ae800, which also had parts data in it. And that solved it. I also did all of them so it works perfectly now.
Here's my new program:
http://pastebin.com/wAx3jpCE
Here's a set of four patches, one for each of the files we need to change:
http://www.filedropper.com/aclr

Check out my super-powerful AC! At least it has a lot of AP anyway.
(https://s22.postimg.org/w70eyp2fh/NPUH10024_00001.jpg) (https://postimg.org/image/w70eyp2fh/)
Title: Re: Armored Core Balance / Patch Mod?
Post by: ACmod on September 16, 2016, 04:24:52 pm
This looks massively helpful. I'll try to edit the ISO next then, according to all of this info.

One thing though, in your gameplay/mission image it lists your AP at 7313 (top right corner), which is below what the normal AP is (unmodified). Does it drop when you take damage? If you set the AP of your head to 65535 then total AP should read "9999" at least, and maybe not even drop until you take ~55000 damage first.

I believe AP in the stock game ranges from 6500 to 9800 from minimum to maximum possible, and "max AP" cheats always put the value at 9999. So head+core+arm+leg = (809+2296+1794+3514 = 8413). If you raised the AP of the head to, say, 1009 , then the total AP should rise to 8613. I'll see if I can get your patch running and try it out on my end though to confirm.

EDIT: Wait I figured it out. Head AP at 65535 means 73139 AP. So it must just only list the first 4 digits, which would be 7313.

EDIT2: Haha, I didn't even notice the extra digit at the end there. I'm so used to seeing only 4 numbers that my brain ignored the 5th. Awesome, though. Thanks.

September 17, 2016, 03:14:24 am - (Auto Merged - Double Posts are not allowed before 7 days.)
Okay, so I've got some more time for this. What did you use for the Find/replace in multiple files? I don't have a tool for that. Normal windows search doesn't yeild anything either. Offzip doesn't open to a GUI.
Title: Re: Armored Core Balance / Patch Mod?
Post by: flame on September 17, 2016, 10:45:41 am
wxMEdit
https://wxmedit.github.io/

Once in the program:
CTRL+SHIFT+F to open find in files dialog box
Title: Re: Armored Core Balance / Patch Mod?
Post by: ACmod on September 17, 2016, 09:59:45 pm
I'm finding a lot of results for "0329" in 006cc000.bnd, but none in the other 3 files you mentioned. How many of them did you change? All of them? Doing find and replace nets 354 instances in just that file alone.


After that, I'm following you well up until this step:
Quote
2) Decompress the "6cc000" file (need the 25553321 number for this step)
Decompress which file, using what? By "6cc000" I assume you mean "006cc000.bnd". In that  case, I don't understand why it needs to be further decompressed, wasn't it already decompressed in the dumped folder?

In either case, this is what I'm doing:

I made no changes to the python script, and I have the following in the same folder:

AC.BIN (unmodified original one)
AC.orig (copy of AC.BIN, unmodified)
006cc000.bnd (modified version)
aclr_test_patcher.py

I then run aclr_test_patcher.py and I get this error:

Code: [Select]
Traceback (most recent call last):
  File "C:\Users\user\Desktop\ACLR ISO Project\aclr_test_patcher.py", line 24, in <module>
    subprocess.run(['xdelta', '-d', '-s', tempfilename, '006cc000.xdelta', patched])
AttributeError: 'module' object has no attribute 'run'
Title: Re: Armored Core Balance / Patch Mod?
Post by: flame on September 18, 2016, 12:15:43 am
There's a lot of stuff in 6cc000. It's a 48MB file.
I suggest searching for CR-H69S, which is the name of the 1st head part. If you are not finding it, switch encoding to Windows 1252 and try again.
With me so far? OK, now go 0x100 forwards from there and there is the AP value.

When you use Cheat Engine you just need to worry about the value that you're searching for. Cheat Engine coverts that value into the appropriate type of number depending on the search type you have selected, then searches for that value.

When you use a hex editor though, that all goes out the window. 0x329, yes, but little endian means LSB (least significant byte) first so the value you need is 29 03. When you use Cheat Engine, Cheat Engine is doing that conversion and you don't need to worry about it. When programming you might not have to worry about it either depending on the situation. You also need to worry about whether your value is byte, halfword or word. For example, 809 in halfword is 29 03 but in word it's 00 00 29 03.

It looks like 6cc000 has descriptions in Japanese so I guess you won't need to worry about it.
Title: Re: Armored Core Balance / Patch Mod?
Post by: ACmod on September 18, 2016, 12:38:08 am
EDIT: Success!

I was having trouble getting it to show up in the garage (but not gameplay) and figured out that you had modified a line in the JP dat file, I patched using your files, did a binary comparison, and then figured out I needed to search for the same context around 2903 in the JP dat file and found what you changed.

I'll try to edit some more values and I'll update or PM with questions, but I'm assuming that all part stats are stored in those same "blocks" of data following the name of each part, so if I have trouble messing with a stat, I can probably trial-and-error my way through it. I did some more searches and figured out how to edit part descriptions now, also, so that should help in case I change the stat in a way that makes the description inaccurate.