
Author Topic: [PSX - Tekken 3 MOD] Anyone with hex editing experience?  (Read 1053 times)

Vins98

[PSX - Tekken 3 MOD] Anyone with hex editing experience?
« on: February 08, 2018, 10:07:40 am »
Hi guys, I was doing some random reverse-engineering on Tekken 3 for the PSX. I found out what the addresses of movesets and select screen names are, and how to edit/swap them. For example, I can make Jin kick the opponent before the battle starts, or I can give him Ogre's moveset without using cheats.
Everything okay so far, but I need some help to understand the structure of the records. I post some photos of what I actually got so far. (There are many explanations on the images, so please open both to get a clear idea).
Screenshot 1: http://i65.tinypic.com/2hnv2bq.png
Screenshot 2: http://oi66.tinypic.com/10nvqz4.jpg
Now what I'm asking you is just a little help to understand better the structure of the records and maybe how to find/edit the names in the actual battle.
Thank you so much, and I'm glad to share my work with such a great community.
« Last Edit: February 08, 2018, 11:51:32 am by Vins98 »

Valendian

Re: [PSX - Tekken 3 MOD] Anyone with hex editing experience?
« Reply #1 on: February 15, 2018, 03:38:18 pm »
Nice choice to take on Tekken 3. Shows good taste. I did notice that those data structures have a variable length string of text. This usually means that the name is the last thing in the structure. You already noticed those names are zero filled to a four byte alignment. Nulls like these are used to mark the end of text. Now you have a note that indicates that the structure begins four bytes later. I would question that.
Not sure if it helps, but have you tried to count up all the names and search for that number? You will likely find a descriptor in the header.

Keep fuzzing those bytes

weissvulf

Re: [PSX - Tekken 3 MOD] Anyone with hex editing experience?
« Reply #2 on: February 15, 2018, 05:22:33 pm »
Nice stuff! Here's what little I know:
PS1 data is almost always aligned to 32bit chunks. Because of that, if you use HxD hex editor, and set the view to 'byte group size=4', you'll be able to spot patterns easier.

Like Valendian said, the 00s after the names are 'end-text' markers, filled to the next 32bit boundary. You can usually write over these 00s with more text, as long as you leave at least one 00 at the end. Other than the names and their fill, there are three 4byte chunks left. Keep in mind, the PS1 is little endian, meaning byte order is reversed.

If the variable length names are at the end of the structure (like Valendian says), the entries would look like this:

F4210280 044A 0404 0404 020B.....594F5348 494D4954 53550000..YOSHIMITSU
0C220280 051E 0505 0505 090C.....4E494E41 00000000...............NINA
20220280 0647 0606 0606 040D.....48574F41 52414E47 00000000..HWOARANG

The PS1 memory addresses usually end in 0x80 (aka have the highest bit set), so the first 4 bytes are a RAM address. The converter tool HERE should help you locate where these addresses are pointing to. EDIT: I checked, and they are pointers to the character names. That verifies that the names are listed at the END of each structure.

That leaves 8 bytes. They are likely NOT full memory addresses, but maybe 'relative' addresses to look up combat moves in a table. They are probably 1 or 2 bytes long (not 4) but I have seen such tables use 1bit tags. There's an obvious pattern counting up by 1 for each new character (04 > 05 > 06 etc)- perhaps progressing through a table list of moves. I would try to edit them, 1byte or 2bytes at a time and see what changes.
« Last Edit: February 15, 2018, 07:29:26 pm by weissvulf »
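
The record layout discussed in the reply above, as an added example that is not part of the original posts: it parses the three sample rows (4-byte little-endian pointer, 8 unknown bytes, zero-padded name) and checks whether each pointer lands on its own record's name. It assumes the three rows sit back to back in memory; the function names are made up for this sketch.

```python
import struct

# Constructed input: the three rows quoted in the post, with the filler
# dots and the ASCII column removed, assumed to be contiguous in memory.
SAMPLE = bytes.fromhex(
    "F4210280 044A0404 0404020B 594F5348 494D4954 53550000"
    "0C220280 051E0505 0505090C 4E494E41 00000000"
    "20220280 06470606 0606040D 48574F41 52414E47 00000000"
)
HEADER = struct.Struct("<I8s")            # LE pointer + 8 unknown bytes
RAM_LO, RAM_HI = 0x80000000, 0x801FFFFF   # cached 2 MB main RAM


def parse_records(blob):
    """Return (offset, pointer, unknown8, name, size) for each record."""
    records, pos = [], 0
    while pos + HEADER.size <= len(blob):
        ptr, unknown = HEADER.unpack_from(blob, pos)
        start = pos + HEADER.size
        end = blob.find(b"\x00", start)
        if end < 0:
            raise ValueError(f"unterminated name at offset {pos:#x}")
        name = blob[start:end].decode("ascii")
        # Name plus at least one 00, padded up to the next 4-byte boundary.
        size = HEADER.size + ((end - start + 1 + 3) & ~3)
        records.append((pos, ptr, unknown, name, size))
        pos += size
    return records


def check_pointers(records):
    """True if every pointer is a RAM address that targets its own name."""
    # The first record fixes the RAM base; the later ones are the real test.
    base = records[0][1] - HEADER.size
    for pos, ptr, _unknown, _name, _size in records:
        if not RAM_LO <= ptr <= RAM_HI:
            return False
        if ptr != base + pos + HEADER.size:
            return False
    return True


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for pos, ptr, unknown, name, size in recs:
        print(f"+{pos:02X} ptr={ptr:08X} unk={unknown.hex()} {name} ({size} bytes)")
    print("pointers self-consistent:", check_pointers(recs))
```

The gap between consecutive pointers equals the size of the record in between (24 and 20 bytes here), which is what ties each pointer to the name that follows it.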

Valendian

Re: [PSX - Tekken 3 MOD] Anyone with hex editing experience?
« Reply #3 on: February 15, 2018, 09:03:25 pm »
Quote
The PS1 memory addresses usually end in 0x80

Just to expand this a little:
pointers which refer to cached memory are in the 2 MB range:
    0x80000000 (00 00 00 80) - 0x801FFFFF (FF FF 1F 80)
Tune your eye to see 80 in the third column of a 4 byte word, it's an important signature for a pointer.

The MIPS CPU strictly enforces alignment of data. The instruction set requires that 4 byte words lie on a 4 byte boundary, likewise for halfs (2 bytes). However small data like a byte may just happen to be 4 byte aligned. You can use a debugger to verify the size of data once you know where it lives in RAM. Place a Break-Point on read/write. You will see one of the following assembly instructions:
  4 byte word ... LW/SW (load/store)
  2 byte half ... LH/LHU/SH
  1 byte ... LB/SB
(Just be mindful that memory transfers will use word copies for byte arrays).

If you are using a debugger then the bytes are right there ready to be fuzzed, you can save/reload state and the turn around time is instant. You can lean on the hex editor for searching the save state. There is a fixed difference between the save state offset and RAM address, for pSX at least (doesn't compress the save states).

Vins98

Re: [PSX - Tekken 3 MOD] Anyone with hex editing experience?
« Reply #4 on: February 27, 2018, 06:22:57 am »
Well guys, first of all thank you for your precious help.
I found out something using No$PSX (it's the debugger I like the most).
When a character is being loaded the CPU reads an address (I'd like to understand WHERE it comes from) which points to the TEKKEN.BNS file. When it comes to Hex-editing that file tho, there are just a couple of strings, probably from the credits or copyright stuff.
Then I got that the specific address loaded was an offset. I went to that offset on the TEKKEN.BNS file and I found out that it was a typical TIM graphics header.
I tried using TIMView and found all the textures of the game (that was previously known, as there are tons of texture mods for Tekken 3). The big problem is that yes, I found the character names, but they are fixed length (for example 31x74) and if you try to fit a larger size, you'll obv mess up all the offsets that the game loads.
So actually I got the structure, I got where the files are and an editor, but theoretically if I don't find where the offsets are stored we could never edit the game properly.

Valendian

Re: [PSX - Tekken 3 MOD] Anyone with hex editing experience?
« Reply #5 on: February 28, 2018, 04:56:46 am »
Following pointers is a difficult task. It requires a lot of detective work. I find that you can use the stack as a cookie trail. If the pointers are read in one place then used in another, then there is likely to be a function call where the pointer is passed as an argument. Break on memory read/write to the data and save state. Then search the save state for the pointer. You are hoping to see a few occurrences near each other. This area is the stack (and is typically found at top of memory 801Fxxxx).
The stack grows down so the occurrence with the highest address is the place where the pointer was read. Break on write to that address and you are within the function that reads the pointer. Locate the start of this function and step through it until the pointer is read. It's a lot of work following pointers but it pays off.
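
The save-state search described in the reply above, as an added example that is not part of the original posts: it finds every aligned little-endian copy of a pointer in a RAM image and isolates the top-most group in the stack area. The RAM image is constructed for the demo, and `state_offset`, `stack_floor` and `max_gap` are assumed parameters to adjust for the emulator and game at hand.

```python
import struct

RAM_BASE, RAM_SIZE = 0x80000000, 0x200000   # cached 2 MB main RAM


def find_pointer(state, ptr, state_offset=0):
    """RAM addresses of every 4-byte-aligned little-endian copy of ptr.

    state_offset is where RAM begins inside the save-state file: 0 for a
    raw dump, emulator-specific otherwise (an assumption to fill in).
    """
    needle = struct.pack("<I", ptr)
    hits = []
    pos = state.find(needle, state_offset)
    while pos >= 0:
        rel = pos - state_offset
        if rel % 4 == 0 and rel < RAM_SIZE:
            hits.append(RAM_BASE + rel)
        pos = state.find(needle, pos + 1)
    return hits


def stack_cluster(hits, stack_floor=0x801F0000, max_gap=0x100):
    """Hits in the stack area, trimmed to the top-most run of neighbours."""
    stack = sorted(h for h in hits if h >= stack_floor)
    run = stack[-1:]
    for addr in reversed(stack[:-1]):
        if run[0] - addr > max_gap:
            break
        run.insert(0, addr)
    return run


def build_sample_ram(ptr):
    """Constructed RAM image: one copy in data, three on the stack."""
    ram = bytearray(RAM_SIZE)
    for addr in (0x80090010, 0x801FFD40, 0x801FFD68, 0x801FFDA0):
        struct.pack_into("<I", ram, addr - RAM_BASE, ptr)
    # Unaligned byte coincidence; the alignment test must skip it.
    struct.pack_into("<I", ram, 0x80100001 - RAM_BASE, ptr)
    return bytes(ram)


if __name__ == "__main__":
    target = 0x800221F4                      # pointer value from the thread
    hits = find_pointer(build_sample_ram(target), target)
    cluster = stack_cluster(hits)
    print("all hits:     ", [f"{h:08X}" for h in hits])
    print("stack cluster:", [f"{h:08X}" for h in cluster])
    print("next write breakpoint candidate:", f"{cluster[-1]:08X}")
```

The last address in the cluster is the highest one, which is the occurrence the reply suggests putting the write breakpoint on.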

STARWIN

Re: [PSX - Tekken 3 MOD] Anyone with hex editing experience?
« Reply #6 on: February 28, 2018, 09:36:31 am »
ho-hum, if the cpu loads an address you already know what you want to follow backwards. this isn't usually a difficult task if i got the situation right..

if what determines it is in a register, you check the earlier executed asm until you see where it gets that value.

if it is hardcoded (instructions that generate the value, or values loaded from cd rom), then you found the spot.

otherwise it uses other values to create this value (like for example taking n:th value in a table, which combines the address of the table base and n). you can document the knowledge read to a text file and keep going backwards.

if it uses a temp value from ram (not something read from the cd rom) you can usually trace it backwards by having a save state slightly before this exact point in the game, set a write breakpoint on the desired location, load the earlier savestate and run. this works well unless it reuses the same spot many times earlier (if just a few times, run it until you see the familiar value), which often happens with stack locations and sometimes elsewhere (if the earlier savestate is too far away).

if it uses a value that is given as a parameter to the function you are reading (either via register or stack), you can often step out and check what was immediately sent that way before it was called. stepping out once or twice and making a breakpoint before the current call is also one way to get the earlier savestate.

edit: if you need to search the savestate for some reason, you can set them to "raw" format in no$psx file options.
« Last Edit: February 28, 2018, 09:59:14 am by STARWIN »

weissvulf

Re: [PSX - Tekken 3 MOD] Anyone with hex editing experience?
« Reply #7 on: February 28, 2018, 07:04:16 pm »
Quote
The big problem is that yes, I found the character names, but they are fixed length (for example 31x74) and if you try to fit a larger size, you'll obv mess up all the offsets that the game loads.
You're talking about the text-graphics which hold the names that you mentioned earlier, right?

Answering your question depends on how the name-graphics are stored so I dug into it a little. On my copy, the names aren't standard TIMs so they don't show up in a TIMviewer scan. They are 16 tall by varying length. The header is non-standard and missing some info such as the palette, but I think I recognize the 'image header' block which contains 'image data+header size', 'VRAM load coordinates' and 'width/height'. For example, the name PAUL (16x32) in TEKKEN3.BNS at 0x86CE4C has 0C010000 50000000 08001000.
0C010000 = 0x100 image data size + 0xC image header size
5000 0000 = image load coordinates
0800 = width, in 4BPP TIMs multiply this by 4 to get pixels-per-row = 8x4 = 32 pixels
1000 = height 16 pixels

None of that information is likely to be of much help. There is room in VRAM for longer name-images, but if the game is using a custom loader, there's no telling how it handles the data. It's not just a matter of making room for more image data, you also have to see that the data is loaded and displayed properly.
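
The 12-byte image header block described in the reply above, as an added example that is not part of the original posts: it decodes the bytes quoted for PAUL and scans a buffer for other offsets whose size, width and height agree with each other. It assumes 4BPP as in the post, splits the load coordinates into 16-bit x and y as the standard TIM image block does, and uses made-up function names.

```python
import struct

# size, VRAM x, VRAM y, width in 16-bit units, height (all little-endian)
IMG_HDR = struct.Struct("<IHHHH")
VRAM_W, VRAM_H = 1024, 512   # PS1 VRAM: 1024 16-bit units by 512 lines


def parse_image_header(buf, off=0, bpp=4):
    """Decode one image header block; bpp=4 is an assumption."""
    size, x, y, w, h = IMG_HDR.unpack_from(buf, off)
    consistent = (
        w > 0 and h > 0
        and size == IMG_HDR.size + w * 2 * h     # header + pixel data
        and x + w <= VRAM_W and y + h <= VRAM_H  # fits inside VRAM
    )
    return {
        "block_size": size,
        "data_size": size - IMG_HDR.size,
        "vram_xy": (x, y),
        "width_px": w * 16 // bpp,
        "height_px": h,
        "consistent": consistent,
    }


def scan_for_headers(blob, bpp=4):
    """4-byte-aligned offsets whose 12 bytes pass the consistency test."""
    hits = []
    for off in range(0, len(blob) - IMG_HDR.size + 1, 4):
        if parse_image_header(blob, off, bpp)["consistent"]:
            hits.append(off)
    return hits


# The 12 header bytes quoted in the post for the PAUL name image.
PAUL_HDR = bytes.fromhex("0C010000 50000000 08001000")
# Constructed buffer: 8 filler bytes, the header, 0x100 bytes of fake pixels.
BLOB = b"\xff" * 8 + PAUL_HDR + b"\x11" * 0x100

if __name__ == "__main__":
    info = parse_image_header(PAUL_HDR)
    print(info)
    print("candidate headers at:", [hex(o) for o in scan_for_headers(BLOB)])
```

A hit only means the 12 bytes are internally consistent; it says nothing about how the game's loader picks the palette or where it stores the offset to the block.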

Vins98

Re: [PSX - Tekken 3 MOD] Anyone with hex editing experience?
« Reply #8 on: March 18, 2018, 09:47:31 am »
Thanks everybody for the help and the hints you gave me. I'm gonna dig a little more on the game data and with debuggers using breakpoints and savestates too.

As I already said, btw, I got that the images are stored in TIM files, and I already understood that from the header. The problem is that I tried to manually export the names and it seems corrupted (missing palettes or something so) but you can clearly see the name, maybe because that's totally custom, using a custom loader that automatically places the correct palette for every "name". As you said it's probably using a custom TIM structure.