
Topic: [PSX - Tekken 3 MOD] Anyone with hex editing experience?

Vins98

[PSX - Tekken 3 MOD] Anyone with hex editing experience?
« on: February 08, 2018, 10:07:40 am »
Hi guys, I was doing some random reverse-engineering on Tekken 3 for the PSX. I found out what the addresses of movesets and select screen names are, and how to edit/swap them. For example, I can make Jin kick the opponent before the battle starts, or I can give him Ogre's moveset without using cheats.
Everything is okay so far, but I need some help to understand the structure of the records. I post some photos of what I actually got so far. (There are many explanations on the images, so please open both to get a clear idea.)
Screenshot 1: http://i65.tinypic.com/2hnv2bq.png
Screenshot 2: http://oi66.tinypic.com/10nvqz4.jpg
Now what I'm asking you is just a little help to understand better the structure of the records and maybe how to find/edit the names in the actual battle.
Thank you so much, and I'm glad to share my work with such a great community.
« Last Edit: February 08, 2018, 11:51:32 am by Vins98 »

Valendian

Re: [PSX - Tekken 3 MOD] Anyone with hex editing experience?
« Reply #1 on: February 15, 2018, 03:38:18 pm »
Nice choice to take on Tekken 3. Shows good taste. I did notice that those data structures have a variable length string of text. This usually means that the name is the last thing in the structure. You already noticed those names are zero filled to a four byte alignment. Nulls like these are used to mark the end of text. Now you have a note that indicates that the structure begins four bytes later. I would question that.
Not sure if it helps, but have you tried to count up all the names and search for that number? You will likely find a descriptor in the header.

Keep fuzzing those bytes

weissvulf

Re: [PSX - Tekken 3 MOD] Anyone with hex editing experience?
« Reply #2 on: February 15, 2018, 05:22:33 pm »
Nice stuff! Here's what little I know:
PS1 data is almost always aligned to 32-bit chunks. Because of that, if you use the HxD hex editor and set the view to 'byte group size=4', you'll be able to spot patterns more easily.

Like Valendian said, the 00s after the names are 'end-text' markers, filled to the next 32-bit boundary. You can usually write over these 00s with more text, as long as you leave at least one 00 at the end. Other than the names and their fill, there are three 4-byte chunks left. Keep in mind, the PS1 is little endian, meaning byte order is reversed.

If the variable length names are at the end of the structure (like Valendian says), the entries would look like this:

F4210280 044A 0404 0404 020B.....594F5348 494D4954 53550000..YOSHIMITSU
0C220280 051E 0505 0505 090C.....4E494E41 00000000...............NINA
20220280 0647 0606 0606 040D.....48574F41 52414E47 00000000..HWOARANG

The PS1 memory addresses usually end in 0x80 (aka have the highest bit set), so the first 4 bytes are a RAM address. The converter tool HERE should help you locate where these addresses are pointing to. EDIT: I checked, and they are pointers to the character names. That verifies that the names are listed at the END of each structure.

That leaves 8 bytes. They are likely NOT full memory addresses, but maybe 'relative' addresses to look up combat moves in a table. They are probably 1 or 2 bytes long (not 4), but I have seen such tables use 1-bit tags. There's an obvious pattern counting up by 1 for each new character (04 > 05 > 06 etc.), perhaps progressing through a table list of moves. I would try to edit them, 1 byte or 2 bytes at a time, and see what changes.
« Last Edit: February 15, 2018, 07:29:26 pm by weissvulf »

Valendian

Re: [PSX - Tekken 3 MOD] Anyone with hex editing experience?
« Reply #3 on: February 15, 2018, 09:03:25 pm »
Quote
The PS1 memory addresses usually end in 0x80

Just to expand this a little:
pointers which refer to cached memory are in the 2 MB range:
    0x80000000 (00 00 00 80) - 0x801FFFFF (FF FF 1F 80)
Tune your eye to see 80 in the third column of a 4-byte word; it's an important signature for a pointer.

The MIPS CPU strictly enforces alignment of data. The instruction set requires that 4-byte words lie on a 4-byte boundary, likewise for halves (2 bytes). However, small data like a byte may just happen to be 4-byte aligned. You can use a debugger to verify the size of data once you know where it lives in RAM. Place a breakpoint on read/write. You will see one of the following assembly instructions:
  4 byte word ... LW/SW (load/store)
  2 byte half ... LH/LHU/SH
  1 byte ... LB/SB
(Just be mindful that memory transfers will use word copies for byte arrays).

If you are using a debugger then the bytes are right there, ready to be fuzzed; you can save/reload state and the turnaround time is instant. You can lean on the hex editor for searching the save state. There is a fixed difference between the save state offset and the RAM address, for pSX at least (it doesn't compress the save states).

Vins98

Re: [PSX - Tekken 3 MOD] Anyone with hex editing experience?
« Reply #4 on: February 27, 2018, 06:22:57 am »
Well guys, first of all thank you for your precious help.
I found out something using No$PSX (it's the debugger I like the most).
When a character is being loaded the CPU reads an address (I'd like to understand WHERE it comes from) which points to the TEKKEN.BNS file. When it comes to Hex-editing that file tho, there are just a couple of strings, probably from the credits or copyright stuff.
Then I got that the specific address loaded was an offset. I went to that offset on the TEKKEN.BNS file and I found out that it was a typical TIM graphics header.
I tried using TIMView and found all the textures of the game (that was previously known, as there are tons of texture mods for Tekken 3). The big problem is that yes, I found the character names, but they are fixed length (for example 31x74) and if you try to fit a larger size, you'll obv mess up all the offsets that the game loads.
So actually I got the structure, I got where the files are and an editor, but theoretically if I don't find where the offsets are stored we could never edit the game properly.

Valendian

Re: [PSX - Tekken 3 MOD] Anyone with hex editing experience?
« Reply #5 on: February 28, 2018, 04:56:46 am »
Following pointers is a difficult task. It requires a lot of detective work. I find that you can use the stack as a cookie trail. If the pointers are read in one place then used in another, then there is likely to be a function call where the pointer is passed as an argument. Break on memory read/write to the data and save state. Then search the save state for the pointer. You are hoping to see a few occurrences near each other. This area is the stack (and is typically found at top of memory 801Fxxxx).
The stack grows down, so the occurrence with the highest address is the place where the pointer was read. Break on write to that address and you are within the function that reads the pointer. Locate the start of this function and step through it until the pointer is read. It's a lot of work following pointers, but it pays off.

STARWIN

Re: [PSX - Tekken 3 MOD] Anyone with hex editing experience?
« Reply #6 on: February 28, 2018, 09:36:31 am »
ho-hum, if the cpu loads an address you already know what you want to follow backwards. this isn't usually a difficult task if i got the situation right..

if what determines it is in a register, you check the earlier executed asm until you see where it gets that value.

if it is hardcoded (instructions that generate the value, or values loaded from cd rom), then you found the spot.

otherwise it uses other values to create this value (like for example taking n:th value in a table, which combines the address of the table base and n). you can document the knowledge read to a text file and keep going backwards.

if it uses a temp value from ram (not something read from the cd rom) you can usually trace it backwards by having a save state slightly before this exact point in the game, set a write breakpoint on the desired location, load the earlier savestate and run. this works well unless it reuses the same spot many times earlier (if just a few times, run it until you see the familiar value), which often happens with stack locations and sometimes elsewhere (if the earlier savestate is too far away).

if it uses a value that is given as a parameter to the function you are reading (either via register or stack), you can often step out and check what was immediately sent that way before it was called. stepping out once or twice and making a breakpoint before the current call is also one way to get the earlier savestate.

edit: if you need to search the savestate for some reason, you can set them to "raw" format in no$psx file options.
« Last Edit: February 28, 2018, 09:59:14 am by STARWIN »

weissvulf

Re: [PSX - Tekken 3 MOD] Anyone with hex editing experience?
« Reply #7 on: February 28, 2018, 07:04:16 pm »
Quote
The big problem is that yes, I found the character names, but they are fixed length (for example 31x74) and if you try to fit a larger size, you'll obv mess up all the offsets that the game loads.
You're talking about the text-graphics which hold the names that you mentioned earlier, right?

Answering your question depends on how the name-graphics are stored, so I dug into it a little. On my copy, the names aren't standard TIMs so they don't show up in a TIMviewer scan. They are 16 tall by varying length. The header is non-standard and missing some info such as the palette, but I think I recognize the 'image header' block which contains 'image data+header size', 'VRAM load coordinates' and 'width/height'. For example, the name PAUL (16x32) in TEKKEN3.BNS at 0x86CE4C has 0C010000 50000000 08001000.
0C010000 = 0x100 image data size + 0xC image header size
5000 0000 = image load coordinates
0800 = width, in 4BPP TIMs multiply this by 4 to get pixels-per-row = 8x4 = 32 pixels
1000 = height 16 pixels

None of that information is likely to be of much help. There is room in VRAM for longer name-images, but if the game is using a custom loader, there's no telling how it handles the data. It's not just a matter of making room for more image data, you also have to see that the data is loaded and displayed properly.
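Decoding the 12-byte header quoted above, as an added example that is not from this thread or the game's own code: it applies weissvulf's reading of the fields (size, load coordinates, width in 16-bit words, height) and checks that the size field really equals image data plus header for a 4BPP image. That the two halves of the second word are x then y is an assumption here.

```python
import struct

HEADER_SIZE = 0x0C   # the 12-byte 'image header' block described in the post
PIXELS_PER_WORD = 4  # 4BPP: one 16-bit VRAM word holds four pixels

def parse_name_header(blob):
    """Decode total size, VRAM load coordinates and width/height, then check they agree."""
    total, x, y, w_words, h = struct.unpack_from("<IHHHH", blob, 0)  # x/y order assumed
    data_size = total - HEADER_SIZE
    expected = w_words * 2 * h          # width in 16-bit words, 2 bytes each, times rows
    return {"data_size": data_size, "x": x, "y": y,
            "width_px": w_words * PIXELS_PER_WORD, "height": h,
            "consistent": data_size == expected}

# Header bytes quoted from the post (PAUL, TEKKEN3.BNS at 0x86CE4C)
PAUL_HEADER = bytes.fromhex("0C010000" "50000000" "08001000")
# Constructed variant: width widened to 12 words without touching the size field
BAD_HEADER = bytes.fromhex("0C010000" "50000000" "0C001000")

if __name__ == "__main__":
    print(parse_name_header(PAUL_HEADER))   # data_size 0x100, 32x16, consistent
    print(parse_name_header(BAD_HEADER))    # size no longer matches the dimensions
```

For PAUL the check passes (0x100 bytes = 8 words x 2 bytes x 16 rows), which supports the size = data + 0xC reading; a header whose width was enlarged without the size field being updated fails it.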

Vins98

Re: [PSX - Tekken 3 MOD] Anyone with hex editing experience?
« Reply #8 on: March 18, 2018, 09:47:31 am »
Thanks everybody for the help and the hints you gave me. I'm gonna dig a little more on the game data and with debuggers using breakpoints and savestates too.

As I already said, btw, I got that the images are stored in TIM files, and I already understood that from the header. The problem is that I tried to manually export the names and it seems corrupted (missing palettes or something so) but you can clearly see the name, maybe because that's totally custom, using a custom loader that automatically places the correct palette for every "name". As you said it's probably using a custom TIM structure.

Stockage

Re: [PSX - Tekken 3 MOD] Anyone with hex editing experience?
« Reply #9 on: November 07, 2018, 03:17:49 pm »
Hello, sorry for replying on this so old topic but it helped me to find some interesting stuff I'd like to share.

Actually, I found a list of addresses starting at 0x00088508. Each address points to a player structure (name, moveset, map, etc...) and some of them are pointed to several times. After some analysis, I found that a player is defined by 4 addresses (and so 4 player structures) like this:
Code:
Addr1(4b) Addr2(4b) Addr3(4b) Addr4(4b)

Addr1 is the P1 player structure, Addr2 is the P2 player structure, Addr3 is the Gold player structure (if it exists) and Addr4 is mostly unused. In fact, the last one is only used for Tekken Force fighters, who actually are the same player with 4 skins.
There are also weird things in this list, like Nina (who has no Gold skin) having Anna's player structure address for Addr3 and Addr4, or the last player of the list who has no name. I've no idea why...

Now, the player structure. It's defined by 12 bytes:
Code:
NameAddress(4b) U1(b) U2(b) U3(b) U4(b) U5(b) MoveSet(b) Map(b) Song(b)

As said before in this topic, NameAddress is an address that points to the name (a 00-padded string). The name is not necessarily at the end of the structure, and the same string can be used several times (like Jin or Xiaoyu).
MoveSet is a byte that defines the moveset of the player structure (but it doesn't change the content of the command list).
Map is a byte that defines the default player map. Don't try a Tekken Force fighter's map, it crashes the game.
Song is a byte that defines the song played during a fight against this player. You can set it to songs that are not used in fights (like the menu or character select song).
U1 to U5 are still unknown values.
U1 is incremental from 0 and unique for each player and skin, except for Ogre and True Ogre who have the same.
U2 seems to be really specific. It's not incremental and some players have the same value (Nina and King, Tiger Julia and Crow, etc...).
I used to think U3 was a kind of difficulty property but don't know how to check it.

Here's a dump of my analysis script:
Code:
Type ?1 ?2 ?3 ?4 ?5 MS MA SG Name
-------------------------------------------------------------------------------
P1   00 20 00 00 00 00 00 07 PAUL
P2   00 20 00 00 00 00 00 07 PAUL
Gold 00 20 00 00 00 00 00 07 PAUL
Unk  00 20 00 00 00 00 00 07 PAUL
-------------------------------------------------------------------------------
P1   01 1a 01 01 01 01 01 08 LAW
P2   01 1a 01 01 01 01 01 08 LAW
Gold 01 1a 01 01 01 01 01 08 LAW
Unk  01 1a 01 01 01 01 01 08 LAW
-------------------------------------------------------------------------------
P1   02 13 02 02 02 02 05 09 LEI
P2   02 13 02 02 02 02 05 09 LEI
Gold 02 13 02 02 02 02 05 09 LEI
Unk  02 13 02 02 02 02 05 09 LEI
-------------------------------------------------------------------------------
P1   03 1e 03 03 03 03 0b 0a KING
P2   03 1e 03 03 03 03 0b 0a KING
Gold 03 1e 03 03 03 03 0b 0a KING
Unk  03 1e 03 03 03 03 0b 0a KING
-------------------------------------------------------------------------------
P1   04 4a 04 04 04 04 02 0b YOSHIMITSU
P2   04 4a 04 04 04 04 02 0b YOSHIMITSU
Gold 04 4a 04 04 04 04 02 0b YOSHIMITSU
Unk  04 4a 04 04 04 04 02 0b YOSHIMITSU
-------------------------------------------------------------------------------
P1   05 1e 05 05 05 05 09 0c NINA
P2   05 1e 05 05 05 05 09 0c NINA
Gold 12 24 05 12 13 11 09 18 ANNA
Unk  12 24 05 12 13 11 09 18 ANNA
-------------------------------------------------------------------------------
P1   06 47 06 06 06 06 04 0d HWOARANG
P2   06 47 06 06 06 06 04 0d HWOARANG
Gold 06 47 06 06 06 06 04 0d HWOARANG
Unk  06 47 06 06 06 06 04 0d HWOARANG
-------------------------------------------------------------------------------
P1   07 2e 07 07 07 07 03 0e XIAOYU
P2   07 2e 07 07 07 07 03 0e XIAOYU
Gold 07 2e 07 07 07 07 07 0e XIAOYU
Unk  07 2e 07 07 07 07 07 0e XIAOYU
-------------------------------------------------------------------------------
P1   08 21 08 08 08 08 0a 0f EDDY
P2   08 21 08 08 08 08 0a 0f EDDY
Gold 15 25 08 13 08 08 0a 1c TIGER
Unk  15 25 08 13 08 08 0a 1c TIGER
-------------------------------------------------------------------------------
P1   09 14 09 09 09 09 08 10 JIN
P2   09 14 09 09 09 09 08 10 JIN
Gold 09 14 09 09 09 09 07 10 JIN
Unk  09 14 09 09 09 09 07 10 JIN
-------------------------------------------------------------------------------
P1   0a 25 0a 0a 0a 0a 0c 11 JULIA
P2   0a 25 0a 0a 0a 0a 0c 11 JULIA
Gold 0a 25 0a 0a 0a 0a 0c 11 JULIA
Unk  0a 25 0a 0a 0a 0a 0c 11 JULIA
-------------------------------------------------------------------------------
P1   0b 24 0b 0b 0b 0b 01 12 KUMA
P2   14 2a 0b 15 0c 0b 01 12 PANDA
Gold 0b 24 0b 0b 0b 0b 01 12 KUMA
Unk  14 2a 0b 15 0c 0b 01 12 PANDA
-------------------------------------------------------------------------------
P1   0c 29 0c 0c 0d 0c 00 13 BRYAN
P2   0c 29 0c 0c 0d 0c 00 13 BRYAN
Gold 0c 29 0c 0c 0d 0c 00 13 BRYAN
Unk  0c 29 0c 0c 0d 0c 00 13 BRYAN
-------------------------------------------------------------------------------
P1   0d 39 0d 0d 0e 0d 0c 14 HEIHACHI
P2   0d 39 0d 0d 0e 0d 0c 14 HEIHACHI
Gold 0d 39 0d 0d 0e 0d 0c 14 HEIHACHI
Unk  0d 39 0d 0d 0e 0d 0c 14 HEIHACHI
-------------------------------------------------------------------------------
P1   0e 23 0e 0e 0f 0e 06 15 OGRE
P2   0e 23 0e 0e 0f 0e 06 15 OGRE
Gold 0e 23 14 14 15 0e 06 1b TRUE OGRE
Unk  0e 23 14 14 15 0e 06 1b TRUE OGRE
-------------------------------------------------------------------------------
P1   0f 37 0f 0f 10 09 02 16 MOKUJIN
P2   0f 37 0f 0f 10 09 02 16 MOKUJIN
Gold 0f 37 0f 0f 10 09 02 16 MOKUJIN
Unk  0f 37 0f 0f 10 09 02 16 MOKUJIN
-------------------------------------------------------------------------------
P1   10 3f 13 10 11 10 09 17 GUN JACK
P2   10 3f 13 10 11 10 09 17 GUN JACK
Gold 10 3f 13 10 11 10 09 17 GUN JACK
Unk  10 3f 13 10 11 10 09 17 GUN JACK
-------------------------------------------------------------------------------
P1   11 1c 11 63 12 13 0d 1a GON
P2   11 1c 11 63 12 13 0d 1a GON
Gold 11 1c 11 63 12 13 0d 1a GON
Unk  11 1c 11 63 12 13 0d 1a GON
-------------------------------------------------------------------------------
P1   12 24 05 12 13 11 09 18 ANNA
P2   12 24 05 12 13 11 09 18 ANNA
Gold 12 24 05 12 13 11 09 18 ANNA
Unk  12 24 05 12 13 11 09 18 ANNA
-------------------------------------------------------------------------------
P1   13 43 15 02 14 12 0e 19 DOCTOR B.
P2   13 43 15 02 14 12 0e 19 DOCTOR B.
Gold 13 43 15 02 14 12 0e 19 DOCTOR B.
Unk  13 43 15 02 14 12 0e 19 DOCTOR B.
-------------------------------------------------------------------------------
P1   0e 23 14 14 15 0e 06 1b TRUE OGRE
P2   0e 23 14 14 15 0e 06 1b TRUE OGRE
Gold 0e 23 14 14 15 0e 06 1b TRUE OGRE
Unk  0e 23 14 14 15 0e 06 1b TRUE OGRE
-------------------------------------------------------------------------------
P1   16 25 00 14 16 14 0f 01 CROW
P2   17 31 00 14 16 14 10 01 FALCON
Gold 18 22 00 14 16 14 11 01 HAWK
Unk  19 1b 00 14 16 14 12 01 OWL
-------------------------------------------------------------------------------
P1   00 00 00 00 00 14 0a 01
P2   00 00 00 00 00 14 0a 01
Gold 00 00 00 00 00 14 0a 01
Unk  00 00 00 00 00 14 0a 01

I'll let you know if I find something new :)
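A parser for the layout described in this thread, as an added example that is neither Stockage's script nor the game's code: it walks the 4-address fighter table, decodes each 12-byte player structure (NameAddress, U1..U5, MoveSet, Map, Song) little-endian, follows the name pointer through the 0x80000000 RAM window weissvulf and Valendian describe, and refuses anything that is not a cached-RAM pointer. The RAM image, the name and structure addresses and the table address are constructed here; the field values are copied from the dump above.

```python
import struct

RAM_BASE = 0x80000000   # cached-RAM window: pointers look like xx xx xx 80 in the hex view
RAM_SIZE = 0x200000     # 2 MB of PS1 main RAM
PLAYER_FMT = "<I5B3B"   # NameAddress, U1..U5, MoveSet, Map, Song: 12 bytes, little-endian

def is_ram_pointer(addr):
    """True only for values inside 0x80000000-0x801FFFFF (a file offset like 0x88508 fails)."""
    return RAM_BASE <= addr < RAM_BASE + RAM_SIZE

def ram_to_offset(addr):
    if not is_ram_pointer(addr):
        raise ValueError(f"0x{addr:08X} is not a cached-RAM pointer")
    return addr - RAM_BASE

def read_cstring(image, off, limit=32):
    """Read a 00-terminated ASCII name; refuse to scan further than `limit` bytes."""
    end = image.index(b"\x00", off, off + limit + 1)
    return image[off:end].decode("ascii")

def parse_player(image, addr):
    f = struct.unpack_from(PLAYER_FMT, image, ram_to_offset(addr))
    return {"name": read_cstring(image, ram_to_offset(f[0])), "unknown": f[1:6],
            "moveset": f[6], "map": f[7], "song": f[8]}

def parse_fighter_table(image, table_addr, count):
    """Each 16-byte entry holds the P1, P2, Gold and 'unused' player-structure addresses."""
    base = ram_to_offset(table_addr)
    rows = []
    for i in range(count):
        addrs = struct.unpack_from("<4I", image, base + 16 * i)
        rows.append([parse_player(image, a) for a in addrs])
    return rows

def build_sample_image():
    """Constructed 2 MB RAM image: three names, three structures, a two-entry table."""
    img = bytearray(RAM_SIZE)
    names = {"PAUL": 0x80010000, "NINA": 0x80010008, "ANNA": 0x80010010}  # constructed
    for text, addr in names.items():
        off = ram_to_offset(addr)
        img[off:off + 8] = text.encode().ljust(8, b"\x00")   # 00-padded to 4-byte alignment
    # (name, U1..U5, MoveSet, Map, Song): values copied from the dump rows above
    players = [("PAUL", (0x00, 0x20, 0x00, 0x00, 0x00), 0x00, 0x00, 0x07),
               ("NINA", (0x05, 0x1E, 0x05, 0x05, 0x05), 0x05, 0x09, 0x0C),
               ("ANNA", (0x12, 0x24, 0x05, 0x12, 0x13), 0x11, 0x09, 0x18)]
    struct_addr = {}
    for n, (name, unk, ms, mp, sg) in enumerate(players):
        struct_addr[name] = 0x80010100 + 12 * n   # constructed structure addresses
        struct.pack_into(PLAYER_FMT, img, ram_to_offset(struct_addr[name]), names[name], *unk, ms, mp, sg)
    # PAUL's four slots share one structure; NINA's Gold/Unk slots point at ANNA, as in the dump
    slots = ("PAUL",) * 4 + ("NINA", "NINA", "ANNA", "ANNA")
    struct.pack_into("<8I", img, ram_to_offset(0x80010200), *(struct_addr[s] for s in slots))
    return img

if __name__ == "__main__":
    for entry in parse_fighter_table(build_sample_image(), 0x80010200, 2):
        for slot, p in zip(("P1", "P2", "Gold", "Unk"), entry):
            unk = " ".join(f"{b:02x}" for b in p["unknown"])
            print(f"{slot:4} {unk} {p['moveset']:02x} {p['map']:02x} {p['song']:02x} {p['name']}")
```

Run stand-alone it prints the same column layout as the dump above; to use it on a real pSX or no$psx raw save state, load the file into `img` and subtract the fixed state-to-RAM offset before calling `parse_fighter_table`.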