
Author Topic: fceux help  (Read 966 times)

joe73ffdq

fceux help
« on: March 11, 2018, 07:58:40 am »
I didn't phrase the question correctly in the last topic, so I will try this again.

I am trying to figure out how to find special equipment options in DW2, but to no avail, I keep running through miles of hex, and not finding anything.

The methods I tried are zero page (A5), with possible RAM locations, but there are several that could be possible. Then I tried to search with compare (C9), and the item ID#, but the other item ID numbers are not in the same locations. Then the text displayed with these items are not even anywhere to be found, which I am assuming would be LDA (A9) with that text.

While using fceux, what is the correct way to look for code? Can I work off of a save state, or should I load from a regular save? Which of the many options in fceux will yield the results I need?

Here are the items and corresponding text.

13 : Water Flying Clothes - reduces breath and magic damage by 1/2
1b : Erdrick's Armour - reduces breath and magic damage by 1/4
18 : Magic Armour - reduces magic damage ONLY (not breath attacks) by 1/4
12 : Clothes Hiding - increases character evasion, but unsure as to how much
30 : Dragon's Bane - reduces effectiveness of enemy Stopspell and Sleep from 3/8 to 3/16
2F : Gremlin's Tail - increases effectiveness of enemy Stopspell and Sleep from 3/8 to 3/4
0c : Sword of Destruction - Increases critical hit rate from 1/64 to 1/8, and 1/4 chance of freezing your character
17 : Gremlin Armour - 1/4 chance of freezing your character
1f : Evil Shield - 1/4 chance of freezing your character

71 : --, too, was cursed.
0d : A tremendous blow!
42 : No movement was possible, for the curse had frozen --'s body.

Psyklax

Re: fceux help
« Reply #1 on: March 11, 2018, 09:22:33 am »
I see the problems you have with phrasing questions. :laugh: The thread title ain't exactly clear either. But I'll see what I can do.

You mention an awareness of assembly instructions, yet you never said anything about using the debugger. I don't really understand what you're trying to do. You say "find special equipment options" then list some items with hex codes, so I don't understand what you're looking for.

I hacked DW2 already, so I know a little about the insides. You mentioned save states and battery saves - there isn't really a difference. Both are saving what's in RAM at that moment, except the battery save only keeps what's between $6000 and $7FFF, rather than the whole lot.

"Looking for code" means looking for it while the game's running - how the hell are you gonna find it otherwise? Like, do you know where these items are kept in RAM? I'd guess in the $6000 range rather than zero page, given that that'd get saved to the cartridge SRAM. So you find it in the hex editor, right click and set a write breakpoint, then when you get an item you'll see the code that deals with it.

It's hard to tell you much more because, as you and I already said, your request is a little hard to fathom. :)

joe73ffdq

Re: fceux help
« Reply #2 on: March 11, 2018, 05:20:57 pm »
Thank you for your reply  :beer:

Instead of trying to describe the failed methods I am doing, I will just state specifically what I am trying to do.

#1 - Remove the curse from Sword of Destruction, Gremlin Armour, and Evil Shield
#2 - Find the damage reduction rate for Water Flying Clothes, Erdrick's Armour, and Magic Armour
#3 - Transfer the effects of Dragon's Bane to a piece of equipment to save inventory space

From what I can tell, and I am pretty sure of this, is the effects in battle for all 9 of these items is in bank 5 (10000-14000). The initial equipping of the cursed items, and the message telling you that you are cursed, is likely in bank 7 (18000-1c000).

Once I figure this last part out, then I can organize the rest of the data I have, and DW2 will have almost everything FFHackster can do, minus map editing and sprite data.

What do I need to do in fceux? I brought up RAM viewer, and equipped the cursed items over and over, and then kept hitting load state. Then I would look for patterns with C9 compare, and didn't see anything conclusive enough, except narrowing it down to the likely range of 11500-13300. I also can't figure out this breakpoint thing. I don't understand how to work it.

Last note here. I was contemplating posting in the help wanted section, so I can receive some help unearthing all the critical code in this game. Once I can figure out this part with the equipment, I will finish up the documents I am working on. I have treasure, battle formations, enemy zones, and possibly item drops. That will be on top of what I have here. https://www.dropbox.com/preview/Public/DW2.notes.zip, if you want to look over it.

If all of this is ever completed, then I would make a request for someone to make a map editor, as DragonWarriorX editor for DW2-4 doesn't work.

5 years now of basic hacking skills, and I am still a noob at looking for data. If it wasn't for AlexKC over on Gamefaqs, and Gameboy9 on my DW2 thread from 2 years ago, then most of this data wouldn't have been found  :beer:

Final thought. I want to thank the community here for all the help I have received  :)  I know I can be frustrating at times, and I easily get flustered, no matter how much information is provided. I can picture people scratching their heads when they read my posts. PTSD and anxiety make it hard to focus and concentrate, but that isn't anyone's problem except mine, so a massive thank you to all who have helped through the years  :beer: :beer: :beer:

KingMike

Re: fceux help
« Reply #3 on: March 11, 2018, 10:14:24 pm »
If the items presumably have an effect when the character is equipped, have you found the RAM addresses which store what items the character CURRENTLY has equipped? (ignored the saved file)
I would try setting a read Breakpoint for those RAM addresses, rather than to look for ASM instructions that you are apparently assuming will be in the code.

This is assuming that those effects actually are hard-coded to certain ID values, and you have determined already they aren't part of item data like price, etc.
Quote
Sir Howard Stringer, chief executive of Sony, on Christmas sales of the PS3:
"It's a little fortuitous that the Wii is running out of hardware."

Psyklax

Re: fceux help
« Reply #4 on: March 12, 2018, 02:43:38 am »
Allow me to go into a bit of detail. It seems to me that your problem is that you've learnt a lot of assembly instructions, but don't actually know how assembly works. Once you get over that fundamental problem, you may make progress. :)

You say things like "look for patterns with C9 compare", which make no sense to me, then say you don't understand how breakpoints work. All those instructions, such as CMP, LDA and so on, are what the CPU reads and obeys. CMP for example takes a value from somewhere and compares that to what's in the Accumulator, and sets flags accordingly. Also, you say "the message telling you that you are cursed, is likely in bank 7". Likely? How do you not know? If you're reading the file using a table, it should be plain to see. But even if not, it's easy to find.

I'll explain. The NES puts graphics on the screen using the PPU, which stores both the graphics and the on-screen position of the graphics (plus the palette info) in its own RAM. The CPU cannot directly access this RAM, but by reading and writing to a set of registers, it's able to put stuff there. So when some text needs to be written on-screen, the CPU finds it in the ROM and sends it to the PPU through a register. Often the game assembles the text in the CPU's own RAM first before blasting it to the PPU in one go.

So, knowing this, we can reverse engineer to find any piece of text in any game: if you see a message on-screen, it came from somewhere, right? Let's use DW2 as an example, and I wanna find the text for "Thou hast defeated the Enemies".

I win a battle, text pops up, I pause. Go to Name Table Viewer to see where in memory this text begins. I hold the mouse over the capital T and it's at $2265; go there in Hex Editor (View-PPU Memory). Right-click on the address and "Add write breakpoint for address 2265", so that the game stops at the moment it writes to that address (with our capital T). Note that there's $37 stored there, so that's what we're looking for.

Go back with save state (or just win another battle), and pay attention when the last enemy dies (the debugger will be stopping a few times because of all the times it's writing other text, so you can disable the breakpoint by double-clicking it when you don't need it). With the breakpoint enabled, I click Run a few times until I see $37 appear in the Accumulator (see the A, X and Y windows in the Debugger - A means Accumulator). I see that $C0AA is the instruction to store whatever letter is needed to the PPU's RAM. Looking above, I was right: the text comes from the CPU's RAM rather than directly from the ROM.

Just for fun, click Add, type $C0AA as address, select Execute (because it's an instruction) and click OK. Now every time you click Run, you'll see a letter appear on the screen, because this is the command that occurs every frame that needs a letter on-screen. Anyway, back to work. If you go to $300 in RAM, and keep clicking Run, you'll see that what the game does is put the PPU address at $300 and $301, and the value to put there at $302, every frame (the devs wanted each letter to scroll slowly, I guess, rather than appear instantly). The NES's RAM is between $0 and $7FF, so it gets here from somewhere in ROM. Question is, where?

Well, right-click $302, write breakpoint, Run. Oh snap, the address and value come from $7 to $9... well, how did they get THERE? Right-click $9, write breakpoint, Run. Christ, it's coming from around $6000, which is cartridge RAM. Go again...

Eventually I figured out it gets the text from $B52F in ROM, and using its nifty text handling routine, it writes it out in RAM before putting it on the screen, thereby not needing to put manual line breaks in the code, but DW2 is a bad example since Japanese games don't usually bother with that. :D Anyway, I have to go now, but I just recommend reading this and trying to understand how the CPU works:

https://www.dwheeler.com/6502/oneelkruns/asm1step.html

I'll be back later and can give you some more advice about your specific requests.

joe73ffdq

Re: fceux help
« Reply #5 on: March 12, 2018, 04:53:49 pm »
Thank you for all the info. I didn't know to right click to set a break point, uggh...

I tried a few things, and sort of got it working. I set a breakpoint at $22ac, and when I equipped any of the cursed items it brought up $c1c5 and $c0aa. In battle, it didn't matter if I was frozen or not, $c038 and $c0aa came up. I don't understand how this is supposed to help yet, but with more effort I can figure it out.

With the whole c9 compare thing, let me explain. Let's take 0c : Sword of Destruction for example. If I want to disable the curse, then I would have to change the 0c to something else in the battle routine, which is in the range of 11500-13300. The logic I am using here is based on something in DW1. Erdricks armor is 1c in DW1. Whether it is damage reduction, sleep and stopspell resist, or healing from walking, there is a c9 1c. If I change the 1c to 10 for example, then half plate armor will carry those attributes instead of Erdricks armor. I am looking for a c9 with all those 9 items in DW2, to change the item they are assigned to. As far as the text being in bank 7, I am thinking that because who can equip what is at 1a300, then I would find an a9 42 for the text 42 : No movement was possible, for the curse had frozen --'s body. That is what the whole c9 logic is all about. I never took the time to change any of the c9 xx in the 11500-13500 range, because there are too many possibilities, and not all of the 9 items appear in similar locations. I was looking for a5 zero page options by viewing RAM, but again there were too many potential options.

So yeah, in summary here, I am taking what I know in DW1, and doing a c9 search in HxD, and not finding anything conclusive, even though I am sure of the ballpark area. There should be a c9 xx for each item, a9 xx for the text, and a9 xx for the effects (resist % for sleep, stopspell) or (damage reductions for WFC, Erdricks and magic armor).

Hopefully that clarifies what I am trying to do, and in the meantime I will keep trying to learn the options in fceux.

Thank you very much for the breakdown of what to do, and hopefully it will lead me to learning how to unearth more code  :beer:

KingMike

Re: fceux help
« Reply #6 on: March 12, 2018, 05:51:36 pm »
"There should be a c9 xx for each item, a9 xx for the text, and a9 xx for the effects (resist % for sleep, stopspell) or (damage reductions for WFC, Erdricks and magic armor)."
Only "should be" if the game was programmed in the way that you want it to be.
True that the code to check the item is "likely" to be in the same bank, but it doesn't HAVE to be. I've worked on a few games that work contrary to that ideal situation.
Definitely you will want to learn breakpoints.

Psyklax's method may be a bit more complex (I try to avoid tracing PPU writes on the NES if I can avoid it, as it is more work). And unnecessary since I don't think you want to find the text itself anyways. It would only be printing AFTER it has already found that you are holding the equipment, which is what I think you want anyways.
Since the effect is based on equipment, just find where in RAM your equipment is first. I'm sure Cheat making tutorials will help on that. Go to towns and buy random crap (doesn't matter what it is) and equip it and watch what values change before and after until you find out what those RAM addresses are (somewhere in the range of $0 to $7FF for console RAM or $6000-7FFF for the cart RAM. Though I would suspect the former first, given that the game was originally written without SRAM on the Famicom.) Since you seem to know the item IDs already, maybe that shouldn't be too hard. Go into FCEUX hex editor and search the CPU RAM for your equipment item IDs. (I would guess that a character's equipment would be stored in RAM together in the same order it is listed on the screen.) But if you know item IDs, then changing one around a few times while using the Cheat search for equal/not equal should quickly turn up the result.
Then once you have a RAM address, you can go to the Debugger, click Breakpoints, Add Breakpoint, CPU, Read, enter the address (I think that's what the steps are). Then when the game comes to the time to check if it should apply the effect, the debugger will show you the address of the instruction (though in CPU address form, but once you have that it's not hard to convert to a ROM address), and if it is a C9 0C, you'll know EXACTLY where it is without "too many possibilities".
Quote
Sir Howard Stringer, chief executive of Sony, on Christmas sales of the PS3:
"It's a little fortuitous that the Wii is running out of hardware."

joe73ffdq

Re: fceux help
« Reply #7 on: March 12, 2018, 10:58:20 pm »
Here is what I discovered, and it still doesn't narrow down my search

7d - 07 to 01 for cursed Sw/Ar/Sh
95 - Displays the last thing equipped
96 - Flashes equip upon initiation, and then reverts to original value
60d0 - 02 to 01 for cursed Sw/Ar/Sh
60d1 - 02 to 01 for cursed Sw/Ar/Sh
60d9 - 2d to 0c for cursed Sw/Ar/Sh

These are the RAM locations where changes occurred when equipping the cursed sword, Armor, and Shield. 96 shows every equippable item. I tried my usual search in HxD, with none of the following yielding anything useful. The favorable items : WFC, Erdricks Armor, and Magic Armor, all show no RAM changes.

A5 : 7d, 95, 96
85 : 7d, 95, 96
d060
d160
d960

No ID#'s anywhere in the vicinity of these searches.

I'm thinking it might be in a bitmask form with 29-AND or 69-ADC, with 01,02,04,08,10,20,40,80. The only problem with this idea, is that there are 9 items and not 8.

With all that, maybe someone can lead me in a direction I am not thinking of.


////////////////////


I feel like such a bone head right now. In my notes I have this...

Each Party Member Gets 2 Hits With Any Weapon, Instead of Only With The Falcon Sword
1227a : 04 > 00 - AAVXZZGA

12274/75 : a9 49 - Falcon Sword

Item ID# + x40 = the item is equipped

I tried item # 05 club and changed 12275 from 49 to 45, and sure enough the club became the weapon to hit twice.

So the item ID# is found with a9 and not c9. I'm not sure about the other equipment yet, but I did have the 11500-13300 range accurately assumed. I will post what I find tomorrow when I get back to this.


////////////////////


Made more progress, but now I can't find the text display on screen.

From 125f3-12695 is where the cursed sword, armor, and shield are. The two in battle texts are there also. Now I can uncurse these three items, just by changing the one text that freezes your character. The only problem now, is text #71 for out of battle, which I cannot find at all. When equipping them, it still displays that you are being cursed, even though the in battle effect can be completely removed.

I can't figure out the break point thing, which leads me to c1c5, but there is no 71 there. Weird how there were no options to find 71 anywhere in the rom. a9, a2, a0, 09, 29, 69, and c9. None of the immediate options yield this ID#
« Last Edit: March 13, 2018, 07:41:04 am by joe73ffdq »

Disch

Re: fceux help
« Reply #8 on: March 16, 2018, 12:43:41 am »
I'm very late to the game, but I'm going to chime in to somewhat reiterate what Psyklax said.

"So the item ID# is found with a9 and not c9."

^  This quote is kind of nonsense.  You seem to fundamentally have the wrong idea about how assembly works, and are looking for specific instructions opcodes in hopes that they'll be some kind of magic bullet that will lead you to the solution you're looking for.

That's not how it works.  Programming concepts cannot be understood by only looking at a single instruction.  It takes several instructions to really do anything.  It's no wonder you're staring at pages of hex and not getting anywhere.

You need to understand the code.  You're not looking for a single opcode, or a single instruction, you're looking for an ENTIRE ROUTINE.  10, 15, maybe 20 instructions... maybe even more.  A big block of code that does a bunch of stuff in sequence to perform an in-game effect.  That's what you need to find.... instead of just hoping the game uses a CMP immediate somewhere, and hoping you can change the immediate value to something else to get the desired effect.


Don't look at hex.  Looking at hex is very rarely useful, and usually only pays off when you already know what kind of pattern you're looking for.  You don't know what you're looking for (or at least, you don't know what it will look like) so looking at a page of hex is going to get you nowhere.

Get a disassembler.  Run DW2 through it.  Look at the code.  Read it.  Understand it.  Get a handle on what the code is actually doing.  Disassemblies are great because you can see the code structure AND you can jot down notes right in there.

FCEUX can help narrow down what part of the code you need to be looking at -- but once you're in the area, you have to read the code.
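
Disch's point about reading instructions rather than raw hex, shown as an added example (not code from any poster or from FCEUX): a small linear-sweep 6502 decoder whose table holds only opcodes named in this thread, run over the bytes of the two debugger traces joe73ffdq posts in reply #13. All function and variable names are assumptions made for the example.

```python
# Added example: tiny 6502 linear-sweep decoder. The table holds only opcodes
# that come up in this thread; every name below is made up for illustration.
OPCODES = {
    0xA9: ("LDA", "imm"), 0xA5: ("LDA", "zp"), 0xB5: ("LDA", "zpx"),
    0xAD: ("LDA", "abs"), 0x85: ("STA", "zp"), 0x8D: ("STA", "abs"),
    0xA2: ("LDX", "imm"), 0xA0: ("LDY", "imm"), 0xC9: ("CMP", "imm"),
    0x29: ("AND", "imm"), 0x69: ("ADC", "imm"), 0x09: ("ORA", "imm"),
    0xD6: ("DEC", "zpx"), 0x30: ("BMI", "rel"), 0x20: ("JSR", "abs"),
    0x60: ("RTS", "imp"), 0x48: ("PHA", "imp"), 0x68: ("PLA", "imp"),
    0x38: ("SEC", "imp"), 0x18: ("CLC", "imp"), 0xEA: ("NOP", "imp"),
}
OPERAND_BYTES = {"imp": 0, "imm": 1, "zp": 1, "zpx": 1, "rel": 1, "abs": 2}

# Bytes copied from the two debugger traces in reply #13 of this thread.
TRACE_F6B9 = bytes.fromhex("857D 8DC860 A904 38 60")
TRACE_B6AE = bytes.fromhex("857D ADC860 8D9E60 857C 18 60")


def disassemble(code, origin):
    """Decode `code` starting at CPU address `origin`.

    Returns a list of (cpu_addr, raw_bytes, text). Bytes that are not in the
    table, or whose operand is cut off, are emitted as one-byte `.byte` data,
    so the sweep can lose alignment after them, as any linear sweep can.
    """
    out, i = [], 0
    while i < len(code):
        addr = origin + i
        mnemonic, mode = OPCODES.get(code[i], (".byte", "raw"))
        size = 1 + OPERAND_BYTES.get(mode, 0)
        if i + size > len(code):
            mnemonic, mode, size = ".byte", "raw", 1
        operand = code[i + 1:i + size]
        if mode == "raw":
            text = ".byte $%02X" % code[i]
        elif mode == "imp":
            text = mnemonic
        elif mode == "imm":
            text = "%s #$%02X" % (mnemonic, operand[0])
        elif mode == "zp":
            text = "%s $%02X" % (mnemonic, operand[0])
        elif mode == "zpx":
            text = "%s $%02X,X" % (mnemonic, operand[0])
        elif mode == "rel":
            # Branch target is relative to the address after the branch.
            offset = operand[0] - 0x100 if operand[0] & 0x80 else operand[0]
            text = "%s $%04X" % (mnemonic, (addr + 2 + offset) & 0xFFFF)
        else:
            # Absolute operands are stored low byte first.
            text = "%s $%04X" % (mnemonic, operand[0] | operand[1] << 8)
        out.append((addr, bytes(code[i:i + size]), text))
        i += size
    return out


def raw_hits(code, origin, value):
    """Every address where the byte `value` occurs, as a hex search sees it."""
    return [origin + i for i, b in enumerate(code) if b == value]


def opcode_hits(code, origin, opcode):
    """Only the addresses where `opcode` is decoded as an instruction."""
    if opcode not in OPCODES:
        return []
    return [addr for addr, raw, _ in disassemble(code, origin)
            if raw[0] == opcode]


if __name__ == "__main__":
    for origin, trace in ((0xF6B9, TRACE_F6B9), (0xB6AE, TRACE_B6AE)):
        for addr, raw, text in disassemble(trace, origin):
            print("%04X: %-9s %s" % (addr, raw.hex(" ").upper(), text))
        # $60 is RTS as an opcode, but also the high byte of $60C8 / $609E.
        print("raw $60 hits:", ["%04X" % a for a in raw_hits(trace, origin, 0x60)])
        print("RTS opcodes: ", ["%04X" % a for a in opcode_hits(trace, origin, 0x60)])
```

In both traces a byte search for 60 also lands on the high byte of the $60xx operands, while the decoded view leaves a single RTS at the end of each routine.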

Psyklax

Re: fceux help
« Reply #9 on: March 16, 2018, 04:11:36 am »
Thanks, Disch. :thumbsup:

Here's a simple example for you to try, to get the idea of how you find stuff in code. Let's say I wanna get infinite lives in Gradius on the NES. Simple, basic example.

First thing I do is use the RAM Search to find where the lives are stored in RAM. Start the game, die, click "Less Than" "Previous Value". Die, click, die, click. Oh look, something changed three times and is now zero, and is in zero page (from $00 to $FF), so that must be where the lives are. Of course, I could just go Hex Editor, right-click $20 and Freeze Address, but that would defeat the point of my tutorial. :)

So instead, let's right-click $20 and add a Write Breakpoint - now the debugger will stop on any instruction that writes to $20, whether with a store command, increment, decrement or whatever. Carry on playing and die one more time.

Bam, the debugger stops the game at Program Counter $979F: DEC $20,X. So that decrements - reduces by one - the address at $20, plus whatever's in the X register (which is currently nothing). The lives counter was at zero, so decrementing it flips it round to $FF, so surely something triggers the Game Over at that point.

Edit the Breakpoint on the right so that it breaks on Read as well as Write - because the game probably looks to see if it's gone below zero and wrapped around. It stops next at $97C1 with LDA $20,X, which of course is loading whatever's in $20 into the Accumulator (the A register). The next instruction is BMI $97F1, which means Branch on Minus. What does that mean? It means that if the Negative flag is set (which it was because $20 went below zero), it jumps to the location shown. Otherwise it just carries on doing what it does for the next life: sending you back to a checkpoint, stealing your hard-earned powerups and so on.

So, the simple way to get infinite lives would be to ignore this check, no? Just carry on playing regardless of what's in $20. Alternatively, you could change that DEC instruction from earlier so that it doesn't decrement $20. Either way, we'll have infinite lives. Let's do the latter.

Go to $979F in the Hex Editor, and we see the opcodes for that DEC instruction: D6 20. Right-click, Go Here in ROM File (because we're looking at RAM) and let's change D6 to A9, which is LDA #$xx, and look at it again in the debugger (type 979F in the Seek To box if necessary). Now you see it's LDA #$20, which just loads the Accumulator with the value $20, which is then replaced two instructions later by $00, so it practically does nothing. You could obviously replace D6 20 with EA EA (two NOP - No Operation - instructions) but this is simpler. Now you have infinite lives. :)

Now that's a very simple example, but hopefully you can see how instructions work a little bit, and how to use Breakpoints. You can do it for anything: if you know where special items in DW2 are kept, like armour, you can set a Read Breakpoint on that address (or group of addresses) then get into a fight, and see what happens when you take damage. Presumably, the game checks to see what armour you have or something. I don't know without looking specifically - every game is different. Like Disch said, one instruction won't tell you the whole story. You need to step through the code, learn the principles of how assembly works. Then maybe you'll get somewhere. :)

joe73ffdq

Re: fceux help
« Reply #10 on: March 16, 2018, 10:43:36 pm »
Thank you for all the help guys  :beer:

I am making some progress on learning how this works. I have some RAM locations mapped out, and I learned how to set breakpoints with more success.

7d, 96, 9b, 6f8-6ff, and 60c8, are the specific areas affected by equipping a cursed item. I found some other stuff in RAM also, but this is hard, because so many other things change.

Now I just need to learn how the code works.

LDA - ad xx xx
STA - 8d xx xx
JSR - 20 xx xx

LDA - a5 xx
STA - 85 xx

These seem to be the very first things to look for, and then try to learn the surrounding code. I finally used 6502d and made a rom map, and labeled a few things. Now I need to sort my flood of notes, and get them organized.

Am I right on those 5 op codes being the primary ones to look for first?

KingMike

Re: fceux help
« Reply #11 on: March 17, 2018, 02:23:56 am »
Note that each instruction has several different Addressing Modes. The instruction opcode (the first byte) indicates the instruction AND the addressing mode.

LDA $aabb would be an example of "Absolute Addressing".
That's AD bb aa in Hex. It means to LoaD (read) the A (accumulator) with the value from address $aabb. That's the CPU address. $0000-07FF is RAM, $6000-7FFF is SRAM, $8000-FFFF is a ROM bank.

STA $aabb (hex 8D bb aa) is the reverse, it STores A. Note that you can only actually store to a RAM address. Trying to write to a ROM address is typically what activates the Mapper's functionality (since you can't actually write to ROM). You'd need to read a document on whatever mapper DW2 uses (MMC1?) to know what mapper writes do, but typically documents will denote things like "write to $8000-9FFF". That means that writing to any address between $8000 and $9FFF will have the same stated effect.

LDA $aa (with only one byte) is an example of "Zero Page" Absolute Addressing. It's like the above except that (like its name implies) the high byte is 0, so it's limited to an address between $0000 and $00FF.
That's A5 aa in Hex.
STA $aa (hex 85 aa) is again the reverse.

LDA #$aa (with the # in front) is an example of "Immediate". It means to load A with the specified value.

JSR $aabb (hex 20 bb aa). Jump to Subroutine. Makes the CPU run a function at $aabb. The CPU will automatically store the address to a part of RAM known as the "Stack". The called function will end with an "RTS" instruction ("Return from Subroutine") (hex 60).
Note that games can and will JSR to functions that will call another JSR. Those will nest, meaning that successive RTS instructions will close functions in the order of most recent first.
(the "Stack" is called that because it should be visualized as a stack of plates. When you make a stack of plates, you typically when adding a plate to the stack add it to the top (people don't usually insert a new one five plates down), and when you remove one you remove the top one.
Imagine if those plates had numbers written on them and maybe that is you can imagine the RAM Stack.)

Two other very common instructions to watch for are PHA and PLA.
("Push Accumulator" and "Pull Accumulator") They will insert and remove, respectively, from the "Stack" (the same area mentioned in JSR).
Generally PHA will be used to "save" a value (since the Accumulator can only hold one value at a time, PHA is used when something is important enough to remember but not important enough to give it a more permanent storage) and PLA will be used to "restore" it. (as with JSR address, they can be only restored in the order of most-recent saved value first)

You technically could (you could be that guy that lifts the stack of plates to get the fifth one down), but for simplicity of understanding the concept of a Stack let's say you can't. (You're a typical human who grabs from the top. :) )

As to using PHA/PLA to save/load values, compared to using LDA/STA to read/store to RAM, is kind of like how with emulators that give you the option to Save and Load savestates with specific filenames. But you use the Quick Save and Load for small progress when you don't care about the file location. PHA and PLA is like that "don't care" savestate slots vs. LDA/STA to a RAM address that has a definable purpose is like the "do care" savestates.
Quote
Sir Howard Stringer, chief executive of Sony, on Christmas sales of the PS3:
"It's a little fortuitous that the Wii is running out of hardware."

Psyklax

Re: fceux help
« Reply #12 on: March 17, 2018, 05:38:06 am »
You know, I already posted a relatively short document explaining everything you need to know about 6502 assembly, so it would be wise of you to read the whole thing. :)

When I'm hacking, I also refer to this to get the opcodes:
http://www.6502.org/tutorials/6502opcodes.html
Those two documents combined, along with stepping through some code, will help you to understand what's going on. You seem to be getting hung up on searching for opcodes rather than understanding what's actually happening. Just read those two documents and try to forget about searching for opcodes. :)

joe73ffdq

Re: fceux help
« Reply #13 on: March 19, 2018, 07:35:06 pm »
Finally figured out some key data, but not by my ability to understand code. I did look over all the 6502 instructions, and I can grasp some of it, but I easily get overwhelmed. Too many instructions linked to many places, and then I get lost knowing what I am looking for. I understand the immediates, and zero page a5 and 85, but from there I get lost. I need to take what I understand in DW2, and further learn how the code functions. Thinking of FF1 disassembly, and how to apply that knowledge to DW2.

I kept trying different things with break points, and it helped me find more RAM locations, but not so much with understanding more code than I can grasp. I ended up NOPing out large sections of code, and then FINALLY uncursed these items, and the dilemma I was facing.

Here is what I found with the specific break point that was key $7d, but it did not lead me to where I needed it. It did give just 2 stops, instead of several with other break points.

0F:F6B9:85 7D     STA $007D = #$07
0F:F6BB:8D C8 60  STA $60C8 = #$01
0F:F6BE:A9 04     LDA #$04
0F:F6C0:38        SEC
0F:F6C1:60        RTS ---

02:B6AE:85 7D     STA $007D = #$00
02:B6B0:AD C8 60  LDA $60C8 = #$00
02:B6B3:8D 9E 60  STA $609E = #$15
02:B6B6:85 7C     STA $007C = #$15
02:B6B8:18        CLC
02:B6B9:60        RTS ---


Here is the actual stuff I needed to find.

Battle options

125f8 : a9 4c - Sword of Destruction
12603 : a9 57 - Gremlin Armour
1260a : a9 5f - Evil Shield
1262d : a9 0d : A tremendous blow!
1268a : a9 42 : No movement was possible, for the curse had frozen --'s body


1862c/2f : 6f 46 57 5f - all 4 cursed items when equipping


Cannot be traded between characters when equipped

19b18 : c9 4c - Sword of Destruction
19b1c : c9 57 - Gremlin Armour
19b20 : c9 5f - Evil Shield
19b24 : c9 6f - Gremlins Tail

Applying as an item

1984e : c9 2f - Gremlins Tail
198d2 : a9 24 : -- put on the Gremlin's Tail.
198d6 : a9 25 : -- has already put on the Gremlin's Tail.

19844 : c9 30
198b7 : 22 - -- put on the Dragon's Bane.
198bb : 23 - -- has already put on the Dragon's Bane.


I have to admit that several people have tried to help over the last 5 years, and my brain just doesn't grasp the code sometimes. Disch and King Mike in particular, have offered plentiful advice, and clear direction many times.  :beer:

I made progress, and didn't burn myself out yet, so now maybe I can break more code  :thumbsup:
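
The last post mixes debugger addresses in bank:address form (0F:F6B9) with file offsets (125f8), and KingMike's reply #6 notes that a CPU address has to be converted to a ROM address. One way to do that conversion in both directions, as an added example that is not from any poster or from FCEUX: it assumes an iNES file, 16 KiB PRG banks as shown by the debugger, and a last bank fixed at $C000 with other banks seen at $8000; the header bytes and all names are constructed for illustration.

```python
# Added example: convert between debugger "bank:address" pairs and .nes file
# offsets. Assumptions: iNES header, 16 KiB PRG banks, last bank fixed at
# $C000-$FFFF and every other bank viewed through $8000-$BFFF.
INES_MAGIC = b"NES\x1a"
HEADER_SIZE = 16
TRAINER_SIZE = 512
BANK_SIZE = 0x4000

# Constructed header for illustration only: 16 PRG banks, no CHR ROM,
# flags byte 0x12 (mapper low nibble 1, battery bit set), rest zero.
SAMPLE_HEADER = INES_MAGIC + bytes([16, 0, 0x12, 0x00]) + bytes(8)


def parse_ines_header(header):
    """Return (prg_banks, prg_start) from the first 16 bytes of a .nes file."""
    if len(header) < HEADER_SIZE or header[:4] != INES_MAGIC:
        raise ValueError("not an iNES image")
    prg_banks = header[4]                 # PRG ROM size in 16 KiB units
    has_trainer = bool(header[6] & 0x04)  # 512-byte trainer sits before PRG
    return prg_banks, HEADER_SIZE + (TRAINER_SIZE if has_trainer else 0)


def parse_debugger_addr(text):
    """'0F:F6B9' -> (0x0F, 0xF6B9). Extra ':'-separated fields are ignored."""
    bank, addr = text.strip().split(":")[:2]
    return int(bank, 16), int(addr, 16)


def cpu_to_file(debugger_addr, header):
    """File offset of the byte the debugger shows at bank:address."""
    prg_banks, prg_start = parse_ines_header(header)
    bank, cpu = parse_debugger_addr(debugger_addr)
    if not 0x8000 <= cpu <= 0xFFFF:
        raise ValueError("address is RAM/SRAM/registers, not PRG ROM")
    if bank >= prg_banks:
        raise ValueError("bank number beyond PRG ROM size")
    # Only the low 14 bits select a byte inside a 16 KiB bank.
    return prg_start + bank * BANK_SIZE + (cpu & (BANK_SIZE - 1))


def file_to_cpu(offset, header):
    """'BB:AAAA' string for a file offset, under the windowing assumption."""
    prg_banks, prg_start = parse_ines_header(header)
    bank, within = divmod(offset - prg_start, BANK_SIZE)
    if not 0 <= bank < prg_banks:
        raise ValueError("offset is outside PRG ROM")
    window = 0xC000 if bank == prg_banks - 1 else 0x8000
    return "%02X:%04X" % (bank, window + within)


if __name__ == "__main__":
    for dbg in ("0F:F6B9", "02:B6AE"):       # addresses from the traces above
        print(dbg, "-> file offset %X" % cpu_to_file(dbg, SAMPLE_HEADER))
    for off in (0x125F8, 0x19B18):           # offsets from the notes above
        print("%X -> %s" % (off, file_to_cpu(off, SAMPLE_HEADER)))
```

Read the real 16 header bytes from the ROM file in place of `SAMPLE_HEADER`, so the bank count and trainer flag come from the image itself.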