Author Topic: SMB Infinite Lives HEX?  (Read 1058 times)

Alpdrucken

SMB Infinite Lives HEX?
« on: June 30, 2019, 11:57:28 am »
Good evening, I'm creating my first SMB hack and I'd like to have infinite lives. I found two different cheats online to do that, 075A 08 and 075A 06, so I tried to write 08 or 06 at the address 075A, but neither seems to work. Is there a way to make it work?
Thanks a lot :)

KingMike

Re: SMB Infinite Lives HEX?
« Reply #1 on: June 30, 2019, 03:27:15 pm »
That's probably a RAM cheat, not a ROM address.

You would need to find the ROM address of the code which writes to that RAM address and change it.
"My watch says 30 chickens" Google, 2018

Alpdrucken

Re: SMB Infinite Lives HEX?
« Reply #2 on: June 30, 2019, 03:58:33 pm »
Thanks for the reply. Any idea how to approach this?

Cyneprepou4uk

Re: SMB Infinite Lives HEX?
« Reply #3 on: June 30, 2019, 05:31:00 pm »
Just curious, how exactly did you write at this address?
I am the baldest romhacker
NES Romhacking Guide

Alpdrucken

Re: SMB Infinite Lives HEX?
« Reply #4 on: June 30, 2019, 05:44:44 pm »
I used HxD and wrote over the address I mentioned.

FAST6191

Re: SMB Infinite Lives HEX?
« Reply #5 on: June 30, 2019, 06:26:07 pm »
> Thanks for the reply. Any idea how to approach this?

Two main ways, neither trivial, but something I could see a determined person who is vaguely familiar with tech making proper headway on for something like this.

1) Recreate a gameshark/action replay/whatever RAM cheats were called in your region.

2) Hardcode the cheat in.

Possible alternative: if there is a save or savestate editor then you can grab that, edit it to include 99 lives and even more continues, and carry on never really having to worry about it, or if it comes to it then the time taken to redo it back to 99 lives should be far less than it took you to get there. I am seldom in a position where I care to play a game when I don't have cheats, thanks to a flash cart, cheat device or emulator, but I can see where people might be limited.

Anyway, more explanations of the methods.

1) You find some point in the game that runs all the time (vblanks are common for this) and add an instruction to write to that area. For something like lives it should not matter if you die if 60 times a second said lives counter is set to 99.

2) You find what writes to this area and change it from something that subtracts to something that adds.


Downsides of those methods.
1) is quite a bit harder if you are new to all this, unless someone does it all for you (possible with Super Mario Brothers, as people do like it).
Maybe not for lives, but for life counters even 60 times a second can be too little, and the normal in-game invincibility cheat might be better than it. Basically, if a blow does 200 damage and your character only has 100 health then it might do the damage, do the "dead or not" check and go from there before the game writes it back to 100.

2) Lives might be in one part of RAM but many things might write to it, and you would need to find them all (or do something else). Super Mario is actually one of the examples I often give here (though what a given version of Mario will do might vary). Death reasons include pits, crushing for those automove levels (maybe not in SMB but in later ones it can be), time out, environmental hazards, enemies, poison mushrooms (maybe not in this but in later games).
The "something else" part from before is maybe to change one to an add instead of a subtract -- if jumping in a pit is an assured one-up then change the jumping-in-a-pit thing and leave the others (or change the ones you can be bothered to find).
You can also do this if the game will not respond if something is frozen -- if a game needs you to get below a certain health, time or whatever for something to happen in it then being able to refill rather than freeze can be nice. Many would probably try to make a button activation code, but that is actually difficult.

Outline of how to do it.

1) Find something that runs all the time. Find either where that code ends or something you can overwrite in it without it bothering the game as a whole. If you know what you are doing there are more methods you can use, like jumping and optimising to gain space, but let us not go there right away.
Super Mario is an exceptionally popular game and thus it has been fully documented unlike most games where you would be going in blind. Here you can consult the disassembly, find a constantly run routine and find where it is. Add your instruction that constantly writes a value to the lives location and go from there.
A disassembly is a big text of what each part of the game is doing. For the most part you can't assemble a disassembled work but the disassembled work will tell you where everything is in the ROM so you can edit that instead.

2) You will need a debugging emulator. Here you will set a break on write breakpoint (usually called bpw) on that memory location the cheat details. Load up a game and proceed to die. It will say hold up, something wrote here, here is what tried to do it and here are the 10 or so instructions that led up to that point.
Instructions if you are not familiar with the concept are what CPUs use to do their jobs in games. They are usually very simple things (even modern PCs are still simple when all is said and done, the NES stuff is even more so) that might have something you can describe in a line of mathematical notes be dozens of instructions long (usually a bit less but be prepared). Figure out what thing will do what you want (if you don't want it to subtract then figure out what takes away and change that, change the write back to always write a certain number instead, or stop the write back from ever happening* if it is a viable option for your chosen hack**)
As mentioned you might need to do it for pits, enemies, time, hazards and whatever else I am forgetting here and do it for all of them.

*deleting things is tricky so instead you need to make it waste some time instead. Some processors, or indeed assemblers, will have a so called No Operation aka NOP but other times you will have to invent something that functions as one.

**here it will probably be OK but other times you might need it to actually send back a value for something.

Alpdrucken

Re: SMB Infinite Lives HEX?
« Reply #6 on: June 30, 2019, 07:00:50 pm »
Thanks for the reply, but I randomly found out how to do it:
I downloaded fceuxd and decoded the Game Genie code that gives infinite lives; fceuxd tells you which ROM addresses might be affected, so I just edited the first one with the value it gave me and it worked :D
Here's a screen of the setting

FAST6191

Re: SMB Infinite Lives HEX?
« Reply #7 on: June 30, 2019, 08:39:03 pm »
Apologies for that one. Part of "it is a really popular game" means you likely have Game Genie codes for it, which are ROM patches and will be doing one of the things mentioned above. GG codes as a whole are rarer than RAM ones as they take a bit of effort to make, vs most RAM stuff, which you can train just about anybody to make for most games in very short order, and the stumbling blocks (aka defeating anti-cheat) are not beyond most people either.

As a general rule for older systems (newer ones can mean various things as names got bought and sold, and even things like save editors came on the scene, to say nothing of the nature of systems when you have the binary in the memory because a 2x CD drive does not have the best read speed or latency) then there are two types of cheats.

ROM based. Pretty much just Game genie.

Everything else. Whether it is action replay (AR), pro action replay (PAR), gameshark (GS), codebreaker (CB), most emulator stuff, Xploder.... it is probably going to be RAM thing or a save based thing for later systems. Occasionally as part of having them work (see master codes) they will have one or two lines available for ROM codes, mainly aimed at defeating copy protection so of limited options for this sort of thing. Likewise some iterations of the ROM patching stuff will have RAM patching options, though all the ones in the wild that I have seen are more limited than the equivalent system RAM only based things.

ROM codes by virtue of being ROM codes can be patched in trivially (CCCGP is a good tool here, though there are a few others). Later systems usually can patch in RAM codes easily enough (gabsharky, GBAATM, DSATM, I see some N64 stuff these days, 3ds stuff can do it by virtue of having the firmware always in memory and on and on and on) but trying to get a universal access or add in a lot of extra code to a system as limited as the older 8 and 16 bit affairs is a bit more difficult.

To round things off I should probably mention peek and poke for older systems.

Psyklax

Re: SMB Infinite Lives HEX?
« Reply #8 on: July 01, 2019, 08:51:30 am »
I'll just chime in to explain what the hack is doing here.

Your lives are stored at $75A in RAM, which is what that first cheat you had referred to. The thing you're doing with the Game Genie code is changing a DEC $75A to a LDA $75A. What does this mean?

Well, DEC is used to DECrement the value at a particular address, in this case $75A. So if you just started a game, it goes from 02 to 01. LDA is used to LoaD a value from an address into the Accumulator - a register used to do almost every kind of calculation in the CPU - and typically something is done with it after that. In this case, the next instruction is BPL $91E9, which means to Branch to the continuing routine if the Negative flag is not set. In other words, if the last operation ended up staying above zero, then branch. Normally losing your last life will cause 00 to wrap around to FF, which will set the Negative flag, and the BPL will not branch. By loading your lives instead of decrementing them, it will never go below zero. Of course you could change BPL to BMI and have one life if you need extra challenge. :)

So hopefully that helps you to understand what's going on, and if you set a read and/or write breakpoint in the debugger for 075A and click Step Into when it breaks, you can see what the game does with your lives counter, and maybe this tiny explanation will get you interested in learning 6502 assembly - it's not as hard as it seems. ;)

Alpdrucken

Re: SMB Infinite Lives HEX?
« Reply #9 on: July 01, 2019, 10:14:18 am »
Thanks for the reply! Really interesting stuff! I was in fact noticing that if I set the number of lives to 0 or a number higher than 199 I can still get a game over. So is there a way to set the lives to 0 (just for aesthetic purposes) but not get a game over after a death? Is it by changing BPL $91E9 to something like BRA? And if yes, how would I write that in hex? Also I haven't messed around with the other ROM addresses listed above except the first one (31E9, 51E9, 71E9). What do those do? Finally, is there a way to shorten the death time?
« Last Edit: July 01, 2019, 11:13:05 am by Alpdrucken »

Psyklax

Re: SMB Infinite Lives HEX?
« Reply #10 on: July 03, 2019, 05:09:48 am »
> So there is a way to set the lives to 0 (just for aesthetic purposes) but not get game over after a death? Is it by changing BPL $91E9 to something like BRA? and if yes, how would i write that in hex?

First of all, there is no such operation as BRA, so I'm not sure what you're asking here. Maybe you mean JMP, which means to jump to another place in the code, rather than branch, which is going down a path, but specifically one that is relative to the current position (and not far away). You could use a branch instruction based on a value that you know will be always true (6502 assembly has no "branch always" operation).

Are you saying you want the lives to be zero on-screen but you have infinite lives? Well, sure, that's two different things. First, do what you're already doing: AD in $11E9, which means the game will never subtract lives. Second, go to $84C in the ROM.

What the game does is load what we have in our lives counter at $75A, and adds one to it, before storing that in RAM in order to write it to the screen (because the game sees three lives as 02, but the graphic tiles of 0 to 9 go from 00 to 09). How to fix it at zero? There are a couple of approaches here, but the simplest is to change AD 5A 07 (LDA $075A) to A9 00 (LDA #$00). This always loads zero instead of the contents of the lives counter. Of course, we still have the adding instruction, plus this is just two bytes instead of three, so we can put a bunch of NOPs (no operation), so the new code goes from
AD 5A 07 18 69 01
to
A9 00 EA EA EA EA
but this is a bit ugly, maybe there's a simpler option? Well, as an early NES game, SMB doesn't use a memory mapper. Therefore, the entire game is accessible to the CPU all the time. So maybe if we just tell the game to load FF from ROM, it'll add 1 to it and become zero? A quick search finds an FF at $8008, so change AD 5A 07 to AD 08 80 (least significant byte first, which is why 08 comes before 80). With this two byte change, the game always loads FF, adds 1 to take it to 00, and puts it on the screen. Simple! :)

> Also I haven't messed around with the other rom addresses listed above except the first one (31E9, 51E9, 71E9). What do those do?

They're irrelevant: the thing with Game Genie codes is that they find an address and put a new value there, but as I said about NES games, they use memory management controllers to swap the memory banks, meaning the address $91E9, for example, could refer to lots of different actual addresses in the ROM, depending on which bank is accessible at that moment. SMB doesn't use an MMC, so $91E9 will always be $11F9. Six-digit Game Genie codes don't include 'compare' bytes, where the Game Genie looks at that address and checks it's the correct one by comparing what it finds to the actual data: if it's looking for CE and finds AD, it won't apply the patch, but if it finds CE, it will.

> FInally, is there a way to shorten the death time?

Not sure what you mean by this - I assume you mean cut out the whole bit with your lives displayed - but anything is possible in ROM hacking. This is a bit more advanced, though. :)
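As an added illustration of what the two replies above describe (this is not FCEUX's or the Game Genie's own code), the script below decodes a six-letter Game Genie code into a CPU address and value, lists every iNES file offset the address could land on if the cart swapped 8 KB pages (the list FCEUX shows), picks the single correct offset for a mapper-less game, and applies the patch with an optional compare byte, the check six-letter codes lack. Assumptions: SXIOPO is the well-known SMB infinite-lives code, and the ROM image is a constructed stand-in with a DEC $075A planted at the lives-decrement spot, not the real game.

```python
# Added example: decode a six-letter NES Game Genie code and map it onto a
# mapper-0 (NROM) iNES image. Not FCEUX code; ROM contents are constructed.

GG_ALPHABET = "APZLGITYEOXUKSVN"   # each letter encodes one 4-bit nibble
INES_HEADER_LEN = 16
PRG_BASE = 0x8000                  # PRG ROM sits at $8000-$FFFF on the CPU bus


def decode_gg(code):
    """Return (cpu_address, value) for a six-letter code using the published
    Game Genie bit layout. Six-letter codes carry no compare byte."""
    code = code.upper()
    if len(code) != 6 or any(c not in GG_ALPHABET for c in code):
        raise ValueError("expected a six-letter Game Genie code")
    n = [GG_ALPHABET.index(c) for c in code]
    address = (PRG_BASE | ((n[3] & 7) << 12) | ((n[5] & 7) << 8)
               | ((n[4] & 8) << 8) | ((n[2] & 7) << 4) | ((n[1] & 8) << 4)
               | (n[4] & 7) | (n[3] & 8))
    value = ((n[1] & 7) << 4) | ((n[0] & 8) << 4) | (n[0] & 7) | (n[5] & 8)
    return address, value


def candidate_offsets(cpu_address, prg_size):
    """File offsets the address could hit if the cart swapped 8 KB banks:
    one candidate per 8 KB page, which is why a bank-switched game is ambiguous."""
    page_offset = cpu_address & 0x1FFF
    return [INES_HEADER_LEN + page + page_offset
            for page in range(0, prg_size, 0x2000)]


def nrom_offset(cpu_address):
    """Without a mapper the mapping is fixed: CPU $8000 is file offset 16."""
    return cpu_address - PRG_BASE + INES_HEADER_LEN


def apply_patch(rom, cpu_address, value, expect=None):
    """Write value at the NROM offset. With expect set, behave like a code with
    a compare byte and refuse when the byte there is not the expected one."""
    off = nrom_offset(cpu_address)
    if expect is not None and rom[off] != expect:
        raise ValueError("compare mismatch at 0x%04X: found %02X" % (off, rom[off]))
    patched = bytearray(rom)
    patched[off] = value
    return bytes(patched)


def make_test_rom():
    """Constructed 32 KB PRG + 8 KB CHR image (not the real SMB ROM) with a
    DEC $075A (CE 5A 07) planted where the lives decrement would be."""
    header = b"NES\x1a" + bytes([2, 1]) + bytes(10)   # 2 x 16 KB PRG, 1 x 8 KB CHR
    prg = bytearray(0x8000)
    prg[0x11D9:0x11DC] = b"\xCE\x5A\x07"               # dec NumberofLives
    return header + bytes(prg) + bytes(0x2000)


if __name__ == "__main__":
    addr, val = decode_gg("SXIOPO")
    print("SXIOPO -> $%04X:%02X, candidates %s" % (addr, val,
          ["%04X" % o for o in candidate_offsets(addr, 0x8000)]))
    rom = apply_patch(make_test_rom(), addr, val, expect=0xCE)
    print("patched bytes:", rom[nrom_offset(addr):nrom_offset(addr) + 3].hex())
```

After the patch the three bytes at the NROM offset read AD 5A 07, i.e. LDA $075A in place of DEC $075A, which is exactly the change the thread walks through; the compare check refuses to re-apply the code to an already patched image.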

Alpdrucken

Re: SMB Infinite Lives HEX?
« Reply #11 on: July 03, 2019, 06:25:44 am »
Thanks a lot! That makes so much sense once I see how it should be done :crazy:
Yeah, since I'm doing a hard hack, I'd like to skip the falling animation when Mario dies, just like what SMW and SMB3 hacks do, but after looking for it both online, in the cheat search and the disassembly I think there's no easy way to do it; I'd need an ASM patch I suppose. There's no direct information about the death animation in the disassembly AFAIK.
One last question: is it possible to remove the MARIO text on top, the points and coin number and icon?
« Last Edit: July 03, 2019, 07:05:30 am by Alpdrucken »

FAST6191

Re: SMB Infinite Lives HEX?
« Reply #12 on: July 03, 2019, 07:51:06 am »
An assembly hack would be the cleanest way to remove the animation (I should note again that Super Mario is a popular game and is one of the few to have received a fully commented disassembly https://gist.github.com/1wErt3r/4048722 ) but when doing speed hacks normally I occasionally like to chop out steps of animations if it is a list of them. Line 5636 being where I would start following the trail, though I should also note the word killed is used rather than player death (which also had things).

As for removing stuff on the top then it is probably not something you can overwrite in a tile editor too easily, at least not without causing other problems (overwrite the coin up there and it will probably lose the coin in the game, and similarly blank the text out and you will probably not have a nice level title card, princess in other castle text or warp pipe text).
Assuming an analogue hack (aka piece of electrical tape) is not going to cut it then it will take something a bit more in depth, and looking at the disassembly (several lines of note but 1636 is probably a good jumping off point) it appears this is not one of those games with a nice animation format.

Alpdrucken

Re: SMB Infinite Lives HEX?
« Reply #13 on: July 03, 2019, 09:23:27 am »
A guy on another forum found it out for me: it's at $3075, change 69 B2 to CD 91; at $31A4, change E8 A4 0E C0 0B to A9 0B 85 0E 60.

:) thanks again everybody

« Last Edit: November 11, 2019, 11:55:33 am by Alpdrucken »