
Author Topic: Where to start when hacking a DS game

rodyt

  • Jr. Member
  • Posts: 6
Where to start when hacking a DS game
« on: August 01, 2020, 01:41:02 am »
I want to modify a tactical turn-based RPG released for the Nintendo DS, Super Robot Wars K. In this game, there are certain characters that only appear as enemies and are thus unplayable. I want to be able to use and control these characters by ROM hacking the game.

I am reading "GBA and DS ROM hacking guide" by Fast6191, but am lost as to what to do next.

What should I do?


Idea
I began by performing a RAM search for the enemy's name and its stats, but I'm inexperienced and didn't find much of use.
I'm thinking that I somehow need to pinpoint the character's memory address and from there, I might be able to do something.
The game stores a list of all playable characters somewhere in memory as well as flags for them to check if they have been unlocked by the player yet.
If I could somehow find this table and add another value to it, which points to the enemy character's memory address, I might be able to get the game to think that the enemy character is unlockable too.



Other Issues
A topic on another forum about the game mentions other issues when trying to modify it:

1. The game sets a cap on the number of playable characters in the game
2. Using enemy characters in combat or deploying enemy units in certain scripted scenarios might cause the game to freeze
    2a. This means that I can only access the enemy character after I have finished a certain level.
3. Enemy characters do not have fixed stats like playable characters in this game do
    3a. This means that I have to manually assign the characters stats upon unlock

FAST6191

  • Hero Member
  • Posts: 2894
Re: Where to start when hacking a DS game
« Reply #1 on: August 01, 2020, 09:36:43 am »
The trouble with trying to control NPCs/enemies in game is there may be lacking data for them (either in towns or in battle) and you might get to then remake it all. Sometimes easier with 3d stuff but not always.

Anyway, either a map editor or a character selection cheat would be the paths to look at, assuming a simple sprite swap is not going to do it, which I doubt it will for this one.

Enemy name and stats search is likely only of use if you want to edit those with them as an enemy, saving that you write down their stats to insert when you remake them as a playable character.

2a. Depends what caused the issue. A freeze can be any number of things but usually either bad/incomplete data set or the game has some logic it tries to use but seeing something it does not expect it panics.

Back on topic.
Many times the characters and NPCs in a game like this (or fighting games) will be a normal character but never able to be selected in the normal menu or not ever set by the maps the devs make (save maybe a bonus map). For most normal purposes this means no playing as an enemy.
You then want to make a character selection cheat. Sometimes you can do this at a menu, sometimes you can do it at a menu but have to press select (no need to start a mission), sometimes you will need to select at a menu and start a mission/fight. You find this the same way you find most cheats -- search, change, search again, repeat, maybe throw in a round of keep it the same and search for what stayed the same to eliminate some things until you find it.
If you do have to set stats it might be a simple option of selecting available moves, stats and the selected character is little more than a trigger for what portrait to shove on screen.


Map hacks are just that and you then want to hack the map/scenario layout and go from there. Turn based strategy games are usually not so bad for learning to hack on, especially if some existing editors might be available or if the game allows you to save scenarios.
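The "search, change, search again, repeat, maybe throw in a round of keep it the same" loop above is exactly what an emulator's RAM search automates. The following is an added example, not code from the thread or from any tool it names: it applies the same equal / changed / unchanged filters to constructed 1 KB snapshots that stand in for the DS main RAM (which really sits at 0x02000000 and is 4 MB). The offsets, HP values and frame counter in it are made up for illustration. It also shows the unknown-value variant (changed between two snapshots, unchanged between two others) for a stat you cannot type in directly.

```python
"""Snapshot-based RAM search: equal / changed / unchanged filters.

Added example; the snapshots are constructed, not dumped from a game.
"""
import random
from typing import List, Set, Tuple

RAM_BASE = 0x02000000   # DS main RAM base; snapshot offset 0 is mapped here
WIDTH = 2               # search 16-bit values, little-endian as on the DS


def read(snapshot: bytes, offset: int, width: int = WIDTH) -> int:
    return int.from_bytes(snapshot[offset:offset + width], "little")


def all_offsets(snapshot: bytes, width: int = WIDTH) -> Set[int]:
    # Before the first filter every aligned offset is a candidate
    return set(range(0, len(snapshot) - width + 1, width))


def keep_equal(cands: Set[int], snap: bytes, value: int) -> Set[int]:
    return {o for o in cands if read(snap, o) == value}


def keep_changed(cands: Set[int], before: bytes, after: bytes) -> Set[int]:
    return {o for o in cands if read(before, o) != read(after, o)}


def keep_unchanged(cands: Set[int], before: bytes, after: bytes) -> Set[int]:
    return {o for o in cands if read(before, o) == read(after, o)}


def narrow(snapshots: List[bytes], steps: List[Tuple]) -> List[int]:
    """Apply filters in order. A step is ('equal', i, value),
    ('changed', i, j) or ('unchanged', i, j); i and j index snapshots.
    Returns the surviving absolute addresses."""
    cands = all_offsets(snapshots[0])
    for kind, *args in steps:
        if kind == "equal":
            cands = keep_equal(cands, snapshots[args[0]], args[1])
        elif kind == "changed":
            cands = keep_changed(cands, snapshots[args[0]], snapshots[args[1]])
        elif kind == "unchanged":
            cands = keep_unchanged(cands, snapshots[args[0]], snapshots[args[1]])
        else:
            raise ValueError(f"unknown step {kind!r}")
    return sorted(RAM_BASE + o for o in cands)


# --- constructed snapshots (hypothetical layout, not real game data) ---
HP_OFF, DECOY_OFF, FRAME_OFF = 0x130, 0x200, 0x010


def make_snapshot(hp: int, frame: int, size: int = 1024) -> bytes:
    rng = random.Random(1234)   # same seed => identical filler in every snapshot
    buf = bytearray()
    for _ in range(size // 2):
        # filler words >= 0x8000 so none of them look like a plausible HP value
        buf += rng.randrange(0x8000, 0x10000).to_bytes(2, "little")
    buf[FRAME_OFF:FRAME_OFF + 2] = frame.to_bytes(2, "little")   # changes every snapshot
    buf[HP_OFF:HP_OFF + 2] = hp.to_bytes(2, "little")            # the value we want
    buf[DECOY_OFF:DECOY_OFF + 2] = (4000).to_bytes(2, "little")  # constant equal to starting HP
    return bytes(buf)


# snapshot 0: idle at 4000 HP; snapshot 1: a little later, still 4000;
# snapshot 2: after taking 800 damage
SNAPS = [make_snapshot(4000, 100), make_snapshot(4000, 160), make_snapshot(3200, 220)]


def find_hp_known_value() -> List[int]:
    # The HP is on screen, so search for its number, keep what stayed the
    # same while nothing happened, then search for the new number.
    return narrow(SNAPS, [("equal", 0, 4000), ("unchanged", 0, 1), ("equal", 2, 3200)])


def find_hp_unknown_value() -> List[int]:
    # Same result without ever typing a number: changed across the damage,
    # unchanged across the idle period (this drops the frame counter).
    return narrow(SNAPS, [("changed", 0, 2), ("unchanged", 0, 1)])


if __name__ == "__main__":
    print([hex(a) for a in find_hp_known_value()])
    print([hex(a) for a in find_hp_unknown_value()])
```

The decoy constant survives the first equal-to-4000 search and is only eliminated once the value is changed and searched again, which is why one search is rarely enough; the "keep it the same" round is what removes counters and timers that happen to change whenever you take a snapshot.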

rodyt

  • Jr. Member
  • Posts: 6
Re: Where to start when hacking a DS game
« Reply #2 on: August 01, 2020, 05:31:22 pm »
The man himself!  :o

Using your tips, I was able to modify one of my characters to turn into somebody else in the middle of a mission by modifying a value in memory (i.e. the value 33 in hex meant character A, changing to 34 meant character B, etc.).
The issue arises in persisting these changes between individual levels, as once the level is exited, the character reverts to what it was before.

Playable characters are stored next to each other in memory. For example, 0x21CB730 is the flag to see if a certain character has been unlocked in the story already (where 0 == false, and 1 == true). The next playable character is offset by 80 in memory (or 50 in hex). So, the next character's unlock flag would be located at 0x21CB780. The character's attack, accuracy, etc. are likely stored contiguously to the unlock flag's address (i.e. 0x21CB781, 0x21CB782). The problem is in the first word of this paragraph, playable.

I have no idea where unplayable characters are stored (they seem to be stored elsewhere). I need to somehow find the location of these characters in memory and convince the game that they are in fact "playable", so they will show up in the characters list during intermissions. There isn't exactly anything I can use to input values and test for the addresses of these unplayable characters though, so I'm stuck on what to do next.
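The two figures in the post above (first unlock flag at 0x21CB730, next playable character 0x50 bytes later) describe a table of fixed-size records, and treating it as one makes the remaining work mechanical. The following is an added example, not code from the thread: it maps any address back to (record, field offset), projects a field found for one character onto every other character, and diffs one record between two snapshots to see which bytes moved. The field offsets inside a record and the memory contents are constructed for illustration; only the base address and stride come from the post.

```python
"""Walking a table of fixed-size character records.

Added example. TABLE_BASE and RECORD_SIZE are the figures quoted in the
thread; everything else (HP field offset, dump contents) is made up.
"""
from typing import Dict, List, Optional, Tuple

TABLE_BASE = 0x021CB730   # unlock flag of the first playable character (from the post)
RECORD_SIZE = 0x50        # distance to the next character's unlock flag (from the post)


def locate(addr: int) -> Optional[Tuple[int, int]]:
    """Map an absolute address to (record index, offset inside the record)."""
    rel = addr - TABLE_BASE
    if rel < 0:
        return None
    return divmod(rel, RECORD_SIZE)


def same_field_in_all(addr: int, count: int) -> List[int]:
    """Given one character's field, return that field for every record:
    this is what 'stored next to each other in memory' buys you."""
    loc = locate(addr)
    if loc is None:
        raise ValueError(f"{addr:#x} is below the table")
    _, field_off = loc
    return [TABLE_BASE + i * RECORD_SIZE + field_off for i in range(count)]


def record_bytes(dump: bytes, dump_base: int, index: int) -> bytes:
    start = TABLE_BASE + index * RECORD_SIZE - dump_base
    return dump[start:start + RECORD_SIZE]


def unlock_flags(dump: bytes, dump_base: int, count: int) -> List[int]:
    # Byte 0 of each record is the unlock flag (0 == locked, 1 == unlocked)
    return [record_bytes(dump, dump_base, i)[0] for i in range(count)]


def record_diff(before: bytes, after: bytes, dump_base: int,
                index: int) -> Dict[int, Tuple[int, int]]:
    """Byte offsets inside one record that differ between two snapshots,
    e.g. after a unit took damage: {offset: (old, new)}."""
    a = record_bytes(before, dump_base, index)
    b = record_bytes(after, dump_base, index)
    return {off: (x, y) for off, (x, y) in enumerate(zip(a, b)) if x != y}


# --- constructed dump covering 4 records; all values are made up ---
DUMP_BASE = 0x021CB700   # the dump starts a little before the table
HP_FIELD = 0x12          # hypothetical offset of a 16-bit current-HP field


def make_dump(hps: List[int], flags: List[int]) -> bytes:
    img = bytearray((TABLE_BASE - DUMP_BASE) + RECORD_SIZE * len(hps))
    for i, (hp, flag) in enumerate(zip(hps, flags)):
        rec = TABLE_BASE - DUMP_BASE + i * RECORD_SIZE
        img[rec] = flag
        img[rec + HP_FIELD:rec + HP_FIELD + 2] = hp.to_bytes(2, "little")
    return bytes(img)


BEFORE = make_dump([4000, 4000, 2500, 6000], [1, 1, 0, 0])
AFTER = make_dump([4000, 3200, 2500, 6000], [1, 1, 0, 0])   # character 1 took 800 damage

if __name__ == "__main__":
    print(locate(0x021CB781))                              # (1, 1): record 1, byte 1
    print([hex(a) for a in same_field_in_all(0x021CB781, 3)])
    print(unlock_flags(BEFORE, DUMP_BASE, 4))
    print({hex(k): v for k, v in record_diff(BEFORE, AFTER, DUMP_BASE, 1).items()})
```

The diff reports two adjacent bytes (0x12 and 0x13) changing together, which is how a 16-bit field announces itself in a byte-level view; a 32-bit field would show up to four. Once a field offset is known for one record, `same_field_in_all` gives the addresses to watch for every other character without another search.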

FAST6191

  • Hero Member
  • Posts: 2894
Re: Where to start when hacking a DS game
« Reply #3 on: August 02, 2020, 10:03:21 am »
If you have a character swap code then you have a wonderful start to figure things out. Alas you have just jumped into the deep end, which is to say assembly in your future here, and the only way forward if pushing random values into the game to see what happens only yields playable (or maybe playable that have already been loaded).

Unplayable may well be separate concepts entirely -- there are valid reasons to just gate things off and there are valid reasons to kick the unplayable characters to something else entirely. If the latter then you might have to settle for a sprite and stats hack (possibly also text) as more of a visual swap than a working within the engine unlock. The game itself can provide clues if you have things like bonus missions where you play as the other side as it were but still functionally as the same game but I assume you would have led with that one.

Anyway break on read (bpr) or maybe break on write (bpw) to that area in something like no$gba debug and see what tickles it (if it changes between levels, and you don't simply want to make a cheat, then start the search before that/as one finishes and then watch it go). From there you can figure out its handling of things and whether you have scope to unlock things, or how much you might have to do as part of it.

rodyt

  • Jr. Member
  • Posts: 6
Re: Where to start when hacking a DS game
« Reply #4 on: August 07, 2020, 11:26:18 pm »
Thanks for all the help so far.

I'm running into a bit of an issue. If I input certain Action Replay codes, I am able to modify parts of the character. However, if I use the game's save feature, and then I try to load from the save, I get all sorts of bugs, ranging from different characters being loaded to incorrect stats, to even the whole save file being corrupted. For example, I have character #0004 located at position (x,y), and after the save, it is character #003. Another character's HP, which should be 6000, is now ~18000 after loading from the save.

From my research, it seems that I need to do a "pointer scan" instead of modifying "dynamic" addresses, but as far as I can tell, there is no option to do this in DeSmuME. What can I do next?

Another issue I run into a lot is trying to locate values in memory that I can't modify. For example, let's say a character's Max HP is 4000. There is no way for me to edit this value in-game. Using the RAM search feature, I can only narrow it down to about 100~200 values. It makes it quite time consuming to have to manually test each of these addresses. Any tips on how I can narrow down my options further?
« Last Edit: August 07, 2020, 11:43:30 pm by rodyt »

FAST6191

  • Hero Member
  • Posts: 2894
Re: Where to start when hacking a DS game
« Reply #5 on: August 08, 2020, 04:04:14 am »
Pointers you say.

General idea is old school games programming (and programming in general) had the programmer map out all that is going to happen in memory and play to that. Nightmare if you decide you want a bit more, and also have to handle removing things from memory if you want to use that for something else.
Compilers and higher level programming languages abstract this away so now the programmer says I need this much memory and the compiler gives it to them, and then release it, and maybe a bit more if needed later (failing to say you are done with memory, and programs asking for more and more is the basis of memory leaks or why most browsers gobble all the RAM).

The DS was very much in the latter approach to the world. This does however come with the downside that you can never be sure where something will land in memory as something else might have happened before. It can also be a type of anti cheat but I doubt it is here.

Anyway I am not sure what pointer finding tools are being used these days by DS cheat makers. Normally though you would feed them memory dumps/savestates, the location that you found the data in their respective runs and it would search for (while the data itself may change location there will eventually*) anything that pointed to the locations between the runs -- you can add 10 pages to a book which might change a lot of page numbers but if the chapter count is the same then the position in the contents page is still going to be the same and changing each time. You can do this manually if you really want, and you can play debugger too (the game does not know and might have to calculate every time).

*for the average intro to C programming type course one of the exam questions is often a monster pointer some 20 odd pointer to pointer to pointer deep. For the DS it is usually one and done but you might get to two, and I believe I once heard of three pointers deep.

That would also explain corrupted saves, odd stat restore and other characters being in places -- if all the characters are so much before or after the other and using roughly the same format then the cheat not knowing any better will possibly create a valid state, even if it is not the one you want. Added bonus here if they are that close/commonly that close together you might be able to simply open the memory up and watch -- human eyes trying to spot something shuffled 10 or so bytes forwards or back from the baseline is easier than getting a cheat program to do the searches.

Max health wise. Do be reasonably sure it is its own value -- many games will have a calculated value (think level times whatever, or constitution times whatever), though it might only calculate after battle, when loading the game in or upon level up. Assuming it is a standalone value then if you don't want to jump right into debugging then you might try either putting experience as 1 below a level and gaining that in battle or whatever, or changing equips or spells that change max HP (though you say there are none here) and searching accordingly. The example with pointers making things tricky above also demonstrates another common trait -- game values are usually stored near each other so look around where things are at and you might find something, I usually use it more for inventory cheats (the one rare pickup might be next to the common as dirt thing I get all the time) but it could also do something here. Might not be the case but if you are at max health then whatever that value is, if there is another value the same as that (and other characters have similar things) then you might have what you want.

Personally I would go for debugging, though it is a harder approach. Find the regular HP and then start doing potions/repairs. Might vary if a game allows you to infinitely use such things vs "they are already at full health", though in that case you might as well just set the HP to one below current max or something and have the best of both worlds. Somewhere in the instructions preceding the write to HP location will be some check on max health (be it to set a value or check if it is a "you are already at full HP" type scenario).
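The pointer scan described above (feed in dumps from several runs plus the address the data was found at in each run, then look for something that pointed at it every time) is short enough to write by hand, and the footnote about pointer-to-pointer chains falls out of the same search applied recursively. The following is an added example, not code from the thread or from any cheat tool: two constructed 4 KB images stand in for main RAM in two runs where the character block landed at different addresses, and the scan recovers the static pointer chain that reaches the HP field in both. The layout (a static pointer at 0x02000020, a "manager" struct, a stale decoy pointer) is invented for illustration.

```python
"""Pointer scan across two memory dumps, with multi-level chains.

Added example. A chain is (static_addr, [off_1, ..., off_n]) and is resolved as
  addr = static_addr; for off in offsets: addr = read32(addr) + off
so the final addr is the data location, not a pointer to it.
"""
from collections import defaultdict
from itertools import product
from typing import Dict, List, Set, Tuple

RAM_BASE = 0x02000000   # DS main RAM; dump offset 0 is mapped here


def read32(dump: bytes, offset: int) -> int:
    return int.from_bytes(dump[offset:offset + 4], "little")


def pointers_to(dump: bytes, target: int, max_off: int) -> Dict[int, Set[int]]:
    """Every aligned word whose value lands within max_off bytes before
    target, grouped as {offset: {dump positions}}."""
    found: Dict[int, Set[int]] = defaultdict(set)
    for p in range(0, len(dump) - 3, 4):
        off = target - read32(dump, p)
        if 0 <= off <= max_off:
            found[off].add(p)
    return found


def scan_chains(dumps: List[bytes], targets: List[int],
                max_off: int = 0x100, depth: int = 2) -> List[Tuple[int, List[int]]]:
    """Find pointer chains that reach targets[i] in dumps[i] for every i.
    depth=1 is a plain pointer scan; deeper levels treat each run's
    candidate pointer as the next thing to search for."""
    per_run = [pointers_to(d, t, max_off) for d, t in zip(dumps, targets)]
    common_offs = set.intersection(*(set(r) for r in per_run))
    chains: List[Tuple[int, List[int]]] = []
    for off in sorted(common_offs):
        # a pointer at the same position in every run with the same offset is static: done
        static = set.intersection(*(r[off] for r in per_run))
        for p in sorted(static):
            chains.append((RAM_BASE + p, [off]))
        if depth > 1:
            # positions that differ per run are themselves dynamic; go one level up
            dynamic = [sorted(r[off] - static) for r in per_run]
            for combo in product(*dynamic):
                for base, offs in scan_chains(dumps, [RAM_BASE + c for c in combo],
                                              max_off, depth - 1):
                    chains.append((base, offs + [off]))
    return chains


def resolve(dump: bytes, chain: Tuple[int, List[int]]) -> int:
    addr, offsets = chain
    for off in offsets:
        addr = read32(dump, addr - RAM_BASE) + off
    return addr


# --- constructed dumps: layout invented for illustration ---
def put32(img: bytearray, off: int, value: int) -> None:
    img[off:off + 4] = value.to_bytes(4, "little")


def build_dump(block: int, manager: int, hp: int) -> bytes:
    img = bytearray(0x1000)
    put32(img, 0x20, RAM_BASE + manager)          # static pointer to a manager struct
    put32(img, 0x80, RAM_BASE + 0x300)            # decoy: stale value that only fits run 1
    put32(img, manager + 0x08, RAM_BASE + block)  # manager+8 points at the character block
    img[block + 0x24:block + 0x26] = hp.to_bytes(2, "little")  # HP lives at block+0x24
    return bytes(img)


# run 1 and run 2: the heap shuffled, so block and manager moved
DUMPS = [build_dump(0x300, 0x500, 4000), build_dump(0x3B0, 0x560, 4000)]
# where a RAM search found the HP in each run
TARGETS = [RAM_BASE + 0x324, RAM_BASE + 0x3D4]

if __name__ == "__main__":
    for base, offs in scan_chains(DUMPS, TARGETS):
        print(f"[{base:#010x}] " + " ".join(f"+{o:#x}" for o in offs))
        print([hex(resolve(d, (base, offs))) for d in DUMPS])
```

With `depth=1` the scan finds nothing here: the only direct pointer to the block lives inside the manager struct, which moved too, and the decoy at 0x80 points at the old location so its offset differs between runs. At depth 2 the single surviving chain is static 0x02000020, +0x08, +0x24, and resolving it in each dump lands on the HP address found in that run. A cheat built on that chain keeps working when the block moves, where a cheat on the raw address writes into whatever happens to be there, which is the corrupted-save behaviour described above.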

rodyt

  • Jr. Member
  • Posts: 6
Re: Where to start when hacking a DS game
« Reply #6 on: August 09, 2020, 04:24:46 am »
Thanks for an amazing write-up. :)

After a little more trial-and-error, it seems that the memory location for the character is always located at the same address in memory across different saves. However, it appears that when I turn on cheats, and then save and load, the incorrect values are being written to each memory address.

You were correct about the part where the cheat accidentally creates a valid state. Particularly, in my case, replacing the character ID in memory with "002D" just happened to shift the values the right amount to maintain a valid state. However, it appears that after loading, the Current HP for every character on the battlefield has been "replaced" by the HP of the character located 2 IDs after its own ID. It's almost as if all the HP values were "shifted" somehow...

A valid game state is definitely the exception and not the norm, and I tried several more values, such as "000A" and "002E", which all created invalid save states that wouldn't even load. Other times, the game loaded properly, but the effect was much more subtle, such as changing the accuracy value of certain attacks.

I was unable to find some sort of pattern between the character ID value I replaced with, and the loaded game's state.