
Author Topic: How to find ROM Address  (Read 1174 times)

ilikesquareenix

How to find ROM Address
« on: December 15, 2020, 05:17:42 am »
Hello! I want to make an "unlimited continues hack" for SEGA's Snake Rattle 'n' Roll. I found the FF0BC0 address with the Gens r57shell mod "RAM SEARCH" utility. And now I don't know how to find the address in the ROM file. I am trying to do it with the "M68k Debug" tool, but I can't find it.

FAST6191

Re: How to find ROM Address
« Reply #1 on: December 15, 2020, 08:58:36 am »
What you are effectively doing is hardpatching a cheat.

You have two main approaches.

1) In the vblank routine (or just some other routine that runs a lot) you set the continues number in RAM to some number. This means every frame it will set the continues number to whatever you tell it to. Thus you have infinite.

2) You set a break on read (or maybe break on write) to the RAM address you found. Whatever comes to read that number you then change to stop it subtracting one, or you tell it to ignore the results of the compare it will probably do to check whether you have any continues left (though this might see you go negative continues and be troubled that way if you don't also change the thing that removes it).

The third is kind of a combination of the two. Here you would do something like set the initial value to 99 or something and hopefully that would be enough. For this I would still set a breakpoint on the RAM location but boot the game up. Presumably fairly early on, or maybe after you started the game, it will write the first value to it. If, rather than 3 or whatever it is initially set to, you put said 99 in, then while it is not technically infinite it is good enough for most purposes.

If doing 2) then do see about using continues every way you can -- I don't know the game but if there is a continue mid level, a continue caused by something else and a continue from something else again then they might do it a different way. Normally when I describe how to hardpatch cheats I might use infinite lives in a platformer -- enemies, falling off the level, hazards, time and pickups might all do different things.
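The breakpoint approach above needs a debugging emulator. As a static complement, here is an added Python example (not code from the thread or from any of the posters) that scans a ROM dump for 68000 instructions naming the RAM address as an absolute-long operand and reports where each instruction starts, which is the offset you would patch or set a breakpoint on. The address $FF0BC0 comes from the first post; the opcode table is assumed from the 68000 encoding rules, and the sample ROM bytes are constructed here, not taken from Snake Rattle 'n' Roll.

```python
"""Find where a Mega Drive/Genesis ROM touches a work-RAM address.

Added example, not from the thread. Given the RAM address from a cheat
search ($FF0BC0 here), scan a headerless big-endian ROM dump for 68000
instructions that use it as an absolute-long operand ($00FF0BC0). Code
that reaches RAM through an address register (lea $FF0000,a5 then
d16(a5)) or a pointer table is not found this way; use the debugger.
"""
import struct

RAM_ADDR = 0x00FF0BC0  # found with the Gens r57shell mod RAM search

# opcode word -> (mnemonic, byte offset of the abs.l operand inside the
# instruction). abs.l as the only effective address is mode 111, reg 001,
# i.e. the low six opcode bits are 0x39. Assumed from the 68000 manual.
OPS = {
    0x5339: ("subq.b #1,(abs).l", 2),
    0x5379: ("subq.w #1,(abs).l", 2),
    0x5239: ("addq.b #1,(abs).l", 2),
    0x5279: ("addq.w #1,(abs).l", 2),
    0x4A39: ("tst.b (abs).l", 2),
    0x4A79: ("tst.w (abs).l", 2),
    0x4239: ("clr.b (abs).l", 2),
    0x1039: ("move.b (abs).l,d0", 2),
    0x13C0: ("move.b d0,(abs).l", 2),
    0x0C39: ("cmpi.b #imm,(abs).l", 4),  # immediate word precedes the address
    0x0C79: ("cmpi.w #imm,(abs).l", 4),
    0x13FC: ("move.b #imm,(abs).l", 4),
    0x33FC: ("move.w #imm,(abs).l", 4),
    0x23FC: ("move.l #imm,(abs).l", 6),  # 32-bit immediate precedes the address
}


def word(rom: bytes, off: int) -> int:
    """Big-endian 16-bit word at a file offset."""
    return struct.unpack_from(">H", rom, off)[0]


def classify(rom: bytes, hit: int):
    """Return (instruction offset, mnemonic) if a known opcode precedes the
    operand at `hit`, else (None, None): data, or a form not in OPS."""
    for opcode, (mnemonic, disp) in OPS.items():
        start = hit - disp
        if start >= 0 and word(rom, start) == opcode:
            return start, mnemonic
    return None, None


def find_references(rom: bytes, addr: int):
    """Every word-aligned occurrence of the address, as (hit, start, mnemonic)."""
    needle = struct.pack(">I", addr)
    hits = []
    pos = rom.find(needle)
    while pos != -1:
        if pos % 2 == 0:  # 68000 code is word aligned; odd hits are data
            start, mnemonic = classify(rom, pos)
            hits.append((pos, start, mnemonic))
        pos = rom.find(needle, pos + 1)
    return hits


def build_sample_rom() -> bytes:
    """Constructed ROM: 512-byte header area, then a few instructions."""
    code = bytes.fromhex(
        "13FC 0003 00FF0BC0"  # $200: move.b #3,($FF0BC0).l  ; starting continues
        "4E75"                # $208: rts
        "4A39 00FF0BC0"       # $20A: tst.b ($FF0BC0).l      ; any left?
        "6706"                # $210: beq.s $218             ; none -> bail out
        "5339 00FF0BC0"       # $212: subq.b #1,($FF0BC0).l  ; spend one
        "4E75"                # $218: rts
        "00FF0BC0"            # $21A: pointer-table entry, not code
    )
    return bytes(0x200) + code


if __name__ == "__main__":
    for hit, start, mnemonic in find_references(build_sample_rom(), RAM_ADDR):
        if start is None:
            print(f"{hit:06X}: operand found, no known opcode before it")
        else:
            print(f"{hit:06X}: {mnemonic:<22} instruction starts at {start:06X}")
```

A hit with no known opcode before it is not necessarily data; it may be an instruction form the table does not cover, so decode the preceding bytes by hand or confirm it with a break-on-read in the debugger before patching. The `subq.b #1` hit is the decrement FAST6191 talks about; the `move.b #3` hit is where the initial value (option 3 above) would be changed.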

FUTURA

Re: How to find ROM Address
« Reply #2 on: December 15, 2020, 12:23:47 pm »
Hello! I want to make an "unlimited continues hack" for SEGA's Snake Rattle 'n' Roll. I found the FF0BC0 address with the Gens r57shell mod "RAM SEARCH" utility. And now I don't know how to find the address in the ROM file. I am trying to do it with the "M68k Debug" tool, but I can't find it.

I can do this for you. I have made IPS patch files for the Mega Drive/Genesis game ROM that can be applied permanently to the ROM file using Lunar IPS program, which you can get here: https://www.romhacking.net/utilities/240/

There are IPS patch files for each of the following options:

Start with 9 Lives and 9 Credits
Infinite Lives
Infinite Credits (Continues)
Infinite Time (Seconds)
Infinite Time (Minutes)
Almost Invincible after hit
Almost Invincible
Shark Never Comes

You can apply any or all of them to the main ROM itself. I only tested Infinite Credits which works fine in my PC emulator. The other cheats should work fine as well in that case.

It is important you read the README file for these IPS patches, so you know which version of the ROM the patches work with.

https://www.mediafire.com/file/11nlugf15mqgpdw/SRNR.zip/file

Enjoy!
« Last Edit: December 15, 2020, 01:07:30 pm by FUTURA »
Super Sonic Speed!

ilikesquareenix

Re: How to find ROM Address
« Reply #3 on: December 16, 2020, 12:54:26 am »
Thank you very much! But I want to learn how to do it. Please tell me what program I can use to do infinite time, and how I can do it. You can answer me with a private message.
« Last Edit: December 16, 2020, 06:35:03 am by ilikesquareenix »

FAST6191

Re: How to find ROM Address
« Reply #4 on: December 16, 2020, 12:15:01 pm »
As above you are hardpatching a cheat.

You start by finding the RAM location (some might use saves but we will skip that for now) for the item you want or a related one*. Finding cheats is a field unto itself with much you can learn** but for the sake of having something https://web.archive.org/web/20080309104350/http://etk.scener.org/?op=tutorial
It is for the GBA but frankly it is not really any different whether you are on a VIC-20 or a modern PC, other than the modern PC maybe having things appear in different locations in memory where older stuff tends to be fixed.

*if I am doing an inventory cheat I will tend to make it for items I can easily buy, use and sell before turning around and using that info to locate the super rare only dropped one every 2000 battles end game sword or something.

** for instance there is a reason the vast majority of games you see a "moon jump" cheat for will have a double jump/jump in air feature. If you find where the game stores the "double jump has already happened" flag and set it to always be "has not yet happened" you get infinite double jumps and away you go. Most of the rest will be where you can have some jump/speed stat set ridiculously high or a gravity feature in the game itself rather than hardcoded every frame you move this much/speed up by this much.

Anyway from there you have RAM location(s) for what you want. As most systems don't allow you to edit RAM, or doing so is just annoying, you can see why converting it to something you can hardpatch as a ROM might be a better plan.

For newer systems then there are tools that will attempt to automatically patch things. These sorts of things are often harder, considered impossible short of AI or a lot of effort, to have as an automated tool for older systems though -- newer stuff in many ways is often a lot simpler than older stuff, has a lot more spare resources and might even have some things that make it even easier to work with. General cutoff here is anything older than the GBA or anything 16 bit and older will probably not see automated tools for this one and thus anybody that wants to do this will have to get their hands dirty, and even on the likes of the PS1 and N64 you will struggle to find tools as nice as some of those which later systems get.

As above you have two methods

1) You recreate what the average action replay/codebreaker/gameshark/... does and inject a small piece of code that runs every frame (on most systems every frame there will be a dedicated point in a game's operation to do things, typically this will go under the name vblank as in vertical blank which covers when things can happen for a screen but is also useful for simple cheats). This is also why some infinite health or whatever cheats might still see you be able to be one shot killed by a super powerful weapon -- if it takes all your health at once, or your health does not recover in time as it has to wait until next frame.
Find the vblank routine and do a simple memory write (will vary between systems as to what goes here -- some will have a dedicated method or two, others will be able to do it directly from normal instructions) to the RAM location. You can also do some more complicated logic in this like only when below a certain amount then set it high, or do things to work around crashes if you have cheats enabled but if you have them on with the opening credits or a certain point it crashes.

2) You edit the game itself.
Somewhere in the game will be a programming construction that runs something like
During vblank (or some other period, might be an interrupt)
Read health
IF health = 0 then jump to death routine
ELSE return to game.

There will be another for mana if casting a spell, bullets for a gun, potions if using those, money in a shop...
If you know the location from the RAM you get a debugging emulator (don't know what we are suggesting for the megadrive/genesis right now -- they tended not to be as well developed as the NES, SNES, GBA, DS and PC but still had something) and use breakpoints (possibly watchpoints) to monitor that area. Typically you will want break on read (bpr in most emulators) for things that you care about reading -- things like do you have enough money to buy this. For things that you care about decreasing (say lives when you die, HP when you get hit, mana when you do a spell, bullets...) you will probably be looking more at break on write.
There are other types of breakpoints (break on execute for example) but that is what the help files of such things are for.
Anyway set a breakpoint on the RAM address you found with a cheat search. Anything that reads or writes (depends what you set) that location will see the emulator say "hold up something just read/wrote this area" and list all that came before it. Part of this might be an addition or a subtraction and you can change that to be something you want, or just nothing at all (see "NOP" -- short for no operation, you basically overwrite an instruction with another that does nothing at all other than waste a cycle).
Other times will be something like above where it is IF ELSE, though in most assembly languages it will be a compare (CMP) and then a jump or a goto depending upon the results of the check. Here you can make it ignore the compare and always take the good path. While not strictly what you will be doing here then imagine if you had a save you edited, the save however contains some complicated maths function it does to make sure it is not changed from what the game originally wrote. You could find this complicated function out and replicate it, or you could edit the game so when it does this function and compares the result to what it expects then you basically make it always take the "it's fine" path even when it is not. Bonus there is the game next time it saves will probably fix the checksum/hash for you and thus make your edited save appear perfectly valid.
This also sees you never have to die, maybe even never have to have a hit register (and thus no knockback, no stopping firing, no reset of combo...) if you go back far enough.


-----


Infinite time is often a tricky thing to do in games as games might also use the time to decide behaviours in game (plenty of games might trigger something with only so many minutes to go, or simply only move enemies when the timer is changing), or letting it go over a limit might put you in a situation the game never expected (if the game only ever expects there to be 10 minutes on the clock then letting it go over might start overwriting more important things) but this is also where editing a ROM might prove to be easier by being able to dodge these. Other times people will do things like press this key combo to reset time, do this in game action to reset time or similar.
Nevertheless the basic approach is much like anything else in that you find the time location via the same thing you would use to find a health number/bar (do nothing else in the game but let time go on, search for a change, let time go on, search for a change...) and from there you figure out what goes and how you might twist it to your purposes.