NES| Need help figuring out how to move sprite to different spot on title screen

Started by MortalPixel, November 02, 2015, 11:02:18 PM

Previous topic - Next topic

MortalPixel

Hey, so this is the first time I'm posting, so please go easy on me.

I've been working on a Rom hack for a while. It started out as some basic sprite editing and text edits, but I started getting really into it, and I've been working on a custom title screen.

Right now, I've run into a snag because I can't figure out how to position an animated sprite on the title screen. I could just erase it... but I want it to actually still be a part of the screen but in a different location.

Can anyone give me some advice?

I've been using Fceux to get values and HxD as my hex editor. TileMolestor and some other programs.

The game is Mother 1/Earthbound Zero.

This is the first game I've actually hacked and I started getting my chops into the hacking scene. So I'm sure what I'm doing is very basic but I want to learn to get more into modifying data and other things.

KingMike

Practically every NES game (at least that I've seen) uses a $100 byte page of RAM (often page $02xx) store sprite data.
Each sprite is 4 bytes: Y, tile#, attributes, X.

I would use FCEX tracer. First, go to the titlescreen and see if you can eyeball in RAM where the sprite is (assuming there's only a few sprites on screen. Any unused sprite should have a Y value (that would be addresses $0x00, $0x04, $0x08, etc.) >= E0 (because that's effective off the bottom of the screen, thus invisible).
Say you found the sprite was at address $0240 and the Y-coordinate was 0x50.

I never did figure out FCEUX conditional breakpoints. It'd probably speed it up, but I do it the slow way:
What I would do is use the Trace Logger to log to file while the game is loading the sprites, then I'd look for where $0240 first = 0x50 (I think the exact string in the trace dump to search would be like @ $0240 = #$50.
That would get the next time it reads after the address has already been set.
So following that point, I delete everything beyond in the text file.
I find the LAST point where $0240 is written to (using a STA command), and then trace backwards from that until reaching where it reads from (usually a LDA) a ROM address ($8000+) and figure out what that maps to.
"My watch says 30 chickens" Google, 2018

MortalPixel

So I was able to find this in the FCEUX hex editor:

When I modify the highlighted section in A (as in freeze that value) the sprites stop moving.
All the values in the B section stop flickering through the sprite tiles for that sprite.



Edit: I just realized this was showing the memory portion. So this is the loaded information.

However, I can't find the location in my normal hex editor to actually do a modification.

I think the values next to the changing values might be the control codes for the location on the screen though. So I've made a bit of progress but I can't figure it out.

It was so much easier modifying the background tiles then the sprite layer stuff.

KingMike

Okay, now let's break it down how you find the answer.

That $0210 area is suspicious. Especially if you look at the first 4 sprite entries (that is, the first 16 bytes at that spot)
Notice that for sprite 1 ($0214-0217), the Y ($0214) is the same as sprite 0 ($0210) and the X ($0217) is +8 (right one tile) from sprite 0 ($0213), Sprite 2 will be +8 in the Y ($0218) and +0 in the X ($021B), sprite 3 will be +8 in the Y ($021C) and X ($021F).

So now open the debugger menu and click Breakpoint. You want a WRITE on the CPU. CPU address $0210. You know it's going to write the value 0x57 from that. So reset the game and get to the title screen. (click Run when the debugger window opens to skip other writes) As it's about to load the title screen, notice when it tries to write the value 0x57.

0F:FC94:B1 C4     LDA ($C4),Y @ $96CD = #$00
0F:FC96:18        CLC
0F:FC97:65 CA     ADC $00CA = #$4F
>0F:FC99:9D 00 02  STA $0200,X @ $0210 = #$F0

STA means it's trying to STore A to $0210 (the @ $0210 part), and A is 0x57. So it's probably the right value.
That LDA above is reading from $96CD. That is a ROM area, so we can figure out what ROM address that maps to.
I think you can just open FCEUX's hex editor, scroll to $96CD and click "Go to here in ROM" or something. Else look at the data and do a hex search for data in the ROM. Either way it comes to $2B6DD.
Looking at the data it's 00. Interesting data but not a 0x57, so that means RAM address $00CA is probably something we should look for. (because it's reading from the table at $2B6DD, adding the value at $CA)

So, let's reset the game and set a new breakpoint for WRITE on $00CA.


0F:FC35:A5 CA     LDA $00CA = #$00
0F:FC37:30 0C     BMI $FC45
0F:FC39:79 03 03  ADC $0303,Y @ $03E3 = #$4F
>0F:FC3C:85 CA     STA $00CA = #$00

Adding from address $03E3. That's a RAM address.
Needs another breakpoint.


0A:9E89:A9 00     LDA #$00
0A:9E8B:8D E1 03  STA $03E1 = #$00
0A:9E8E:8D E4 03  STA $03E4 = #$00
0A:9E91:8D E5 03  STA $03E5 = #$00
0A:9E94:A9 50     LDA #$50
0A:9E96:8D E2 03  STA $03E2 = #$50
0A:9E99:A9 4F     LDA #$4F
>0A:9E9B:8D E3 03  STA $03E3 = #$4F

LDA #$ means it's reading an IMMEDIATE, or in this case hard-coded value. So we just need to find this code in the ROM and change the #$50 (X) and #$4F (Y).
We come to $29EAA for the #$4F, so that #$50 is going to be at $29EA5.

Though as it turns out, Mother displays a static frame of the earth in the tilemap, behind the spinning globe sprite.
So you'll have a tilemap to find and edit (if you haven't already) or you'll have two earths.

I recall EarthBound had some hacking protection on the title screen (the cause of the infamous "piracy" screen), but I'm assuming you know that already. :)
"My watch says 30 chickens" Google, 2018

Dr. Floppy

QuoteI recall EarthBound had some hacking protection on the title screen (the cause of the infamous "piracy" screen), but I'm assuming you know that already.

And if he doesn't, pacific instructions on how to do absolutely nothing of interest are only a PM away.

Mr. Mike- I'm in the process of editing an article on (FCEUX) Conditional Breakpoints. It's ultimately about establishing a relationship between two parties which exists during "true positive" snaps, but not the false positive ones. Here's an image from the piece: Life is pain.

KingMike

"My watch says 30 chickens" Google, 2018

Dr. Floppy


MortalPixel

Thanks for the help KingMike, I'll try this out tomorrow when I get a chance.
I also already did all the background tiles, it was a lot easier than this. I actually deleted the animation sprites for a while so I can see the background without any interference and then loaded them back into their old spots.

Also Dr. Floppy I am aware of the antipiracy thing and had already patched that out before I started messing with the tiles.

I plan to play through it after all the edits and see if anything is broken / a piracy screen pops up.

Thanks again for the help guys and patience, If I get this working I'll let you guys know.