News:

11 March 2016 - Forum Rules

Main Menu

Megaman X2 / X3 Password Predicament

Started by TDOMMX, February 18, 2016, 04:54:27 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions

TDOMMX

February 18, 2016, 04:54:27 AM Last Edit: February 18, 2016, 05:07:18 AM by TDOMMX
Hi, everyone.  I've been wracking my brain trying to find the last remaining piece in a puzzle I'm extremely close to solving.  I'm wondering if anyone with Super Nintendo ROM debugging or disassembly skills might be able to help me find that final piece:

As you can tell from my handle, I'm a longtime Megaman X fan.  Over the past few years, I've been trying to completely crack the password schemes for Megaman VII, Megaman X, Megaman X2, and Megaman X3.  I'm well aware of the password cracks on Miranda Paugh's The Mega Man Home Page, but I wanted to try my hand at cracking the password schemes on my own, both as a personal exercise and to ensure that I fully understood every observation and conclusion that I'd reach rather than take someone else's work for granted.  Skip ahead to this past week, I've succeeded in not only cracking the codes, but I've created a password generator for each game that has proven to be 100% accurate with the hundred upon hundreds of passwords I've recorded over the years.  Suffice to say, I'm quite proud of myself. 8)

It's been a long-held belief within the Megaman community that the password systems did not record the "100% completion" bonus for each game -- the Hadouken for Megaman X, the Shoryuken for X2, and the Hyper Chip (a.k.a. "the Gold Armor") for X3 -- in the games' password systems.  Having isolated the variables that store these items within each password, I can quite confidently say that this belief is decidedly untrue.  Furthermore, by a sheer stroke of luck, I learned that the completion bonus flag is reset if a game-specific button combination is not held down as the player presses Start to confirm their password entry (which would explain why so many of us believed that the passwords never recorded these bonuses in the first place).

I'm beginning to ramble a bit, so I'll cut right to the chase.  In Megaman VII, entering the password 1415-5585-7823-6251, then holding the L and R buttons as you press Start enables Versus Mode.  In Megaman X, entering 3673-2177-2487, then holding the L, R, X, and Down buttons as you press Start allows you to start the game at Sigma Palace Stage 1 with all weapons, Heart Tanks, Armor Parts, and Sub-Tanks, and with the Hadouken already available.  I haven't figured out the appropriate button combinations for Megaman X2 and X3; I'm hoping someone with the necessary skill can dive into the game's assembly and figure out what special inputs the password algorithm checks for in hopes of finding the corresponding "unlock codes" for X2 and X3.  While I'm formally trained as a programmer, I'm completely out of my depth when it comes to assembly...

As for the other games in the series:

In Megaman X2, the password 8377-8113-6822-7652 starts you at X-Hunter Stage 2 (Serges' Stage) with all weapons, Heart Tanks, Armor Parts, Sub-Tanks, Zero Parts, and the Shoryuken flag set.  Without the unlock code, the Shoryuken bit is reset the same way the Hadouken bit is reset in the original Megaman X without its code.  Note that none of the passwords given in-game allow you to start beyond X-Hunter Stage 1; I just experimented with a handful of values that served a specific purpose a quarter of the way through the game (i.e.: tracking the current location of the three X-Hunters), then went completely unused after the eight boss Mavericks were defeated. 8)

As for X3, the password 8367-8683-6772-3873 starts you at Doppler Town Stage 1 (unfortunately, X3's password scheme cannot save progress through the Doppler Stages...), but with every weapon, Heart Tank, Armor Part, Sub-Tank, Ride Armor Change, and Zero's Z-Saber, and with the Hyper Chip flags set.  It also leaves Bit, Byte, and Vile alive and available for a rematch; this is an interesting paradox seeing as killing Vile is a prerequisite to receiving the Z-Saber.  As with the Hadouken and the Shoryuken, all four Chip flags are reset if the unlock code is not entered.

Thanks for hearing me out, and thanks in advance to anyone who can help me figure out the unlock codes for Megaman X2 and X3.  I figure that asking someone who knows what they're doing to dive into the code would be much more efficient than attempting to brute-force every possible button combination on my own.
This is TDOMMX signing out.

Seihen

#1
February 18, 2016, 06:39:42 PM
I know this is a really boring answer, but depending on the complexity involved in tracing the ASM code and debugging of the password system here, I almost wonder if it could possibly be faster to just try to brute force it, possibly using savestates and tools. Enter the password, savestate, then press a combination of buttons and press start. If nothing's unlocked, reload your savestate. SNES9x allows you to map savestate loading to a controller input, so it might not even take very long.

Of course, this gets daunting pretty quick, depending on how many buttons are used.

tvtoon

#2
February 19, 2016, 02:00:31 PM
I always wondered if those passwords could be given in-game. I think you can get something even better (last stage and stuff), if those details would get disclosed. :)

Anyway, you can try the "reverse-input" and complements methods, for the time being. ;)

justin3009

#3
February 19, 2016, 02:14:46 PM Last Edit: February 19, 2016, 02:56:26 PM by justin3009
X2
-------------
Code Select
$00/F2D3 C2 20       REP #$20                A:0100 X:00FE Y:0008 P:envMXdIZc
$00/F2D5 AD A8 00    LDA $00A8  [$06:00A8]   A:0100 X:00FE Y:0008 P:envmXdIZc
$00/F2D8 C9 10 C6    CMP #$C610              A:1000 X:00FE Y:0008 P:envmXdIzc
$00/F2DB E2 20       SEP #$20                A:1000 X:00FE Y:0008 P:envmXdIzc
$00/F2DD D0 05       BNE $05    [$F2E4]      A:1000 X:00FE Y:0008 P:envMXdIzc

It's checking 7E:00A8 (Buttons being pressed) and seeing if the value = $C610.  I'll figure out what values the buttons store and we should have it!

7E00A8 - Buttons being pressed
00 - Nothing
10 - R
20 - L
40 - X
80 - A


7E00A9 - Buttons being pressed
00 - Nothing
01 - Right
02 - Left
04 - Down
08 - Up
10 - Start
20 - Select
40 - Y
80 - B

7E:00A8 has to be 10
7E:00A9 has to be C6

The combo I can find is:
Down + Left + Y + B + R

Just make sure you're on the last password row BEFORE you hit and hold Y otherwise it won't work.


X3
------------------------
There's not an actual button press combination for X3 that I can see.. but this exists.

Code Select

$00/F25F A5 30       LDA $30    [$00:1E88]   A:0125 X:00FE Y:0008 P:enVMXdIzC
$00/F261 8D D7 1F    STA $1FD7  [$06:1FD7]   A:01FF X:00FE Y:0008 P:eNVMXdIzC
$00/F264 29 F0       AND #$F0                A:01FF X:00FE Y:0008 P:eNVMXdIzC
$00/F266 C9 F0       CMP #$F0                A:01F0 X:00FE Y:0008 P:eNVMXdIzC
$00/F268 D0 08       BNE $08    [$F272]      A:01F0 X:00FE Y:0008 P:enVMXdIZC

It's checking whatever password value is set at 7E:1E88 and storing it to 7E:1FD7 (Golden Armor value).  From what I can see, it's impossible for the value to actually store properly since anything else will end up just cutting it back to 0F as the final value.  Oddly though, the game does let you have 3 enhancement chips active.. which essentially might as well be the Golden Armor.  Kind of an iffy system but yeah.  There's no actual way to get the Golden Armor unlocked though through the password screen.
'We have to find some way to incorporate the general civilians in the plot.'

'We'll kill off children in the Juuban district with an infection where they cough up blood and are found hanging themselves from cherry blossom trees.'

TDOMMX

#4
February 20, 2016, 12:55:07 AM
Thanks for the in-depth response, Justin!  I can confirm that the Shoryuken unlock code works perfectly!  I hadn't realized that the Y button doubled as a code confirmation button when the "Start" option below the password was highlighted; I always used the Start button to confirm my passwords.

While I already knew about being able to equip three of the four enhancement chips at once in X3, I was hoping that there might be a legitimate way to retrieve the Hyper Chip /  Gold Armor from a password since the game actually provides you with the password I posted after you obtain the Hyper Chip legitimately.  Setting any of the bits in the upper nybble at 7E:1FD7 grants you the corresponding chip (0x10 = Energy Chip, 0x20 = Arm Chip, 0x40 = Body Chip, 0x80 = Leg Chip -- the lower nybble contains the bits for the four Ride Armor changes).  Interestingly, setting all four upper bits immediately enables the Hyper Chip palette -- no extra bits required (just a single press of the Start button).  That's what led me to think that an unlock code might be present.

Oh, well.  You can't win 'em all.  Since the Hyper Chip's capsule isn't exactly out of your way in Doppler Stage 1, it's no real loss -- I always snag it just before fighting Press Disposer / Godkarmachine O Inary, anyway.

Thanks again!
This is TDOMMX signing out.

DackR

#5
February 20, 2016, 10:43:57 PM
In case anyone is interested, I went ahead and made IPS patches for all the games in the MMX series so that a special key combination is not needed to make full use of the full power up passwords.

I didn't do Megaman 7 because it wasn't really necessary in that case.

Here ya go:
https://googledrive.com/host/0B7Lih2HxwoqqLS1nWmZXenFRbmkzcUtYcVpWMEN4dw/MMX_123_FullPowerup_Enabler_Patches.zip

I figured, why not, right?  :beer:
Print
Go Up Pages1
User actions