
Author Topic: Dragon Warrior 1, 2 & 3 Hacking Discussion  (Read 141060 times)

Chicken Knife

Re: Dragon Warrior 1, 2 & 3 Hacking Discussion
« Reply #280 on: August 01, 2020, 11:45:58 am »
Quote
How to make 150% exp

1. Find ram address (wiki, cheats, search)
2. Save game before killing monster
3. Put 'Write' breakpoint on addr
4. Play game. Trigger.
5. Add code (lda - lsr - ... - sta)
I just read that wrong, my bad. It's a good alternate case that could help me figure out how to remove the 25%

Quote
I think he means "how do I prevent debugger from breakpoint at this spot again in future?"
Yes, that is the goal, but I was really asking about what the input on the screen looks like. There are two sections, a left box allowing for two bytes and a right box allowing for two bytes. I haven't used the right box yet. Am I filling that one now?

Quote
But again, another teaching failure.
It feels like you are very inclined to torment yourself over the smallest things that no one else is bothered by. I'm definitely impressed by your hacking knowledge, and it is helpful. I don't want to see you beat yourself up over some unrealistic standard of perfect teaching. Trust me, even if I had the most perfect teacher in the world, I would still not get it at times. I've already demonstrated that a ton of times, but I'm not gonna let that torment me.


The final challenge of a game is the game itself.

storall

« Reply #281 on: August 01, 2020, 12:32:21 pm »
The part I dislike about giving bad advice is that it creates more confusion, which wastes everyone's time, and turns me into a grumpy cat trying to undo that mistake. Repeat enough times and it becomes an annoying something I want fixed before I get old.


Part of this problem here is that I'm the one just lazy enough to not post good pictures of what I'm doing. Which would help a lot.

--------------------

Quote
There are two sections, a left box allowing for two bytes and a right box allowing for two bytes. I haven't used the right box yet. Am I filling that one now?

If we are not talking about the 'Add Breakpoint' box, then ignore this next part.

Because it's just 1 value, I still use the left box only. If we had to block a range of addresses, then we use the right side.

Let's say I want to forbid $03:8000-9FFF because I hate stopping on that code.
- Left box = 8000
- Right box = 9FFF
- Forbid = yes
- Condition = K==#3


If it's some other debugger feature, could you upload a picture or say what step you're getting held up on?

Chicken Knife

« Reply #282 on: August 02, 2020, 02:29:59 pm »
Quote
4 clicks for 1 forbid breakpoint
https://i.imgur.com/tQokfqt.gif
This animation was great. I didn't know I could right click the lines of code on the left hand side.

Quote
Let's say I want to forbid $03:8000-9FFF because I hate stopping on that code.
- Left box = 8000
- Right box = 9FFF
- Forbid = yes
- Condition = K==#3
So the right box is a range. That should have been intuitive to me.

Quote
1. Find ram address (wiki, cheats, search)
2. Save game before killing monster
3. Put 'Write' breakpoint on addr
4. Play game. Trigger.
5. Add code (lda - lsr - ... - sta)
I'm trying to work on tracking down the gold or xp values so I can write my breakpoint. According to the data crystal ROM map, I know exactly how all the attributes of a monster including XP and gold are stored. I was expecting to be able to take the sequence of bytes stored in those addresses, search in RAM while in battle, and find the tables there arranged the same way. Sadly, the game doesn't seem to work that way. I can't figure this out, and the RAM map doesn't have any of this. Any tips on how I can figure out where to put my RAM breakpoints?

Cyneprepou4uk

« Reply #283 on: August 02, 2020, 02:47:57 pm »
You sure there is nothing at datacrystal about gold and exp addresses for dw3 in ram map? Because I can clearly see it is written here


Quote
I didn't know I could right click the lines of code on the left hand side.

So you say you didn't know, huh?

Quote
You can double click on cpu address where it hits and add a corresponding checkmark.

Quote
Lets say your 0009 breakpoint got hit at 0F:89AB. Double click at 89AB. An "add breakpoint" window will be open, it'll already have 89AB and some condition written there, you just need to enable "forbid" checkmark and press OK.

Obviously you didn't do that for a second time. Or is my English that bad?  >:D
Should I bother to keep explaining anything in the future?
« Last Edit: August 02, 2020, 04:06:57 pm by Cyneprepou4uk »
iromhacker.ru - NES ROM hacking tutorials for beginners. Please use Google Translate browser extension

Chicken Knife

« Reply #284 on: August 02, 2020, 04:12:44 pm »
Quote
You sure there is nothing at datacrystal about gold and exp addresses for dw3 in ram map? Because I can clearly see it is written here
Total experience and gold values for the party are written there, not the experience and gold values for monsters that I was looking for. I was thinking that the algorithm that increases the monster reward values would fire off right after the monster values get read, but perhaps I could assign a write breakpoint to the character experience / gold address and backtrack.

Quote
Obviously you didn't do that for a second time. Or is my English that bad?  >:D
Should I bother to keep explaining anything in the future?
There goes your shitty tone again. Improve it, and I'll find hanging on your every word a great deal easier.

Cyneprepou4uk

« Reply #285 on: August 02, 2020, 04:24:19 pm »
Yeah, that's me who has to improve his attitude, coz I'm the one who needs help with hacks  >:D

Quote
Should I bother to keep explaining anything in the future?
I've got my answer.

Chicken Knife

« Reply #286 on: August 02, 2020, 05:04:35 pm »
Quote
I've got my answer.
You helping here is up to you. I actually did read what you said, and it wasn’t clear to me that you were talking about the left panel. When I’m very foggy on something or overwhelmed with a new and complex program, I need things really spelled out.

But if you are going to stick around here, the expectation is that respectfulness is demonstrated no matter what. Even if you have things to teach and I have things to learn. Even if I’m slow with something. Even if I didn’t read something correctly. Most people understand that belittling language is never acceptable. Other people here have also pointed it out, and you recognizing how you come across at times and learning how to address the same things in a better way would be a big opportunity for your development. Therefore, if you do stick around, I will continue to help you recognize those opportunities.
« Last Edit: August 02, 2020, 05:25:19 pm by Chicken Knife »

storall

« Reply #287 on: August 02, 2020, 05:24:30 pm »
Chicken Knife's new problem is that he doesn't know the procedure of how to convert ROM address to CPU address.


Here's a really quick basic guide. Let's collect our data.

https://datacrystal.romhacking.net/wiki/Dragon_Warrior_III:ROM_map
- Slime EXP, 0x0032E4 = Experience (0-255) = $04

https://datacrystal.romhacking.net/wiki/Dragon_Warrior_III
- Mapper name: MMC1

https://wiki.nesdev.com/w/index.php/MMC1
- CPU $8000-$BFFF: 16 KB PRG ROM bank, either switchable or fixed to the first bank
- CPU $C000-$FFFF: 16 KB PRG ROM bank, either fixed to the last bank or switchable


1. $32E4 file - $10 header = $32d4
- MMC1 says we have $4000 banksize. $32d4 / $4000 = bank 0.
- $32d4 % $4000 = $32d4 offset

2. Our data is hiding at $8000-BFFF or $C000-FFFF
- 8000+32d4 = b2d4
- c000+32d4 = f2d4

3. Add 'Read' breakpoints
- I'll assume you know this by now
- Don't use K==#0 though; that only correctly works when using PC execute breakpoint

4. Note that you'll have to track down the real spot where it gives bonus points.
   It's not as straightforward as I thought and will take a thorough look at the trace log.

5. It might be worthwhile doing this same procedure for Japan also and compare the logs.


edit: Read breakpoint tip

Since we know slime exp value is $04
- Address = $B2D4
- Read = yes
- Condition: $B2D4==#04

Then it won't bp on non-correct values.
« Last Edit: August 02, 2020, 07:04:00 pm by storall »
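
The conversion in steps 1 and 2 of the post above, as an added example that is not part of the original post. It assumes the ROM has no trainer, so PRG data starts right after the $10-byte iNES header; the function names are made up for this sketch, and the breakpoint condition strings follow the forms shown in this thread.

```python
# Added example (not from the thread): iNES file offset <-> MMC1 CPU address.
INES_HEADER = 0x10          # header size subtracted in step 1
BANK_SIZE = 0x4000          # MMC1 PRG bank size (16 KB)
WINDOWS = (0x8000, 0xC000)  # the two CPU windows a 16 KB PRG bank can occupy


def file_to_cpu(file_offset):
    """Return (bank, offset_in_bank, [candidate CPU addresses])."""
    if file_offset < INES_HEADER:
        raise ValueError("offset lies inside the iNES header, not in PRG ROM")
    bank, offset = divmod(file_offset - INES_HEADER, BANK_SIZE)
    # Which window the bank is mapped into depends on the MMC1 mode at run
    # time, so both candidates are returned, as in step 2.
    return bank, offset, [window + offset for window in WINDOWS]


def cpu_to_file(bank, cpu_addr):
    """Inverse mapping: PRG bank number plus CPU address back to file offset."""
    if not 0x8000 <= cpu_addr <= 0xFFFF:
        raise ValueError("PRG ROM is only visible at $8000-$FFFF")
    offset = (cpu_addr - 0x8000) % BANK_SIZE   # same offset in either window
    return INES_HEADER + bank * BANK_SIZE + offset


def read_breakpoints(file_offset, expected_value):
    """Build the 'Read' breakpoint settings for both candidate addresses."""
    bank, _, candidates = file_to_cpu(file_offset)
    return [
        {
            "address": f"{addr:04X}",
            "type": "Read",
            # Value condition in the form used in the post: $B2D4==#04
            "condition": f"${addr:04X}==#{expected_value:02X}",
            # Data-bank form of condition mentioned later in the thread
            "bank_condition": f"T==#{bank:02X}",
        }
        for addr in candidates
    ]


if __name__ == "__main__":
    # Slime EXP from the ROM map: file offset 0x0032E4, value $04
    bank, offset, candidates = file_to_cpu(0x32E4)
    print(f"bank {bank:02X}, offset ${offset:04X}")
    for bp in read_breakpoints(0x32E4, 0x04):
        print(bp)
```
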

Cyneprepou4uk

« Reply #288 on: August 02, 2020, 06:07:37 pm »
Quote
Most people understand that belittling language is never acceptable

I wasn't belittling you, I was pointing out that you don't try those things in practice, meaning that I was wasting my time. Because if you did, you would understand what I was talking about. But wasting time is my own fault coz I'm the one who decides to post.

But if you actually did try to see those things in debugger and couldn't find it, then you are a slowpoke who needs to get more experience with debugging and understanding basic NES stuff before going into mega hardcore hacking like changing name check and gold. And this is what my belittling looks like  >:D

Either way I'm done here. Oh, and refresh your memory
http://catb.org/~esr/faqs/smart-questions.html#answers

storall

« Reply #289 on: August 02, 2020, 08:06:49 pm »
Chicken Knife - a short diary in case you need another hint.


Encountered 1 Slime outside the castle.
- Saved state before slaying it.
- Report says 6 exp and 3 gold.

Load state and put breakpoint on Slime exp (04).
- On break, turned on trace logger.
- Noticed it had a rts and stepped out.
- It had a 24-bit write to range (-redacted-).
- Checked the RAM wiki https://datacrystal.romhacking.net/wiki/Dragon_Warrior_III:RAM_map but no match.
- Looked interesting so I put a 'Write' breakpoint on (-redacted-)
- Remember that it had a $04

Let the game continue.
- A breakpoint on (-redacted-).
- What's this? A $06 is being stored there. And it's 24-bit again.
- Again another rts so I floated out.
- Now I turned off the trace logger.
- A new area of code.

Time to think!
- So it had $04 and became $06.
- Interesting weird piece of asm but it looks like our bonus math.
- To test, I left-clicked the address I wanted to nop out.

  More specifically, it's that vertical blank column on the left side of address.
  Hover your mouse there and it says on bottom:
    leftclick = inline assembler
    rightclick = hexeditor

- Opened the 'Inline Assembler'. Entered the nop replacement (nop + enter).
  When it looked good, I hit 'apply.' Close box.
  - note: it's temporary and not permanent to rom.

Reload state.
- Now says I gained 4 exp and 3 gold.
- To be honest, I didn't believe it and checked the info stats afterward.
- 4 exp and 53 gold.

Well that's 1 done. Time to bake in asm fix.


edit: And likely I'll need to show you a picture. But that'd give away the answer so have to wait until you find the area.
« Last Edit: August 02, 2020, 11:30:34 pm by storall »

Chicken Knife

« Reply #290 on: August 03, 2020, 09:46:42 am »
@Storall, your posts regarding the steps you took with this process are clear and helpful! I really appreciate you taking the time to spell things out like this. There are a handful of points I'd like to ask for clarification on. I'd like to understand your process outline more completely before I perform the steps myself.

Here are the points to clarify:

Quote
Chicken Knife's new problem is that he doesn't know the procedure of how to convert ROM address to CPU address.
I've actually done a lot of converting ROM to RAM address (which I believe is the same as CPU address since CPU only interacts with RAM other than bank loading / switching). But I'm glad you took the time to discuss this, because it brings up an interesting point:

Quote
- CPU $8000-$BFFF: 16 KB PRG ROM bank, either switchable or fixed to the first bank
- CPU $C000-$FFFF: 16 KB PRG ROM bank, either fixed to the last bank or switchable
All the times I've had to calculate RAM address in my work on DQ1/DQ2/DQ3, I've only ever had to use the $8000-BFFF address range, never the $C000-$FFFF range. I'm glad to be reminded that data could also be stored in the $C000-$FFFF range, because I've become so unaccustomed to never dealing with that area. I've mostly dealt with these addresses for the script, and the script seems to never be stored there curiously.

Quote
2. Our data is hiding at $8000-BFFF or $C000-FFFF
- 8000+32d4 = b2d4
- c000+32d4 = f2d4
It seems like I had the right idea to search the RAM for the sequential bytes that store monster xp&gold, but where I probably failed was that this data wasn't loaded there yet, even though I was in battle when I checked. I'm guessing that the code executes a bankswitch command at some point just before it actually needs that monster reward data, probably because the rest of the time, the code is pulling from the bank that stores miscellaneous battle text. Therefore when I checked for those bytes, it wasn't loaded yet. But after I set these breakpoints, once I get the hit, if I then go check the RAM data, I should find the bytes there.

Quote
- Don't use K==#0 though; that only correctly works when using PC execute breakpoint
You said this in reference to setting the read breakpoint. I'm not sure what K==#0 means and would enjoy some further explanation here.

Quote
It might be worthwhile doing this same procedure for Japan also and compare the logs.
I was planning to do this.  :laugh: One of my tech savvy friends suggested that I could use a text editor compare function that would allow the program itself to compare the two sets of text. That sounds great, but I would probably not be able to achieve perfectly synced timing between the two different versions. I'll do it myself manually, and hopefully I will be able to differentiate between the stuff directly resulting from timing differences.

Quote
- Condition: $B2D4==#04
This sounds like a great tip. Thank you! I'll play with setting the condition.

Now I have some questions regarding your diary:

Quote
- Noticed it had a rts and stepped out.
I know that RTS is a return from subroutine. Two questions: why did you react to that, and what does "stepped out" mean? When I get breakpoint hits, I typically only hit the "run" button to have the game go past the break. I see there are other options involving "stepping" but I don't really understand what those mean.

Quote
- Again another rts so I floated out.
Not sure what floated out means.

Quote
- Now I turned off the trace logger.
- A new area of code.

Time to think!
- So it had $04 and became $06.
- Interesting weird piece of asm but it looks like our bonus math.
- To test, I left-clicked the address I wanted to nop out.

  More specifically, it's that vertical blank column on the left side of address.
  Hover your mouse there and it says on bottom:
    leftclick = inline assembler
    rightclick = hexeditor

- Opened the 'Inline Assembler'. Entered the nop replacement (nop + enter).
  When it looked good, I hit 'apply.' Close box.
  - note: it's temporary and not permanent to rom.
I get a little lost here unfortunately. So you start off by analyzing the trace log you created for this second section of code that deals with writing the inflated slime exp. When you say you left clicked the address you wanted to NOP out, you are saying that you left clicked that CPU address on the left side of the debugger screen? If so, I didn't realize that I could rewrite code from that screen directly. Vertical blank column in the debugger? I probably need to be home and working with this to potentially see what you are referring to. It sounds like FCEUX actually has an assembler function. Very cool! It sounds like you just replaced existing bytes in the code with the NOP operations, which didn't require any expansion of the code. That sounds easy enough.

Ok, that's it for questions, and hopefully I'll be able to figure out what you covered in the last paragraph just by playing around. I'm pretty excited to try all this now.
« Last Edit: August 03, 2020, 09:53:41 am by Chicken Knife »

storall

« Reply #291 on: August 03, 2020, 10:29:09 am »
Quote
You said this in reference to setting the read breakpoint. I'm not sure what K==#0 means and would enjoy some further explanation here.

Let's say I want to place execute breakpoint at $07:C041.
- Address: C041.
- Execute: yes.
- Condition: K==#07. Meaning stop only at PC Bank 07.


In case of DW3, Slime EXP was at $00:B2D4 or $00:F2D4.
- Address: B2D4.
- Read: yes.

- Condition: K==#00. === If we do this though, it will only trigger when PC is bank 00. Which seems to be never during my debugging trial. It will not trigger when reading from $00:B2D4.
- Condition: $B2D4==#04. === This will trigger when reading from $B2D4 and when $B2D4 = 04 (slime exp value).


Quote
I'll do it myself manually, and hopefully I will be able to differentiate between the stuff directly resulting from timing differences.

I should do this also because I want to see what really got added to USA.


Quote
I know that RTS is a return from subroutine. Two question, why did you react to that, and what does "stepped out" mean? When I get breakpoint hits, I typically only hit the "run" button to have the game go past the break. I see there are other options involving "stepping" but I don't really understand what those mean.

I saw a short routine, meaning we came from somewhere else. So I clicked Step Over because I wanted to see in the registers what was happening. When I got out (rts), I saw an interesting clue from the asm code; I could tell what that meant and it looked important to investigate.


Quote
Not sure what floated out means.

"Floated out" = I clicked Step until I reached the rts and "jumped" somewhere else.


Quote
So you start off by analyzing the trace log you created for this second section of code that deals with writing the inflated slime exp.

Correct. Once I saw the $06 being written, I figured it was safe to stop. I read the asm code at the stop point and thought .. hmm .. interesting, it's 24-bit value.

Took a picture of my Castlevania 2 debugging session. The highlighted red box is where to click the mouse.


I'll explain more later.

abw

« Reply #292 on: August 03, 2020, 05:19:23 pm »
Out of curiosity, where did you get that 25% number for extra gold and experience from? The English version appears to be adding different percentages for gold and experience, and neither of them is 25%.

Quote
- Condition: K==#00. === If we do this though, it will only trigger when PC is bank 00. Which seems to be never during my debugging trial. It will not trigger when reading from $00:B2D4.
One extra point here: if you know your data is in bank 0, you might like to set a T==#00 condition on a read breakpoint; the Debugger page of FCEUX's help file explains what T and K mean in the context of breakpoint conditions.

storall

« Reply #293 on: August 03, 2020, 05:36:03 pm »
Quote from: abw
One extra point here: if you know your data is in bank 0, you might like to set a T==#00 condition on a read breakpoint; the Debugger page of FCEUX's help file explains what T and K mean in the context of breakpoint conditions.

Thank you! I completely missed that helpful bullet point.

Quote from: manual
Break only when accessing a data from bank 2 (the condition is relevant when using with Read/Write-type breakpoints):

T==#2


I got lazy and read the abbreviated online wiki manual, which doesn't cover that one.
http://wiki.nesdev.com/w/index.php/FCEUX_debugger
(This page was last modified on 8 September 2012, at 07:27)


Quote from: abw
Out of curiosity, where did you get that 25% number for extra gold and experience from? The English version appears to be adding different percentages for gold and experience, and neither of them is 25%.

I wondered the same thing. :lol:

August 03, 2020, 06:47:50 pm - (Auto Merged - Double Posts are not allowed before 7 days.)
I hacked Slime to have base 256 exp. Got 342 after battle. Seems like 133%.
« Last Edit: August 03, 2020, 06:47:51 pm by storall »

Chicken Knife

« Reply #294 on: August 03, 2020, 11:46:43 pm »
@storall,
This is a heavy duty process and will clearly take me multiple days to sort out. Most of my time tonight was spent fiddling around with the debugger, which is something I've barely done up until now. I'm finally understanding all the step commands, how to use them to move through the code, understanding how everything I'm seeing matches up to the RAM storage, etc. I'm hoping that investing this time getting a feel for the system and looking up opcodes will improve recognition. At this point, I don't think I need more tips. I need more time to debug, log, document, learn and process all this. I'm clearly getting the sense that dealing with this code will be more complex than the ERDRICK comparison routine, and I want to be ready.

Quote
Out of curiosity, where did you get that 25% number for extra gold and experience from? The English version appears to be adding different percentages for gold and experience, and neither of them is 25%.
It would seem that "The Cutting Room Floor" site has finally let me down. It has otherwise proven itself to be quite reliable. https://tcrf.net/Dragon_Warrior_III_(NES)
"EXP and gold drops were increased by 25% in the North American version."

About FCEUX help, I have the latest version of FCEUX, I click the help menu, I select a topic, I click display, and nothing happens. That's been driving me crazy for a while. I've also found that HTML help site, but it really doesn't have much at all. I would love to figure out how to access the thorough HELP material. Pretty friggin' sad when you can't even figure out how to access the HELP documentation.
« Last Edit: August 04, 2020, 12:02:02 pm by Chicken Knife »

storall

« Reply #295 on: August 04, 2020, 12:09:26 am »
Quote
About FCEUX help, I have the latest version of FCEUX, I click the help menu, I select a topic, I click display, and nothing happens. That's been driving me crazy for a while. I've also found that HTML help site, but it really doesn't have much at all. I would love to figure out how to access the thorough HELP material. Pretty friggin' sad when you can't even figure out how to access the HELP documentation.

https://github.com/TASVideos/fceux
https://ci.appveyor.com/project/zeromus/fceux
https://ci.appveyor.com/project/zeromus/fceux/builds/34463273
https://ci.appveyor.com/project/zeromus/fceux/build/job/4kdrl5nrxt0duixe/artifacts
- download zip
- open file: fceux.chm


Quote
This is a heavy duty process and will clearly take me multiple days to sort out. Most of my time tonight was spent fiddling around with the debugger, which is something I've barely done up until now. I'm finally understanding all the step commands, how to use them to move through the code, understanding how everything I'm seeing matches up to the RAM storage, etc. I'm hoping that investing this time getting a feel for the system and looking up opcodes will improve recognition. At this point, I don't think I need more tips. I need more time to debug, log, document, learn and process all this. I'm clearly getting the sense that dealing with this code will be more complex than the ERDRICK comparison routine, and I want to be ready.

Very understandable! I think you are progressing. This problem is more complicated than ERDRICK.

Getting that read breakpoint to work for EXP is your major goal. Then I think the rest will slowly fall into place.

Cyneprepou4uk

« Reply #296 on: August 04, 2020, 05:31:37 am »
Quote
That's been driving me crazy for a while

Unblock fceux.chm in file properties.

If you're looking for detailed debugger documentation, I've got most of it on my site.
https://iromhacker.ru/nes/ru/fceux/debug/debugger/1/index.html

Chicken Knife

« Reply #297 on: August 05, 2020, 12:11:32 am »
I created savestates between the English and Japanese versions, both with only the hero killing 1 slime. I figured out the different RAM address of the Japanese version for the read breakpoint of the 04 value, and I created two nearly identical log files. Other than a very brief divergence that occurred right after the break, the below is where the English version really goes off into its own territory. I'm looking closely at it 1. because of the divergence, and 2. because I see 04 and then 06 getting loaded into the X register.

Code:
f37361  A:01 X:00 Y:01 S:CC P:nVUBdIZc                    $B4EB:B5 F7     LDA $F7,X @ $00F7 = #$04
f37361  A:04 X:00 Y:01 S:CC P:nVUBdIzc                    $B4ED:C9 FF     CMP #$FF
f37361  A:04 X:00 Y:01 S:CC P:nVUBdIzc                    $B4EF:F0 0E     BEQ $B4FF
f37361  A:04 X:00 Y:01 S:CC P:nVUBdIzc                    $B4F1:A9 FE     LDA #$FE
f37361  A:FE X:00 Y:01 S:CC P:NVUBdIzc                    $B4F3:95 F7     STA $F7,X @ $00F7 = #$04
f37361  A:FE X:00 Y:01 S:CC P:NVUBdIzc                    $B4F5:20 07 B7  JSR $B707
f37361  A:FE X:00 Y:01 S:CA P:NVUBdIzc                      $B707:E0 06     CPX #$06
f37361  A:FE X:00 Y:01 S:CA P:NVUBdIzc                      $B709:B0 12     BCS $B71D
f37361  A:FE X:00 Y:01 S:CA P:NVUBdIzc                      $B70B:AD F3 06  LDA $06F3 = #$FF
f37361  A:FF X:00 Y:01 S:CA P:NVUBdIzc                      $B70E:C9 FF     CMP #$FF
f37361  A:FF X:00 Y:01 S:CA P:nVUBdIZC                      $B710:F0 0B     BEQ $B71D
f37361  A:FF X:00 Y:01 S:CA P:nVUBdIZC                      $B71D:18        CLC
f37361  A:FF X:00 Y:01 S:CA P:nVUBdIZc                      $B71E:60        RTS (from $B707) ---------------------------
f37361  A:FF X:00 Y:01 S:CC P:nVUBdIZc                    $B4F8:90 05     BCC $B4FF
f37361  A:FF X:00 Y:01 S:CC P:nVUBdIZc                    $B4FF:D6 E2     DEC $E2,X @ $00E2 = #$03
f37361  A:FF X:00 Y:01 S:CC P:nVUBdIzc                    $B501:D0 DF     BNE $B4E2
(1 lines skipped)
f37361  A:FF X:00 Y:01 S:CE P:nVUBdIzc                  $B3B2:A2 02     LDX #$02
f37361  A:FF X:02 Y:01 S:CE P:nVUBdIzc                  $B3B4:20 DE B4  JSR $B4DE
(23 lines skipped)
f37361  A:FF X:02 Y:01 S:CE P:nVUBdIzc                  $B3B7:A2 04     LDX #$04
f37361  A:FF X:04 Y:01 S:CE P:nVUBdIzc                  $B3B9:20 DE B4  JSR $B4DE
(23 lines skipped)
f37361  A:FF X:04 Y:01 S:CE P:nVUBdIzc                  $B3BC:A2 06     LDX #$06
f37361  A:FF X:06 Y:01 S:CE P:nVUBdIzc                  $B3BE:88        DEY
f37361  A:FF X:06 Y:00 S:CE P:nVUBdIZc                  $B3BF:20 DE B4  JSR $B4DE
(7 lines skipped)
f37361  A:00 X:06 Y:00 S:CE P:nVUBdIzc                  $B3C2:AD 7C 04  LDA $047C = #$BE
f37361  A:BE X:06 Y:00 S:CE P:NVUBdIzc                  $B3C5:C9 6A     CMP #$6A
f37361  A:BE X:06 Y:00 S:CE P:nVUBdIzC                  $B3C7:90 DE     BCC $B3A7
f37361  A:BE X:06 Y:00 S:CE P:nVUBdIzC                  $B3C9:A2 06     LDX #$06
f37361  A:BE X:06 Y:00 S:CE P:nVUBdIzC                  $B3CB:A1 D6     LDA ($D6,X) @ $AF5B = #$E1
f37361  A:E1 X:06 Y:00 S:CE P:NVUBdIzC                  $B3CD:49 FC     EOR #$FC
f37361  A:1D X:06 Y:00 S:CE P:nVUBdIzC                  $B3CF:F0 0E     BEQ $B3DF
f37361  A:1D X:06 Y:00 S:CE P:nVUBdIzC                  $B3D1:CA        DEX
f37361  A:1D X:05 Y:00 S:CE P:nVUBdIzC                  $B3D2:CA        DEX
f37361  A:1D X:04 Y:00 S:CE P:nVUBdIzC                  $B3D3:10 F6     BPL $B3CB
f37361  A:1D X:04 Y:00 S:CE P:nVUBdIzC                  $B3CB:A1 D6     LDA ($D6,X) @ $AF0D = #$FA
(5 lines skipped)
f37361  A:06 X:02 Y:00 S:CE P:nVUBdIzC                  $B3CB:A1 D6     LDA ($D6,X) @ $AE6A = #$FA
(5 lines skipped)
f37361  A:06 X:00 Y:00 S:CE P:nVUBdIZC                  $B3CB:A1 D6     LDA ($D6,X) @ $ADC0 = #$30
(5 lines skipped)
f37361  A:CC X:FE Y:00 S:CE P:NVUBdIzC                  $B3D5:A2 06     LDX #$06
f37361  A:CC X:06 Y:00 S:CE P:nVUBdIzC                  $B3D7:B5 E2     LDA $E2,X @ $00E8 = #$02
f37361  A:02 X:06 Y:00 S:CE P:nVUBdIzC                  $B3D9:D0 04     BNE $B3DF
f37361  A:02 X:06 Y:00 S:CE P:nVUBdIzC                  $B3DF:C9 00     CMP #$00
f37361  A:02 X:06 Y:00 S:CE P:nVUBdIzC                  $B3E1:F0 07     BEQ $B3EA
f37361  A:02 X:06 Y:00 S:CE P:nVUBdIzC                  $B3E3:A9 DF     LDA #$DF
f37361  A:DF X:06 Y:00 S:CE P:NVUBdIzC                  $B3E5:2D 7F 04  AND $047F = #$D0
f37361  A:D0 X:06 Y:00 S:CE P:NVUBdIzC                  $B3E8:B0 05     BCS $B3EF
f37361  A:D0 X:06 Y:00 S:CE P:NVUBdIzC                  $B3EF:8D 7F 04  STA $047F = #$D0
f37361  A:D0 X:06 Y:00 S:CE P:NVUBdIzC                  $B3F2:A2 00     LDX #$00
f37361  A:D0 X:00 Y:00 S:CE P:nVUBdIZC                  $B3F4:A0 00     LDY #$00
f37361  A:D0 X:00 Y:00 S:CE P:nVUBdIZC                  $B3F6:20 1F B7  JSR $B71F
f37361  A:D0 X:00 Y:00 S:CC P:nVUBdIZC                    $B71F:20 07 B7  JSR $B707
(7 lines skipped)
f37361  A:FF X:00 Y:00 S:CC P:nVUBdIZc                    $B722:BD 73 04  LDA $0473,X @ $0473 = #$B0
f37361  A:B0 X:00 Y:00 S:CC P:NVUBdIzc                    $B725:B0 02     BCS $B729
f37361  A:B0 X:00 Y:00 S:CC P:NVUBdIzc                    $B727:30 50     BMI $B779
f37361  A:B0 X:00 Y:00 S:CC P:NVUBdIzc                    $B779:60        RTS (from $B71F) ---------------------------

There is nothing as intuitive for me here so far as what I found with the compare operations for the ERDRICK name, but I was already warned that this would be the case. There's also a decent chance I am not even close here.

Quote
- What's this? A $06 is being stored there. And it's 24-bit again.
I've tried to follow this clue and determine what a 24 bit range looks like. As I look through the code, I can't seem to find any operations with longer than a 16 bit range. Would an operation with a 24 bit operand look like four bytes together? That's what I've looked for.

I still feel like I'm not particularly close to solving this, but I have spent another several hours studying operations and learning about bitwise functions like AND, OR, etc. Hopefully I'm getting something out of spending time like this.

Also, a question about the inline assembler. Is there any real difference between inserting the NOP instructions there or just finding the corresponding bytes in a hex editor and just replacing them with EA? I'm curious.


Cyneprepou4uk

« Reply #298 on: August 05, 2020, 05:01:53 am »
24-bit means some game value (up to 16.7 million) is stored in 3 RAM addresses, usually neighboring.

No difference between NOP and EA at all. But you can't undo inline assembler.

Euyira

« Reply #299 on: August 05, 2020, 08:39:50 am »
Quote from: Chicken Knife
2. because I see 04 and then 06 getting loaded into the X register.

I did not do the exercise, but from carefully reading the thread you might be off.


Quote from: storall
- It had a 24-bit write to range (-redacted-).
      ..
- A breakpoint on (-redacted-).
- What's this? A $06 is being stored there. And it's 24-bit again.

@storall saw $04 written to RAM xx+0, xx+1, xx+2. And then $06 written to RAM xx+0, xx+1, xx+2. The posted log shows no $04 or $06 writes.


Quote from: Chicken Knife
1. because of the divergence

Did you accidentally skip past the answer? What did the log look like at the breakpoint when EXP was read?
« Last Edit: August 05, 2020, 09:40:52 am by Euyira »
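
The check described in the last post (does a trace log contain any write of $04 or $06?) can be done mechanically; this is an added example, not part of any post in the thread. In the posted log the registers and the `= #$xx` memory value are printed as they are before the instruction runs, so the byte a store writes comes from the register column, not from the value after the `=`. Only STA/STX/STY and INC/DEC are handled, and the constructed line uses a placeholder address, not the game's.

```python
# Added example (not from the thread): list memory writes in FCEUX trace lines.
import re

REGS = re.compile(r"A:([0-9A-F]{2}) X:([0-9A-F]{2}) Y:([0-9A-F]{2})")
INSN = re.compile(r"\$([0-9A-F]{4}):(?:[0-9A-F]{2} )+\s*([A-Z]{3})\b(.*)$")
MEM = re.compile(r"\$([0-9A-F]{2,4}) = #\$([0-9A-F]{2})")  # effective addr, old value
STORE_REG = {"STA": "A", "STX": "X", "STY": "Y"}

# Lines taken from the log posted above (indentation shortened).
PAGE_LINES = [
    "f37361  A:01 X:00 Y:01 S:CC P:nVUBdIZc  $B4EB:B5 F7     LDA $F7,X @ $00F7 = #$04",
    "f37361  A:FE X:00 Y:01 S:CC P:NVUBdIzc  $B4F3:95 F7     STA $F7,X @ $00F7 = #$04",
    "f37361  A:FF X:00 Y:01 S:CC P:nVUBdIZc  $B4FF:D6 E2     DEC $E2,X @ $00E2 = #$03",
    "f37361  A:D0 X:06 Y:00 S:CE P:NVUBdIzC  $B3EF:8D 7F 04  STA $047F = #$D0",
    "f37361  A:B0 X:00 Y:00 S:CC P:NVUBdIzc  $B779:60        RTS (from $B71F) ----",
]

# CONSTRUCTED line for illustration only; $0300 is a placeholder address.
CONSTRUCTED_LINE = (
    "f00000  A:06 X:00 Y:00 S:CC P:nVUBdIzc  $8000:8D 00 03  STA $0300 = #$04"
)


def parse_write(line):
    """Return a dict describing the memory write on this line, or None."""
    regs, insn = REGS.search(line), INSN.search(line)
    if not regs or not insn:
        return None
    pc, op, operand = insn.groups()
    mem = MEM.search(operand)
    if mem is None:                      # no memory operand (RTS, JSR, LDX #imm, ...)
        return None
    addr, old = int(mem.group(1), 16), int(mem.group(2), 16)
    if op in STORE_REG:
        # The stored byte is the register value shown on the same line.
        reg_values = dict(zip("AXY", regs.groups()))
        new = int(reg_values[STORE_REG[op]], 16)
    elif op == "INC":
        new = (old + 1) & 0xFF
    elif op == "DEC":
        new = (old - 1) & 0xFF
    else:                                # loads, compares, shifts: not handled
        return None
    return {"pc": int(pc, 16), "op": op, "addr": addr, "old": old, "new": new}


def find_writes(lines, wanted_values):
    """All writes in `lines` whose written byte is in `wanted_values`."""
    writes = (parse_write(line) for line in lines)
    return [w for w in writes if w and w["new"] in wanted_values]


if __name__ == "__main__":
    for w in filter(None, map(parse_write, PAGE_LINES)):
        print(f"${w['pc']:04X} {w['op']} ${w['addr']:04X}: "
              f"{w['old']:02X} -> {w['new']:02X}")
    print("writes of $04/$06:", find_writes(PAGE_LINES, {0x04, 0x06}))
```
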