FE10: Radiant Dawn Hacking Notes


184 replies to this topic

#21 VincentASM

VincentASM

    Heartbunny little sister

  • Administrator
  • Gender:Male
  • Location:UK
  • Favorite Fire Emblem Game:New Mystery of the Emblem

Posted 12 January 2010 - 10:29 AM

Added info on buddy supports and terrain (Chapters 7 and 8).

Just two more easy chapters to do and I'll be done with most of the FE10Data file.

Edited by VincentASM, 12 January 2010 - 10:30 AM.


#22 Solais

Solais

    Thunder beads.

  • Member
  • Gender:Not Telling
  • Location:Haeven
  • Favorite Fire Emblem Game:Sacred Stones

Posted 12 January 2010 - 12:18 PM

With the thing all busted into files, it should be pretty feasible to decompile the game, right? Someone ought to.

#23 VincentASM

Posted 12 January 2010 - 12:36 PM

By decompile, do you mean extract all the files from the disk image? I'm not really good with technical terminology ^^;;;

#24 Solais

Posted 12 January 2010 - 12:38 PM

Haha, no. I'm saying that SINCE we can extract all the files from the disc image (which I've seen done with DS games and the like before), it should theoretically be easy to decompile the game.

As in, disassemble it in such a way that it could actually be assembled again, at which point the functions could start being rewritten in a higher level language and allow for complete reinvention of the game.

#25 VincentASM

Posted 12 January 2010 - 05:37 PM

Aha, I see. I didn't think of that.

Although that reminds me of Japanese or Chinese hackers (I can't remember which) who compiled a MIDI to GBA format converter, probably based off leaked code from Nintendo (and IS?). Although they did a fine job, it didn't seem nearly as good as the real thing. There was an ELF file in the leaked FE sound data that had all the songs from FE8 in GBA format compiled using Nintendo's own converter, sounding like in the actual game.

Basically I'm worried that us going backwards, trying to decompile the game, won't be the same or at least, exceedingly tricky. Of course, I'm not the one trying this, so maybe it's easier than I'm imagining ^^;;;

In any case, I added some more notes, up to Chapter 14.

Edited by VincentASM, 12 January 2010 - 05:38 PM.


#26 Solais

Posted 12 January 2010 - 07:27 PM

All of the executable code should be in a single file, or group of files, such that it is distinguishable from non-executable code, which would help immensely. This way it would be known that treating the entirety of such files as code is correct, where in games without file systems that lump everything together, you have to treat everything as code, including the data that isn't, to get a full disassembly, which seems like it could cause problems. Or you'd have to have the code be traced; something like an emulator taking every possible branch in the code to ensure that only actual code is disassembled would be involved (this has actually been attempted with moderate success for a SNES game; probably Super Mario World).

If indeed it's easy to differentiate code from data via the file system then it should greatly simplify the process of taking just the disassembly of actual code and recreating references to what is not code for building purposes. If you get to a point where you can pass the result to an assembler and have it actually build a working ISO (presumably no different than the original game down to the last bit, or at least precisely the same functionally) then you can do what I mentioned and wrap all of the assembly code with a higher level language and start rewriting confusing functions in that language or add your own functions (also in that language, though if you're kinky and awesome you could write it in assembly anyway for optimization purposes!). At that point, you've become a god of that game, at like, Nintendo's level.

Or perhaps that's some twisted, far-fetched fantasy of mine. *shrug*

Funny side note, I'm also the guy who considered writing assembly code for NSMBWii to communicate over WiFi and design a simple interface for sharing input between remote consoles for purposes of online multiplayer.

#27 VincentASM

Posted 14 January 2010 - 01:12 PM

If you've looked within NSMBWii, then do you have a good idea if the code and data are easy to differentiate (at least for that one game)? Or is there some hurdle that I'm missing (like, wildly guessing here, knowledge of the assembly code)?

In any case, I tried what you suggested a while back and expanded one of the individual files. I've only checked the chapter of the file that I changed, so not sure if the next chapter works, but it seems expanding is completely fine (so the pointers don't mess up or anything). I managed to make one of the shops point to the expanded space ^^

Also, this means I managed to figure out scripting in the end (well, editing the script files). It turns out I was reading some of the pointers wrong; it's always the easy stuff that you get wrong. I'll probably try and break apart the Epilogue of FE10 before posting some results.

EDIT

Notes for the CFINAL.cmb file found in the /Script directory.

For some reason, these files use a mixture of reversed and non-reversed pointers. Reversed pointers (GBA/DS style) seem to be the norm and point straight to the address without any extra offsets (e.g. B8 07 points to 0x7B8). Non-reversed pointers seem to be called by a 38 or 1D byte and point to an address offset by +2C (e.g. 01 58 points to 0x184).

Most of the labelled commands are pretty easy to work out, although I don't have the patience to work out how the scripts are laid out exactly.

From what I can make out, it seems Soren doesn't need to be alive to see his special Epilogue (he just needs to be recruited). Pelleas's survival also doesn't seem to matter. I haven't really looked into the arguments in great depth though.

Interestingly, it seemed Soren was going to fight Tauroneo in Part 3 Chapter 14. I think they swapped that with Pelleas in Chapter 13 though.

Edited by VincentASM, 15 January 2010 - 10:10 AM.
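The two pointer styles described in the post above, as an added example that is not part of the original post. The buffer is constructed to reproduce the post's two worked values, and the NUL-terminated ASCII labels (`LABEL_A`, `LABEL_B`) at the targets are an assumption made only so the resolved addresses have something readable to land on.

```python
import struct

DATA_BASE = 0x2C              # offset the post gives for non-reversed pointers
PREFIX_BYTES = (0x38, 0x1D)   # bytes the post says precede a non-reversed pointer


def read_reversed(buf, pos):
    """Reversed (little-endian) 16-bit pointer: the value is the file address."""
    (addr,) = struct.unpack_from("<H", buf, pos)
    return addr


def read_non_reversed(buf, pos):
    """Prefix byte, then a big-endian 16-bit pointer relative to 0x2C."""
    if buf[pos] not in PREFIX_BYTES:
        raise ValueError(f"byte {buf[pos]:#04x} at {pos:#x} is not a known prefix")
    (rel,) = struct.unpack_from(">H", buf, pos + 1)
    return rel + DATA_BASE


def label_at(buf, addr):
    """Read a NUL-terminated ASCII string at addr (assumed label encoding)."""
    if not 0 <= addr < len(buf):
        raise ValueError(f"pointer {addr:#x} is outside the {len(buf):#x}-byte file")
    end = buf.index(b"\x00", addr)
    return buf[addr:end].decode("ascii")


def build_sample():
    """Constructed buffer, not real CFINAL.cmb contents."""
    buf = bytearray(b"\xff" * 0x7C0)
    buf[0x184:0x18C] = b"LABEL_A\x00"
    buf[0x7B8:0x7C0] = b"LABEL_B\x00"
    buf[0x10:0x12] = bytes.fromhex("b807")     # reversed pointer to 0x7B8
    buf[0x20:0x23] = bytes.fromhex("380158")   # 38-prefixed pointer to 0x184
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample()
    for addr in (read_reversed(sample, 0x10), read_non_reversed(sample, 0x20)):
        print(f"{addr:#x} -> {label_at(sample, addr)}")
```

Checking each resolved address against the file length before following it catches a pointer read with the wrong byte order, which is the mistake the post describes.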


#28 VincentASM

Posted 20 January 2010 - 05:14 PM

Thanks to shadowofchaos, I managed to get a hacked copy of FE10 working. Unfortunately my good PC just died again, so I didn't get to do much testing : /

Some stuff that I got to work...

Changing the army data proved pretty easy. I couldn't get Wiiscrubber to replace a file larger than the original though, maybe I need to erase some useless files first.

However, I did get to mess around with different characters, classes and weapons. For some reason, Edward as a Sniper doesn't seem to work properly; during battle, he stands like he's crucified and doesn't seem to attack the enemy o__o

Also, for randomness, I made Alondite an E Rank sword and gave it to Cleric!Mist.

Next, I tried to change the pacifist tables so the bandits wouldn't attack Micaiah and Edward. That didn't seem to work. It did work when I changed Micaiah's pacifist table to stop her attacking the bandits though. How odd.

Didn't get time to see if the Biorhythm, Terrain and Weapon Triangle editors work.

Edited by VincentASM, 20 January 2010 - 05:16 PM.


#29 VincentASM

Posted 23 January 2010 - 03:20 PM

Completed the notes. I'll probably make a downloadable version later.

#30 Solais

Posted 24 January 2010 - 04:15 PM

The strange pattern of endianness/offsetting going on with the pointers, if I had to guess, is related to the different cores of the Wii. The direct little endian pointers might be being passed to the Starlet, which I'm fairly certain does the IOS stuff (like handling disc reads), and considering that it's an ARM core like what the GBA/DS use, I would expect the Starlet to be little endian. The Wii's main processor, the PowerPC, is big endian. I'm not sure what you're looking at here, but if the little endian pointers are pointing to data that is loaded in the RAM and the big endian pointers are to data within a file such that the whole thing will already be in the RAM when it is utilized, then there's your explanation: data coming off the disc needs little endian pointers and data already off the disc needs big endian pointers.

Though it's entirely possible Intelligent Systems or whoever designed a wonky struct to hold array indices and treat the files as byte arrays (as any file pretty much is one), and these indices are stored as big endian as they are not actually "pointers" (which could then be stored with a different endianness as they are a different data type? Although that's still weird). The offsetting is confusing me too, though. I can only think it would do that to point past meta data; i.e. the first 0x2C bytes are actually related data, but not the data itself; rather, data about the data that follows. Or perhaps 0x2C bytes at the beginning of a block of data/file is where the meta data is and the offset is applied with 0x2C as the base address as such. Something to look into.

I've only run NSMBWii with my USB Gecko active. I didn't dump the file system or do any ISO hacking.

#31 VincentASM

Posted 24 January 2010 - 04:28 PM

I think you're right that the offset might be to do with metadata or something similar. The relevant data appears to start after 0x2C. I've noticed a similar case with some other FE9/10 files (which are typically offset by 0x20 instead).

The little and big-endian pointers can be found in the same files. It does seem a little wonky o__o

I forget which endianness is which, but the non-reversed pointers (in the script files) point to stuff within the "database". The reversed pointers point to labels at the very top (the header?) (as opposed to labels at the bottom for non-reversed pointers).

#32 VincentASM

Posted 27 January 2010 - 03:02 PM

Been messing around with FE9 a little.

I was using GameCube Rebuilder, which seems to work a bit better than GCTool for editing files. The best part is that once you've rebuilt an ISO, you can also replace files with larger ones (up to a limit of 2KB per file, but that's enough for the files I'm working with).

I haven't done anything too complicated yet, just swapping classes and items. Annoyingly the army/disposition data is compressed (unlike in FE10/11), but I suppose it's just one more step...

Female Bishop (Elincia)
Female Heron (Leanne)
Generic Heron (discoloured palette)

There's a lot of unused stuff compared to FE10/11, but most of them don't fully work (which is to be expected) or most people already know about them (eg. the S Rank weapons, Bright Bow, Devil Axe).

I can't remember right now if there were any FE9 mysteries to solve. Maybe I could test Lethality (again) to see if it runs off Critical/2.

Edited by VincentASM, 27 January 2010 - 03:05 PM.


#33 Solais

Posted 27 January 2010 - 04:07 PM

Formulas for damage, defense and probable things like criticals and assassinations are best defined by interpreting actual game code. Do you not have a way of doing that?

If the little endian (reversed) pointers point to within the header, that header might well be meta data for that file used by the file system which I guess would be on the Starlet. The fact that the pointer has a leading byte that isn't actually part of the pointer would hint that the related bytes are passed as a command/argument(s) style byte string to the IOS, perhaps. Much like how reading from the NDS card involved writing B7 AA AA AA AA 00 00 00, with the AAs as the address, to the MAC I/O registers to get data from that address on the card into related MAC I/O registers, which can then be polled to copy data from the card to the RAM. I could be completely wrong, but I've done some work that made the IOS less transparent back when I was trying to make my own version of what turned out to be Gecko OS, and I've seen how the IOS very closely resembles the DS's system for accessing separate media.

I guess I shouldn't say "the" IOS as the IOS used by a Wii game varies from game to game, and even based on how the user is running their application (it seemed to me that the USB Loader works by overriding the game's desired IOS with one that causes disc reads to become USB reads).

Relevant link - confirms my understanding of the IOS, too.

2 Kilobytes seems like a strange and measly limit for expanded files.

Edited by Xeld, 27 January 2010 - 04:07 PM.


#34 James Bond

James Bond

    I've got License to Kill...not very persuasive huh?

  • Member
  • Gender:Male
  • Location:Originally from: Athens, Greece, Current base of Operations: Sveti Stefan, Montenegro
  • Favorite Fire Emblem Game:Genealogy of the Holy War

Posted 27 January 2010 - 04:19 PM

Does anyone know where are the pointers to the forging items (Iron Sword, Steel Sword, etc...) in the shopitem.bin, please?

#35 VincentASM

Posted 27 January 2010 - 04:38 PM

Formulas for damage, defense and probable things like criticals and assassinations are best defined by interpreting actual game code. Do you not have a way of doing that?

Nah, I'm afraid I don't. The best I can do is rely on (semi) large-number statistics, like hitting bandits 50-100 times.

2 Kilobytes seems like a strange and measly limit for expanded files.

Well, I suppose it's only the first version of the program. From what I can tell, what they did was space every single file in the ISO by 2 KB. Probably not the most elegant method, but they did mention it was only good for minor edits.

Does anyone know where are the pointers to the forging items (Iron Sword, Steel Sword, etc...) in the shopitem.bin, please?

Could you upload the file? I'm using the JP version, which you might not be using. Forging data varies per chapter, so you're going to be looking at a lot of pointers.

If you're not in a hurry, I'll probably look into it tomorrow.

#36 James Bond

Posted 27 January 2010 - 04:42 PM

I am not in a hurry really; you can do it whenever you are able to... thanks...

#37 James Bond

Posted 27 January 2010 - 04:57 PM

Well, I managed at last; here it is.

#38 VincentASM

Posted 27 January 2010 - 05:00 PM

Oh yeah, are there any specific chapters you want to edit?

#39 James Bond

Posted 27 January 2010 - 05:05 PM

The final chapter of the 1st part and the 3rd chapter of part 3 (if it is possible)... thanks again...

Edited by roxas210, 27 January 2010 - 05:05 PM.


#40 VincentASM

Posted 28 January 2010 - 01:21 PM

Alright, instead of actually modifying the separate pointers in the forge, it's probably more convenient to re-point Chapter 1-F and 3-3's forges to a later forge in the game (I assume you just want to have all available weapons to forge).

I'm not sure at which point you get to forge every weapon, but I'm guessing Chapter 4-5 (the last chapter before entering the tower) should be okay.

If this is all you want to do, then:

Go to the address 0x11EA4 and change the pointer 00 00 4E CC to 00 00 97 EC. This will change the Chapter 1-F forge to use the data from Chapter 4-5.

Go to the address 0x11EEC and change the pointer 00 00 68 1C to 00 00 97 EC. This will change the Chapter 3-3 forge to use the data from Chapter 4-5.

Unfortunately I don't have a far enough save to test that this works. I'm fairly confident that it should though. Also, remember that this probably only affects the forge in (NA) Easy mode.

If you want to try different chapters, scroll down to 0x123CC and look up their labels (bearing in mind the Prologues are counted as 01, so Chapter 1 is 02 and etc.). Then locate the beginning of the label, convert that address into a pointer and subtract 123CC from it (this only applies for the bottom half of the file). Eg. FSHOP_ITEMS_C0406 (FSHOP stands for forging shop I guess) starts at 0x12676, so the pointer for it is 12676 - 123CC = 00 00 02 AA. Run a hex search for the pointer, and the pointer to the left of it should point to the forging data (in this case it's 00 00 97 EC).

Edited by VincentASM, 28 January 2010 - 01:29 PM.
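The lookup and re-point procedure from the post above, as an added example that is not part of the original post. It runs on a small constructed file rather than the real shopitem.bin; the label base (0x123CC in the post) is passed in as a parameter, and the 4-byte alignment filter, the label `FSHOP_ITEMS_SAMPLE` and the layout of the sample are assumptions.

```python
import struct


def find_entry(data, label, label_base):
    """Return (offset, value) of the data pointer stored left of label's pointer."""
    label_addr = data.find(label, label_base)
    if label_addr < 0:
        raise ValueError(f"label {label!r} not found after {label_base:#x}")
    # Label pointer = label address minus the start of the label table.
    needle = struct.pack(">I", label_addr - label_base)
    hits, pos = [], data.find(needle, 4, label_base)
    while pos != -1:
        if pos % 4 == 0:              # assumption: pointers are 4-byte aligned
            hits.append(pos)
        pos = data.find(needle, pos + 1, label_base)
    if len(hits) != 1:                # refuse to guess between several matches
        raise ValueError(f"expected one match for {needle.hex()}, got {len(hits)}")
    slot = hits[0] - 4                # "the pointer to the left of it"
    return slot, struct.unpack_from(">I", data, slot)[0]


def repoint(buf, src_label, dst_label, label_base):
    """Make src_label's entry use dst_label's data; return (offset, old, new)."""
    slot, old = find_entry(buf, src_label, label_base)
    _, new = find_entry(buf, dst_label, label_base)
    struct.pack_into(">I", buf, slot, new)
    return slot, old, new


def build_sample():
    """Constructed stand-in file: 0x40-byte head, then a NUL-separated label table."""
    names = [b"DUMMY", b"FSHOP_ITEMS_SAMPLE", b"FSHOP_ITEMS_C0406"]
    table = b"".join(n + b"\x00" for n in names)
    rel = [table.index(n) for n in names]
    head = bytearray(b"\xff" * 0x40)
    struct.pack_into(">II", head, 0x10, 0x4ECC, rel[1])   # sample data pointer
    struct.pack_into(">II", head, 0x18, 0x97EC, rel[2])   # sample data pointer
    return head + table, 0x40


if __name__ == "__main__":
    buf, base = build_sample()
    slot, old, new = repoint(buf, b"FSHOP_ITEMS_SAMPLE", b"FSHOP_ITEMS_C0406", base)
    print(f"{slot:#x}: {old:08X} -> {new:08X}")
```

Raising on zero or multiple matches keeps a hex-search false positive from silently overwriting unrelated bytes.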




