15 replies to this topic

[CT075]

i swear im not a noob

The code is ASMC 0x079AF4

R0 - 0x02025848 		No idea.
R1 - 0x08079AF5			The offset of the routine called by the event, probably.
R2 - 0x00000000			Unused
R3 - 0x02025898			???
R4 - 0x02025848			???
R5 - 0x08CB9E30			???
R6 - 0x0202589E
R7 - 0x08B90E48
R8 - 0x08B90E4C
R9 - 0x00000000
R10 - 0x00000000
R11 - 0x03007D9C
R12 - 0x00000001

r13 (sp) - 0x03007D9C
r14 (lr) - 0x0800D38D
r15 (pc) - 0x08079AF4

I'd log the other two routines to see what they did, but I'm lazy. Go get it yourself if it's that important t'ya.

Main routine

08079AF4 B500     push    {r14}			@ Obvious enough.
08079AF6 F00CF8C1 bl      #0x8085C7C		@ See below
08079AFA 4807     ldr     r0,=#0x202BBF8	@ Contains main game mode.
08079AFC 2102     mov     r1,#0x2			@ R1 = 0x02
08079AFE 7EC0     ldrb    r0,[r0,#0x1B]		@ Load current route: R0 = 0x03 (Hector mode)
08079B00 2802     cmp     r0,#0x2			@ False (0x02 = Eliwood mode)
08079B02 D100     bne     #0x8079B06		@ If the main lord is Eli, make R1 0x1 (char ID of Eliwood?)
08079B04 2101     mov     r1,#0x1			@ R1 = 0x1
08079B06 1C08     mov     r0,r1			@ Now R0 = 0x2 (If it's not Eliwood mode, it's obviously Hector mode!)
08079B08 F79EF914 bl      #0x8017D34		@ Either this or the next branch command calls the promotion routine with
08079B0C 2100     mov     r1,#0x0			@ R1 = 0
08079B0E F7B3F8BB bl      #0x802CC88		@ the lord of choice as the first parameter.
08079B12 BC01     pop     {r0}			@ - Return.
08079B14 4700     bx      r0				@ /

Routine at 0x08085C7C

08085C7C B500     push    {r14}			@ Guess
08085C7E 4811     ldr     r0,=#0x8CC2C60	@ Offset of something?
08085C80 F77EFDF4 bl      #0x800486C		@ wat
08085C84 4810     ldr     r0,=#0x8CC2CE8	@ Again, with a different number?
08085C86 F77EFDF1 bl      #0x800486C		@ Probably graphics.
08085C8A 4810     ldr     r0,=#0x8CC2C00	@ no idea
08085C8C F77EFDEE bl      #0x800486C		@ it goes to the same place
08085C90 480F     ldr     r0,=#0x8CC2D38	@ ^
08085C92 F77EFDEB bl      #0x800486C		@ ^
08085C96 480F     ldr     r0,=#0x8CC2D98	@ ^
08085C98 F77EFDE8 bl      #0x800486C		@ ^
08085C9C 4B0E     ldr     r3,=#0x3002870	@ No clue what that is
08085C9E 1C19     mov     r1,r3			@ whee
08085CA0 313C     add     r1,#0x3C		@ R1 += 0x3C
08085CA2 203F     mov     r0,#0x3F			@ R0 = 0x3F
08085CA4 780A     ldrb    r2,[r1]			@ Load a value from there (on read: 0xFF)
08085CA6 4010     and     r0,r2			@ On read: 0xFF & 0x3F = 0x3F (force into last 6 bits)
08085CA8 7008     strb    r0,[r1]			@ ...Store 0x3F into memory?
08085CAA 3108     add     r1,#0x8			@ R1 += 8 (R1 = 0x030028B4)
08085CAC 2200     mov     r2,#0x0			@ R2 = 0
08085CAE 2010     mov     r0,#0x10		@ R0 = 16
08085CB0 7008     strb    r0,[r1]			@ Store 0x10 eight bytes after that...
08085CB2 1C18     mov     r0,r3			@ Now R0 shares a value with R3?
08085CB4 3045     add     r0,#0x45			@ R0 += 0x45 (= 0x03002B5)
08085CB6 7002     strb    r2,[r0]			@ Store a zero there...?
08085CB8 3001     add     r0,#0x1			@ R0 += 1
08085CBA 7002     strb    r2,[r0]			@ Store a zero right after that?
08085CBC F7C4F9C0 bl      #0x804A040		@ bleah
08085CC0 BC01     pop     {r0}			@ Return
08085CC2 4700     bx      r0

Judging from this, I'm assuming that all the routine does is check which mode it is, and call the regular promotion routine with Eliwood or Hector as the first parameter accordingly.

I should probably do some more testing, but it shouldn't be too hard to replicate.

Edited by Camtech, 09 March 2012 - 03:39 PM.

[Jubby]

Does this mean you might be able to create a hack to make it work for any character?

[CT075]

That's why I'm looking into this~

[Onmi]

You're my favorite person ever! For now.

I sorta feel like Lex Luthor looking in the mirror when he inhabited Wally Wests body in JLU (could I make a more nerdy sentence?)
"I have no idea who this is"
I have no idea what this means.

[Nintenlord]

08085C7E 4811     ldr     r0,=#0x8CC2C60        @ Offset of something?
08085C80 F77EFDF4 bl      #0x800486C            @ wat
08085C84 4810     ldr     r0,=#0x8CC2CE8        @ Again, with a different number?
08085C86 F77EFDF1 bl      #0x800486C            @ Probably graphics.
08085C8A 4810     ldr     r0,=#0x8CC2C00        @ no idea
08085C8C F77EFDEE bl      #0x800486C            @ it goes to the same place
08085C90 480F     ldr     r0,=#0x8CC2D38        @ ^
08085C92 F77EFDEB bl      #0x800486C            @ ^
08085C96 480F     ldr     r0,=#0x8CC2D98        @ ^
08085C98 F77EFDE8 bl      #0x800486C            @ ^

There's this cool tool used hex editor you can use in thease cases . From the looks of it, it looks like some sort of "scripting language", similar to event codes in structure. 0x800486C is probably some sort of execution routine. Judging from the offset, this is something Nintendo or IS supplies as a library, meaning it's probably quite general.

08085C9C 4B0E     ldr     r3,=#0x3002870        @ No clue what that is
08085C9E 1C19     mov     r1,r3                 @ whee
08085CA0 313C     add     r1,#0x3C              @ R1 += 0x3C
08085CA2 203F     mov     r0,#0x3F                      @ R0 = 0x3F
08085CA4 780A     ldrb    r2,[r1]                       @ Load a value from there (on read: 0xFF)
08085CA6 4010     and     r0,r2                 @ On read: 0xFF & 0x3F = 0x3F (force into last 8 bits)
08085CA8 7008     strb    r0,[r1]                       @ ...Store 0x3F into memory?

Clears some bit flags in address 0x3002870 + 0x3C. Possibly related to previous use of "scripts".

08085CAA 3108     add     r1,#0x8                       @ R1 += 8 (R1 = 0x030028B4)
08085CAC 2200     mov     r2,#0x0                       @ R2 = 0
08085CAE 2010     mov     r0,#0x10              @ R0 = 16
08085CB0 7008     strb    r0,[r1]                       @ Store 0x10 eight bytes after that...

08085CB2 1C18     mov     r0,r3                 @ Now R0 shares a value with R3?
08085CB4 3045     add     r0,#0x45                      @ R0 += 0x45 (= 0x03002B5)
08085CB6 7002     strb    r2,[r0]                       @ Store a zero there...?
08085CB8 3001     add     r0,#0x1                       @ R0 += 1
08085CBA 7002     strb    r2,[r0]                       @ Store a zero right after that?
08085CBC F7C4F9C0 bl      #0x804A040            @ bleah

Either store values or set bits.

In general, when studying what a certain memory region doesn, VBA with Memory Viewer and Automatic update is very beautiful. Add in the fact that you can edit the values to test them in VBA's memory viewer . That's how I discovered the meaning of many memory regions in FE7, including the Eliwood/Hector mode value the other routine uses.

Also, you want something hard? Try figuring out how to get rid of ghost-vampire-dwarf (I nicknamed him Vlad) in Dwarf Fortress after atom-smashing the body...

Edited by Nintenlord, 09 March 2012 - 09:13 AM.

[Onmi]

Seal him in a coffin and blast him with the piledriver? it worked for Django

[CT075]

NL, I know what BL does >_>

I didn't log it, but the function calls in the second routine basically do

R5 = 0x3F
for(;r5 > 0;r5--)
{
  // some shit that i don't know
}

and those memory regions i'll look into later

Edited by Camtech, 09 March 2012 - 10:44 AM.

[Jubby]

Cam I <3 you so much right now

[CT075]

The memory thing is definitely graphics.



Give me a few days and I'll make it work even better.

EDIT:

In case you're wondering how to do it yourself -

Paste this anywhere that's halfword-aligned (aligned by 2) into your ROM:

00 B5 0C F0 C1 F8 07 48 02 21 08 1C 9E F7 14 F9 00 21 B3 F7 BB F8 01 BC 00 47

The bolded number is the unit to promote. Change it to whatever. Call an ASMC to where the B5 is, not where you pasted it. So like, if I pasted it to D80000, I'd call D80001. FUCK DAT

Edited by Camtech, 11 March 2012 - 12:22 PM.

[Nintenlord]

You'll need to take into account that BL instructions have limited range. The standard solution I use is:

yadda yadda...

ldr ri, =offsetYouWantToReallyGo + 1
bl jump

yadda yadda...


jump:
bx ri

where ri is any free register r0-r7.

[CT075]

yeah, I guess. THat explains why it wasn't working for me.

What I"m trying to do is just modify that one instruction so that one could pass parameters into the ASMC and promote the given character.

Edited by Camtech, 11 March 2012 - 12:46 PM.

[Jubby]

EDIT:

In case you're wondering how to do it yourself -

Paste this anywhere that's halfword-aligned (aligned by 2) into your ROM:

00 B5 0C F0 C1 F8 07 48 02 21 08 1C 9E F7 14 F9 00 21 B3 F7 BB F8 01 BC 00 47

The bolded number is the unit to promote. Change it to whatever. Call an ASMC to where the B5 is, not where you pasted it. So like, if I pasted it to D80000, I'd call D80001. FUCK DAT

So by the FUCK DAT did it not work?

[Burning Gravity]

@Jubby He has the right idea, he just needs to change it so it's more.... accessible or efficient, hard to find a good word for this. Anyhow, it shouldn't be difficult. It looks like he possibly edited some values in the RAM and got the promotion to work that way, then thought it should work in general afterwards, only to find out it's not that simple. I can't be sure since I don't think he told us but in general hacking ASM routines "live" is not always the same as hacking them in the ROM.

Thus the general code should work with a little tweaking. Copying/pasting what he edited in won't work though, which is why he said "FUCK DAT" and scratched it out (so no one tries it, pretty much). That's my understanding of it, anyway, I'm only interpreting the information given in this topic because it seems slightly interesting.

[CT075]

Okay, here's what happened-

What I posted was the exact code executed by the game, with a few unnecessary codes cut out. When I actually pasted it, it didn't work. That's why I scratched it out. Also, some of the commands used don't work if you paste them in the wrong place, which is what I'm working on right now.

I'm also trying to get it so that you don't need to insert a new routine for every character.

EDIT

Hacking routines "live" works only partially. What I did was change one opcode in a hex editor, and it worked. But when I tried pushing further (copy/pasting, cutting out codes, etc.) it broke.

Edited by Camtech, 11 March 2012 - 01:43 PM.

[Jubby]

Right, I got the new character part :P But the memory dump thing didn't work was what I was trying to get at and no it did not I see. Thanks guys X3

[Burning Gravity]

Sounds good, good luck getting everything to work efficiently.