Home

Assembly modification 1

Requirements:
-Zsnes emulator
-ISDA(or another disassembler)
-Hex workshop(or another hex editor)
-Megaman X rom(US)
-Understanding of the 65c816
-Brain

 

Introduction
Here I will try to explain how to make a simple modification to the code in Megaman X. 
The modification will result in creating a cheat, but the goal is of course that you see how it's done.Some people might rate this as very simple, but that's the idea. 
Values/addresses with 0x before them are hexadecimal the rest are decimal


Step 1
First we'll need to pick something to modify. Asuming you already know Megaman X, let's modify the
code responsible for depleting the energybar. First we'll analyze it. Let's take a look:

If you'll count them, you will see that there are 16 stripes in the bar. Very often the value that's is stored in memory  is
the same as the value you count on the screen. But not always. Luckily in this case it's the same, as we'll see.


Step 2
Next we'll need to find the address in memory. There are 2 ways to do this. The easiest way is to use Zsnes. It's got an excellent built in cheat finder wich we can use to find the address. The idea is that you change the value you want to look for and zsnes will discard all addresses that did not change. Be sure to select 8 bits(1 byte) in this case. After a few searches Zsnes will have found the address, 0x7E0BCF. 0x7E is the bank address. Bank 0x7E contains memory in the Snes. The bank part is often omitted in addresses. You can also use hex workshop. For this to work you'll need at least 2 save states with different energy values. You can then do a compare(F6) to find the differences. This method is more time consuming, so I advise to use it only when you can't find the address using Zsnes. But when you've found the address using this method, you'll have a file offset in the save state. To convert it into an memory address you'll need to substract 3091 from it. So if correct you'll have 0x17E2, from wich you must substract 0xC13. This will also give 0x0BCF




Step 3
Now that we have the address, we need to find the code to modify. This is actually the most difficult part and what this is all about. When you get hit in the game your energy drops. There must be some program code wich makes sure this happens.
The most common way to do this is like this:
1-Get the current value from memory
2-Substract damage from the value
3-Store the value in memory

But it may also be done like this:
1-Load the damage value from memory
2-Substract it from the energy value in memory

And of course many other ways are possible, but the fact that the memory value of the energy must be altered remains. So to find the code we'll be looking for this address, in the rom file. Fire up hex workshop or any other hex editor that can search for hex values. Search for the hex string "CF0B" that's the address in reverse. Always reverse the address, that's the way the 65c816 stores them. As you'll see, you'll find quite a lot of instances in the file. You must be thinking that many can never be all related to the energy value. That's good thinking. There might be other reasons for the value "CF0B" to appear like graphics data, or text data. Whatever the reason, you can see what's code and what's not. To know what's code and what's not, you must know at least some instructions and their hex code. Here are a few, XXXX is the address:

 

Instruction Hex code What it does
LDA $XXXX ADXXXX Load memory value into the accumulator
STA $XXXX 8DXXXX Store accumulator into memory
STA #$XX A9XX Store value XX into accumulator *
SBC $XXXX EDXXXX Subtract memory with carry from the accumulator
SBC #$XX E9XX Substract XX with carry from the accumulator

* Depends on operation

Of course these are not all instructions, but most of the times they're used for this kind of things. So in our case we would be looking for 0xADCF0B and 0x8DCF0B. If you check all instances with ADXXXX and 8DXXXX you'll see that nowhere near  most of them a SBC intruction will be found. The only one you'll find is at 0x21F4B in the file  (ED0000) without a SBC-like instruction you can't lose energy. So this must be the one. Let's test it. Change the 0xED0000 to 0xEAEAEA. 0xEA = NOP(No OPeration)so that's 3 NOP intructions wich do excactly nothing (but waste time). Fire up zsnes and load the rom you just modded. If correctly done zsnes should say that the checksum is wrong, wich it is. Walk into the fist spikey you see, and surprise. It works. Next go fight the purple guy, hmmm not very good you're supposed to get whooped here. We'll fix that next time, then we'll take a look at how to hack in your own code.

 I know there is a lot more to explain, but I hope this will get you started. Try to learn as many instructions as you can and try to learn as much as you can about the 65c816 and the snes.

* One very cool and at the same time annoying feature of the 65c816 is the variable accumulator and index register size wich can be changed between 8 and 16 bits by setting or resetting certain bits of the processor status. This makes disassembling a  little more difficult. Make sure you understand this concept. ISDA allows you to set the status by pressing A and X.

Home