Kodewerx

PostPosted: Tue Apr 17, 2007 8:59 pm 
Kommunist

Joined: Mon Oct 02, 2006 7:47 am
Posts: 336
Location: Amish Redneck Country, PA
Title: Crazy Snake
The World is Not Enough

Hi-Res Enabler
FF000204 0000
F10A9240 2400
-Only about 15 codes can be used. Don't bother with any of the level-specific codes, as that stuff is random in hi-res. The misc assembly hacks (like Infinite Ammo/Health for all levels) are the way to go. Also, any long code that uses 804x addresses shouldn't be used.

The following codes will work with or without the Expansion Pak. A couple are revamps of my previous hacks, because I was sort of an ASM n00b when I first hacked this game.

Enable All Difficulties
810194E8 2402
810194EA 0002
810194EC A062
810194EE 76C7
-All Levels code still required to activate the levels. This just activates all the difficulties. Should be savable.

Start All Levels With Full Armor (Revised)
81065498 3C04
8106549A 42C8
810654AC AE64
810654AE 0060

Infinite Armor
81071588 3C01
8107158A 42C8
8107158C AE41
8107158E 0060

Have All Guns and Infinite Ammo
81070A56 9821
81070A60 0013
81070A6C 3C02
81070A6E 0100
81070A70 3442
81070A72 0064
81070A78 AE42
81070A7A 01FC
-They won't show in inventory until you scroll through them with the A button during the game. Change weapon and change back to refill ammo, or use the other Infinite Ammo code with it.

Infinite Ammo In Reserve (For Weapons That Actually Use Reserves)
81064958 3405
8106495A 0064
8106495C A505
8106495E 01BC

_________________
Be a real programmer. Program without the .SHIT Framework.
Check out my movie collection
Quote:
<ThePhantom> What, would you prefer I keep track of it with fucking binary shifting, like you probably did? Hell no.
<ThePhantom> A hedgehog's asshole could understand my code, N-O-B-O-D-Y B-U-T Y-O-U C-A-N U-N-D-E-R-S-T-A-N-D Y-O-U-R-S
<Parasyte> Nobody has to understand it
<Parasyte> Plus, bitwise shifting owns
<Parasyte> A lot
<ThePhantom> Nobody has to understand it?
<Parasyte> Correct...
<ThePhantom> Write code like it's for your job, ass. :P
<Parasyte> No way.
<ThePhantom> Either provide fucking documentation or don't write it like a deranged circus chimp on crack.


PostPosted: Wed Apr 18, 2007 10:02 pm 
Kommunist

Joined: Mon Oct 02, 2006 7:47 am
Posts: 336
Location: Amish Redneck Country, PA
Title: Crazy Snake
Holy fuck this game's programming sucks. You can't even get through 2 levels on any emulators without the game randomly rebooting. This one code came with some help from Ugetab. I wish anyone luck hacking the same effect in lo-res. Goddamn game.

Turok Rage Wars

Enable All Cheats (Hi-Res)
81721304 1000

PostPosted: Thu May 03, 2007 11:17 am 
Kommunist

Joined: Wed Dec 06, 2006 12:04 pm
Posts: 3
I have looked several times on many websites and have not found any codes for the game International Track & Field 2000 for N64. Viper, can you create some codes for this game?


PostPosted: Thu May 03, 2007 5:31 pm 
Kommunist

Joined: Tue Oct 10, 2006 8:49 pm
Posts: 78
Location: California
Good God. That game runs EXTREMELY slow in PJ64 v1.6 - think molasses on a cold day in January. The PJ64 team recommends PJ64 v1.4, but if you're going to try to run this in v1.6, I recommend using Rice 6.1.

International Track & Field 2000 (U)

Long Jump - Fake Power Meter Modifier (Lo-Res)
811E0576 ????

0190 is close to full. Note that this only changes what the meter shows, and doesn't actually reflect your character's speed. With the initial warning in mind, does anyone want to try to hack something useful? ;)

_________________
I'm a procrastinator, but I'll worry about that problem later...

PostPosted: Tue May 29, 2007 4:54 am 
Kommunist

Joined: Fri Mar 23, 2007 11:51 am
Posts: 184
Location: manchester,England
can some one make like a super kook shot code (hooks to anything from far away) fot orcarana of time i woukld realy like that

_________________
dlong wrote:
Silly lemma, lies are for Runes.


PostPosted: Tue May 29, 2007 7:07 am 
*Female Hacker

Joined: Sat Oct 21, 2006 9:54 am
Posts: 1656
Location: Who cares?
Title: Female Hacker!!!
deku shrub wrote:
Can some-one make like a Super Hook Shot code (hooks to anything from far away) for Orcarina of Time I woukld really like that.

Fixed a lot...

_________________
Chat with our AI here...
Don't blame me if it's offline temporarily; it gets fixed fast, because that's the fault of the hoster...
I changed the link in my sig image too...


PostPosted: Tue May 29, 2007 7:59 pm 
Krew (Admin)

Joined: Sun Oct 01, 2006 9:26 pm
Posts: 3765
Title: All in a day's work.
viewtopic.php?f=2&t=2239

_________________
I have to return some video tapes.

Feed me a stray cat.


PostPosted: Sun Jun 03, 2007 12:10 am 
Kommunist

Joined: Tue Oct 10, 2006 8:49 pm
Posts: 78
Location: California
Space Station: Silicon Valley has Infinite Health codes for each type of animal, but it doesn't have an Infinite Health code that works for every type of animal. This needs to be remedied. Hint, hint.


I'd try it myself, but the game doesn't seem to feel like loading in Nemu in XP SP2.

PostPosted: Wed Jun 06, 2007 7:45 am 
Komrade

Joined: Tue Mar 27, 2007 10:18 am
Posts: 1328
Jet Force Gemini doesn't load in Nemu either. I used Project 64/Cheat Engine to hack the ASM.

004D5280 holds MIPS PC for the start of the current routine (not the current PC)

004D52E8 - GPRs
004D53D0 - SP
004D53E0 - RA

3AD70000 - RDRAM

^Project 64 v 1.6 addresses while using a recompiler core.

PostPosted: Thu Jun 14, 2007 7:10 pm 
Kommunist

Joined: Tue Oct 10, 2006 8:49 pm
Posts: 78
Location: California
Zeld, we needed you back when GSC.com was awesome. :(

Anyway, this is just plain weird. Nemu won't run SS:SV, Shadows of the Empire, Super Smash Bros., Earthworm Jim 3D, any of the Rush games, Blast Corps, PD and a whole lot more if I load the ROM file normally.

But it will inexplicably load and run (!) them if I create a Zip archive consisting of a single ROM and then load the archive. You know what that means, don't you? ;)


Space Station: Silicon Valley (U)

Infinite Health for All Animals and EVO
812B3B1C 2400
8135C20C 2400

Sometimes your character's health will drop to almost nothing, but you won't die if you do anything that would hurt you, like running into an electrified fence.


If you want to have hard-to-kill enemies that can be revived just by running into them, try:
812B3B1C 2402
812B3B1E 007F


EDIT: How about an Infinite Health code where your health bar doesn't drop?

Infinite Health for All Animals and EVO
812B3B1C 01E0
8135C20E 0000

PostPosted: Thu Jun 21, 2007 3:46 pm 
Krew (Admin)

Joined: Sun Oct 01, 2006 9:26 pm
Posts: 3765
Title: All in a day's work.
I remember hacking that game years ago. It was a lot of fun at the time. And using the beta animals was pretty cool.

PostPosted: Mon Jun 25, 2007 10:26 pm 
Komrade

Joined: Tue Mar 27, 2007 6:23 pm
Posts: 1354
Location: Mario Raceway, 1509.831, 217.198, -564.429
Title: Mario Kart 64 Hacker
Yeah, pretty good game that's usually overlooked, but damn, did they bugtest it at all?

Problem with hacking it is the game just swaps which animal you're controlling, so if you have infinite health for the current animal, and you jump in another one, now you no longer have it and the one you just abandoned does (so he gets up and starts killing you). A universal infinite health code will make enemies invincible. Does your code avoid this?

_________________
143
HyperNova Software is now live (but may take a few tries to load) currently down; check out my PSP/DS/Game Boy/Windows/Linux homebrew, ROM hacks, and Gameshark codes!


PostPosted: Tue Jun 26, 2007 3:50 pm 
Kommunist

Joined: Tue Oct 10, 2006 8:49 pm
Posts: 78
Location: California
I agree: it was a very good/cool game that got overlooked for some reason or another, both in sales and hacking. Apparently, DMA's next big release - Grand Theft something, where you could jack cars and stuff - took a lot of attention away from SS:SV. Which is a shame, because I would rank it up there with some of Rare's games.

Using my code does not give you invincible zombie enemies, although it used to. ;) I got around that by changing the amount of health you lose when hit to 0, which doesn't apply to enemies, for some reason. Different routines, maybe?

Also, I just realized that I'll probably need to add to that code, unless DMA was nice and programmed the game so that the routines used for levels also applied to bonus levels, the final level, and the Asteroid level. Dunno why I forgot to check those. :|

PostPosted: Tue Jun 26, 2007 4:01 pm 
Komrade

Joined: Tue Mar 27, 2007 6:23 pm
Posts: 1354
Location: Mario Raceway, 1509.831, 217.198, -564.429
Title: Mario Kart 64 Hacker
That reminds me, there was one level I never made an instant win code for, because it required switching animals. :-/

PostPosted: Wed Jun 27, 2007 3:46 pm 
Kommunist

Joined: Tue Oct 03, 2006 9:26 pm
Posts: 14
If you're in the mood for DMA games, have a go at activating Body Harvest's Debug menu, it eludes me still..


PostPosted: Thu Nov 01, 2007 10:26 pm 
Komrade

Joined: Tue Mar 27, 2007 10:18 am
Posts: 1328
One of the archetypes of N64 hacking seems to be that Goldeneye's use of the TLB makes hacking a bitch.

Unless Project 64 isn't emulating the TLB right, it looks like that's not even a problem. I wrote a test code that writes a known value to a static TLB address to see if it crashed, and it didn't. I've confirmed that ASM in the TLB, for Goldeneye at least, is always in the same place. Making ASM codes shouldn't be that hard, as such.

If it's REALLY a problem, you can always back up the EPC and use your own temporarily. The routine at the very beginning of the RDRAM is constant if you'd like to hook from it.

Here's the code I used to test writes to the TLB:

;TLB overwrite test
;Seems to work fine...
80000004            ;hook: the instruction at 80000004 becomes a jump to the routine below
J 80400040

;K1 is free
80400040
LUI K1, $8040 ;Stack gen, lol :D   (K1 = 80400000, scratch space for saving V0/V1)
SW V0, $0000 (K1)
SW V1, $0004 (K1)
LUI V0, $7F06
LUI V1, $E444
ADDIU V1, V1, $0FF0 ;V1 = opcode at V0 + $7CCC (E4440FF0 = SWC1 F4, $0FF0 (V0), see trivia below)
SW V1, $7CCC (V0)   ;the write into TLB-mapped memory: 7F067CCC
LW V0, $0000 (K1)   ;restore V0/V1 and return past the hook
J 8000000C
LW V1, $0004 (K1)   ;delay slot

Trivia: The opcode there is SWC1 F4, $0FF0 (V0); V0 is the pointer to the beginning of Bond's data as loaded from 8007A0B0, and the offset $0FF0 is the horizontal angle that bullets will be released from Bond's gun. All writes to the address are done by this opcode (auto aim math is part of the routine I guess).

Edit: Wrote a simple code to read from TLB in a game that doesn't use it, and it caused an exception, so PJ 64 definitely emulated it properly. Direct overwrites of the TLB ftlol?

PostPosted: Fri Nov 02, 2007 2:28 pm 
Komrade

Joined: Tue Mar 27, 2007 6:23 pm
Posts: 1354
Location: Mario Raceway, 1509.831, 217.198, -564.429
Title: Mario Kart 64 Hacker
Zeld wrote:
The routine at the very beginning of the RDRAM is constant if you'd like to hook from it.
Is this compatible with the Gameshark's code handler?

PostPosted: Sun Nov 04, 2007 10:19 am 
Kommunist

Joined: Mon Oct 02, 2006 7:47 am
Posts: 336
Location: Amish Redneck Country, PA
Title: Crazy Snake
No fuckin way! You actually got a TLB write to work, Zeld? Every time I tried that, the address was never mapped at the time the routine was trying to write it. Maybe PJ64 just handles TLB misses properly? Nemu will probably crash, but maybe I'll have a look.

PostPosted: Sun Nov 04, 2007 10:58 am 
Komrade

Joined: Tue Mar 27, 2007 10:18 am
Posts: 1328
HyperHacker wrote:
Zeld wrote:
The routine at the very beginning of the RDRAM is constant if you'd like to hook from it.
Is this compatible with the Gameshark's code handler?

I thought GS usually hooked from 80000180? I'm talking about hooking from 80000004. :P

Viper wrote:
No fuckin way! You actually got a TLB write to work, Zeld? Everytime I tried that, the address was never mapped at the time the routine was trying to write it. Maybe PJ64 just handles TLB misses properly? Nemu will probably crash, but maybe I'll have a look.

I myself am still skeptical that it will work on real hardware, but here's exactly what happened:

Using an interpreter core for both games I tested this on, one of which was GoldenEye and the other of which was a game that does not even use the TLB as far as I know (Mischief Makers), I wrote a code to write to the TLB of GE and another to read from the TLB for Mischief Makers.

GoldenEye played fine, and Mischief Makers threw an exception.

I still can imagine emulation deficiencies, but it really looks like writing to the TLB is fine.

If that won't work on real hardware, then like I said, temporary EPC. Store the regular EPC, set your own, execute the code, and then set it up so that your exception handler and the rest of your code both restore the status and EPC registers regardless of whether the write is successful or not. It takes a bit more programming, but if it works, that's all that matters, right?

At the very least, the ASM of GE is always loaded to the same area even if it isn't always active, so if the previous paragraph has some sense to it, hacking the TLB ASM won't be too painful. I imagine other games that use the TLB won't be as friendly, though.

Edit: Thought about it a bit more. I think there might be some cases where pushing Cause might be needed, too. Assuming there's ever a time that Cause is passed from one routine to another. I think it could be, as grotesque as that would be.

PostPosted: Sun Nov 04, 2007 12:03 pm 
Kommunist

Joined: Mon Oct 02, 2006 7:47 am
Posts: 336
Location: Amish Redneck Country, PA
Title: Crazy Snake
I dunno. Nemu crashes, and PJ64 didn't seem to work even with it set to interpreter. This has always been my problem with GE/TLB hacks. Self-modifying code just doesn't get updated like it fucking should. Were you trying this on 1.6 or one of the 1.7 betas? I'm attempting to write 7F064BC0 340B0098 for Rapid Fire.

I think the main problem with TLB writing (and the reason Nemu crashes) is that the addresses aren't always mapped to anywhere. They're only mapped at certain times. You can see that if you set a BPX on 80000004 in Nemu and keep hitting go while watching a TLB address in the memory editor. What's pissing me off is there doesn't seem to be a way to determine if a particular address is mapped. There should be SOMETHING in the COP0 regs that can tell us WTF is mapped, but I have yet to find it. EntryLo and EntryHi don't cut it, despite the fact they should have something to do with this.

PostPosted: Sun Nov 04, 2007 3:02 pm 
Komrade

Joined: Tue Mar 27, 2007 10:18 am
Posts: 1328
Well there's the TLB entries of PJ 64, but I don't know how those are accessed. If I did, I could view the regs of PJ 64 and determine the MIPS memory area that those entries are supposed to be at.

Anyhow, I was using PJ 64 1.6, and it worked fine. Would you prefer to try my alternative suggestion? Here's some incomplete source for testing that:

80000004
J 80400040          ;hook at the start of RDRAM, same as the test above

;K1 is free
80400040
LUI K1, $8040 ;Stack gen, lol :D
SW V0, $0000 (K1)
SW V1, $0004 (K1)
MFC0 V0, EPC        ;save the game's EPC at 80400008
SW V0, $0008 (K1)
LI V0, ExceptionHandle  ;pseudo instruction: LUI + ORI, two words
MTC0 V0, EPC        ;point EPC at our handler for the duration of the write
LUI V0, $7F06
LUI V1, $E444
ADDIU V1, V1, $0FF0
SW V1, $7CCC (V0)   ;the TLB-mapped write that may fault
ExceptionReturn:
LW V0, $0008 (K1)   ;restore the saved EPC, then V0/V1, and return past the hook
MTC0 V0, EPC
LW V0, $0000 (K1)
J 8000000C
LW V1, $0004 (K1)
ExceptionHandle:
MFC0 V0, Status     ;Status >>= 4, then back to the normal return path
SRL V0, V0, $4
MTC0 V0, Status
J ExceptionReturn
NOP

By the way, I think that source actually IS complete, but I wasn't able to get it to assemble properly in Renegade. I don't think Renegade has support for the pseudo instruction "LI". Pardon the inefficiency of the NOP at the end. I wasn't paying attention to making proper use of the delay slot.

For reference, if you needed to return to where you came from specifically for each part of the above routine, the EPC becomes PC+4 of the instruction that causes the exception.

In short, the only way I currently know of for determining whether a TLB offset is active or not is to just let it throw an exception and handle it yourself.

If this helps, here's two save state dumps of COP0 regs and TLB entries (note that the data is little endian formatted as PJ 64 directly dumps its data for savestates):

COP0 SS 1:
00000250 1f 00 00 00 0c 00 00 00 9f be 00 00 df be 00 00 .........¾..ß¾..
00000260 20 84 3f 00 00 00 00 00 02 00 00 00 00 00 00 00 .?.............
00000270 88 47 08 7f 51 be 13 25 00 40 08 7f 00 00 00 00 .G..Q¾.%.@......
00000280 01 ff 00 20 08 00 00 00 88 47 08 7f 00 00 00 00 .ÿ. .....G......
00000290 63 e4 06 00 00 00 00 00 00 00 00 00 00 00 00 00 cä..............
000002a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002c0 00 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 ........ÿÿÿÿ....

COP0 SS2:
00000250 1f 00 00 00 0a ed ff ff 1f e8 00 00 5f e8 00 00 .....íÿÿ.è.._è..
00000260 60 84 3f 00 00 00 00 00 02 00 00 00 00 00 00 00 `.?.............
00000270 14 c3 08 7f 39 31 ea 00 00 c0 08 7f 00 00 00 00 .Ã..91ê..À......
00000280 01 ff 00 20 08 00 00 00 14 c3 08 7f 00 00 00 00 .ÿ. .....Ã......
00000290 63 e4 06 00 00 00 00 00 00 00 00 00 00 00 00 00 cä..............
000002a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002c0 00 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 ........ÿÿÿÿ....

TLB SS1:
0000049c 01 00 00 00 00 00 00 00 00 00 00 c0 17 00 00 02 01 00 00 00 ...........À........
000004b0 01 00 00 00 00 e0 7f 00 00 00 00 70 1f 00 00 00 01 00 00 00 .....à.....p........
000004c4 01 00 00 00 00 00 00 00 00 a0 0c 7f 9f e7 00 00 df e7 00 00 ......... ...ç..ßç..
000004d8 01 00 00 00 00 00 00 00 00 c0 05 7f 9f e2 00 00 df e2 00 00 .........À...â..ßâ..
000004ec 01 00 00 00 00 00 00 00 00 c0 08 7f 9f e5 00 00 df e5 00 00 .........À...å..ßå..
00000500 01 00 00 00 00 00 00 00 00 00 08 7f 9f da 00 00 df da 00 00 .............Ú..ßÚ..
00000514 01 00 00 00 00 00 00 00 00 40 06 7f 1f d4 00 00 5f d4 00 00 .........@...Ô.._Ô..
00000528 01 00 00 00 00 00 00 00 00 40 03 7f 9f ce 00 00 df ce 00 00 .........@...Î..ßÎ..
0000053c 01 00 00 00 00 00 00 00 00 00 0b 7f 1f de 00 00 5f de 00 00 .............Þ.._Þ..
00000550 01 00 00 00 00 00 00 00 00 20 06 7f 9f c9 00 00 df c9 00 00 ......... ...É..ßÉ..
00000564 01 00 00 00 00 00 00 00 00 80 06 7f 9f d5 00 00 df d5 00 00 .............Õ..ßÕ..
00000578 01 00 00 00 00 00 00 00 00 a0 05 7f 1f dd 00 00 5f dd 00 00 ......... ...Ý.._Ý..
0000058c 01 00 00 00 00 00 00 00 00 c0 0b 7f 1f d9 00 00 5f d9 00 00 .........À...Ù.._Ù..
000005a0 01 00 00 00 00 00 00 00 00 e0 09 7f 9f ca 00 00 df ca 00 00 .........à...Ê..ßÊ..
000005b4 01 00 00 00 00 00 00 00 00 e0 07 7f 1f ea 00 00 5f ea 00 00 .........à...ê.._ê..
000005c8 01 00 00 00 00 00 00 00 00 e0 05 7f 9f dc 00 00 df dc 00 00 .........à...Ü..ßÜ..
000005dc 01 00 00 00 00 00 00 00 00 80 07 7f 9f c1 00 00 df c1 00 00 .............Á..ßÁ..
000005f0 01 00 00 00 00 00 00 00 00 40 08 7f 9f be 00 00 df be 00 00 .........@...¾..ß¾..
00000604 01 00 00 00 00 00 00 00 00 00 04 7f 9f e1 00 00 df e1 00 00 .............á..ßá..
00000618 01 00 00 00 00 00 00 00 00 20 0b 7f 9f d0 00 00 df d0 00 00 ......... ...Ð..ßÐ..
0000062c 01 00 00 00 00 00 00 00 00 60 07 7f 9f d8 00 00 df d8 00 00 .........`...Ø..ßØ..
00000640 01 00 00 00 00 00 00 00 00 c0 03 7f 9f c7 00 00 df c7 00 00 .........À...Ç..ßÇ..
00000654 01 00 00 00 00 00 00 00 00 80 08 7f 9f d7 00 00 df d7 00 00 .............×..ß×..
00000668 01 00 00 00 00 00 00 00 00 c0 07 7f 1f e2 00 00 5f e2 00 00 .........À...â.._â..
0000067c 01 00 00 00 00 00 00 00 00 e0 0b 7f 9f e8 00 00 df e8 00 00 .........à...è..ßè..
00000690 01 00 00 00 00 00 00 00 00 60 06 7f 1f e0 00 00 5f e0 00 00 .........`...à.._à..
000006a4 01 00 00 00 00 00 00 00 00 60 05 7f 1f d3 00 00 5f d3 00 00 .........`...Ó.._Ó..
000006b8 01 00 00 00 00 00 00 00 00 20 08 7f 9f db 00 00 df db 00 00 ......... ...Û..ßÛ..
000006cc 01 00 00 00 00 00 00 00 00 20 0c 7f 1f e7 00 00 5f e7 00 00 ......... ...ç.._ç..
000006e0 01 00 00 00 00 00 00 00 00 40 05 7f 9f d9 00 00 df d9 00 00 .........@...Ù..ßÙ..
000006f4 01 00 00 00 00 00 00 00 00 a0 09 7f 1f e1 00 00 5f e1 00 00 ......... ...á.._á..
00000708 01 00 00 00 00 00 00 00 00 e0 03 7f 1f c3 00 00 5f c3 00 00 .........à...Ã.._Ã..

TLB SS2:
0000049c 01 00 00 00 00 00 00 00 00 00 00 c0 17 00 00 02 01 00 00 00 ...........À........
000004b0 01 00 00 00 00 e0 7f 00 00 00 00 70 1f 00 00 00 01 00 00 00 .....à.....p........
000004c4 01 00 00 00 00 00 00 00 00 60 05 7f 1f c7 00 00 5f c7 00 00 .........`...Ç.._Ç..
000004d8 01 00 00 00 00 00 00 00 00 e0 02 7f 9f db 00 00 df db 00 00 .........à...Û..ßÛ..
000004ec 01 00 00 00 00 00 00 00 00 e0 01 7f 9f e1 00 00 df e1 00 00 .........à...á..ßá..
00000500 01 00 00 00 00 00 00 00 00 e0 04 7f 9f e8 00 00 df e8 00 00 .........à...è..ßè..
00000514 01 00 00 00 00 00 00 00 00 c0 05 7f 1f bf 00 00 5f bf 00 00 .........À...¿.._¿..
00000528 01 00 00 00 00 00 00 00 00 00 02 7f 9f cd 00 00 df cd 00 00 .............Í..ßÍ..
0000053c 01 00 00 00 00 00 00 00 00 40 03 7f 1f e3 00 00 5f e3 00 00 .........@...ã.._ã..
00000550 01 00 00 00 00 00 00 00 00 e0 0b 7f 1f e6 00 00 5f e6 00 00 .........à...æ.._æ..
00000564 01 00 00 00 00 00 00 00 00 00 03 7f 9f e3 00 00 df e3 00 00 .............ã..ßã..
00000578 01 00 00 00 00 00 00 00 00 e0 0a 7f 1f c6 00 00 5f c6 00 00 .........à...Æ.._Æ..
0000058c 01 00 00 00 00 00 00 00 00 c0 08 7f 1f e8 00 00 5f e8 00 00 .........À...è.._è..
000005a0 01 00 00 00 00 00 00 00 00 c0 07 7f 1f d7 00 00 5f d7 00 00 .........À...×.._×..
000005b4 01 00 00 00 00 00 00 00 00 a0 09 7f 1f c8 00 00 5f c8 00 00 ......... ...È.._È..
000005c8 01 00 00 00 00 00 00 00 00 c0 06 7f 1f cb 00 00 5f cb 00 00 .........À...Ë.._Ë..
000005dc 01 00 00 00 00 00 00 00 00 40 0b 7f 9f cf 00 00 df cf 00 00 .........@...Ï..ßÏ..
000005f0 01 00 00 00 00 00 00 00 00 20 05 7f 1f d1 00 00 5f d1 00 00 ......... ...Ñ.._Ñ..
00000604 01 00 00 00 00 00 00 00 00 60 02 7f 1f e9 00 00 5f e9 00 00 .........`...é.._é..
00000618 01 00 00 00 00 00 00 00 00 a0 03 7f 1f e4 00 00 5f e4 00 00 ......... ...ä.._ä..
0000062c 01 00 00 00 00 00 00 00 00 80 08 7f 9f df 00 00 df df 00 00 .............ß..ßß..
00000640 01 00 00 00 00 00 00 00 00 e0 03 7f 9f d6 00 00 df d6 00 00 .........à...Ö..ßÖ..
00000654 01 00 00 00 00 00 00 00 00 c0 03 7f 9f dd 00 00 df dd 00 00 .........À...Ý..ßÝ..
00000668 01 00 00 00 00 00 00 00 00 80 02 7f 9f c8 00 00 df c8 00 00 .............È..ßÈ..
0000067c 01 00 00 00 00 00 00 00 00 00 04 7f 1f ce 00 00 5f ce 00 00 .............Î.._Î..
00000690 01 00 00 00 00 00 00 00 00 80 05 7f 1f ca 00 00 5f ca 00 00 .............Ê.._Ê..
000006a4 01 00 00 00 00 00 00 00 00 20 02 7f 9f bf 00 00 df bf 00 00 ......... ...¿..ß¿..
000006b8 01 00 00 00 00 00 00 00 00 40 07 7f 1f d5 00 00 5f d5 00 00 .........@...Õ.._Õ..
000006cc 01 00 00 00 00 00 00 00 00 80 06 7f 9f d5 00 00 df d5 00 00 .............Õ..ßÕ..
000006e0 01 00 00 00 00 00 00 00 00 60 07 7f 1f c3 00 00 5f c3 00 00 .........`...Ã.._Ã..
000006f4 01 00 00 00 00 00 00 00 00 80 07 7f 1f c2 00 00 5f c2 00 00 .............Â.._Â..
00000708 01 00 00 00 00 00 00 00 00 00 05 7f 1f d8 00 00 5f d8 00 00 .............Ø.._Ø..

Sorry about length. If you like, I can remove this crap after you get what you want from it (if anything).

I didn't scroll up through the MIPS of the TLB area I disassembled far enough to see where its base may have been, so I'm not exactly sure which of those entries contains an address that potentially corresponds to the TLB area I was working with.

Edit: Nemu won't even RUN GE for me. What settings should I be using? O_o

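The PJ64 entries above can be decoded directly, which answers the "what is mapped right now" question from a savestate. The following is an added example, not code from the thread or from Project64: it assumes (this is not stated anywhere on the page) that PJ64 1.6 writes each TLB slot as five little-endian 32-bit words in the order EntryDefined, PageMask, EntryHi, EntryLo0, EntryLo1, which is what the 20-byte rows look like, and uses the R4300i layout of EntryHi (VPN2 in bits 13..31, naming an even/odd page pair), EntryLo (PFN in bits 6..29, V in bit 1) and PageMask (bits 13..24). Five rows copied from the TLB SS1 dump are embedded as sample input; the ASCII column is dropped because only the hex bytes are used.

```python
"""Decode Project64 1.6 savestate TLB rows and translate 7Fxxxxxx addresses.

Added example, not from the thread. ASSUMED layout of one dump row (20 bytes
after the file offset): EntryDefined, PageMask, EntryHi, EntryLo0, EntryLo1,
each a little-endian 32-bit word. R4300i bit layout: EntryHi bits 13..31 =
VPN2 (page pair); EntryLo bits 6..29 = PFN, bit 1 = V (valid); PageMask
bits 13..24 = page size (0 = 4 KiB, 0x007FE000 = 4 MiB).
"""
import struct
from typing import List, NamedTuple, Optional, Tuple

# Rows copied from the "TLB SS1" dump in the post above (ASCII column removed).
SAMPLE_DUMP = """
0000049c 01 00 00 00 00 00 00 00 00 00 00 c0 17 00 00 02 01 00 00 00
000004b0 01 00 00 00 00 e0 7f 00 00 00 00 70 1f 00 00 00 01 00 00 00
000004d8 01 00 00 00 00 00 00 00 00 c0 05 7f 9f e2 00 00 df e2 00 00
00000514 01 00 00 00 00 00 00 00 00 40 06 7f 1f d4 00 00 5f d4 00 00
00000690 01 00 00 00 00 00 00 00 00 60 06 7f 1f e0 00 00 5f e0 00 00
"""


class TlbEntry(NamedTuple):
    defined: bool
    page_mask: int
    entry_hi: int
    entry_lo0: int
    entry_lo1: int

    @property
    def page_size(self) -> int:
        return ((self.page_mask >> 13) + 1) * 0x1000

    @property
    def vbase(self) -> int:
        # VPN2 covers an even/odd page pair; strip the ASID and the pair offset.
        return self.entry_hi & ~(2 * self.page_size - 1)

    def translate(self, vaddr: int) -> Optional[int]:
        size = self.page_size
        if not self.defined or not (self.vbase <= vaddr < self.vbase + 2 * size):
            return None                      # this slot does not cover vaddr
        lo = self.entry_lo1 if vaddr & size else self.entry_lo0
        if not lo & 0b10:
            return None                      # slot matches but V=0: TLB invalid
        pfn_base = ((lo >> 6) << 12) & ~(size - 1)
        return pfn_base | (vaddr & (size - 1))


def parse_pj64_tlb_dump(text: str) -> List[TlbEntry]:
    """Each row: <file offset> then 20 bytes = one TLB slot."""
    entries = []
    for line in text.strip().splitlines():
        raw = bytes(int(tok, 16) for tok in line.split()[1:21])
        defined, mask, hi, lo0, lo1 = struct.unpack("<5I", raw)
        entries.append(TlbEntry(bool(defined), mask, hi, lo0, lo1))
    return entries


def lookup(entries: List[TlbEntry], vaddr: int) -> Optional[int]:
    """Physical address for vaddr, or None if no valid slot maps it (a TLB miss)."""
    for entry in entries:
        phys = entry.translate(vaddr)
        if phys is not None:
            return phys
    return None


def mapped_ranges(entries: List[TlbEntry]) -> List[Tuple[int, int, int]]:
    """(virtual start, virtual end, physical start) for every valid page."""
    out = []
    for entry in entries:
        size = entry.page_size
        for half, lo in ((0, entry.entry_lo0), (1, entry.entry_lo1)):
            if entry.defined and lo & 0b10:
                vstart = entry.vbase + half * size
                out.append((vstart, vstart + size - 1, ((lo >> 6) << 12) & ~(size - 1)))
    return sorted(out)


if __name__ == "__main__":
    tlb = parse_pj64_tlb_dump(SAMPLE_DUMP)
    for vstart, vend, pstart in mapped_ranges(tlb):
        print(f"{vstart:08X}-{vend:08X} -> {pstart:08X}")
    for target in (0x7F067CCC, 0x7F064BC0, 0x7F000000):
        phys = lookup(tlb, target)
        print(f"{target:08X}: " + ("not mapped (would raise a TLB exception)" if phys is None
                                   else f"phys {phys:08X} (KSEG0 {phys | 0x80000000:08X})"))
```

Under that layout, the five embedded rows say: 0x7F066000-0x7F067FFF is mapped (two 4 KiB pages), so the SWC1 opcode at 0x7F060000 + 0x7CCC that the test code writes sits at physical 0x00381CCC, i.e. 0x80381CCC through KSEG0; the Rapid Fire target 0x7F064BC0 resolves to 0x00350BC0; the row at 000004b0 is a 4 MiB page mapping 0x70000000 to physical 0, with its odd half (EntryLo1 = 1) present but invalid. Since the slot contents change between the two savestates, a given 7Fxxxxxx address is only mapped while a slot for its pair is loaded, which is what the "only mapped at certain times" observation above describes.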
PostPosted: Sun Nov 04, 2007 5:17 pm 
Komrade

Joined: Tue Mar 27, 2007 6:23 pm
Posts: 1354
Location: Mario Raceway, 1509.831, 217.198, -564.429
Title: Mario Kart 64 Hacker
Zeld wrote:
In short, the only way I currently know of for determining whether a TLB offset is active or not is to just let it throw an exception and handle it yourself.
It might be worth looking at how one goes about mapping a TLB offset. If nothing else, maybe there's a common routine the game uses to do it that you could hook to set a flag, or one that only ever runs when it's active. I've never worked with TLB before so this might not make any sense, but I would think determining the current mapping is similar to changing it.

PostPosted: Sun Nov 04, 2007 6:26 pm 
Kommunist

Joined: Mon Oct 02, 2006 7:47 am
Posts: 336
Location: Amish Redneck Country, PA
Title: Crazy Snake
Quote:
LI V0, ExceptionHandle


Uh, it'd be LI V0, $xxxxxxxx. Load Immediate. That works in Renegade.

Goldeneye on Nemu... I'm not sure if INIs have anything to do with it. Try using a Jabo/Rice plugin though. The graphics won't be pretty, but it'll run enough to hack most things. When the Dam loads for me, I can't see much besides my gun, but that's enough.

To do your own exception handler, you'd have to hook the game's internal one (80000180) to keep it from crashing on TLB misses. I was thinking of something simple, like hooking the handler, checking if K1 is 80400000, and ERET if it is. In theory, it should work because K1 is only that value while your custom routine is running. It gets changed right after returning to 8000000C.

Just a thought....

80000180
LUI K0, $8040
J 80400100
nop

80400100
BEQ K0,K1,TLBmiss
nop
J 700101A0; address the exception handler goes to normally
nop
TLBmiss:
ERET
nop


Another simple error return would be to check if ErrorPC is > 80400000, since it's a 4 meg game.

PostPosted: Mon Nov 05, 2007 9:40 pm 
Komrade

Joined: Tue Mar 27, 2007 10:18 am
Posts: 1328
Viper wrote:
Quote:
LI V0, ExceptionHandle


Uh, it'd be LI V0, $xxxxxxxx. Load Immediate. That works in Renegade.


I noticed that Renegade basically treats labels as values. Errors I've had in the past with Renegade indicated that "ExceptionHandle" would parse as "$xxxxxxxx", so I used ExceptionHandle's value as the immediate by typing the label in place of the immediate.

Upon disassembling the assembly, it looks like what's happening is your assembler treats LI as a single instruction when determining what address a label that is the target of a branch is at.

J 00400040
.ORG 00400040
LUI $k1,8040
SW $v0,0000($k1)
SW $v1,0004($k1)
MFC0 $v0,EPC
SW $v0,0008($k1)
LUI $v0,8040
ORI $v0,$v0,0080 ;As you can see here, the value is close, but it should actually be 0x0084.
.ORG 00400060 ;Not sure why this org is here. O_o
MTC0 $v0,EPC
;org 80400060; this is where it REALLY is
LUI $v0,7F06
LUI $v1,E444
ADDIU $v1,$v1,0FF0
SW $v1,7CCC($v0)
;org 80400070; the last jump is off by 4. It should have pointed to here. Why was it off? LI treated as one instruction, I'd guess
LW $v0,0008($k1)
MTC0 $v0,EPC
LW $v0,0000($k1)
J 0000000C
LW $v1,0004($k1)
;org 80400084; what ExceptionHandle should have pointed to. I guess I should have typed a NOP after the LI instruction and manually removed the NOP line from the resulting assembly?
MFC0 $v0,Status
SRL $v0,$v0,4
MTC0 $v0,Status
J 0040006C
NOP

As for the rest of your post, interesting stuff.

I'm curious if the above will work after it is mended, though.

81000004 0810
81000006 0010
81400040 3C1B
81400042 8040
81400044 AF62
81400046 0000
81400048 AF63
8140004A 0004
8140004C 4002
8140004E 7000
81400050 AF62
81400052 0008
81400054 3C02
81400056 8040
81400058 3442
8140005A 0084
81400060 4082
81400062 7000
81400064 3C02
81400066 7F06
81400068 3C03
8140006A E444
8140006C 2463
8140006E 0FF0
81400070 AC43
81400072 7CCC
81400074 8F62
81400076 0008
81400078 4082
8140007A 7000
8140007C 8F62
8140007E 0000
81400080 0800
81400082 0003
81400084 8F63
81400086 0004
81400088 4002
8140008A 6000
8140008C 0002
8140008E 1102
81400090 4082
81400092 6000
81400094 0810
81400096 001C
81400098 2400

See if that still crashes? Anyhow, that use of LI works, but it confuses Renegade's PC. Update plox? Being able to load PC values immediately would be pretty useful (for me at least; seems like I'm always grafting new data tables into games I hack). It's already "supported", why not fix the bug and let it work?

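The off-by-4 described in the post above, as an added example that is not part of the original post or of Renegade's code: a minimal first pass of a two-pass MIPS assembler that assigns label addresses, counting LI either correctly (a 32-bit label immediate is LUI + ORI, 8 bytes) or as one instruction, plus the second-pass encoding of the resolved LI into the LUI/ORI words that appear in the code list. The listing is a simplified copy of the one above with hypothetical labels Restore and ExceptionHandle; the stray .ORG 00400060 is left out so the LI size is the only moving part.

```python
# Added example (not Renegade's code, nor any poster's). Listing is a
# simplified copy of the one in the post; "Restore" and "ExceptionHandle"
# are hypothetical label names. Operands are hex, as in the post.
LISTING = "\n".join([
    ".ORG 80400040", "LUI $k1,8040", "SW $v0,0000($k1)", "SW $v1,0004($k1)",
    "MFC0 $v0,EPC", "SW $v0,0008($k1)", "LI $v0,ExceptionHandle",
    "MTC0 $v0,EPC", "LUI $v0,7F06", "LUI $v1,E444", "ADDIU $v1,$v1,0FF0",
    "SW $v1,7CCC($v0)", "Restore:", "LW $v0,0008($k1)", "MTC0 $v0,EPC",
    "LW $v0,0000($k1)", "J 0000000C", "LW $v1,0004($k1)", "ExceptionHandle:",
    "MFC0 $v0,Status", "SRL $v0,$v0,4", "MTC0 $v0,Status", "J Restore", "NOP",
])

def li_size(operand, expand_li):
    """Bytes that LI occupies. A label is a full 32-bit address and always
    needs LUI + ORI; a literal that fits in 16 bits needs one instruction."""
    if not expand_li:
        return 4                      # the buggy count: LI is always one word
    try:
        imm = int(operand, 16)
    except ValueError:
        return 8                      # label -> 32-bit address -> LUI + ORI
    return 4 if imm <= 0xFFFF or imm & 0xFFFF == 0 else 8

def label_addresses(listing, expand_li=True):
    """First pass: map each label to the address of the instruction after it."""
    pc, labels = 0, {}
    for raw in listing.splitlines():
        line = raw.split(";")[0].strip()      # ';' starts a comment
        if not line:
            continue
        if line.endswith(":"):
            labels[line[:-1]] = pc
            continue
        mnem, _, ops = line.partition(" ")
        if mnem.upper() == ".ORG":
            pc = int(ops, 16)
        elif mnem.upper() == "LI":
            pc += li_size(ops.split(",")[1], expand_li)
        else:
            pc += 4                   # every real MIPS instruction is 4 bytes
    return labels

REGS = {"$v0": 2, "$v1": 3, "$k0": 26, "$k1": 27}

def encode_li(reg, imm):
    """Second pass: LI reg, imm32 -> (LUI reg, hi16), (ORI reg, reg, lo16)."""
    rt = REGS[reg]
    lui = (0x0F << 26) | (rt << 16) | (imm >> 16)
    ori = (0x0D << 26) | (rt << 21) | (rt << 16) | (imm & 0xFFFF)
    return lui, ori
```

With LI counted correctly the labels land at 80400070 and 80400084, and `encode_li("$v0", 0x80400084)` yields 3C028040 / 34420084, the two words at 81400054/81400058 in the code list; counting LI as one word gives 8040006C and 80400080, the values the post says Renegade produced.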
PostPosted: Tue Nov 06, 2007 7:56 am 
Kommunist

Joined: Mon Oct 02, 2006 7:47 am
Posts: 336
Location: Amish Redneck Country, PA
Title: Crazy Snake
The problem with the increment was caused when I added the ability to write to emulator. It started calling a function twice and that's where it checked to see if it needed to do the extra increment. I knew it worked at one time. Ah well. That's all I could handle messing with for now. That VB6 code is confusing as shit after not looking at it for so long.

Renegade v1.68b

PostPosted: Fri Jan 11, 2008 4:52 pm 
Krew (Admin)

Joined: Sun Oct 01, 2006 9:26 pm
Posts: 3765
Title: All in a day's work.
Writing directly to the TLB has always worked. I suggested to IceMario that he attempt to add a new code type to N64 GS to support writing to any memory address, but of course it never happened. Hell, I still have the doc I wrote for him explaining how the TLB works and how to translate between physical and virtual memory addresses. In fact, it's probably been added to EnHacklopedia, but I'll still post it here for shits and giggles.


Attachments:
TLB Stuffs.zip [2.45 KiB]
Downloaded 184 times

_________________
I have to return some video tapes.

Feed me a stray cat.
PostPosted: Fri Jan 11, 2008 7:58 pm 
Kommunist

Joined: Mon Oct 02, 2006 7:47 am
Posts: 336
Location: Amish Redneck Country, PA
Title: Crazy Snake
Parasyte wrote:
Writing directly to the TLB has always worked. I suggested to IceMario that he attempt to add a new code type to N64 GS to support writing to any memory address, but of course it never happened. Hell, I still have the doc I wrote for him explaining how the TLB works and how to translate between physical and virtual memory addresses. In fact, it's probably been added to EnHacklopedia, but I'll still post it here for shits and giggles.


You've shown that shit plenty of times. It doesn't mean much to most of us. We've been messing with this for years, man. I think it's time you show us the right way to do it on Goldeneye, since no one else has ever figured out how to make it work. This fucking game only has the routines mapped while they're executing or some shit, so it's bloody difficult to hook somewhere and actually write the address without causing a goddamn exception.

p.s. Why don't you do something real slick with it, like fix the moon jump so you don't have to fall off shit?

PostPosted: Fri Jan 11, 2008 8:15 pm 
Krew (Admin)

Joined: Sun Oct 01, 2006 9:26 pm
Posts: 3765
Title: All in a day's work.
Yeah, I was never able to do that, but I guess since I do have GSCC2k2 and GoldenEye, it would not be impossible to find. To be honest, though, it might be even more fun porting Kwurdi to N64 for just such a problem.

PostPosted: Tue Feb 12, 2008 11:19 pm 
Kommunist

Joined: Tue Oct 10, 2006 8:49 pm
Posts: 78
Location: California
On a different track, I've found out a few things:

1) The beta version of 40 Winks (E) for the N64 (it was only released for the PSX) has hit the 'Net. Search Google for "Past to Present 40 Winks" for the download link. It needs codes...

2) ...and it needs to run in Nemu. Apparently, it thinks it's running on a foreign console. My attempts at bypassing the "THIS GAME WAS NOT DESIGNED FOR USE ON THIS SYSTEM" screen have met with failure.

3) After spending many hours hacking Turok 3's cheat system, I've concluded that the "mystery cheats" are Rare-style red herrings. There are roughly 50 cheat combinations that the game checks for, but it claims to recognize only about a dozen and a half of them ("recognition" depends on a certain byte's value). Using Tile Molester, I didn't see any unfamiliar cheat tiles, nor did I see any space for extra tiles to be loaded. Unless I'm seriously off-track, I think we can put this one to rest.

4) Also on the subject of Turok 3, the debug menu's fate looks worse each time I crack open Nemu. I'm not willing to write this one off yet, though.

To get 40 Winks' beta running well in PJ64, open Project64.rdb and paste the following:
Code:
[ABA51D09-C668BAD9-C:58]
Internal Name=40 WINKS
Good Name=40 Winks (E)
RDRAM Size=8
Counter Factor=2
Save Type=First Save Type
CPU Type=Interpreter
Self-modifying code Method=Check Memory Advance
Reg Cache=Yes
Use TLB=Yes
Delay SI=Yes
Audio Signal=Yes
SP Hack=No
Use Large Buffer=No
Linking=On
Status=Interpreter only
Core Note=
Plugin Note=[video] errors:menus

(Config by Clements)

_________________
I'm a procrastinator, but I'll worry about that problem later...

PostPosted: Wed Feb 13, 2008 7:59 am 
Kommunist

Joined: Mon Oct 02, 2006 7:47 am
Posts: 336
Location: Amish Redneck Country, PA
Title: Crazy Snake
Icy Guy wrote:
2) ...and it needs to run in Nemu. Apparently, it thinks it's running on a foreign console. My attempts at bypassing the "THIS GAME WAS NOT DESIGNED FOR USE ON THIS SYSTEM" screen have met with failure.


Same here. Fuckin dumbass region blocks.
