Guideline about debugger

If you are having problems finding or using cheats for an Emulator (particularly MAME/MESS) or have found a trick that you wish to share this is the place to do it. But please read the Cheat FAQ first.
zakria
Posts: 293
Joined: Thu May 18, 2006 4:20 pm
Been thanked: 4 times

Guideline about debugger

Post by zakria »

I find some stage select RAM cheats with the debugger in ROM cheats. This way I successfully find wp ram cheat, 1,w but when I tried to find a select next stage ROM cheat in Battle Circuit (batcir) I did not succeed. FF5934 is the stage RAM cheat. After the first boss died, I start wp FF5934, 1,w and set on only this watch point. Check please http://imgur.com/VLeEG4Z
This cheat did not work, then I start wp FF5934, 1,r and set on these 9 watch points after the first boss dies. Check please http://imgur.com/a/f6Tjy
I check these watch points but I never select next stage or select second stage ROM cheat. Please guide me, senior ROM hackers, with the debugger how I can find a select next stage ROM cheat in batcir?
zakria
Posts: 293
Joined: Thu May 18, 2006 4:20 pm
Been thanked: 4 times

Re: Guideline about debugger

Post by zakria »

Pugsy, in the old cheat engine the Select current level and Select next level cheat masks are different, 301 and 303 writes, but in the XML version both cheats are the same and work for select current level, not for next level. I want to make a select next level ROM cheat. The ROM cheat for select next level is BA588 or BA58C but their values are new for me. I only need guidance on how to write them. 522D D934 and 426D D93A, how do I write them for a working select next level ROM cheat in Battle Circuit (batcir)?
Pugsy
Posts: 3638
Joined: Fri Aug 17, 2001 12:59 am
Location: North Wales, UK.
Has thanked: 1 time
Been thanked: 12 times

Re: Guideline about debugger

Post by Pugsy »

All that is a bit confusing....
I think the question is

how do I change
ba588 addq.b #1, ($26cc,a5)
to something like
ba588 move.b #1, ($26cc,a5)


The simple answer is that you can't: addq.b uses four bytes and move.b uses 6 bytes, but there is a way to do it.

Find a blank place in memory.
Copy the code from the subroutine at ba588 to this blank memory: either copy it all or copy some of it and use a jmp/bra to run the rest of it.
Install a JMP or BRA at ba588 to jump to this routine that you copied into blank memory.
Pugsy

Servicing your cheating needs since 1985 8)

Grab the latest cheat collection:
MAME 0.259 XML cheat collection (6 OCTOBER 2023) from http://www.mamecheat.co.uk or direct from:-
https://mega.nz/file/q4dHGZ6K#i-EUiqIjH ... KMz7hnbTfw (ZIP Archive 3.76MB)
zakria
Posts: 293
Joined: Thu May 18, 2006 4:20 pm
Been thanked: 4 times

Re: Guideline about debugger

Post by zakria »

Thanks Pugsy, I will try.
Abystus
Posts: 521
Joined: Sun Jul 23, 2006 6:53 am
Has thanked: 3 times
Been thanked: 22 times

Re: Guideline about debugger

Post by Abystus »

I've written a little tutorial to further expand on what Pugsy said above. I hope this makes things a bit clearer for you, Zakria. There are several ways to do this, but they all follow the same format (hook to custom routine, do what you need to do, replicate original instruction(s), return to hook location). This method is primarily used when you need more space for your modifications than what is given at the location you need to modify.

The Problem:

We need to write a value to an address in RAM, but the instruction (6 bytes): move.b #$?, (-$26CC,a5) is longer than the existing instruction (4 bytes): addq.b #1, ($26cc,a5). Since there is no space for our new modification, we'll have to create space elsewhere.

The Plan of Action:
  1. Find an address to hook in the area of the instruction we want to modify (at least six bytes in length to hook with a JSR).
  2. Find an empty area in ROM (memory editor) to create a custom routine. This routine will be used to execute our own instructions, and also execute the original bytes we replace with our hook (call to the custom routine).
The Instruction We Need to Counteract:

Code:

0BA588  addq.b #1, ($26cc,a5) [ 522D D934 ]
The Hook Location:

Luckily there are no instructions below 0BA588 that modify the stage address, so we are able to hook at any point between there and the end of the routine (rts). I chose the instruction at address 0BA598 as it has exactly the number of bytes necessary for the hook. The hooking part will vary per game based on what instructions are in the area you need to hook into.

Code:

0BA598  move.w #$c, (-$27E4,a5) [ 3B7C 000C D81C ]
The Custom Routine Location:

Open the memory editor (choose maincpu), and scroll until you see several 0000s or FFFFs in a row. I chose address 1DFF00 as it had more than enough room.

The Cheat Structure:

Code:

0BA598:
  4EB9 001D FF00  <-- jsr 1DFF00              | Call custom routine. This is usually called a "hook" as we are hooking into an existing routine to call custom code. 

1DFF00:
  1B7C ???? D934  <-- move.b #$?, (-$26CC,a5) | Write new stage value. 
  3B7C 000C D81C  <-- move.w #$c, (-$27E4,a5) | Replicate original instruction from hook location. 
  4E75            <-- rts                     | Return to hook location. 
The Final Cheat:

batcir.xml

Code:

  <cheat desc="Select Next Stage">
    <comment>Enable before end of stage. Will not work on stage 8.</comment>
    <parameter>
      <item value="0x0000">Stage 1</item>
      <item value="0x0001">Stage 2</item>
      <item value="0x0002">Stage 3</item>
      <item value="0x0003">Stage 4</item>
      <item value="0x0004">Stage 5</item>
      <item value="0x0005">Stage 6</item>
      <item value="0x0006">Stage 7</item>
      <item value="0x0007">Stage 8</item>
    </parameter>
  
    <script state="run">
      <!-- Call to Routine 1 -->
      <action>maincpu.ow@0BA598=4EB9</action>
      <action>maincpu.ow@0BA59A=001D</action>
      <action>maincpu.ow@0BA59C=FF00</action>
  
      <!-- Routine 1 - Write New Stage Value And Restore Hooked Instruction. -->   
      <action>maincpu.ow@1DFF00=1B7C</action>
      <action>maincpu.ow@1DFF02=param</action>
      <action>maincpu.ow@1DFF04=D934</action>
      <action>maincpu.ow@1DFF06=3B7C</action>
      <action>maincpu.ow@1DFF08=000C</action>
      <action>maincpu.ow@1DFF0A=D81C</action>
      <action>maincpu.ow@1DFF0C=4E75</action>
    </script>
    
    <script state="off">
      <action>maincpu.ow@0BA598=3B7C</action>
      <action>maincpu.ow@0BA59A=000C</action>
      <action>maincpu.ow@0BA59C=D81C</action>
    </script>
  </cheat>
Bored? Watch some of my hacks here.
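The hook-and-trampoline pattern Abystus walks through above (jsr to spare ROM, do the new work, replay the displaced instruction, rts) is worth having as a small checkable tool, because the two ways it silently goes wrong are a hook site whose byte count does not match the 6-byte jsr, and a custom routine that lands on top of the hook itself. The following Python is an added example written for this thread, not code from the post or from MAME. It encodes the three 68000 instruction forms the tutorial uses, refuses mismatched or overlapping patches, and emits the `maincpu.ow@ADDR=WORD` actions in the same form as the batcir.xml above. The addresses and opcodes are the ones quoted in the thread; the helper and function names are my own, and the `param` word is replaced by a fixed stage value so the output can be checked offline.

```python
"""68000 hook-and-trampoline patch builder (added example for the thread above).

Encodes jsr (xxx).l, move.{b,w,l} #imm,(d16,An) and rts, verifies the hook
site size and routine placement, and produces MAME cheat actions of the form
maincpu.ow@ADDR=WORD for the "run" and "off" scripts.
"""
from __future__ import annotations

SIZE_BITS = {1: 0b01, 2: 0b11, 4: 0b10}  # MOVE size field (bits 13-12): .b .w .l


def enc_jsr_abs_l(target: int) -> bytes:
    """jsr (xxx).l : opcode 4EB9 followed by a 32-bit absolute address (6 bytes)."""
    return b"\x4e\xb9" + target.to_bytes(4, "big")


def enc_move_imm_to_d16_an(size: int, imm: int, disp: int, an: int) -> bytes:
    """move.{b,w,l} #imm,(d16,An).

    Opcode bits: 00 ss RRR 101 111 100 -> size, destination register An,
    destination mode (d16,An), source mode/register = immediate.
    A byte immediate still occupies a whole extension word (value in the low
    byte).  The displacement is a signed 16-bit word, so -$26CC encodes as $D934.
    """
    if not 0 <= imm < (1 << (8 * size)):
        raise ValueError(f"immediate {imm:#x} does not fit in {size} byte(s)")
    if not -0x8000 <= disp <= 0x7FFF:
        raise ValueError("displacement does not fit in 16 bits")
    opcode = (SIZE_BITS[size] << 12) | (an << 9) | (0b101 << 6) | (0b111 << 3) | 0b100
    imm_bytes = imm.to_bytes(4 if size == 4 else 2, "big")
    return opcode.to_bytes(2, "big") + imm_bytes + (disp & 0xFFFF).to_bytes(2, "big")


def enc_rts() -> bytes:
    return b"\x4e\x75"


def to_words(base: int, code: bytes) -> list[tuple[int, int]]:
    """Split code into (address, 16-bit word) pairs for maincpu.ow@ writes."""
    if base % 2 or len(code) % 2:
        raise ValueError("68000 code must be word-aligned")
    return [(base + i, int.from_bytes(code[i:i + 2], "big")) for i in range(0, len(code), 2)]


def build_hook_patch(hook_addr: int, hook_orig: bytes, routine_addr: int, new_code: bytes):
    """Return (run_words, off_words).

    run: jsr routine_addr written over the hook site, and the routine laid out
         as new_code + the displaced original instruction + rts.
    off: the original bytes restored at the hook site.
    The jsr must be exactly the size of what it displaces (the original bytes
    are replayed inside the routine, so nothing may be half-overwritten), and
    the routine must not overlap the hook site.
    """
    jsr = enc_jsr_abs_l(routine_addr)
    if len(hook_orig) != len(jsr):
        raise ValueError(f"hook site is {len(hook_orig)} bytes; jsr needs {len(jsr)}")
    routine = new_code + hook_orig + enc_rts()
    hook_span = range(hook_addr, hook_addr + len(jsr))
    routine_span = range(routine_addr, routine_addr + len(routine))
    if set(hook_span) & set(routine_span):
        raise ValueError("custom routine overlaps the hook site")
    run = to_words(hook_addr, jsr) + to_words(routine_addr, routine)
    off = to_words(hook_addr, hook_orig)
    return run, off


def xml_actions(words: list[tuple[int, int]], region: str = "maincpu") -> list[str]:
    return [f"<action>{region}.ow@{addr:06X}={word:04X}</action>" for addr, word in words]


# The batcir case from the thread (values quoted in the post above).
HOOK_ADDR = 0x0BA598
HOOK_ORIG = enc_move_imm_to_d16_an(2, 0xC, -0x27E4, 5)  # 3B7C 000C D81C
ROUTINE_ADDR = 0x1DFF00


def batcir_patch(stage_value: int):
    """'Select Next Stage' with a fixed stage value (the post writes `param` at 1DFF02)."""
    new_code = enc_move_imm_to_d16_an(1, stage_value, -0x26CC, 5)  # 1B7C 00xx D934
    return build_hook_patch(HOOK_ADDR, HOOK_ORIG, ROUTINE_ADDR, new_code)


if __name__ == "__main__":
    run, off = batcir_patch(0x03)
    print("\n".join(xml_actions(run)))
    print("--- off ---")
    print("\n".join(xml_actions(off)))
```

Running it prints the same ten "run" actions and three "off" actions as the batcir.xml in the post, with 0003 where the post has `param`. Handing it the 4-byte addq.b at 0BA588 instead of the 6-byte move.w raises immediately, which is exactly the reason the post hooks at 0BA598 rather than at the instruction it wants to replace.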
zakria
Posts: 293
Joined: Thu May 18, 2006 4:20 pm
Been thanked: 4 times

Re: Guideline about debugger

Post by zakria »

Abystus, thanks a lot for these great cheats. The cheat is working very well. I really appreciate your work.
Pugsy, I want to ask you: is it possible to reload the time over lost pose as a clean ROM cheat in Art of Fighting (aof)? I find a cheat with this: start a 2 player game and turn ON this time over lost pose and then off, and then finish this round; now the cheat is active. You can check the character makes the time over lost pose.

<cheat desc="time over lost pose">
<comment>Cheat ON then off cheat (after active finish stage this round now cheat)</comment>
<script state="run">
<action>maincpu.pb@108421=09</action>
<action>maincpu.pb@109EAE=EF</action>
<action>maincpu.pb@109EAF=20</action>
</script>
</cheat>
Normal time over (finish this round now) does not make any animation pose. I tried but did not get any good clean ROM cheat for reload time over lost. What does your hacking experience say, is there any solution with the debugger, is it possible to make a good clean ROM cheat with the debugger for the time over lost pose in Art of Fighting? If you don't mind, please explain it to me in detail?