hacking on the Tim Burton's The Nightmare Before Christmas GBA game.
-
So @silentium pointed me at an old walkthrough on the wayback machine, so I'm continuing.
I got the next weapon, and it's so crap that I've reached Ghidra O'Clock just to see if I can make this gun better
-
Foone🏳️⚧️ replied to Foone🏳️⚧️
my theory: figure out where enemy health is in ram, set a watch on it, find out what code changes it, then use ghidra to understand that code, then patch the gun to do way more damage
-
My final problem with this generator could be solved by just shutting up and beating the game manually, but unfortunately, my brain thinks reverse engineering GBA games is more fun than playing them
-
so I'm gonna reverse engineer it more so I don't have to play it as much
-
arg. the addresses in the BizHawk ram watch system are segmented, and the addresses in the debugger are not!
-
it's like 16-bit DOS all over again!
-
so I gotta figure out which domain I'm in and then look up the memory map to figure out what the linear address is
-
fortunately this is trivial if you're using any segment other than the "combined WRAM" pseudo-segment, which does terrible merging of RAM segments to make cheats easier.
-
unfortunately that's exactly what I'm doing.
-
okay the enemy health is in IWRAM, at offset 5850h.
And according to GBATEK, the memory address for IWRAM is...nonexistent! there's no such thing as IWRAM!
-
at least according to GBATEK.
SEE, the GBA has two main rams: on-chip and on-board.
-
but what you call these two are... inconsistent.
-
BizHawk uses IWRAM and EWRAM, as does corrupt.wiki.
GBATEK says "WRAM - On-chip Work RAM" and "WRAM - On-board Work RAM".
mGBA internally calls them "iwram" and "wram".
-
so whatever. iwram aka WRAM - On-chip Work RAM is at 0x03000000.
so 0x03005850 is the address I need to watch.
-
080B5AEA writes it. BINGO
-
wee, dynamic code flow! they're passing jumps around in objects. that's no fun
-
Graham Sutherland / Polynomial replied to Foone🏳️⚧️
@foone you just reminded me of the time I tried to reverse engineer Steinberg Wavelab to extract realtime playback data from it, only to discover that they use a really weird event driven programming system where every event causes pretty much every object involved in that event to be reallocated at a new address, making it impossible to form a static pointer chain. if this was an intentional act of copy protection I am impressed.
-
Foone🏳️⚧️ replied to Graham Sutherland / Polynomial
@gsuberland yikes! that doesn't sound... fast? optimal? it sounds like a bad idea just on general principles
-
@foone I mean wavelab itself is a bad idea, I cannot count how many times I used to have it eat people's projects in the radio studios
@gsuberland
-
Foone🏳️⚧️ replied to Foone🏳️⚧️
EWRAM:62F is the current weapon. You can set it to values of weapons you don't have, and it'll let you fire them
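
An added example, not part of the thread: a Python version of the domain-offset-to-linear-address conversion worked out above, covering IWRAM:5850h, EWRAM:62F and the 080B5AEA code address. The EWRAM and ROM bases, the region sizes and the mirror windows come from the GBATEK memory map rather than from the thread, the `ROM` domain name is an assumption, and the "combined WRAM" pseudo-segment is left out because its layout is not given here.

```python
# GBA bus regions per the GBATEK memory map. Domain names follow the
# IWRAM/EWRAM naming used in the thread; "ROM" as a domain name is an assumption.
REGIONS = {
    # name: (base, size, end of the address window the region occupies)
    "EWRAM": (0x02000000, 0x40000, 0x03000000),    # on-board work RAM, 256 KiB
    "IWRAM": (0x03000000, 0x8000, 0x04000000),     # on-chip work RAM, 32 KiB
    "ROM":   (0x08000000, 0x2000000, 0x0A000000),  # cartridge ROM, wait state 0
}

def to_linear(domain, offset):
    """Domain-relative offset (RAM watch style) -> linear bus address (debugger style)."""
    try:
        base, size, _ = REGIONS[domain.upper()]
    except KeyError:
        raise ValueError(f"unknown memory domain {domain!r}") from None
    if not 0 <= offset < size:
        raise ValueError(f"offset {offset:#x} is outside {domain} (size {size:#x})")
    return base + offset

def to_domain(address):
    """Linear bus address -> (domain, offset), folding RAM mirrors onto the real RAM."""
    for name, (base, size, window_end) in REGIONS.items():
        if base <= address < window_end:
            return name, (address - base) % size
    raise ValueError(f"{address:#010x} is not in a mapped work RAM or ROM region")

def parse_watch(text):
    """Parse 'IWRAM:5850' or 'IWRAM:5850h' (hex offset) into a linear address."""
    domain, _, offset = text.partition(":")
    return to_linear(domain.strip(), int(offset.strip().rstrip("hH"), 16))

if __name__ == "__main__":
    for watch in ("IWRAM:5850h", "EWRAM:62F"):
        print(f"{watch:12} -> {parse_watch(watch):#010x}")
    # 0x0300D850 is a mirror of 0x03005850: on-chip RAM repeats every 0x8000 bytes
    for addr in (0x03005850, 0x0300D850, 0x080B5AEA):
        name, off = to_domain(addr)
        print(f"{addr:#010x}   -> {name}:{off:X}")
```

The reverse direction matters when a debugger breakpoint reports a mirrored address: folding it back gives the same domain offset the RAM watch shows.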