Decryption [FR]
Just for fun, I found the routine that generates the next "Security Key" in FR (U).
The Security Key (as named by Bulbapedia) is the 32-bit integer that is used to encrypt the quantity of items in the bag and money, and possibly other things, in the RAM, using a simple xor. The security key can be found by getting the pointer at 0x0300500C, and adding 0x0F20 to it. It will be at the resultant pointer.
The final step in its generation is calculated at 0x0804C13C, where it is placed on r4. It will be recalculated every time the map changes, or you exit the bag (and possibly other times too). However, what I was actually interested in was a sort of auto-decryption.
By making the following change:
The Security Key will always be zero. Since xoring with zero is a no-op, the game's attempt to encrypt those values will do nothing. They'll just sit in memory, unencrypted.
Now, I realize this isn't a particularly useful find, but it might help people identify values when debugging.
Edit: Oh, and credit to DavidJCobb (or whoever he got it from), as I found the location of the pointer to the Security Key from his Fire Red RAM Map.
DMA Negation [FR]
I'm calling this "negation", rather than "disabling" because the game still continues to load and store the DMA-protected data, it's just that the next pointer will always be the same, so it stays in the same place.
Existing routines will continue to work, as the pointers to the DMA-protected data are still being written correctly, it's just that, since nothing moves, following them is unnecessary - you can just read from the DMA-protected data's new static locations.
The following table of offsets is copied from DavidJCobb's Fire Red RAM Map, only with their new static locations:
To use this, all you need to do is:
Any old saves will have their data moved to its new static location as soon as the DMA routine is loaded, which happens quite often - at least each time a map loads. Any new saves will default to these locations and never deviate. After verifying that the given static locations are possible on a clean ROM, this essentially guarantees that disabling the DMA in this way will not cause problems.
Again, this is for Fire Red (U).
Misc
The amount of money the player has is stored at [0x3005008] + 0x290. It's encrypted by the security key.
A copy is stored at 0x02000490, but changing it doesn't affect anything. I'm not certain if it's always at 0x02000490, or if that was a consequence of my DMA Negation, as I didn't bother to check.