Help Thread: ASM & Disassembly

NewDenverCity · Sep 8, 2015

GoGoJJTech said:
It would not. What that'd do is load the dword at r0's location into r1. That's what the [] is for.

So I'd want ldr r1, r0?

C me · Sep 8, 2015

Still stuck on the fly thing. In these times I wish I was hacking FireRed :( .

If no one knows the routine location, I guess I'll make a script with multichoiceboxes and warps.

Joexv · Sep 8, 2015

C me said:
Still stuck on the fly thing. In these times I wish I was hacking FireRed :( .

If no one knows the routine location, I guess I'll make a script with multichoiceboxes and warps.

Go to the fly asm offset in Fire Red and copy the bytes there(dont copy any offsets) and then search for thise bytes in emerald, this is a method Touched Senpai taught me. This should give you the offset that calls the fly routine.

C me · Sep 8, 2015

joexv said:
Go to the fly asm offset in Fire Red and copy the bytes there(dont copy any offsets) and then search for thise bytes in emerald, this is a method Touched Senpai taught me. This should give you the offset that calls the fly routine.

The routine is at 0x0C4EF8+1. I tried searching for it without the offsets but the when I tested the routines they did nothing (there was one that turned the player upside down, you can walk around but surfing, battling and warping crashes the game). I literally spent about 3 hours doing that. But nothing.

azurile13 · Sep 8, 2015

C me said:
The routine is at 0x0C4EF8+1. I tried searching for it without the offsets but the when I tested the routines they did nothing (there was one that turned the player upside down, you can walk around but surfing, battling and warping crashes the game). I literally spent about 3 hours doing that. But nothing.

Yeah, that won't work so well with pc relative instructions. Here's what you copied:

Code:

	push {lr}
	bl + 0x2EE
	mov r0, #0x2
	bl - 0x5024
	pop {r0}
	bx r0

That mov was the only notable non-address related thing that happened with what you copied. If you couldn't find the table, did you try with breakpoints? I would think that the things you knew should have worked.

NewDenverCity said:
So I'd want ldr r1, r0?

mov r1, r0

Blah · Sep 8, 2015

C me said:
The routine is at 0x0C4EF8+1. I tried searching for it without the offsets but the when I tested the routines they did nothing (there was one that turned the player upside down, you can walk around but surfing, battling and warping crashes the game). I literally spent about 3 hours doing that. But nothing.

Uhmm. Just find the HMs names table first. Then find the routines table from there, then find fly's routine, then somewhere there a task should be run for the map.

In fire red's case, a single register acted as a switch between the normal map and the intractable fly map. I don't recall all the details, but this is how I'd look for it.

C me · Sep 9, 2015

FBI agent said:
Uhmm. Just find the HMs names table first. Then find the routines table from there, then find fly's routine, then somewhere there a task should be run for the map.

In fire red's case, a single register acted as a switch between the normal map and the intractable fly map. I don't recall all the details, but this is how I'd look for it.

I can't find a HM name's table, only the move names table. What else can I use to add a break? And more importantly how?

Blah · Sep 9, 2015

C me said:
I can't find a HM name's table, only the move names table. What else can I use to add a break? And more importantly how?

It's rather simple. If you know where the move name's table is, reverse hex pointers to the move names in the table which are HMs (they need to be in order). Then look for it in a hex editor

C me · Sep 10, 2015

FBI agent said:
It's rather simple. If you know where the move name's table is, reverse hex pointers to the move names in the table which are HMs (they need to be in order). Then look for it in a hex editor

I don't know why I thought the strings would be in a table...

The fly string pointer is at 0x615CC8, what do I do with this number?

Blah · Sep 10, 2015

C me said:
I don't know why I thought the strings would be in a table...

The fly string pointer is at 0x615CC8, what do I do with this number?

https://bulbapedia.bulbagarden.net/wiki/HM#Hoenn

Order the HMs in the order of how the badges let you use them. I.e First Badge is Rock Smash -> then cut.

Then find the string pointers to these Moves in the order of badge usability. Then look for the small table you created in a hex editor.

C me · Sep 10, 2015

FBI agent said:
https://bulbapedia.bulbagarden.net/wiki/HM#Hoenn

Order the HMs in the order of how the badges let you use them. I.e First Badge is Rock Smash -> then cut.

Then find the string pointers to these Moves in the order of badge usability. Then look for the small table you created in a hex editor.

That is the table, it starts at 0x615CA0. Each entry is separated by 71 54 1B 08 until 0x615D0F.

Blah · Sep 10, 2015

C me said:
That is the table, it starts at 0x615CA0. Each entry is separated by 71 54 1B 08 until 0x615D0F.

opeen debugger-> bpr 08615D0F 20 -> analyze routine when it breaks -> profit

Touched · Sep 10, 2015

FBI agent said:
opeen debugger-> bpw 08615D0F 20 -> analyze routine when it breaks -> profit

Break point on write for the ROM?

Blah · Sep 10, 2015

Touched said:
Break point on write for the ROM?

bpr*

He knows what I meant, hopefully :c

C me · Sep 10, 2015

FBI agent said:
bpr*

He knows what I meant, hopefully :c

I've only heard of bpr so I would have used it anyway :p

I've made the break twice and the attached images show you what I got the first and second time. I just used fly from one city to another.

Spoiler:

Blah · Sep 10, 2015

C me said:
I've only heard of bpr so I would have used it anyway :p

I've made the break twice and the attached images show you what I got the first and second time. I just used fly from one city to another.

Spoiler:

Now you open this in IDA or a disassembler like VBA's and go to this address. Then you analyze and put a break point at the start of the function or after, depending on how things seem to look. I don't have an Emerald ROM, or Emerald IDB, so I can't help further. Take a look at my ASM tutorial on backtracking if you're having further troubles.

From what I see it might be getting ready to call an string copy function or it may already be in one.

robinjea · Sep 18, 2015

Okaaay, so I've got a few questions about FBI's Routines (Hahaha. Sorry! :P)

First the Battle Frontier Routines.

Spoiler:

And next the HP Modifications per step routines.

Spoiler:

Routines by others:

JPAN's Number Box Input.

Spoiler:

Changing Fire Red intro rival sprites/names and texts depending on players gender

Spoiler:

Complex Number Picker by DavidJCobb

Spoiler:

That's all! Thank you! Sorry for the long post!

Blah · Sep 18, 2015

BlackWhiteRobin said:
Okaaay, so I've got a few questions about FBI's Routines (Hahaha. Sorry! :P)

First the Battle Frontier Routines.

Spoiler:

The Opponent Party Generation
Why does this happen? (Some of the trainer's Pokemon are already fainted even though I haven't even touched them yet.)

The Opponent Trainer Sprite Generation
Photo taken right after the battle in the first photo. The trainer sprite reverted to the original sprite the Trainer Class uses.

The Opponent Name Generation
Lastly, this one. I haven't implemented this yet because I didn't understand the table part. Up to how many names can a single sprite entry get?

And yes, I know FBI suggested a different approach (which is also not clear to me on how the name of the trainer would be randomized through trainerflags lol not really sure if I understood him) to go around the last routine, but I want to try this one.

And next the HP Modifications per step routines.

Spoiler:

HP Regeneration per Step
HP Removal per Step
(Well, since the removal routine was based on the regeneration routine, the problem I have is just probably the same.)
Okay, so the problem with these two routines is whenever I have a very healthy party, there's ain't a problem (no increase or decrease in HP) but whenever I have a party Pokemon that is not so healthy (1HP or more damage), the very next step I take, the game freezes. Am I the only one? And if so, what's wrong? O.O

Routines by others:

JPAN's Number Box Input.

Spoiler:

The Number Box Input
Okay, so I tested this with a very simple script.

Code:

#dynamic 0x800000 #org @start lock faceplayer msgbox @text callasm 0x(Number Box Routine + 1) release end #org @text = Hey. Wanna see some maths?

It works correctly and all in the first approach (le me approaches man and lets me choose le number up to 9 digits (000,000,000)) then if I entered 000,004,000 and approach the man again, he only lets me enter up to 4 digits (0,000) and if I enter 0,020 and approach him again, he only lets me enter up to 2 digits (00) and so on and on... Why iz dat? ._. Oh, and where is the value stored?

Changing Fire Red intro rival sprites/names and texts depending on players gender

Spoiler:

Changing Fire Red intro rival sprites/names and texts depending on players gender
Okaaay. Not really sure how to implement this because I think directions aren't clear enough (or maybe I'm just dumb :P). Oh did diegoisawesome ever post his version of the routine? If he did, mind linking me?

Complex Number Picker by DavidJCobb

Spoiler:

Complex Number Picker
This one had my patience then it died. ._. The number picker appears for a moment then suddenly disappears.

Oh on and a side note: Which one's is better to use, JPAN's Number Box Input or DavidJCobb's Complex Number Picker?

That's all! Thank you! Sorry for the long post!

Hey! For the frontier routine, it's a case which happens when the number is Pokemon on the newly generated team is less than the number of Pokemon you previously battled. To fix this, Callasm to 0x803DA35 right before every battle, OR edit the routine to call it. I recommend editing the routine if you know how.

For the table, it's just a table of 0xFF terminated strings side by side. Each name is 13 bytes. You specify how many names per sprite you want by changing Tsize here.

Code:

Tsize:
	.word 0x32

For the rival gender switching routine, you compile the first routine and paste the bytes to overwrite the bytes at 0x131248.
Then the second longer routine you compile and put at 0x790000.

For JPAN's routine, I'm too lazy to download his .zip and look, sorry :D

Looking at Davidjcobb's number picker, JPAN's has got to be better. Half his number picking is done from the script, which is slow. So figure that out and use it. If you want, you can pastebin his source code and link it here, then I can review it for you :)

NewDenverCity · Sep 18, 2015

Code:

.thumb
start:
 push {r0-r7, lr}
 ldr r0, =(0x20370D0) @x800D, holds the berry number
 ldrh r1, [r0] @r1 now holds the number held in x800D
 ldr r0, =(0x3005541) @may change later because I don't know if this is free
 add r0, r0, r1 @gets the address of the table
 mov r2, r0
 mov r1, r0
 add r2, #0x3
 add r1, #0x2 @r0 is the year pointer, r1 is the month, and r2 is the day
 ldrh r0, r3
 ldrb r1, r4
 ldrb r2, r5
 ldr r6, =(0x300553C)
 ldrh r7, [r6]
 cmp r3, r7
 blo x800D_1
 ldr r6, =(0x300553F)
 ldrb r7, [r6]
 blo x800D_1
 ldr r6, =(0x3005540)
 ldrb r7, [r6]
 blo x800D_1
 ldr r0, =(0x20370D0)
 mov r1, #0x0
 strh r0, [r1] 
 pop {r0-r7}
x800D_1:
 ldr r6, =(0x300553C)
 ldrh r7, [r6]
 strh r7, [r0]
 ldr r6, =(0x300553C)
 ldrb r7, [r6]
 strb r7, [r1]
 ldr r6, =(0x300553C)
 ldrb r7, [r6]
 strb r7, [r2]
 ldr r0, =(0x20370D0)
 mov r1, #0x1
 strh r0, [r1]
 pop {r0-r7, pc}

When I try to assemble this(it's a code of my own design), I get an error from the assembler. It tells me that lines 13, 14, and 15 are messed up. The exact error I get is 'invalid offset, value too big (0xFFFFFFFC)', which doesn't make any sense to me.

robinjea · Sep 18, 2015

FBI said:
Hey! For the frontier routine, it's a case which happens when the number is Pokemon on the newly generated team is less than the number of Pokemon you previously battled. To fix this, Callasm to 0x803DA35 right before every battle, OR edit the routine to call it. I recommend editing the routine if you know how.

For the table, it's just a table of 0xFF terminated strings side by side. Each name is 13 bytes. You specify how many names per sprite you want by changing Tsize here.

Code:

Tsize: .word 0x32

For the rival gender switching routine, you compile the first routine and paste the bytes to overwrite the bytes at 0x131248.
Then the second longer routine you compile and put at 0x790000.

For JPAN's routine, I'm too lazy to download his .zip and look, sorry :D

Looking at Davidjcobb's number picker, JPAN's has got to be better. Half his number picking is done from the script, which is slow. So figure that out and use it. If you want, you can pastebin his source code and link it here, then I can review it for you :)

Oh my gosh. FBI actually responded to my question. I'm at awe. O.O Thank you for the first parts! ^U^

As for the last part of your reply, I'd guess it was JPAN's source code you wanted me to pastebin right? Well, here it is. https://pastebin.com/dxpEFdWb

EDIT: Oh. I forgot to ask. In the Frontier Opponent Party Generation Routine, how do I make it so that it generates constant number of Pokemon (let's say, I want it to generate 3 Pokemon the whole time), should I remove the "genAmount" section? And if so, what would I replace it with?

P.S. The Pokemon can't be generated with random level each right? (Or did I guess wrong?)

Help Thread: ASM & Disassembly

More options

NewDenverCity

C me

Creator of Pokemon League Of Legends

Joexv

ManMadeOfGouda joexv.github.io

C me

Creator of Pokemon League Of Legends

azurile13

Blah

Free supporter

C me

Creator of Pokemon League Of Legends

Blah

Free supporter

C me

Creator of Pokemon League Of Legends

Blah

Free supporter

C me

Creator of Pokemon League Of Legends

Blah

Free supporter

Touched

Resident ASMAGICIAN

Blah

Free supporter

C me

Creator of Pokemon League Of Legends

Blah

Free supporter

robinjea

Blah

Free supporter

NewDenverCity

robinjea