GoldenEye 007 Nintendo 64 Community, GoldenEye X, Nintendo 64 Games Discussion

[acceptable67]

I use the program often to open executables and fool around with how they work and the assembly inside them, but never had luck with Nintendo64 ROM files for the longest time. Perfect Dark and the like are always shown packed and in-editable, but what about games that lack equal compression?

Today I opened 'Army Men - Sarge's Heroes' to see if I could have any luck in messing around with, at the very least, menus. Upon doing a String Search, it was very apparent this ROM had much uncompressed text and assembly data.

I clicked on 'No Controller Pak Found' as it is a familiar string (here is a picture for reference of where it shows up), and it took me to the assembly reference in the appropriate window. http://gyazo.com/4bf40a3589ae6ae0a51df41e78d7011e

I clicked on 'la $a1, aNoControllerPa' and it gave me the ROM offset of the uncompressed assembly at 000182B0. At this address are the hexidecimal numbers of '3C 05 80 09 24 A5 68 F4'. I then clicked on 'la $a1, aYouWillNotBeAb' and it gave me the ROM offset of 000182D8'. At this address were the hexidecimal numbers of '3C 05 80 09 24 A5 69 60' -- it was very apparent the last 2 digits were the text pointer. Popped open the hex editor, switched the last two digits in the first line from '68 F4' to '69 60', saved, updated the ROM CRC, opened the ROM and voila...

http://gyazo.com/fe7544a8375d36afbe773ef6dfcffa34

I suppose the possibilities of this program are endless.

Just another tale of my amateur hacking adventures...
_________________

Rare wrote:

Perfect Dark Forever.

[Rey]

Bro, if Army Men Sarges Heroes had an editor. I would jump on that so fast. There are quite a bit of 64 games I wish had an editor like GE and Perfect Dark.
_________________
www.youtube.com/gamerrey23

[mistamontiel]

Army Men SA1 has been for Windows .. best bet nab image perhaps
_________________

[SubDrag]

PD has compressed assembly, so that's probably why only the main beginning was like that. You'll have much better luck disassembling RAM though (and some games like GE/PD use TLB, so start address is 7F000000 and not tied directly to RAM addresses straight). Most games are normal RAM, as 80000000 though.

I made my own disassembler since IDA wouldn't let the MIPS part go for purchase to non-corporations. It's not as powerful, but it should work well for N64.

http://goldeneyevault.com/viewfile.php?id=219

[acceptable67]

Ah yes, I remember your disassembler (as well as you trying to assist me in trying to hack the Enemy Rockets 'Rocket Launcher'! I still need assistance on that...) If I recall the dumping range for the RAM is 80000000 to 81000000? I'll fool around with it a bit.
_________________

Rare wrote:

Perfect Dark Forever.

[zoinkity]

TLB isn't a fixed range, and it doesn't start at 7*. It's a virtual address. When they set up TLB entries you set the address some block of memory will appear at. Some games use 1*******, for instance.

Both Sarge's Heroes and the sequel use arithmetic encoding for their files. Extraction is supported by Midwaydec, and even if you aren't interested in using the program filelists are provided for the known versions of the game as well as decompression code. Usually these filelists also include some notes about game-specific file formats or wrappers.
Arithmetic encoding is an old one, and I believe their implementation was the original. Should have source for a compatible compressor someplace, but will probably forget to get by the time I get home ;*)


There are several features built into Nemu that used to be standalone tools. Among them is a feature to map standard library functions (provided you have samples of the libraries) in the current game. Somebody really should write a manual on its advanced usage.

Unless you get familiar with compressed files and how to map out ROM you're really better off using a combination of ROM + RDRAM hacking. One of the easier ways to tell if compression is used and what type it is would be to set a write breakpoint on A460000C, press "step" so the size is set and the interrupt is tripped, then set a read breakpoint on the first few words of data at the rdram address given. It will be pretty obvious from the way that data is treated if the thing is decompressing it someplace, and reading through that code is how you figure out the decompression routine.
_________________
(\_/) Beware
(O.o) ze
(> <) Hoppentruppen!

[acceptable67]

Very informative write-up Zoink, thanks. 'Midwaydec' also seems like a very good program to poke at files for games other than the ones listed in the Rare Decompressor. I'm definitely not thinking about getting serious with Army Sarges but perhaps someone with even more technical knowledge than myself could eventually come across this and perhaps put something together, may it be an editor or further documentation. Maybe one day I will know enough to find file tables and their respective data offsets on my own. I've read your open source C TWINE decompressor files and it admittedly just makes me ponder, that maybe one day I could be doing the same thing? Technically I am for JFG, but Sub did the majority of the documentation....
_________________

Rare wrote:

Perfect Dark Forever.

Last edited by acceptable67 on Fri Aug 08, 2014 8:39 am; edited 1 time in total

[zoinkity]

Sub and I collaborated with his decompressor and sound extractor, and Midwaydec was a terrible little tool built on the side for testing decompression algorithms before he ported them to C. (It is terrible too--been trying to rewrite it in proper Python for a while now) It obviously does a lot more than Midway titles now.

Oh dear, trying to start with that TWINE code is murder. I really can't program well (barely at all), that probably wasn't a good implementation anyway, and Eurocom has one of the more complicated and rigid file structures out there.
_________________
(\_/) Beware
(O.o) ze
(> <) Hoppentruppen!

[MRKane]

Small side note: I always found C# had better IO and "readability" than python...but that's just me
_________________
No Mr. Bond, I expect you to be re-coded!