Post by ShadyRounds on Oct 16, 2017 19:48:53 GMT -5
Open the limitations within your mind as I expand your reality with new discoveries of the Megaman Legends plumbing and wiring.
Morality
-Starts as 128 (Hexbyte 80).
-Using CheatEngine in ePSXe1.9.25, I scanned it to be address B4D210 (ePSXe1.9.25 does NOT change address between restarting the game or emulator, while other emulators will. Matter of fact, it's realistically going to be B4D210 on your own computer's ePSXe+CE)
-Using a dump of native psx memory in a different emulator (psx1.13 or no$psx), I searched the same hex value (and the other values in the neighborhood around the value), to be located at address 0C1B70. This is native memory, where it should be located in a savestate or ramdump or active memory (no$psx can read and modify active memory and addresses in its own debugger).
-Not as simple to find it in Rom. It isn't loaded at that location to ram from rom, it's loaded from another location. I found it by using a break in the debugger (in psx1.13, you set a break at address "0x000C1B70" for size of "0x00000001" and execute set to "memory->write" and count of "2". It's normal for psx1.13 to crash after breaking, but you can still read the break and debugger) (in no$psx you set a break of "[8000C1B70]!!" which is no$ language for any-write, and make sure to run the emulator again after the break for the second break that fills it). ULTIMATELY, the value is moved to ram-c1b70, from ram-0664BC. When you copy the 12-byte row on 0664BC, and paste it in HxD's search on the legends.img, you find it at 0C6684. If you're curious, this is inside a file on the disc called "RockNeo.exe" at address 056CBC.
I might make a video on that Rom part, because that's apparently something nobody's come forth and said they've handled in Legends modding yet. I had to invent my own method, cobbled together from lots of various programs and trial-and-error and research and learning friggin MIPS r3000. Turns out I learned all that because I was pioneering the method and how-to, but it doesn't really require all that to stumble into it, it just wasn't obvious either.
So, the end-result is, Morality:
CE-ePSXe1925: B4D210
Native-PSXMem: 0C1B70
Legends.img Loc: 0C6684
Well, you can now change the game, and start as Dark Megaman, or even "on the brink" so less grinding achieves the result from Apple Market. That's rather mundane, isn't it?
Well, what about the various NPC values, specifically the ITEMS that CHESTS give you??? What's the method for changing Chest-rewards in Rom?
So Trege has done research into Archiving Memory Addresses with Ram and Gameshark that manipulates NPCs among other things. 90% of the work done for me, I just need the jumping point from Ram to Rom so I can play the game with changes already made (as well as document how chests decide to spit out items or zenny).
NPC-Scripts (Chest-Reward Edition):
-These are the ram-values of the block games load ActiveNPCs to, by location of their script at least.
-Their entire block starts ~10 bytes before, but idrc.
-The block size is 3C0, so +3C0 past 1 npc script you'll find the next npc script.
-From CE-ePSXe1925 to NativePSXRam, the distance memory location difference is always precisely the same: [CEePSXe]-A8B6A0=[PSXNative]
-CE-ePSXe1925, LoadedArea-NPC1Script: B2A7B4 ; LoadedArea-NPC2Script: B2AB74 ; repeat for 16 NPCs (probably max npcs an area can load)
-PSX-NativeRam, LoadedArea-NPC1Script: 09F114 ; LoadedArea-NPC2Script: 9F4D4 ; wash rinse repeat
The above describes the script location, but what about how the script affects the game? Well, testing "OceanTower"s "PowerRaiser" and "560Zenny" chest, I found the following:
-PowerRaiser Chest, in ST00_02 (OceanTower Area2, energy barriers right before boss), is NPC#1 and thus has script located at ram address 09F114, with hex values [40 02 0D] (3-bytes)
-560Zenny Chest, in ST00_02 (OceanTower Area2, energy barriers right before boss), is NPC#2 and thus has script located at ram address 09F4D4, with hex values [41 80 38]
So, here's the pain in the arse. I change PowerRaiser script to [40 02 28], and it's still PowerRaiser. I change it to [40 54 0D], still PowerRaiser. I change it to [62 02 0D], still PowerRaiser. Welp, this changes nothing.
HOLD ON 1 MOMENT. So I change them all to [02 02 02], and NOW it changes to "SniperRange". What??? So I change it to [8E 00 8E] and it changes to "You got Library"? Well, this happens to line up with a textblock in the RockNeo.exe inside legends.img (it's not direct-text, it's secret-military-coded text, I use Transhextion loaded with a ThingyTable to read it. Ambyra created a text-romhack for Legends apparently over a decade ago, along with a thingy-table, and I'm sorry I was still in high school chasing women and the idea of a military career around this time else I'd have gotten aboard LegendsStation memory-hacks years ago. Ambyra's TextPatch for Legends: www.romhacking.net/hacks/40/ )
The TextBlock has entries back to back, each entry ending in a hex-byte 91. Well, 00 is BlasterUnitΩ, 01 is SniperUnitΩ, 02 is Laser, 03 is SniperRange. This continues, all the way down the block, 00-1F being BusterParts, 20-3F being KeyItems (including an unused "Key-Item-E" at 3E, and "You got !" as 3F), 40-7F being NormalItems (including "Junk-Item-3" & 4 & 5... at 7D & 7E & 7F). Beyond this point includes "empty", "Normal Arm", and "Megaman Buster", and other special weapons (unlike buster parts, shop items, key items... putting special weapons and entire cities in chests do NOT give you the item in case you're wondering).
So now the 560ZennyChest. When set to [41 79 38], it's empty. When set to [41 81 38], it's "3120 Zenny". Set to [41 82 38], it's "5680 Zenny". Going back and trying 3rd byte, when set to [41 80 37], it's "550 Zenny". Set to [41 80 36], it's "540 Zenny". Then it became obvious, so setting [41 80 00], says "You found 0 Zenny", interesting. That byte increases ZennyChest by intervals of 10, so [01] is 10Zenny, [0F] is 150Zenny, [10] is 160Zenny, [7F] is 1270Zenny, [80] is 1280Zenny, [FF] is 2550Zenny. How do you get bigger values? Well, that 2nd-byte is "chest is empty" when below [80], and at [80] it has a value of 0, and for every +1 above [80] it adds a hexthousands to the zenny (2560Zenny, but plus what the 3rd byte adds). SO, [41 81 00] is 2560Zenny, [41 84 28] is 10640Zenny (use MSCalculator, set to Programming, and set to "Hex", and enter "0428", and switch to "Dec" to find it's "1064", or "10640Zenny").
I do NOT know why, but apparently:
-[xx xx xx] is the global-script. If a chest keeps this value the same, it doesn't matter what else changes, it remembers what it's supposed to be, but if this is changed it can have an existential crisis and listen to [xx xx xx] instead (which in case of PowerRaiser is in fact [0D]) IMPORTANT EDIT: A more perfect detailed hacking method for this has been added below, to the third update to this thread.
-[xx xx xx] is ambiguous, but if it's [79] or under, it's NOT a zenny chest, and if it's [80] or higher, it IS a zenny chest, with every +1 over [80] being +2560 zenny
-[xx xx xx] is zenny-amount when 2nd-byte is >[80], and is item-number when 2nd-byte is <[80].
The item-list in numerical order: 00 Blaster Unit Ω, 01 Sniper Unit Ω, 02 Laser, 03 Sniper Range, 04 Turbo Battery, 05 Power Raiser Ω, 06 Range Booster Ω, 07 Turbo Charger Ω, 08 Blast Unit, 09 Sniper Unit, 0A Power Raiser ⧜, 0B Range Booster ⧜, 0C Turbo Charger ⧜, 0D Power Raiser, 0E Range Booster, 0F Turbo Charger, 10 Buster Max, 11 Power Stream, 12 Blaster Unit R, 13 Buster Unit Ω, 14 Omni-Unit Ω, 15 Auto Battery, 16 Sniper Scope, 17 Rapid Striker, 18 Gatling Gun, 19 Omni-Unit, 1A Power Blaster R, 1B Power Blaster L, 1C Machine Gun, 1D Triple Access, 1E Buster Unit, 1F Rapid Fire, 20 Helmet, 21 Jump Springs, 22 Jet Skates, 23 Life Gauge, 24 Energy Canteen, 25 Extra Pack, 26 Adapter Plug, 27 Refractor, 28 Refractor, 29 Refractor, 2A Citizen's Card, 2B Class A License, 2C Class B License, 2D Bonne Key, 2E Starter Key, 2F Starter Key, 30 Starter Key, 31 Starter Key, 32 Starter Key, 33 Starter Key, 34 ID Card, 35 ID Card, 36 ID Card, 37 'Watcher' Key, 38 'Sleeper' Key, 39 'Dreamer' Key, 3A Flak Jacket, 3B Kevlar Jacket, 3C Kevlar Jacket Ω, 3D Walkie-Talkie, 3E KEY-ITEM E, 40 Shield Repair, 41 Hyper Cartridge, 42 Chameleon Net, 43 Defense Shield, 44 Flower, 45 Bag, 46 Trunk, 47 Pick, 48 Saw, 49 Lipstick, 4A Music Box, 4B Old Bone, 4C Old Heater, 4D Old Doll, 4E Antique Bell, 4F Giant Horn, 50 Shiny Object, 51 Old Shield, 52 Shiny Red Stone, 53 Stag Beetle, 54 Beetle, 55 Comic Book, 56 Ring, 57 EMPTY, 58 Mine Parts Kit, 59 Cannon Kit, 5A Grenade Kit, 5B Blumebear Part, RandomGibberish, 5C Mystic Orb, 5D Marlwolf Shell, 5E Broken Motor, 5F Broken Propeller, 60 Broken Cleaner, 61 Bomb Schematic, 62 Blunted Drill, 63 Guidance Unit, 64 Zetsabre, 65 Pen Light, 66 Old Launcher, 67 Ancient Book, 68 Arm Supporter, 69 X Buster, 6A Weapon Plans, 6B Prism Crystal, 6C Spring Set, 6D Safety Helmet, 6E Rollerboard, 6F Old Hoverjets, 70 Joint Plug, 71 Broken Circuits, 72 Main Core Shard, 73 Sun-light, 74 Rapidfire Barrel, 75 Plastique, 76 Bomb, 77 Gatling Part, 78 Flower Pearl, 79 Autofire Barrel, 7A Generator Part, 7B Target Sensor, 7C Tele-lens, 7D JUNK-ITEM 3, 7E JUNK-ITEM 4, 7F JUNK-ITEM 5
I used the same method with morality, to find the Rom-location that writes to an area's npc#'s first load (when you enter an area's door and it fades-to-black). Set break-address to 09F114 (for NPC#1 like PowerRaiser chest), and let it break once, run, then break a second time (or set count to 2 in PSX1.13), then it mentions the address near register-16 (r16), which contains another ram address (offset by -0C I believe), which thankfully the 12-byte row at that address translates directly to Rom, at the address 4CBCE8 in rom for PowerRaiser. NPC Scripts are stored close together, and within the individual-file ST00_02.bin. Each area's scripts are probably stored in their own bin.
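Added example, not part of ShadyRounds' post: the address arithmetic, the 3-byte chest rule and the 12-byte row search described above, written out in Python. Function names and the sample buffer are constructed here; the item/zenny split is the post's own tentative rule, and second-byte values above the ones the post tested are an assumption.

```python
# Constants are the figures reported in the post.
CE_TO_NATIVE = 0xA8B6A0   # [CEePSXe] - A8B6A0 = [PSXNative]
NPC1_SCRIPT = 0x09F114    # native RAM address of NPC#1's script
NPC_STRIDE = 0x3C0        # distance between consecutive NPC scripts
MAX_NPCS = 16             # the post's guess at the per-area limit
PSX_RAM_SIZE = 0x200000   # PSX main RAM is 2 MiB


def ce_to_native(ce_addr):
    """Translate a CheatEngine/ePSXe 1.9.25 address to native PSX RAM."""
    native = ce_addr - CE_TO_NATIVE
    if not 0 <= native < PSX_RAM_SIZE:
        raise ValueError(f"{ce_addr:#x} does not map into PSX RAM")
    return native


def npc_script_addr(slot):
    """Native RAM address of the script for NPC slot 1..16."""
    if not 1 <= slot <= MAX_NPCS:
        raise ValueError("NPC slot must be 1..16")
    return NPC1_SCRIPT + (slot - 1) * NPC_STRIDE


def decode_chest(script):
    """Decode a 3-byte chest script with the post's rule.
    The first byte is ignored: the post could not pin down its role."""
    if len(script) != 3:
        raise ValueError("chest script is 3 bytes")
    _, b2, b3 = script
    if b2 >= 0x80:  # zenny chest: 15-bit count in units of 10 zenny
        return ("zenny", (((b2 - 0x80) << 8) | b3) * 10)
    return ("item", b3)  # index into the post's item list


def encode_zenny(amount):
    """Return the 2nd and 3rd script bytes for a zenny amount."""
    units, rem = divmod(amount, 10)
    if rem or not 0 <= units <= 0x7FFF:
        raise ValueError("amount must be a multiple of 10 in 0..327670")
    return bytes([0x80 + (units >> 8), units & 0xFF])


def find_row(image, row):
    """Every offset of a RAM row in a disc image; more than one hit
    means the row is not a unique signature and needs more context."""
    hits, pos = [], image.find(row)
    while pos != -1:
        hits.append(pos)
        pos = image.find(row, pos + 1)
    return hits


# Constructed sample: a 12-byte row copied from "RAM", planted once in a
# fake image, followed by a truncated copy that must not match.
ROW = bytes.fromhex("40020d00a1b2c3d4e5f60718")
IMAGE = bytes(0x40) + ROW + bytes(0x20) + ROW[:6]

if __name__ == "__main__":
    print(hex(ce_to_native(0xB4D210)), hex(npc_script_addr(2)))
    print(decode_chest(bytes.fromhex("418428")), encode_zenny(10640).hex())
    print([hex(h) for h in find_row(IMAGE, ROW)])
```
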