Hacking the ST rom

A step closer to random stages.

It’s not much so far since the character select timer doesn’t move in my training mode hack.

Address 39A6 
jsr $ccc10.l

Address CCC10 
move.w($61d2,A5), D0
andi.w #$f, D0
move.w d0 ($c4e,A5)
add.w d0,d0
rts

Address 39A6 (rom 3)
4EB9 000CCC10

Address CCC10 (4CC10 rom 4 )
302D 61D2
0240 000F
3B40 0C4E
D040
4E75

Edit:
I found a place to add the code in the roms.

Now with the code added in full with the character select timer enabled.

edit 2
GGPO test and jsr change 2
Look at that Battle Number

http://i.imgur.com/PP1VITU.png

Nothing to do with stages,but I seen this branch when trying to edit ryu’s jab dp.

A5 = FF8000

077FE2: bsr     $78132 
078132: lea     ($44e,A5), A6		;Setting player Player 1
078136: bsr     $7813e			;Branch so it A6 doesn't become player 2's address yet
	07813E: move.l  ($6,A6), D0		;Loading the actual X Position
	078142: sub.l   ($1cc,A6), D0	;Subtracting old position with new
	078146: move.l  D0, ($1c4,A6)	;Supposed X Movement
	07814A: move.l  ($a,A6), D0		;Loading the actual Y position
	07814E: sub.l   ($1d0,A6), D0	;Subtracting old position with new
	078152: move.l  D0, ($1c8,A6)	;Supposed Y Movement
	078156: rts						;Return

07813A: lea     ($84e,A5), A6		;Setting player Player 2
07813E: move.l  ($6,A6), D0			;Loading the actual X Position
078142: sub.l   ($1cc,A6), D0		;Subtracting old position with new
078146: move.l  D0, ($1c4,A6)		;Supposed X Movement
07814A: move.l  ($a,A6), D0			;Loading the actual Y position
07814E: sub.l   ($1d0,A6), D0		;Subtracting old position with new
078152: move.l  D0, ($1c8,A6)		;Supposed Y Movement
078156: rts							;Return

The thing is there is nothing reading those movement values which what this branch is making. So in normal play this branch useless and just a left over of a debug display.

The reason I note this is that it’s a nice place to hook into since this isn’t really used.

Edit:
Added the all of it.

Also looking into it more this branch does have it’s use does have a use in normal play sorta. Only when players push boxes are touching each other does it get read but it’s not used to calculate which one moves either. Removing the above to not write a value seems to do nothing.

0BF6E2: bpl     $bf6e8
0BF6E8: move.l  ($612,A5), D2 ;Reading P1 "X Speed" and putting it on D2
0BF6EC: lsr.l   #8, D2
0BF6EE: tst.w   D2
0BF6F0: bpl     $bf6f4 ;Yes, there is a neg.w command after this branch if value negative.
0BF6F4: move.l  ($a12,A5), D3 ;Reading P2 "X Speed" and putting it on D3
0BF6F8: lsr.l   #8, D3
0BF6FA: tst.w   D3
0BF6FC: bpl     $bf700 ;Same as above
0BF700: cmp.w   D2, D3
0BF702: beq     $bf75a ;Branch past the rts if D2 and D3 are equal
0BF704: bcs     $bf730
0BF730: sub.w   D6, ($454,A5) ;Where did D6 get written? Why is it needed? What the fuck?
0BF734: sub.w   D0, ($454,A5)
0BF738: add.w   D6, ($854,A5) ;Where did D6 get written? Why is it needed? What the fuck?
0BF73C: move.b  #$1, ($5ae,A5)
0BF742: move.b  #$0, ($9ae,A5)
0BF748: tst.b   D6
0BF74A: bmi     $bf72e
0BF74C: move.b  #$0, ($5ae,A5)
0BF752: move.b  #$1, ($9ae,A5)
0BF758: rts


the if equal part
BF75A: sub.w   D6, ($454,A5) ;Where did D6 get written? Why is it needed? What the fuck?
BF75E: add.w   D6, ($854,A5) ;Where did D6 get written? Why is it needed? What the fuck?
BF762: move.b  #$1, ($5ae,A5)
BF768: move.b  #$0, ($9ae,A5)

0019D8: jsr $10efc.l
0019DE: jsr $10efc.l

Wonder why I post that?

And this jsr is everywhere. and is only used in mid match.

Old Character code
Edit: Added more comments

00E9B0: jmp     $14eae.l
	014EAE: tst.b   ($2a5,A4); Testing if code has been entered already.
	014EB2: bne     $14ec4; Branch if code has been entered before.

	014EB4: moveq   #$0, D0 ; Clearing D0
	014EB6: move.b  ($391,A4), D0 ; Selected Character moved to D0
	014EBA: add.w   D0, D0; Making the number even
	014EBC: move.w  ($8,PC,D0.w), D0
	014EC0: jmp     ($4,PC,D0.w); Jump to Old Character Code
	
	;Old Ken code cause that's who I was using making this trace.
	015106: moveq   #$0, D0
	015108: move.b  ($90,A4), D0
	01510C: move.w  ($6,PC,D0.w), D0
	015110: jmp     ($2,PC,D0.w); jumps to $15766 no matter which character
	;end of old ken code

	015766: move.w  ($394,A4), D0
	01576A: andi.w  #$50, D0
	01576E: beq     $15772; Branch if direction inputs are right
		015772: move.w  ($392,A4), D0
		015776: andi.w  #$50, D0
		01577A: beq     $15786; branch if jab wasn't pressed
		01577C: move.b  #$0, ($90,A4)
		015782: bra     $15788 ;Old Character has been selected.

Past few days I went back to hacking Vsav.

But for today’s experiment.
See how much I can delete in the bus with out crashing.
With the useless jumps I found

0019D8: jsr $10efc.l
0019DE: jsr $10efc.l

I made them jump to FFF000 where I wrote code.

0019d8: jsr $FFF000.l 
0019DE: jsr $FFF000.l

http://i.imgur.com/DeiuVK1.png

As for the answer you can get rid of most of it except for A7.

So it didn’t crashed, but how the game behaved after it?
Also, in which address of which rom filedid you placed your custom code?

It won’t crash as long I don’t touch A7 cause the command after the Jump subroutines rewrites all the data and adresses.
At 0x19E4: movem.l (A7)+, D0-D7/A0-A6; This is why you can’t touch A7 unless you store it somewhere and then rewrite it before this command.

Where my custom code is written in a blank space in the actual memory similar Pasky’s Health Cheat(Specifically 0xFFF000). Since it’s more of experimentation it doesn’t matter if I where wrote it as long it’s valid code.

edit: As long as the code is more valid than my English in this post.

Byte Code

41F9 0090 018A
3010
3200
3400

0240 0f00
0241 00f0
0242 000f

0640 0100
0641 0010
0642 0001

0040 F000
8041
8042
3080
4E75

impressive!

Fucked up the y camera but another example what you could do with with jsr $10efc.l

P1 Position
Byte code
41F9 00FF844E
4DF9 00FFF000
3028 0006
322D 0ED4
9041
3D40 0100
3028 000A
322D 0ED8
9041
3D40 0102

49F9 00910000
302E 0100
322E 0102

D07C 0020
D27C 00A9
0040 E000

3940 0230
3941 0232
397C 81CA 0234
397C 030A 0236

4E75


Motorola 68000 Assembly
lea $ff844e.l, A0 ; Load P1 Address to A0
lea $fff000.l, A6 ; Load My memory Address
move.w ($6,A0), D0 ; Load player x position to D0
move.w ($ed4,A5), D1 ; load camx to D1
sub.w D1,D0 ; camx - px
move.w D0, ($100,A6) ; x loaded to $fff100 
move.w ($a,A0), D0 ; overwriting x data with player y
move.w ($ed8,A5), D1 ; overwriting camx with camy
sub.w D1,D0 ; Probably should switch this to an add
move.w D0,($102,A6) ; move y value to $fff102
lea $910000.l, A4 ; loading 16x16 bank 2 address to A4
move.w ($100,A6), D0 ; moving x to D0
move.w ($102,A6), D1 ; moving y to D1
add.w #$20, D0 ; adding the x offset to D0
add.w #$a9, D1 ; adding the y offset to d1
ori.w #$e000, D0 ; This is to make the graphic visible
move.w D0, ($230,A4) ; Writing x location and graphic priority(0xPXXX)
move.w D1, ($232,A4) ; Writing x location and graphic bank(0xBYYY)
move.w #$81ca, ($234,A4) ;Location of the graphic I want to use
move.w #$30a, ($236,A4) ; How many 16 x 16 up and right do i want, flip, and palette
rts

Oh, man I can’t wait to see where you go with this new found program space!
-ud

It’s not really space just a really great jump for somebody to add their own code. I still have to find space if I want to add it to a rom. I’m telling the game to jump directly into the memory where my code is.

Well, I’m going to be taking a break from Hacking ST I want to continue hacking Vsav.

If somebody else with Motorola 68000 assembly knowledge wants to work with it more I could explain the graphic format more. Maybe fix the Y.

Bank 0
8019 Collision Box Top Left
801A Collision Box Bottom Left
801B Collision Box Top Right
801C Collision Box Bottom Right

I’d say it’s them cause it’s the same ones used in early sf2 games.

81CA what i use for the axis

just curious…
would it be possible to hack the hyper super street fighter 2 anniversary edition to fix new/old sagat’s fireball start up/recovery, input for vega’s wall dive, and for super turbo characters to soften old super throws and
then write them to the eproms so it would be a more accurate ST version when playing on the cps2?

thanks

I thought Vega’s walldive was only bugged in the console ports?

Probably, a simple fix in the frame data.

That’s going to require some coding. There was some hacking on special inputs earlier in this thread.
I know undamned has a version of my training mode burned to a few roms.

If we have room @ evo in the ST area (TOLII and X-Mania USA) I thought it would be fun to bring an extra setup for people to play around with your training mode hack I know you are moving over to more VS stuff, but keep me posted on your “latest&greatest” ST training mode ROMs.
-ud

I should do another update where the graphic part of life would refill. Since, I found those jump subroutines that does nothing and add the sort of random stages(Based on the frame counter of Character select screen).

As for the Vsav hacking.

http://i.imgur.com/80TFx9X.png

I had to rewrite a sprite table for this which include all the small portraits. And, only after doing it I decided I need to make a script to make it easier if I decide to do more work with background sprites. Never thought I would get more use out of my old window lua script.

Edit:
Random Stage Hack for the Japanese set (like the training hack)
I had this for awhile there is no second checks like what pasky wanted, but it still…

“Makes ST more Enjoyable” - Falken
Regular Ol’ IPS patches

Edit2:
It is a known bug that’ll you’ll keep fighting Ryu indefinitely in single player.

Some weeks ago I was wondering: what if old dj could juggle with his MGU? Would it be a decent anti air? Would it be interesting? I always had the impression that capcom actually wanted it to be like that, but “didnt knew how”… i dont know… they only implemented a propper juggle system on ST…
I was so intrigued by that idea that I actually hacked the rom to see how would that look like: (sorry, I couldnt get the sound working)

I believe Nin, said there was a juggle system in one of CPS1 versions and removed most of it but Dhalsim managed to slip through the cracks.

Update to the character axis code I made earlier.
The code.

http://i.imgur.com/bS2h24j.png

Result

Update 2

http://i.imgur.com/iDvFO0M.png

Works on both characters also found out how many frames late it is. Which is 2 frames late. So keep that in mind when you’re using this jsr.

0019D8: jsr   $fff000.l

FFF000: 41F9 00FF 844E             lea     $ff844e.l, A0
FFF006: 49F9 0091 0000             lea     $910000.l, A4
FFF00C: 610C                       bsr     $fff01a
FFF00E: 41F9 00FF 884E             lea     $ff884e.l, A0
FFF014: 49F9 0091 0010             lea     $910010.l, A4

FFF01A: 3028 0006                  move.w  ($6,A0), D0
FFF01E: 322D 0ED4                  move.w  ($ed4,A5), D1
FFF022: 9041                       sub.w   D1, D0
FFF024: 3140 6CB2                  move.w  D0, ($6cb2,A0)

FFF028: 303C 00F8                  move.w  #$f8, D0
FFF02C: 3228 000A                  move.w  ($a,A0), D1
FFF030: 342D 0ED8                  move.w  ($ed8,A5), D2
FFF034: 9242                       sub.w   D2, D1
FFF036: 9041                       sub.w   D1, D0
FFF038: 3140 6CB6                  move.w  D0, ($6cb6,A0)

FFF03C: 3028 6CB2                  move.w  ($6cb2,A0), D0
FFF040: 3228 6CB6                  move.w  ($6cb6,A0), D1
FFF044: D07C 0038                  add.w   #$38, D0
FFF048: 0040 E000                  ori.w   #$e000, D0
FFF04C: 3940 0230                  move.w  D0, ($230,A4)
FFF050: 3941 0232                  move.w  D1, ($232,A4)
FFF054: 397C 801D 0234             move.w  #$801d, ($234,A4)
FFF05A: 397C 0019 0236             move.w  #$19, ($236,A4)
FFF060: 4E75