Sonic 3D Blast (and other SMD games). Basic disassembling with IDA.

Discussion in 'Tutorials' started by FATA-, Dec 21, 2016.

  1. FATA-

    FATA- cmpi.w #$FA1A,d0 Member

    Joined:
    Dec 18, 2016
    Messages:
    15
    Location:
    Russian Federation, Saint Petersburg
    Couldn't find any tutorial with IDA Pro on your site, so here it is!
    When I was starting my romhacking "career" in IDA Pro I had a lot of questions, and now I want to ease the way for new hackers. I won't mention things that are difficult for newcomers, like registers, or difficult instructions like SEQ, JSR, BSR and so on. :)
    This is a first introductory tutorial, so it's very basic. It's super easy and step-by-step. Hope you enjoy it! The next tutorials will be more specific to Sonic 3D Blast, I think.
    Background story
    On a snowy winter evening I wanted to start hacking Sonic 3D Blast. I just googled "Sonic 3D Blast disassembly", downloaded it and tried to open it with IDA, but then an error occurred ("Sorry, this database has been created by a pirate version of IDA"). :mad:
    I didn't give up, because I know IDA and I can make my own disassembly and hack the game! ;)
    Why do I (reader) need this?
    Firstly, you need this because... imagine: you want to hack a Mega Drive game that doesn't have any disassemblies, any programs, any decompressors and so on. What would you do?
    Secondly, if you're a novice it can increase your knowledge of 68k assembly, game structure and so on.
    What do I (reader) need for this tutorial?
    1. IDA Pro (version >= 6.8) (https://www.hex-rays.com/products/ida/)
    2. SMD Ida Tools by Lab313 (Dr.Mefist0) (https://github.com/lab313ru/smd_ida_tools/releases)
    3. Gensida by Lab313 (Dr.Mefist0) (https://github.com/lab313ru/Gensida/releases)
    4. Some basic asm knowledge (The best asm tutorial by MarkeyJester - http://mrjester.hapisan.com/04_MC68/)
    5. What hexadecimal (base 16, hex) numbers are (https://en.wikipedia.org/wiki/Hexadecimal)
    6. Patience
    First step. Installation.
    After you've installed IDA Pro you'll need the additional plugins (numbers 2 and 3 in the list).
    Note: I'm using an older version of Gensida (1.3) and an older version of SMD Ida Tools (1.0.6).

    So, how do you install these 2 plugins? Well, it's easy. Download, then unzip the archives.
    After you do that you'll see this:
    Simply drop it in your IDA folder.
    Drop these 2 files in the plugins folder.

    Second step. Setup.
    Then download the ROM that we will be using (Sonic 3D Blast for this and the next tutorials).
    Then open idaq.exe (it's better to use the 32-bit version, because the 64-bit one often crashes with these plugins).
    Click "New" and open your ROM.

    Then you'll see this window. PLEASE MAKE SURE THAT YOUR WINDOW, THE TICKS IN THE BOXES AND SO ON LOOK LIKE THEY DO IN THIS SCREENSHOT.
    Then click OK and here we go.

    After you load the ROM, click this green play button, but make sure that you chose the GensIDA debugger plugin.
    Hooray!
    Third step. So what can you do?
    A lot of things actually, a lot... But as I said, we'll start from the basics.
    Firstly, you need to start the emulator. To do this, click on that green play button again. You can also set up your joystick in Options -> Input.
    You need to play the game in order to "unlock" the asm code. Then, after you play for a while, press the pause button in the debugger (near the play button). You'll see that there is more code than before. Press the play button again.

    :rolleyes: I went to Green Grove Zone and opened Tools -> RAM Search. Do this with me ;)
    Then in the RAM Search window I ticked "Greater than" and "Previous Value". I collected one ring, then clicked Search, then repeated this process again and again.
    Hope you get the idea with RAM search.
    So I did this process 4 times and found 3 interesting RAM results, all matching my ring status. Let's remember 00FF0A57...
    Now let's open Tools -> Hex Editor (the region is RAM68k) and find our 00FF0A57.
    To prove that this address is our ring status, I'll change it.
    Hooray! We did something! We proved that this address = decimal ring status. Now we need to find the lines in the code that are responsible for the ring status. It's easy to do. We only need to activate a breakpoint on 00FF0A57. What is a 'breakpoint'? In this case, it's the thing that will stop the game when the game code does something with our RAM address.
    Let's open the breakpoints list.
    And create a breakpoint and click OK.
    Once you do that, you'll find that the game has stopped.
    You'll see something like a ring-status-refreshing subroutine; we don't need this. So left click on the blue line -> Add breakpoint, then again left click on this line -> Edit breakpoint. Write "1" in Condition and tick "Low level condition". Now this line won't stop the game when it is "activated" by the code. Click OK and press the play button.
    There will be 2 or 3 lines like that; do the same thing with them and then the game won't stop.
    Now go get one ring; the game will stop and you'll see the ring-adding subroutine.
    Then go to our hex editor in Gens (make sure you chose ROM as the region) and go to 0x1A148. There will be a line 1439FF0A57; it's our move.b (word_FFFF0A56+1).longword,d2. You'll need the thing called "opcodes" (e.g. the command "nop" in hex will be 4E71) or a 68k asm to hex converter (there was one, but I don't remember where I saw it). Just google it and find it, it's not that hard. I changed the hex line from 1439FF0A57 to 1439FF0A5F.

    Now the code adds +1 to the wrong RAM address and there is now only 1 ring.
    Then I changed 1439FF0A57 to 143FFF0A57, and a funny result happened: when I picked up a ring, the game teleported me to the level select screen. I think that is because Sonic got too many rings :D
    And finally I changed 1439FF0A57 to 1435FF0A57. That gives Sonic 100 rings per 1 ring. So editing code like that is trial and error, and it's a very fun thing to do. You can learn a lot about asm with these things.

    And finally, I want to say a few words about the VDP in this emulator. You can go to Tools -> VDP RAM. In this section you can see sprites, palettes and, the most important thing, you can dump all of this: just click Dump and save! So you can easily steal a palette and some tiles from someone's hack :D (Just joking, I don't recommend doing this.)
    Same with the sprites (Tools -> VDP Sprites).

    I think that's enough for a first introductory tutorial. We learned how to "unlock" the asm code, how to find the RAM address that we need, how to edit it, how to make breakpoints, how to find a specific line of code and edit it, and how to dump tiles, sprites and palettes for yychr.
    Thank you to all who read this to the end, and I'll see you in my next tutorial! Bye! :)
     
    Last edited: Dec 21, 2016
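The three byte edits in the post above change different fields of the same 68000 MOVE opcode. As an added example (not code from the original post, Gensida or SMD IDA Tools), here is a small Python decoder for the first word of a MOVE instruction, run over the assumed full 6-byte encoding of move.b ($FFFF0A57).l,d2 (14 39 FF FF 0A 57, since absolute long addressing stores the whole 32-bit address) and the post's three variants: changing the last byte only moves the absolute address, while changing the second byte of the opcode word rewrites the source addressing-mode field itself.

```python
# Added example, not part of the original post or of the tools it uses.
# Decodes the first word of a 68000 MOVE so the post's byte patches can be
# read as field changes. Input is the assumed full encoding 1439FFFF0A57.

SIZES = {1: "b", 3: "w", 2: "l"}          # MOVE size field, bits 13-12

def decode_ea(mode, reg, ext):
    """Return (text, extension_words_used) for one effective-address field."""
    if mode == 0:
        return f"d{reg}", 0
    if mode == 1:
        return f"a{reg}", 0
    if mode == 2:
        return f"(a{reg})", 0
    if mode == 3:
        return f"(a{reg})+", 0
    if mode == 4:
        return f"-(a{reg})", 0
    if mode == 5:                                    # (d16,An)
        return f"(${ext[0]:04X},a{reg})", 1
    if mode == 6:                                    # (d8,An,Xn): brief extension word
        idx = ("a" if ext[0] & 0x8000 else "d") + str((ext[0] >> 12) & 7)
        idx += ".l" if ext[0] & 0x0800 else ".w"
        disp = ext[0] & 0xFF
        disp -= 0x100 if disp & 0x80 else 0         # signed 8-bit displacement
        return f"({disp},a{reg},{idx})", 1
    if mode == 7 and reg == 0:                       # (xxx).w
        return f"(${ext[0]:04X}).w", 1
    if mode == 7 and reg == 1:                       # (xxx).l
        return f"(${(ext[0] << 16) | ext[1]:08X}).l", 2
    return "<invalid EA>", 0                         # e.g. mode 7 / reg 7

def decode_move(hexbytes):
    """Decode a MOVE/MOVEA given as a big-endian hex string, e.g. '1439FFFF0A57'."""
    words = [int(hexbytes[i:i + 4], 16) for i in range(0, len(hexbytes), 4)]
    op = words[0]
    if op >> 14 != 0 or (op >> 12) & 3 == 0:         # MOVE: bits 15-14 = 00, size != 00
        return "not a MOVE"
    size = SIZES[(op >> 12) & 3]
    dst_reg, dst_mode = (op >> 9) & 7, (op >> 6) & 7
    src_mode, src_reg = (op >> 3) & 7, op & 7
    src, used = decode_ea(src_mode, src_reg, words[1:])
    dst, _ = decode_ea(dst_mode, dst_reg, words[1 + used:])
    return f"{'movea' if dst_mode == 1 else 'move'}.{size} {src},{dst}"

if __name__ == "__main__":
    # The original instruction followed by the post's three patches (0A5F, 143F, 1435)
    for patch in ("1439FFFF0A57", "1439FFFF0A5F", "143FFFFF0A57", "1435FFFF0A57"):
        print(patch, "->", decode_move(patch))
```

With 1435 the source field becomes indexed addressing, so the FFFF that used to be part of the address is consumed as the extension word and the remaining 0A57 is executed as the start of the next instruction.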
  2. Natsumi

    Natsumi Markey's Member

    Joined:
    Oct 7, 2011
    Messages:
    470
    Location:
    Otter's lap
    For someone's first post, this is a lot more than you could expect from just any newbie. That said, the grammar and content of the post are still lacking. Now I do understand you are not a native speaker, but if you ask me, you should invest some more time in properly explaining everything, improving the grammar, and trying to improve the quality of this post. Also, to be fair, I knew these tools did exist, but I did not realize how useful they could be, so thanks for the tip-off!
     
  3. MainMemory

    MainMemory Well-Known Member Member

    Joined:
    Mar 29, 2011
    Messages:
    679
    You know, the Sonic 3D disasm has an IDC file that you can use to import all the data from the existing database (as detailed in the "IDCFILES" file).
     
  4. FATA-

    FATA- cmpi.w #$FA1A,d0 Member

    Joined:
    Dec 18, 2016
    Messages:
    15
    Location:
    Russian Federation, Saint Petersburg
    I know that for sure. If I had written that I know another way, a lot easier way, the tutorial would have made less sense, I think. And this path using the existing database is for the weak and less interesting :D but anyway, thanks for your message, I like your hacks!
    Thanks for that! I'll try to improve my language skills and expand this tutorial as much as possible.
     
  5. TheStoneBanana

    TheStoneBanana The Bananaman Member

    Joined:
    Nov 27, 2013
    Messages:
    571
    Location:
    The Milky Way Galaxy
    Wow. What a way to start off here on SSRG!
    Very nice guide, and I'm sure this will help a lot of people out (including myself) in the future.
     
  6. MarkeyJester

    MarkeyJester It takes only one mistake. Member

    Joined:
    Jun 27, 2009
    Messages:
    2,511
    Location:
    Miss Fox's heart~
    Fantastic work here, top man! Screenshots and examples are essential to a good guide, and you have provided just that.

    Also welcome~
     