Pages: 1
Arisotura
Posted on 05-28-12, 04:53 pm (rev. 4 by Arisotura on 05-28-12, 06:37 pm)
☭ coffee and cream
Karma: 10415 Posts: 329/2768 Since: 06-26-11
(disclaimer: this thread is mostly a dump for my findings so don't expect it to be organized nicely)
In this thread, we're going to work with the Star Coin sprite (ID 235, ClassID 67). I might also want to specify that I'm using a USA ROM.

Class table layout (312 (0x138) bytes)
* dword: pointer to the constructor
* word: class ID
* word: ???
* dword: ???
* dword: zero
* dword: zero
* 73 dwords (TODO: find out which one is which!)

Among the 73 function pointers:
* function #9 performs the graphical rendering
* function #10 controls graphical rendering (sprite is only rendered if it returns 1)
* function #21 controls graphical rendering (sprite is only rendered if it returns 0)

The fact that the class ID is present in the class table can be used to sense the presence of a certain class table at a certain address. I used that method with SM64DS for finding out which banks the objects belong to.

The sprite's class table is loaded at 0x0216D01C. The first dword there (0x02154E94) is a pointer to the constructor.
* constructor starts by calling 0x0204CC98 with R0 set to 0x520. Changing the value of R0 freezes the game when the star coin has to be created. Probably, this call opens a graphics/whatever file used by the sprite. 0x520 must be the file's internal ID (todo: find the table that maps internal IDs to file IDs). The function returns a value in R0, probably a handle to the file. Mini-Goomba's constructor calls the same function with R0=0x45C.

Interesting functions
* 02044814: glTranslate (r0=something, r1=X, r2=Y, r3=Z) (arguments guessed!)
* 02044888: glRotateY (r0=something, r1=angle)
* 0204CC98: LoadModel? (r0=internal file ID)
_________________________
Kuribo64 - zrghij
ray
Posted on 05-28-12, 04:55 pm
Roy Koopa
Karma: 4011 Posts: 1533/2722 Since: 06-26-11
Lol, I don't get that... Possible to explain that for dummies?
See lots of creative DS Hacking here
_________________________
If you want to support me, you might check out my Patreon Page : )
Arisotura
Posted on 05-28-12, 04:57 pm
☭ coffee and cream
Karma: 10415 Posts: 330/2768 Since: 06-26-11
This thread is mostly a finding dump, not a tutorial of any kind.
It's basically about finding out how sprite rendering is done, and perhaps reprogramming sprites to use other graphics. My original idea was to hack 3D sprites to make them giant.
_________________________
Kuribo64 - zrghij
ray
Posted on 05-28-12, 04:58 pm
Roy Koopa
Karma: 4011 Posts: 1534/2722 Since: 06-26-11
OMG! I'll definitely try to find out more if this will help me with my level!
See lots of creative DS Hacking here
_________________________
If you want to support me, you might check out my Patreon Page : )
Dirbaio
Posted on 05-28-12, 05:13 pm
Super Mario
( ͡° ͜ʖ ͡°) Karma: 10010 Posts: 1769/4457 Since: 06-08-11
Which ROM region are you looking at? I recommend we hack the U region only, because I already have lots of info on it.
I also have some addresses and tables about sprites. Basically, every sprite has something called a "vtable". The first word of the sprite structure in RAM points to it. The vtable contains pointers to all the virtual functions of the class.
vtable[0] = some kind of "init" function (NOT constructor)
There were also preRender, render, postRender, preTick, tick and postTick, or something like that. I have the actual offsets in IDA Pro, will post them when I get it installed.
Arisotura
Posted on 05-28-12, 06:38 pm
☭ coffee and cream
Karma: 10415 Posts: 331/2768 Since: 06-26-11
Dirbaio
Posted on 05-28-12, 07:09 pm
Super Mario
( ͡° ͜ʖ ͡°) Karma: 10010 Posts: 1771/4457 Since: 06-08-11
Function #3: Destructor
Function #6: Update function

020C940C: vtable for the "level scene" actor (called BG_GM in NSMBW according to Treeki)
0216CCD8: vtable for the "pre-level scene" actor that says "World 1-1" (called CRSIN in NSMBW according to Treeki)
02126428: vtable for Goomba
021284E8: vtable for Mario
0213C55C: vtable for Enemy-In-Pipe generator (note how the render function for this does nothing. Looks good!)
0203997C: Table for classes. Contains 1 pointer for each class ID to the "class table"

In fact, the class table you're talking about is two things. There's a 3-word structure, you call it the "class table", I call it the "actor flags":
* dword: pointer to the constructor. Also, if the sprite set is not loaded, it's NULL.
* word: class ID
* word: ???
* dword: ???

The constructor allocates memory, calls any "sub-class" constructors, and sets the pointer to the vtable. The vtable is *not* part of this structure. In the case of the star coin it's right next to it, but there are cases where it isn't.

Also: 0204CC98: AllocFromGameHeap (used by the game to allocate objects). It's NOT LoadModel. Receives size to allocate, returns pointer to allocated memory. The other two functions you posted do look like translate and rotate.

Unrelated, but useful:
0208B168: Pointers to all of the "blocks" in the level file.
0208B130: Lengths of the blocks.
02085A84: Set to 1 in Mario vs Luigi mode.
02085A1C: Set to 1 when starting the level from the midway point.
coolas1
Posted on 06-24-12, 01:28 am
Porcupo
Did you win the game? Karma: 211 Posts: 265/322 Since: 06-28-11
Dirbaio / Mega-Mario
If the vtable is not part of the structure, can you tell us where you can find the pointers to the vtable?
Arisotura
Posted on 06-24-12, 10:55 am
☭ coffee and cream
Karma: 10415 Posts: 422/2768 Since: 06-26-11
Dirbaio
Posted on 06-24-12, 02:50 pm
Super Mario
( ͡° ͜ʖ ͡°) Karma: 10010 Posts: 1831/4457 Since: 06-08-11
It's easy to find any vtable for any class in the game.
Go to 0203997C + classID*4. Follow the pointer in there. Follow the new pointer again. You'll end up in some piece of code that will allocate some RAM, and then store an address in the first word of the allocated RAM. That one is the vtable. |
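As an added example (editor's code, not anything posted by Arisotura or Dirbaio), here is a small Python walker that performs the first hop of the procedure above (0203997C + classID*4, then follow the pointer) and decodes the 0x138-byte class table described in the opening post, applying the "class ID is present in the structure" check that post uses to sense a class table at a given address. It also scans a dump for every structure carrying a given class ID, which is the same trick generalised to the whole RAM image. The dump it runs on is constructed inline (only the addresses quoted in the thread are populated, plus a hypothetical unloaded class 68 and a decoy); the two "zero" dwords being zero and the constructor pointing into RAM are filters I assume, not facts from the thread. The second hop, disassembling the constructor to find the vtable store, is deliberately not automated.

```python
"""Class-table walker for a NSMB DS (USA) ARM9 RAM dump. Added example, not
code from the thread. Addresses and layout are taken from the posts above:
0x0203997C (one dword per class ID -> class table) and the 0x138-byte class
table (ctor ptr, class ID word, ???, ???, 0, 0, then 73 function pointers).
The dump below is CONSTRUCTED so the script runs offline."""
import struct

MAIN_RAM_BASE = 0x02000000
CLASS_PTR_TABLE = 0x0203997C        # per class ID: pointer to its class table
NUM_FUNCS = 73
HDR_FMT = "<IHHIII"                 # ctor, class ID, ???, ???, zero, zero (20 bytes)
HEADER = struct.Struct(HDR_FMT)
CLASS_TABLE_SIZE = HEADER.size + NUM_FUNCS * 4   # 20 + 292 = 0x138, as in the thread

STAR_COIN_CLASS_ID = 67             # Star Coin: sprite ID 235, class ID 67
STAR_COIN_TABLE = 0x0216D01C        # class table address quoted in the first post
STAR_COIN_CTOR = 0x02154E94         # constructor pointer quoted in the first post


class RamImage:
    """A byte dump that starts at an absolute address."""

    def __init__(self, base, data):
        self.base, self.data = base, bytes(data)

    def contains(self, addr, size=4):
        return self.base <= addr and addr + size <= self.base + len(self.data)

    def u32(self, addr):
        if not self.contains(addr):
            raise ValueError(f"read outside dump: {addr:#010x}")
        return struct.unpack_from("<I", self.data, addr - self.base)[0]


def parse_class_table(ram, addr):
    """Decode the 0x138-byte structure at `addr`, or return None if out of range."""
    if not ram.contains(addr, CLASS_TABLE_SIZE):
        return None
    off = addr - ram.base
    ctor, class_id, unk16, unk32, zero1, zero2 = HEADER.unpack_from(ram.data, off)
    funcs = list(struct.unpack_from(f"<{NUM_FUNCS}I", ram.data, off + HEADER.size))
    return {"addr": addr, "ctor": ctor, "class_id": class_id, "unk16": unk16,
            "unk32": unk32, "zero1": zero1, "zero2": zero2, "funcs": funcs}


def looks_like_class_table(ram, ct, class_id):
    """Presence check from the first post: the class ID word must match.
    Extra filters (my assumptions, not from the thread): the two 'zero' dwords
    are zero, and the ctor is NULL (sprite set not loaded) or points into RAM."""
    if ct is None or ct["class_id"] != class_id or ct["zero1"] or ct["zero2"]:
        return False
    return ct["ctor"] == 0 or ram.contains(ct["ctor"])


def lookup_class(ram, class_id):
    """First hop of the procedure above: 0203997C + classID*4 -> class table.
    The second hop (disassembling the ctor for the vtable store) is not done here."""
    ct_addr = ram.u32(CLASS_PTR_TABLE + class_id * 4)
    ct = parse_class_table(ram, ct_addr)
    if not looks_like_class_table(ram, ct, class_id):
        raise ValueError(f"class {class_id}: no class table at {ct_addr:#010x}")
    return ct


def find_class_tables(ram, class_id):
    """Scan the whole dump for structures carrying `class_id` (the SM64DS trick)."""
    needle = struct.pack("<H", class_id)
    hits, pos = [], ram.data.find(needle)
    while pos != -1:
        # the class ID word sits at +4 of a dword-aligned structure
        if pos % 4 == 0 and pos >= 4:
            cand = ram.base + pos - 4
            if looks_like_class_table(ram, parse_class_table(ram, cand), class_id):
                hits.append(cand)
        pos = ram.data.find(needle, pos + 1)
    return hits


def build_demo_image():
    """CONSTRUCTED 2 MiB dump: only the addresses quoted in the thread are filled,
    plus a hypothetical unloaded class 68 and a decoy that carries the value 67."""
    buf = bytearray(0x200000)

    def put(addr, fmt, *vals):
        struct.pack_into(fmt, buf, addr - MAIN_RAM_BASE, *vals)

    put(CLASS_PTR_TABLE + STAR_COIN_CLASS_ID * 4, "<I", STAR_COIN_TABLE)
    put(CLASS_PTR_TABLE + 68 * 4, "<I", 0x0216D200)            # hypothetical address
    put(STAR_COIN_TABLE, HDR_FMT, STAR_COIN_CTOR, STAR_COIN_CLASS_ID, 0, 0, 0, 0)
    put(STAR_COIN_TABLE + HEADER.size, f"<{NUM_FUNCS}I",
        *(0x02100000 + 0x10 * i for i in range(NUM_FUNCS)))      # dummy function pointers
    put(0x0216D200, HDR_FMT, 0, 68, 0, 0, 0, 0)                  # ctor NULL: set not loaded
    put(0x02180000, HDR_FMT, 0xDEADBEEF, 67, 0, 0, 1, 0)         # decoy: 'zero' not zero
    return RamImage(MAIN_RAM_BASE, buf)


if __name__ == "__main__":
    ram = build_demo_image()
    ct = lookup_class(ram, STAR_COIN_CLASS_ID)
    print(f"class {ct['class_id']}: table {ct['addr']:#010x}, ctor {ct['ctor']:#010x}")
    print("candidates by scan:", [f"{a:#010x}" for a in find_class_tables(ram, 67)])
```

On a real dump you would replace `build_demo_image()` with `RamImage(0x02000000, open("main_ram.bin", "rb").read())`; the scan is what lets you spot a class table even when the pointer table entry is NULL because its sprite set is not loaded.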
Arisotura
Posted on 06-24-12, 08:10 pm
☭ coffee and cream
Karma: 10415 Posts: 423/2768 Since: 06-26-11
Dirbaio
Posted on 06-24-12, 09:04 pm
Super Mario
( ͡° ͜ʖ ͡°) Karma: 10010 Posts: 1835/4457 Since: 06-08-11
Yeah, you're right, it's not easy to automate.
Because some constructors call constructors for subclasses (which write other vtable addresses) and then write the "good" vtable address...