Beginner's Guide to Cavestory Assembly

Re: Beginner's Guide to Cavestory Assembly

It helped me A LOT. I still don't know a lot about ASM, but this guide actually helped a lot for me.

 

Re: Beginner's Guide to Cavestory Assembly

EDIT AGAIN: Okay now when I try to save the changes for the diagonal bullet hack, it tells me it is unable to back up the file, and that I need to use a different name.

 

Then make a different filename
This happened to me sometimes and I have no idea what causes it.

 

Re: Beginner's Guide to Cavestory Assembly

This seems rather odd... Anyone have any idea what could be causing it?
EDIT: When I finished the diagonal bullet hack, exactly like it said, for some reason my bullet shoots straight up, not diagonal.

When doing the raged behemoth hack, it tells me to NOP out everything from 00426D01 to 00426D1D. But I don't see the address 00426D1D anywhere in that line of code. When I search for it, it points to 00426D1E.

 

Re: Beginner's Guide to Cavestory Assembly

This seems rather odd... Anyone have any idea what could be causing it?
EDIT: When I finished the diagonal bullet hack, exactly like it said, for some reason my bullet shoots straight up, not diagonal.

When doing the raged behemoth hack, it tells me to NOP out everything from 00426D01 to 00426D1D. But I don't see the address 00426D1D anywhere in that line of code. When I search for it, it points to 00426D1E.

Hmm... for the diagonal bullet issue, you should see:

Address  Command
40482D   MOV ECX,DWORD PTR SS:[EBP+8]     ;this is right.
404830   MOV DWORD PTR DS:[ECX+18],-1000
404837   NOP
404838   NOP

Instead of...

Address  Command
40482D   MOV DWORD PTR DS:[49E6D0],60     ;this is not right.
404837   NOP
404838   NOP

So replace the MOV DWORD PTR DS:[49E6D0],60 with the original 2 commands. But keep the NOPs there. That's just my hunch.

For the behemoth issue, I did say "NOP out everything from 00426D01 to 00426D1D". Now, you can't really see the address 426D1D, but it's still there. What I really mean is "NOP out every instruction from 00426D01 up until 00426D1E, but do not actually erase the instruction at 426D1E" (keep the instruction at 426D1E, and put the NOPs before it.)

 

Re: Beginner's Guide to Cavestory Assembly

thanks. How do I turn everything into NOPs? I didn't really understand, I just knew that Olly did it sometimes. And I still don't have the keep size checkbox, is it important?

 

Re: Beginner's Guide to Cavestory Assembly

thanks. How do I turn everything into NOPs? I didn't really understand, I just knew that Olly did it sometimes. And I still don't have the keep size checkbox, is it important?

Right click on instruction or selected region > Edit > Fill with NOPs.

Keep size is not important - just leave it unchecked. I usually keep it unchecked anyway.

 

Quick Question, I was taking a look at the TSC Hacking portion, would we need to do a lot of optimizing if we were to add more TSC commands without taking others out? Also, how do we get Cave Editor to show those commands in its list of commands, and tell you what it does?
(Above question for anyone)
This question for noxid only: Could I do the <IMG hack by having ASM call its framrects?

Um I was working on adding the <BBP, I copied directly from the thing, just to be sure I didn't screw it up, yet when I ran it, it crashes immediately and gives me a garbled piece of corruption. I have no idea why, I did it exactly like the file said.

 

I've already made a TSC parser with room for as many additional commands as you would want. I posted it in some thread about adding a new command called <RNJ or whatever, which I may or may not be too lazy to find right now.

Getting the commands to appear in CE's list depends a bit on your version of Cave Editor, but I'm pretty sure most have an external file ("CE_TSC.txt" or "CaveEditor.txt") with a big list that you can add them to.

There are also other things for <IMG you need to consider. The image has to be loaded to an image slot, then it has to be drawn every frame on top of the tiles/UI/stuff but below textboxes and fade-ins. I am going to finish that patch sometime soon maybe

I didn't actually read the guide very in-depth because I kind of already knew how to ASM when it came out so I can't answer any questions about it specifically.

 

Quick Question, I was taking a look at the TSC Hacking portion, would we need to do a lot of optimizing if we were to add more TSC commands without taking others out? Also, how do we get Cave Editor to show those commands in its list of commands, and tell you what it does?

Well, you don't need to do a lot of optimizing. You can just JMP to some free space and JMP back to the parser, and insert your new TSC command into that free space.
As an example I've used before, if you decide that you're never going to use Ballos in your mod, you can use all the Ballos code for free space. You won't need to remove existing commands.

So basically, implementing Noxid's Space-Efficient TSC Parser is quite useful, but it's not required for new TSC commands.

Um I was working on adding the <BBP, I copied directly from the thing, just to be sure I didn't screw it up, yet when I ran it, it crashes immediately and gives me a garbled piece of corruption. I have no idea why, I did it exactly like the file said.

Well, a possible problem could be that you're using DWORD instead of BYTE.

The following is correct:

00493800  CMP [B]BYTE[/B] PTR DS:[ECX+1],42          ;B
00493804  JNE 00424F33                        ;if letter isn't B, go to 424F33 (address of <GIT command)
0049380A  CMP [B]BYTE[/B] PTR DS:[ECX+2],42          ;B
0049380E  JNE 00424F33                        ;if letter isn't B, go to 424F33.
00493814  CMP [B]BYTE[/B] PTR DS:[ECX+3],50          ;P
00493818  JNE 00424F33                        ;if letter isn't P, go to 424F33.

But this is not correct:

00493800  CMP [B]DWORD[/B] PTR DS:[ECX+1],42    ;Text characters are not DWORD-sized.
00493804  JNE 00424F33
0049380A  CMP [B]DWORD[/B] PTR DS:[ECX+2],42
0049380E  JNE 00424F33
00493814  CMP [B]DWORD[/B] PTR DS:[ECX+3],50
00493818  JNE 00424F33

Alternatively, it's possible that it's not your fault--your computer might just refuse to run code from a data-section of the executable.
In that case, change the <BBP command so that it starts at a much lower address than 4937F4, and jump to that lower address to check for the command. Do this on a dummy executable instead of a real mod, or else problems may occur.

 

Re: Beginner's Guide to Cavestory Assembly

(facepalm) yep, it was the Dword. I really gotta pay attention.
EDIT: Wait no, I did the bytes right. Wtf?
Quick Question. How do I get between the free space and the space where all the code already is? When I go to the area with the free space, its a separate section than the normal code.
Now when I attempt to save, it says it cannot locate any data in the executable. ugh.

 

Quick Question. How do I get between the free space and the space where all the code already is? When I go to the area with the free space, its a separate section than the normal code.
Now when I attempt to save, it says it cannot locate any data in the executable. ugh.

Well, I just used Ctrl+G to get to 4937F4 and put the code for <BBP there. Ctrl+G can be used to jump between sections of the executable.

Yes, 4937F4 is part of the data section. It should be okay to use the data section to run code. I've tested this on both a 32-bit version of Windows and a 64-bit version with no problems.

Now, I'm not sure why OllyDbg is refusing to save for you. I'm using OllyDbg version 2.01 alpha 3 on a (regularly updated) 64-bit Windows 7 computer. What are you using? Maybe try a different version of OllyDbg and see if that helps?

Are you sure you used the correct method to "Copy to Executable"? You need to select the entire block of red code so that it's highlighted in gray, and then right click on it and do Edit > Copy to Executable. Then close the window that pops up, then click Yes, Save, and then Yes again. Since you seem to already have done previous example hacks, I'm doubting whether this is the issue or not.

Essentially, I can't really tell what the problem is. If you're still stuck, send me the copy of Cave Story (the entire folder) that you hacked via PM or VM and maybe I can gather more information from that.

---------

EDIT: Found something. This guy has your exact problem:
http://www.woodmann.com/forum/showthread.php?9434-unable-to-save-changes-in-exe-file-by-Ollydbg

Those forumgoers on the OllyDbg support forums appear to argue back and forth about how it's possible or not possible to save code that exists in any section.

I dunno - the solution is to use a hex editor and copy the hex dump manually that you see inside OllyDbg. That seems more complicated than necessary, but it is possible. Oddly, I've never run into this problem. (plus the link is 5 years old)

EDIT2: If you don't want to use a hex editor to do this, then I could probably rig up something with the Doukutsu Assembler to make it work. As a final note, you don't *have* to do all the example hacks. They are there for demonstration. Also, it is possible to become a perfectly proficient ASM hacker without needing to shove code into a non-code section.

 

Re: Beginner's Guide to Cavestory Assembly

Shoot. And what I'm worried about is, I'm gonna have to do this over and over, because with my luck the problem will continue to come up. And due to the stupid filter my mom put on my computer, I can't even check the link. What hex editor should I use, and how do I do it?
EDIT: I might have to use the doukutsu assembler, and I wanna do all the demonstrations, so that I at least know I'm doing it right. And I'm not sure what shoving code into a non-code section is, so I'm gonna assume its using the free space, so I'll just take out other parts of the script I'm not gonna use and use that space instead.

 

Re: Beginner's Guide to Cavestory Assembly

Wow this guide has really evolved a lot since the last version I've read. Reawakened in me the dormant desire to learn ASM. Thanks man

 

Great guide, it really helped me understand how ASM works! I was very surprised that something like adding a custom TSC command, which I thought to be very difficult turned out to be relatively easy! There is a problem with trying to do your <BBP code though: When I try to assemble the first line it says 'no room for this command'. When I untick the box with 'keep size' it works, but the resulting code causes an error at the first line of the script. Any idea what might be causing this or why it tells me there is no room for the command?

Also, is there any way to make more room (aka more NOP's) without having to go through the code and optimize it? Like, add some NOP's at the back of the code?

 

Going through the code and optimizing it is a great exercise. Do that.
As for your question, it says "no room for this command" because the command you're inputting requires more bytes than the one that is already there. Once you untick the box, it uses the required amount of bytes, but this obviously screws up the rest of the code.

Solution: figure out what the code does and rewrite it so it all works nicely.

 

You could also use a resource hacker and insert something plain, like a black bmp and use the addresses for data storage.

 

I've been trying to optimize the code for the Frog (NPCID 104) from the point specified in the tutorial and it has been going really well, especially since OllyDbg shows if a line of code jumps somewhere and if it is jumped to. But when I tried to get to the start point for the frog code with offset 0x003B7F0 (from Noxid's assembly compendium) OllyDbg said 'no memory at this location'. I soon found out that I was trying to search for the offset '0003B7F0' instead of 'address+0003B7F0'. What is the address I'm supposed to offset this from?

 

x400000

 

Ah, thank you! I also have a question regarding optimizing a piece of code that appears often. Am I doing this right?

MOV ECX,DWORD PTR SS:[EBP+8]
CMP DWORD PTR DS:[ECX+64],2

Which I optimized to:

CMP DWORD PTR SS:[EBP+72],2

I suspect this is wrong since the guide doesn't use this optimization in a place it could be used. Because I suspect I did it wrong I optimized the bit of Frog code from the beginning of the optimization bit (the part that was an example in the guide) to the JMP command. I put this code right under the rest of the code above and I edited the addresses of the JLE commands accordingly. I also did

MOV ECX,DWORD PTR SS:[EBP+8]

once and replaced the EDX and EAX that contained the same value. The original code and the optimized code are below.
Original:

CPU Disasm
Address   Hex dump		  Command								  Comments
0043B9AE	  8B4D 08	   MOV ECX,DWORD PTR SS:[EBP+8]
0043B9B1	  8B51 64	   MOV EDX,DWORD PTR DS:[ECX+64]
0043B9B4	  83C2 01	   ADD EDX,1
0043B9B7	  8B45 08	   MOV EAX,DWORD PTR SS:[EBP+8]
0043B9BA	  8950 64	   MOV DWORD PTR DS:[EAX+64],EDX
0043B9BD	  8B4D 08	   MOV ECX,DWORD PTR SS:[EBP+8]
0043B9C0	  8379 64 02    CMP DWORD PTR DS:[ECX+64],2
0043B9C4	  7E 19		 JLE SHORT 0043B9DF
0043B9C6	  8B55 08	   MOV EDX,DWORD PTR SS:[EBP+8]
0043B9C9	  C742 64 00000 MOV DWORD PTR DS:[EDX+64],0
0043B9D0	  8B45 08	   MOV EAX,DWORD PTR SS:[EBP+8]
0043B9D3	  8B48 68	   MOV ECX,DWORD PTR DS:[EAX+68]
0043B9D6	  83C1 01	   ADD ECX,1
0043B9D9	  8B55 08	   MOV EDX,DWORD PTR SS:[EBP+8]
0043B9DC	  894A 68	   MOV DWORD PTR DS:[EDX+68],ECX
0043B9DF	  8B45 08	   MOV EAX,DWORD PTR SS:[EBP+8]
0043B9E2	  8378 68 01    CMP DWORD PTR DS:[EAX+68],1
0043B9E6	  7E 0A		 JLE SHORT 0043B9F2
0043B9E8	  8B4D 08	   MOV ECX,DWORD PTR SS:[EBP+8]
0043B9EB	  C741 68 00000 MOV DWORD PTR DS:[ECX+68],0
0043B9F2	  8B55 08	   MOV EDX,DWORD PTR SS:[EBP+8]
0043B9F5	  837A 78 12    CMP DWORD PTR DS:[EDX+78],12
0043B9F9	  7E 14		 JLE SHORT 0043BA0F
0043B9FB	  8B45 08	   MOV EAX,DWORD PTR SS:[EBP+8]
0043B9FE	  C740 74 01000 MOV DWORD PTR DS:[EAX+74],1
0043BA05	  8B4D 08	   MOV ECX,DWORD PTR SS:[EBP+8]
0043BA08	  C741 74 01000 MOV DWORD PTR DS:[ECX+74],1
0043BA0F	  E9 E4000000   JMP 0043BAF8

Optimized:

CPU Disasm
Address   Hex dump		  Command								  Comments
0043B9AE	  8B4D 08	   MOV ECX,DWORD PTR SS:[EBP+8]
0043B9B1	  FF41 64	   INC DWORD PTR DS:[ECX+64]
0043B9B4	  8379 64 02    CMP DWORD PTR DS:[ECX+64],2
0043B9B8	  7E 0A		 JLE SHORT 0043B9C4
0043B9BA	  C741 64 00000 MOV DWORD PTR DS:[ECX+64],0
0043B9C1	  FF41 68	   INC DWORD PTR DS:[ECX+68]
0043B9C4	  8379 68 01    CMP DWORD PTR DS:[ECX+68],1
0043B9C8	  7E 07		 JLE SHORT 0043B9D1
0043B9CA	  C741 68 00000 MOV DWORD PTR DS:[ECX+68],0
0043B9D1	  8379 78 12    CMP DWORD PTR DS:[ECX+78],12
0043B9D5	  7E 07		 JLE SHORT 0043B9DE
0043B9D7	  C741 74 01000 MOV DWORD PTR DS:[ECX+74],1
0043B9DE	  E9 15010000   JMP 0043BAF8