
Experimenting with assembly

Feb 22, 2010 at 9:11 PM
Not anymore
"Run, rabbit run. Dig that hole, forget the sun."
Join Date: Jan 28, 2010
Location: Internet
Posts: 1369
Age: 35
Pronouns: he/him
I haven't really discovered anything that the expert assembly hackers shouldn't already know about.

But I did manage to find some simple hacks that can be done.

So, after trying to use OllyDbg seriously for once...

===Machine gun bullet speed===
Code:
CPU Disasm
Address   Command                           Comments
00405322  MOV DWORD PTR SS:[EBP-84],1000    ;speed of machine gun
0040532C  JMP SHORT 00405344
0040532E  MOV DWORD PTR SS:[EBP-84],1000    ;speed of machine gun
00405338  JMP SHORT 00405344
0040533A  MOV DWORD PTR SS:[EBP-84],1000    ;speed of machine gun

These 3 values seem to control the speed at which the machine gun fires its bullets.
Must change all of those values (default = 1000) at the same time. Warning: if you change the speed, the sprites will be messed up, since the machine gun bullets are more than one sprite.

===Bubbler Lvl 3 Bouncing speed===
Code:
CPU Disasm
Address   Command                                  Comments
00406734  MOV DWORD PTR DS:[ECX+18],400   ;speed at which bubbles move right when hitting left wall. Default = 400.
0040673B  MOV EDX,DWORD PTR SS:[EBP+8]
0040673E  CMP DWORD PTR DS:[EDX+18],0
00406742  JLE SHORT 00406758
00406744  MOV EAX,DWORD PTR SS:[EBP+8]
00406747  MOV ECX,DWORD PTR DS:[EAX]
00406749  AND ECX,00000004
0040674C  JE SHORT 00406758
0040674E  MOV EDX,DWORD PTR SS:[EBP+8]
00406751  MOV DWORD PTR DS:[EDX+18],-400  ;speed bubbles move left when hitting right wall
00406758  MOV EAX,DWORD PTR SS:[EBP+8]
0040675B  CMP DWORD PTR DS:[EAX+1C],0
0040675F  JGE SHORT 00406775
00406761  MOV ECX,DWORD PTR SS:[EBP+8]
00406764  MOV EDX,DWORD PTR DS:[ECX]
00406766  AND EDX,00000002
00406769  JE SHORT 00406775
0040676B  MOV EAX,DWORD PTR SS:[EBP+8]
0040676E  MOV DWORD PTR DS:[EAX+1C],400   ;speed bubbles move down when hitting ceiling?
00406775  MOV ECX,DWORD PTR SS:[EBP+8]
00406778  CMP DWORD PTR DS:[ECX+1C],0
0040677C  JLE SHORT 00406792
0040677E  MOV EDX,DWORD PTR SS:[EBP+8]
00406781  MOV EAX,DWORD PTR DS:[EDX]
00406783  AND EAX,00000008
00406786  JE SHORT 00406792
00406788  MOV ECX,DWORD PTR SS:[EBP+8]
0040678B  MOV DWORD PTR DS:[ECX+1C],-400   ;speed bubbles move up when hitting floor?

You can change these values to change at what speed the bubbles go at when they bounce off walls. Only works after bouncing off walls.
I guess you can make the values really big for super-bouncy bubbles, or make them zero to create sticky bubbles that have 0 speed when hitting walls (but they will still slowly move back towards the main character).

===Bubbler Lvl 3 Firing Speed===
Code:
CPU Disasm
Address   Command                                  Comments
004065D9  PUSH -200                       ;firing speed of bubbles when shot out of bubbler
004065DE  PUSH -400                       ;firing speed of bubbles when shot out of bubbler
004065E3  CALL 0040F350
004065E8  ADD ESP,8
004065EB  MOV EDX,DWORD PTR SS:[EBP+8]
004065EE  MOV DWORD PTR DS:[EDX+18],EAX
004065F1  PUSH 4
004065F3  PUSH -4
004065F5  CALL 0040F350
004065FA  ADD ESP,8
004065FD  SHL EAX,9
00406600  CDQ
00406601  SUB EAX,EDX
00406603  SAR EAX,1
00406605  MOV ECX,DWORD PTR SS:[EBP+8]
00406608  MOV DWORD PTR DS:[ECX+1C],EAX
0040660B  JMP 004066AA
00406610  PUSH 400                          ;firing speed of bubbles when shot out of bubbler
00406615  PUSH 200                          ;firing speed of bubbles when shot out of bubbler
0040661A  CALL 0040F350
0040661F  ADD ESP,8
00406622  MOV EDX,DWORD PTR SS:[EBP+8]
00406625  MOV DWORD PTR DS:[EDX+18],EAX
00406628  PUSH 4
0040662A  PUSH -4
0040662C  CALL 0040F350
00406631  ADD ESP,8
00406634  SHL EAX,9
00406637  CDQ
00406638  SUB EAX,EDX
0040663A  SAR EAX,1
0040663C  MOV ECX,DWORD PTR SS:[EBP+8]
0040663F  MOV DWORD PTR DS:[ECX+1C],EAX
00406642  JMP SHORT 004066AA
00406644  PUSH -400                         ;firing speed of bubbles when shot out of bubbler
00406649  PUSH -200                         ;firing speed of bubbles when shot out of bubbler
0040664E  CALL 0040F350
00406653  ADD ESP,8
00406656  MOV EDX,DWORD PTR SS:[EBP+8]
00406659  MOV DWORD PTR DS:[EDX+1C],EAX
0040665C  PUSH 4
0040665E  PUSH -4
00406660  CALL 0040F350
00406665  ADD ESP,8
00406668  SHL EAX,9
0040666B  CDQ
0040666C  SUB EAX,EDX
0040666E  SAR EAX,1
00406670  MOV ECX,DWORD PTR SS:[EBP+8]
00406673  MOV DWORD PTR DS:[ECX+18],EAX
00406676  JMP SHORT 004066AA
00406678  PUSH 100                        ;downward speed of bubbles when shot out of bubbler?
0040667D  PUSH 80                         ;downward speed of bubbles when shot out of bubbler?
00406682  CALL 0040F350

Change these PUSHed values to different numbers to change the speed at which the bubbles are fired from the lvl 3 bubbler.
The 4 different sections of PUSHed values most likely correspond to the direction in which the bubbles are fired.
I just changed them all at once, so I don't know which section refers to which direction.

===Player Motion===
Code:
CPU Disasm
Address   Command                                  Comments
0041571F  MOV DWORD PTR SS:[EBP-14],32C            ;Value 1, left/right speed of player

0041573B  C745 D8 00100 MOV DWORD PTR SS:[EBP-28],500      ;Value 2, player's max jump?

CPU Disasm
Address   Hex dump      Command                                  Comments
00415742  C745 DC 00100 MOV DWORD PTR SS:[EBP-24],55           ;Value 4
00415749  C745 E8 00100 MOV DWORD PTR SS:[EBP-18],20           ;Value 5
00415750  C745 E0 00100 MOV DWORD PTR SS:[EBP-20],33           ;Value 6

Changing Value 1 will change the left/right speed of the player. Do 0 to make Quote crippled, make it a big number to make him really fast.
Changing value 2 seems to modify maximum jump height; make it bigger to make Quote jump higher. Note that there seems to be a maximum limit (i.e. you cannot make Quote jump infinitely high).
Quote's default horizontal speed is 32C hexadecimal. Technically, since Quote accelerates, this is his maximum speed.

Values 4, 5, and 6 seem to have something to do with the ability of the main player to move left/right. Changing them will cause the player to move in strange ways. Not sure exactly what it does.

===Player Gravity===
Code:
CPU Disasm
Address   Command                                  Comments
00415726  MOV DWORD PTR SS:[EBP-0C],5FF            ;Something to do with gravity
0041572D  MOV DWORD PTR SS:[EBP-1C],50             ;Something to do with gravity
00415734  MOV DWORD PTR SS:[EBP-10],20             ;Something to do with gravity

Changing these values to low numbers will make gravity very low. Now you CAN make Quote jump infinitely high.
Changing these values to negative numbers will make gravity work backwards!
(the main player will fall toward the ceiling)
Changing them to zero will cause Quote to float, but since you can't touch the ground, you can't jump or move up.

===An example of a simple instruction hack===
Code:
CPU Disasm
Address   Command                                  Comments
00404830  MOV EAX,OFFSET Doukutsu.0049E6E8    ; shove 0049E6E8 into EAX
00404835  NOP
00404836  NOP
00404837  NOP                                      
00404838  NOP
00404839  NOP                                      
0040483A  NOP
0040483B  NOP
0040483C  MOV BYTE PTR DS:[EAX],50            ; shove the number 50 into [EAX]
0040483F  NOP
00404840  NOP
00404841  NOP
00404842  NOP

I've replaced the polar star "shoot left" code with the above commands at the above addresses.
The NOPs make it look really messy, but whatever.
Since OllyDbg's syntax is weird, just remember that the commands here basically mean:

MOV EAX, 0049E6E8
MOV [EAX], 50

Which is pretty straightforward. Take the offset of the booster fuel [0049E6E8]
And shove the number 50 (hex) into it. The booster will be reset to 50 fuel when you shoot the polar star in the left direction.

Which means... as long as you repeatedly fire the polar star in the left direction, you have infinite booster!
(Don't shoot the polar star up or else the game will crash. Yeah, I know. Not a very practical code replacement.)

Oh yeah, if you find errors with my explanations (I'm sure there are many), please don't hesitate to point them out!
 
Feb 22, 2010 at 9:40 PM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
Code:
00415726  MOV DWORD PTR SS:[EBP-0C],5FF            ;Something to do with gravity
0041572D  MOV DWORD PTR SS:[EBP-1C],50             ;Something to do with gravity
00415734  MOV DWORD PTR SS:[EBP-10],20             ;Something to do with gravity
first line looks to be max, second acceleration w/o z key, third acceleration while z key is pressed.

actually, when you get down to it, the whole player movement fiasco is really well documented, just search.

Code:
MOV EAX, 0049E6E8
MOV [EAX], 50
you can actually just do:
Code:
MOV [49e6e8], 50
and the nops between commands are unnecessary.

otherwise, looks good, keep searching.

oh, and about
carrothead said:
I haven't really discovered anything that the expert assembly hackers shouldn't already know about.
just cuz we can find it, doesn't mean we have found it, i.e. I don't have anything you just posted but agility and booster offsets. anyways, none of the hackers on this forum can really be counted as experts except for maybe dooey and sshsigi.
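An added example (not code from this thread or from the game) that encodes the instruction forms quoted in the two posts above and pads an in-place replacement with NOPs, so you can check that a patch fits the span it overwrites before touching the binary. The booster-fuel address 0049E6E8 and the 19-byte span 00404830..00404842 are taken from the listing above; the encoder functions and their names are mine.

```python
import struct

NOP = 0x90

def mov_eax_imm32(imm):
    # B8 imm32: MOV EAX, imm32 (5 bytes)
    return bytes([0xB8]) + struct.pack("<I", imm)

def mov_byte_ptr_eax_imm8(imm):
    # C6 00 ib: MOV BYTE PTR [EAX], imm8 (3 bytes)
    return bytes([0xC6, 0x00, imm & 0xFF])

def mov_byte_ptr_abs_imm8(addr, imm):
    # C6 05 disp32 ib: MOV BYTE PTR [addr], imm8 (7 bytes), the single-instruction form
    return bytes([0xC6, 0x05]) + struct.pack("<I", addr) + bytes([imm & 0xFF])

def mov_dword_ptr_ebp_imm32(disp, imm):
    # C7 /0 with an [EBP+disp] operand: ModRM 45 + disp8 when the displacement
    # fits a signed byte, otherwise ModRM 85 + disp32. The immediate is always
    # 4 bytes, so changing a value like 1000 never changes the instruction length.
    imm32 = struct.pack("<I", imm & 0xFFFFFFFF)
    if -128 <= disp <= 127:
        return bytes([0xC7, 0x45]) + struct.pack("<b", disp) + imm32
    return bytes([0xC7, 0x85]) + struct.pack("<i", disp) + imm32

def inplace_patch(span_len, *instructions):
    """Join the instructions and pad with NOPs to exactly span_len bytes.

    A replacement longer than the span would overwrite the instruction that
    follows it and desynchronise the decoder, so that case is rejected."""
    body = b"".join(instructions)
    if len(body) > span_len:
        raise ValueError(f"patch is {len(body)} bytes, span is only {span_len}")
    return body + bytes([NOP]) * (span_len - len(body))

# Sample values from the thread's listing (constructed here, not read from a file).
BOOSTER_FUEL = 0x0049E6E8
SPAN = 0x404843 - 0x404830      # 19 bytes: 00404830 up to and including 00404842

# First post's version: load the address into EAX, then store through it.
two_instruction_patch = inplace_patch(
    SPAN, mov_eax_imm32(BOOSTER_FUEL), mov_byte_ptr_eax_imm8(0x50))
# Reply's version: one absolute-address store, the rest of the span is NOPs.
one_instruction_patch = inplace_patch(
    SPAN, mov_byte_ptr_abs_imm8(BOOSTER_FUEL, 0x50))
```

Both patches come out at exactly 19 bytes, and the encoded bytes can be compared against OllyDbg's hex dump column before anything is written.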
 
Feb 23, 2010 at 12:41 AM
Not anymore
"Run, rabbit run. Dig that hole, forget the sun."
Join Date: Jan 28, 2010
Location: Internet
Posts: 1369
Age: 35
Pronouns: he/him
Alright, thanks for the advice. I find that offsets are really useful, now I just have to document a bunch of stuff to see how the original cave story works.

Improved infinite booster:
Code:
CPU Disasm
Address   Hex dump          Command                                  Comments
0042659D      C605 E8E64900 MOV BYTE PTR DS:[49E6E8],35       ;Sets booster fuel to 35.
004265A4      89EC          MOV ESP,EBP
004265A6      5D            POP EBP
004265A7      C3            RETN

A bit of booster code at the end of the entity 0 code. Provides a feasible infinite booster on all maps with an entity 0.

Infinite booster can be disabled by deleting all NPC 0s on a certain map, which is great if you don't want the player to have God mode activated for the whole game.
 
Feb 23, 2010 at 12:44 AM
Lvl 1
Forum Moderator
"Life begins and ends with Nu."
Join Date: May 28, 2008
Location: PMMM MMO
Posts: 3713
Age: 33
Feb 23, 2010 at 12:46 AM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
for infinite boost, you can also just make it never decrease
 
Feb 23, 2010 at 12:54 AM
Not anymore
"Run, rabbit run. Dig that hole, forget the sun."
Join Date: Jan 28, 2010
Location: Internet
Posts: 1369
Age: 35
Pronouns: he/him
GIRakaCHEEZER said:
This thread is cool and all, but umm

http://www.cavestory.org/forums/threads/1725/

Didn't we already have a thread like this?

Oh well, good on you for peeking into assembly carrotlord :D .

Lol. I specifically avoided the polar star, fireball, and snake to prevent repeating information on the forums.

Should I keep posting assembly snippets, or wait until I get some of the more advanced concepts down?

Also, I have some assembly experience from calculator coding (performing calculator hacks doesn't sound quite as interesting, though). Most of the commands are really similar.

Lace said:
for infinite boost, you can also just make it never decrease

Yeah, I've seen the hex edit that does that. But attaching it to an entity allows me to turn it off and on, giving slightly more functionality.
 
Feb 23, 2010 at 1:00 AM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
you might wanna do a useless entity though, cuz 0 is used a LOT
 
Feb 23, 2010 at 1:01 AM
Not anymore
"Run, rabbit run. Dig that hole, forget the sun."
Join Date: Jan 28, 2010
Location: Internet
Posts: 1369
Age: 35
Pronouns: he/him
Lace said:
you might wanna do a useless entity though, cuz 0 is used a LOT

I guess I could use the pot. :D

"Suddenly, out of nowhere, you realize the magical pot gives you infinite fuel!"
 
Feb 23, 2010 at 1:09 AM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
xD
Maybe you could make it so the magical pots can be broken, and if you break all of them, you get infinite boost.
 