Wrong We Were! - Assembly

Dec 19, 2008 at 5:26 PM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
Hey guys,
Yesterday, I started working on some new weapons, but the weapon code was fairly annoying, so I decided to edit some TSC commands.

For instance, ML+ now doubles your current health.

This may seem a tad boring, but I found something interesting while I was doing this.

The interesting thing being:

http://img152.imageshack.us/my.php?image=wrongbp8.png

So what was the interesting thing again?

Well, as most of you know, once you get over 256 health, the health bar overflows. Here, I have 9999 health, and the health bar hasn't overflowed yet!

In case you wanted the command I made, here it is:
Code:
push ebp              ;random TSC function that replaces ML+
mov ebp,esp           ;good practice, so the TSC var is reachable at [ebp+0008]
mov ecx,[0049E6CC]    ;moves the current health into ecx,
add ecx,ecx           ;doubles it,
mov [0049E6D0],ecx    ;and makes it the max health
mov [0049E6CC],ecx    ;and current health
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
pop ebp
ret

And that's at offset 419CB0.

I know this isn't very threadworthy, but I'll post any other things I find here.

Cheers!
Lace

Edit:
A while back, I think I posted this:
Snake: 0x00004160, 0x000043f0, 0x000047b0
Polar Star: 0x00004b30, 0x00005120, 0x000055a0
Fireball: 0x00005d80, 0x00005f30, 0x00006190
Machine Gun: 0x000064d0, 0x000068b0, 0x000075e0
Missile Launcher: 0x000078a0, 0x00006bb0, 0x00006e60
Bubbler: 0x00007110, 0x00007910, 0x00008080
Blade: 0x00008230, 0x00008710, 0x00008ae0
Super Missile Launcher: 0x00008230, 0x00008f40, 0x00008f90

None of these values had actually been tested, and when I tried to actually edit a weapon using these, nothing happened, not even when I deleted all of the code.

A call to snake level 1 is made in 409053, so I just changed the
Code:
call 00404160
To another value on the list.

0x000043f0 is not snake level 2, but rather, snake level 3, and 0x000047b0 is a weapon that shouldn't exist.

It is 100% invisible, travels almost instantaneously, and goes through walls.

The reason it shouldn't exist is because it isn't weapon 0008, which doesn't work at all, or any other weapon, so it is good as free space.

I'll add more values when I find them.

Edity:
This post just keeps getting longer and longer...
Okay, interesting stuff.

I was calling to all the weapon functions through the snake, and I thought that that wouldn't matter, since it's the bullets that have the different properties.

Of course, I was wrong :D
Most of the weapons looked like the ones in the game, but with a few snake properties as well.
For instance, all weapons traveled through walls, and you couldn't hold x. The missile launcher traveled in wavy lines, and the bubbler went twice as far.

Some of these anomalies make sense, like that you can't hold down x. This function would be handled elsewhere.

But some things, like the going through walls, and especially the variation in which snake traits they have, are quite strange indeed.

Edit...
Okay, found out about the missile launcher. It turns out that it was being wavy because it was level 3, and not level one, that I edited. The reason there was only one on the screen was because the snake didn't fire three at once.

What I'm doing here is taking a gun, and filling it with another gun's ammo; not everything is changed.

On a related note, anyone know where the offset for the firing mechanism (gun) is?

Gads, if someone doesn't read this soon, This post will destroy the page.

One... More... edit...
Found out what the values lead to.
Note that there are a few holes, not every weapon is there.

Snake:
0x00004160 - Snake Level 1
0x000043f0 - Snake Level 3

Fireball:
0x00004b30 - Fireball level 3

Missile Launcher:
0x000055A0 - Missile Launcher Level 3

Super Missile Launcher:
0x00007910 - Super Missile Level 3

Spur:
0x00008710 - Spur All Levels?

Weapon 0008:
0x00005D80 - Weapon 0008 Level 1
0x000078a0 - Weapon 0008 Level 2
0x00008080 - Weapon 0008 Level 3
0x00008ae0 - Weapon 0008 Level 4
0x00008f90 - Weapon 0008 Level 5

Bubbler:
0x00005f30 - Bubbler Level 1
0x00006190 - Bubbler Level 2
0x000064d0 - Bubbler Level 3
0x000068b0 - Thorn

Blade:
0x00006bb0 - Blade Level 1
0x00006e60 - Blade Level 2
0x00007110 - Blade Level 3
0x000075e0 - Blade Slashes

Unknown:
0x000047b0 - Invisible Instant 1
0x00008230 - Invisible Instant 2
0x00008f40 - Invisible Instant 3
0x00005120 - Stay Pop

Gawds, another edit.
Here's how you would do ML-
Code:
push ebp              ;ML-
mov ebp,esp           ;stores the TSC var (reachable at [ebp+0008])
mov ecx,[0049E6D0]    ;stores the max health
sub ecx,[ebp+0008]    ;subtracts the TSC var from it
mov [0049E6CC],ecx    ;and makes it the current health
mov [0049E6D0],ecx    ;and the max health
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
pop ebp
ret
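The two binary edits this post describes, pointing the `call 00404160` at a different weapon routine and dropping a new ML+ / ML- body into the existing function without changing its length, as an added example in Python. This is not code from the post: the health addresses and the handler bytes are hand-assembled from the listings above, the image it patches is a constructed stand-in (int3 filler) rather than the real executable, and the mapping "file offset = VA - 0x400000" is an assumption taken from the post pairing 0x4160 with `call 00404160`.

```python
"""x86-32 patch helpers for the two binary edits described above: pointing the
'call 00404160' at a different weapon routine, and dropping a new ML+ / ML- body
into the existing handler without changing its length.

Added example, not code from the post. The health addresses and handler bodies
are hand-assembled from the listings above; the image built below is a
constructed stand-in for the executable (int3 filler), and 'file offset ==
VA - 0x400000' is an assumption taken from the post pairing 0x4160 with
'call 00404160'.
"""
import struct
from typing import Optional

IMAGE_BASE = 0x400000        # assumption, see docstring
CUR_HP = 0x0049E6CC          # current health, address from the post
MAX_HP = 0x0049E6D0          # max health, address from the post
ML_PLUS_VA = 0x419CB0        # where the post says the ML+ body lives
ML_SLOT_LEN = 37             # bytes in the posted ML+ listing: 25 of code + 12 NOPs
NOP = b"\x90"
PROLOGUE = b"\x55\x8b\xec"   # push ebp ; mov ebp,esp
EPILOGUE = b"\x5d\xc3"       # pop ebp  ; ret


def va_to_off(va: int) -> int:
    return va - IMAGE_BASE


def encode_call(from_va: int, to_va: int) -> bytes:
    """E8 rel32; the displacement is measured from the end of the 5-byte instruction."""
    return b"\xe8" + struct.pack("<i", to_va - (from_va + 5))


def decode_call_target(instr: bytes, at_va: int) -> int:
    """Inverse of encode_call, to confirm where an existing E8 really points."""
    if len(instr) < 5 or instr[0] != 0xE8:
        raise ValueError("not a 5-byte E8 call")
    return at_va + 5 + struct.unpack("<i", instr[1:5])[0]


def retarget_call(image: bytes, call_va: int, new_target: int,
                  expect_old: Optional[int] = None) -> bytes:
    """Rewrite the call at call_va. With expect_old set, a wrong address is caught
    before five bytes of something else get overwritten."""
    off = va_to_off(call_va)
    if expect_old is not None and decode_call_target(image[off:off + 5], call_va) != expect_old:
        raise ValueError("call at %#x does not point at %#x" % (call_va, expect_old))
    return image[:off] + encode_call(call_va, new_target) + image[off + 5:]


def mov_ecx_abs(addr: int) -> bytes:
    return b"\x8b\x0d" + struct.pack("<I", addr)      # mov ecx,[addr]


def mov_abs_ecx(addr: int) -> bytes:
    return b"\x89\x0d" + struct.pack("<I", addr)      # mov [addr],ecx


# ML+ as posted: double current health, store to max and current
ML_PLUS = (PROLOGUE + mov_ecx_abs(CUR_HP) + b"\x03\xc9"          # add ecx,ecx
           + mov_abs_ecx(MAX_HP) + mov_abs_ecx(CUR_HP) + EPILOGUE)
# ML- as posted: max health minus the TSC argument at [ebp+8], store to both
ML_MINUS = (PROLOGUE + mov_ecx_abs(MAX_HP) + b"\x2b\x4d\x08"     # sub ecx,[ebp+08]
            + mov_abs_ecx(CUR_HP) + mov_abs_ecx(MAX_HP) + EPILOGUE)


def patch_in_place(image: bytes, file_off: int, body: bytes, slot_len: int) -> bytes:
    """Overwrite exactly slot_len bytes with body, NOP-padded in front of
    'pop ebp; ret' so the function keeps its length (the post's warning: a longer
    function breaks the editors that rely on the original layout)."""
    if not body.endswith(EPILOGUE):
        raise ValueError("body must end with pop ebp; ret")
    if len(body) > slot_len:
        raise ValueError("body is %d bytes too long for the slot" % (len(body) - slot_len))
    if file_off < 0 or file_off + slot_len > len(image):
        raise ValueError("slot lies outside the image")
    padded = body[:-2] + NOP * (slot_len - len(body)) + EPILOGUE
    return image[:file_off] + padded + image[file_off + slot_len:]


def build_sample_image() -> bytes:
    """Constructed stand-in: int3 filler, the snake-level-1 call and the ML+ slot."""
    img = bytearray(b"\xcc" * 0x1B000)
    img[va_to_off(0x409053):va_to_off(0x409053) + 5] = encode_call(0x409053, 0x404160)
    return patch_in_place(bytes(img), va_to_off(ML_PLUS_VA), ML_PLUS, ML_SLOT_LEN)


if __name__ == "__main__":
    img = build_sample_image()
    img = retarget_call(img, 0x409053, 0x4047B0, expect_old=0x404160)   # the "invisible" weapon
    img = patch_in_place(img, va_to_off(ML_PLUS_VA), ML_MINUS, ML_SLOT_LEN)
    print(img[va_to_off(0x409053):va_to_off(0x409053) + 5].hex())
    print(img[va_to_off(ML_PLUS_VA):va_to_off(ML_PLUS_VA) + ML_SLOT_LEN].hex())
```

The `expect_old` check is the part worth keeping even when working by hand: the listings later in this thread contain E8 calls with known targets (for instance `E8 75 B8 FF FF` at 00420EF6 is `call 0041C770`), so decoding the bytes already at an address is a cheap way to confirm the offset before overwriting it.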
 
Dec 20, 2008 at 1:03 AM
Cold Agony of Resolute Vacuum
"Heavy swords for sale. Suitable for most RPG Protagonists. Apply now!"
Join Date: Jan 1, 2008
Location: Elsewhere
Posts: 1973
I'm sure if I even understood half of what this meant my brain would explode in joy.
o.o
Good work?
 
Dec 20, 2008 at 1:19 AM
In front of a computer
"Man, if only I had an apple..."
Join Date: Mar 1, 2008
Location: Grasstown
Posts: 1435
What's Weapon 0008?
 
Dec 20, 2008 at 2:51 AM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
Weapon 0008 is a blank weapon, probably used for something in the beta. It doesn't actually have five levels, I just don't know which ones are its.

DB, I doubt your head would explode, it isn't that cool.
What part don't you understand?

Okay, can't find the other TSC commands, anyone know where they would be?

It definitely isn't above or below, because the two I tried near ML+ either made the health permanently zero, or said I got a Hell time of zero, and put Sue on the front page.

Edit: ML+ is called to at 0x00422730. I'm pretty sure this is the TSC handler, because it is called nowhere else. Also, 0x00421900 is called repeatedly in this area, so if you find a call to something other than these, it probably is a TSC command.

Speaking of which:
Code:
00402090 | push ebp
00402091 | mov ebp,esp
00402093 | push ecx                           ; one local: [ebp-0004] is the loop counter
00402094 | mov [ebp-0004],00000000            ; counter = 0
0040209B | jmp 004020A6
0040209D | mov eax,[ebp-0004]                 ; counter++
004020A0 | add eax,01
004020A3 | mov [ebp-0004],eax
004020A6 | cmp dword ptr [ebp-0004],08        ; loop while counter < 8
004020AA | jnl 004020D7
004020AC | mov ecx,[ebp-0004]
004020AF | imul ecx,ecx,14                    ; entries are 0x14 bytes apart, starting at 00499BC8
004020B2 | cmp dword ptr [ecx+00499BC8],00    ; skip entries whose first dword is 0
004020B9 | jne 004020BD
004020BB | jmp 0040209D
004020BD | mov edx,[ebp-0004]
004020C0 | imul edx,edx,14
004020C3 | mov eax,[ebp-0004]
004020C6 | imul eax,eax,14
004020C9 | mov ecx,[edx+00499BD4]             ; entry+0C
004020CF | mov [eax+00499BD8],ecx             ; copied into entry+10
004020D5 | jmp 0040209D
004020D7 | mov esp,ebp
004020D9 | pop ebp
004020DA | ret

That's another command, not sure which one it is though, all I know is that it doesn't use the tsc variable <AM+XXXX, because [ebp+0008] is never moved.

Coolio!

Lace
 
Dec 21, 2008 at 1:58 PM
Senior Member
"Master using it, and you can have this!"
Join Date: Nov 28, 2007
Location:
Posts: 86
Lace said:
Okay, can't find the other TSC commands, anyone know where they would be?
Which are you missing?
 
Dec 21, 2008 at 4:36 PM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
I can find all of the commands, my problem is knowing which commands they are.
So I guess that I don't have the offsets of any command but ML+, even though I do, in fact, have all the offsets...

Not to get technical or anything.
 
Dec 21, 2008 at 6:12 PM
Senior Member
"Master using it, and you can have this!"
Join Date: Nov 28, 2007
Location:
Posts: 86
Lace said:
I can find all of the commands, my problem is knowing which commands they are.
Isn't that explained in a FAQ somewhere?

Lace said:
So I guess that I don't have the offsets of any command but ML+, even though I do, in fact, have all the offsets...
You are guessing that you don't have the offset of any of the commands, except that of "ML+"?. But then, you actually have all the offsets?
Uhm... Can you rephrase that?
 
Dec 21, 2008 at 7:00 PM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
Well, I know where the TSC handler is, because that's the only place where ML+ is called. A few offsets are routinely called in that block of code, but a few are only called once. This leads me to believe that all of the offsets called just once are the TSC commands. I believe I posted one earlier (offset 0x00402090).

When I say I don't have them, I mean that I don't know which commands they are, because I don't think they are in any particular order.

Uh, yeah,
got it?
 
Dec 22, 2008 at 1:12 AM
Cold Agony of Resolute Vacuum
"Heavy swords for sale. Suitable for most RPG Protagonists. Apply now!"
Join Date: Jan 1, 2008
Location: Elsewhere
Posts: 1973
Mostly...
Everything.
._.
I barely understand TSC, but you're going into offsets.
But this seems like it will prove useful.
So.
KUTGW.

-Leaves, muttering-

o_o
Why?
Why do you confuse me so?
-_-,

Ohai, remember that? =^.^=
 
Dec 22, 2008 at 1:19 AM
Senior Member
"Master using it, and you can have this!"
Join Date: Nov 28, 2007
Location:
Posts: 86
Lace said:
When I say I don't have them, I mean that I don't know which commands they are, because I don't think they are in any particular order.
Alright. Well, the TSC parsing routine starts at address 0x422510 and ends at address 0x425770. The routine is basically a big nested if that compares the characters in the freshly read token to those defined; the commands are in the form of hard-coded character codes and are being checked one by one, presumably for reasons of speed.

Let's consider an example, here's the code for the CMU tsc code:
Code:
 tsc_cmu: ; change music
.text:004242DA mov     eax, ds:4A5AD8h ; (presumably) the location of the read-in data
.text:004242DF add     eax, ds:4A5AE0h ; (presumably) add the current script offset
.text:004242E5 movsx   ecx, byte ptr [eax+1]
.text:004242E9 cmp     ecx, 43h ; 'C'
.text:004242EC jnz     short tsc_fmu ; jump to the next test
.text:004242EE mov     edx, ds:4A5AD8h
.text:004242F4 add     edx, ds:4A5AE0h
.text:004242FA movsx   eax, byte ptr [edx+2]
.text:004242FE cmp     eax, 4Dh ; 'M'
.text:00424301 jnz     short tsc_fmu
.text:00424303 mov     ecx, ds:4A5AD8h
.text:00424309 add     ecx, ds:4A5AE0h
.text:0042430F movsx   edx, byte ptr [ecx+3]
.text:00424313 cmp     edx, 55h ; 'U'
.text:00424316 jnz     short tsc_fmu
.text:00424318 mov     eax, ds:4A5AE0h
.text:0042431D add     eax, 4
.text:00424320 push    eax
.text:00424321 call    ascii_to_num ; convert music number arg to a number
.text:00424326 add     esp, 4
.text:00424329 mov     [ebp+var_24], eax
.text:0042432C mov     ecx, [ebp+var_24]
.text:0042432F push    ecx
.text:00424330 call    change_music ; call change music subroutine with music number arg
.text:00424335 add     esp, 4
.text:00424338 mov     edx, ds:4A5AE0h
.text:0042433E add     edx, 8
.text:00424341 mov     ds:4A5AE0h, edx
.text:00424347 jmp     loc_4252A7 ; jump away
Notice how the program checks one character at a time, and jumps to the next TSC code test if a character doesn't match; if every character matches, then it falls through and does its job, potentially calling other subroutines. To find every one of these TSC code snippets, just look for the familiar pattern of comparing a register to an immediate value at least three times in a row with local jumps in between.
 
Dec 22, 2008 at 12:41 PM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
Cool, thanks,
Why is the ML+ script so different then?
It seems that the call to ML+ fits the TSC handler offsets you gave as well.

Unless the code looked something like this:
Code:
;pseudo code, none of these offsets are right.
call 0x00405743 ;check if the command is ML+
cmp eax,edx
je 0x00408647   ;if they are equal, go to the ML+ code
ret

I barely understand TSC, but you're going into offsets.
But this seems like it will prove useful.

Don't worry, I don't get TSC either. xD

o_o
Why?
Why do you confuse me so?
-_-

the offsets aren't confusing at all -
just look at the code. :eek:

lols.

lace
 
Dec 23, 2008 at 12:28 AM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
Okay, finally understood what you were saying.
CMU is called at the end of the code, after it checks what the command is.
Code:
00420EE0 55						push ebp
00420EE1 8B EC					mov ebp,esp
00420EE3 83 7D 08 00				cmp dword ptr [ebp+0008],00
00420EE7 74 0D					je 00420EF6
00420EE9 8B 45 08					mov eax,[ebp+0008]
00420EEC 3B 05 F4 57 4A 00			cmp eax,[004A57F4]
00420EF2 75 02					jne 00420EF6
00420EF4 EB 50					jmp 00420F46
00420EF6 E8 75 B8 FF FF				call 0041C770
00420EFB A3 F8 57 4A 00				mov [004A57F8],eax
00420F00 8B 0D F4 57 4A 00			mov ecx,[004A57F4]
00420F06 89 0D FC 57 4A 00			mov [004A57FC],ecx
00420F0C E8 DF B8 FF FF				call 0041C7F0
00420F11 8B 55 08					mov edx,[ebp+0008]
00420F14 8B 04 95 E8 81 49 00			mov eax,[edx*4+004981E8]
00420F1B 50						push eax
00420F1C E8 CF B7 FF FF				call 0041C6F0
00420F21 83 C4 04					add esp,04
00420F24 6A 64					push 64
00420F26 E8 95 B8 FF FF				call 0041C7C0
00420F2B 83 C4 04					add esp,04
00420F2E 6A 00					push 00
00420F30 E8 FB B7 FF FF				call 0041C730
00420F35 83 C4 04					add esp,04
00420F38 E8 53 B8 FF FF				call 0041C790
00420F3D 8B 4D 08					mov ecx,[ebp+0008]
00420F40 89 0D F4 57 4A 00			mov [004A57F4],ecx
00420F46 5D						pop ebp
00420F47 C3						ret

Thanks!
Lace
 
Dec 23, 2008 at 12:31 PM
Been here way too long...
"What're YOU lookin' at?"
Join Date: Jan 21, 2007
Location:
Posts: 1111
Whereabouts are the image sizes and half-fade effect stored in ASM? I'd like to remove the credit half-fade, and have the credit images take up the whole screen. I'm clueless as to how to do this.
 
Dec 23, 2008 at 4:29 PM
Hoxtilicious
"Life begins and ends with Nu."
Join Date: Dec 30, 2005
Location: Germany
Posts: 3218
Age: 33
Pronouns: No homie
ZarroTsu said:
where abouts are the image sizes and half-fade effect stored in ASM? I'd like to remove the credit half-fade, and have the credit images take up the whole screen. I'm clueless as to how to do this.

Like I said, again this won't work.
You can only start the credits once.
You have to screw the whole credits mechanism.
 
Dec 23, 2008 at 6:07 PM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
Making TSC Commands

Don't know about the credits, but the offset for them is at --- if that matters.

To make a new command, find a command that you're not going to use. - I chose XX1, because it is very easy to find, and it is relatively useless. Then convert its letters into hex ascii values, so we have 58, 58, 31.

Search for a cmp with these in it, first 58, then 58, then 31, and the "mov eax,[004A5AD8]" somewhere above the first CMP is the start of your code. Changing the ASCII values will change what the TSC command is. In my case, I'm going to change it to the values 4D, 4C, 2D, for an ML-.

(Code is at 00425149 btw)

Okay, to change the command, find the last call in the command you chose, and then go to that offset. There is the code for the TSC command.

WARNING: IF YOU CHANGE ITS LENGTH, YOU WILL NOT BE ABLE TO EDIT IT WITH SUES OR ANY OTHER EDITOR!! :p

Okay, yeah, find out how long it is, and nop everything from the push to the . It would look like this if you had XX1:

Code:
0040DB70 push ebp
0040DB71 nop
0040DB73 nop
0040DB76 nop

...

0040DD64 nop
0040DD66 pop ebp
0040DD67 ret

Then, replace the top few nops with your own code: remember, don't change the length!

for ML-, it would be:
Code:
0040DB70 push ebp
0040DB71 mov ebp,esp
0040DB73 mov ecx,[0049E6D0]
0040DB76 sub ecx,[ebp+0008]
0040DB7D mov [0049E6CC],ecx
0040DB84 mov [0049E6D0],ecx
0040DB8B nop
0040DB92 nop
0040DB99 nop

...

0040DD5A nop
0040DD5F nop
0040DD64 nop
0040DD66 pop ebp
0040DD67 ret

You'll notice that we have a lot of blank code, that's good, because it is extra space we can use for different things, for instance, Rune's type of drowning didn't check which way you were facing, with this space, you could check that, and make the drowned sprite face the same way as the normal sprite.

(about all the nops before the pop ebp ret, that's just personal preference, you can place those wherever you like, in fact, it would probably be better to do so.)

Hope that helps some people!
Cheers!
Lace

(I'll edit with your offset ZT, gotta do something else right now.)
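An added example covering both the parser walkthrough above (one `movsx` / `cmp reg,imm8` / `jnz` triple per command letter, as in the CMU listing) and the rename-a-command recipe in this post. It is not code from either post. It assumes every letter test has exactly the byte shape the CMU listing shows (the `movsx` displacement being the letter's position, 1 to 3), and it scans an image constructed from that shape rather than the real executable; the rename rewrites only the three immediate bytes, so the function lengths the post warns about are untouched.

```python
"""Find the three-letter TSC command tests in a parser image and rename one in place.

Added example, not code from the thread. It assumes the parser tests each
letter with the 'movsx reg, byte ptr [reg+N] / cmp reg, imm8 / jnz' triple shown
in the CMU listing (N = 1, 2, 3 is the letter's position after '<'), and the
image it scans below is constructed from that shape, not the real executable.
"""
import re

# One letter test, byte for byte (x86-32):
#   0F BE <modrm> <disp8>    movsx r32, byte ptr [r32 + disp8]   disp8 = letter position
#   83 F8|F9|FA <imm8>       cmp eax|ecx|edx, imm8               imm8  = expected letter
#   75 <rel8>                jnz short <next command's test>
LETTER_TEST = re.compile(
    rb"\x0f\xbe[\x40-\x7f](?P<pos>.)\x83[\xf8-\xfa](?P<ch>.)\x75.", re.DOTALL)
MAX_GAP = 32   # bytes between consecutive tests: two loads (11-12 bytes) plus the test itself


def find_commands(image: bytes):
    """Return a list of (offset_of_first_test, name, [offsets of the three imm8 bytes])."""
    tests = [(m.start(), m.group("pos")[0], m.group("ch")[0], m.start("ch"))
             for m in LETTER_TEST.finditer(image)]
    found = []
    i = 0
    while i < len(tests):
        run = [tests[i]]
        j = i + 1
        # extend while the next test checks the next letter and sits right after this one
        while (j < len(tests) and len(run) < 3
               and tests[j][1] == run[-1][1] + 1
               and tests[j][0] - run[-1][0] <= MAX_GAP):
            run.append(tests[j])
            j += 1
        if len(run) == 3 and run[0][1] == 1:
            name = bytes(t[2] for t in run).decode("latin-1")
            found.append((run[0][0], name, [t[3] for t in run]))
            i = j
        else:
            i += 1
    return found


def rename_command(image: bytes, imm_offsets, new_name: str) -> bytes:
    """Overwrite only the three imm8 bytes: same length, so no offset elsewhere moves."""
    if len(new_name) != 3 or len(imm_offsets) != 3 or not new_name.isascii():
        raise ValueError("TSC command names are exactly three ASCII characters")
    out = bytearray(image)
    for off, ch in zip(imm_offsets, new_name.encode("ascii")):
        out[off] = ch
    return bytes(out)


# --- constructed sample image ---------------------------------------------------
def _letter_test(load: bytes, add: bytes, movsx_modrm: int, pos: int,
                 cmp_modrm: int, ch: str) -> bytes:
    """mov reg,[4A5AD8]; add reg,[4A5AE0]; movsx reg2,[reg+pos]; cmp reg2,ch; jnz (rel8 left 0)."""
    return (load + b"\xd8\x5a\x4a\x00" + add + b"\xe0\x5a\x4a\x00"
            + bytes([0x0F, 0xBE, movsx_modrm, pos, 0x83, cmp_modrm, ord(ch), 0x75, 0x00]))


def build_command_test(name: str) -> bytes:
    """Same register rotation as the CMU listing: eax/ecx, then edx/eax, then ecx/edx."""
    return (_letter_test(b"\xa1", b"\x03\x05", 0x48, 1, 0xF9, name[0])      # mov eax; movsx ecx; cmp ecx
            + _letter_test(b"\x8b\x15", b"\x03\x15", 0x42, 2, 0xF8, name[1])  # mov edx; movsx eax; cmp eax
            + _letter_test(b"\x8b\x0d", b"\x03\x0d", 0x51, 3, 0xFA, name[2]))  # mov ecx; movsx edx; cmp edx


SAMPLE_IMAGE = (b"\xcc" * 8 + build_command_test("CMU")
                + b"\xe8\x00\x00\x00\x00"            # stand-in for the call to change_music
                + build_command_test("ML+") + build_command_test("XX1") + b"\xcc" * 8)


if __name__ == "__main__":
    for off, name, _ in find_commands(SAMPLE_IMAGE):
        print("%#06x  <%s" % (off, name))
    xx1 = [c for c in find_commands(SAMPLE_IMAGE) if c[1] == "XX1"][0]
    patched = rename_command(SAMPLE_IMAGE, xx1[2], "ML-")
    print([c[1] for c in find_commands(patched)])
```

Grouping by the `movsx` displacement (1, 2, 3) rather than by raw distance is what keeps the scanner from stitching the tail of one command's test onto the head of the next; on a real image the first offset each tuple returns is where to look for the `mov eax,[004A5AD8]` that the post describes as the start of the command.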
 
Dec 23, 2008 at 8:51 PM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
Max Maps!

I hate double posting and I hate double posters, but...
Found out how to change the maximum amount of maps!

Code:
00414B20 push ebp
00414B21 mov ebp,esp
00414B23 push 0080        ; third argument (0x80 = 128)
00414B28 push 00          ; second argument
00414B2A push 49E5B8      ; first argument
00414B2F call 00480D30    ; cdecl call, arguments pushed right to left
00414B34 add esp,0C       ; caller removes the three arguments
00414B37 pop ebp
00414B38 ret

Change push 0080 to something else to change the max number of maps.

I believe this has no adverse effects, but it might make the game slower.

(Sorry, still no offset ZT, I'm just too lazy >_>)

Lace

Edit:
Here's some more code, use this if you want to set the health to the original health. You might want to replace ZAM, just because it isn't that useful, and is the only TSC command with a Z in it (easier to find).

Okay,
Code:
push ebp
mov ecx,[00414BD8]    ;moves the original health (m) into ecx
mov [0049E6D0],ecx    ;and makes it the max health
mov ecx,[00414BCF]    ;moves the original health (c) into ecx
mov [0049E6CC],ecx    ;and makes it the current health
pop ebp
ret

Or, you could make a new command in all that empty space we left over from ML-!

All you would need to do is take the ML- part of the parser, and copy it to wherever your empty space is. Then, in your original parser place, change the JMPs if the TSC command isn't right to the start of your homebrew parser. In your parser, change the last call to the empty space immediately after, and write your function there, presto!

Ciao!
 