We're partners with the Klonoa for Smash Bros. Facebook page! Be sure to give them a visit!

Untamed Heart Klonoa Collective Untamed Heart Klonoa Collective Untamed Heart Klonoa Collective

Author Topic: Reverse engineering  (Read 27246 times)

0 Members and 2 Guests are viewing this topic.

Offline cows

  • Moo
  • *
  • Posts: 27
  • Dreamer Rating: 8
Reverse engineering
« on: March 04, 2017, 01:47:07 am »
Hi everyone. I've (barely) started to try to figure out exactly how the game works, with the ultimate goal of making it easier to modify the original game, find glitches for TAS, and also do some crazy project that I'm not quite ready to share, simply because I'm not sure I'll actually be able to do it and I don't want people to be disappointed.

So far, I haven't been able to find much research done by others on this topic. http://tasvideos.org/3972S.html is reasonably technical, but not even close to comprehensive. If anyone else has seen any useful information, I'd love if you could share.

Right now the debugger I'm using is Bizhawk. It's primarily designed for TAS, but it also has a lot of tools that are critically important for this sort of thing, and I haven't seen any other tools/emulators that offer the same functionality.

My first goal is creating a table of useful memory addresses and what data they store, making it possible to read data directly from the game. Being able to modify them is much more involved for two reasons:

-Most useful information gets copied into memory in multiple places, so changing just one of them will likely do nothing or cause the game to become unstable
-Often times whatever function causes a value to change also does a bunch of other things as well, so it's often necessary to be able to reproduce all of those behaviors as well

Disassembling parts of the game might be necessary in order to accomplish this, but in some cases it's possible to figure out some logic just based on the order in which things change, etc. Also sometimes changing a value in memory directly just magically works -- "freezing" a value tends to yield better results than modifying it, but to be honest I'm not sure exactly why that's true. This kind of direct memory manipulation is in fact how the original Game Shark works: https://gamehacking.org/faqs/hackv500c.html#playstation_code_types

All in all, I'm not sure how far I'll be able to get with this. I've done this with Sega Genesis games mostly successfully, but the PlayStation seems much weirder to me so far. In fact, there's a chance that the Wii version would be much easier to work with, but that wouldn't be my first choice.

Edit: I'm going to keep the most up to date documents here so that people won't have to search the entire thread to find the newest version.

Code: [Select]
SystemID PSX
10E5CA d u 0 MainRAM Lives
0C973C d u 0 MainRAM Lives (copy)
10E5D0 d u 0 MainRAM Health
1FFDD8 d u 0 MainRAM Facing Forward/Back
1FFDDC d u 0 MainRAM Facing Left/Right
0BF020 d 2 0 MainRAM X Pos 1
0BF060 d 2 0 MainRAM X Pos 2
10E5F4 d u 0 MainRAM X Pos 2 (copy)
0C95CC d u 0 MainRAM ? X Pos on Ground
1FFE50 d u 0 MainRAM ? Derived from X Pos
10674C d 2 0 MainRAM Y Pos 1
1FFD40 d 2 0 MainRAM Y Pos 2
0BEF98 d u 0 MainRAM ? Y Pos in Jump
0BEFA0 d u 0 MainRAM ? Y Pos in Jump
1FFD38 d s 0 MainRAM ? Y Pos on Ground
1FFD1C d 2 0 MainRAM ? Fall Down Height
1FFDCC d 2 0 MainRAM ? Jump Up Height
1FFE18 d u 0 MainRAM ? Colliding

« Last Edit: March 17, 2017, 04:15:17 am by cows »

Offline Voka~Daemyn

  • Old Tree
  • Global Moderator
  • *
  • Posts: 1767
  • Dreamer Rating: 70
  • Squiiirrrrrrrrrrrrrrrrle
Re: Reverse engineering
« Reply #1 on: March 04, 2017, 09:28:39 pm »
I don't know a whole lot on this stuff sadly :sad_face: . But modifying the older Klonoa games would definitely be exciting.

I know that a debug menu exists.
Sorry but you are not allowed to view spoiler contents.
I've tried to find it with cheat engine but my knowledge of this stuff is so limited and I never had any luck  :sad_face: 

I've tried some verrrrry basic noob stuff on Klonoa 2 on pcsx2. I believe I tried it on pcsx2 1.2.1 and 1.3.0. I should try 1.5.0-dev-1720 some time. Also with cheat engine over in this thread https://forums.untamedheart.us/?topic=1035.0

I wish you best of luck on this reverse engineering  :D
« Last Edit: March 04, 2017, 10:22:57 pm by Vokadae »

Offline cows

  • Moo
  • *
  • Posts: 27
  • Dreamer Rating: 8
Re: Reverse engineering
« Reply #2 on: March 12, 2017, 04:44:29 am »
Hey, that's pretty cool. So far I haven't had as much free time as I'd like, but I've made a tiny bit of progress in generating a table of memory addresses.

Code: [Select]
SystemID PSX
0C973C d u 0 MainRAM Lives
1FFDD8 d u 0 MainRAM Facing Forward/Back
1FFDDC d u 0 MainRAM Facing Left/Right
0BF020 d u 0 MainRAM X Pos 1
0BF060 d u 0 MainRAM X Pos 2
10E5F4 d u 0 MainRAM X Pos 2 (copy)
0C95CC d u 0 MainRAM ? X Pos on Ground
1FFE50 d u 0 MainRAM ? Derived from X Pos
10674C d u 0 MainRAM Y Pos 1
1FFD40 d u 0 MainRAM Y Pos 2
0BEF98 d u 0 MainRAM ? Y Pos in Jump
0BEFA0 d u 0 MainRAM ? Y Pos in Jump
1FFD38 d u 0 MainRAM ? Y Pos on Ground


You can import these directly into BizHawk's RAM watch by copying and saving them into a .wch file.

I haven't quite figured out how the position values work. For instance, if you freeze the values I have marked as "Y Pos" while Klonoa is on the ground, Klonoa is unable to jump and will float if you try to walk off a slope. So far so good, but if you freeze those values while Klonoa is jumping, he can move up and down normally. What's especially odd is that he can continue to move up and down normally, even after he's landed. Collision detection works as usual, too, so unless I've made a mistake, the game must be storing the y position in some other location as well, but I haven't found it. I also haven't been able to come up with a plausible hypothesis for why the game seems to permanently stop needing those values to be updated in this case.

Offline Voka~Daemyn

  • Old Tree
  • Global Moderator
  • *
  • Posts: 1767
  • Dreamer Rating: 70
  • Squiiirrrrrrrrrrrrrrrrle
Re: Reverse engineering
« Reply #3 on: March 12, 2017, 09:14:07 am »
I may take me a few days and I've never used bizhawk. but I definitely want to play around with this some :o Many many thanks for these even if it is just starting out stuff. hopefully I can figure out how to make those works because I love trying to explore outside of level bounds. which is really hard to do in 2.5d Klonoa games : x

Offline cows

  • Moo
  • *
  • Posts: 27
  • Dreamer Rating: 8
Re: Reverse engineering
« Reply #4 on: March 13, 2017, 03:32:05 am »
I may take me a few days and I've never used bizhawk. but I definitely want to play around with this some :o Many many thanks for these even if it is just starting out stuff. hopefully I can figure out how to make those works because I love trying to explore outside of level bounds. which is really hard to do in 2.5d Klonoa games : x

Yeah, that's definitely something that should be possible. The one thing that might be a sticking point is getting the camera to follow Klonoa when he's outside of where he's supposed to be. My guess is that the camera moves along a predetermined "track" of some kind (well, multiple tracks when there are multiple level paths on top of each other). It'd be interesting to see if it's possible to take direct control over the camera, but I haven't yet found a way to accomplish this. I have found some of the camera position variables, but I'm not sure if they represent the camera's absolute position in space or just where along the "track" (if that's actually a thing) the camera should be.

Offline Voka~Daemyn

  • Old Tree
  • Global Moderator
  • *
  • Posts: 1767
  • Dreamer Rating: 70
  • Squiiirrrrrrrrrrrrrrrrle
Re: Reverse engineering
« Reply #5 on: March 15, 2017, 03:43:44 pm »
I have videos and other things though the one's using your codes are gonna stay unlisted unless you don't mind me using it on youtube.

Also I found a few more values but because I barely know what I am doing :sick: I don't know what a lot of these do beyond' vaugely this or is affecting such and such but I don't understand how.

the only reason some of those are signed is because I was trying out the effects of negative value's on some things.

Code: [Select]
SystemID PSX
0BF17C   d   u   0   MainRAM   maybe Windbulet X Pos
0BF038   d   u   0   MainRAM   freezing this increases animation speed? "actually I think it just cancels them out now.
0BF07C   d   s   0   MainRAM   freezing this break ear flapping. set to 1 for more interesting stuff.
0BF320   d   s   0   MainRAM   these changed with enemy captured value I think or just more animation stuff?
1067CC   d   s   0   MainRAM   setting to 1 = enemy is captured?
10C5C8   d   u   0   MainRAM   connected to animations or their display but idk how
0C9738   d   u   0   MainRAM   dreamstones 1
10E5CC   d   s   0   MainRAM   dreamstones 2 / dreamstones aquired at this current gem?
106774   d   u   0   MainRAM   something to do with jumping
0BF018   d   s   0   MainRAM   freezing this affects jumping and causes the hit animation make your body dissappear
0BEFA4   d   s   0   MainRAM   related to being hit?. setting to 1 makes you only physically invisible. might be just trying to change what sprite it is on idk : s
0C435C   d   u   0   MainRAM   lives 1 changes with lives
0C96A4   d   u   0   MainRAM   lives 2 this one changes the current number if I remember right.
0C97CC   d   u   0   MainRAM   lives 3 also changes with lives

Sorry but you are not allowed to view spoiler contents.
Sorry but you are not allowed to view spoiler contents.
Sorry but you are not allowed to view spoiler contents.
Sorry but you are not allowed to view spoiler contents.
Sorry but you are not allowed to view spoiler contents.
Sorry but you are not allowed to view spoiler contents.
Sorry but you are not allowed to view spoiler contents.

I don't know if those value's will be very helpful but I had a good bit of fun  :smile2:
« Last Edit: March 15, 2017, 03:57:20 pm by Vokadae »

Offline cows

  • Moo
  • *
  • Posts: 27
  • Dreamer Rating: 8
Re: Reverse engineering
« Reply #6 on: March 16, 2017, 09:21:37 pm »
Cool, nice videos, and yeah, do whatever you want with anything I post. I figure the more stuff that gets into "the wild," the more likely it is that other people start looking into it as well.

Offline cows

  • Moo
  • *
  • Posts: 27
  • Dreamer Rating: 8
Re: Reverse engineering
« Reply #7 on: March 17, 2017, 04:17:43 am »
I made a couple of additions and corrections to the list in the first post. I haven't had a chance to add your information to the list yet, but I think having everything in one place would be useful, as long as you don't mind.

Offline Voka~Daemyn

  • Old Tree
  • Global Moderator
  • *
  • Posts: 1767
  • Dreamer Rating: 70
  • Squiiirrrrrrrrrrrrrrrrle
Re: Reverse engineering
« Reply #8 on: March 17, 2017, 09:47:47 am »
Nah I don't mind them being added. I hope to get time to mess with it again soon.

Offline Voka~Daemyn

  • Old Tree
  • Global Moderator
  • *
  • Posts: 1767
  • Dreamer Rating: 70
  • Squiiirrrrrrrrrrrrrrrrle
Re: Reverse engineering
« Reply #9 on: March 20, 2017, 09:15:41 am »
Posting these codes asap before my internet goes back off. There have been a lot of internet issues at my place lately and it's going to get fixed soon. Anyways heheh I had some fun and I'll post videos when I can. I'll add them to this thread later.

Code: [Select]
0B83F4   d   u   0   MainRAM   Seems to be the position along the track of curren't vision you are in. set to 29 to get directly under the bell in the middle of the rango longo fight
0BFCCC   d   u   0   MainRAM   Ghadius's head Y axis in vision 1-2 cutscene
0BFCD0   d   u   0   MainRAM   Ghadius's head x-axis in vision 1-2 cutscene
0C44F8   d   s   0   MainRAM   Camera panning in 1-2 cutscene (X axis either way?)
0C44FC   d   s   0   MainRAM   1-2 cutscene cam ( Y axis sort of?)
0C4508   d   s   0   MainRAM   1-2 cutscene z-axis sort of
0C450C   d   s   0   MainRAM   1-2 cutscene y-axis sort of
0C4510   d   s   0   MainRAM   1-2 also sort of Z axis -40000 makes for mega zoom out
0C4518   d   s   0   MainRAM   1-2 another camera . I can't guess the axis T_T
0C96B0   d   s   0   MainRAM   Affects the bottom third of the background in 1-2. setting to 780 makes it spin pretty quicjkly in cutscene
0C96B8   d   s   0   MainRAM   Also affects the bottom third of the background in 1-2
0C96B4   d   s   0   MainRAM   bottom third of background inrelation to camera maybe
0BF028    d   u    0   MainRAM   Same as 0B83F4 appears to be the position you are in along the level track?

some more vids
« Last Edit: March 20, 2017, 10:41:46 pm by Vokadae »