Once you go Klonoa, you can never go slowa.

Untamed Heart Klonoa Collective Untamed Heart Klonoa Collective Untamed Heart Klonoa Collective

Author Topic: Reverse engineering  (Read 23339 times)

0 Members and 1 Guest are viewing this topic.

Offline Voka~Daemyn

  • Old Tree
  • Global Moderator
  • *
  • Posts: 1766
  • Dreamer Rating: 70
  • Squiiirrrrrrrrrrrrrrrrle
Re: Reverse engineering
« Reply #20 on: April 13, 2017, 01:19:43 pm »
I blew about 4 hours messing with one very unfortunate Moo  ;). I hope these addresses might be helpful for what you have planned. Most of the other stuff seems way beyond what I can just figure out for now.

Code: [Select]
0C03A0 d s 0 MainRAM Vision 1-1 1st Moo  thrown location a lot of numbers make it want to go left? but doesn't work all the time @_@
0C0168 d u 0 MainRAM 1-1 1st Moo. freeze at zero to prevent the 1st moo from spawning.
0C03A4 d u 0 MainRAM 1-1 also affects the first Moo. setting to 500 makes him flip in and out of being visible. 97536 replaces the poor guy's pallete with some location on screen
0C0424 d u 0 MainRAM 1-1 1st moo affects rotateing animation when caught
0C0434 d u 0 MainRAM 1-1 first moo ?position? if frozen he falls through the level
0C044C d u 0 MainRAM 1-1 qst moo. this made him jump from a tree somehow but I don't understand
0C0424 d u 0 MainRAM 1-1 1st moo. freezing this will mess up the 1st Moo's animation. 40000 appears to be the moo's idle animation or some part of it
0C0454 d u 0 MainRAM 1-1 1st Moo's position along a path it seems but ti has boundaries
0C045C d u 0 MainRAM 1-1 1st moo x-pos ? seems to be along the path much like Klonoa





Offline cows

  • Moo
  • *
  • Posts: 27
  • Dreamer Rating: 8
Re: Reverse engineering
« Reply #21 on: April 14, 2017, 01:34:16 am »
That actually looks like it'll be extremely helpful, and it suggests I should probably use a different approach than what I've been doing so far.

I've been reading up on how data and instructions get sent to the GPU with the idea of working backwards from when the enemies are actually drawn on the screen, but that's probably not the fastest way of going about this, and it might have proved to be prohibitively tedious. I identified some situations where instructions are sent to the GPU directly, which is kind of neat in its own right, but I'm not even sure that's how the enemies are drawn. There's another less straightforward way of sending instructions to the GPU called DMA that I'm just starting to get familiar with (it's a concept I've become superficially comfortable with on the Sega Genesis, but even there I was pretty lazy and avoided learning how to use it properly as much as possible). I wouldn't be surprised if this is used at least partially for drawing the enemies.

Another probable sticking point in starting from the drawing and working backwards is that the Playstation has a yet another co-processor called the GTE*, which can do a lot of useful rendering-related math much faster than the main processor, and I have pretty much no idea how to talk to it yet. I'd say it's almost certain that a lot of the functionality for displaying enemies is done via this, so I'd need to have at least some understanding of how it works in order to step backwards all the way from the actual drawing to the higher level behavior (e.g. which animation frame should be displayed, where are the enemies in "world" space, collision detection, etc.)

The addresses you found suggest that instead of doing all the stuff I mentioned above, I should be able to find how a lot of the higher-level behavior works before I dig too deeply into the rendering stuff. It should actually make the rendering stuff easier to figure out, too, since it's a lot easier to follow high level data all the way down to the low-level rendering functionality than it is to work backwards. I wasn't confident that this was actually a plausible strategy at first, but now it seems like the most promising approach.

*It's interesting that this isn't actually part of the GPU, at least relative to more modern systems, where I believe these calculations are always either done by the GPU itself, or are simply done on the main processor without any special "acceleration." Even the Sega Genesis essentially has a GPU that handles all of the rendering, performing certain functions very quickly at the expense of flexibility. In this case, too, everything else needs to be done on the CPU in "software."

Offline Voka~Daemyn

  • Old Tree
  • Global Moderator
  • *
  • Posts: 1766
  • Dreamer Rating: 70
  • Squiiirrrrrrrrrrrrrrrrle
Re: Reverse engineering
« Reply #22 on: April 14, 2017, 02:29:11 pm »
I want to say that there were other addresses that did the same thing's as the one I was messing with involving that one poor moo though it may have been the other near by moos. Also sometimes other things use the addresses but I am unsure what. whatever is in these I have for the 2nd Moo can also freeze up the cutscene with balue and lephise's statue.

Code: [Select]
0D44F8   d   u   0   MainRAM   near start of level / vison data ? something important. affects the 1st tree's polygon too
0BF3A8   d   s   0   MainRAM   2nd moos from tree and such1
0C0028   d   s   0   MainRAM   2nd moos from tree and such2
0C0238   d   s   0   MainRAM   2nd moos from tree and such3
0C0258   d   s   0   MainRAM   2nd moos from tree and such4
0C0278   d   s   0   MainRAM   2nd moos from tree and such5


There are also some addresses in a huge chunk from 0D44F8 onwards to 0D8000 or around that that appears to contain vision / level data. I know in the 0d4ff8 area I was getting geometry glitches and such by freezing values. 0d4ff8 being part of the first tree.


Edit: Aside from debug mode which I still can't find a way into  :sad_face:
There is some kind of editor dunno if it is functional though :O. Yume Kakera means dream fragment from what best I can tell.

« Last Edit: April 14, 2017, 03:09:12 pm by Vokadae »

Offline cows

  • Moo
  • *
  • Posts: 27
  • Dreamer Rating: 8
Re: Reverse engineering
« Reply #23 on: April 15, 2017, 02:02:58 am »
Yeah, this is all great stuff I hadn't found yet. Let me see if I can find a way to trigger the debug mode via an emulator, if you haven't already. I wouldn't be surprised if it's not supposed to ever appear when the game is running normally, but manually opening it up is certainly possible (assuming, of course, that it even exists in my copy of the game). Sonic 3D Blast had a "secret level select code" that I believe was actually the game's fault handler, so that any set of circumstances that crash the game can be used as a "secret code" instead. Much like Klonoa's debug mode, I wouldn't be surprised if that was internally used for debugging before the "intentional" way of bringing it up was removed from the final game.

EDIT: It looks like you already figured out a way to enter debug mode. Does it always work when you do that?
« Last Edit: April 15, 2017, 02:15:15 am by cows »

Offline Voka~Daemyn

  • Old Tree
  • Global Moderator
  • *
  • Posts: 1766
  • Dreamer Rating: 70
  • Squiiirrrrrrrrrrrrrrrrle
Re: Reverse engineering
« Reply #24 on: April 15, 2017, 05:39:51 am »
Sorry this post has turned into a giant mess I'm trying to keep from double and triple posting so much xD

So far yes pretty much it always opens. I meant to post this but I fell asleep  x_x
yeah it seems like it does.
Code: [Select]
10E5EC   d   u   0   MainRAM   set to 1 in mid vison to open a debug menu.
It seems like someone had already found the debug menu besides Luseu on youtube but there is a slight bit more information on this article that I didn't know about till very recently https://tcrf.net/Klonoa:_Door_to_Phantomile_(PlayStation)



Edit:1 I got the Japanese debug menu code.
Code: [Select]
SystemID PSX
10DAE0    d    u    0    MainRAM    amount of hearts. also this address is often 8 addresses above debug menu set to 1 address
10DAFC    d    u    0    MainRAM    set to 1 to enter debug menu mid game
0C8D2C    d    u    0    MainRAM    debug world select 1st digit
0C8D78    d    u    0    MainRAM    debug world select 2nd digit

there does not seem to be any difference aside from an earlier date and that vision/[3DACTION]? 8-2 and 9-2 take you to glitched versions of 1-1 that freeze very quickly. 8-2 spawns you under ground


Edit:2 more random addresses that do some peculiar maybe useless things also debug addresses for other versions of Klonoa Door to Phantomile.

Code: [Select]
0BE644 d u 0 MainRAM freezing at 0 allows player movement during cutscenes
0BE6FC d u 0 MainRAM setting this to 1 makes you fall through the level. I don't know what this is

Debug codes for other versions of Klonoa DtP
Japanese Klonoa DtP
Code: [Select]
10DAE0 d u 0 MainRAM amount of hearts. also this address is often 8 addresses above debug menu set to 1 address
10DAFC d u 0 MainRAM set to 1 to enter debug menu mid game. setting to 5+ mid game soft restarts the vision without music seems to be stuck in something related to cutscenes. breaks lots of things
0C8D2C d u 0 MainRAM debug world select 1st digit. [4294967295] is 1-1 cutscene value ????
0C8D78 d u 0 MainRAM debug world select 2nd digit
0C8D28 d u 0 MainRAM sets to 2 when vision is confirmed for debug level loading [2149033814] is cutscene value????
0C8D80 d u 0 MainRAM sets to 1 on loading a vision via debug select

French Klonoa DtP
Code: [Select]
10E478 d u 0 MainRAM france Klonoa hearts
10E494 d u 0 MainRAM france Klonoa debug menu set to 1 mid game for debug menu

Official U.S. PlayStation Magazine Demo Disc 08 [Klonoa Demo]
Code: [Select]
1154A0 d u 0 MainRAM Klonoa hearts 8 adresses above debug code normally
1154BC d u 0 MainRAM debug menu set to 1







« Last Edit: April 15, 2017, 05:12:21 pm by Vokadae »

Offline Fennekin

  • Fennekin Lover
  • Star Member
  • *
  • Posts: 243
  • Dreamer Rating: 10
  • Gender: Female
  • Please sit, and let's talk for a while.
Re: Reverse engineering
« Reply #25 on: April 17, 2017, 03:08:28 pm »
I don't understand any of what's happening here but it looks amazing  :embarassed:


Offline cows

  • Moo
  • *
  • Posts: 27
  • Dreamer Rating: 8
Re: Reverse engineering
« Reply #26 on: April 19, 2017, 12:32:23 am »
Thanks! In less enthusiastic news, my computer has ceased to function and my only other machine isn't really fast enough to really get anywhere. The good news is my computer is still under warranty; the bad news is that that means I have to wait for someone else to fix it. I should be able to get going again this weekend.

Offline Voka~Daemyn

  • Old Tree
  • Global Moderator
  • *
  • Posts: 1766
  • Dreamer Rating: 70
  • Squiiirrrrrrrrrrrrrrrrle
Re: Reverse engineering
« Reply #27 on: April 20, 2017, 07:42:41 am »
Aww. I hope that your computer will be ok  :(. I'm glad their is a warranty on it hopefully your data doesn't get messed with too much either.

Offline cows

  • Moo
  • *
  • Posts: 27
  • Dreamer Rating: 8
Re: Reverse engineering
« Reply #28 on: April 25, 2017, 12:23:16 am »
I've figured out a bit more about the enemies, but there's definitely going to be some difficult challenges ahead. I managed to isolate where in memory a particular moo's position was being stored (and freezing it made the enemy unable to move), but the next time I started up the game, the enemy position was NOT stored in the same place, even at roughly the same point in the game.

This very strongly suggests something I already suspected: the enemies are being allocated dynamically (if you're not familiar with that concept, there's a pretty good explanation at https://en.wikipedia.org/wiki/Memory_management#DYNAMIC). Basically, the game says "find me some empty memory to reserve for this chunk of data" and another function does this and passes address of the newly-reserved memory back to the game. Thus, in order to reliably locate enemy data, I'll need to find the chunk of code that allocates memory for the enemies and read the memory address that gets sent back.

One thing I'm not completely sure of is whether the game allocates memory for each individual enemy on the fly, or if it allocates a big block of memory (array) for a whole list of enemies at once. I'm guessing it allocates memory for each enemy based on two things. First, it saves memory to do it this way; if we reserve memory for a bunch of enemies at once, and there are only one or two enemies that are actually "active," there's a bunch of unused memory that the game can't use for anything else. Second, if the enemies are all allocated in advance, they'll almost certainly be evenly spaced in memory, but this doesn't seem to be the case. I found the position value for two different enemies at 0x0C06E0 and 0x0BFF98, which are 0x000748 apart from each other, but jumping ahead by that same value again (to 0x0C06E0) didn't seem to yield anything useful.

In an ideal world (for me at least), there'd be a single chunk of memory at a fixed location for all of the enemies, but it doesn't seem like this is the case. That said, enemy data also needs to be stored in the ROM itself (at least the enemy's initial position, type, etc.), so at least that will exist in a fixed location. I bet if I can find an enemy's first position value in memory, I'll be able to search for that same value in the ROM's data. Unfortunately it's going to be tough to set a breakpoint for the first time that value is set, since I won't actually know WHICH value it is that's going to be set...

EDIT: One other thing I'm curious about is how the game keeps track of the "list" of enemies. A common approach is to use a "linked list," where each chunk of enemy data would also store the memory location of the NEXT enemy on the list. That way in order to loop through all of the enemies, the game would just need to know the location of the first enemy and then follow the chain until it reaches the last enemy. The last enemy would just have a null/dummy value like 0 for the address of the non-existent "next" enemy, so that the game knows it's reached the end of the list.
« Last Edit: April 25, 2017, 12:34:05 am by cows »

Offline Voka~Daemyn

  • Old Tree
  • Global Moderator
  • *
  • Posts: 1766
  • Dreamer Rating: 70
  • Squiiirrrrrrrrrrrrrrrrle
Re: Reverse engineering
« Reply #29 on: April 25, 2017, 12:24:26 pm »
hmm :o I'll read on that. I don't know if I could get anywhere but I'll keep messing with the moos and other enemies. I don't think I have a screen large enough to look at a ton of memory addresses at once :( But I wonder if I can slowly find the start and end of the moo's as they appear in memory.  :unsure: