
RWP Hacking Class #2


Welcome to the second RWP Hacking Class.
Thank you for coming. This class is designed to be interactive, so please stop me at every step if you are confused or have questions. Do, however, try to avoid unnecessary or irrelevant conversation in the chat channel. I recommend you log this chat so you can look back at it later, but I will also release a transcript. With that, class 2 has begun.

Last time we learned what 8-bit, 16-bit, 32-bit, and floating point values mean, what known and unknown searches are, and how to hack these using Renegade 64.
This class, we will use that knowledge to hack slightly more advanced codes. Today we will learn how to hack activators (and what they are), and then use this knowledge to hack a moonjump code.

Before we start hacking, let me explain what "activators" are. There is a code type called Activator, which is written as D0XXXXXX 00YY. It means: if the 8-bit value at memory address XXXXXX is YY, then turn on the code line below it; if not, that line stays inactive.

For example, last week we hacked an infinite ammo code, so we know the address of the current ammo. We could do something like: detect if ammo is 4 bullets, and if so, give us 7 bullets. Last week the infinite ammo code was 800D37FF 0064. That means memory address 800D37FF was always fixed to 0x64, or 100 in decimal, so you always had 100 bullets. Some of you used FF, which meant 255 bullets always.

Everyone open up Project 64 (no need to open Renegade 64 yet), and open the Goldeneye ROM. Now try the following code in PJ64: D00D37FF 0003, 800D37FF 0007. Shoot bullets; when you get to 3, suddenly you're at 7! You should be able to understand how it works now: when it detected the value 3 at 0D37FF, it set the value to 7.
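To see the activator logic outside the emulator, here is an added Python example (not from the class) that interprets the D0, 80 and 81 code types over a constructed memory dictionary and runs the ammo code above through a few shots. The memory contents and the "one bullet per frame" model are made up for the demonstration; only the addresses and code lines come from the class.

```python
# Added example (not from the class): a tiny interpreter for the GameShark code
# types used in this lesson, run against a constructed memory dict, not a real emulator.
from typing import Dict, List, Tuple

def parse_code(line: str) -> Tuple[int, int, int]:
    """Split 'TTXXXXXX YYYY' into (type byte, 24-bit address, value)."""
    left, right = line.split()
    return int(left[:2], 16), int(left[2:], 16), int(right, 16)

def apply_codes(mem: Dict[int, int], codes: List[str]) -> Dict[int, int]:
    """Apply one pass of a code list, as the GameShark does once per frame.
    D0: if the byte at the address is not equal to the value, skip the next line.
    80: write an 8-bit value.  81: write a 16-bit value, high byte first (the N64 is big-endian).
    Returns a new memory dict; unknown addresses read as 0."""
    mem = dict(mem)
    skip_next = False
    for line in codes:
        ctype, addr, val = parse_code(line)
        if skip_next:
            skip_next = False
            continue
        if ctype == 0xD0:
            skip_next = mem.get(addr, 0) != (val & 0xFF)
        elif ctype == 0x80:
            mem[addr] = val & 0xFF
        elif ctype == 0x81:
            mem[addr] = (val >> 8) & 0xFF
            mem[addr + 1] = val & 0xFF
        else:
            raise ValueError("unsupported code type %02X" % ctype)
    return mem

AMMO_ADDR = 0x0D37FF                                  # Goldeneye ammo byte from the class
INFINITE_AMMO = ["800D37FF 0064"]                     # always 100 bullets
REFILL_AT_3 = ["D00D37FF 0003", "800D37FF 0007"]      # 3 bullets -> 7 bullets

def ammo_after(start: int, codes: List[str]) -> int:
    """Ammo value after one frame of the given code list."""
    return apply_codes({AMMO_ADDR: start}, codes)[AMMO_ADDR]

def shoot(start: int, shots: int, codes: List[str]) -> List[int]:
    """Fire one bullet per frame, apply the codes, and record the ammo after each frame."""
    mem = {AMMO_ADDR: start}
    history = []
    for _ in range(shots):
        mem[AMMO_ADDR] = max(0, mem[AMMO_ADDR] - 1)   # constructed: the game consumes a bullet
        mem = apply_codes(mem, codes)
        history.append(mem[AMMO_ADDR])
    return history

if __name__ == "__main__":
    print(shoot(5, 6, REFILL_AT_3))    # [4, 7, 6, 5, 4, 7]
    print(shoot(5, 3, INFINITE_AMMO))  # [100, 100, 100]
```

Running it shows the refill code never lets the ammo drop below 3 for more than the frame in which the activator sees it, while the plain 80 code pins the byte to 100 every frame regardless of what the game did.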

Let's expand this to another well-known use of activators: detecting which button on the controller is pressed. The N64 stores a lot of things using a method called bitflags. Let's say we have an 8-bit value. While we usually write it in hexadecimal, it is really 8 of what we call bits (each either 0 or 1). The N64 has an 8-bit variable that records whether R, L, C-right, C-left, C-down, or C-up is pressed, or some combination. For example, if only R is pressed, the value is 0x10 hex, or 16 decimal. If only L is pressed, the value is 0x20 hex, or 32 decimal. If we want to detect whether both R and L are pressed, we would search for 0x30, or 48 in decimal.

How did we get this? Everyone open up Windows Calculator. In Scientific mode, click Hex. Type in 10. Now click the red Or button on the right side, and type 20. Then click equals. What do you get? 30, which is what we wanted. In future lectures, I may discuss why we use OR here.

This is identical in all N64 games (as far as I know), so this code can be used for any game. This website will show you the listing. The Start, Z, B, A, etc. buttons are in a separate 8-bit variable, with a similar idea.
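The calculator exercise above, as an added Python example (not from the class): it ORs button bits together, decodes a controller byte back into button names, and shows one consequence of the D0 activator being a whole-byte equality test. R = 0x10 and L = 0x20 are the values the class gives; the four C-button bits are the standard N64 layout and are an assumption here.

```python
# Added example (not from the class): combining and decoding the controller byte.
# R = 0x10 and L = 0x20 are from the class; the C-button values are the standard
# N64 layout and are an assumption here.
from typing import List

BUTTONS = {"R": 0x10, "L": 0x20, "C-up": 0x08, "C-down": 0x04, "C-left": 0x02, "C-right": 0x01}

def combine(*names: str) -> int:
    """OR the bits together, as the calculator exercise did with 10 OR 20 = 30."""
    value = 0
    for name in names:
        value |= BUTTONS[name]
    return value

def decode(byte: int) -> List[str]:
    """List the buttons whose bit is set in a controller byte."""
    return sorted(name for name, bit in BUTTONS.items() if byte & bit)

def d0_fires(byte: int, expected: int) -> bool:
    """A D0 activator compares the whole byte for equality: L alone (0x20) matches
    D0xxxxxx 0020, but L held together with R (0x30) does not."""
    return byte == expected

def bit_is_set(byte: int, bit: int) -> bool:
    """Masking tests one button regardless of the others; shown for contrast only,
    it is not something a single D0 line can express."""
    return byte & bit == bit

if __name__ == "__main__":
    print("%02X" % combine("R", "L"), decode(0x30))   # 30 ['L', 'R']
    print(d0_fires(0x30, 0x20), bit_is_set(0x30, 0x20))   # False True
```

The practical point for the moonjump later: because D0 checks the whole byte, an activator on 0020 only fires while L is the only button in that byte being held; holding R as well changes the byte to 0x30 and the code goes inactive.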

Now let's finally hack Banjo-Kazooie, and use this knowledge to hack an activator. Open up PJ64, open the Banjo-Kazooie ROM, and press F2 as soon as it starts, to pause.
Now open up Renegade 64, attach to the emulator as we did before, and open up the Code Search window. We want an 8-bit known search. In Banjo, unpause, hold R, and then press F2 while still holding R. Search for the hex value 10, equivalent to pressing R.
Now go back to Banjo, unpause, hold L, and pause. Search for 20 hex in Renegade 64. This should be enough to find our code, but if not, you could try holding L and R and searching for 30 (we found this before in Windows Calculator). You should get about 5-10 results. Please note, games usually have more than one controller activator, so there is more than one right code! In any case, in Banjo, the code we will use is 281251. Does everyone have this? We will use this later.

Before I go on any farther, I want to remind you about floating point codes.
http://babbage.cs.qc.edu/IEEE-754/32bit.html
This page converts between hexadecimal and decimal, as a reminder. As I told you, floating point codes are always 32-bit, and they can express decimals, for example 4.555 or 244.22. I didn't mention last time that floating point values can be either positive or negative, so if you want, you could search for -234.444, and that is a 32-bit floating point value.

We want to hack a moonjump for Banjo-Kazooie. A moonjump is really just another name for a "jump velocity" code. If anyone has ever taken a basic physics class, you will know about gravity and motion; you just need to know the results here. When you jump into the air, you start off slow, then speed up until you hit the point where you are in between jumping and falling. Then you start falling slowly, and you fall faster as more time elapses.

In terms of Banjo-Kazooie, when Banjo is on the ground his jump speed is essentially zero (but NOT ALWAYS). As you start a jump, your velocity is at its maximum and positive.
As you rise up, your velocity decreases but is still positive. When you start to fall, your value is now negative and small. When you are about to hit the ground, your value is negative and large. One catch is that when you are on the ground, Banjo's jump velocity is not always 0, for some reason, so we can't use this. We will hack it using the above knowledge about motion.

Everyone open up Banjo-Kazooie in PJ64, and go into any level. If you have never used the ROM before, use this savestate.
To use it, save it to the desktop, open up the Banjo-Kazooie ROM, press Ctrl-L, and choose this file.

Class, do we do a known search or an unknown one? Right, unknown, because even though we know how the values will change, we have no clue what the real values are. Choose a 32-bit value, and make sure you tick the signed flag below. If you don't, Renegade 64 will not use negative numbers and your search will fail.
Use this flag every time you are searching for a 32-bit floating point value.
Now start to jump, press F2 to pause, and do the initial dump by clicking ==.
If you can pause a little higher in your jump (but BEFORE YOU START TO FALL), hit F2 and do a < search. Now as you start to fall, do another < search. Unpause, pause again before you hit the ground, and do another <. Now start another jump, and while rising do a >, then repeat the previous < searches as you rise and fall. If it all works, you should eventually get the address 37C4BC in the results.
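The search procedure above, as an added Python example (not from the class) run over constructed memory snapshots: each pause is one snapshot, and each < or > search keeps only the addresses whose value moved that way since the previous snapshot. 0x37C4BC is the velocity address the class finds; the other three addresses and every value are made up. It also shows why the signed flag matters: with the raw words compared as unsigned integers, the velocity drops out as soon as it goes negative.

```python
# Added example (not from the class): "<" / ">" unknown-search filtering over
# constructed memory snapshots. 0x37C4BC is the velocity address from the class; the other
# addresses and all values are made up for the demonstration.
import struct
from typing import Dict, List

def float_to_word(x: float) -> int:
    """32-bit big-endian bit pattern of an IEEE-754 single."""
    return struct.unpack(">I", struct.pack(">f", x))[0]

def word_to_float(w: int) -> float:
    return struct.unpack(">f", struct.pack(">I", w))[0]

VEL, COUNTDOWN, CONST, RISING = 0x37C4BC, 0x37C4C0, 0x37C4C4, 0x37C4C8

# One snapshot per pause: leaving the ground, higher up, starting to fall, about to land,
# then the start of a second jump. COUNTDOWN is a decoy that keeps decreasing; CONST never
# changes; RISING keeps increasing.
SNAPSHOTS: List[Dict[int, int]] = [
    {VEL: float_to_word(12.0), COUNTDOWN: 0x13, CONST: float_to_word(1.0), RISING: float_to_word(1.0)},
    {VEL: float_to_word(6.0),  COUNTDOWN: 0x12, CONST: float_to_word(1.0), RISING: float_to_word(2.0)},
    {VEL: float_to_word(-3.0), COUNTDOWN: 0x11, CONST: float_to_word(1.0), RISING: float_to_word(3.0)},
    {VEL: float_to_word(-9.0), COUNTDOWN: 0x10, CONST: float_to_word(1.0), RISING: float_to_word(4.0)},
    {VEL: float_to_word(11.0), COUNTDOWN: 0x0F, CONST: float_to_word(1.0), RISING: float_to_word(5.0)},
]
SEARCH_OPS = ["<", "<", "<", ">"]   # the sequence of searches described in the class

def run_search(snapshots: List[Dict[int, int]], ops: List[str], signed: bool = True) -> List[int]:
    """Start from every address in the initial dump and keep only those whose value moved
    the way each search asks. signed=True compares the words as floats (the signed flag);
    signed=False compares the raw words as unsigned integers, which mis-orders negatives."""
    view = word_to_float if signed else (lambda w: w)
    candidates = set(snapshots[0])
    for prev, cur, op in zip(snapshots, snapshots[1:], ops):
        before = {a: view(prev[a]) for a in candidates}
        after = {a: view(cur[a]) for a in candidates}
        if op == "<":
            candidates = {a for a in candidates if after[a] < before[a]}
        else:
            candidates = {a for a in candidates if after[a] > before[a]}
    return sorted(candidates)

if __name__ == "__main__":
    print([hex(a) for a in run_search(SNAPSHOTS, SEARCH_OPS)])                # ['0x37c4bc']
    print([hex(a) for a in run_search(SNAPSHOTS, SEARCH_OPS, signed=False)])  # []
```

The three < searches alone leave both the velocity and the decoy countdown; it is the > search on the second jump that separates them, which is why the class has you jump again rather than stopping after the first fall.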

If we just turn this code on, you will see Banjo suddenly just float to the sky and you can't stop him! Any ideas how we will solve this?

Why, we will use our controller activator from before! We found it was the address 281250. Most of the time we use the L button for a moonjump, so the first part of our code will be D0281251 0020 (remember L = 0x20). The second part will be the address we just found, 37C4BC. You can fix this value to whatever jump speed you want.
You can use the hex floating point converter page I gave you before to work out the value.

I will tell you 43E00000 is a good value. That page should tell you it is 448 in decimal.
Since this is a 32-bit value, we need to break our code into two 16-bit codes. Remember, a 16-bit code is written as 81XXXXXX YYYY. Our address is 37C4BC, so we break the 32-bit value into two 16-bit writes, at 37C4BC and 37C4BE. Our final code will be:
  • D0281251 0020
  • 8137C4BC 43E0
  • D0281251 0020
  • 8137C4BE 0000
Now try it!

What if we wanted a "moonfall" code? Let's put in a negative value. An example is C3E00000 (-448).
  • D0281251 0020
  • 8137C4BC C3E0
  • D0281251 0020
  • 8137C4BE 0000
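The conversion and splitting steps for both the moonjump and moonfall codes above, as an added Python example (not from the class): it turns a jump speed into its IEEE-754 hex word the way the converter page does, cuts it into the high and low 16-bit halves, and emits the four code lines with the L-button activator in front of each. The addresses 281251 and 37C4BC and the speeds 448 and -448 come from the class.

```python
# Added example (not from the class): converting a jump speed to its IEEE-754 hex word
# and splitting it into the two 16-bit (81) lines, each gated by the L-button activator.
import struct
from typing import List

def float_to_hex(value: float) -> str:
    """IEEE-754 single precision as 8 hex digits, as the converter page shows it: 448.0 -> '43E00000'."""
    return "%08X" % struct.unpack(">I", struct.pack(">f", value))[0]

def hex_to_float(word: str) -> float:
    """The reverse direction: '43E00000' -> 448.0."""
    return struct.unpack(">f", struct.pack(">I", int(word, 16)))[0]

def velocity_code(activator_addr: int, button: int, value_addr: int, speed: float) -> List[str]:
    """Build the four-line code: the 32-bit word is written as two 16-bit halves,
    high half at value_addr and low half at value_addr + 2, each preceded by the activator."""
    word = float_to_hex(speed)
    activator = "D0%06X %04X" % (activator_addr, button)
    return [
        activator, "81%06X %s" % (value_addr, word[:4]),
        activator, "81%06X %s" % (value_addr + 2, word[4:]),
    ]

L_BUTTON = 0x20                      # L = 0x20 from the controller bitflags section
ACTIVATOR_ADDR = 0x281251            # Banjo-Kazooie controller activator found in class
VELOCITY_ADDR = 0x37C4BC             # jump velocity address found by the search

MOONJUMP = velocity_code(ACTIVATOR_ADDR, L_BUTTON, VELOCITY_ADDR, 448.0)
MOONFALL = velocity_code(ACTIVATOR_ADDR, L_BUTTON, VELOCITY_ADDR, -448.0)

if __name__ == "__main__":
    print("\n".join(MOONJUMP))
    print()
    print("\n".join(MOONFALL))
```

The only difference between the two codes is the sign bit, which is why the low halves are identical and only the first hex digit of the high half changes (43E0 versus C3E0).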

If you jump off anywhere and hold L, you will notice you fall RAPIDLY to the floor. Next week we will hack some even more advanced codes!