Hacking game behavior (Phantom Kingdom Portable)

Discussion in 'PSP - Hacking & Homebrew' started by kaijyuu, Apr 22, 2015.

  1. kaijyuu (OP), Newbie / Newcomer, Apr 22, 2015, United States
    I'm wanting to change how the game works (specifically how the bonus gauge gives bonuses; I don't want to have to deploy units for them to get the bonus experience and instead just have it give the bonus to every character in my party), and have been having trouble finding tools to figure out how to do this. I've done a fair bit of Super Nintendo hacking, but almost nothing for any system newer than that. I don't know MIPS but I can figure it out most likely.

    What I need is some sort of memory tracer/cheat creator. Unfortunately the game does not give a numerical value for experience (just a graphical bar), so ideally I'd like something that could find ram addresses that change by particular amounts (say, 400 decimal higher than they were before), not just find addresses that were some value X at one frame and some value Y at another. Does something like this exist?

    I have PPSSPP and have been looking through its debugger, and its breakpoint functionality and code tracer look like they'll suit my purposes. I just need to find character experience values in the RAM so I can trace the routines.

    Any further advice is welcome since I'm new at this.
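As an added example that is not part of the thread, the following Python script does the kind of "changed by exactly N" search asked about above: it compares two RAM dumps word by word and keeps only the addresses whose value moved by the requested delta, then narrows that list on a later pair of dumps. The base address, the 256-byte snapshots and the "experience" word at +0x40 are all constructed here for illustration and are not the game's real layout.

```python
import struct

PSP_USER_BASE = 0x08800000  # start of PSP user RAM (assumed base for the constructed dumps below)


def delta_scan(before, after, delta, width=4, base=PSP_USER_BASE, candidates=None):
    """Return the sorted addresses whose little-endian `width`-byte value changed by
    exactly `delta` between two RAM snapshots of equal size.

    Pass a previous result as `candidates` to narrow the search on a later pair of dumps.
    The comparison is modular, so a 16-bit counter that wrapped still matches.
    """
    if len(before) != len(after):
        raise ValueError("dumps must be the same length")
    fmt = {1: "<B", 2: "<H", 4: "<I"}[width]
    mask = (1 << (8 * width)) - 1
    if candidates is None:
        offsets = range(0, len(before) - width + 1, width)  # aligned scan of the whole dump
    else:
        offsets = [addr - base for addr in candidates]
    hits = []
    for off in offsets:
        old = struct.unpack_from(fmt, before, off)[0]
        new = struct.unpack_from(fmt, after, off)[0]
        if (new - old) & mask == delta & mask:
            hits.append(base + off)
    return sorted(hits)


def make_snapshots():
    """Constructed sample data: three 256-byte snapshots of a fake RAM region.
    The 'experience' word at +0x40 grows by 400 each battle; a decoy word at +0x80
    grows by 400 only once; a frame counter at +0x10 ticks by one."""
    filler = [0x11111111 * (i % 7 + 1) for i in range(64)]
    snaps = []
    for exp, decoy, frames in ((1200, 5000, 10), (1600, 5400, 11), (2000, 7777, 12)):
        words = list(filler)
        words[0x40 // 4] = exp
        words[0x80 // 4] = decoy
        words[0x10 // 4] = frames
        snaps.append(struct.pack("<64I", *words))
    return snaps


def locate_experience():
    """Two rounds of '+400' narrow two candidates down to the real experience word."""
    s0, s1, s2 = make_snapshots()
    first = delta_scan(s0, s1, 400)                     # decoy and real value both match
    second = delta_scan(s1, s2, 400, candidates=first)  # only the real value matches again
    return first, second


if __name__ == "__main__":
    first, second = locate_experience()
    print("round 1:", [hex(a) for a in first])
    print("round 2:", [hex(a) for a in second])
```

With real dumps from the emulator's memory viewer, the two snapshots are simply the bytes of the same region saved before and after the bonus is awarded; one extra round with a different delta is usually enough to discard coincidental matches.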
     
  2. kaijyuu (OP), Newbie / Newcomer, Apr 22, 2015, United States
    Okay! Got my hack working on emulators. However, it crashes on real hardware, and I don't know why.

    Here's the code I added. Do I need to wait before reading from the HI/LO registers after a mult operation? (though even if that was the case I dunno why it'd crash)

    Also one oddity I noticed is the format of my jump operation. In order for PPSSPP to actually read the operation correctly I had to format it as 0A32D5D3 (or j 0x08CB574C, including the 0x08804000 offset). The game's regular jumps and such seemed to not include the 0x08804000 offset, and I don't know why. Notably, if I use PPSSPP's "copy instruction to hex" feature on the game's jumps, it incorrectly gives a hex value that includes the offset; when looking directly at the hex code in the eboot, the offset is not there. Ex: Hex directly ripped from the eboot for a jal instruction is 0C0177FE, while PPSSPP gives me 0E2187FE.

    Any hints?

    EDIT: After some tedious testing (it takes ~4 minutes to compile and upload a change to my psp for testing), it is indeed the jump operations that are making the system crash. Well, the other stuff could potentially cause crashes too, but a simple jump to my hijack area and jump back will work fine on any emulator I've tried but crash my psp. No idea what I'm doing wrong; I tried jpcsp and its debugger also shows the same issue with jals and jumps that PPSSPP does.

    EDITEDIT: Further digging suggests I need to modify the relocation table (?) for my jumps to work correctly. Hardcoding their address seemed to work fine on an emulator, but perhaps not on hardware.
    So, any advice/links/etc on how to modify the relocation table? I found a nice tutorial thingy for modifying the elf header, but I'm in the dark here. Google is failing me too.
     
  3. Scorp, GBAtemp Regular / Member, Sep 23, 2010, Kazakhstan
    Advice: do not change things which affect relocation. Put jumps to your code before/after. Or you can see what the relocated difference is and change it appropriately, like jal 0x0XXXXXXX-0x8804000. But this is not good, as even if that would work in most cases, the address is not always 8804000.
     
  4. kaijyuu (OP), Newbie / Newcomer, Apr 22, 2015, United States
    I'm pretty sure it's necessary to change the relocation table since the amount of code I'm inserting is too large to fit in any freespace that I've seen.

    My blind flailing has made my first jump work correctly on an emulator, but I'm unable to make the jump back get relocated. Also there's a RAM pointer in the custom code I'm pretty sure needs relocation too.

    Ex: 0005330C 00000004 is an item in the original relocation table that redirects a jal that's not too far past my hijack location. I stuck 000532E4 00000004 right before it and it fixed my first jump.
    However, placing 002B17D8 00000004 in the next slot does not fix the jump back after my custom code.

    What exactly does the 00000004 mean? Also does order matter in the relocation table at all?

    Perhaps of note, my custom code is in a new section that I defined in the elf header. Would I need to use different relocation values for jumps/jals to it than I would for jumps/jals to the regular game code in the original sections?
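The two puzzles in posts 2 and 4 above (why the jal bytes in the eboot are 0C0177FE but PPSSPP shows 0E2187FE, and what the 00000004 in a relocation entry means) are the same mechanism, so here is one added Python example, not code from the thread or from PPSSPP, that works through both with the exact values quoted. MIPS `j`/`jal` store a 26-bit word index, and relocation type 4 is R_MIPS_26: the loader adds (load base >> 2) to that field when it places the module at 0x08804000, which is why the file and RAM encodings differ. The r_info byte layout (type, then the segment the offset is relative to, then the segment whose address is added) is how PPSSPP's ELF loader reads PSP relocation entries; the value 0x00000204 from a later post is included to show the second byte selecting segment 2.

```python
import struct

OP_J, OP_JAL = 0x02, 0x03
# Standard MIPS ELF relocation type numbers; 4 is the one used for j/jal targets.
R_MIPS_32, R_MIPS_26, R_MIPS_HI16, R_MIPS_LO16 = 2, 4, 5, 6


def decode_jump(word, pc=0):
    """Decode a MIPS J-type word into (mnemonic, absolute target).
    target = (top nibble of pc+4) | (26-bit field << 2); PSP user code sits at
    0x08xxxxxx, so the top nibble is zero there and pc can be left at 0."""
    op = word >> 26
    if op not in (OP_J, OP_JAL):
        raise ValueError("not a j/jal instruction: %08X" % word)
    target = ((pc + 4) & 0xF0000000) | ((word & 0x03FFFFFF) << 2)
    return ("j" if op == OP_J else "jal"), target


def encode_jump(mnemonic, target):
    """Inverse of decode_jump: build the word for `j`/`jal` to a word-aligned target."""
    if target & 3:
        raise ValueError("jump target must be 4-byte aligned")
    op = {"j": OP_J, "jal": OP_JAL}[mnemonic]
    return (op << 26) | ((target >> 2) & 0x03FFFFFF)


def apply_r_mips_26(word, load_base):
    """Apply an R_MIPS_26 relocation: add (load_base >> 2) to the 26-bit field.
    This turns the bytes stored in the file into the bytes seen in RAM once the
    module is placed at `load_base`."""
    field = (word & 0x03FFFFFF) + (load_base >> 2)
    return (word & 0xFC000000) | (field & 0x03FFFFFF)


def parse_rel_entry(entry):
    """Split one 8-byte Elf32_Rel entry (r_offset, r_info) the way the PSP PRX
    loader does: byte 0 of r_info is the type, byte 1 the segment that r_offset is
    relative to, byte 2 the segment whose load address is added to the patched value."""
    r_offset, r_info = struct.unpack("<II", entry)
    return {
        "offset": r_offset,
        "type": r_info & 0xFF,
        "ofs_base": (r_info >> 8) & 0xFF,
        "addr_base": (r_info >> 16) & 0xFF,
    }


def thread_values():
    """Reproduce the numbers quoted in the thread."""
    load_base = 0x08804000
    return {
        "j_0A32D5D3": decode_jump(0x0A32D5D3),                 # ('j', 0x08CB574C)
        "encode_back": encode_jump("j", 0x08CB574C),           # 0x0A32D5D3
        "jal_in_ram": apply_r_mips_26(0x0C0177FE, load_base),  # 0x0E2187FE
        "rel_0005330C": parse_rel_entry(struct.pack("<II", 0x0005330C, 0x00000004)),
        "rel_0000008C": parse_rel_entry(struct.pack("<II", 0x0000008C, 0x00000204)),
    }


if __name__ == "__main__":
    for name, value in thread_values().items():
        print(name, value)
```

Reading the output: a hand-assembled jump written as the already-relocated word (0A32D5D3) works in an emulator only while the module happens to land at 0x08804000; the eboot's own jumps store the unrelocated field (0C0177FE) and rely on an R_MIPS_26 entry, which is what the loader on real hardware expects.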
     
  5. thexyz, Member / Newcomer, Jan 8, 2014, Serbia, Republic of
  6. Scorp, GBAtemp Regular / Member, Sep 23, 2010, Kazakhstan
    You can read the link thexyz gave, or alternatively you can open the PPSSPP sources and read there how relocations get loaded.

    If I were you, I would just add my code after some file which certainly loads (like a font), or load a file yourself, as adding a new section in the eboot is a real pain (as there are no good tools) and there is no guarantee that it would work everywhere. In this case you do not need to care about relocations, as you just need to do a J XXX somewhere.
     
  7. kaijyuu (OP), Newbie / Newcomer, Apr 22, 2015, United States
  8. Scorp, GBAtemp Regular / Member, Sep 23, 2010, Kazakhstan
    I am pretty sure you can use any cheat finder for PC (I use this one for example http://www.systemsoftlab.com/artmoney743eng.exe), and when the place of the value is found, I just go into the memory editor and use the emulator's built-in search to find it in the actual PPSSPP memory.
     
  9. kaijyuu (OP), Newbie / Newcomer, Apr 22, 2015, United States
    Ah I found the RAM addresses I needed a while back (RAM dumping and searching with a script, heh). Such tools may be useful in the future, though.


    EDIT: Okay, once again I'm stuck on something that works in an emulator but breaks on hardware. Specifically, I'm getting kernel errors on load, and they don't happen if I don't try to relocate things in my new section.

    My elf header. My new section is the third one, before the relocation data one.

    The relocation that breaks: 0000008C 00000204
    Notably I stuck this pretty much smack dab in the middle of the table. PPSSPP didn't want to use it if I put it at the end, even though I extended the relocation table by 0x20 bytes. A real PSP had the kernel error regardless of where I put it.

    The relocation of the jump in the regular game code works fine. Couldn't test thoroughly on hardware but it works on PPSSPP and did not cause kernel errors.


    Is it some sort of alignment error? I have no idea what the alignment value in the header actually means, since it doesn't correspond to what standard ELF documentation states. There's no physical address to mod against. I gave my section a healthy buffer between other sections, as noted here, assuming I'm understanding what that said.

    EDIT EDIT: I discovered the section header table. Do I need to add anything to this for my new section? I tried extending one of the previous sections instead, but it proved a huge headache and I could never get PPSSPP to boot up the game properly. Probably because I didn't understand the section header table.
     
  10. kaijyuu (OP), Newbie / Newcomer, Apr 22, 2015, United States
    Sorry for replying to myself but I wanted to clean up this thread a bit. I've got a lot of questions up there and it's probably difficult to parse it all.

    Here are my questions; anything I asked previously that was unanswered you can assume I figured out myself.
    - When extending the relocation table, why does PPSSPP not recognize new relocations at the bottom of the table? I extended the table by 0x20 bytes in the program header but nothing placed in that area is used as far as I can tell. Stuffing new relocations in the middle seems to work though. Am I missing some other address I need to update? Is ordering important somehow?
    - What does the alignment byte in the program header do? It doesn't seem to correspond to regular ELF format since there's no physical address.
    - What could cause a kernel error (80020001) when applying a relocation? Regardless of where I put it in the relocation table (end or middle), trying to apply a relocation to my return jump in my new section will make the game fail to load on an actual PSP. Removing the relocation makes it load fine (though of course my new code doesn't work).
    - Do I need to care about the section header table, aside from making sure the pointers to the original game's stuff are accurate? I read that they're "unnecessary" so I don't want to bother with them more than I have to.


    Thanks all for your help so far. It's been lots of fun figuring out how to hack a game on a new system.
     
  11. GreenZeldaCap, Member / Newcomer, Apr 26, 2015, Canada
    So you're trying to run the code on emulators? What is the difference versus normal hardware, if I may ask? (sorry for the noob question)
     
  12. kaijyuu (OP), Newbie / Newcomer, Apr 22, 2015, United States
    Ultimately I want to run my hack on a real PSP, but I'm testing it on both a PSP and on an emulator. Emulators have the advantage of letting me see the RAM and trace the code as it is running to find mistakes.

    As for differences, I dunno. Some things work on an emulator that don't on a real PSP. It's kinda frustrating sometimes actually, since it's much easier to debug things on an emulator. If it only breaks on a PSP it's sometimes difficult to determine what is wrong.
     
  13. kaijyuu (OP), Newbie / Newcomer, Apr 22, 2015, United States
    *sighs*

    Okay I got it to work in its entirety (on an emulator and on a psp), though I did something I wish I didn't have to do.

    I found a long string of 00s in the main code section and just stuck my new code there. Fingers crossed that this does not somehow break something. My previous questions still stand, since I'd like to do it more properly and not just hope that the spot I found is actual freespace.

    Desperate times call for desperate measures! I really wanted to make this before a long trip I'm going on next week. This should be adequate for the long plane ride and such. Hooray! I'd release a patch but I dunno if it'd be compatible with both the base game and the translation hack.