Hacking How to patch the NSMB image to get NEWER

JasonP27

That'll get you a .S file with all the ASM. Inside look for lis and ori commands, like the ones I posted above. Once you've worked out what to change them to, create a new .S file with contents like this:

Code:
lis        r31,-32768 # 0x8000
ori        r31,r31,5892 # 0x1704

Then compile this smaller .S file with this command:

powerpc-eabi-as -mregnames -be example.S

This will generate a file "a.out", we just want the binary code, so after the above run:

powerpc-eabi-objcopy -O binary a.out a.bin

a.bin will (in the above example) now be an 8 byte file containing the two commands above. Open with a hex editor, copy these 8 bytes and overwrite the original 8 bytes in Loader.bin.

Repeat for each lis & ori pair.

So I've worked up the will to learn/try this, but don't understand why I wouldn't just change all the pairs in the Loader.S and convert it back to Loader.bin ... I mean wouldn't that be easier? How am I to know where each 8 bytes goes in the hex?

Also, my outputted Loader.S file doesn't look the same as yours...

Code:
100:    93 c1 00 58    stw    r30,88(r1)
104:    93 a1 00 54    stw    r29,84(r1)
108:    38 c0 00 31    li      r6,49
10c:    3c a0 80 76    lis    r5,-32650
110:    60 a5 8d 50    ori    r5,r5,36176
114:    80 65 00 00    lwz    r3,0(r5)
118:    54 63 04 3e    clrlwi  r3,r3,16
11c:    2c 03 6d e1    cmpwi  r3,28129
120:    41 82 00 44    beq-    0x164
124:    2c 03 6c a1    cmpwi  r3,27809
128:    41 82 00 48    beq-    0x170
12c:    2c 03 6a b1    cmpwi  r3,27313
130:    41 82 00 4c    beq-    0x17c
134:    2c 03 00 14    cmpwi  r3,20
138:    40 82 03 30    bne-    0x468
 

SifJar

Your outputted file looks exactly the same as mine. And the reason I advise creating a separate file and assembling it, then patching the new bytes in with a hex editor is in case any of the rest of the commands got disassembled incorrectly, or get reassembled incorrectly. This way you minimize the risk of some error causing a problem.
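
The exchange above, as an added example that is not part of the original posts: the left-hand column of the disassembly is the file offset of each instruction, so a lis/ori pair can be located, decoded and overwritten in place without reassembling anything else. The function names are hypothetical, and the sample buffer is constructed from the four words at 0x10c..0x11b of the listing.

```python
import struct

def find_lis_ori(blob: bytes):
    """Yield (file_offset, register, constant) for each lis/ori pair."""
    for off in range(0, len(blob) - 7, 4):
        w1, w2 = struct.unpack_from(">II", blob, off)
        rd, ra = (w1 >> 21) & 31, (w1 >> 16) & 31
        rs, rt = (w2 >> 21) & 31, (w2 >> 16) & 31
        # lis rD,imm is addis rD,0,imm (opcode 15); ori is opcode 24.
        if w1 >> 26 == 15 and ra == 0 and w2 >> 26 == 24 and rd == rs == rt:
            yield off, rd, ((w1 & 0xFFFF) << 16) | (w2 & 0xFFFF)

def encode_lis_ori(reg: int, value: int) -> bytes:
    """Return the 8 big-endian bytes that load `value` into `reg`."""
    lis = (15 << 26) | (reg << 21) | ((value >> 16) & 0xFFFF)
    ori = (24 << 26) | (reg << 21) | (reg << 16) | (value & 0xFFFF)
    return struct.pack(">II", lis, ori)

def patch_pair(blob: bytearray, off: int, old: int, new: int) -> None:
    """Overwrite the 8 bytes at `off`, but only if they load `old` today."""
    hits = {o: (r, v) for o, r, v in find_lis_ori(blob)}
    if off not in hits or hits[off][1] != old:
        raise ValueError(f"no lis/ori loading {old:#x} at offset {off:#x}")
    # Keep the original register; touch nothing outside these 8 bytes.
    blob[off:off + 8] = encode_lis_ori(hits[off][0], new)

# Constructed sample: zero padding up to 0x10c, then the words shown in the
# listing for 10c, 110, 114 and 118, so offsets match the left-hand column.
SAMPLE = bytearray(0x10c) + bytearray.fromhex(
    "3ca08076 60a58d50 80650000 5463043e")

if __name__ == "__main__":
    for off, reg, value in find_lis_ori(SAMPLE):
        print(f"offset {off:#x}: r{reg} <- {value:#010x}")
```

Checking the old constant before writing guards against patching the wrong offset or a different build of the file.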
 

Wiimm

Because of the NEWER project, I have added 2 more DOL features to my wit tools:
* Details: http://gbatemp.net/threads/wwt-wit-wiimms-wbfs-iso-tools.182236/page-78#post-4674404

The first is that "wit dump main.dol --long" now dumps a table with delta values. This delta helps to translate a virtual memory address to a file offset for hex editing: just subtract the delta from the address.
Code:
# wit dump pool/nsmb/main.dol --long
....
 
  Delta between file offset and virtual address:
 
          unused :  off(beg) ..  off(end) :      size :    delta : section
    ----------------------------------------------------------------------
                  :  80004000 ..  800066c0 :      26c0 : 80003f00 : text #0
                  :  800066c0 ..  80006720 :        60 : 7fd1c9a0 : data #0
                  :  80006720 ..  80006780 :        60 : 7fd1c9a0 : data #1
                  :  80006780 ..  802edce0 :    2e7560 : 80003fc0 : text #1
                  :  802edce0 ..  802edfc0 :      2e0 : 80003f00 : data #2
                  :  802edfc0 ..  802edfe0 :        20 : 80003f00 : data #3
                  :  802edfe0 ..  802fe6a0 :    106c0 : 80003f00 : data #4
                  :  802fe6a0 ..  80351980 :    532e0 : 80003f00 : data #5
            d6000 :  80427980 ..  80429ea0 :      2520 : 800d9f00 : data #6
            14c0 :  8042b360 ..  8042fec0 :      4b60 : 800db3c0 : data #7

The second feature is that it can patch a dol file by reading a Riivolution XML file and applying all memory tags:

Example for NEWER SMBW:
Code:
# wit dolpat nsmb/main.dol -d nsmb/res.dol nsmb/NewerSMBW.xml
+Patched:        [D4] addr 802f148c+07, offset  2ed58c: 77 69 69 6d 6a 32 64 -> 4e 65 72 53 4d 42 57
-Original differ: [D4] addr 802f118c+07, offset  2ed28c: 00 00 00 00 80 31 65
-Original differ: [D4] addr 802f0fac+07, offset  2ed0ac: 00 00 00 2a 00 00 00
+Patched:        [D5] addr 80328478+04, offset  324578: 80 15 bc 60 -> 80 00 18 00
-Original differ: [D5] addr 80328130+04, offset  324230: 80 15 a5 b0
-Original differ: [D5] addr 80327e98+04, offset  323f98: 72 75 5f 30
+Patched:        [T1] addr 800e4a84+04, offset  e0ac4: 3c 60 01 20 -> 3c 60 01 40
-Original differ: [T1] addr 800e4994+04, offset  e09d4: 80 84 00 4c
-Original differ: [T1] addr 800e4914+04, offset  e0954: 00 00 00 00
+Patched:        [T1] addr 800b64ec+04, offset  b252c: 3c 80 00 30 -> 3c 80 00 32
-Original differ: [T1] addr 800b649c+04, offset  b24dc: 4e 80 00 20
-Original differ: [T1] addr 800b641c+04, offset  b245c: 83 e3 00 08
+Patched:        [T1] addr 801b0204+04, offset  1ac244: 54 00 ff fe -> 38 00 00 00
-Original differ: [T1] addr 801b00c4+04, offset  1ac104: 39 46 00 12
-Original differ: [T1] addr 801afed4+04, offset  1abf14: 83 a1 00 44
+Patched:        [T1] addr 8015d850+04, offset  159890: 38 60 00 00 -> 4e 80 00 20
-Original differ: [T1] addr 8015d710+04, offset  159750: 40 82 00 40
-Original differ: [T1] addr 8015d520+04, offset  159560: 81 9e 00 74
+Patched:        [T1] addr 800e4e84+04, offset  e0ec4: 38 63 33 0c -> 38 60 00 00
-Original differ: [T1] addr 800e4d70+04, offset  e0db0: 90 7f 00 4c
-Original differ: [T1] addr 800e4cf0+04, offset  e0d30: 41 82 00 1c
!Can't patch: Range outside dol: addr 80001800+968
* Save patched DOL to: nsmb/res.dol
The command line also accepts patch statements.
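
The delta rule described in this post, as an added example that is not part of the original post or of the wit tools: it parses the section rows of the dump table, translates an address range to a file offset, and cross-checks the result against four "+Patched" lines from the output above. Function and variable names are hypothetical.

```python
import re

# Section rows copied from the "wit dump pool/nsmb/main.dol --long" output.
DUMP = """\
        :  80004000 ..  800066c0 :     26c0 : 80003f00 : text #0
        :  800066c0 ..  80006720 :       60 : 7fd1c9a0 : data #0
        :  80006720 ..  80006780 :       60 : 7fd1c9a0 : data #1
        :  80006780 ..  802edce0 :   2e7560 : 80003fc0 : text #1
        :  802edce0 ..  802edfc0 :      2e0 : 80003f00 : data #2
        :  802edfc0 ..  802edfe0 :       20 : 80003f00 : data #3
        :  802edfe0 ..  802fe6a0 :    106c0 : 80003f00 : data #4
        :  802fe6a0 ..  80351980 :    532e0 : 80003f00 : data #5
  d6000 :  80427980 ..  80429ea0 :     2520 : 800d9f00 : data #6
   14c0 :  8042b360 ..  8042fec0 :     4b60 : 800db3c0 : data #7
"""
ROW = re.compile(r":\s*([0-9a-f]+)\s*\.\.\s*([0-9a-f]+)\s*:\s*[0-9a-f]+"
                 r"\s*:\s*([0-9a-f]+)\s*:\s*(\w+ #\d+)")

def parse_sections(text):
    """Return [(start, end, delta, name)] for every table row."""
    return [(int(a, 16), int(b, 16), int(d, 16), name)
            for a, b, d, name in ROW.findall(text)]

def addr_to_offset(sections, addr, size=1):
    """File offset = address - delta; the whole range must fit one section."""
    for start, end, delta, name in sections:
        if start <= addr and addr + size <= end:
            return addr - delta, name
    raise ValueError("Range outside dol: addr %08x+%02x" % (addr, size))

# (address, size, offset) taken from four "+Patched" lines in the same post.
PATCHED = [(0x802f148c, 7, 0x2ed58c), (0x80328478, 4, 0x324578),
           (0x800e4a84, 4, 0xe0ac4), (0x801b0204, 4, 0x1ac244)]

def crosscheck(sections):
    """Return the PATCHED rows whose computed offset disagrees with wit."""
    return [p for p in PATCHED
            if addr_to_offset(sections, p[0], p[1])[0] != p[2]]

if __name__ == "__main__":
    secs = parse_sections(DUMP)
    print("mismatches:", crosscheck(secs))
    print("%x in %s" % addr_to_offset(secs, 0x8015d850, 4))
```

An address such as 80001800 lies below the first section, so the lookup raises instead of returning an offset, which matches the "Range outside dol" line in the output above.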
 

wiismodrome

Not sure why this is not working. I used the exact command structure shown in your dolpatch example. Is an offset value supposed to be entered manually?

Here's the result with Newer (located in 'specials/NewerFiles/'), and the extracted NSMB in 'specials/nsmb.d/':

G:\specials>wit dolpatch nsmb.d/sys/main.dol \ xml=NewerFiles/riivolution/NewerSMBW.xml \ --source NewerFiles/NewerSMBW/
! wit: Offset expected: \
!Can't patch: Range outside dol: addr 7fffffff+07
!Can't patch: Range outside dol: addr 7fffffff+07
!Can't patch: Range outside dol: addr 7fffffff+07
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+968
! wit: Offset expected: \
* DOL not modified: nsmb.d/sys/main.dol
 

Wiimm

That looks like a 32/64 bit error. I tested it on linux/64 bit, and you're using the Cygwin version? (Cygwin is a 32 bit system).

I will test it and update the tools as soon as possible.

One other note:
The backslash as last char of a line means: continuation line follows. This is usual for unix based systems, but misleading for windows users. I'll remove them in the docu.
 

SifJar

Don't put the \. Those are just required if you're taking a new line (e.g. in a batch file). Remove them and it should work.

EDIT: Maybe I have too many tabs open at once...
 

wiismodrome

Removed the backslashes and it still did not work:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

G:\specials>wit dolpatch nsmb.d/sys/main.dol xml=NewerFiles/riivolution/NewerSMBW.xml --source NewerFiles/NewerSMBW/
!Can't patch: Range outside dol: addr 7fffffff+07
!Can't patch: Range outside dol: addr 7fffffff+07
!Can't patch: Range outside dol: addr 7fffffff+07
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+04
!Can't patch: Range outside dol: addr 7fffffff+968
* DOL not modified: nsmb.d/sys/main.dol

EDIT: Going to try using dolpatch with the latest wit on an XP 32-bit machine.
 

SifJar

Is there something illegal about patching the ISO to use the Newer Super Mario Bros. hack to be read on USB loaders? I'm just wondering why people are so hush-hush about it.
As long as you ripped the ISO from your own disc, it's legal. People being "hush-hush" is probably because chances are most people wanting to patch the ISO have not done so, and don't own a disc copy. The Newer team made the decision not to create an ISO patch as well as the Riivolution patch for (at least partly) that reason.
Well, according to GBAtemp's rules, it should be not allowed here to discuss how to bypass ap measures of programs.

But patching the ISO isn't bypassing the AP measures of any program. That's already been done when the ISO was ripped. Newer itself doesn't have any AP, and you're not bypassing Riivolution's "AP" either. (I say "AP" because as I understand it, it is mostly a case of not implementing backup loading features, rather than explicitly blocking them. I think they blocked a couple of modchips, so that's why I say "mostly").

EDIT: Of course, if you're going to get really technical about that rule, it could be argued that any software with the ability to rip or play backups of games should be disallowed, but that'd discount about 90% of the discussions on the site.
 

the_randomizer

it should be not allowed here to discuss how to bypass ap measures of programs.

Well, backing up ISO images and running them on HDDs is technically bypassing DRM/AP, but I'll just leave it at that and desist from asking the question again ;)

As long as you ripped the ISO from your own disc, it's legal. People being "hush-hush" is probably because chances are most people wanting to patch the ISO have not done so, and don't own a disc copy. The Newer team made the decision not to create an ISO patch as well as the Riivolution patch for (at least partly) that reason.

But patching the ISO isn't bypassing the AP measures of any program. That's already been done when the ISO was ripped. Newer itself doesn't have any AP, and you're not bypassing Riivolution's "AP" either. (I say "AP" because as I understand it, it is mostly a case of not implementing backup loading features, rather than explicitly blocking them. I think they blocked a couple of modchips, so that's why I say "mostly").

EDIT: Of course, if you're going to get really technical about that rule, it could be argued that any software with the ability to rip or play backups of games should be disallowed, but that'd discount about 90% of the discussions on the site.


Ugh. Oh well. Just going to drop it. Thanks for the explanation, I was merely curious is all. Must've had one helluva ASM hack to make essentially an entirely new game
 

wiismodrome

It was a 32/64 bit issue. Bad programmer!
A bug fix update is online now.

Thanks for the fix.

Here's the result using wit-v2.21b-r4492-cygwin:

G:\specials>wit dolpatch nsmb.d/sys/main.dol xml=NewerFiles/riivolution/NewerSMBW.xml --source NewerFiles/NewerSMBW/
+Patched: [D4] addr 802f118c+07, offset 2ed28c: 77 69... -> 4e 65...
+Patched: [D5] addr 80328130+04, offset 324230: 80 15... -> 80 00...
+Patched: [T1] addr 800e4994+04, offset e09d4: 3c 60... -> 3c 60...
+Patched: [T1] addr 800b649c+04, offset b24dc: 3c 80... -> 3c 80...
+Patched: [T1] addr 801b00c4+04, offset 1ac104: 54 00... -> 38 00...
+Patched: [T1] addr 8015d710+04, offset 159750: 38 60... -> 4e 80...
+Patched: [T1] addr 800e4d70+04, offset e0db0: 38 63... -> 38 60...
!Can't patch: Range outside dol: addr 80001800+968
* Save patched DOL to: nsmb.d/sys/main.dol
 
