1. HandsomeHans

    HandsomeHans Newbie
    Newcomer

    Joined:
    Jun 20, 2020
    Messages:
    2
    Country:
    Germany
    Is this guide still up to date? Also the download images don't display properly anymore, I think. Besides that, my Google Chrome blocks the download. Any way to fix that? I want to make an Advance Wars: Days of Ruin hack.
     
  2. FAST6191

    FAST6191 Techromancer
    Reporter

    Joined:
    Nov 21, 2005
    Messages:
    33,296
    Country:
    United Kingdom
    It is not like ROMs change with time.

    Still if you never played with internet archive there is no time like the present (also many links you might encounter when you learn to hack will often be broken so there is that)
    https://web.archive.org/web/2014041...ltimate-nintendo-ds-rom-hacking-guide.291274/
    It seems the original poster was around yesterday as well so maybe they will be able to restore things, or I might give it a go later.

    Also if you never visited http://forums.warsworldnews.com/viewforum.php?f=11 you might want to.
    Not so many editors but usually a lot of info.
     
    HandsomeHans likes this.
  3. HandsomeHans

    HandsomeHans Newbie
    Newcomer

    Joined:
    Jun 20, 2020
    Messages:
    2
    Country:
    Germany
    Thanks a lot, mate. Definitely will check out those links. :bow:
     
  4. Mimikyu2037

    Mimikyu2037 Member
    Newcomer

    Joined:
    Jul 24, 2020
    Messages:
    26
    Country:
    Australia
    How do I get this menu open in CrystalTile2? upload_2020-7-24_23-22-33.png
     
  5. FAST6191

    FAST6191 Techromancer
    Reporter

    Joined:
    Nov 21, 2005
    Messages:
    33,296
    Country:
    United Kingdom
    With a DS ROM opened in CT2 then click the little DS icon on the right hand side of the main menu. It will then pop up the menu in the bottom middle of the screen.
    If it detects a file format it knows (that one being the carc format, which is just NARC but compressed) then if you right click you will get a bunch of options depending upon the format. In the case of archive stuff you will then get a further window with the contents of the archive.
    You might also be able to load the carc file RAW into the CT2 and do some stuff but that gets trickier.
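For anyone who would rather see what CT2 is actually walking through when it lists an archive's contents, here is a small bounds-checked reader for the NARC layout mentioned above. This is an added example written for this thread, not CrystalTile2's own code; a "carc" is the same structure behind a compression layer, so it would need decompressing before a reader like this sees it. The two-file sample archive is constructed in memory, and every section size and file offset is checked against the buffer before being trusted, which is the check you want when feeding a tool data pulled out of a ROM you did not build.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example: minimal NARC reader. Layout (all little-endian):
 *   header 0x10 bytes: "NARC", BOM 0xFFFE, version 0x0100, file size, header size, section count (3)
 *   BTAF: "BTAF", size, u16 file count, u16 reserved, then (start, end) u32 pairs
 *   BTNF: "BTNF", size, name tables (ignored here)
 *   GMIF: "GMIF", size, file payloads; BTAF offsets are relative to the payload start */
typedef struct {
    const uint8_t *data;  /* start of GMIF payload */
    size_t data_len;
    const uint8_t *fat;   /* first BTAF (start, end) entry */
    uint32_t count;
} narc_t;

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v; p[1] = v >> 8; }

/* Returns 0 on success, -1 if buf is not a well-formed NARC that fits in len. */
int narc_open(narc_t *n, const uint8_t *buf, size_t len) {
    if (len < 16 || memcmp(buf, "NARC", 4) != 0) return -1;
    if (rd16(buf + 4) != 0xFFFE) return -1;            /* byte-order mark */
    if (rd32(buf + 8) > len) return -1;                /* declared size exceeds buffer */
    if (rd16(buf + 12) != 16 || rd16(buf + 14) != 3) return -1;
    const uint8_t *btaf = NULL, *gmif = NULL;
    size_t off = 16;
    for (int i = 0; i < 3; i++) {
        if (off + 8 > len) return -1;
        uint32_t size = rd32(buf + off + 4);
        if (size < 8 || size > len - off) return -1;   /* section overruns buffer */
        if (!memcmp(buf + off, "BTAF", 4)) btaf = buf + off;
        else if (!memcmp(buf + off, "GMIF", 4)) gmif = buf + off;
        else if (memcmp(buf + off, "BTNF", 4)) return -1;
        off += size;
    }
    if (!btaf || !gmif) return -1;
    uint32_t count = rd16(btaf + 8);
    if (rd32(btaf + 4) < 12 + (size_t)count * 8) return -1; /* FAT too short for its entries */
    n->count = count; n->fat = btaf + 12;
    n->data = gmif + 8; n->data_len = rd32(gmif + 4) - 8;
    return 0;
}

/* File i's bytes and length, or NULL if the FAT entry points outside the payload. */
const uint8_t *narc_get(const narc_t *n, uint32_t i, size_t *len) {
    if (i >= n->count) return NULL;
    uint32_t s = rd32(n->fat + i * 8), e = rd32(n->fat + i * 8 + 4);
    if (e < s || e > n->data_len) return NULL;
    *len = e - s;
    return n->data + s;
}

/* Constructed sample: two files, "hello" and "world!!", 4-byte aligned, 0xFF padding. */
size_t build_sample_narc(uint8_t *out) {
    static const char *files[2] = { "hello", "world!!" };
    memset(out, 0xFF, 84);
    memcpy(out, "NARC", 4); wr16(out + 4, 0xFFFE); wr16(out + 6, 0x0100);
    wr32(out + 8, 84); wr16(out + 12, 16); wr16(out + 14, 3);
    uint8_t *btaf = out + 16, *btnf = out + 44, *gmif = out + 60;
    memcpy(btaf, "BTAF", 4); wr32(btaf + 4, 28); wr16(btaf + 8, 2); wr16(btaf + 10, 0);
    memcpy(btnf, "BTNF", 4); wr32(btnf + 4, 16); wr32(btnf + 8, 4); wr16(btnf + 12, 0); wr16(btnf + 14, 1);
    memcpy(gmif, "GMIF", 4); wr32(gmif + 4, 24);
    uint32_t pos = 0;
    for (int i = 0; i < 2; i++) {
        uint32_t n = (uint32_t)strlen(files[i]);
        memcpy(gmif + 8 + pos, files[i], n);
        wr32(btaf + 12 + i * 8, pos); wr32(btaf + 16 + i * 8, pos + n);
        pos = (pos + n + 3) & ~3u;
    }
    return 84;
}

int main(void) {
    uint8_t buf[84]; narc_t n; size_t len;
    build_sample_narc(buf);
    if (narc_open(&n, buf, sizeof buf) != 0) { puts("not a NARC"); return 1; }
    for (uint32_t i = 0; i < n.count; i++) {
        const uint8_t *p = narc_get(&n, i, &len);
        printf("file %u: %zu bytes: %.*s\n", i, len, (int)len, p);
    }
    printf("truncated input rejected: %d\n", narc_open(&n, buf, 40));
    return 0;
}
```

Replace the constructed buffer with the bytes of a decompressed .narc and the loop prints each entry; a file whose FAT entry runs past the GMIF payload comes back as NULL rather than a read beyond the buffer.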
     
  6. Mimikyu2037

    Mimikyu2037 Member
    Newcomer

    Joined:
    Jul 24, 2020
    Messages:
    26
    Country:
    Australia
    I don't really understand, sorry. Here's my screen. I don't know what DS icon you mean, and when I right click on most files it says ".(filetype) Unknown PakFile" at the bottom. upload_2020-7-25_0-39-45.png
     
  7. FAST6191

    FAST6191 Techromancer
    Reporter

    Joined:
    Nov 21, 2005
    Messages:
    33,296
    Country:
    United Kingdom
    You might try in the tools menu as well. It might have something to handle NARC files. Might also want to decompress it first (if it detects the compression it will have a decompress option as well as extract/unpack).
    Alternatively things can be detected better by CT2 when decompressed.
     
  8. Mimikyu2037

    Mimikyu2037 Member
    Newcomer

    Joined:
    Jul 24, 2020
    Messages:
    26
    Country:
    Australia
    I'm trying to follow along with part 2 of the tutorial and it says to open consoletool3, but I can't figure out how to open it. There's no exe or anything.
     
  9. Aaroaoi

    Aaroaoi Newbie
    Newcomer

    Joined:
    Jul 24, 2020
    Messages:
    5
    Country:
    Estonia
    What is the password to extract Crystal Tile 2?
     
  10. FAST6191

    FAST6191 Techromancer
    Reporter

    Joined:
    Nov 21, 2005
    Messages:
    33,296
    Country:
    United Kingdom
    Probably want to find a better download where someone repacked it.

    Still if it is the standard one from the site itself
    Code:
    www.angeleden.net
     
  11. Aaroaoi

    Aaroaoi Newbie
    Newcomer

    Joined:
    Jul 24, 2020
    Messages:
    5
    Country:
    Estonia
    It says that the site can't be reached.
     
  12. FAST6191

    FAST6191 Techromancer
    Reporter

    Joined:
    Nov 21, 2005
    Messages:
    33,296
    Country:
    United Kingdom
    Yeah, it died years ago. It is however the password for the zip file and most other files -- around the time it was released people still used a lot of direct links and had not figured out the "wait 5 seconds, point at the traffic lights and then click problems downloading anyway" routine. To that end a decent way to ensure you spread your site was to use the site name or something as a password.
     
  13. Aaroaoi

    Aaroaoi Newbie
    Newcomer

    Joined:
    Jul 24, 2020
    Messages:
    5
    Country:
    Estonia
    Okay, I typed it and it said it was not valid.
     
  14. FAST6191

    FAST6191 Techromancer
    Reporter

    Joined:
    Nov 21, 2005
    Messages:
    33,296
    Country:
    United Kingdom
    No idea in that case. Assuming you did not typo somewhere in that then I guess someone else changed the password to something else.
    https://www.romhacking.net/utilities/818/ if you still want it.
     
    Aaroaoi likes this.
  15. Sammy6

    Sammy6 Member
    Newcomer

    Joined:
    Feb 28, 2020
    Messages:
    45
    Country:
    Canada
    Is there any way to edit the code?
     
  16. FAST6191

    FAST6191 Techromancer
    Reporter

    Joined:
    Nov 21, 2005
    Messages:
    33,296
    Country:
    United Kingdom
    Code for what?

    Many times in threads like this then code = the ROM itself and... yeah this is what this thread and the ROM hacking section here cover and have for years.

    If the average programmer asks me that then I will think they mean either the stuff running on the CPU or a scripting language if it is one of those games (we saw a few on the DS using various shades of Lua as well as their own custom stuff that may or may not have been Turing complete).

    In that case yeah pretty much since proper custom ROMs could be run.

    In DS ROMs the code is found in technically four locations, maybe 5 but we will cover that in a minute, plus scripting if that is a thing.

    Said locations are

    ARM9.bin

    ARM7.bin

    Overlay files, both ARM9 and ARM7 flavours can exist in theory but in practice there will tend to only be ARM9 files.

    The fifth oddity then being download play (usually seen as something .srl or utility.bin, especially if located in a directory called DWC). This is basically another DS ROM (as in literally use the same tools you used to pull apart the ROM to get there to play with this). It is signed so you either need to use the signing trick discovered not so very long ago or use a DS with flashme installed (don't know what goes for DSi and 3DS). Most things will be various flavours of compressed. Editing this is usually done for purposes of editing the download play aspect (sometimes they are nice little games you can't get otherwise) or if the download play is a simplified version of the main game and you can use that as being simpler to find a rough equivalent (don't know I have really seen this done for assembly, quite often though for fonts, graphics and the general layout of a ROM and thus it follows assembly might yield something).


    Anyway general breakdown for most commercial ROMs (homebrew can and does play things differently on occasion).

    ARM9. This is the workhorse of the DS. It is the faster of the two processors and more capable, and sort of tied into hardware more (though for most practical purposes you don't care). If the game does something as far as game mechanics it is probably done with this.

    ARM7. This is a coprocessor but basically relegated to glorified library. The ARM7.bin files can actually be swapped around with other ROMs of similar vintage with no ill effect, indeed it was a sort of fix at one point.
    The only reason any ROM hacker usually cares about the ARM7 is because it can be a nice place to inject some of your own code.

    Overlays...
    In modern computer world we use DLL files and other such things to have code grabbed and used that would not be used the whole time and thus does not need to be in memory, however the functionality would be nice to be able to use once every so often/few thousand runs (see the classic everybody only uses 10% of the functionality, however it is a different 10% thing). The DS however is in terms of architecture closer to an early 1990s computer (albeit with better 3d, still 4 megs of RAM though). It then uses an older method called overlays. Here a section of memory is set aside (can be one overlay at a time, sometimes has multiple sub sections) and then swapped out at will. We have seen games use thousands of overlays and have everything from actual instructions for the CPU to run to just graphical assets but this is rare.


    You edit these much as you would with anything else

    A disassembler takes the binary and outputs it as assembly code
    http://problemkaputt.de/gbatek.htm#armcpureference
    http://imrannazar.com/ARM-Opcode-Map

    If you are not familiar with assembly I don't have a great intro to it by way of jumping right into ARM.
    I usually suggest
    https://www.plantation-productions.com/Webster/
    http://stuff.pypt.lt/ggt80x86a/asm1.htm

    Disassemblers are many and somewhat varied
    ndsdis2 is an old one but nice for a lot of things.
    crystaltile2 (you see pictures of it above) has such things
    many emulators will have such features, with the added bonus of being available at runtime so you can follow what is going on. Also dodges compression issues.

    Desmume has such things but no$gba is probably what we suggest
    http://problemkaputt.de/gba.htm
    There are several other emulators with some amount of debugging functionality, however they are mostly old. MelonDS does however look to be doing something.

    Compression issues.
    All the DS binaries and overlays can optionally be compressed by the devs that made the game, or on super rare occasion the one dumping or hacking the game (this is generally discouraged and viewed as pointless but it is a thing that can be out there).
    The compression however is not the standard compression seen in most other files on the DS (and GBA) and is instead a kind of backwards approach. Just need the relevant tool to handle it
    In this case the BLZ tool in https://www.romhacking.net/utilities/826/ is good.
    Crystaltile2 has such options but often lies about detecting compression.

    If you do any amount of assembly work as a big boy hacker you will probably meet IDA, though it is paid for software. There are some modules for it but have not kept up to date there. Not sure if ghidra and radare2 have anything specifically for ARM right now but they are two of the tools that usually form the open source world's answer to IDA.
    Desmume above speaks to GDB if you want it to. GDB is a debugger for popular open source programming tools.


    Debuggers if you use one have a few key features. Breakpoints and memory viewers are what most will spend most time with here.

    Once you are done looking at assembly code you then want to edit it.
    Nobody disassembles something, changes one thing and reassembles it. Indeed disassemblers tend to struggle to output a file that can be reassembled. The only times this happens is when someone spends many days/months/years getting it back to a point this works for. It has happened before in ROM hacking world (all those nice Mario, Sonic and pokemon disassemblies tending to be this when completed, plus all nice comments, variable names and the like) but yeah tends to be reserved for old and popular games, likely not whatever you are looking at.

    Anyway you can hand encode instructions (the earlier links for DS/ARM assembly covering how you would do that) but that is a monstrous pain in the arse for more than about 3 instructions that are replacing existing ones. Start changing things up, adding functionality and making more code than you started with and not fun at all.
    To this end we have assemblers. Your debugger or disassembler if it is one of the fancy GUI ones might have such functionality. More than likely you get to write a code fragment and then either inject it yourself, or maybe with some of them you can even specify an injection point and it will do it for you.

    Generally there are two tools people use here, however many more exist out in the world

    1) Some hacked up GCC (GCC being the GNU compiler collection, also commonly associated with GDB mentioned earlier, and also basis for many homebrew development kits) script.
    Not sure what I have for a download right now and don't know I would suggest installing full devkitpro/devkitarm just for this but eh.

    You might see variations in things like
    https://gbatemp.net/threads/crackers-ds-trainer-maker-tutorial.44410/
    https://web.archive.org/web/20140518192134/http://crackerscrap.com/index.php

    2) A more dedicated hacking tool like ARMIPS. This is probably what I would suggest get working for you.
    http://www.romhacking.net/utilities/635/
    https://github.com/Kingcom/armips
    https://buildbot.orphis.net/armips/

    There are plenty of other things (see something like the new super mario brothers wave audio injection script as it did some fun things) but those are the main two most around here and other places will use.

    Places to inject your code then.
    Always a fun one when playing assembly hacker.
    Unlike many older systems also using cartridges the DS copies (possibly decompresses) the binary into RAM. This means you don't necessarily have as much space as you might like (the GBA on the other hand -- more or less the rest of the full 32 megabytes to do what you like in) or that might be available in other aspects of DS ROM hacking.
    Being in RAM does mean you can make a cheat to edit the binary in RAM (various tools will tell you, indeed one of the bonuses of emulators, but NDSTS is my usual choice here http://www.no-intro.org/tools.htm )
    Anyway if you can do it all in place (say you want to change a subtract to an add, or maybe a NOP just to have it do nothing* rather than taking a path you don't like so it always takes the one you want) then do that.
    If not then you get to find a space.
    You can optimise code. Don't do this if you can help it -- generally only optimise when you need the speed boost or battery consumption lowered.
    This then leaves finding redundant code to instead overwrite with your stuff and have the game jump from where it normally would be to there, do what it needed to do (including any instructions you overwrote with the jumps) and jump back. In the case of the DS the compiler had a nasty habit of including each and every random wifi error code for things that nobody in the world likely ever experienced but could still have happened, in maybe 5 languages if it was a European ROM. If then you have a wifi enabled game you can find these (they are usually in plain ASCII) and overwrite them with your stuff.
    There might also be random junk the devs left in for whatever reason and you can overwrite that.
    Free space memory on the DS is kind of a thing sometimes. Tools to help find it include older versions of DSATM (4.3.4 I think was the last) which has a DEADBEEF padding option (it will hopefully flood the memory with DEADBEEF as opposed to the normal 0000 or random noise, you then play through to the point you care about in the game, plus whatever options/oddities you can think of, and if the memory still has DEADBEEF in there it likely is not going to use it and you are free to use it yourself). There is also the desmume free space finder fork https://gbatemp.net/threads/unofficial-desmume-build-unused-memory-finder-tool.349332/
    Theoretically you could do your own extra overlay too but I don't think anybody has ever done this. Might have used the overlay space for a sneaky spare bit of memory though.
    After the overlay section is often a small dump of the firmware details (your birthday, favourite colour, nickname and whatever else it gets you to enter). Any use this sees in games is usually for the language settings (you can change this to force different languages even, sometimes including languages the game never officially featured, though most just use it with bad flash carts and emulators on mobile phones) and maybe the nickname so you can consider this one.
    I mentioned ARM7 earlier. Many cheat tools do use this, fewer hackers though.


    *NOP is short for no operation which is to say it still runs but no end result happens. Not all processors will have a dedicated one, not all assemblers will give you one as a shortcut (some assemblers give people little shortcut meta instructions**) but you can usually make one where nothing really happens. mov r1, r1 being a fairly obvious example wherein the contents of r1 are copied to r1 and thus nothing happens but some wasted time.

    **seems my tangents have asides which have tangents now. Classic one is the ARM processor can't include a full 32 bit number in the instruction itself (no room for the instruction if they do that), this differs to PC. Many assemblers however will create something like this for you and handle it all itself. This spares the user then having to do something like put the 16 or however many bits in they can, then shifting the result and then adding the final bit (kind of like if you can't write 110 you can still do add 10, multiply by 10 and add 10 and yes that is possibly a bit longer winded than just multiplying by 11 but shifting is a thing on ARM processors), or maybe messing around with movn (mov negate, basically put the number in and invert the results movn 0000 becomes FFFF in memory sort of thing).

    Anyway most DS assembly hackers are only concerned with changing the maths within parameters it understands (2x growth is still growth using all the same maths), marginally improving things (say adding a variable width font), stopping it from doing something (in the classic IF ELSE programming loop you might NOP one of the various IFs, in this case likely some form of compare and branch if equal or maybe not equal, so the more positive ELSE always happens, or maybe telling it to always take the good path -- classic example being anti piracy checks in that you don't have to disable the check if you can instead just tell it to always take the "all is good here" path) or something equally compact.


    I should also note that in the various "gigaleaks" earlier this year various pieces of DS source code were leaked, including for some pokemon games, and the attendant development tools (before it was mostly some old stuff). You are on your own for that one, however it is possible and some people of relatively limited coding skills managed to get the compilers working. Also means you can edit C code rather than assembly, and also not have to worry so much about injection (you are still limited by the hardware but eh).
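To put some numbers on the hand-encoding, NOP and "can't fit a 32 bit number in one instruction" points from the post above, here is an added example (my own code, not anything from armips, GCC or any of the linked tools) for 32-bit ARM state (not Thumb). It shows the 8-bit-rotated immediate rule that decides whether MOV can take a constant directly, the MOV/MVN/ORR chain an assembler would synthesise when it can't, the `mov r0, r0` word that serves as NOP, and an in-place patch of a constructed three-instruction image that refuses unaligned or out-of-range offsets. The sample bytes and register choices are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example: hand-encoding a few ARM instructions and patching them into a
 * binary image. Encodings below are the standard ARM ones with cond = AL (0xE). */

static uint32_t rol32(uint32_t v, unsigned s) {
    return s ? (v << s) | (v >> (32 - s)) : v;
}

/* ARM data-processing immediates: an 8-bit value rotated right by an even
 * amount 0..30. Returns 1 and fills *imm12 (rot << 8 | imm8) if v fits. */
int arm_encode_imm(uint32_t v, uint32_t *imm12) {
    for (unsigned rot = 0; rot < 16; rot++) {
        uint32_t r = rol32(v, 2 * rot);
        if (r <= 0xFF) { *imm12 = (rot << 8) | r; return 1; }
    }
    return 0;
}

uint32_t arm_mov_imm(unsigned rd, uint32_t imm12) { return 0xE3A00000u | (rd << 12) | imm12; }
uint32_t arm_mvn_imm(unsigned rd, uint32_t imm12) { return 0xE3E00000u | (rd << 12) | imm12; }
uint32_t arm_orr_imm(unsigned rd, uint32_t imm12) { return 0xE3800000u | (rd << 16) | (rd << 12) | imm12; }
uint32_t arm_mov_reg(unsigned rd, unsigned rm)    { return 0xE1A00000u | (rd << 12) | rm; }
uint32_t arm_nop(void)                            { return arm_mov_reg(0, 0); } /* mov r0, r0 */

/* Load any 32-bit constant into rd: one MOV if it fits, one MVN if its inverse
 * fits, otherwise MOV plus up to three ORRs, one byte of the value at a time.
 * Writes the instructions to out[4] and returns how many were needed. */
size_t arm_load_const(unsigned rd, uint32_t v, uint32_t out[4]) {
    uint32_t imm;
    if (arm_encode_imm(v, &imm))  { out[0] = arm_mov_imm(rd, imm); return 1; }
    if (arm_encode_imm(~v, &imm)) { out[0] = arm_mvn_imm(rd, imm); return 1; }
    size_t n = 0;
    for (unsigned shift = 0; shift < 32; shift += 8) {
        uint32_t chunk = v & (0xFFu << shift);
        if (!chunk) continue;
        arm_encode_imm(chunk, &imm);  /* a byte-aligned single byte always fits */
        uint32_t op = (n == 0) ? arm_mov_imm(rd, imm) : arm_orr_imm(rd, imm);
        out[n] = op;
        n++;
    }
    return n;
}

/* B/BL have bits 27..25 == 101. SUB and ADD are data-processing opcodes 0010
 * and 0100 in bits 24..21, so "subtract to add" is a one-field change. */
int arm_is_branch(uint32_t w) { return ((w >> 25) & 7u) == 5u; }
uint32_t arm_sub_to_add(uint32_t w) {
    if (((w >> 26) & 3u) != 0 || ((w >> 21) & 0xFu) != 2u) return w;  /* not a SUB */
    return (w & ~(0xFu << 21)) | (4u << 21);
}

/* Overwrite one little-endian instruction word; -1 for unaligned or out-of-range offsets. */
int arm_patch_word(uint8_t *bin, size_t len, size_t off, uint32_t w) {
    if (off % 4 || off + 4 > len) return -1;
    bin[off] = w; bin[off + 1] = w >> 8; bin[off + 2] = w >> 16; bin[off + 3] = w >> 24;
    return 0;
}
uint32_t arm_read_word(const uint8_t *bin, size_t off) {
    return bin[off] | bin[off + 1] << 8 | bin[off + 2] << 16 | (uint32_t)bin[off + 3] << 24;
}

int main(void) {
    uint32_t seq[4];
    size_t n = arm_load_const(0, 0xDEADBEEFu, seq);
    printf("loading DEADBEEF into r0 takes %zu instructions:", n);
    for (size_t i = 0; i < n; i++) printf(" %08X", seq[i]);
    printf("\n");

    /* Constructed sample image: cmp r0,#0 ; beq +3 ; sub r0,r0,#1 */
    uint8_t img[12];
    arm_patch_word(img, sizeof img, 0, 0xE3500000u);
    arm_patch_word(img, sizeof img, 4, 0x0A000003u);
    arm_patch_word(img, sizeof img, 8, 0xE2400001u);
    if (arm_is_branch(arm_read_word(img, 4)))
        arm_patch_word(img, sizeof img, 4, arm_nop());      /* conditional path no longer taken */
    arm_patch_word(img, sizeof img, 8, arm_sub_to_add(arm_read_word(img, 8)));
    printf("patched: %08X %08X %08X\n", arm_read_word(img, 0), arm_read_word(img, 4), arm_read_word(img, 8));
    printf("write past end rejected: %d\n", arm_patch_word(img, sizeof img, 12, arm_nop()));
    return 0;
}
```

Run it and the DEADBEEF load comes out as four words (a MOV and three ORRs), which is exactly the sort of thing you would rather have an assembler like ARMIPS generate than count rotations for by hand. The branch check before the NOP is there so a typo in the offset clobbers nothing unexpected: compare the word you are about to overwrite with what the disassembler showed you.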
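The DEADBEEF padding trick from the post is easy to automate once you have a RAM dump from after a play session, so here is an added example (my own, not DSATM's or the desmume fork's code) that scans a dump for the longest run of words still holding the fill marker. A minimum run length is applied so a stray word that merely happens to equal the marker is not reported as free space; the 64-word dump is constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example: find untouched memory after a marker-filled run of the game. */
#define FILL_MARKER 0xDEADBEEFu

/* Length in words of the longest run of `marker` in ram[0..words); its starting
 * word index goes to *start (0 when nothing qualifies). Runs shorter than
 * min_words are ignored. */
size_t longest_fill_run(const uint32_t *ram, size_t words, uint32_t marker,
                        size_t min_words, size_t *start) {
    size_t best = 0, best_start = 0, run = 0;
    for (size_t i = 0; i <= words; i++) {          /* i == words flushes the last run */
        if (i < words && ram[i] == marker) { run++; continue; }
        if (run >= min_words && run > best) { best = run; best_start = i - run; }
        run = 0;
    }
    *start = best_start;
    return best;
}

/* Constructed sample dump: everything "written" by the game except a two-word
 * marker fragment (too short to trust) and a 20-word block that was never touched. */
void build_sample_dump(uint32_t *ram, size_t words) {
    for (size_t i = 0; i < words; i++) ram[i] = 0xE1A00000u + (uint32_t)i;
    ram[10] = FILL_MARKER; ram[11] = FILL_MARKER;
    for (size_t i = 30; i < 50; i++) ram[i] = FILL_MARKER;
}

int main(void) {
    uint32_t ram[64]; size_t start;
    build_sample_dump(ram, 64);
    size_t n = longest_fill_run(ram, 64, FILL_MARKER, 4, &start);
    printf("largest untouched run: %zu words (%zu bytes) at word %zu (offset 0x%zX)\n",
           n, n * 4, start, start * 4);
    return 0;
}
```

As the post says, a block that survived one session is only a candidate: take dumps after the menus, the save/load path and anything else you can trigger, and only treat a region as free if it still holds the marker in all of them.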
     
  17. Sammy6

    Sammy6 Member
    Newcomer

    Joined:
    Feb 28, 2020
    Messages:
    45
    Country:
    Canada
    Thanks for such a detailed post! This'll surely be helpful!
     