Help Thread: ASM & Disassembly

[azurile13]

You can temporarily edit a stat. Try something like placing it in the pc then withdrawing again. It will cancel out your alteration which (I'm guessing) is not your goal.

 

[Lance32497]

You can temporarily edit a stat. Try something like placing it in the pc then withdrawing again. It will cancel out your alteration which (I'm guessing) is not your goal.

Oh, I haven't tried that yet, maybe that's not a good hack to start my asm. Well I will still try, If I finally changed the bytes there then I will advance to that.

 

[NewDenverCity]

Oh, I haven't tried that yet, maybe that's not a good hack to start my asm. Well I will still try, If I finally changed the bytes there then I will advance to that.

http://bulbapedia.bulbagarden.net/wiki/Pokémon_data_structure_in_Generation_III
You'll need this to understand the Pokémon data structure.

 

[Lance32497]

http://bulbapedia.bulbagarden.net/wiki/Pokémon_data_structure_in_Generation_III
You'll need this to understand the Pokémon data structure.

I actually knew tye data structure, as I had studied that before I try to build a routine. My problem, as stated by azurile13, is the changes will be discarded after I deposit-withdraw the pokemon in PC, also, I can't edit any byte from the stats with my routine. I will try to modify the routine given by FBI

 

[PurpleOrange]

No, you should just use some math. Recall, countpokemon stores the amount of Pokemon in the lastresult (I forget if it's 0-5 or 1-6). From there, you just add to 0x2024284, 0x64 * amount of Pokemon. Lastresult is 0x20370D0 btw.

i'm a little confused by this bit, do i use countpokemon in an xse script and somehow put the compare lastresult part in the routine? sorry if 'm being stupid here ahaha

You can't using mov. What you can do is use ldr instead of move for things that are 32 bits (so a nickname won't fit). But set_attr (the function Touched calls in that routine) takes a pointer to the value to set, rather than an actual value (so you don't need to make r2 something other than a pointer. Touched uses the stack, which is probably what confused you. You could use a ROM address. Like this:

    ldr r0, =(0x02024284)
    mov r1, #0x2
   ldr r2, =(address to nick name)
    ldr r3, =(0x0804037C + 1)
    bl linker

so the ldr r2 replaces the move r2; push {r2}; and move r2, sp, but does the bl linker get rid of the bl call_via r3 and the two pops at the end of the routine?

orig routine below for convenience

Spoiler:

.text
.align 2
.thumb
.thumb_func

main:
    push {lr}

    ldr r0, =(0x02024284)
    mov r1, #0x27
    mov r2, #0x1F
    push {r2}
    mov r2, sp
    ldr r3, =(0x0804037C + 1)
    bl call_via_r3
    pop {r2}
    pop {pc}

call_via_r3:
    bx r3

 

[Inmortal Kaktus]

Well ... I have a question about creating a sort of puzzle, that is, what I want is to make a square 3x3 in map, ie, 3 tiles 3 tiles. In which there are only eight tiles, but in one, empty. And when you press "A " on a tile that is adjacent to the empty space, the tile will move it, so I can make the puzzle.

By the way, I feel my bad English, I'm Spanish

 

[C me]

This routine won't compile for me for some reason, usually when I drag a routine onto the compiler I get the bin file, but nothing appears for this one.

Spoiler:

.text
.align 2
.thumb
.thumb_func
.global crushgrip

main:
push {lr}
ldr r0, targetBank
ldrb r0, [r0]
ldr r1, battleData
mov r2, #0x58
mul r0, r2
add r3, r0, r1
ldrh r0, [r3, #0x28]
mov r2, #0x78
ldrh r1, [r3, #0x2c]
mov r3, r1
sub r1, r0
mov r0, r1
mul r0, r2
mov r1, r3
bl divide
mov r1, #0x1
add r1, r0
ldr r2, basePower
strb r1, [r2]
pop {r0}
bx r0

divide:
ldr r2, divider
bx r2

.align 2
targetBank: .word 0x0202420C
battleData: .word 0x02024084
divider: .word 0x082E7541
basePower: .word 0x02024400

What's wrong?

 

[Touched]

This routine won't compile for me for some reason, usually when I drag a routine onto the compiler I get the bin file, but nothing appears for this one.

Spoiler:

.text
.align 2
.thumb
.thumb_func
.global crushgrip

main:
push {lr}
ldr r0, targetBank
ldrb r0, [r0]
ldr r1, battleData
mov r2, #0x58
mul r0, r2
add r3, r0, r1
ldrh r0, [r3, #0x28]
mov r2, #0x78
ldrh r1, [r3, #0x2c]
mov r3, r1
sub r1, r0
mov r0, r1
mul r0, r2
mov r1, r3
bl divide
mov r1, #0x1
add r1, r0
ldr r2, basePower
strb r1, [r2]
pop {r0}
bx r0

divide:
ldr r2, divider
bx r2

.align 2
targetBank: .word 0x0202420C
battleData: .word 0x02024084
divider: .word 0x082E7541
basePower: .word 0x02024400

What's wrong?

No idea, seems to assemble just fine for me.

Do not drag your assembly file onto the assembler, use the command line so that you have a chance to read the output. If you have to drag and drop, add a pause to end of the batch file (I assume you're using Hackmew's batch file) so that you can read the assembler output.

 

[C me]

No idea, seems to assemble just fine for me.

Do not drag your assembly file onto the assembler, use the command line so that you have a chance to read the output. If you have to drag and drop, add a pause to end of the batch file (I assume you're using Hackmew's batch file) so that you can read the assembler output.

I drag it onto the thumb program, how do I add a pause?

 

[HidoranBlaze]

I drag it onto the thumb program, how do I add a pause?

http://lmgtfy.com/?q=how+to+add+a+pause+in+a+batch+file

 

[C me]

Its says Assembler messages:

38:Warning: Partial line at end of file ignored

26:Error: invalid offset, value too big <0xFFFFFFFC>

 

[azurile13]

Its says Assembler messages:

38:Warning: Partial line at end of file ignored

26:Error: invalid offset, value too big <0xFFFFFFFC>

Idk. I copy pasted and was also able to assemble with no issues, but I'm not using hackmew's batch file.

Is there anything else you're assembling in the same .s file? Meh, here's your bin:

00 B5 0C 48 00 78 0C 49 58 22 50 43 43 18 18 8D 78 22 99 8D 0B 1C 09 1A 08 1C 50 43 19 1C 00 F0 06 F8 01 21 09 18 06 4A 11 70 01 BC 00 47 03 4A 10 47 C0 46 0C 42 02 02 84 40 02 02 41 75 2E 08 00 44 02 02

 

[DeliPunch]

How to compile and use this patch? (it is for gold)

Spoiler:

org: MACRO
IF $02 ; _NARG == $02
IF \1 == $00
SECTION "section\@", HOME[\2]
ELSE
SECTION "section\@", CODE[\2], BANK[\1]
ENDC
ELSE
IF \1 < $4000
SECTION "section\@", HOME[\1]
ELSE
SECTION "section\@", CODE[(\1 & $3FFF) + $4000], BANK[\1 >> 14]
ENDC
ENDC
ENDM

org $00, $0065
Label1:
ld a, [$FF70] ; get wram bank
push af ; save value
ld a, $01 ; set a to 1
ld [$FF70], a ; set wram bank
call Label2 ; new fixtime function
pop af ; restore value
ld [$FF70], a ; set wram bank
ret

org $00, $0073
Label2:
ld a, [$D1EF] ; get playtime frames
ld [$FF9A], a ; store time seconds
ld a, [$D1EE] ; get playtime seconds
ld [$FF98], a ; store time minutes
ld a, [$D1ED] ; get playtime minutes
sub a, $30 ; sub value by 48
jr nc, .here ; doesn't carry jump
add a, $30 ; restore value if carried
sub a, $18 ; sub value by 24
jr nc, .here ; doesn't carry jump
add a, $18 ; restore value if carried
.here
ld [$FF96], a ; set time hours
ld a, [$FF9A] ; get time seconds
cp a, $00 ; compare to zero
ret nz ; return if not zero
ld a, [$FF98] ; get time minutes
cp a, $00 ; compare to zero
ret nz ; return if not zero
ld a, [$FF96] ; get playtime hours
cp a, $00 ; compare to zero
ret nz ; return if not zero
ld a, [$D1F2] ; get time day of week
inc a ; increment by 1
ld [$D1F2], a ; store time day of week
ret

org $00, $0467
nop ; call getclock
nop
nop
nop ; call fixdays
nop
nop
call Label1 ; wram bank and fixtime function

org $00, $053D
nop ; getclock and fixdays in bank 05

org $00, $0665
nop ; getclock and fixdays in bank 05

org $01, $5B2F
nop ; write textbox for RTC date mainscreen
nop
nop

org $01, $5B39
nop ; write text for RTC date mainscreen
nop
nop

org $01, $5FAA
nop ; remove time set dialog on new game

Also, PKSVUI cant load Scintilla.dll even though they're in the same directory

 

[sdw7sm]

Hi,
I found the routine of the battle command C1 (hidden power), I wanted to write a far more simple routine to just return the type of the user (wich I think I have), and, if it is needed, the power (fixe)

Here is the hidden power routine :

Spoiler:

sub_8054400: @ DATA XREF: ROM:battle_script_command_tableo
ROM:08054400 PUSH {R4-R7,LR}
ROM:08054402 MOV R7, R10
ROM:08054404 MOV R6, R9
ROM:08054406 MOV R5, R8
ROM:08054408 PUSH {R5-R7}
ROM:0805440A LDR R2, =0x2024084
ROM:0805440C LDR R0, =0x202420B
ROM:0805440E LDRB R1, [R0]
ROM:08054410 MOVS R0, #0x58 @ 'X'
ROM:08054412 MOVS R4, R1
ROM:08054414 MULS R4, R0
ROM:08054416 ADDS R4, R4, R2
ROM:08054418 LDRB R0, [R4,#0x14]
ROM:0805441A MOV R10, R0
ROM:0805441C MOV R7, R10
ROM:0805441E LSLS R7, R7, #0x1B
ROM:08054420 MOVS R0, R7
ROM:08054422 LSRS R0, R0, #0x1B
ROM:08054424 MOV R10, R0
ROM:08054426 MOVS R1, #2
ROM:08054428 MOV R2, R10
ROM:0805442A ANDS R2, R1
ROM:0805442C ASRS R2, R2, #1
ROM:0805442E LDRH R7, [R4,#0x14]
ROM:08054430 MOV R9, R7
ROM:08054432 MOV R0, R9
ROM:08054434 LSLS R0, R0, #0x16
ROM:08054436 MOV R9, R0
ROM:08054438 LSRS R3, R0, #0x1B
ROM:0805443A MOVS R0, R1
ROM:0805443C ANDS R0, R3
ROM:0805443E ORRS R2, R0
ROM:08054440 LDRB R7, [R4,#0x15]
ROM:08054442 MOV R8, R7
ROM:08054444 MOV R0, R8
ROM:08054446 LSLS R0, R0, #0x19
ROM:08054448 MOV R8, R0
ROM:0805444A LSRS R3, R0, #0x1B
ROM:0805444C MOVS R0, R1
ROM:0805444E ANDS R0, R3
ROM:08054450 LSLS R0, R0, #1
ROM:08054452 ORRS R2, R0
ROM:08054454 LDR R6, [R4,#0x14]
ROM:08054456 LSLS R6, R6, #0xC
ROM:08054458 LSRS R3, R6, #0x1B
ROM:0805445A MOVS R0, R1
ROM:0805445C ANDS R0, R3
ROM:0805445E LSLS R0, R0, #2
ROM:08054460 ORRS R2, R0
ROM:08054462 LDRH R5, [R4,#0x16]
ROM:08054464 LSLS R5, R5, #0x17
ROM:08054466 LSRS R3, R5, #0x1B
ROM:08054468 MOVS R0, R1
ROM:0805446A ANDS R0, R3
ROM:0805446C LSLS R0, R0, #3
ROM:0805446E ORRS R2, R0
ROM:08054470 LDRB R3, [R4,#0x17]
ROM:08054472 LSLS R3, R3, #0x1A
ROM:08054474 LSRS R0, R3, #0x1B
ROM:08054476 ANDS R1, R0
ROM:08054478 LSLS R1, R1, #4
ROM:0805447A ORRS R2, R1
ROM:0805447C MOVS R1, #1
ROM:0805447E MOVS R4, R1
ROM:08054480 MOV R7, R10
ROM:08054482 ANDS R4, R7
ROM:08054484 MOV R0, R9
ROM:08054486 LSRS R0, R0, #0x1B
ROM:08054488 MOV R9, R0
ROM:0805448A MOVS R0, R1
ROM:0805448C MOV R7, R9
ROM:0805448E ANDS R0, R7
ROM:08054490 LSLS R0, R0, #1
ROM:08054492 ORRS R4, R0
ROM:08054494 MOV R0, R8
ROM:08054496 LSRS R0, R0, #0x1B
ROM:08054498 MOV R8, R0
ROM:0805449A MOVS R0, R1
ROM:0805449C MOV R7, R8
ROM:0805449E ANDS R0, R7
ROM:080544A0 LSLS R0, R0, #2
ROM:080544A2 ORRS R4, R0
ROM:080544A4 LSRS R6, R6, #0x1B
ROM:080544A6 MOVS R0, R1
ROM:080544A8 ANDS R0, R6
ROM:080544AA LSLS R0, R0, #3
ROM:080544AC ORRS R4, R0
ROM:080544AE LSRS R5, R5, #0x1B
ROM:080544B0 MOVS R0, R1
ROM:080544B2 ANDS R0, R5
ROM:080544B4 LSLS R0, R0, #4
ROM:080544B6 ORRS R4, R0
ROM:080544B8 LSRS R3, R3, #0x1B
ROM:080544BA ANDS R1, R3
ROM:080544BC LSLS R1, R1, #5
ROM:080544BE ORRS R4, R1
ROM:080544C0 LDR R5, =(word_20243CC+0x34)
ROM:080544C2 LSLS R0, R2, #2
ROM:080544C4 ADDS R0, R0, R2
ROM:080544C6 LSLS R0, R0, #3
ROM:080544C8 MOVS R1, #0x3F @ '?'
ROM:080544CA BL sub_82E7540
ROM:080544CE ADDS R0, #0x1E
ROM:080544D0 STRH R0, [R5]
ROM:080544D2 LDR R6, =dword_202449C
ROM:080544D4 LDR R5, [R6]
ROM:080544D6 LSLS R0, R4, #4
ROM:080544D8 SUBS R0, R0, R4
ROM:080544DA MOVS R1, #0x3F @ '?'
ROM:080544DC BL sub_82E7540
ROM:080544E0 ADDS R0, #1
ROM:080544E2 STRB R0, [R5,#0x13]
ROM:080544E4 LDR R1, [R6]
ROM:080544E6 LDRB R0, [R1,#0x13]
ROM:080544E8 CMP R0, #8
ROM:080544EA BLS loc_80544F0
ROM:080544EC ADDS R0, #1
ROM:080544EE STRB R0, [R1,#0x13]
ROM:080544F0
ROM:080544F0 loc_80544F0: @ CODE XREF: sub_8054400+EAj
ROM:080544F0 LDR R2, [R6]
ROM:080544F2 LDRB R0, [R2,#0x13]
ROM:080544F4 MOVS R1, #0xC0 @ '+'
ROM:080544F6 ORRS R0, R1
ROM:080544F8 STRB R0, [R2,#0x13]
ROM:080544FA LDR R1, =0x2024214
ROM:080544FC LDR R0, [R1]
ROM:080544FE ADDS R0, #1
ROM:08054500 STR R0, [R1]
ROM:08054502 POP {R3-R5}
ROM:08054504 MOV R8, R3
ROM:08054506 MOV R9, R4
ROM:08054508 MOV R10, R5
ROM:0805450A POP {R4-R7}
ROM:0805450C POP {R0}
ROM:0805450E BX R0
ROM:0805450E @ End of function sub_8054400

I don't want to someone translate the routine, but, does someone know what it returns ? I mean, It supposed to determine type and power, but in the end it pop five register. So how they're used ?
Or there only R0 that is used ? If so, how the data are stored in ?
I know there's a lot of question but I read tutorials since hours but I am not able to understand this one x)

Could someone explain to me how this person was able to obtain the internal code for a battle command? I have been looking for something like this for at least a week, so if someone could please explain this to me, it would be very helpful.

 

[Blah]

Could someone explain to me how this person was able to obtain the internal code for a battle command? I have been looking for something like this for at least a week, so if someone could please explain this to me, it would be very helpful.

That's from an IDA IDB file. You can find the IDB in knizz or Touched's signature, but it's against the rules for us to post an IDA download. You'll have to pirate buy it yourself :x

 

[Dontreadthi]

I got a script to change the IV of the pokemon in first party slot using the below script from user Touched. However the IV value only changes and the PKMN stats do not reflect the IV value change... What is going on?

To be clear, the code works, it changes the IV value, but the stats are not updated to reflect the change.

Code from /archive/index.php/t-347391.html:
.text
.align 2
.thumb
.thumb_func

main:
push {lr} @ Preserve LR, you are setting it and it needs to be maintained

ldr r0, =(0x02024284)
mov r1, #0x27

@ Load the value we want to set
mov r2, #0x1F
@ We want a pointer to this value, so place it on the stack
push {r2}
mov r2, sp

@ We now have a pointer to 0x1F. Thus a ldr r2, [r2] would set r2 to 0x1F

@ Call the function as usual
ldr r3, =(0x0804037C + 1)
bl call_via_r3

@ Take the value off the stack (we don't need it anymore)
pop {r2}

@ Return (LR was pushed onto the stack, take it off and put the value on PC)
pop {pc}

call_via_r3:
bx r3

 

[DarkPsychic]

So I was going threw my asm folder and found a text file that reads

Spoiler:

You have to use ASM.

(I didnt make this, JPAN did so credits go to him)

This code here allows you to cure, immunize and catch the pokemon virus. To make it work, put in var 0x8005 a number between 0x1 and 0xf to give it, 0x0 to cure but not immunize and 0x10 or higher to immunize the pokemon, preventing him to ever catch the virus again (even with this code)

ASM Code:
b507 push {r0-r2, lr}
4806 ldr r0, 0x0203f414 ;Misc block data storage address
6800 ldr r0, [r0]
4906 ldr r1, 0x020370C2 ;var 0x8005, keeps pokerus new status
7802 ldrb r2, [r0]
2a0f cmp r2, 0xf ; if immune, do nothing
dc02 bgt end
8809 ldrh r1, [r1] ;time to remain, bigger than 10 to immunize
2910 cmp r1, 0x10
db00 blt infect
2110 mov r1, 0x10
7001 infect:strb r1, [r0]
bd07 end:pop {r0-r2, lr}

Compiled and ready:
07 B5 06 48 00 68 06 49 02 78 0F 2A 04 DC 09 88
10 29 00 DB 10 21 01 70 07 BD 00 00 14 F4 03 02
C2 70 03 02

Now I converted it into this

.text
.align 2
.thumb
.thumb_func

main:
        push {r0-r2, lr} 
        ldr r0, =(0x0203f414)
        ldr r0, [r0]
        ldr r1, =(0x020370C2)
        ldrb r2, [r0]
        cmp r2, #0xf
        bgt end
        ldrh r1, [r1]
        cmp r1, #0x10 
        blt infect
        mov r1, #0x10
infect:
        strb r1, [r0]
        
end:
        pop {r0-r2, pc}

.align 2

Before I converted the original routine, I could not get it to compile.
After conversion I compiled it an came up with this

07 B5 06 48 00 68 06 49 02 78 0F 2A 04 DC 09 88 
10 29 00 DB 10 21 01 70 07 BD C0 46 14 F4 03 02 
C2 70 03 02

The only difference I could see between the two was that after BD mine had C0 46 wile the original has 00 00.

My question is
Am I going about this right?
And I have tried to make a testing script but I can't seem to get it to work so I don't know if if either of these Pokerus routines work or its just my scripting at the moment.

Any help is much appreciated ^_^

 

[azurile13]

Spoiler:

So I was going threw my asm folder and found a text file that reads

Spoiler:

You have to use ASM.

(I didnt make this, JPAN did so credits go to him)

This code here allows you to cure, immunize and catch the pokemon virus. To make it work, put in var 0x8005 a number between 0x1 and 0xf to give it, 0x0 to cure but not immunize and 0x10 or higher to immunize the pokemon, preventing him to ever catch the virus again (even with this code)

ASM Code:
b507 push {r0-r2, lr}
4806 ldr r0, 0x0203f414 ;Misc block data storage address
6800 ldr r0, [r0]
4906 ldr r1, 0x020370C2 ;var 0x8005, keeps pokerus new status
7802 ldrb r2, [r0]
2a0f cmp r2, 0xf ; if immune, do nothing
dc02 bgt end
8809 ldrh r1, [r1] ;time to remain, bigger than 10 to immunize
2910 cmp r1, 0x10
db00 blt infect
2110 mov r1, 0x10
7001 infect:strb r1, [r0]
bd07 end:pop {r0-r2, lr}

Compiled and ready:
07 B5 06 48 00 68 06 49 02 78 0F 2A 04 DC 09 88
10 29 00 DB 10 21 01 70 07 BD 00 00 14 F4 03 02
C2 70 03 02

Now I converted it into this

.text
.align 2
.thumb
.thumb_func

main:
        push {r0-r2, lr} 
        ldr r0, =(0x0203f414)
        ldr r0, [r0]
        ldr r1, =(0x020370C2)
        ldrb r2, [r0]
        cmp r2, #0xf
        bgt end
        ldrh r1, [r1]
        cmp r1, #0x10 
        blt infect
        mov r1, #0x10
infect:
        strb r1, [r0]
        
end:
        pop {r0-r2, pc}

.align 2

Before I converted the original routine, I could not get it to compile.
After conversion I compiled it an came up with this

07 B5 06 48 00 68 06 49 02 78 0F 2A 04 DC 09 88 
10 29 00 DB 10 21 01 70 07 BD C0 46 14 F4 03 02 
C2 70 03 02

The only difference I could see between the two was that after BD mine had C0 46 wile the original has 00 00.

My question is
Am I going about this right?
And I have tried to make a testing script but I can't seem to get it to work so I don't know if if either of these Pokerus routines work or its just my scripting at the moment.

Any help is much appreciated ^_^

Please link to the original post. I'm not familiar with those offsets, but for now I'll assume that the comments are accurate. I ask for the original routine because the routine is altering the (encrypted) misc data structure, but I see neither decryption nor encryption. It appears that routine is intended to be used with the routines JPAN wrote, which you don't need to use anymore anyways. The game has built in routines for handling encrypted data. As for your C0 46 and 00 00 question, they are irrelevant to your current issue. That is for alignment purposes only; you'll notice that the two words following them are the literal pool which needs to be word aligned for ldr to load them. In this particular case, they could literally be any combination of two bytes, and I'm fairly sure C0 46 is the what devkitARM uses for any .align 2.

 

[DarkPsychic]

Please link to the original post. I'm not familiar with those offsets, but for now I'll assume that the comments are accurate. I ask for the original routine because the routine is altering the (encrypted) misc data structure, but I see neither decryption nor encryption. It appears that routine is intended to be used with the routines JPAN wrote, which you don't need to use anymore anyways. The game has built in routines for handling encrypted data. As for your C0 46 and 00 00 question, they are irrelevant to your current issue. That is for alignment purposes only; you'll notice that the two words following them are the literal pool which needs to be word aligned for ldr to load them. In this particular case, they could literally be any combination of two bytes, and I'm fairly sure C0 46 is the what devkitARM uses for any .align 2.

Ok...
So after digging around, I found that the post that I had saved in a text file was from the Script Help Thread but was deleted. So I started looking again and found the original post here

In the "Catch the pokerus" section

Also you where right as this does work with JPANs encryption and decryption routines, I think anyway >_<

If I was better at scripting I would use the in game routines but I was trying to use this for simplicity.
Not to mention I have really never seen a hack use Pokerus so I was hoping to add the feature to mine.
Now I am not so sure about it >_<

 

[azurile13]

Ok...
So after digging around, I found that the post that I had saved in a text file was from the Script Help Thread but was deleted. So I started looking again and found the original post here

In the "Catch the pokerus" section

Also you where right as this does work with JPANs encryption and decryption routines, I think anyway >_<

If I was better at scripting I would use the in game routines but I was trying to use this for simplicity.
Not to mention I have really never seen a hack use Pokerus so I was hoping to add the feature to mine.
Now I am not so sure about it >_<

Info on the decrypter:
http://www.romhack.me/database/23/fire-red-commonly-used-asm-rom-offsets/page_3/

If you aren't sure how to use that, there are a few ASM tutorials around. A few resources that may be helpful:

http://www.pokecommunity.com/showthread.php?t=343871
https://github.com/Touched/asm-tutorial/blob/master/doc.md
http://problemkaputt.de/gbatek.htm