Monster Farm 2 Change Log 4: The Eve of a Showdown

Source: Internet
Author: User

Continued from Monster Farm 2 change log 3-ring

BGM: Tide and Tiger, second season ED, "Showdown Eve"

In the previous article, we succeeded in finding the "race Allow generation" list (0x97336), which can be used to make monsters of every race available for generation from the early stages of the game.

We speculate that the processing logic in the game is as follows:

1. Read the data from the CDROM.

2. Calculate the ID of the monster to be generated, and other initial data, based on that data.

3. If the spawn condition of the monster is not satisfied, tell the player that the monster cannot be generated.

4. Play the animation of the monster being generated.

5. Confirm whether the player will adopt the monster; if so, add the monster ID to the "Collected Monster ID" list.

Taking the tri-colored bird as an example, the program reads the byte at 0x97336 + 33 - 1 = 0x97356 to decide whether the tri-colored bird is allowed to spawn.

We can set a memory breakpoint at 0x97356 to see whether we can trace back where race ID 33 comes from.

Reading the disc again to generate the monster, execution breaks at 0xd91b8.

From here we can work out that the instruction at 0xD91B8 reads the memory at 0x97356 (R2+0x15DA), which triggers the breakpoint. Working back from 0xD91B4 gives R5 = 0x20, which corresponds to the tri-colored bird's race 33, so R5 holds the race ID here. The data for this race ID should have been read from the CDROM.

Rather than tracing back any further, we place breakpoints at 0xd91b8 and 0xd91a8 to take a look. It turns out that 0xd91a8 is never reached. Single-stepping until the function returns, we find that 0xD9C64 jumps to 0xd914c, which is a little above 0xd91b4, so execution probably arrives from there. We set the next breakpoint at 0xD9C64. The MIPS documentation says that JAL jumps to the specified location and saves the return address in R31, so the return address of the function can be found from the value of R31.

We jump to 0xd914c and start single-stepping. Note that R5 is already 0x20 on entry to the function at 0xd914c. Stepping through it did not turn up many clues, so we keep looking for where the value of R5 comes from. Going up one level of function, 0xd914c returns to 0xd9c6c, so we look upwards from 0xd9c6c. At 0xd9c5c, R5 is loaded from [R4+48], and R4 is 0x1FCB40. But looking at [1FCB40+48] gives no clue.

We continue to the function one level up, 0x900ec, and set a breakpoint at 0x900e4, then read the disc again to spawn the monster. The instruction here jumps to the address held in the R2 register, so the breakpoint triggers very frequently, and it would need a condition on R2. After many attempts there was still no way to use a breakpoint at 0x900e4: we do not know what R2 value 0x900e4 jumps to, so we cannot set a conditional breakpoint.

This seems to be the wrong direction, so we return to 0xd9c5c. We found that R5 is read from the memory at [1FCB40+48]; evidently, after the CD is read, a value computed from the data on the CD is written to this address, and the data in R5 actually comes from there.

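
The JAL behaviour used in the trace above, as an added example that is not part of the original post: it decodes a MIPS `jal` word and shows why the callee at 0xd914c returns to 0xd9c6c, two instructions after the call at 0xD9C64. The function names are hypothetical, and the instruction word is computed from the target address rather than read from the game.

```python
# Added illustration: decode a MIPS I `jal` word and derive the return address.
# Addresses are the ones observed in the trace; the word itself is computed.

JAL_OPCODE = 0x03  # primary opcode field (bits 31..26) of `jal`


def encode_jal(target):
    """Build the 32-bit jal word for a 4-byte aligned target address."""
    if target & 0x3:
        raise ValueError("jal target must be 4-byte aligned")
    return (JAL_OPCODE << 26) | ((target >> 2) & 0x03FFFFFF)


def decode_jal(word, pc):
    """Return (target, return_address) for a jal word located at pc."""
    if (word >> 26) != JAL_OPCODE:
        raise ValueError(f"{word:#010x} is not a jal instruction")
    index = word & 0x03FFFFFF
    # The top 4 address bits are taken from the delay-slot address (pc + 4).
    target = ((pc + 4) & 0xF0000000) | (index << 2)
    # R31 receives pc + 8: the instruction at pc + 4 is the branch delay
    # slot and executes before control reaches the callee.
    return target, pc + 8


def trace_call():
    """Reproduce the call seen in the trace: jal at 0xD9C64 to 0xD914C."""
    word = encode_jal(0xD914C)
    target, return_address = decode_jal(word, pc=0xD9C64)
    return word, target, return_address


if __name__ == "__main__":
    word, target, ra = trace_call()
    print(f"jal word {word:#010x}: target {target:#x}, R31 = {ra:#x}")
```

Because of the delay slot, the breakpoint that catches the return lands at the call address plus 8, which matches the 0xd9c6c seen while stepping.
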
We tried reading the Monster Farm 2 disc itself and found that the value written to [1FCB40+48] is 0x19, which corresponds to the number of the monster モッチー (0x19+1). That is the race ID of the monster that the Monster Farm 2 disc image generates. So the earlier inference is correct: after the data is read from the CDROM, the race ID of the monster is written to [1FCB40+48].

Note that 1FCB40 is the current value of R4. It is dynamic, may differ in each debugging session, and has to be obtained from a breakpoint at 0xd9c5c. We save first, set the breakpoint at 0xd9c5c again and spawn the monster, and find that R4 is 0x1ffc50. We then only need to set a memory breakpoint on [0x1ffc50+48]; it should trigger when the CDROM data is read.

The breakpoint triggers at the moment of the change. R2, holding 0x2020, is being written to [0x1ffc50+48], and the value of R2 is read from r7[0x76868]. After some simple debugging, it appears that this code is reading data from the CDROM and writing it to the block of memory that begins at [0x1ffc50+48].

Earlier we speculated about the monster ID, which identifies the monster that is finally spawned. Is the monster ID also written at this time? The ID of the tri-colored bird is 0x148, but there is no data such as 0x48,0x01 near this memory.

What happens if, after the CDROM is read and [0x1ffc50+48] is written, we modify the race ID stored here? I used to like beetles, and they were hard to get. The beetle's race ID is 5, which is 0x04 in memory, so we change the two bytes at [0x1ffc50+48] directly to 0x04,0x04. Because the beetle cannot be generated early on, we also write 1 to the +4 position of the "race Allow generation" list (0x97336+5-1 = 1). We continue execution, switch back to the Monster Farm 2 disc image and spawn the monster. It worked.

But why are there two duplicate race IDs? It suddenly occurred to me that a combined monster does have a main race ID and a sub-race ID.

We can try this with a combination of the Centaur and the Dragon. The Centaur's race ID is 3 and the Dragon's race ID is 2. Following the same method, reading the disc triggers the data breakpoint and we change [0x1ffc50+48] to 0x02,0x01, then write 1 to the +3 and +2 positions of the "race Allow generation" list (0x97336+3-1 = 1, 0x97336+2-1 = 1). Generating again really does produce the Centaur + Dragon combination.

At this point we can theoretically spawn all the monsters except the special ones. Monster Farm 2 has some particularly rare monsters that can only be generated from certain discs. For example, disc B of the PS game Parasite Eve generates the liquid metal man, the T1000 from The Terminator, the cool one. That is definitely no coincidence: a disc with the Terminator 2 soundtrack can also spawn this monster.

We try spawning a monster with disc B of Parasite Eve. The memory breakpoint triggers when the disc is read. The main race ID of the liquid metal man is 0x1c, which is 28+1 = 29. The sub-race ID is 0x26, which is 38+1. Monster Farm 2 has only 38 races altogether, so it seems that race ID 38 is dedicated to special rare monsters.

We try it with the Golem, race ID 8: write 0x07,0x26 at [0x1ffc50+48] and write 1 to the +8 position of the "race Allow generation" list (0x97336+8-1 = 1). Well, it looks weird, but it is a rare monster.

So far we have been able to spawn all the monsters in the game, including the unusable wild monsters. More than half of the original goal has been achieved. Next we will try to analyze the data read from the CDROM and, if possible, make a simple modifier or CD generator, preferably one that lets me spawn monsters directly in the emulator on an Android phone.
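
The manual edits above can be written down as a small planner. This is an added example, not the author's modifier: it turns a main/sub race pair into the list of byte writes and applies them to a constructed RAM buffer. The function names are hypothetical, the "+48" offset is taken as decimal as written in the post, and the byte order (main race first, sub-race second) is assumed from the order in which the post lists the bytes.

```python
# Added illustration, not the author's tool: plan the byte writes described
# above and apply them to a constructed RAM buffer.
ALLOW_LIST_BASE = 0x97336  # "race Allow generation" list address (from the page)
RACE_FIELD_OFFSET = 48     # "[R4+48]" as written on the page; assumed decimal
RACE_COUNT = 38            # number of races stated on the page
SPECIAL_SUB_BYTE = 0x26    # sub-race byte observed for the rare monster


def race_byte(race_id):
    """In-memory value of a 1-based race ID (stored as ID - 1)."""
    if not 1 <= race_id <= RACE_COUNT:
        raise ValueError(f"race ID {race_id} is outside 1..{RACE_COUNT}")
    return race_id - 1


def plan_writes(r4, main_id, sub_id=None):
    """Return [(address, byte), ...] for one generation.

    r4 is the value captured at the 0xd9c5c breakpoint. sub_id=None selects
    the special sub-race byte; pass main_id again for a single-race monster.
    """
    field = r4 + RACE_FIELD_OFFSET
    sub = SPECIAL_SUB_BYTE if sub_id is None else race_byte(sub_id)
    # Assumed layout: main race byte first, sub-race byte second.
    writes = [(field, race_byte(main_id)), (field + 1, sub)]
    # Unlock every ordinary race involved: list entry (ID - 1) is set to 1.
    ids = {main_id} if sub_id is None else {main_id, sub_id}
    writes += [(ALLOW_LIST_BASE + race_byte(i), 1) for i in sorted(ids)]
    return writes


def apply_writes(ram, writes):
    """Apply planned writes to a bytearray standing in for emulator RAM."""
    for address, value in writes:
        ram[address] = value
    return ram


if __name__ == "__main__":
    ram = bytearray(0x200000)  # constructed, zero-filled 2 MiB buffer
    for name, args in [("Beetle", (5, 5)), ("Centaur + Dragon", (3, 2)),
                       ("Golem + special", (8,))]:
        plan = plan_writes(0x1FFC50, *args)
        apply_writes(ram, plan)
        print(name, [(hex(a), hex(v)) for a, v in plan])
```

Since R4 changes between sessions, the value passed as `r4` has to be re-read at the 0xd9c5c breakpoint each time, as the post notes.
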

To be Continued ...
