Address: http://www.romhacking.net/docs/361/
Tool download: http://www.romhacking.net/utils/297/
ROM download: search Baidu for it yourself; I admit that in this respect it is better than Google.
Some things are left untranslated:
Terms such as Sprite, Char, and tile. If you don't understand them, you don't need to read this article.
Others, such as debugging console, are also difficult to translate.
A simple tutorial: searching for image data using memory breakpoints
By labmaster, 24/03/06
(the author of VBA-SDL-H)
This is a very short tutorial that will show you how to use VBA-SDL-H to find image data. You need
to understand the VBA-SDL-H commands (see the instruction document :P) and have some GBA hardware
knowledge. If you have any questions, please go to romhacking.net to ask.
Target: The Legend of Zelda: The Minish Cap (the logo on the title screen)
The first step is to find where the image sits in VRAM. Start with the BGs: run the game in normal VBA,
open the map viewer and check whether the logo is in any of the BGs (the game uses Mode 1 at this point,
with three BGs in total, BG0-2). In this example, the logo (The Legend of Zelda, The Minish Cap) is
not in a BG, so it must be a sprite. To confirm this, open the OAM viewer and keep moving the scroll bar
until a part of the logo is found.
Now let's briefly cover the basics of GBA sprites. Their images are stored at 0x06010000 (the OAM data,
which controls the sprite position, scaling and so on, is stored at 0x07000000). Now open the tile viewer
and select the 0x6010000 char base. The preview window is black at this point, so try changing the palette
until something shows up. You should see the tiles that make up the logo appear (there are three different
palettes: The Legend of Zelda is red, The Minish Cap is green, and there is a palette for the sword).
Now we need to find out where the data is in the ROM. For this we use the memory write breakpoint of
VBA-SDL-H. Click a tile that is part of the logo (for example, the upper left corner of the Z). The tile
viewer will tell you its memory address: 06013020.
Open the game with VBA-SDL-H and let the intro run, but stop before the logo appears (open the tile viewer
and check the automatic update option to see that the logo is not written to VRAM while the intro is
running). Go to the debugging console and enter the following command to set a memory write breakpoint:
BPW 06013020 20
This command sets a write breakpoint on the 20 bytes starting at 06013020. In fact, it does not matter how
many bytes the breakpoint covers (you can set it to 1). Continue the game. It will break shortly and
display the following:
Breakpoint (on write) Address 06013020 old: 00000000 New: 00000000
Breakpoint (on write) Address 06013024 old: 00000000 New: 00000000
Breakpoint (on write) Address 06013028 old: 00000000 New: 00000000
Breakpoint (on write) Address 0601302c old: 00000000 New: cccc0000
Breakpoint (on write) Address 06013030 old: 00000000 New: eeccc000
R00 = 84000580 R04 = 00000004 R08 = 00000000 R12 = 03000090
R01 = 84000000 R05 = 00000030 R09 = 00000000 R13 = 03007ecc
R02 = 040000d4 R06 = 03001000 R10 = 00000000 R14 = 080addcf
R03 = 020244c4 R07 = 00000000 R11 = 00000000 R15 = 080adf40
CPSR = 8000003f (n... T mode: 1f)
080adf3e 6890 ldr r0, [r2, #0x8]
How do we know this is right? If you had opened the memory viewer earlier and watched 06013020, you would
see that these values are correct. Now we need to know which instruction triggered this breakpoint. In the
disassembly viewer, jump to 080adf3e and look upward. The instruction that triggered the breakpoint is
the one just above 080adf3e:
080adf3c 6090 str r0, [r2, #0x8]
This instruction writes the value of r0 to the address r2 + 0x8. Knowing the GBA I/O registers makes this
much easier to follow. The value of r2 is 0x040000d4, which is a register that controls DMA transfers (if
you do not know what DMA is, go search for it). 0x040000d4 + 0x8 = 040000dc. This instruction writes a
word, which covers two registers: the word count register and the control register of DMA channel 3.
(How do I know? GBATEK is the most useful reference for GBA hackers.) The source address register of DMA
channel 3 is 0x040000d4, so let's use the following command to check its contents:
MW 040000d4
It shows the following:
040000d4 088d6760 06013000 04000000 00000000 'G ...... 0 ..........
040000e4 00000000 00000000 00000000 00000000 ................
040000f4 00000000 00000000 00000000 0080fd44...
...
The data source is 088d6760. Note that the value of the next word is 06013000. Does it look familiar? It is
the destination address (040000d8 is the destination address register of DMA channel 3).
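The register values above can be decoded mechanically. The following Python is an added example, not part of the original tutorial: it splits the word written to 040000dc (r0 = 84000580) into the count and control fields as GBATEK describes them, and maps the tile address 06013020 back to an offset in the ROM file. The function names are this example's own, and the ROM offset assumes the usual Game Pak mapping at 0x08000000.

```python
# Added example: decode the DMA3 register values captured in the tutorial.
# Field layout follows GBATEK's description of DMA3CNT_L / DMA3CNT_H.

SRC_STEP = ("increment", "decrement", "fixed", "prohibited")
DST_STEP = ("increment", "decrement", "fixed", "increment/reload")
TIMING = ("immediate", "vblank", "hblank", "special")

def decode_dma3(src, dst, cnt):
    """Decode DMA3SAD, DMA3DAD and the 32-bit word written to 0x040000DC."""
    count = cnt & 0xFFFF           # DMA3CNT_L: number of units to copy
    ctrl = cnt >> 16               # DMA3CNT_H: control bits
    if count == 0:
        count = 0x10000            # on DMA3 a count of 0 means the maximum
    unit = 4 if ctrl & (1 << 10) else 2   # bit 10: 32-bit or 16-bit units
    return {
        "enabled": bool(ctrl & (1 << 15)),
        "timing": TIMING[(ctrl >> 12) & 3],
        "unit_bytes": unit,
        "src_step": SRC_STEP[(ctrl >> 7) & 3],
        "dst_step": DST_STEP[(ctrl >> 5) & 3],
        "src": src,
        "dst": dst,
        "length": count * unit,    # total bytes moved by this transfer
    }

def rom_offset_for(xfer, vram_addr):
    """Map a VRAM address inside the transfer back to a ROM file offset."""
    if xfer["src_step"] != "increment" or xfer["dst_step"] != "increment":
        raise ValueError("only plain incrementing copies map 1:1")
    delta = vram_addr - xfer["dst"]
    if not 0 <= delta < xfer["length"]:
        raise ValueError("address is outside this transfer")
    src_addr = xfer["src"] + delta
    if not 0x08000000 <= src_addr < 0x0E000000:
        raise ValueError("source is not in Game Pak ROM")
    return src_addr & 0x01FFFFFF   # strip the ROM base / mirror bits

# Values from the tutorial: r0 at the STR, and the MW 040000d4 dump.
xfer = decode_dma3(src=0x088D6760, dst=0x06013000, cnt=0x84000580)

if __name__ == "__main__":
    print(xfer)
    print(hex(rom_offset_for(xfer, 0x06013020)))
```

The dump shows 04000000 at 040000dc rather than 84000580 because the count register does not read back and the enable bit is cleared once an immediate transfer has finished.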
That is the end of this short article. If you feel lost in the clouds, you can look for a simpler
article to read first.
To valued buyers (also buy posts by foreigners): Although the steps above are generic for most games
(however, when you use the tile viewer to find the image, it may be in another character base),
different games write data into VRAM in different ways. Some may use a software interrupt (SWI)
to copy or decompress the data in the ROM, and some may have their own decompression functions to
decompress the image (some write directly to VRAM, some write to WRAM and then use DMA or SWI to copy to
VRAM, or even use stmia/ldmia), so it is up to you to analyze what happened before the break. I will write
more about other games so that you can understand these possible ways of working. (However, it's a pitfall.)