Gameboy Development Forum

Discussion about software development for the old-school Gameboys, ranging from the "Gray brick" to Gameboy Color
(Launched in 2008)


#1 2013-04-27 14:38:14

shanem
New member
Registered: 2013-04-27
Posts: 9

Z80 How do you Hack OAM?

How does one find OAM for this in a disassemble?

Here are pics specifically for what:

English
https://i1302.photobucket.com/albums/ag140/Shane_Mohammed/0d96eed6-0404-4140-971d-9797961d377e_zpsd303fa80.jpg

Japanese
https://i1302.photobucket.com/albums/ag140/Shane_Mohammed/ba3af468-258a-43e0-abc9-3c2f142bf3c2_zpscc38b5e1.jpg


I have found this in the disassemble:

Code:

; calculates the OAM data for all currently visible sprites and writes it to $c300
PrepareOAMData: ; 4b0f (1:4b0f)
    ld a, [$cfcb]
    dec a
    jr z, .asm_4b1e
    cp $ff
    ret nz
    ld [$cfcb], a
    jp ResetLCD_OAM
.asm_4b1e
    xor a
    ld [$FF00+$90], a
.asm_4b21
    ld [$FF00+$8f], a
    ld d, $c1
    ld a, [$FF00+$8f]
    ld e, a
    ld a, [de]         ; c1x0
    and a
    jp z, .asm_4bad
    inc e
    inc e
    ld a, [de]         ; c1x2 read combined orientation and animation info
    ld [$d5cd], a
    cp $ff
    jr nz, .spriteVisible   ; $ff -> offscreen, don't draw
    call Func_4bd1
    jr .asm_4bad

Also:

Code:

    ld d, $c3                ; $c300+x is buffer for OAM data
.spriteTilesLoop             ; loops 4 times for the 4 tiles a sprite consists of
    ld a, [$FF00+$92]        ; temp for sprite Y position
    add $10                  ; Y=16 is top of screen (Y=0 is invisible)
    add [hl]                 ; add Y offset from table
    ld [de], a               ; write new sprite OAM Y position
    inc hl
    ld a, [$FF00+$91]        ; temp for sprite X position
    add $8                   ; X=8 is left of screen (X=0 is invisible)
    add [hl]                 ; add X offset from table
    inc e
    ld [de], a               ; write new sprite OAM X position
    inc e
    ld a, [bc]               ; read pattern number offset (accommodates orientation (offset 0,4 or 8) and animation (offset 0 or $80))
    inc bc
    push bc
    ld b, a
    ld a, [$d5cd]            ; temp copy of c1x2
    swap a                   ; high nybble determines sprite used (0 is always player sprite, next are some npcs)
    and $f
    cp $b                    ; sprites $a and $b have no orientation or animation and therefore only 4 tiles
    jr nz, .calcTileOffset   ; (instead of 12), so tile b's offset is a special case
    ld a, $7c                ; = $a * 12 + 4
    jr .doneCalcTileOffset

This is how OAMs are loaded routine-wise, but I cannot even locate the trainer's sprite OAM routine found on the Title Screen in my disassemble. I have tried to trace it in RAM using BGB's debugger at $FE00, no luck. If somebody knows what the label for this is in the disassemble, or understands how the OAM works, please share, as I would like to finish my localized Green into English.

The X/Y Axis appear to be in Little Endian, while the attribute and Tile no. aren't. In the disassemble by iiMarkus I am at line 11543. Thanks.


#2 2013-04-28 13:19:27

paulc
Member
Registered: 2012-10-23
Posts: 27

Re: Z80 How do you Hack OAM?

Data for OAM is temporarily stored in $C3xx, which is the range from $C300 to $C3A0.

And it is transferred to official OAM through DMA with the call to $FF80.

So to find where the OAM attributes are being stored and loaded, look for the loads with "C300".
I found the routine by doing a search for "ld hl,C300".
And I found that it was in the $C3xx location by looking at the DMA "call FF80" routine, which starts with "ld a,C3". That number "C3" indicates that the sprite table is at location $C300.


So here seems to be the routine you are looking for that controls the image of the boy:

01:44F2  =  ld hl,C300

If you change this to "ret", the boy will not load on the main title screen.

Without looking more into it, it seems that the next line "ld de,605A" controls the y and x position of the character (60 is y height, 5A is x length).

Last edited by paulc (2013-04-28 13:24:57)
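As an added illustration (not code from the thread or the game), this decodes a shadow-OAM buffer laid out like the $C300-$C39F area described above: 40 entries of 4 bytes each, [Y, X, tile, attributes], the same format the DMA copies to $FE00. The sample buffer is constructed here and places the thread's "74 5a 0a 00" entry at $C328.

```python
# Added example: decode a 160-byte shadow-OAM buffer ($C300-$C39F) into
# screen coordinates. Not the game's own code; the sample data is constructed.
OAM_SHADOW_BASE = 0xC300
OAM_ENTRY_SIZE = 4
OAM_ENTRIES = 40          # 40 * 4 = $A0 bytes, so the buffer ends at $C3A0


def decode_oam_entry(entry, index):
    """Turn one 4-byte OAM entry [Y, X, tile, attr] into a dict.

    Y=16 is the top scanline and X=8 is the left column (as the
    disassembly comments note), so the on-screen position is (Y-16, X-8).
    Y=0 or Y>=160 hides the sprite, and so does X=0 or X>=168.
    """
    y, x, tile, attr = entry
    return {
        "index": index,
        "addr": OAM_SHADOW_BASE + index * OAM_ENTRY_SIZE,
        "screen_y": y - 16,
        "screen_x": x - 8,
        "tile": tile,
        "priority_bg": bool(attr & 0x80),   # bit 7: drawn behind BG colours 1-3
        "flip_y": bool(attr & 0x40),        # bit 6: vertical flip
        "flip_x": bool(attr & 0x20),        # bit 5: horizontal flip
        "palette": (attr >> 4) & 1,         # bit 4: OBP0 / OBP1 on DMG
        "visible": 0 < y < 160 and 0 < x < 168,
    }


def decode_oam_buffer(buf):
    """Decode all 40 entries; skip entries that are entirely zero (unused)."""
    if len(buf) != OAM_ENTRIES * OAM_ENTRY_SIZE:
        raise ValueError("expected a 160-byte OAM buffer")
    out = []
    for i in range(OAM_ENTRIES):
        entry = buf[i * OAM_ENTRY_SIZE:(i + 1) * OAM_ENTRY_SIZE]
        if not any(entry):
            continue
        out.append(decode_oam_entry(entry, i))
    return out


# Constructed sample buffer: entry 10 holds the thread's "74 5A 0A 00" entry
# ($C328 - $C300 = $28 = 10 * 4); entry 0 is a sprite parked off-screen at Y=0.
SAMPLE = bytearray(OAM_ENTRIES * OAM_ENTRY_SIZE)
SAMPLE[0x28:0x2C] = bytes([0x74, 0x5A, 0x0A, 0x00])
SAMPLE[0x00:0x04] = bytes([0x00, 0x5A, 0x01, 0x00])

if __name__ == "__main__":
    for e in decode_oam_buffer(SAMPLE):
        print(f"${e['addr']:04X} tile ${e['tile']:02X} at "
              f"({e['screen_x']},{e['screen_y']}) visible={e['visible']}")
```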


#3 2013-04-29 13:09:29

shanem
New member
Registered: 2013-04-27
Posts: 9

Re: Z80 How do you Hack OAM?

Hi paulc,

I sent you an email, but just in case you did not get it, here is my question again.

"There is only one problem, maybe you may know how to trace this. At C328 in Red/Blue there is a routine where the pokeball goes up, then down after the starter monsters, it is labeled as 74 5a 0a 00 in OAM block. I did a search like you showed me for C328, and I ended up at 4369 ld hl,c328.

I changed the next value at 436C from ld a,74 to ld a,70, which fixes the sprite upon the game loading, but after the first monster passes it reverts back to the way it was. I checked the VRAM on the Y Loc for 74 (which holds tile $0A). It seems to change from 74 to 6E 6C, etc. (too fast for me to see) when the starter monster goes by and then back to 74. I could not find the routine for this in the disassemble, any way to search for it? I basically want to NOP ($00) the routine, but keep the Y axis at 74. How do I find that routine?"

Here is a pic:

https://i1302.photobucket.com/albums/ag140/Shane_Mohammed/6561c0a5-caf5-4545-ad0b-15ec6ff096ab_zps791a849e.jpg


#4 2013-04-29 14:41:39

paulc
Member
Registered: 2012-10-23
Posts: 27

Re: Z80 How do you Hack OAM?

It seems to be this routine:  0D:72D1 = ld (C328),a

You should also do a search for "C328" alone, since it can be used in different ways than being loaded into HL.
Tip: You can step through each frame by setting VBLANK as a breakpoint. Vblank hits each screen refresh so it's a good way to check things.


#5 2013-04-29 15:03:05

shanem
New member
Registered: 2013-04-27
Posts: 9

Re: Z80 How do you Hack OAM?

@paulc

But 72D1 is ld d,b

I did a search on C328 already and ended up at 436c ld a,74. I wrote about it in my last post :)

Are you sure it's 72d1, as it is a different set of mnemonic instructions?

p.s. I'm new to Z80, I use bgb, how do I set a break on vblank?

Last edited by shanem (2013-04-29 15:31:22)


#6 2013-04-29 15:38:25

shanem
New member
Registered: 2013-04-27
Posts: 9

Re: Z80 How do you Hack OAM?

@paulc

Problem solved, I figured it out, I did a search for 21 c3 28 and NOP'd it, and it worked!

One last question: The monsters are on the same side as the dude, how do I locate them to move them if they are not OAM?

https://i1302.photobucket.com/albums/ag140/Shane_Mohammed/bgb00077_zps2a88053c.png

https://i1302.photobucket.com/albums/ag140/Shane_Mohammed/bgb00078_zps1b4caa70.png


#7 2013-04-29 16:48:01

paulc
Member
Registered: 2012-10-23
Posts: 27

Re: Z80 How do you Hack OAM?

72D1 is in Rom bank "0D". Hence: 0D:72D1.
To find it, hit "control+G" in bgb to go to the address.

Vblank is always at $0040. Just double click on the line and it will turn red. Position your screen window so that it overlaps a bit with the debugger window. Now every time Vblank hits it will stop the game and the debugger window will come on top of the screen window. Click on the screen window to move off the breakpoint. Since it hits each frame with vblank, you just keep clicking on the screen window and it will advance each frame.

The monsters are part of the bkg window it seems. They are probably moved by checking if LY is on a certain line, then changing rSCX with a variable that stores the scrolling. Your best bet is to use the vblank approach to step through each frame until the scrolling occurs and then step through the program to find what's controlling it.
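As an added example (not from the thread or the game's code), this automates the two things done by hand above: searching a ROM image for instructions that reference a WRAM address such as $C328, and converting between file offsets and BGB's bank:addr notation (0D:72D1 means bank $0D switched into $4000-$7FFF). The ROM image is constructed here, with the thread's "4369 ld hl,c328" placed in bank 1.

```python
# Added example: find opcode+address pairs in a ROM and print BGB-style addresses.
# Constructed data; not the game's own ROM.
BANK_SIZE = 0x4000

# SM83 opcodes that take a 16-bit immediate address (little-endian operand).
ADDR_OPCODES = {
    0x01: "ld bc,{a}", 0x11: "ld de,{a}", 0x21: "ld hl,{a}", 0x31: "ld sp,{a}",
    0xEA: "ld ({a}),a", 0xFA: "ld a,({a})",
    0xC3: "jp {a}", 0xCD: "call {a}",
}


def offset_to_bgb(offset):
    """ROM file offset -> 'BB:AAAA'. Bank 0 is fixed at $0000-$3FFF; every
    other bank is mapped at $4000-$7FFF, so offset 0x372D1 prints as 0D:72D1."""
    bank, off = divmod(offset, BANK_SIZE)
    addr = off if bank == 0 else 0x4000 + off
    return f"{bank:02X}:{addr:04X}"


def bgb_to_offset(s):
    """'0D:72D1' -> ROM file offset (inverse of offset_to_bgb)."""
    bank, addr = (int(p, 16) for p in s.split(":"))
    return bank * BANK_SIZE + (addr if bank == 0 else addr - 0x4000)


def find_address_refs(rom, target):
    """Return [(bgb_addr, mnemonic)] for each opcode followed by `target`
    little-endian. This is a linear byte scan, not a disassembler, so a hit
    inside a data table or another operand is possible; confirm in the debugger."""
    lo, hi = target & 0xFF, target >> 8
    hits = []
    for i in range(len(rom) - 2):
        if rom[i + 1] == lo and rom[i + 2] == hi and rom[i] in ADDR_OPCODES:
            hits.append((offset_to_bgb(i),
                         ADDR_OPCODES[rom[i]].format(a=f"{target:04X}")))
    return hits


# Constructed two-bank ROM: 'ld hl,C328' (21 28 C3) at 01:4369 as in the
# thread, 'ld (C328),a' (EA 28 C3) at 01:7000; the rest is $00 (nop) filler.
ROM = bytearray(2 * BANK_SIZE)
for where, code in (("01:4369", [0x21, 0x28, 0xC3]), ("01:7000", [0xEA, 0x28, 0xC3])):
    o = bgb_to_offset(where)
    ROM[o:o + 3] = bytes(code)

if __name__ == "__main__":
    for addr, text in find_address_refs(ROM, 0xC328):
        print(addr, text)
```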


#8 2013-04-29 17:32:11

shanem
New member
Registered: 2013-04-27
Posts: 9

Re: Z80 How do you Hack OAM?

@paulc

I did as you suggested.

I narrowed it down to, I believe, WRA1 which has 4D E4 35 C0 1F at DEFA-DEFE, how do I trace it to ROM? I tried to do ctrl+f and locate it, no luck. How do I trace that, or are these values stored also at another location?

Last edited by shanem (2013-04-29 17:41:29)


#9 2013-04-29 18:10:43

paulc
Member
Registered: 2012-10-23
Posts: 27

Re: Z80 How do you Hack OAM?

I think the routine is called from 0D:727C

0D:7298 controls the scrolling.

It loads a value into SCX.
When the monsters are scrolling, go to the debugger and hit F7 to go line-by-line through the code.
You'll probably have to do some back tracking.
I don't think the game runs routines through RAM, so you're likely not going to be able to "trace" the code in those areas.


#10 2013-04-29 18:34:48

shanem
New member
Registered: 2013-04-27
Posts: 9

Re: Z80 How do you Hack OAM?

Do you mean trace 727C or 7298 when the code is running?


Also, I did 'Animate' and got stuck in a loop at 7292. At this spot it says ld a,(ff00+44) ;LY Is that important?

Last edited by shanem (2013-04-29 18:46:32)


#11 2013-05-01 02:08:52

shanem
New member
Registered: 2013-04-27
Posts: 9

Re: Z80 How do you Hack OAM?

@paulc

How did you get 0D:727C and 0D:7298, when I ended at 0d:7292? I double-checked and the routine that you ended up at is correct.


#12 2013-05-24 13:09:47

shanem
New member
Registered: 2013-04-27
Posts: 9

Re: Z80 How do you Hack OAM?

This issue has been resolved. Thanks paulc.

https://i1302.photobucket.com/albums/ag140/Shane_Mohammed/bgb00088_zpsda47be3b.png
