Main - Hacking Help - Trying to find text pointers in CPS-1 arcade game (1)


ADC
Posted on 02-08-25 08:16 PM (rev. 2 of 02-08-25 08:24 PM by ADC), ID: 1541
Hi! I'm fairly new to the romhacking world.

I'm trying to change some victory quotes in the arcade version of Street Fighter II' CE (nothing fancy, just transplanting a couple of spaces from one quote to another), but I'm unable to find out how those texts are called up on the respective fighter's victory. I tried to simply move the spaces between quotes as I needed and, of course, broke the game. I'm sure there are pointers involved.

I've researched for info, but most of it is for SNES and Game Boy text hacking; I didn't find anything for Capcom CPS-1, which uses the Motorola 68000 processor (big endian).

My questions:
1. How can I find the pointers?
2. There are some "cosmetic" bytes before those quotes (vertical/horizontal margin, font color, etc.). Should I concentrate on finding pointers to those bytes OR to the first alphabetical character in the sentence?


Thanks in advance!


EDIT: I tried to break my post in two, to explain what I did so far, because the post would be too long. But the forum rules don't allow me to.

Zoinkity
Posted on 02-09-25 03:12 AM, ID: 1542
Being arcade and all, I'd suggest using MAME's debug interface to set read watchpoints on the data and see how it's accessed.

Basically, start MAME with the -d flag and read through the help on "WP" as well as the various other commands you can use. Every processor seems a little different in the specifics; I've only used it for MIPS.

It's probably something like an offset from a different pointer, or they worked their way up from a base address. No matter what crazy scheme, though, the WP should trip. If it doesn't... well, then there's something else going on entirely.

ADC
Posted on 02-09-25 06:40 AM (rev. 2 of 02-09-25 07:00 AM by ADC), ID: 1543
Posted by Zoinkity
Being arcade and all, I'd suggest using MAME's debug interface to set read watchpoints on the data and see how it's accessed.

Basically, start MAME with the -d flag and read through the help on "WP" as well as the various other commands you can use. Every processor seems a little different in the specifics; I've only used it for MIPS.

It's probably something like an offset from a different pointer, or they worked their way up from a base address. No matter what crazy scheme, though, the WP should trip. If it doesn't... well, then there's something else going on entirely.

Hi, Zoinkity! Thanks for your input!

I decided to break the post in two, because people don't like to read long posts. :) I'd like to explain what I did so far:

Yes, I'm somewhat used to the MAME debugger tool/syntax, but to be honest I never find anything using it. I'm sure I'm doing something wrong. I know how to select the processor, and even how to find the text in the memory window using the "find" command. Simple tasks.

Here's a ROM snapshot using HxD (swapendianed). You can see all the quotes separated by a bunch of bytes.



Just for the record: in SF2, you win 2 rounds against an opponent then there's a screen showing the defeated opponent with a victory quote by the winner. The marked quote in the pic is "CAN'T YOU DO BETTER THAN THAT?" by E. Honda.

The "cosmetic bytes" I mentioned in my 1st post are marked in red, just before the actual text. They're vertical/horizontal margin, font color, etc.

What I tried so far:

1. I knew it would not work, but anyway I tried some Game Boy/SNES tricks to find the pointers. No success. :P

2. With the MAME debugger, I tried to set breakpoints/watchpoints on the marked bytes/offsets; I thought they would trigger something when the respective quote is displayed. I tried both the initial "C" character and the cosmetic bytes. No success: the game doesn't stop at any of the given points.

Given all that info and the snapshot, any tip on how to use the MAME debugger for this task? I've read the help for some commands, but it doesn't make sense for what I'm trying to do, because I need a basic "get started" that I can follow on from.


Zoinkity
Posted on 02-09-25 03:54 PM, ID: 1545
Hmm, no hits... It's probably working on a copy of the one you found.
The thing that comes to mind is whether the watch was on some kind of RAM or on the original data in whichever ROM has it. They only trip when a processor reads something, not when something is memory-mapped, DMA'd, etc.

One option is to search all the different listed blobs of memory at the time the quote is used to find other copies of the string. Throwing watches on those might turn something up.
Another is to find the printer and catch its users (usually by backtracing users of the font), but without knowing how the addressing works that might be a no-go.

MAME's debugger is a hideous centipede, only used when all else fails.

ADC
Posted on 02-09-25 07:10 PM, ID: 1546
I've watched every MAME debugger video I could find and every tutorial available, some of them even buried in Archive.org. Not only for this task, but for other basic stuff I need for my hacking projects; however, they're too far from my goals, so I can't really use that knowledge, apart from some commands and keyboard shortcuts.
Posted by Zoinkity
Hmm, no hits... It's probably working on a copy of the one you found.
One option is to search all the different listed blobs of memory at the time the quote is used to find other copies of the string. Throwing watches on those might turn something up.
Another is to find the printer and catch its users (usually by backtracing users of the font), but without knowing how the addressing works that might be a no-go.

Makes sense. You mean using traces and cheat-list dumps of all the memory locations read/written after the match winner is declared? That would be a lot of RAM addresses to check, so do you think it makes sense to save two dumps after two matches and compare which ones repeat? I think it would be a lot fewer addresses... still, reverse engineering those RAM addresses back to ROM is a little too much for simply moving an empty space from one quote to another, methinks. @_@ I bet it's possible to find the supposed pointers without leaving the hex territory.
Posted by Zoinkity

MAME's debugger is a hideous centipede, only used when all else fails.

Care to explain? What would be "all else"? Any other tool I could use/learn? (disassemblers like Radare2 and Ghidra would be too complex for me right now)

Zoinkity
Posted on 02-10-25 05:51 AM, ID: 1547
If there is the option between MAME's unintuitive quirky debugger and anything else at all, guaranteed you're going with the "anything else". Problem is there isn't anything else for (most) arcade stuff.


What I meant is to do a very targeted search for the string itself across all memory regions at a time you know it's being used (like they're actively printing it). From there you can work backwards, either putting a write watch on the locations to see what put them there or reads to see what is using each.

The reason is you basically don't know at this point if it's reading from the chip indirectly (like bankswapping or memory mapping) or they copy a table into a blob of RAM. (Direct access is pretty much ruled out.) They could use pointers from a base ram address or a table of offsets. Doing this is sorting out how data is accessed and from there what needs to be adjusted.

ADC
Posted on 02-10-25 07:20 PM (rev. 1), ID: 1548
Posted by Zoinkity
If there is the option between MAME's unintuitive quirky debugger and anything else at all, guaranteed you're going with the "anything else". Problem is there isn't anything else for (most) arcade stuff.

What I meant is to do a very targeted search for the string itself across all memory regions at a time you know it's being used (like they're actively printing it). From there you can work backwards, either putting a write watch on the locations to see what put them there or reads to see what is using each.

The reason is you basically don't know at this point if it's reading from the chip indirectly (like bankswapping or memory mapping) or they copy a table into a blob of RAM. (Direct access is pretty much ruled out.) They could use pointers from a base ram address or a table of offsets. Doing this is sorting out how data is accessed and from there what needs to be adjusted.

I really appreciate your willingness to help. Thank you very much! :)

One last question: have you seen any SNES/GBA text pointer tutorials? They say we must do a byte inversion to find the correct addresses. Do you think it could be the case here? As I said, CPS-1 runs on the M68K, big endian. I did some twisted math and didn't find anything, but as I said, I'm clueless, so I may be doing something slightly wrong. @_@

Zoinkity
Posted on 02-11-25 03:16 AM, ID: 1549
If it's a big-endian processor usually stored values will be BE. Otherwise you have to byteswap things in software before you can use them. An LE IC doesn't mean data loaded from it is LE; electronics is weird.

The pointer(s) could be hardcoded as well. They don't need to be in a table. They can also be offsets from a hardcoded address or a series of lengths. Depending what they did it could be ram or rom. Minimum, there has to be a root table address. No matter what the scheme used--pointers, offsets, walking entries--that first address has to exist.

The big issue is that arcade hardware can be designed any which way they want. Home consoles tend to be somewhat intuitive--they do want a large number of people programming for them over a long period of time--but arcade is very specialized, few games made for each board, (usually) no care for cost or sanity. (A big exception made for the "consolized" stuff like Namco system *, NEC's Neo Geos, etc.)

I'm in the middle of wrapping up a patch for release otherwise would try finding it myself. Sorry I can't be much help.

One question though: changing the string in-place was fine, just not changing lengths, right?

ADC
Posted on 02-11-25 07:15 PM (rev. 3 of 02-11-25 07:17 PM by ADC), ID: 1552
Yes, I can freely edit those quotes; they're simple ASCII strings. I can shorten them, filling the empty spaces with $20 (ASCII space), but I cannot move spaces between the quotes, e.g. shortening Honda's quote and moving the now-empty spaces to Ryu's quote. Between the quotes there are a bunch of bytes, and this A0 appears every time in between the quotes. I'm sure this A0 is a quote "limit" of sorts.



I must "invert" everything I do on this ROM, because I'm too lazy to use SwapEndian, edit, then use SE again. Example: if hitbox coordinates appear in the debug menu as "09 0B 1D 19", I must search the ROM for 0B09 191D; everything in this game follows this pattern.

Since the quotes appear as ASCII in the game ROM, I thought they were simply "called" by the game when needed, so I supposed some breakpoints on offsets in that ROM region would work, but unfortunately they didn't. So, my guess is: the game calls the quote somehow by pointing to the ROM address, because that would be the only difference between the phrases, and whenever I try messing around with the empty spaces it breaks the game (weird graphic glitches whenever the quote is summoned).

Yeah, each arcade is different; however, the CPS-1 is M68K based, so there must be a "logic" between games using this hardware. And in this case, CPS-1 already has a ton of documented stuff, like memory maps and so on. I've been using those resources a lot and they already make sense to me. The MAME debugger would be my next step, but I'm stuck. Will keep researching, though.

Please, feel free to give it a try, after you finish your work. Those quotes are just a part of a major hack I'm doing for this game, and there's a lot of work ahead, so I can simply "wait" for any help possible. :)
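The following script is an added example, not code from this thread, from the game, or from MAME. It does the "work backwards from the string" step Zoinkity describes and covers the pointer schemes he lists (absolute address, offset from a base, self-relative offset), and it answers ADC's question about the cosmetic bytes by accepting a pointer to any byte from the cosmetic prefix up to the first letter, reporting which one a candidate points at. It first un-swaps a 16-bit byte-swapped dump in the way ADC describes ("09 0B" stored as "0B 09"), so the string can be searched as it reads in-game. Everything about the image it scans is assumed: `ROM_BASE = 0` (CPS-1 maps the 68000 program ROM from address 0; confirm it in MAME's memory window for the exact set), `OFFSET_BASE`, the four cosmetic bytes, and the placement of the 0xA0 separator are constructed for the toy image, which is not real SF2CE data.

```python
"""Candidate-pointer scanner for a big-endian 68000 ROM image.

Added example; not code from the thread, the game, or MAME. Assumptions:
ROM_BASE is the CPU address of byte 0 of the program-ROM image (CPS-1: 0);
the file on disk is 16-bit byte-swapped; the toy image below is constructed
in the layout ADC describes (cosmetic bytes, ASCII quote, 0xA0 separator).
"""
import struct

ROM_BASE = 0x000000  # assumed; check MAME's memory window for the real set


def swap16(data):
    """Swap the two bytes of every 16-bit word (undoes a byte-swapped dump)."""
    out = bytearray(data)
    for i in range(0, len(data) - 1, 2):
        out[i], out[i + 1] = data[i + 1], data[i]
    return bytes(out)


def find_all(buf, needle):
    """Every offset at which `needle` occurs in `buf`."""
    hits, i = [], buf.find(needle)
    while i != -1:
        hits.append(i)
        i = buf.find(needle, i + 1)
    return hits


def scan_pointers(rom, text_off, window=16, rom_base=ROM_BASE, offset_base=None):
    """List (scheme, location, target) for values that could reference the quote.

    Any address from `window` bytes before the first letter up to the letter itself
    counts, so a pointer to the cosmetic prefix is found as well as one to the text.
      abs32: big-endian 32-bit absolute address (.dc.l table entry, `lea $xxxxxx.l` operand)
      rel16: signed 16-bit offset relative to the word's own address (pc-relative tables)
      off16: unsigned 16-bit offset added to a caller-supplied `offset_base`
    """
    targets = {rom_base + a for a in range(max(0, text_off - window), text_off + 1)}
    hits = []
    for i in range(0, len(rom) - 1, 2):          # 68000 operands and tables are word-aligned
        here = rom_base + i
        if i + 4 <= len(rom):
            v32 = struct.unpack_from(">I", rom, i)[0]
            if v32 in targets:
                hits.append(("abs32", here, v32))
        u16 = struct.unpack_from(">H", rom, i)[0]
        s16 = struct.unpack_from(">h", rom, i)[0]
        if u16 == 0:                             # a zero offset is never a useful pointer
            continue
        if here + s16 in targets:
            hits.append(("rel16", here, here + s16))
        if offset_base is not None and offset_base + u16 in targets:
            hits.append(("off16", here, offset_base + u16))
    return hits


def table_run(rom, off, region):
    """Count consecutive BE longs from file offset `off` that all land inside `region`.
    A run of 2+ looks like a pointer table; a run of 1 is a lone hard-coded operand."""
    lo, hi, n = region[0], region[1], 0
    while off + 4 <= len(rom) and lo <= struct.unpack_from(">I", rom, off)[0] < hi:
        n, off = n + 1, off + 4
    return n


def analyze(dump, quote, swapped=True, offset_base=None, rom_base=ROM_BASE):
    """Un-swap, locate every copy of `quote`, and scan pointer candidates for each copy."""
    rom = swap16(dump) if swapped else dump
    return rom, {rom_base + off: scan_pointers(rom, off, rom_base=rom_base, offset_base=offset_base)
                 for off in find_all(rom, quote)}


# ---- constructed toy image (assumed layout, not real game data) ----
COSMETIC = b"\x04\x02\x01\x00"   # stand-in for the margin/colour bytes before a quote
SEP = b"\xA0"                    # ADC saw 0xA0 between quotes; placed as a terminator here
QUOTE1 = b"CAN'T YOU DO BETTER THAN THAT?"
QUOTE2 = b"SECOND QUOTE FOR THE TEST"
OFFSET_BASE = 0x1F0              # assumed base for the off16 table below


def build_sample_dump():
    """1 KiB toy ROM, returned byte-swapped the way the files on disk are.
    0x080  41F9 0000 0200  lea $200.l,a0: one hard-coded absolute pointer
    0x100  .dc.l $200,$240 table of absolute pointers to the cosmetic bytes
    0x120  .dc.w $10,$50   offsets from OFFSET_BASE to the same two places
    0x130  .dc.w $D4,$112  offsets relative to each entry's own address, to the text
    0x200 / 0x240          COSMETIC + quote + SEP"""
    rom = bytearray(0x400)
    rom[0x80:0x86] = b"\x41\xF9\x00\x00\x02\x00"
    struct.pack_into(">II", rom, 0x100, 0x200, 0x240)
    struct.pack_into(">HH", rom, 0x120, 0x200 - OFFSET_BASE, 0x240 - OFFSET_BASE)
    struct.pack_into(">HH", rom, 0x130, 0x204 - 0x130, 0x244 - 0x132)
    for base, q in ((0x200, QUOTE1), (0x240, QUOTE2)):
        rom[base:base + len(COSMETIC) + len(q) + 1] = COSMETIC + q + SEP
    return swap16(bytes(rom))


def demo():
    """Scan the toy image for QUOTE1; returns (candidates, table-run length per abs32 hit)."""
    rom, results = analyze(build_sample_dump(), QUOTE1, offset_base=OFFSET_BASE)
    cands = results[ROM_BASE + 0x204]
    runs = {loc: table_run(rom, loc - ROM_BASE, (0x1F0, 0x300))
            for scheme, loc, _ in cands if scheme == "abs32"}
    return cands, runs


if __name__ == "__main__":
    for scheme, loc, target in demo()[0]:
        print(f"{scheme} at {loc:06X} -> {target:06X}")
```

On a real image the candidates are only leads: the self-relative scheme in particular will produce chance hits across a 1 MB ROM, which is why `table_run` is there to separate a real table (several consecutive longs into the quote block) from noise or a single inline operand. Each surviving lead becomes a MAME watchpoint, e.g. `wpset 0x100,8,r` on a suspected table or `wpset 0x200,0x24,r` on the quote itself. Watchpoints apply to the address space the 68000 reads through, so the address has to be the one MAME's memory window shows, not a byte offset inside one of the individual ROM files; a watch set on an HxD offset from a byte-swapped file can stay silent for that reason alone. If a read watch on the ROM copy still never trips, the string is probably being used from a RAM copy, and `find <start>,<length>,"CAN'T YOU"` over the work RAM range (assumed here to be the CPS-1 work RAM at 0xFF0000-0xFFFFFF) while the quote is on screen will find it, after which a write watch on that location shows who copied it there.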

