The following conversation is real. It took place on Saturday October 1st between an OnStar oper---whatever! This is just a big chat log of me talking to hcs while ripping Diddy Kong Racing. Enjoy, or something.

Session Start (Peter S Conway:Adam Gashlin): Sat Oct 01 14:42:50 2005
[14:43] Peter S Conway: Just a suggestion - could you add a "rips in database" function to the usf central page
[14:43] Adam Gashlin: what would that do?
[14:43] Peter S Conway: It would print how many sets are available, how many are preliminary, etc
[14:45] Adam Gashlin: I'd have to add a new column, right now the descriptions are just vague and textual, so if I grouped by them you'd have a few lone "complete-ish" things
[14:45] Peter S Conway: i'm surprised how lame the snowboard kids music is
[14:45] Adam Gashlin: meh
[14:46] Peter S Conway: now I'm starting to wonder why people were requesting it
[14:46] Adam Gashlin: 'twas highly requested, though I didn't look through the IPs of the requesters for abuse
[14:48] Peter S Conway: I will check out random games until I find one that looks like it uses a lot of standard library calls.
[14:48] Adam Gashlin: dkr must, or
[14:48] Adam Gashlin: I wouldn't have been able to do the generic rip
[14:49] Peter S Conway: I shall now give it another try, although it will end up in failure.
[14:49] Peter S Conway: tell me, what version of the ROM did you use to make the generic driver rip
[14:49] Adam Gashlin: durrr,.... dunno
[14:50] Peter S Conway: I'll be using v1.0 instead of 1.1
[14:51] Adam Gashlin: that's probably what I used, but I can't tell
[14:52] Peter S Conway: by the way, how did you batchrip kig
[14:53] Peter S Conway: the thing crashes when I try it with your notes
[14:53] Peter S Conway: Hoorah, alseqpsetseq has been found.
[14:53] Adam Gashlin: I guess I left something out, or you misinterpreted something, because I think I noted everything...
[14:54] Peter S Conway: what was the song playing offset located
[14:54] Adam Gashlin: for what?
[14:54] Peter S Conway: you know, for the Song value offset.
[14:55] Peter S Conway: It didn't say anything really
[14:55] Adam Gashlin: I mean for what game?
[14:55] Peter S Conway: Killer Instinct Gold
[14:55] Peter S Conway: i made the savestate as in the guide, but it didn't say where the song value offset was
[14:55] Adam Gashlin: doesn't matter
[14:56] Adam Gashlin: I think it says that
[14:56] Adam Gashlin: it's in a0, not RAM
[14:56] Peter S Conway: well, let's get tracin'
[14:58] Peter S Conway: Traced: ra=800629fc.
[15:03] Peter S Conway: 800023C4 jal alSeqpSetSeq
[15:03] Peter S Conway: I think that's what I'm looking for.
[15:03] Adam Gashlin: looks right to me
[15:04] Peter S Conway: this is a bit different
[15:04] Peter S Conway: in KIG, the addiu is located differently
[15:04] Peter S Conway: in DKR, it's at the start of the function
[15:04] Peter S Conway:
    RAM:8000232C sub_8000232C: # CODE XREF: sub_80000D00+21Cp
    RAM:8000232C # sub_80000D00+240p
    RAM:8000232C
    RAM:8000232C var_14 = -0x14
    RAM:8000232C var_10 = -0x10
    RAM:8000232C var_C = -0xC
    RAM:8000232C var_8 = -8
    RAM:8000232C var_4 = -4
    RAM:8000232C
    RAM:8000232C addiu $sp, -0x28
[15:05] Adam Gashlin: no problem with that, what you should really look for to be sure you're at the beginning is the end of the previous function
[15:05] Adam Gashlin: the jr ra will always be right there
[15:05] Peter S Conway: RAM:80002324 jr $ra
[15:06] Peter S Conway: this one is a bit different though
[15:06] Peter S Conway:
    RAM:8000231C loc_8000231C: # CODE XREF: sub_800022BC+38j
    RAM:8000231C # sub_800022BC+54j
    RAM:8000231C lw $ra, 0x18+var_4($sp) # loads return address
    RAM:80002320 addiu $sp, 0x18
    RAM:80002324 jr $ra
    RAM:80002328 nop
[15:07] Peter S Conway: the LW is a bit different than in the kig thing
[15:07] Adam Gashlin: still shouldn't matter
[15:11] Peter S Conway: RAM:800023B8 jal alCSeqNew
[15:12] Adam Gashlin: yay
[15:12] Peter S Conway:
    RAM:800023B4 move $a0, $s2
    RAM:800023B8 jal alCSeqNew
    RAM:800023BC move $a1, $s1
    RAM:800023C0 move $a0, $s0
[15:12] Peter S Conway: doesn't look like a load address is in the vicinity
[15:13] Adam Gashlin: where's s2 loaded from?
[15:13] Adam Gashlin: or... s1, I forget, which is the raw data address... a0 or a1?
[15:14] Peter S Conway: the only thing that does something for a0 is the following
[15:14] Peter S Conway: RAM:80002438 beqz $a0, loc_80002458
[15:14] Peter S Conway: and that isn't a loading function.
[15:15] Adam Gashlin: correct, it's just making sure you don't have a null pointer before doing anything with it
[15:15] Adam Gashlin: but that doesn't matter, the two instructions that load a0 and a1 for jal alCSeqNew are the moves at 800023B4 and 800023B8
[15:15] Peter S Conway: higher in the function is
[15:15] Peter S Conway: RAM:800023F4 li $s0, 0x80115D1C
[15:16] Adam Gashlin: you can tell that those mean a0 is loaded from s2 and a1 is loaded from s1, right?
[15:16] Peter S Conway: I don't really know MIPS all that well, but I think that's right
[15:17] Adam Gashlin: ok, look at the documentation for alCSeqNew
[15:17] Peter S Conway: void alCSeqNew(ALCSeq *seq, u8 *ptr);
[15:18] Adam Gashlin: yep
[15:18] Adam Gashlin: the first parameter is a pointer to the sequence structure to initialize
[15:18] Adam Gashlin: that's in a0
[15:18] Peter S Conway: not a1?
[15:18] Adam Gashlin: the second parameter is the actual sequence data to load
[15:18] Adam Gashlin: that's in a1
[15:18] Peter S Conway: yippee
[15:19] Adam Gashlin: and where does a1 get loaded from?
[15:20] Peter S Conway: v0 must get passed onto s0 which in turn must get passed onto a0
[15:20] Peter S Conway: RAM:80002448 lw $v0, dword_80115D1C
[15:20] Peter S Conway: or so I figure.
[15:20] Adam Gashlin: ok, but we don't care about a0
[15:20] Adam Gashlin: and a0 is loaded from s2 anyway
[15:21] Peter S Conway: Hold on
[15:21] Peter S Conway: under jal AlSeqpSetSeq:
[15:21] Peter S Conway: RAM:800023C8 move $a1, $s2
[15:21] Peter S Conway: but that's not really what to care about.
[15:21] Adam Gashlin: that's SetSeq, we're interested in CSeqNew
[15:21] Peter S Conway: s1 is passed onto a1
[15:21] Adam Gashlin: right
[15:22] Adam Gashlin: what SeqpSetSeq does is tell the sequence player to play the sequence structure CSeqNew initialized
[15:23] Adam Gashlin: but that structure is only loaded from that thing in s2, which is what we're really interested in
[15:23] Adam Gashlin: scratch that, s1
[15:23] Peter S Conway: RAM:800023F0 multu $t6, $s1
[15:23] Peter S Conway: it appears it's just a game of hot potato going around in the function
[15:24] Adam Gashlin: that's a little weird
[15:24] Adam Gashlin: that multiplies t6 by s1 and puts the result in the LO and HI registers
[15:24] Peter S Conway: i can just send you the entire function, but that might not do anything.
[15:25] Adam Gashlin: go ahea
[15:25] Adam Gashlin: d
(The following message was refused)
    RAM:8000232C sub_8000232C: # CODE XREF: sub_80000D00+21Cp
    RAM:8000232C # sub_80000D00+240p
    RAM:8000232C
    RAM:8000232C var_14 = -0x14
    RAM:8000232C var_10 = -0x10
    RAM:8000232C var_C = -0xC
    RAM:8000232C var_8 = -8
    RAM:8000232C var_4 = -4
    RAM:8000232C
    RAM:8000232C addiu $sp, -0x28 # moves stack pointer back 28
    RAM:80002330 sw $ra, 0x28+var_4($sp)
    RAM:80002334 sw $s3, 0x28+var_8($sp)
    RAM:80002338 sw $s2, 0x28+var_C($sp)
    RAM:8000233C sw $s1, 0x28+var_10($sp)
    RAM:80002340 sw $s0, 0x28+var_14($sp)
    RAM:80002344 move $s0, $a0
    RAM:80002348 move $s1, $a1
    RAM:8000234C move $s2, $a3
    RAM:80002350 jal alSeqpGetState # doubtful name
    RAM:80002350 # alCSPGetState
    RAM:80002350 # doubtful name
    RAM:80002354 move $s3, $a2
    RAM:80002358 bnez $v0, loc_80002558
    RAM:8000235C lw $ra, 0x28+var_4($sp)
    RAM:80002360 lbu $t6, 0($s3)
    RAM:80002364 li $a0, 0x27
    RAM:80002368 beqz $t6, loc_80002558
    RAM:8000236C lw $ra, 0x28+var_4($sp)
    RAM:80002370 jal sub_80076EE8
    RAM:80002374 move $a1, $0
    RAM:80002378 lbu $v1, 0($s3)
    RAM:8000237C lw $t7, dword_80115CF8
    RAM:80002384 lw $t1, dword_80115D0C
    RAM:8000238C sll $t8, $v1, 3
    RAM:80002390 sll $t2, $v1, 2
    RAM:80002394 addu $t9, $t7, $t8
    RAM:80002398 lw $t0, 4($t9)
    RAM:8000239C addu $t3, $t1, $t2
    RAM:800023A0 lw $a3, 0($t3)
    RAM:800023A4 li $a0, 0x27
    RAM:800023A8 move $a1, $s1
    RAM:800023AC jal sub_80076E68
    RAM:800023B0 subu $a2, $t0, $v0
    RAM:800023B4 move $a0, $s2
    RAM:800023B8 jal alCSeqNew
    RAM:800023BC move $a1, $s1
    RAM:800023C0 move $a0, $s0
    RAM:800023C4 jal alSeqpSetSeq # doubtful name
    RAM:800023C8 move $a1, $s2
    RAM:800023CC jal alSeqpPlay # doubtful name
    RAM:800023D0 move $a0, $s0
    RAM:800023D4 lw $t4, dword_800DC630
    RAM:800023DC nop
    RAM:800023E0 bne $s0, $t4, loc_800024E8
    RAM:800023E4 nop
    RAM:800023E8 lbu $t6, 0($s3)
    RAM:800023EC li $s1, 3
    RAM:800023F0 multu $t6, $s1
    RAM:800023F4 li $s0, 0x80115D1C
    RAM:800023FC lw $t5, 0($s0)
    RAM:80002400 mflo $t7
    RAM:80002404 addu $t8, $t5, $t7
    RAM:80002408 lbu $a0, 0($t8)
    RAM:8000240C jal sub_80001990
    RAM:80002410 nop
    RAM:80002414 lbu $t9, 0($s3)
    RAM:80002418 lw $v0, 0($s0)
    RAM:8000241C multu $t9, $s1
    RAM:80002420 li $t2, 0xFFFFFFFF
    RAM:80002424 lui $1, 0x8011
    RAM:80002428 mflo $t0
    RAM:8000242C addu $t1, $v0, $t0
    RAM:80002430 lbu $a0, 1($t1)
    RAM:80002434 nop
    RAM:80002438 beqz $a0, loc_80002458
    RAM:8000243C nop
    RAM:80002440 jal sub_80001534
    RAM:80002444 nop
    RAM:80002448 lw $v0, dword_80115D1C
    RAM:80002450 b loc_80002460
    RAM:80002454 lbu $t3, 0($s3)
[15:25] *** Error while sending IM: Refused by client
[15:25] Adam Gashlin: too large
[15:25] Peter S Conway: indeed
[15:26] *** Adam Gashlin has received dkr_func.txt.
[15:27] Adam Gashlin: ok, here's what you do
[15:27] Adam Gashlin: look above 800023BC, what references to s1 do you see?
[15:27] Peter S Conway:
    RAM:800023A8 move $a1, $s1
    RAM:800023AC jal sub_80076E68
    RAM:800023B0 subu $a2, $t0, $v0
    RAM:800023B4 move $a0, $s2
[15:27] Peter S Conway: that first one looks interesting.
[15:28] Adam Gashlin: but it doesn't modify s1
[15:28] Peter S Conway: it just moves something onto a1
[15:28] Adam Gashlin: right, from s1
[15:28] Peter S Conway: aha
[15:28] Peter S Conway: found it
[15:28] Peter S Conway: (I guess)
[15:28] Peter S Conway: RAM:8000233C sw $s1, 0x28+var_10($sp)
[15:29] Adam Gashlin: nope, that saves the value upon entry to the function
[15:29] Peter S Conway: aodsiihsaof
[15:29] Adam Gashlin: look down a few lines
[15:29] Peter S Conway: RAM:80002348 move $s1, $a1
[15:29] Peter S Conway: now this is where it gets confusing
[15:29] Adam Gashlin: tada
[15:30] Peter S Conway: it appears that it moves something from a1 to s1 and then vice versa a few lines later
[15:30] Peter S Conway: something doesn't seem right here
[15:30] Adam Gashlin: nothing wrong with that
[15:30] Adam Gashlin: you have to think of how the compiler sees it
[15:30] Adam Gashlin: a1 is the second parameter to this function
[15:31] Adam Gashlin: the compiler moves it to s2, one of the "safe" registers, which any function called must respect and leave unmodified
[15:31] Adam Gashlin: when it needs to use it to call another function it must move it back into a1
[15:31] Peter S Conway: hmm
[15:32] Adam Gashlin: but this tells us that another function is called with this value, the address of the sequence
[15:32] Adam Gashlin: and by s2 up there I meant s1, sorry
[15:32] Peter S Conway: ok.
[15:33] Peter S Conway: So, what should I be looking for right now?
[15:33] Peter S Conway: a call to s1?
[15:33] Adam Gashlin: in a sense
[15:33] Adam Gashlin: you noticed it yourself:
[15:33] Adam Gashlin:
    RAM:800023A4 li $a0, 0x27
    RAM:800023A8 move $a1, $s1
    RAM:800023AC jal sub_80076E68
[15:33] Adam Gashlin: here we see another function called with what's in s1, which we know to be the location of the raw sequence
[15:33] Peter S Conway: also found a sp thing
[15:33] Peter S Conway: RAM:8000232C addiu $sp, -0x28 # moves stack pointer back 28
[15:34] Adam Gashlin: good, but not important
[15:34] Adam Gashlin: what could this function be doing with the address of the sequence?
[15:34] Adam Gashlin: my guess is that this is what's loading it
[15:34] Adam Gashlin: and that li $a0,0x27 is the sequence number
[15:34] Peter S Conway: so the sequence is 0x27
[15:34] Adam Gashlin: since 0x27 seems like an arbitrary constant
[15:35] Adam Gashlin: I think so
[15:35] Peter S Conway: If I was able to, I'd load up the sound test thing and hit it to find out what the a0 register changed to
[15:35] Adam Gashlin: well you can do something easily right now
[15:36] Adam Gashlin: add a line to ExecuteInterpreterOpcode to set a0 to whatever you want at the top of sub_80076E68
[15:36] Adam Gashlin: if something else plays you'll know you have it
[15:36] Peter S Conway: and what would that line be like
[15:37] Adam Gashlin: if (PROGRAM_COUNTER==0x80076E68) GPR[4].UW[0]=0x28; // or something
[15:37] Peter S Conway: I will now get it to play the Trophy Award thing
[15:38] Peter S Conway: which is 0x4
[15:39] Peter S Conway: or 0x3?
[15:39] Adam Gashlin: whatever
[15:42] Peter S Conway: nope, just freezes the game.
[15:42] Adam Gashlin: nooooooooooooooooo
[15:42] Adam Gashlin: well there goes idea #1
[15:42] Peter S Conway: carp.
[15:43] Peter S Conway: i will try it again with 0x24
[15:43] Peter S Conway: nope.
[15:44] Peter S Conway: well, that isn't what we're looking for.
[15:44] Adam Gashlin: nope
[15:44] Peter S Conway: now what
[15:44] Adam Gashlin: now let's look at where the second parameter or the big function comes from
[15:44] Adam Gashlin: *of
[15:45] Peter S Conway: now which one was that again
[15:45] Adam Gashlin: sub_8000232C, where alCSeqNew is called from
[15:45] Peter S Conway: a bunch of stack crap:
[15:45] Peter S Conway:
    RAM:80002330 sw $ra, 0x28+var_4($sp)
    RAM:80002334 sw $s3, 0x28+var_8($sp)
    RAM:80002338 sw $s2, 0x28+var_C($sp)
    RAM:8000233C sw $s1, 0x28+var_10($sp)
    RAM:80002340 sw $s0, 0x28+var_14($sp)
[15:45] Adam Gashlin: we were able to tell that the second parameter for alCSeqNew is also the second parameter of sub_8000232C, right?
[15:46] Peter S Conway: I'm sorry, mom distracted me. ;(
[15:46] Peter S Conway: But anyway...
[15:46] Adam Gashlin: no, we're looking for a call to sub_8000232C, not its beginning
[15:47] Peter S Conway: inside the function?
[15:47] Adam Gashlin: no...
[15:47] Adam Gashlin: what sense would that make
[15:47] Adam Gashlin: a call to itself?
[15:47] Peter S Conway: oh. ;p
[15:49] Peter S Conway: RAM:80000F1C jal sub_8000232C
[15:49] Adam Gashlin: gimme the surroundings
[15:49] Peter S Conway: Aha
[15:50] Peter S Conway: found the call to s1
[15:50] Peter S Conway: RAM:80000F48 li $s1, 0x80115D30
[15:50] Adam Gashlin: no good
[15:50] Peter S Conway: Asfsdoiasjf.
[15:50] Adam Gashlin: different function, different s1
[15:50] Peter S Conway: well...
[15:50] Peter S Conway: ok then
[15:50] Adam Gashlin: "safe" register, remember?
[15:50] Peter S Conway:
    RAM:80000F14 li $a3, 0x80115D88
    RAM:80000F1C jal sub_8000232C
    RAM:80000F20 li $a2, 0x800DC65C
    RAM:80000F24 lui $a0, 0x800E
    RAM:80000F28 lw $a1, dword_80115D00
    RAM:80000F30 lw $a0, dword_800DC634
    RAM:80000F34 lui $a2, 0x800E
    RAM:80000F38 li $a3, 0x80115E80
    RAM:80000F40 jal sub_8000232C
    RAM:80000F44 li $a2, 0x800DC660
    RAM:80000F48 li $s1, 0x80115D30
    RAM:80000F50 lh $t0, 0($s1)
    RAM:80000F54 li $1, 0xFFFFFFFF
[15:51] Peter S Conway:
    RAM:80000F58 bne $t0, $1, loc_80000FC0
    RAM:80000F5C lw $ra, 0x30+var_4($sp)
    RAM:80000F60 lw $a0, 0($s0)
    RAM:80000F64 nop
    RAM:80000F68 lw $t1, 0x18($a0)
    RAM:80000F6C nop
    RAM:80000F70 beqz $t1, loc_80000FC0
    RAM:80000F74 lw $ra, 0x30+var_4($sp)
[15:51] Adam Gashlin: multiple calls, eh...
[15:51] Peter S Conway: then after that is a jal alCSPGetTempo and a nop
[15:51] Peter S Conway: as well as
[15:51] Peter S Conway:
    RAM:80000F80 li $t2, 0x3938700
    RAM:80000F88 div $t2, $v0
    RAM:80000F8C bnez $v0, loc_80000F98
    RAM:80000F90 nop
    RAM:80000F94 break #0x1C00
[15:51] Adam Gashlin: go up a bit
[15:52] Peter S Conway:
    RAM:80000EFC loc_80000EFC: # CODE XREF: sub_80000D00+154j
    RAM:80000EFC # sub_80000D00+15Cj
    RAM:80000EFC li $s0, 0x800DC630
    RAM:80000F04 lw $a1, dword_80115CFC
    RAM:80000F0C lw $a0, 0($s0)
    RAM:80000F10 lui $a2, 0x800E
[15:52] Peter S Conway: etc.
[15:52] Adam Gashlin: crap... looks like two different functions, two different addresses
[15:52] Peter S Conway: Teh crapness.
[15:53] Peter S Conway: other functions above 0xefc
[15:53] Peter S Conway:
    RAM:80000EE8
    RAM:80000EE8 loc_80000EE8: # CODE XREF: sub_80000D00+188j
    RAM:80000EE8 addiu $s2, 1
    RAM:80000EEC addiu $s1, 8
    RAM:80000EF0
    RAM:80000EF0 loc_80000EF0: # CODE XREF: sub_80000D00+1B0j
    RAM:80000EF0 slt $1, $s2, $v0
    RAM:80000EF4
    RAM:80000EF4 loc_80000EF4: # CODE XREF: sub_80000D00+1E0j
    RAM:80000EF4 bnez $1, loc_80000E70
    RAM:80000EF8 nop
[15:53] Peter S Conway: Hoorah for crappy assemblers.
[15:54] Adam Gashlin: yeah, I'm confused... let me start up a savestate
[15:54] Adam Gashlin: and look at the big picture
[15:54] Peter S Conway: the version I'm using is v1.0
[15:54] Adam Gashlin: 'k
[15:54] Peter S Conway: DONT GO MAKING PHONEY CALLS
[15:54] Peter S Conway: JUST CALL THE 7 DIGIT PHONE NUMBERS YOUR USED TO
[15:55] Adam Gashlin: *ONLY DIAL THE 7 DIGIT NUMBERS YOU'RE USED TO
[15:55] Peter S Conway: oh
[15:55] Peter S Conway: you know that song?
[15:55] Adam Gashlin: have you no sense of rhythm?
[15:55] Adam Gashlin: yes
[15:55] Peter S Conway: ;p.
[15:55] Adam Gashlin: I've seen Weird Al live
[15:55] Peter S Conway: he rux
[15:56] Peter S Conway: Anyways, you got the savestates
[15:56] Adam Gashlin: loadin'
[15:58] Adam Gashlin: this is a big-ass function
[15:58] Adam Gashlin: starts at 80000d00
[15:58] Peter S Conway: what is cvt.s.w?
[15:59] Peter S Conway: it appears to be a sort of instruction
[15:59] Adam Gashlin: I may have the order backwards, but it's a COP1 (floating point) instruction to convert a single-precision floating point value to a word
[16:00] Peter S Conway: it doesn't look like this is of any use
[16:00] Adam Gashlin: no
[16:01] Peter S Conway: just a whole bunch of locs
[16:02] Peter S Conway: and shit, i need to idle now
[16:02] Peter S Conway: you can take a look at that, that thing is confusing me like algebra does in math class
[16:03] Adam Gashlin: i'll do that
[16:17] Adam Gashlin: song select fcn located, when you return we will have many happy adventures explaining how I found it
[16:17] *** Auto-response sent to Adam Gashlin: I'm busy so GOAWAYPLZKTHX.
[17:36] Peter S Conway: I HAVE RETURNED
[17:36] Adam Gashlin: wow, that's a big screen
[17:36] Adam Gashlin: ready to get down to business?
[17:36] Peter S Conway: Indeed, Mr. President. I am all ears (or eyes).
[17:37] Adam Gashlin: ok, we'll start with that function we thought was the song select before
[17:37] Peter S Conway: hmm
[17:37] Peter S Conway: The one that was located in that uberbig thread starting at F00?
[17:37] Adam Gashlin: no
[17:37] Adam Gashlin: in sub_8000232C
[17:38] Peter S Conway: Yes, that one
[17:38] Adam Gashlin: sub_80076E68
[17:38] Adam Gashlin: oh, I misread you
[17:38] Adam Gashlin: you said "located in"... and I missed it
[17:38] Peter S Conway: yes.
[17:38] Peter S Conway: what's at sub_80076e68?
[17:39] Adam Gashlin: the thing we thought might be the song select
[17:39] Adam Gashlin: we know it's called with the sequence address in a1
[17:39] Adam Gashlin: and we saw 0x27 in a0 and thought it might be the song, but we were wrong
[17:39] Adam Gashlin: I now propose that that is a file number
[17:39] Peter S Conway: A file number?
[17:40] Peter S Conway: [16:17] Adam Gashlin: song select fcn located, when you return we will have many happy adventures explaining how I found it
[17:40] Adam Gashlin: yes
[17:40] Adam Gashlin: there are the happy adventures
[17:40] Adam Gashlin: I still think sub_80076E68 is responsible for loading the sequence
[17:40] Adam Gashlin: let's take a look at it
[17:41] Adam Gashlin: better yet, not
[17:41] Adam Gashlin: instead, look a few lines up from the call to it, at RAM:800023A0 lw $a3, 0($t3)
[17:42] Peter S Conway:
    RAM:8000237C lw $t7, dword_80115CF8
    RAM:80002384 lw $t1, dword_80115D0C
[17:42] Adam Gashlin: what?
[17:42] Peter S Conway: oh
[17:42] Peter S Conway: I see it
[17:42] Peter S Conway: the one at 23a0
[17:42] Adam Gashlin: yeah
[17:43] Adam Gashlin: this is where a3, the third parameter to sub_80076E68, is loaded
[17:44] Peter S Conway: ooo!
[17:44] Adam Gashlin: now look at where t3 is loaded
[17:44] Adam Gashlin: in the previous line, it's the sum of t1 and t2
[17:45] Adam Gashlin: t1 is loaded from a word in RAM:80002384 lw $t1, dword_80115D0C
[17:45] Peter S Conway: and t2?
[17:45] Adam Gashlin: why that's equal to v1*4, on 80002390
[17:45] Adam Gashlin: something like this always makes me suspect the song number
[17:46] Adam Gashlin: since it looks like an index into an array
[17:46] Adam Gashlin: something like a3=(*t1)[t1];
[17:46] Adam Gashlin: where the elements of the array are 4 bytes in size
[17:46] Adam Gashlin: with me yet?
[17:46] Peter S Conway: hmm...
[17:47] Peter S Conway: I don't know. :P
[17:47] Adam Gashlin: it probably doesn't help that I wrote it wrong
[17:48] Adam Gashlin: try a3=dword_80115D0C[v1
[17:48] Adam Gashlin: ];
[17:48] Adam Gashlin: dword_80115D0C is a pointer to the base of the array
[17:48] Adam Gashlin: v1 is the index into the array
[17:48] Adam Gashlin: we have to multiply v1 by 4 to get the actual address within the array, this is stored in t1
[17:49] Peter S Conway: what will a3=dword_80115d0c[v1]; do and where do I put it
[17:49] Adam Gashlin: it will do nothing, I was trying to write the equivalent in C
[17:49] Adam Gashlin: do demonstrate
[17:49] Adam Gashlin: *to
[17:49] Adam Gashlin: but then again you don't know much C, do you...
[17:49] Peter S Conway: No.
[17:49] Adam Gashlin: drat
[17:49] Peter S Conway: Though I wish I did.
[17:50] Adam Gashlin: do you get the concept of an array, though?
[17:50] Peter S Conway: yes.
[17:50] Adam Gashlin: good, and that dword_80115D0C is a pointer to the base of the array, that is it holds the address of the first element of that array?
[17:51] Peter S Conway: that isn't a question
[17:51] Adam Gashlin: thanks
[17:51] Adam Gashlin: good, and DO YOU GET THAT that dword_80115D0C is a pointer to the base of the array, that is it holds the address of the first element of that array?
[17:51] Adam Gashlin: feck
[17:51] Peter S Conway: yes.
[17:52] Adam Gashlin: ok
[17:52] Peter S Conway: That stup size control :P
[17:52] Adam Gashlin: ?
[17:52] Peter S Conway: you hit the text enlarge button.
[17:52] Adam Gashlin: I did?
[17:53] Peter S Conway: Now, I think that Windows Calculator can calculate the array in the hex thingy
[17:53] Peter S Conway: yes
[17:53] Adam Gashlin: is it still odd?
[17:53] Peter S Conway: nope
[17:53] Adam Gashlin: good
[17:53] Peter S Conway: so the command would be x times y in algebra
[17:53] Adam Gashlin: the sll t2,v1,2?
[17:54] Peter S Conway: I thought that something multiplies t1 and t2 and sends the result to t3.
[17:54] Peter S Conway: it would be something like t1 x t2 = t3
[17:54] Adam Gashlin: no, it's t3 = t1 + t2, and t2 = v1 x 4
[17:55] Peter S Conway: hmm
[17:55] Peter S Conway: I'm sux at math which isn't too good, but whatever
[17:55] Peter S Conway: Moving along
[17:56] Adam Gashlin: t2 = v1 x 4 is at 80002390
[17:56] Adam Gashlin: sll t2,v1,2 is t2 = v1 x 4
[17:56] Peter S Conway: I don't get it.
[17:56] Adam Gashlin: the instruction is called shift left logical
[17:56] Peter S Conway: Shouldn't the 2 be 4?
[17:57] Adam Gashlin: shifting a value left by 2 bytes causes a multiplication by 4
[17:57] Peter S Conway: oh
[17:57] Adam Gashlin: *2 bits
[17:57] Adam Gashlin: like 1 in binary is 1 in decimal but 100 in binary is 4 in decimal
[17:57] Peter S Conway: I don't know binary.
[17:57] Adam Gashlin: doh
[17:58] Peter S Conway: just hex and decimal
[17:58] Adam Gashlin: well, now you know some binary
[17:58] Adam Gashlin: 1 = 1, 10 = 2, 100 = 4
[17:58] Peter S Conway: so 1000 would be 6?
[17:58] Adam Gashlin: 1000 = 8
[17:58] Peter S Conway: doh
[17:58] Adam Gashlin: powers of 2, just like powers of 16 in hex
[17:58] Peter S Conway: cool! ;D
[17:59] Peter S Conway: so it would be 1 2 4 8... 16?
[17:59] Adam Gashlin: correct
[18:00] Peter S Conway: 36, 64, 128, 256, 512, etc
[18:00] Adam Gashlin: yes
[18:00] Adam Gashlin: er, 32, not 36
[18:00] Peter S Conway: d'oh
[18:00] Peter S Conway: so now what
[18:00] Adam Gashlin: so now do you get why the sll ,,2 is a multiplication by 4?
[18:01] Peter S Conway: indeed
[18:01] Adam Gashlin: and why sll ,,3 would be multiplication by 8
[18:01] Peter S Conway: 0 = 1
[18:01] Peter S Conway: 1 = 2
[18:01] Peter S Conway: 2 = 4
[18:01] Peter S Conway: 3 = 8
[18:01] Peter S Conway: 4 = 16
[18:02] Peter S Conway: it's a binary multiplication.
[18:02] Adam Gashlin: correny
[18:02] Adam Gashlin: right
[18:02] Adam Gashlin: whatever
[18:02] Adam Gashlin: and thus srl, shift right logical, is a division by whatever value
[18:02] Peter S Conway: and 3 would be 11
[18:02] Adam Gashlin: in binary, yeah
[18:03] Peter S Conway: or so sez this nifteh decimal2hex/binary/octal thing
[18:03] Peter S Conway: OK
[18:03] Peter S Conway: moving on
[18:03] Adam Gashlin: yes
[18:04] Adam Gashlin: so we're dealing with an array whose every element is 4 bytes in size
[18:04] Adam Gashlin: thus we use an sll 4 on the index to get the offset into the array
[18:04] Adam Gashlin: then we add this onto the base address to get the address of the element we're looking at
[18:05] Peter S Conway: the question is, where is this 4byte string located
[18:05] Adam Gashlin: well, look at the dword_80115D0C
[18:05] Adam Gashlin: 0x801C4680 is the base address
[18:05] Peter S Conway: Coolness!
[18:06] Adam Gashlin: get it?
[18:06] Peter S Conway: indeed.
[18:06] Peter S Conway: Now, the 4byte string is located at 801C4680
[18:06] Adam Gashlin: the first one is
[18:06] Adam Gashlin: the second is at 0x801C4684
[18:06] Adam Gashlin: et al
[18:07] Peter S Conway: now, we need to get the thing to receive a byte
[18:07] Peter S Conway: and process it into nifteh music!
[18:08] Adam Gashlin: now, we've seen that v1 is the index, right?
[18:08] Peter S Conway: yes
[18:08] Adam Gashlin: I propose, no, *DEMAND*, that this is the index number
[18:08] Adam Gashlin: of the song
[18:08] Adam Gashlin: stuff
[18:09] Peter S Conway: so v1 = the song id
[18:09] Adam Gashlin: at this very particular point in the program, yes
[18:09] Adam Gashlin: so what we could do is put a line in PJ64 to set v1 to whatever
[18:09] Peter S Conway: what line would that be
[18:09] Adam Gashlin: or we could do it right and find how v1 is set that way and find the proper select fcn
[18:10] Peter S Conway: The second one is a better choice though
[18:10] Adam Gashlin: where is v1 used as the array index?
[18:10] Adam Gashlin: yes, and it isn't terribly difficult either
[18:10] Peter S Conway: I can't remember where v1 is used
[18:10] Peter S Conway: was it back near the jal alcseqnew?
[18:10] Adam Gashlin: take a look, we discussed the instruction at length
[18:10] Adam Gashlin: yes
[18:11] Adam Gashlin: before sub_80076E68, which we've decided loads the sequence
[18:11] Peter S Conway: is it the one at 2378?
[18:11] Peter S Conway: it says something about v1 there
[18:11] Peter S Conway: RAM:80002378 lbu $v1, 0($s3)
[18:11] Adam Gashlin: yes, that is where v1 is loaded
[18:11] Adam Gashlin: but I asked where it was used, which is at the sll
[18:12] Peter S Conway:
    RAM:8000238C sll $t8, $v1, 3
    RAM:80002390 sll $t2, $v1, 2
[18:12] Adam Gashlin: right
[18:12] Adam Gashlin: the latter is the one we looked at, but you can see it's being used for another lookup as well
[18:12] Adam Gashlin: into an array with elements of size 8
[18:12] Peter S Conway: t2 would indicate a 4-byte string, right
[18:13] Adam Gashlin: I think you need better terminology
[18:13] Adam Gashlin: what do you mean by "string"
[18:13] Peter S Conway: sequence?
[18:13] Adam Gashlin: ah
[18:13] Adam Gashlin: just say array, then
[18:14] Peter S Conway: OK
[18:14] Peter S Conway: a four byte ARRAY then.
[18:14] Adam Gashlin: string has a different implication
[18:14] Peter S Conway: string is like this sequence of letters.
[18:14] Adam Gashlin: an array with elements of 4 bytes
[18:14] Adam Gashlin: the array itself is some multiple of 4 bytes in size
[18:14] Adam Gashlin: we call the 4-byte units double words, or dwords
[18:15] Adam Gashlin: so you could call it an array of dwords for short
[18:15] Peter S Conway: a word would be a two byte array
[18:15] Peter S Conway: or so I guess.
[18:15] Peter S Conway: But yes, now I know what a dword is
[18:15] Adam Gashlin: god
[18:15] Adam Gashlin: *good
[18:15] Peter S Conway: OK.
[18:16] Peter S Conway: Now, time to hunt down Mr. Dword.
[18:16] Adam Gashlin: no
[18:16] Peter S Conway: Oh.
[18:16] Adam Gashlin: we're hunting down a single byte
[18:16] Adam Gashlin: which is the index into the array of dwords
[18:16] Peter S Conway: hmm...
[18:17] Peter S Conway: Now, where is that byte
[18:17] Adam Gashlin: you found it yourself
[18:17] Adam Gashlin: that lbu line
[18:17] Adam Gashlin: lbu is "load byte unsigned"
[18:17] Peter S Conway: RAM:80002378 lbu $v1, 0($s3)
[18:17] Adam Gashlin: right
[18:17] Peter S Conway: so if I placed a byte there a song would play?
[18:17] Adam Gashlin: where?
[18:17] Peter S Conway: never mind
[18:17] Peter S Conway: it wouldn't work
[18:18] Adam Gashlin: first, what does that instruction do?
[18:18] Peter S Conway: it appears it is sending a blank song id
[18:18] Peter S Conway: but i don't really know what lbu means
[18:18] Adam Gashlin: lbu is "load byte unsigned"
[18:18] Peter S Conway: oh.
[18:19] Peter S Conway: so what exactly is s3
[18:19] Adam Gashlin: the syntax is lbu destination, base(source)
[18:19] Adam Gashlin: destination is the register in which to load
[18:19] Adam Gashlin: source is a register which holds the address
[18:19] Peter S Conway: it loads an unsigned byte of a base of 0 in s3.
[18:19] Adam Gashlin: base is an immediate (constant) value built into the instruction which is added to the value of s3 before loading
[18:20] Adam Gashlin: wait 'till I's done 'splainin'
[18:20] Peter S Conway: ;p
[18:20] Peter S Conway: so right now the instruction is setting the base to a blank sequence
[18:20] Adam Gashlin: no
[18:21] Adam Gashlin: ignore what you said, read what I said
[18:21] Peter S Conway: base is an immediate (constant) value built into the instruction which is added to the value of s3 before loading
[18:21] Adam Gashlin: correct
[18:21] Adam Gashlin: here it's zero
[18:21] Adam Gashlin: 0(s3)
[18:21] Adam Gashlin: thus it has no effect
[18:21] Peter S Conway: is the song id 0?
[18:21] Adam Gashlin: what?
[18:21] Adam Gashlin: the base? no
[18:22] Peter S Conway: so where is the base
[18:22] Adam Gashlin: the base is the little 0 in front of ($3) in lbu $v1, 0($s3)
[18:22] Adam Gashlin: *in front of (*s3)
[18:22] Adam Gashlin: *in front of ($s3)
[18:23] Peter S Conway: is it loading that byte in the instruction?
[18:23] Adam Gashlin: no
[18:23] Adam Gashlin: what the instruction does:
[18:24] Adam Gashlin: lbu $v1, 0($s3)
    1) read the value of register s3
    2) add the base (0, in this case) to that value
    3) load the byte at that location ($s3+0) into $v1
[18:25] Peter S Conway: so it's adding 0 to the value at s3
[18:25] Adam Gashlin: correct
[18:25] Peter S Conway: that is stup.
[18:25] Adam Gashlin: yes
[18:25] Peter S Conway: I mean, if you added 1 + 0 it would be 1.
[18:25] Adam Gashlin: right
[18:25] Adam Gashlin: it's just important for you to know why the 0 is there
[18:25] Peter S Conway: The compiler they were using was just wacky
[18:25] Adam Gashlin: no
[18:25] Adam Gashlin: it's part of the instruction
[18:25] Adam Gashlin: the base has to be specified, so if you don't need it you leave it 0
[18:26] Peter S Conway: AND NOW FOR A FANCEH COMMERCIAL BREAK AFTER YOU ARE DONE, AS I MUST GO.
[18:26] Adam Gashlin: going?
[18:26] Peter S Conway: Yes, I am going to dinner.
[18:26] Peter S Conway: And after that we will finish this once and for all.
[18:26] Adam Gashlin: ok... I'll go to the bathroom or something and dance around until you return
[18:26] Peter S Conway: :P!
[18:26] Peter S Conway: bbl.
[18:27] Peter S Conway: i'll probably be home around 7:30 or 8, somewhere in between there.
[18:27] Adam Gashlin: 'k
[18:27] *** Auto-response sent to Adam Gashlin: I'm busy so GOAWAYPLZKTHX.
[18:47] *** "Adam Gashlin" signed off at Sat Oct 01 18:47:04 2005.
[19:21] *** "Adam Gashlin" signed on at Sat Oct 01 19:21:56 2005.
[19:49] Peter S Conway: ammuu?
[19:49] Adam Gashlin: hi
[19:50] Peter S Conway: it appears you dropped offline.
[19:50] Peter S Conway: But whatever.
[19:50] Adam Gashlin: several times
[19:50] Peter S Conway: Back to work!
[19:50] Peter S Conway: WHEN WE LAST LEFT OUR HEROES...
[19:50] Peter S Conway: [18:25] Peter S Conway: The compiler they were using was just wacky [18:25] Adam Gashlin: no [18:25] Adam Gashlin: it's part of the instruction [18:25] Adam Gashlin: the base has to be specified, so if you don't need it you leave it 0
[19:50] Adam Gashlin: I'm using someone else's wireless router so I really have no control over my connection
[19:51] Peter S Conway: OK
[19:51] Peter S Conway: So, where were we?
[19:51] Adam Gashlin: do we now understand 80002378 lbu $v1, 0($s3)
[19:51] Peter S Conway: yes
[19:52] Adam Gashlin: good
[19:52] Peter S Conway: that adds 0 to s3, and sends it to v1
[19:52] Adam Gashlin: not precisely
[19:52] Adam Gashlin: in fact, not at all
[19:52] Adam Gashlin: it does add 0 to s3
[19:52] Adam Gashlin: but it then uses that as an address
[19:52] Adam Gashlin: and loads a byte from RAM
[19:53] Peter S Conway: and which byte would that be
[19:53] Adam Gashlin: that would be the byte at the address in s3
[19:53] Peter S Conway: how do we know what the byte at s3 is
[19:54] Adam Gashlin: we don't!
[19:54] Adam Gashlin: but it's the song number [19:54] Peter S Conway: Well there is one way... [19:54] Peter S Conway: that is to find out the s3 using the n64 debugger in pj64. or we can just find the function to send something to s3 [19:55] Adam Gashlin: well, we can easily tell what s3 itself is [19:55] Adam Gashlin: s3 is loaded from a2 at 80002354 [19:56] Peter S Conway: it copies a2 to s3 [19:56] Adam Gashlin: yes [19:56] Peter S Conway: now we need to get where a2 is loaded from [19:56] Adam Gashlin: right [19:56] Adam Gashlin: and for that we go up to the big-ass function identified before [19:57] Peter S Conway: the one at d00? [19:57] Adam Gashlin: aye [19:57] Peter S Conway: so this is the function. [19:58] Peter S Conway: Since it is different so will the memory. [19:58] Adam Gashlin: hmm? [19:58] Peter S Conway: well you said earlier [19:58] Peter S Conway: since it is a different function, the memory will be different [19:58] Adam Gashlin: not for a2 [19:59] Adam Gashlin: the a registers, a0,a1,a2, and a3 are used for passing parameters [19:59] Adam Gashlin: thus they are set before entering a function and used by that function [19:59] Adam Gashlin: the s registers, s0,s1,s2,s3,s4,s5,s6,s6,s8, and s9, are to be left unchanged by a function [19:59] Peter S Conway: oh [20:00] Peter S Conway: so now to find the a2 register [20:00] Adam Gashlin: right [20:00] Adam Gashlin: there are two calls to sub_8000232C [20:01] Adam Gashlin: look and you will see that for each a different value is loaded into a2 [20:01] Adam Gashlin: can you find these? 
[20:01] Peter S Conway: let's look [20:01] Peter S Conway: RAM:80000F1C jal MusicSelect RAM:80000F20 li $a2, 0x800DC65C [20:01] Adam Gashlin: right, there's one [20:02] Peter S Conway: MusicSelect is my name for the sub_8000 thing [20:02] Adam Gashlin: a bit of a misnomer, but that's ok [20:02] Peter S Conway: heres another $a2 thing [20:02] Peter S Conway: RAM:80000F34 lui $a2, 0x800E [20:02] Adam Gashlin: ok, that's half a load, the rest is at 80000F44 (exp. to follow) [20:02] Peter S Conway: and yes, I found it [20:02] Peter S Conway: RAM:80000F40 jal MusicSelect RAM:80000F44 li $a2, 0x800DC660 [20:03] Adam Gashlin: MIPS instructions can only load 16 bits at a time [20:03] Adam Gashlin: right [20:03] Adam Gashlin: anyway, in order to load a full 32 bits, for an address, for example, you therefore need two instructions [20:03] Adam Gashlin: one would be something like lui t0,0x8000 [20:04] Adam Gashlin: that's Load Upper Immediate [20:04] Adam Gashlin: which loads t0 with 0x80000000 [20:04] Peter S Conway: I know something [20:04] Peter S Conway: well at least I THINK [20:04] Adam Gashlin: do you want me to go over it anyway? [20:04] Peter S Conway: never mind, I don't. [20:04] Peter S Conway: Go ahead [20:05] Adam Gashlin: ok, say you want to load a byte from 0x80000004 [20:05] Peter S Conway: uhhuh [20:05] Adam Gashlin: and you don't know what's in any register [20:05] Adam Gashlin: you'd have to do: lui t0,0x8000 lbu t1,4(t0) [20:06] Peter S Conway: so that would... [20:06] Peter S Conway: load 80000000 [20:06] Adam Gashlin: the lui loads t0 with 0x80000000, then the lbu loads the byte from 0x80000000+4 [20:06] Peter S Conway: then set it to 80000004 [20:06] Peter S Conway: OK then [20:06] Adam Gashlin: ok, it's the same thing with just loading an address [20:07] Adam Gashlin: you've seen instructions like li t0,0x27, right? [20:07] Peter S Conway: I don't know. 
[20:07] Peter S Conway: oh yeah [20:07] Peter S Conway: Yes I see [20:07] Adam Gashlin: what that is is Load Immediate [20:07] Adam Gashlin: it can only load 16 bits, though [20:07] Adam Gashlin: so if you wanted to load, say, 0xdeadbeef [20:07] Peter S Conway: lol [20:08] Adam Gashlin: you'd need to do: lui t0,0xdead ori t0,0xbeef [20:08] Peter S Conway: ori? [20:08] Adam Gashlin: ori being just Or Immediate [20:08] Adam Gashlin: are you at all familiar with the bitwise OR operation? [20:08] Peter S Conway: whazzat? [20:08] Adam Gashlin: guess not... [20:09] Adam Gashlin: suffice to say for this discussion that the ori will fill in the rest [20:09] Adam Gashlin: crap, my now playing thing is borked [20:09] Peter S Conway: as in how [20:09] Peter S Conway: did an idiot exploit a bug [20:09] Adam Gashlin: no, something with the wrapping [20:10] Peter S Conway: yes [20:10] Peter S Conway: I see the image is broken [20:10] Peter S Conway: Do continue with DKR. [20:10] Adam Gashlin: anyway, moving on we see that each time MusicSelect is called we have a different value in a2 [20:11] Peter S Conway: uhhuh [20:11] Adam Gashlin: ok, back a step [20:11] Adam Gashlin: RAM:80000F40 jal sub_8000232C RAM:80000F44 la $a2, byte_800DC660 [20:11] Adam Gashlin: do you know about delay slots? [20:11] Peter S Conway: Nope. [20:12] Adam Gashlin: the instruction after a jump or branch instruction is called the delay slot [20:12] Adam Gashlin: on MIPS [20:12] Adam Gashlin: this applies to j, jal, bne, etc. 
[20:12] Adam Gashlin: it takes the CPU extra time to load the jump destination [20:13] Peter S Conway: jal = Jump and Link [20:13] Adam Gashlin: correct [20:13] Adam Gashlin: which is most often used in function calls [20:13] Peter S Conway: ok [20:13] Adam Gashlin: anyway, in the time that the CPU is loading the instruction at the jump destination, it executes the instruction after the jump instruction [20:14] Adam Gashlin: so RAM:80000F40 jal sub_8000232C RAM:80000F44 la $a2, byte_800DC660 will execute "la $a2, byte_800DC660" before we ever get to 800DC660 [20:14] Peter S Conway: wargh [20:14] Peter S Conway: your text size went up again [20:14] Adam Gashlin: sorry [20:14] Adam Gashlin: *before we ever get to 8000232C [20:15] Peter S Conway: What does la do [20:15] Adam Gashlin: la is load address [20:15] Adam Gashlin: it isn't a real instruction [20:15] Adam Gashlin: remember I was talking about two instructions being needed to load an address? [20:16] Peter S Conway: yes [20:16] Adam Gashlin: when IDA sees those two instructions it displays an la instruction [20:17] Adam Gashlin: RAM:80000F34 lui $a2, 0x800E RAM:80000F38 li $a3, 0x80115E80 RAM:80000F40 jal sub_8000232C RAM:80000F44 la $a2, byte_800DC660 here the upper half of the address is loaded at 0x80000E34, the bottom half is loaded somehow at 0x80000F44 [20:18] Peter S Conway: Does it run an instruction at the load position [20:18] Adam Gashlin: i don't know what you mean [20:19] Adam Gashlin: crap, I meant 0x80000F34 [20:19] Adam Gashlin: the upper half of the address is loaded at 0x80000F34, the bottom half is loaded somehow at 0x80000F44 [20:19] Peter S Conway: How does it get loaded at f44 [20:20] Adam Gashlin: I don't know what instruction it is [20:20] Adam Gashlin: IDA has called it "la" to make things easier to read [20:21] Adam Gashlin: because the upshot is that a2 is loaded with 800DC660 [20:21] Peter S Conway: so la is actually two instructions? 
[20:21] Adam Gashlin: in this case, no [20:21] Adam Gashlin: in other cases, yes [20:21] Adam Gashlin: sorry if it's a little confusing [20:21] Peter S Conway: i think I understand [20:21] Peter S Conway: Moving on [20:21] Adam Gashlin: you can safely look at it and say "this loads an address" [20:22] Adam Gashlin: ok, so, two different addresses for the song number byte for two different calls to MusicSelect (I think you called it) [20:22] Peter S Conway: it is musicselect [20:22] Adam Gashlin: I think this is so that the game can have two sequences playing at once [20:22] Adam Gashlin: we'll look at the first one... first [20:23] Peter S Conway: then the second one... second one [20:23] Adam Gashlin: no, we'll ignore the second one [20:23] Adam Gashlin: RAM:80000F1C jal sub_8000232C RAM:80000F20 la $a2, unk_800DC65C [20:23] Peter S Conway: I see [20:23] Adam Gashlin: it will be seen whether or not this was a good idea [20:23] Adam Gashlin: crap, when I did it I used the second one, I don't know if the first will work out, let's stick with the second [20:24] Adam Gashlin: so RAM:80000F40 jal sub_8000232C RAM:80000F44 la $a2, byte_800DC660 [20:24] Peter S Conway: OK [20:24] Adam Gashlin: now you'll see that in my disassembly it's called byte_800DC660 instead of unk_800DC660 in yours, probably [20:25] Peter S Conway: something's wrong [20:25] Adam Gashlin: is it? [20:25] Peter S Conway: RAM:80000F40 jal MusicSelect RAM:80000F44 li $a2, 0x800DC660 [20:25] Adam Gashlin: whatever, same thing [20:25] Adam Gashlin: that's how it starts off, I played with it [20:25] Adam Gashlin: select 0x800DC660 and press Ctrl-O [20:25] Adam Gashlin: that tells IDA that it's a memory offset [20:25] Peter S Conway: there [20:25] Adam Gashlin: you'll get the unk_ [20:25] Peter S Conway: it's a byte [20:26] Adam Gashlin: oh, it already has the byte? 
[20:26] Peter S Conway: yes [20:26] Adam Gashlin: ok, well select it and press "x" for the crossreference list [20:26] Adam Gashlin: ah, I see what it is [20:27] Peter S Conway: xrefs [20:27] Adam Gashlin: right [20:27] Adam Gashlin: there should be two [20:27] Peter S Conway: there are two [20:27] Peter S Conway: the first one is an o [20:27] Peter S Conway: the second one is a w [20:27] Adam Gashlin: the other is RAM:800025F0 sb $0, byte_800DC660 [20:27] Peter S Conway: I see that [20:27] Adam Gashlin: good [20:27] Peter S Conway: it has a +80 after the address [20:28] Peter S Conway: so which one am I going to go [20:28] Adam Gashlin: don't bother, that's just the initialization [20:28] Adam Gashlin: the first one is the place you already are [20:28] Peter S Conway: uhhuh [20:29] Adam Gashlin: you just want the address 800DC660 so we can find what writes it [20:29] Adam Gashlin: which you already had [20:29] Adam Gashlin: so we'll go back into PJ64 and trap byte writes to that address [20:29] Peter S Conway: what would trap be [20:29] Peter S Conway: *the trap [20:29] Adam Gashlin: getting to it [20:30] Adam Gashlin: we'll be working with memory.c [20:30] Peter S Conway: not ExecuteInterpreterOpcode? [20:30] Adam Gashlin: not for memory writes [20:30] Adam Gashlin: look for the function called r4300i_SB_VAddr [20:30] Adam Gashlin: this handles all writes of one byte [20:31] Peter S Conway: I found the instruction [20:31] Peter S Conway: BOOL r4300i_SB_VAddr ( DWORD VAddr, BYTE Value ) { if (TLB_WriteMap[VAddr >> 12] == 0) { return FALSE; } *(BYTE *)(TLB_WriteMap[VAddr >> 12] + (VAddr ^ 3)) = Value; return TRUE; } [20:31] Peter S Conway: is that the one? 
[20:31] Adam Gashlin: while it's possible that the music number was written as a word, halfword, or doubleword it's more likely that it's written as a byte since it's read as a byte, so that's where we'll put our trap [20:31] Adam Gashlin: yes [20:32] Adam Gashlin: before the line return TRUE; put: if (VAddr==0x800DC660) DisplayError("PC=%08x",PROGRAM_COUNTER); [20:32] Adam Gashlin: that'll pop up an error when the song number is written to [20:32] Adam Gashlin: VAddr is the address of the write [20:32] Peter S Conway: built [20:33] Adam Gashlin: good, let 'er run [20:33] Peter S Conway: Is it ok to switch to Recompiler [20:33] Adam Gashlin: no [20:33] Peter S Conway: asjas [20:34] Peter S Conway: nothing popped up. [20:34] Peter S Conway: I'm running under interpreter. [20:34] Peter S Conway: [20:33] Adam Gashlin: stunned silence [20:35] Peter S Conway: ;p [20:35] Adam Gashlin: quiet, knucklehead [20:35] Adam Gashlin: ok, we'll try the first one, 800DC65C, instead [20:35] Adam Gashlin: can you make that modification? [20:35] Peter S Conway: donre [20:35] Peter S Conway: *done [20:35] Peter S Conway: recompiled [20:36] Peter S Conway: It called a write from 2314. [20:36] Peter S Conway: and another one from 2550 [20:37] Adam Gashlin: ok [20:37] Adam Gashlin: we'll look at both [20:37] Peter S Conway: that was for the nintendo and rareware titles [20:37] Adam Gashlin: first, 80002314 [20:37] Peter S Conway: when it fades out and switches to the title screen [20:37] Peter S Conway: it also gets 25b8 [20:37] Peter S Conway: then 2134 [20:38] Adam Gashlin: ok, really, only the first one interests us [20:38] Adam Gashlin: since we'll be halting execution after it [20:38] Peter S Conway: RAM:80002314 sb $a2, -0x39A4($1) [20:39] Peter S Conway: it's also above musicselect [20:39] Adam Gashlin: ok, look up to find where a2 is set [20:39] Peter S Conway: RAM:800022D0 sb $a2, 0x18+arg_0+3($sp)? [20:39] Peter S Conway: the ? 
indicating a question [20:39] Adam Gashlin: no [20:39] Adam Gashlin: the no indicating no [20:39] Peter S Conway: ;p [20:39] Adam Gashlin: but what does that instruction do? [20:40] Peter S Conway: I have no idea [20:40] Adam Gashlin: oh [20:40] Adam Gashlin: sb is Store Byte [20:40] Peter S Conway: it appears to be sending 0x18 to a2 [20:40] Adam Gashlin: think Load Byte but the other way around [20:40] Adam Gashlin: no [20:40] Peter S Conway: Rule of universe: [20:41] Peter S Conway: The Adam is always right. [20:41] Adam Gashlin: it is storing the value of a2, load loading something into a2 [20:41] Adam Gashlin: *not loading [20:41] Peter S Conway: so it is saving 0x18 to a2 [20:41] Adam Gashlin: no [20:41] Peter S Conway: AOSIDHOISAFHOAIS [20:41] Adam Gashlin: in fact 0x18 has nothing to do with it, that's just IDA munging up what's a simple base [20:42] Adam Gashlin: that doesn't change a2 at all, look up a few more lines [20:42] Peter S Conway: RAM:800022C8 move $a2, $a0 [20:42] Adam Gashlin: tada [20:42] Adam Gashlin: therefore... [20:42] Peter S Conway: It is sending something from a0 to a2 [20:42] Adam Gashlin: yep [20:43] Peter S Conway: which is the song id [20:43] Adam Gashlin: yep [20:43] Peter S Conway: but something isn't right [20:43] Adam Gashlin: ? [20:43] Peter S Conway: err nevermind [20:43] Peter S Conway: Argument 0 is nothing [20:43] Peter S Conway: I'm not sure what these arguments are all about [20:44] Adam Gashlin: don't worry about that [20:44] Peter S Conway: RAM:800022C4 sw $a0, 0x18+arg_0($sp) [20:44] Adam Gashlin: SW = Store Word [20:44] Adam Gashlin: just saving the value of a0 [20:44] Adam Gashlin: and what do we know is in a0? 
[20:45] Peter S Conway: I don't remember [20:45] Adam Gashlin: (20:36:22) UNKNOWNFILE: It is sending something from a0 to a2 (20:36:28) Masked Tomato: yep (20:36:31) UNKNOWNFILE: which is the song id [20:45] Peter S Conway: doh [20:45] Adam Gashlin: that's how the song id gets into a2, from a0 [20:45] Adam Gashlin: and a0 is the first parameter/argument of this function [20:46] Peter S Conway: so, what would the currently playing song be [20:46] Adam Gashlin: damned if I know [20:46] Adam Gashlin: but we know what the song we want to play now is [20:46] Adam Gashlin: its value is in a0 [20:46] Adam Gashlin: this function is the (or at least a) song select function [20:48] Peter S Conway: So how do we get it to play a song [20:48] Adam Gashlin: we just change what a0 is at the beginning of this function [20:48] Adam Gashlin: I gave you a line to do that before for the other function we were playing with, do you still have that? [20:48] Peter S Conway: do you? [20:49] Adam Gashlin: if (PROGRAM_COUNTER==whatever) GPR[4].UW[0]=somewewanttoplay; [20:49] Peter S Conway: oh [20:49] Peter S Conway: ok [20:49] Adam Gashlin: whatever being the address of the song select fucntio [20:49] Adam Gashlin: anagram [20:50] Peter S Conway: so this will be in ExecuteInterpreterOpcode. [20:50] Adam Gashlin: yes [20:50] Peter S Conway: I will make it play 0x18, the menus song [20:50] Adam Gashlin: comment out the thing in that memory function, now [20:50] Peter S Conway: how do you make it a comment [20:50] Adam Gashlin: put // at the beginning of the line [20:51] Peter S Conway: ok [20:51] Peter S Conway: do I put 18 or 0x18? [20:51] Adam Gashlin: 0x18 if you mean 0x18 [20:51] Adam Gashlin: brb, bathroom [20:51] Peter S Conway: ok [20:52] Peter S Conway: I shall try it [20:53] Peter S Conway: IT WORKED! [20:53] Peter S Conway: YOU ARE TEH MAN [20:53] Peter S Conway: highfive! [20:54] Peter S Conway: but that, obviously, is not what we are looking for [20:54] Adam Gashlin: what? 
[20:54] Peter S Conway: Now what we are looking for is the graphics thread [20:54] Adam Gashlin: why not? [20:54] Adam Gashlin: oh, yes [20:54] Adam Gashlin: I'm sad to say that was the easy part. [20:54] Peter S Conway: and the gameplay thread [20:55] Adam Gashlin: I suggest killing things at random [20:55] Peter S Conway: where would the create thread be [20:55] Peter S Conway: o ya [20:55] Peter S Conway: OsCreateThread [20:56] Peter S Conway: ack, that's not what I'm looking for [20:56] Peter S Conway: at least not the actual oscreatethread function. [21:00] Adam Gashlin: what are you looking for? [21:00] Peter S Conway: threads! [21:00] Peter S Conway: I have 3 so far [21:00] Adam Gashlin: good [21:01] Peter S Conway: 80065d98 800b6fc4 800d2760 8006c330 800d1b08 800795ac 80002a98 800c74a0 [21:01] Peter S Conway: those are the threads [21:01] Adam Gashlin: ok [21:01] Adam Gashlin: are you going to number them in that order? [21:02] Peter S Conway: yeds [21:02] Peter S Conway: *yes [21:02] Adam Gashlin: good [21:02] Adam Gashlin: one you will find is already named [21:02] Adam Gashlin: skip it and call the next one Thread4 anyway [21:02] Peter S Conway: the one at 80065d98 is just creating and starting threads [21:03] Peter S Conway: along with the one that calls it [21:03] Peter S Conway: RAM:80065E18 b loc_80065E18 RAM:80065E1C nop [21:03] Adam Gashlin: typical [21:03] Peter S Conway: so we should leave that alone [21:03] Adam Gashlin: killing it won't do any good, so yes [21:04] Peter S Conway: the one at 800b64c4 looks confusing [21:04] Peter S Conway: it just looks like it's setting queues [21:05] Adam Gashlin: well it's getting messages and doing stuff after that [21:06] Adam Gashlin: you mean 800B6FC4, right? [21:06] Peter S Conway: Yes. 
[21:06] Peter S Conway: I will try killing it [21:08] Peter S Conway: but the question is, how [21:09] Adam Gashlin: we'll want to do the killing when the song select function is called [21:09] Adam Gashlin: so change the if (PROGRAM_COUNTER==whatever) GPR[4].UW[0]=somewewanttoplay; to if (PROGRAM_COUNTER==whatever) { } so we can put some extra stuff inside there [21:09] Adam Gashlin: are you familiar with the function of the curly braces? [21:10] Peter S Conway: Yes [21:10] Adam Gashlin: ok [21:10] Peter S Conway: I've been working on an IRC bot recently [21:10] Peter S Conway: so it's like [21:10] Peter S Conway: if ($nick == UNKNOWNFILE) { /msg $chan Hello } [21:10] Peter S Conway: or on 1:TEXT:moo:#: { [21:10] Peter S Conway: zomg [21:10] Peter S Conway: these [21:10] Peter S Conway: are [21:10] Peter S Conway: stuff [21:10] Peter S Conway: } [21:12] Peter S Conway: now how should I enter the offset [21:12] Adam Gashlin: what offset? [21:12] Peter S Conway: the offset of the thread [21:12] Adam Gashlin: you won't [21:13] Adam Gashlin: you'll want to look for an instruction that you can remove or change to cause the thread to cease operation [21:13] Adam Gashlin: the main body of the thread is a loop starting at loc_800B7050 [21:14] Adam Gashlin: 800B7068, 800B7088, and 800B70A8 loop back to it [21:14] Peter S Conway: I don't see the thing that activates it [21:14] Adam Gashlin: activates? [21:14] Peter S Conway: that starts the loop [21:14] Peter S Conway: oh now I do [21:15] Peter S Conway: 800B7050 [21:15] Peter S Conway: no [21:15] Peter S Conway: RAM:800B70A8 b loc_800B7050 RAM:800B70AC move $a0, $s4 [21:15] Adam Gashlin: I don't know what you mean by "starts the loop" [21:15] Adam Gashlin: that's at the end of the loop, to take us back to the beginning [21:16] Peter S Conway: that tells it to start operation. 
[21:16] Adam Gashlin: you see the dashed arrow along the left margin [21:16] Adam Gashlin: doesn't tell it to start anything [21:16] Adam Gashlin: it goes back to the beginning, if it hadn't been at the beginning before it wouldn't have gotten to the end [21:16] Peter S Conway: it loops it [21:16] Adam Gashlin: yes [21:16] Peter S Conway: so how do I kill this loop [21:16] Adam Gashlin: by taking out the loop instruction [21:17] Adam Gashlin: which you pointed out [21:17] Adam Gashlin: however there are three [21:17] Adam Gashlin: as I pointed out [21:17] Peter S Conway: so we must remove all of them [21:17] Adam Gashlin: the easiest way to kill this thread is to remove everything between 800B7050 and 800B70AC [21:18] Peter S Conway: that's to wipe the whole thread out [21:18] Adam Gashlin: ayep [21:18] Peter S Conway: now how should I kill this in the source code [21:18] Adam Gashlin: for that you'll need a loop of your own [21:18] Adam Gashlin: at the top of ExecuteInterpreterOpcode put the line "int c;" [21:19] Adam Gashlin: then inside the song select if block put: for (c=0xb7050; c < 0xb70ac; c+=4) ((DWORD*)N64MEM)[c/4]=0; [21:20] Peter S Conway: compiling [21:20] Adam Gashlin: do you see what that line does? [21:20] Peter S Conway: I am not sure [21:20] Peter S Conway: as I don't really know C [21:21] Adam Gashlin: have you seen a for loop before? [21:21] Adam Gashlin: yes... nowplaying fixed [21:21] Peter S Conway: nope. [21:21] Peter S Conway: That just makes execution stand there [21:21] Adam Gashlin: no music? [21:21] Peter S Conway: and make pj64 pop up errors that say [21:21] Peter S Conway: ST TLB (address) [21:22] Adam Gashlin: ok, I guess that was an important thread. [21:22] Peter S Conway: as well as Left Kernel Mode [21:22] Peter S Conway: I think we should leave that alone [21:22] Adam Gashlin: try one more thing: [21:22] Peter S Conway: runyet? [21:22] Adam Gashlin: ((DWORD*)N64MEM)[0xB70A0/4]=0; [21:23] Peter S Conway: in the for loop? 
[21:23] Adam Gashlin: no, replace the for loop [21:23] Adam Gashlin: I think this thread is used for controller reading [21:23] Peter S Conway: ok [21:23] Peter S Conway: running [21:24] Peter S Conway: and shit, those stupid sw tlb errors haven't gone away [21:24] Adam Gashlin: hmm [21:24] Adam Gashlin: ah well, we'll leave it be for now [21:24] Peter S Conway: try compiling it yourself and see what it does for you [21:24] Peter S Conway: I might have something wrong [21:25] Adam Gashlin: you're right, I get no effect at all [21:25] Adam Gashlin: show me your code [21:26] Adam Gashlin: from the top of the fcn [21:26] Peter S Conway: in ida or in msvc++6 [21:26] Adam Gashlin: the C code [21:26] Peter S Conway: void ExecuteInterpreterOpCode (void) { if (PROGRAM_COUNTER==0x800C8850) { ((DWORD*)N64MEM)[0xB70A0/4]=0; GPR[4].UW[0]=0x18; } [21:26] Peter S Conway: actually [21:27] Peter S Conway: I had an undefined variable in there [21:27] Peter S Conway: I shall try it again [21:27] Peter S Conway: there [21:27] Peter S Conway: no difference [21:27] Peter S Conway: just the same annoying loop of errors [21:27] Adam Gashlin: whoa, c8850? [21:27] Adam Gashlin: where'd that come from? [21:27] Peter S Conway: the song select thing [21:27] Adam Gashlin: we have a new song select function, remember? [21:28] Peter S Conway: where would that be [21:28] Adam Gashlin: 800022BC [21:28] Peter S Conway: rebuilding... [21:28] Adam Gashlin: when you got it to change songs... [21:28] Adam Gashlin: you weren't using that other address, were you? [21:28] Peter S Conway: I think I was.. 
[21:29] Adam Gashlin: I'm pretty sure that wouldn't work [21:29] Adam Gashlin: yeah, that's osCreateThread [21:29] Peter S Conway: this function does absolutely nothing [21:29] Adam Gashlin: yep [21:29] Peter S Conway: it's just a nonsense thread [21:29] Adam Gashlin: I don't think so [21:30] Peter S Conway: well the controller is working [21:30] Adam Gashlin: oh [21:30] Adam Gashlin: hmm [21:30] Adam Gashlin: well [21:30] Adam Gashlin: even with the for loop? [21:30] Peter S Conway: let me try it with that [21:30] Adam Gashlin: yeah, you' [21:30] Adam Gashlin: you're right [21:32] Peter S Conway: it does do nothing [21:32] Adam Gashlin: heh [21:32] Peter S Conway: even with the for loop [21:32] Adam Gashlin: well, I guess we killed the right function [21:32] Adam Gashlin: might be a debug thing... or it might not be used until in game [21:32] Peter S Conway: Let's try it [21:33] Adam Gashlin: hmm, actually, we never even get to the end of the function [21:34] Peter S Conway: ok [21:34] Peter S Conway: so anyway [21:34] Peter S Conway: now I shall kill another thread [21:34] Adam Gashlin: ayep [21:34] Peter S Conway: 800d2760 appears to be the osDevMgrMain are [21:34] Peter S Conway: *area [21:35] Peter S Conway: I think it's just used for debugging [21:35] Adam Gashlin: yeah, best to leave that be [21:35] Adam Gashlin: probably not debugging [21:36] Peter S Conway: this looks like a display thread. [21:36] Adam Gashlin: 8006c330? [21:36] Peter S Conway: yes that one [21:36] Peter S Conway: what do you think it does [21:37] Adam Gashlin: I agree with your analysis [21:37] Adam Gashlin: let's see, shall we? [21:37] Peter S Conway: ok [21:37] Adam Gashlin: any ideas for killing it? 
[21:37] Peter S Conway: I suggest entire range [21:37] Adam Gashlin: go nuts [21:38] Peter S Conway: it just sits there, no sound or audio [21:39] Peter S Conway: but there is a 100% cpu use [21:39] Adam Gashlin: crashy, crashy [21:39] Peter S Conway: ;p [21:39] Adam Gashlin: probably used for both audio and video [21:39] Peter S Conway: now how do I get rid of the video part [21:40] Adam Gashlin: good question [21:40] Adam Gashlin: and I'm not going to claim to know, I'll just say that we should move on [21:40] Adam Gashlin: find another thread which will halt video function [21:41] Peter S Conway: I will try one last thing before moving on [21:41] Peter S Conway: Woah [21:41] Peter S Conway: Guess what, adam [21:41] Peter S Conway: that killed everything [21:41] Peter S Conway: except the audio! [21:41] Adam Gashlin: ! [21:42] Adam Gashlin: whadja do? [21:42] Peter S Conway: if (PROGRAM_COUNTER==0x800022BC) { for (c=0xb7050; c < 0xb70ac; c+=4) ((DWORD*)N64MEM)[c/4]=0; for (c=0x6c36c; c < 0x6c3a4; c+=4) ((DWORD*)N64MEM)[c/4]=0; GPR[4].UW[0]=0x18; } [21:42] Peter S Conway: I'm so excited! ^^ [21:42] Peter S Conway: But first [21:42] Peter S Conway: Can this be made into an actual, working USF?! [21:43] Peter S Conway: LETS FIND OUT!!!!!111 [21:43] Adam Gashlin: so you're happy with that? [21:43] Adam Gashlin: if you leave it running nothing else happens, like the music restarting? [21:43] Peter S Conway: the music loops. [21:43] Peter S Conway: nothing else. [21:44] Adam Gashlin: ok, well, we can take it from here , I guess [21:44] Peter S Conway: ok [21:44] Peter S Conway: first we need to make a savestate [21:44] Adam Gashlin: right [21:45] Adam Gashlin: that's covered in the tutorial [21:46] Peter S Conway: There [21:46] Peter S Conway: the state was saved to race_start.pj.zip [21:46] Adam Gashlin: .zip... 
ewww [21:46] Peter S Conway: :P [21:46] Adam Gashlin: extract it [21:46] Peter S Conway: done [21:46] Adam Gashlin: and disable that option for the future [21:47] Peter S Conway: I don't know how. [21:47] Peter S Conway: But whatever [21:47] Peter S Conway: moving onto PJ64: USF! [21:47] Adam Gashlin: it's "automatically compress instant saves" in the options [21:47] Peter S Conway: PJ64 USF is the monstrosity I have created to pare down ROMs and save states for use in USFs. When set up correctly it will trace every data access the game makes and decide what data to keep and what to throw out. --you [21:48] Peter S Conway: now [21:48] Peter S Conway: Let's open the thing up, shall we? [21:50] Peter S Conway: Savestate - you know ;p [21:50] Peter S Conway: Trace begin offset...? [21:50] Peter S Conway: I NEVER KNOW WHERE. [21:50] Adam Gashlin: try a few instructions into the song select [21:50] Peter S Conway: the savestate already has music playing. [21:51] Adam Gashlin: oh? [21:51] Peter S Conway: yes [21:51] Peter S Conway: it's already playing 0x18 [21:51] Peter S Conway: I think I should remove that part [21:51] Adam Gashlin: doesn't matter [21:51] Adam Gashlin: you'll be overwriting it with all the values in pj64 usf [21:52] Peter S Conway: ok [21:53] Peter S Conway: now which music function should I look at [21:53] Peter S Conway: I'm thinking the one at 232c [21:53] Adam Gashlin: not that you're wrong, but why? [21:54] Peter S Conway: Because I'm wrong. ;p [21:54] Peter S Conway: I will be using the PROPER part. [21:54] Peter S Conway: ok [21:54] Peter S Conway: now what should the Song Value Offset be [21:55] Adam Gashlin: well, start with the 0x18 you know works [21:55] Peter S Conway: no, I meant the offset, not the values [21:55] Adam Gashlin: doesn't matter [21:55] Adam Gashlin: it isn't used [21:56] Peter S Conway: nothing is playing [21:57] Peter S Conway: I don't know what to use. 
[21:57] Peter S Conway: GRALFSHFA [21:57] Adam Gashlin: 'tisn't a good sign, it 'tisn't [21:57] Adam Gashlin: exactly what code do you use in PJ64 [21:57] Peter S Conway: void ExecuteInterpreterOpCode (void) { int c; if (PROGRAM_COUNTER==0x800022BC) { for (c=0xb7050; c < 0xb70ac; c+=4) ((DWORD*)N64MEM)[c/4]=0; for (c=0x6c36c; c < 0x6c3a4; c+=4) ((DWORD*)N64MEM)[c/4]=0; sprintf(SaveAsFileName,"race_start.pj"); Machine_SaveState(); } [21:59] Adam Gashlin: ok, now what are you using for your start location? [21:59] Peter S Conway: hold on - [22:01] Peter S Conway: i recall it gave me an error [22:02] Adam Gashlin: by the way, it's working for me [22:02] Peter S Conway: Can you batchrip something? [22:02] Peter S Conway: try a song [22:03] Peter S Conway: an error pops up saying Fix RDRAM size and then the game freezes [22:03] Adam Gashlin: uh [22:04] Adam Gashlin: go into the config, what is your memory size set as [22:04] Peter S Conway: 8mb [22:04] Adam Gashlin: change to 4mb [22:04] Adam Gashlin: foo [22:05] Peter S Conway: there [22:05] Peter S Conway: NOW something plays [22:06] Adam Gashlin: ok, set limits 18 to 18, uncheck "reset on new data read", and let it run through [22:08] Peter S Conway: i meant when a savestate is loaded [22:08] Peter S Conway: when a batchrip starts the thing freezes [22:09] Adam Gashlin: oh [22:09] Adam Gashlin: here, let me send a new version [22:09] Peter S Conway: hcs: I have to go now [22:09] Adam Gashlin: wtf? [22:09] Adam Gashlin: we're almost there! [22:10] Peter S Conway: But my parents are going to be pissed at me! [22:10] Peter S Conway: I stayed on an hour after I was supposed to get off! [22:10] Peter S Conway: But what the hell ;p [22:10] Adam Gashlin: seriously, a few minutes, you'll have it set to rip, then you can go to sleep [22:11] Peter S Conway: ok wheres the new version [22:11] Peter S Conway: just post a link [22:12] Adam Gashlin: did you get that? 
[22:12] Peter S Conway: brb [22:13] Peter S Conway: back [22:13] Peter S Conway: had to distract dad [22:13] Peter S Conway: anyways [22:13] Peter S Conway: now what [22:13] Peter S Conway: I got what you said [22:14] Peter S Conway: so now what [22:14] Adam Gashlin: download, compile, run [22:14] Peter S Conway: which version [22:15] Adam Gashlin: http://www.halleyscometsoftware.com/usf/usfpj64-batchripper3dkr.zip [22:17] Peter S Conway: 1 error, 23 warnings [22:17] Adam Gashlin: sigh [22:18] Adam Gashlin: what's the error [22:18] Peter S Conway: C:\Program Files\Pj64_usf\pj64_usf-dkr\CPU.c(1426) : error C2065: 'InR4300iCommandsWindow' : undeclared identifier [22:19] Peter S Conway: i shall comment that out [22:20] Adam Gashlin: make sure the active configuration is set to Project 64 - Win32 Release [22:21] Adam Gashlin: that's under build->set active configuration [22:21] Peter S Conway: done [22:22] Peter S Conway: still nothing [22:23] Peter S Conway: just hits 1 alist then stays there [22:24] Adam Gashlin: no sound? [22:24] Peter S Conway: let me try unchecking reset on new dataread [22:25] Adam Gashlin: if there's music playing and new data is being read then yeah, there won't be sound [22:25] Adam Gashlin: *the alist will stay at one [22:25] Adam Gashlin: what the hell am I saying [22:25] Peter S Conway: if you set the song value to 0, something starts [22:25] Adam Gashlin: did you run the registry patch I referred to in the tutorial [22:25] Adam Gashlin: ? [22:25] Peter S Conway: the regpatch? [22:25] Peter S Conway: no. [22:25] Adam Gashlin: yes [22:25] Peter S Conway: I haven't. 
[22:26] Adam Gashlin: well your configuration is probably off [22:26] Peter S Conway: how should I configure it [22:26] Adam Gashlin: just run the patch [22:26] Peter S Conway: i don't see a regpatch [22:26] Peter S Conway: oh [22:26] Peter S Conway: found it [22:27] Peter S Conway: done [22:28] Peter S Conway: there [22:28] Peter S Conway: something happened [22:29] Peter S Conway: i will do song 0x22, as it is one of the songs that is missing effects in the Generic Driver Rip by you [22:30] Adam Gashlin: do anything, just so you get something you can test in 64th Note [22:30] Adam Gashlin: disable the reset on new data so it'll be done quickly [22:30] Peter S Conway: rom is 56 kb, ram is 280 kb. [22:31] Peter S Conway: since the rom and ram are on an external harddisk, the command prompt won't work [22:31] Peter S Conway: so over to C you go [22:32] Peter S Conway: and nothing plays in 64th Note, drat [22:32] Adam Gashlin: psfpoint -_enablecompare=1 sparse00.usf [22:32] Adam Gashlin: or whatever [22:33] Peter S Conway: doesn't work with that either [22:33] Peter S Conway: I think we traced the wrong address [22:33] Peter S Conway: because the music wasn't playing slowly [22:33] Adam Gashlin: no, I don't think it would have made any decent sized save states [22:33] Adam Gashlin: what address did you use? [22:34] Peter S Conway: address as in what [22:34] Peter S Conway: song value or trace [22:34] Adam Gashlin: trace [22:34] Peter S Conway: 800022C4 [22:34] Adam Gashlin: ok [22:35] Peter S Conway: what do you think I should trace from [22:35] Adam Gashlin: that should be fine... [22:35] Peter S Conway: I'll give it a thousand extra alists [22:35] Adam Gashlin: no point [22:35] Peter S Conway: time to wait. [22:36] Adam Gashlin: which track did you try? [22:36] Peter S Conway: it "failed to open save state" [22:36] Adam Gashlin: because I just did it with 0x18 and it works [22:36] Adam Gashlin: in 64th note [22:37] Adam Gashlin: how did you run rom2usf? 
[22:37] Peter S Conway: rom2usf sparse22.rom sparse22.ram sparse22.usf [22:38] Peter S Conway: i tried track 22 [22:38] Peter S Conway: the battle arena theme [22:38] Adam Gashlin: works for me [22:39] Peter S Conway: let me try it [22:40] Peter S Conway: doesn't play [22:40] Adam Gashlin: go to settings, what plugins are you using? [22:41] Peter S Conway: vmaj adx file player v1.03 [22:41] Peter S Conway: Nullsoft CD/Linein v3.02 [22:41] Adam Gashlin: I mean in USF ripper [22:41] Peter S Conway: Oh [22:41] Peter S Conway: rsp = RSP emulation Plugin [22:41] Peter S Conway: graphics = Jabo's Direct3D7 1.40 [22:41] Peter S Conway: audio = Azimer's Audio v0.30 (Old Driver) [22:42] Adam Gashlin: for one thing that audio driver has to go [22:42] Adam Gashlin: I think I have an approved set of plugins [22:42] Peter S Conway: are they the ones in the url in the kig guide? [22:42] Adam Gashlin: look at the tutorial, use only those with the batch ripper [22:42] Adam Gashlin: aye [22:43] Adam Gashlin: Jabo's DirectSound 1.5 is what I have set here [22:43] Adam Gashlin: and it's a special RSP.dll but I think you have that [22:44] Peter S Conway: trying it again [22:45] Peter S Conway: if this works out you are the most ruxx0riffic person on earth. [22:45] Adam Gashlin: if all else fails I can rip it [22:45] Adam Gashlin: but I don't know what's wrong on your side... [22:45] Peter S Conway: all just failed. ;p [22:46] Peter S Conway: IM GONNA CUT THIS RIP TO PIECES [22:46] Peter S Conway: THIS IS MY LAST RESORT [22:46] Peter S Conway: (note lame song parody above) [22:46] Adam Gashlin: yes [22:46] Adam Gashlin: but only from weird al [22:46] Peter S Conway: now, how did you rip it [22:47] Adam Gashlin: http://www.halleyscometsoftware.com/usf/usfbatchplugindkr.zip [22:48] Peter S Conway: time to try it [22:48] Peter S Conway: there [22:48] Peter S Conway: it sounds like more is being traced [22:49] Adam Gashlin: mm, maybe you didn't have the right rsp plugin [22:49] Adam Gashlin: it should have a different name [22:50] Peter S Conway: can I put my name in the usfby? [22:50] Adam Gashlin: go ahead [22:50] Peter S Conway: oh yeah [22:50] Peter S Conway: when it hits 1000 alists the song crashes and burns [22:50] Adam Gashlin: hmm? [22:51] Adam Gashlin: is it working in 64th note? [22:51] Peter S Conway: because we only traced it for 1000 alists! :P [22:51] Peter S Conway: yes it is [22:51] Adam Gashlin: huzzah! [22:51] Peter S Conway: until it hits 1000 alists [22:51] Peter S Conway: THAT'S the only problem [22:51] Peter S Conway: let's try 2000 [22:51] Adam Gashlin: well, that's why you reenable "reset on new data" [22:51] Peter S Conway: ok [22:51] Peter S Conway: what will that do [22:52] Adam Gashlin: you just want to make sure everything's set right, the rip works and all before putting in all the time with the full rip [22:52] Adam Gashlin: it's a method of detecting when a song loops [22:52] Peter S Conway: when it hits previously traced data? 
[22:52] Adam Gashlin: the theory is that after it loops (or the track ends) nothing new will be read [22:52] Peter S Conway: so the 1000 alists is like the "I'm paranoid" option in PSFLab [22:52] Adam Gashlin: so you wait for x alists after nothing new is read and conclude that it's ripped [22:52] Adam Gashlin: no [22:53] Adam Gashlin: the I'm paranoid option is built in [22:53] Adam Gashlin: it's 128 [22:53] Adam Gashlin: you have to have some threshold [22:53] Adam Gashlin: look for #define PARANOIA [22:53] Peter S Conway: hold on [22:53] Peter S Conway: sparse22 should finish ripping soon [22:53] Adam Gashlin: yay [22:53] Peter S Conway: but the alist count keeps resetting after the song loops [22:54] Peter S Conway: oh [22:54] Peter S Conway: yeah [22:54] Peter S Conway: the thing varies a bit before it repeats [22:54] Adam Gashlin: there ya go [22:54] Adam Gashlin: the unflinching mechanical precision of the batch ripper is superior to your human senses [22:54] Peter S Conway: ;p [22:55] Adam Gashlin: I did LoZ manually, though [22:55] Adam Gashlin: on a 400 MhZ machine, listening for loop points [22:55] Peter S Conway: that must have been like whipping yourself with an axe [22:55] Peter S Conway: saving [22:56] Peter S Conway: OK [22:56] Peter S Conway: let's listen for any crash/burns [22:56] Peter S Conway: ahh who cares [22:56] Peter S Conway: I shall start mr. batchrip [22:57] Peter S Conway: ok [22:57] Peter S Conway: it has begun [22:58] Peter S Conway: in about half an hour it should be completed [22:58] Peter S Conway: you may add this log of the chat to the USF lecture series thread [22:58] Adam Gashlin: aw HELL no [22:58] Peter S Conway: ;p! [22:59] Peter S Conway: Who cares about THAT [22:59] Peter S Conway: The RIP is what's important [22:59] Adam Gashlin: aye [22:59] Peter S Conway: hopefully PdZ will move his generic driver rip tags over to their new home. 
[22:59] Peter S Conway: or I can just do that later [23:00] Peter S Conway: actually [23:00] Peter S Conway: I think I'll let someone else tag it [23:01] Peter S Conway: BEHOLD THE POWER OF BEING THE RIPPER [23:02] Peter S Conway: as for the dynamic music issue, I'll let it slide [23:02] Peter S Conway: as the sound test plays the songs like that [23:02] Peter S Conway: what do you say? [23:03] Adam Gashlin: that's the spirit! [23:04] Peter S Conway: 0x6/0x41 is done. [23:04] Peter S Conway: Hoorah whoopdedoo etc. [23:04] Peter S Conway: in the meantime, up goes the sample for dkr. [23:05] Peter S Conway: I made the readme. [23:05] Adam Gashlin: info.txt? [23:05] Peter S Conway: The filename will be NOT A README! ZOMG!.txt if it's ok with you [23:06] Adam Gashlin: whateve [23:06] Adam Gashlin: r [23:06] Peter S Conway: OK USF Lord [23:06] Peter S Conway: By the way, are you happy about this awesomezor new rip? [23:07] Adam Gashlin: I'm glad you were able to eventually get it [23:07] Adam Gashlin: the rip itself I don't care too much about [23:07] Peter S Conway: considering that I'm only 14 [23:07] Adam Gashlin: I haven't listened to the generic one yet, though [23:07] Peter S Conway: Try 22 real vs 22 generic [23:07] Peter S Conway: some effects are missing [23:08] Peter S Conway: thats why i wanted to do a rerip [23:08] Adam Gashlin: makes sense [23:09] Adam Gashlin: http://sinfest.net/d/20040720.html [23:09] Peter S Conway: 

by UNKNOWNFILE at 11:02 PM EDT on October 1, 2005
A sample is now up: Battle Arenas tune - now with boo boo ah ay ee ow effects! 
[23:10] Peter S Conway: lol [23:10] Peter S Conway: one asexual clown [23:10] Peter S Conway: and I think clowns sux ;p [23:11] Peter S Conway: anyways [23:11] Peter S Conway: I think this really did pay off [23:11] Peter S Conway: imagine, just one thread controlled gameplay [23:12] Peter S Conway: and video [23:12] Adam Gashlin: I doubt it controlled gameplay [23:12] Peter S Conway: if it did explain how come the opening titles don't advance [23:12] Adam Gashlin: sometimes if you kill the graphics the gameplay thread will hang waiting for the rendering [23:13] Peter S Conway: track 9 is ripping [23:13] Peter S Conway: i can't remember which one that was [23:13] Adam Gashlin: so do you think you'll be trying another game any time soon? [23:13] Peter S Conway: Maybe [23:13] Peter S Conway: this weekend there was no homework [23:13] Peter S Conway: so that's what made it easy [23:14] Peter S Conway: I bet you're swimming through piles of homework right now, eh, Adam? [23:14] Adam Gashlin: yeah, not [23:14] Peter S Conway: pff [23:14] Peter S Conway: hahaha [23:14] Adam Gashlin: I'm lazy and easily distracted [23:15] Peter S Conway: You sound like me. ;D [23:15] Peter S Conway: when all this is done, I'll post a rip in a usf directory [23:15] Peter S Conway: and you move it on over into the prelims directory [23:15] Peter S Conway: k? [23:16] Adam Gashlin: whatev [23:16] Peter S Conway: er [23:16] Adam Gashlin: so long as it's < 12 MB [23:16] Peter S Conway: i'm guessing it shant be much [23:16] Peter S Conway: right now it's on track 0x0a, which is one of my favorites. [23:17] Peter S Conway: I can't remember which one that was [23:17] Peter S Conway: but it was a stage in the Dino Domain [23:17] Peter S Conway: So how can I ever repay you for your help? 
[23:17] Adam Gashlin: by learning something :) [23:17] Peter S Conway: well I do know the basics now [23:18] Peter S Conway: I should find a couple more al games [23:18] Peter S Conway: before I move on to harder things [23:18] Adam Gashlin: mmm [23:18] Peter S Conway: harder things = any game you have given up hope on [23:18] Peter S Conway: not [23:18] Adam Gashlin: hey, if you can get DK64 working, more awesome to ya [23:19] Peter S Conway: I'm not too much of a coder, and the C programming classes don't start until grade 10 [23:19] Adam Gashlin: pshht [23:19] Adam Gashlin: never stopped [23:19] Adam Gashlin: me! [23:20] Adam Gashlin: I started writing Neon64 in MIPS assembler freshman year of high school [23:20] Peter S Conway: when did you first write 64th note? [23:20] Adam Gashlin: that didn't start 'till senior year [23:22] Adam Gashlin: might want to recall that for neon64 I also wrote the assembler [23:22] Peter S Conway: So you took up mips r43k assembly in highschool? [23:22] Adam Gashlin: yep [23:22] Peter S Conway: TEH AWESOMENESS! [23:22] Peter S Conway: *high fives* [23:22] Adam Gashlin: and hopefully you can, too [23:22] Adam Gashlin: or whatever year you're in [23:23] Peter S Conway: I shall take that into consideration [23:26] Peter S Conway: I'm naming the usflib diddykr to distinguish it from the generic driver rip [23:26] Adam Gashlin: ok [23:26] Peter S Conway: first thing - bathroom! [23:26] Peter S Conway: second thing: watch this go longer! [23:28] Peter S Conway: damn [23:28] Peter S Conway: that thing's been stuck on track d forever. [23:29] Peter S Conway: hopefully it moves on shortly [23:29] Peter S Conway: DAMN! [23:29] Peter S Conway: Fucking alist count keeps resetting! 
[23:29] Adam Gashlin: it is quite possible something is still going on in the background [23:29] Peter S Conway: it should finish shortly [23:30] Peter S Conway: there it hit 1000 alists [23:30] Peter S Conway: it is moving on to track e [23:30] Adam Gashlin: how many tracks? [23:30] Adam Gashlin: total? [23:30] Peter S Conway: there are 41 [23:30] Adam Gashlin: 0x41? [23:30] Peter S Conway: yes [23:30] Peter S Conway: that number is based on the # of tracks in the generic driver rip [23:30] Adam Gashlin: 'k [23:31] Adam Gashlin: I think that should handle everything [23:31] Adam Gashlin: what's your range set to? [23:31] Peter S Conway: track 0x2 to track 0x41 [23:31] Adam Gashlin: oh, make sure you delete the 1000 alist ones you made before [23:31] Peter S Conway: why [23:31] Peter S Conway: will they not be overwritten? [23:32] Adam Gashlin: I'm not sure [23:32] Adam Gashlin: it's best to be safe [23:32] Peter S Conway: done [23:33] Peter S Conway: damn I hate that cheesy country music guitar sound. [23:34] Adam Gashlin: I liked it in Banjo Kazooie [23:34] Peter S Conway: then again, I dislike country music [23:35] Peter S Conway: batch ripper is on track F [23:35] Peter S Conway: it's been almost a half hour since I started the batchrip [23:35] Adam Gashlin: you should see the ones that run at 10 fps [23:35] Peter S Conway: that must take hours [23:35] Adam Gashlin: ayep [23:35] Adam Gashlin: the goemon games were insane [23:36] Peter S Conway: Adam's Roommate: Come on! We have to get to a big test! [23:36] Adam Gashlin: took almost a day each [23:36] Peter S Conway: Adam: No! I have to finish this batchrip! [23:36] Adam Gashlin: well, you don't have to sit around while it runs [23:36] Peter S Conway: watch a movie [23:36] Adam Gashlin: and you can outsource [23:36] Adam Gashlin: want me to run half of them? [23:36] Peter S Conway: I think I'll be fine [23:36] Adam Gashlin: 'k [23:37] Peter S Conway: what is the clock and architecture of your CPU? 
[23:37] Peter S Conway: (mine is 3ghz Pentium 4 HT) [23:37] Adam Gashlin: 2.4 GHz Pentium IV [23:37] Adam Gashlin: yeah, I'm just under the HT thingy [23:37] Adam Gashlin: I can overclock up to 3 GHz, though [23:37] Adam Gashlin: I don't bother, though [23:37] Peter S Conway: I wouldn't overclock my CPU [23:38] Peter S Conway: as I don't want to have a firestart when I sleep [23:38] Adam Gashlin: ja

From there the rest of the game was ripped successfully. Now go rip some usfs!