[Stage one complete, updated 9.6] (English, partial translation) DS cheat code instruction tables, with a walk-through-walls code analysed as an example

Posted on 2011-8-30 16:50:52
Original source

Only the AR and CB instruction-table parts are reposted here. What is an instruction table? It is the manual for cheat commands: it tells you what operations a given cheat line performs.

Action Replay DS

Description

The first commercial DS cheat code solution, this device was developed by Datel. It supports swapping out cartridges after loading the AR software. For updating, the user may either manually enter codes or use the included proprietary USB cable that comes with the device. The user has been able to manually update codes since firmware version 1.52.

Code Types

Type Description

Constant RAM Writes

Type 0x00
32-bit
0XXXXXXX YYYYYYYY
Writes word YYYYYYYY to [XXXXXXX+offset].
Type 0x01
16-bit
1XXXXXXX 0000YYYY
Writes halfword YYYY to [XXXXXXX+offset].
Type 0x02
8-bit
2XXXXXXX 000000YY
Writes byte YY to [XXXXXXX+offset].

Conditional 32-Bit Code Types

Type 0x03
Greater Than
3XXXXXXX YYYYYYYY
Checks if YYYYYYYY> (word at [XXXXXXX])
If not, the code(s) following this one are not executed (ie. execution status is set to false) until a code type D0 or D2 is encountered, or until the end of the code list is reached.
Type 0x04
Less Than
4XXXXXXX YYYYYYYY
Checks if YYYYYYYY < (word at [XXXXXXX]).
If not, the code(s) following this one are not executed (ie. execution status is set to false) until a code type D0 or D2 is encountered, or until the end of the code list is reached.
Type 0x05
Equal To
5XXXXXXX YYYYYYYY
Checks if YYYYYYYY == (word at [XXXXXXX]).
If not, the code(s) following this one are not executed (ie. execution status is set to false) until a code type D0 or D2 is encountered, or until the end of the code list is reached.
Type 0x06
Not Equal To
6XXXXXXX YYYYYYYY
Checks if YYYYYYYY != (word at [XXXXXXX]).
If not, the code(s) following this one are not executed (ie. execution status is set to false) until a code type D0 or D2 is encountered, or until the end of the code list is reached.

Conditional 16-Bit + Masking RAM Writes

Type 0x07
Greater Than
7XXXXXXX ZZZZYYYY
Checks if (YYYY) > (not (ZZZZ) & halfword at [XXXXXXX]).
If not, the code(s) following this one are not executed (ie. execution status is set to false) until a code type D0 or D2 is encountered, or until the end of the code list is reached.
Type 0x08
Less Than
8XXXXXXX ZZZZYYYY
Checks if (YYYY) < (not (ZZZZ) & halfword at [XXXXXXX]).
If not, the code(s) following this one are not executed (ie. execution status is set to false) until a code type D0 or D2 is encountered, or until the end of the code list is reached.
Type 0x09
Equal To
9XXXXXXX ZZZZYYYY
Checks if (YYYY) == (not (ZZZZ) & halfword at [XXXXXXX]).
If not, the code(s) following this one are not executed (ie. execution status is set to false) until a code type D0 or D2 is encountered, or until the end of the code list is reached.
Type 0x0A
Not Equal To
AXXXXXXX ZZZZYYYY
Checks if (YYYY) != (not (ZZZZ) & halfword at [XXXXXXX]).
If not, the code(s) following this one are not executed (ie. execution status is set to false) until a code type D0 or D2 is encountered, or until the end of the code list is reached.

Offset Codes

Type 0x0B
Load offset
BXXXXXXX 00000000
Loads the 32-bit value into the 'offset'.
Offset = word at [0XXXXXXX + offset].
Type 0xD3
Set offset
D3000000 XXXXXXXX
Sets the offset value to XXXXXXXX.
Type 0xDC
Set offset
DC000000 XXXXXXXX
Adds an offset to the current offset. (Dual Offset)

Loop Code

Type 0x0C
C0000000 YYYYYYYY
This sets the 'Dx repeat value' to YYYYYYYY and saves the 'Dx next code to be executed' and the 'Dx execution status'. Repeat will be executed when a D1/D2 code is encountered.
When repeat is executed, the AR reloads the 'next code to be executed' and the 'execution status' from the Dx registers.

Special Codes

Type 0xD0
Terminator
D0000000 00000000
Loads the previous execution status. If none exists, the execution status stays at 'execute codes'.
Type 0xD1
Loop execute variant
D1000000 00000000
Executes the next block of codes 'n' times (specified by the 0x0C code type), but doesn't clear the Dx register upon completion.
Type 0xD2
Loop Execute Variant/ Full Terminator
D2000000 00000000
Executes the next block of codes 'n' times (specified by the 0x0C code type), and clears all temporary data (i.e. execution status, offsets, code C settings, etc.).
This code can also be used as a full terminator, giving the same effects to any block of code.

Data Register Codes

Type 0xD4
Add Value
D4000000 XXXXXXXX
Adds 'XXXXXXXX' to the data register used by code types 0xD6 - 0xDB.
More arithmetical/logical operations can be set using the 'NDS AR HACK #2'.
Type 0xD5
Set Value
D5000000 XXXXXXXX
Set 'XXXXXXXX' to the data register used by code types 0xD6 - 0xD8.
Type 0xD6
32-Bit Incrementive Write
D6000000 XXXXXXXX
Writes the 'Dx data' word to [XXXXXXXX+offset], and increments the offset by 4.
Type 0xD7
16-Bit Incrementive Write
D7000000 XXXXXXXX
Writes the 'Dx data' halfword to [XXXXXXXX+offset], and increments the offset by 2.
Type 0xD8
8-Bit Incrementive Write
D8000000 XXXXXXXX
Writes the 'Dx data' byte to [XXXXXXXX+offset], and increments the offset by 1.
Type 0xD9
32-Bit Load
D9000000 XXXXXXXX
Loads the word at [XXXXXXXX+offset] and stores it in the 'Dx data register'.
Type 0xDA
16-Bit Load
DA000000 XXXXXXXX
Loads the halfword at [XXXXXXXX+offset] and stores it in the 'Dx data register'.
Type 0xDB
8-Bit Load
DB000000 XXXXXXXX
Loads the byte at [XXXXXXXX+offset] and stores it in the 'Dx data register'.
This is a bugged code type. Check 'AR Hack #0' for the fix.

Miscellaneous Memory Manipulation Codes

Type 0x0E
Patch Code
EXXXXXXX YYYYYYYY
Copies YYYYYYYY bytes from (current code location + 8) to [XXXXXXXX + offset].
Type 0x0F
Memory Copy Code
FXXXXXXX YYYYYYYY
Use code type D3, DC or B beforehand to set the offset. D2 should be used to clear the offset after the code.
D3000000 XXXXXXXX
FYYYYYYY ZZZZZZZZ
This should copy ZZZZZZZZ bytes from offset (=XXXXXXXX in this case) to YYYYYYYY. (YYYYYYYY is fixed; no offsets are added to it.)



Code Hacks


The following codes modify the AR code handler. As they write to a fixed address, they are not compatible with any game that uses an 'M' code (since the 'M' code changes the location of the code handler in memory).
Type Description
Hack #0
0xDB Code Type Fix
023FE4D8 0A000003
Fixes a bug in the Action Replay Code Handler.
Hack #1 - Offset Support for Conditionals
Offset support:
023FE20C E5933000
No offset support
023FE20C E5903000
For code type 0x03
Offset support:
023FE224 E5933000
No offset support:
023FE224 E5903000
For code type 0x04
Offset support:
023FE23C E5933000
No offset support:
023FE23C E5903000
For code type 0x05
Offset support:
023FE254 E5933000
No offset support:
023FE254 E5903000
For code type 0x06
Offset Support:
023FE26C E1D320B0
023FE270 E1E03004
No offset support:
023FE26C E1E03004
023FE270 E1D020B0
For code type 0x07
Offset Support:
023FE290 E1D320B0
023FE294 E1E03004
No offset support:
023FE290 E1E03004
023FE294 E1D020B0
For code type 0x08
Offset Support:
023FE2B4 E1D320B0
023FE2B8 E1E03004
No offset support:
023FE2B4 E1E03004
023FE2B8 E1D020B0
For code type 0x09
Offset Support:
023FE2D8 E1D320B0
023FE2DC E1E03004
No offset support:
023FE2D8 E1E03004
023FE2DC E1D020B0
For code type 0x0A
Offset Support:
C0000000 00000003
023FE20C E5933000
DC000000 00000018
D2000000 00000000
No offset support:
C0000000 00000003
023FE20C E5903000
DC000000 00000018
D2000000 00000000
For code types 0x03 - 0x06 all at once.
Offset Support:
C0000000 00000003
023FE26C E1D320B0
023FE270 E1E03004
DC000000 00000024
D2000000 00000000
No offset Support:
C0000000 00000003
023FE26C E1E03004
023FE270 E1D020B0
DC000000 00000024
D2000000 00000000
For code types 0x07 - 0x0A all at once.
Hack #2 - ORR/AND/ADD Codes
023FE424 E1833004 Makes the D4 code type execute an 'ORR' instruction.
023FE424 E0033004 Makes the D4 code type execute an 'AND' instruction.
023FE424 E0833004 Makes the D4 code type execute an 'ADD' instruction.
Hack #3 - Add Dx Data to Offset Codes
023FE424 E08AA003 This code changes the D4 code type to make it add the Dx Data to the offset.
It could be useful if the game's pointer's offset changes.
Hack #4 - Execute Custom ASM Routines
023FE074 012FFF11 This code changes the 0x0E code type to make it execute the data entered by the hacker.
023FE074 E3520003 Reverts code type 0x0E to normal
023FE074 012FFF11
EXXXXXXX 00000010
AAAAAAAA BBBBBBBB
CCCCCCCC E12FFF1E

When the E code type is encountered, the code handler will jump to and execute (ie. bx to) the AAAAAAAA, BBBBBBBB, CCCCCCCC and E12FFF1E instructions (meaning the instructions must be in ARM, not THUMB).
To learn more read the ARM9 Assembly section.







Codebreaker DS


Description


This is Pelican's entry into the DS cheat-device industry. It supports swapping out the cartridges and also gives the user the option of connecting another game card onto it. For updating, the user may either manually enter codes or use WiFi to connect to a computer running the Codebreaker software.

Code Types

Type Description
Auto-Game Recognizers
Type 0x00
With Encryption
0000YYYY XXXXXXXX
YYYY = Game's Header CRC16
XXXXXXXX = Game's Nintendo ID
Type 0x08
Without Encryption
8000YYYY XXXXXXXX
YYYY = Game's Header CRC16
XXXXXXXX = Game's Nintendo ID
Constant RAM-Write Codes
Type 0x00
8-Bit
0XXXXXXX 000000YY
XXXXXXX = Address to be written to
YY = Byte to be written
Type 0x10
16-Bit
1XXXXXXX 0000YYYY
XXXXXXX = Address to be written to
YYYY = Halfword to be written
Type 0x20
32-Bit
2XXXXXXX YYYYYYYY
XXXXXXX = Address to be written to
YYYYYYYY = Word to be written
Increment/Decrement Codes
Type 0x30
8/16-Bit
3XXXXXXX 000UYYYY
XXXXXXX = Address to be written to
U = Bit-type Write, 0 for 8-Bit and 1 for 16-Bit
YYYY = Halfword/Byte to be written
Type 0x38
32-Bit
3XXXXXXX YYYYYYYY
XXXXXXX = Address to be written to
YYYYYYYY = Word to be written
Serial Repeat Constant Write (Slider) Code
Type 0x40
Slider
4XXXXXXX TWWWZZZZ
YYYYYYYY VVVVVVVV
XXXXXXX = Address to be written to
T = Bit-type Write, 0 for 32-Bit, 1 for 16-Bit and 2 for 8-Bit
WWW = Number of times to repeat
ZZZZ = Increase Address by (Multiply by data size (1 << (2 - T)))
YYYYYYYY = Word to be written
VVVVVVVV = Increase Value by
Memory Copy Code
Type 0x50
Copy Bytes
5XXXXXXX YYYYYYYY
ZZZZZZZZ 00000000
XXXXXXX = Address to be copied to
YYYYYYYY = Number of Bytes to copy
ZZZZZZZZ = Address to copy from
Pointer
Type 0x60
Copy Bytes
6XXXXXXX YYYYYYYY
ZZZZZZZZ BCTUVVVV
XXXXXXX = Pointer Address
YYYYYYYY = Word/Halfword/Byte to be written
ZZZZZZZZ = Offset to add to the Pointer Address
B = Bit-type Write, 0 for 8-bit, 1 for 16-Bit, and 2 for 32-Bit
C = Condition Enabled, 0 for disabled, 1 for enabled
T = Condition type to check against VVVV [0 is ==, 1 is !=, 2 is <, 3 is >, 4 is == and == 0000, 4-7 follow the pattern set by 0-3]
U = Bit-type Load, 0 for 8-Bit, and 1 for 16-Bit
VVVV = Halfword/Byte to check against
8/16-Bit Special Bitwise Write
Type 0x70
7XXXXXXX 00TBYYYY
XXXXXXX = Address to be written to
YYYY = Halfword/Byte to be written
T = Operation type, 0 for OR, 1 for AND, 2 for XOR
B = Bit-type Write, 0 for 8-Bit, and 1 for 16-Bit
32-Bit Write On Bootup-Hooks
Type 0xA0
Hook 1
AXXXXXXX YYYYYYYY
XXXXXXX = Address to be written to
YYYYYYYY = Word to be written
Type 0xA8
Hook 2
AXXXXXXX YYYYYYYY
XXXXXXX = Address to be written to
YYYYYYYY = Word to be written
Conditional Codes
Type 0xD0
16-Bit
DXXXXXXX ZZTUYYYY
ZZ = Lines to skip, 00 means 01 by default
XXXXXXX = Pointer Address
YYYY = Word/Halfword/Byte to be written
T = Condition type to check against VVVV [0 is ==, 1 is !=, 2 is <, 3 is >, 4 is == and == 0000, 4-7 follow the pattern set by 0-3]
U = Bit-type Load, 0 for 16-Bit, and 1 for 8-Bit
VVVV = Halfword/Byte to check against
Enable Code-Hooks
Type 0xF8
Hook 2
FXXXXXXX TYYYYYYY
XXXXXXX = Hook Address
T = Type of Hook to use. See the CBDS Master Code section for more info
YYYYYYY = Cheat Engine Address





Using CBDSCrypt

(This is an encryption tool; omitted.)


War, this daughter of imperialism, whirls across the world like a spectre. (Mayakovsky)

OP | Posted on 2011-9-1 14:10:59
Download for Ideas, an NDS emulator that can debug: http://www.ideasemu.biz/ . Note that after loading the ROM you need to press the small triangular arrow to start emulation.

You also need to get a grip on some reference material:
AR NDS Codes Type Information
By kenobi.

Before starting :
=================

Compared to other AR (like the NGC or GBA ones) the NDS AR code handler offers a
lot of changes.

* First, the NDS AR doesn't wait to encounter a '00000000 00000000' code to stop
the code execution. It knows how many codes have been entered and enabled,
and only stops when all of them have been processed.

* Second, the NDS AR uses temporary data. There are 3 kinds of them :
- The first one is what I'll call the offset, which is a 32-bit value usually
added to the address of the code.
- The second one is what I'll call the Dx registers. They are four 32-bit values, stored
before the code list, which the AR uses to store/load data. I call them
'Dx repeat value', 'Dx next code to be executed', 'Dx code status' and 'Dx data'.
- Finally, there is the 'code execution status', which is a 32-bit value that
tells the AR if a code can be executed, or can be skipped. This code execution
status is changed by the 'if' codes.

* Third, the NDS AR uses some kind of 'while... end' code type, which opens a
lot of new ways to make codes.

Roughly, this means: compared with the GBA, NDS Action Replay codes have the following improvements:
   1. No 00000000 00000000 terminator code is needed; the device knows where the cheat ends.
   2. NDS codes use some temporary data (like variables in programming, used to hold data temporarily):
      - Offset: a 32-bit value (usually used to store a memory address, i.e. a pointer)
      - Dx registers: four 32-bit values stored before the code list, called 'Dx repeat value', 'Dx next code to be executed', 'Dx code status' and 'Dx data' respectively
      - Code execution status: decides whether an instruction is executed or skipped. A 32-bit value that can be changed by the "if" commands.
   3. Conditional instructions are allowed, not just straight-line sequences. This makes cheat codes much richer.


As an example, the US Diamond/Pearl walk-through-walls code:
B21C5A08 00000000
DA000000 0000210C
D3000000 00000000
D7000000 023FCC00
D2000000 00000000
923FCC00 0000001E
B21C5A08 00000000
2000210C 0000000E
D2000000 00000000
B21C5A08 00000000
DA000000 0000210C
D3000000 00000000
D7000000 023FCC04
D2000000 00000000
923FCC04 0000001F
B21C5A08 00000000
2000210C 0000000F
D2000000 00000000
B21C5A08 00000000
DA000000 0000210C
D3000000 00000000
D7000000 023FCC08
D2000000 00000000
923FCC08 0000001C
B21C5A08 00000000
2000210C 0000000C
D2000000 00000000
B21C5A08 00000000
DA000000 0000210C
D3000000 00000000
D7000000 023FCC0C
D2000000 00000000
923FCC0C 0000001D
B21C5A08 00000000
2000210C 0000000D
D2000000 00000000


Dizzying to look at, isn't it? What do these codes mean, and how do they take effect?
There seem to be several near-identical segments in it, so it looks like we should consider it segment by segment. But first let's try analysing a few lines.
OP | Posted on 2011-9-1 14:16:49
Let's analyse line by line first:
The first two lines (AR code):
B21C5A08 00000000
DA000000 0000210C

Looking it up in the table, the first line starts with B, so it belongs to
Type 0x0B: Load offset
BXXXXXXX 00000000    Loads the 32-bit value into the 'offset'.
Offset = word at [0XXXXXXX + offset].

  B21C5A08 00000000 thus takes the 32-bit value stored at 0x021C5A08h and uses it as the offset (that is, this address holds the dynamic memory offset) (the trailing 00000000 is required by the format).
  Looking at the value at 0x021C5A08h in the memory viewer, it does hold an address as 32 bits (eight consecutive digits starting with 02, with some zeros beside them, quite conspicuous); this is the pointer to the dynamic memory address. For example, right now mine is 0228fc78h.

    Line two, DA000000 0000210C; from the table: Type 0xDA  16-Bit Load
    DA000000 XXXXXXXX    Loads the halfword at [XXXXXXXX+offset] and stores it in the 'Dx data register'.
    That is, add 210Ch to the offset just loaded, use the sum as the address, read the 16-bit data there and store it in the register. The register now holds the data at [0228fc78h+210Ch]=[02291D84h].

Lines three and four:
D3000000 00000000
D7000000 023FCC00

Line three: from the table, it belongs to
Type 0xD3  :Set offset
D3000000 XXXXXXXX    Sets the offset value to XXXXXXXX.
D3000000 00000000 thus sets the offset to 00000000; the offset is cleared.

Line four: from the table, it belongs to
Type 0xD7: 16-Bit Incrementive Write
D7000000 XXXXXXXX    Writes the 'Dx data' halfword to [XXXXXXXX+offset], and increments the offset by 2.

D7000000 023FCC00
That is, take the value just stored in the register, write it to 023FCC00+0h, then add 2 to the offset, making it 02h.
At this point it is a bit puzzling.
OP | Posted on 2011-9-1 14:48:46
D2000000 00000000
923FCC00 0000001E

Line five:
D2000000 00000000

Belongs to Type 0xD2: Loop Execute Variant / Full Terminator
D2000000 00000000    Executes the next block of codes 'n' times (specified by the 0x0C code type), and clears all temporary data (i.e. execution status, offsets, code C settings, etc.).
This code can also be used as a full terminator, giving the same effects to any block of code.
    This type has two functions: first, execute the next block of instructions n times, with n set by a type 0x0C code, and clear all temporary data (execution status, offset, C-code settings, etc.); or, second, serve as the marker that ends a loop.
    Type 0x0C is C0000000 YYYYYYYY, which does not appear anywhere in this code, so this is not the "execute the next block n times" case.
    Nor is there any loop-start marker before it, so it is not a loop terminator either. So my guess is that this line does nothing.
    Tested: with this line removed, the code still works normally.

Line six:
923FCC00 0000001E

Belongs to: Type 0x09: Equal To
9XXXXXXX ZZZZYYYY    Checks if (YYYY) == (not (ZZZZ) & halfword at [XXXXXXX]).
If not, the code(s) following this one are not executed (ie. execution status is set to false) until a code type D0 or D2 is encountered, or until the end of the code list is reached.
     That is, if the halfword at 0x023FCC00 equals 0x001Eh, execute the following instructions; otherwise do not. (Here ZZZZ=0000, so not(ZZZZ)=1111. & is bitwise AND; any halfword ANDed with 1111 is unchanged.) "Following" means from the instruction after this one until a type D0 or D2 terminator appears. This line starts a conditional.
     Type D0 code: D0000000 00000000
     Type D2 code: D2000000 00000000
     Looking further down, we find that line nine is type D2. That is the conditional's terminator.
OP | Posted on 2011-9-2 14:20:20
Lines seven and eight:
B21C5A08 00000000
2000210C 0000000E

Line seven belongs to: Type 0x0B: Load offset
BXXXXXXX 00000000    Loads the 32-bit value into the 'offset'.
Offset = word at [0XXXXXXX + offset].

B21C5A08 00000000 = load (??) the 32-byte value into the offset (here the offset equals 0x021c5a08+02h)

Line eight, Type 0x02: 8-bit
2XXXXXXX 000000YY    Writes byte YY to [XXXXXXX+offset].
2000210C 0000000E = write 0Eh to [offset+210Ch] (isn't that 02000210Ch?)


D2000000 00000000
B21C5A08 00000000
Line nine is again D2000000 00000000, i.e. the terminator of the preceding conditional; the purpose of this instruction is clear.


Line ten, B21C5A08 00000000, belongs to Type 0x0B: Load offset
BXXXXXXX 00000000    Loads the 32-bit value into the 'offset'.
Offset = word at [0XXXXXXX + offset].
Same as line one; it repeats.
OP | Posted on 2011-9-2 18:04:46
Then, looking at the code, we find it is very regular. Re-laid-out, it is:

B21C5A08 00000000
DA000000 0000210C
D3000000 00000000
D7000000 023FCC00

D2000000 00000000

923FCC00 0000001E
B21C5A08 00000000
2000210C 0000000E
D2000000 00000000
  

-------------------------------------------------------

B21C5A08 00000000
DA000000 0000210C
D3000000 00000000
D7000000 023FCC04

D2000000 00000000

923FCC04 0000001F
B21C5A08 00000000
2000210C 0000000F
D2000000 00000000

-------------------------------------------------------

B21C5A08 00000000
DA000000 0000210C
D3000000 00000000
D7000000 023FCC08

D2000000 00000000

923FCC08 0000001C
B21C5A08 00000000
2000210C 0000000C
D2000000 00000000

-------------------------------------------------------
  

B21C5A08 00000000
DA000000 0000210C
D3000000 00000000
D7000000 023FCC0C

D2000000 00000000

923FCC0C 0000001D
B21C5A08 00000000
2000210C 0000000D
D2000000 00000000


       Aren't there four almost identical segments? I marked the differences in red.
       First, as with line four, there are four repeated useless D2000000 00000000 lines; by experiment, removing them has no effect at all. So let's just remove them.
       Why are there four identical segments? A natural thought: walking through walls has four directions.
OP | Posted on 2011-9-2 20:24:52
So I tested by deleting one segment at a time, and indeed that is the case: each of the four near-identical segments controls one direction. As follows (the useless lines have been deleted, as in everything below):
(The segment below controls the left side; delete it and you cannot pass through walls on the left
B21C5A08 00000000
DA000000 0000210C
D3000000 00000000
D7000000 023FCC00


923FCC00 0000001E
B21C5A08 00000000
2000210C 0000000E
D2000000 00000000

(controls the ... side)
B21C5A08 00000000
DA000000 0000210C
D3000000 00000000
D7000000 023FCC04

923FCC04 0000001F
B21C5A08 00000000
2000210C 0000000F
D2000000 00000000

(controls the ... side)
B21C5A08 00000000
DA000000 0000210C
D3000000 00000000
D7000000 023FCC08

923FCC08 0000001C
B21C5A08 00000000
2000210C 0000000C
D2000000 00000000

(controls the ... side)
B21C5A08 00000000
DA000000 0000210C
D3000000 00000000
D7000000 023FCC0C

923FCC0C 0000001D
B21C5A08 00000000
2000210C 0000000D
D2000000 00000000

Now we only need to re-analyse the first eight lines carefully:

B21C5A08 00000000
DA000000 0000210C
D3000000 00000000
D7000000 023FCC00
923FCC00 0000001E
B21C5A08 00000000
2000210C 0000000E
D2000000 00000000
Line numbers below refer to the lines after the useless code has been removed.
OP | Posted on 2011-9-2 21:53:33
1. Lines four and five both operate on the address 0x023FCC00h. Looking in the memory viewer, only this byte is non-zero, with lots of zeros around it. So I guessed that the author is just borrowing blank memory here to hold data temporarily, and changing it would do no harm. Changing D7000000 023FCC00 923FCC00 0000001E to D7000000 023FCC10 923FCC10 0000001E works perfectly, confirming this hypothesis.

    Moreover, if it is changed to D7000000 023FCC00 923FCC10 0000001E, walking through walls to the left no longer works. Now the data at 023FCC00h in memory differs from that at 023FCC10h. When walking through works, both values are 1Eh while passing through, meaning passing to the left. After the change, the data at 023FCC00h is still 1Eh, but the data at 023FCC10h has changed. Rather than changing it back, I manually set the data at 023FCC10h to 1Eh, and found that whichever direction key is pressed, the player walks through walls to the left the whole way.
    What does this tell us?
    It tells us that after the change, the address 023FCC00h stores the data that was read out, e.g. the tile on the left, while the data at 023FCC10h is what gets written back into the memory that should be written, and is used for the check.
    Cross-checking back, we can now write some pseudocode.

B21C5A08 00000000     <-- get the dynamic memory pointer from 021C5A08 and store it in the offset
DA000000 0000210C   
D3000000 00000000
D7000000 023FCC00    <-- take the value out of the register and stash it at memory address 0x023FCC00h (in practice this is which key the player pressed, and whether the corresponding direction is passable; all of this is represented in one byte)
923FCC00 0000001E    <-- if the value at address 0x023FCC00h is 1E, execute the next two lines. (If it is 1E, this way is blocked, so overwrite it manually)
B21C5A08 00000000    <-- get the dynamic memory pointer from 021C5A08 again and store it in the offset (re-read in case the memory address has changed during execution; the author is quite careful)
2000210C 0000000E     <-- this line makes the game think the left side is passable
D2000000 00000000     <-- end of the conditional (equivalent to end if)

        From lines 1 and 4 we can deduce the meaning of lines 2 and 3: they fetch the player's key press, and/or the actual tile on the left, and/or whether this spot is passable; in any case the game represents all of these in one byte, stored at the memory address [021C5A08h]+210Ch. But it may be read and written many times, with a different meaning each time. For example, when the player presses a key, a value is written to it meaning "walking left"; after reading the map layer the game learns what tile is on the left, then decides whether it is passable and stores the value in this address, according to the following mapping:
       According to the cheat code, byte values 0Ch, 0Dh, 0Eh, 0Fh correspond to walking up, down, left, right respectively and being able to pass;
       byte values 1Ch, 1Dh, 1Eh, 1Fh correspond to walking up, down, left, right respectively and not being able to pass.
       Finally, the game uses this value to operate on the player's sprite: if passable, move left; if not, bump in place.
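As an added example (not the thread's or Datel's code), a small Python model of the AR DS code types this thread uses (0x0B, 0xD3, 0xDA, 0xD7, 0x02, 0x09, 0xD2) with semantics taken from the instruction table in the first post, run over the full 36-line Diamond/Pearl code against constructed RAM. The pointer value 0x0228FC78 is the one reported in the posts above; the movement byte at [pointer + 0x210C] is seeded with a constructed value, and the four code blocks are generated from the three values in which they differ.

```python
OFFSET_POINTER = 0x021C5A08   # address holding the dynamic-memory pointer (from the code)
DYN_BASE = 0x0228FC78         # pointer value the poster saw; used here as a constructed sample

class ARDS:
    """Subset of the AR DS handler: 'offset', the 'Dx data' register and the execution status."""
    def __init__(self):
        self.mem = {}           # sparse byte-addressed RAM; unset bytes read as 0
        self.offset = 0
        self.data = 0           # 'Dx data' register (code types D6-DB)
        self.exec_ok = True     # 'code execution status', toggled by the 'if' codes

    def read(self, addr, size):
        return int.from_bytes(bytes(self.mem.get(addr + i, 0) for i in range(size)), "little")

    def write(self, addr, size, value):
        for i, b in enumerate((value & ((1 << 8 * size) - 1)).to_bytes(size, "little")):
            self.mem[addr + i] = b

    def run(self, codes):
        for hi, lo in codes:
            top = hi >> 24
            t = top if top >> 4 == 0xD else top >> 4    # D0-DC are told apart by the whole byte
            if t in (0xD0, 0xD2):                       # terminators run even inside a failed 'if'
                self.exec_ok = True
                if t == 0xD2:                           # full terminator also clears temporaries
                    self.offset = self.data = 0
                continue
            if not self.exec_ok:                        # skipped until a D0/D2 is reached
                continue
            addr = hi & 0x0FFFFFFF
            if t == 0x0B:                               # offset = word at [addr + offset]
                self.offset = self.read(addr + self.offset, 4)
            elif t == 0xD3:                             # offset = XXXXXXXX
                self.offset = lo
            elif t == 0xDA:                             # data = halfword at [XXXXXXXX + offset]
                self.data = self.read(lo + self.offset, 2)
            elif t == 0xD7:                             # halfword [XXXXXXXX + offset] = data; offset += 2
                self.write(lo + self.offset, 2, self.data)
                self.offset += 2
            elif t == 0x02:                             # byte [addr + offset] = YY
                self.write(addr + self.offset, 1, lo)
            elif t == 0x09:                             # if YYYY != (~ZZZZ & halfword [addr]) skip; no offset
                if (lo & 0xFFFF) != (~(lo >> 16) & 0xFFFF & self.read(addr, 2)):
                    self.exec_ok = False
            else:
                raise NotImplementedError(f"code type {t:#x} not modelled")

def wall_block(scratch, blocked, passable):
    """One 9-line block of the Diamond/Pearl code; the four blocks differ only in these values."""
    return [(0xB21C5A08, 0x00000000),          # offset = [0x021C5A08]
            (0xDA000000, 0x0000210C),          # data = halfword at [offset + 0x210C]
            (0xD3000000, 0x00000000),          # offset = 0
            (0xD7000000, scratch),             # [scratch] = data; offset += 2
            (0xD2000000, 0x00000000),          # the D2 the poster found to be removable
            (0x90000000 | scratch, blocked),   # if halfword [scratch] == blocked
            (0xB21C5A08, 0x00000000),          #   reload the pointer into offset
            (0x2000210C, passable),            #   byte [offset + 0x210C] = passable
            (0xD2000000, 0x00000000)]          # end if

FULL_CODE = (wall_block(0x023FCC00, 0x1E, 0x0E) + wall_block(0x023FCC04, 0x1F, 0x0F)
             + wall_block(0x023FCC08, 0x1C, 0x0C) + wall_block(0x023FCC0C, 0x1D, 0x0D))

def simulate(move_byte, pointer=DYN_BASE):
    """Run the whole code on constructed RAM and return the movement byte afterwards."""
    ar = ARDS()
    ar.write(OFFSET_POINTER, 4, pointer)          # [0x021C5A08] = pointer
    ar.write(pointer + 0x210C, 1, move_byte)      # the game's direction/collision byte
    ar.run(FULL_CODE)
    return ar.read(pointer + 0x210C, 1)
```

Each "blocked" value 1Ch-1Fh is rewritten to its "passable" counterpart 0Ch-0Fh, and any other value passes through unchanged, which is exactly the mapping the last post derives.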