Finding stuff using debuggers

bryc edited this page Dec 28, 2017 · 6 revisions

A quick test for debuggers:

Set breakpoint on: 8025C160: This seems to fire immediately before each individual calculation occurs.


Environment: With the EEPROM already initialized (without starting a file), we can catch an instance where the algorithm attempts to validate the stored checksum 32C9A1E6 in the EEPROM.

Set breakpoint on: 8033C040: V1 will contain 32C9A1E6

Project64d

Nemu64

Memory addresses (algorithm reads/writes) [Sep 1 2014]

Start and ending memory addresses accessed by the algorithm

0x803FFF00 - 0x803FFF78 - 120 B   # 1  first area accessed on boot
0x803A5C00 - 0x803A5C78 - 120 B   # 2
0x8002D700 - 0x8002D778 - 120 B   # 3
0x8023D780 - 0x8023D7F8 - 120 B   # 4   and 7?    - polls constantly at intro, main menu, etc
0x80283400 - 0x8028341C - 28 B    # 5   and 6?    - this is where the global 32 byte data section of EEPROM is.
0x80283400 - 0x8028341C - 28 B    # 6?            - this is where the global 32 byte data section of EEPROM is.
0x8023D780 - 0x8023D7F8 - 120 B   # 7?            - polls constantly at intro, main menu, etc
-------------------------------------
0x80383D20 - 0x80383D94 - 116 B     # MAIN MENU INIT #1    3 times
0x80383D98 - 0x80383E0C - 116 B     # MAIN MENU INIT #2    3 times
0x80383E10 - 0x80383E84 - 116 B     # MAIN MENU INIT #3    3 times
0x80383E88 - 0x80383EFC - 116 B
^ upon selecting Game #1... same goes for Game #2... "Selected" game slot?.. AND Game #3 --- FOUR TIMES then D94.... E0C... but NOT E84 (I picked game 3)

When saving the game... D94.. E84 then E84 again... then E84 again.. then D94

Update

Setting a breakpoint at 8025C160 will pause at each of these instances in sequence.

More notes

The initial checksum value is hardcoded and loaded like so:

8025C104 LUI     T6, 0x8F80
8025C108 LUI     T7, 0x3108
...
8025C120 ORI     T7, T7, 0xB3C1   ; hello 0x3108B3C1!
8025C124 ORI     T6, T6, 0x9F47   

Together the two registers form the 64-bit value 8F809F47 3108B3C1, but I have found that only 00000001 3108B3C1 is actually used: a single bit of the upper word is kept, so the algorithm has to be reproduced with 64-bit bitwise arithmetic.

8025C148 SW    T7, 0x004C (SP)   ; store T7 (3108B3C1) to the stack at SP+0x4C
31080000                         ; T7 after the LUI
3108B3C1                         ; T7 after the ORI

Other shit:

8033C050: XOR T8, T6, T7
8033C054: BEQ V1, T8, 0x8033C068 ; (V1 == T8) basically checking if the calculated checksum equals the stored one!
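As an added example (not from the wiki author), this Python script rebuilds the seed from the LUI/ORI pairs above by simulating what those two instructions do to a register, then applies the "only bit 0 of the upper word is used" observation and mirrors the XOR/BEQ comparison at 8033C050. The listing string is a constructed copy of the page's disassembly lines; the helper names and the `hi_mask` parameter are my own.

```python
import re

# Constructed copy of the disassembly lines quoted on this page (trailing comments allowed).
LISTING = """\
8025C104 LUI     T6, 0x8F80
8025C108 LUI     T7, 0x3108
8025C120 ORI     T7, T7, 0xB3C1   ; hello 0x3108B3C1!
8025C124 ORI     T6, T6, 0x9F47
"""

LUI_RE = re.compile(r"^[0-9A-Fa-f]{8}\s+LUI\s+(\w+),\s*0x([0-9A-Fa-f]{1,4})")
ORI_RE = re.compile(r"^[0-9A-Fa-f]{8}\s+ORI\s+(\w+),\s*(\w+),\s*0x([0-9A-Fa-f]{1,4})")


def recover_constants(listing):
    """Walk the listing in order and simulate LUI (imm << 16) and ORI (rs | imm).

    Returns a dict of register name -> 32-bit value after the last instruction
    that wrote it, so split LUI/ORI constants come out whole.
    """
    regs = {}
    for line in listing.splitlines():
        m = LUI_RE.match(line)
        if m:
            regs[m.group(1)] = (int(m.group(2), 16) << 16) & 0xFFFFFFFF
            continue
        m = ORI_RE.match(line)
        if m:
            rd, rs, imm = m.group(1), m.group(2), int(m.group(3), 16)
            regs[rd] = (regs.get(rs, 0) | imm) & 0xFFFFFFFF
    return regs


def initial_checksum(regs, hi="T6", lo="T7", hi_mask=0x1):
    """Combine upper (T6) and lower (T7) words into the 64-bit seed.

    hi_mask=0x1 keeps only bit 0 of the upper word, the part the page found
    to actually matter; pass 0xFFFFFFFF to see the raw 8F809F47 3108B3C1 pair.
    """
    return ((regs[hi] & hi_mask) << 32) | regs[lo]


def passes_check(t6, t7, v1):
    """Mirror of 8033C050/8033C054: T8 = T6 ^ T7, branch taken when V1 == T8."""
    t8 = (t6 ^ t7) & 0xFFFFFFFFFFFFFFFF
    return t8 == v1
```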

Other code locations:

8025C20C, 8025C1B0