Patch Nes Rom With Vcdiff
Creating a NES Patch Loader
July 14, 2018

Arbitrary code execution in Animal Crossing has been something I've been interested in finding for some time now. After James Chambers informed me about the PAT tag for the NES emulator, which could possibly allow for arbitrary writes to RAM, I had to investigate further. James also mentioned that, due to certain restrictions, we could only write to a portion of RAM rather than all of it. Writes were also limited in size. He theorized that the best way to get around these limitations would be to create a custom loader.
With this knowledge in hand, I set out to do just that.

Designing the Patch Loader

The basic idea I had for the loader was simple: treat the NES ROM as data itself, rather than as a ROM. The loader would simply copy the NES ROM data to a specified location in RAM. The next thing I had to consider was the limitations. Specifically, the loader had to satisfy the following requirements:
- It must be written to memory between 0x80000000 and 0x807FFFFF. This is the write address limitation I mentioned earlier.
- It must be no larger than 251 bytes in size, as the tag responsible for patching uses four bytes for other information.

A Deeper Look at the Limitations

Let's take a break for a moment to break down why the limitations mentioned above exist. First, let's look at the write address limitation. The GameCube's main RAM is 24 megabytes in size and starts at 0x80000000, which makes the effective address range 0x80000000 - 0x817FFFFF. So why can the tag only patch to a third of that range? The answer lies in the code responsible for calculating the write address. Let's take a look at that code:

Taking the above code into account, we can see there are four cases that determine how the write address is calculated.
- The first case checks if the PAT type is 3. If so, it clears the address entirely, resetting any address we had before.
- The second checks if the type is 2. If so, it takes the next two bytes after the PAT type and uses them as a 16-bit value to add to the current patch address.
- The third checks if the type is 9. If so, it takes the next two bytes, shifts them left by four (the same as multiplying by 16), and adds the result to the current patch address.
- The final case checks if the type is between 0x80 and 0xFF. If so, it adds the type to 0x7F80, shifts the result left by 16, then adds the 16-bit value to that. This is where the write problem stems from.
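The four cases above, written out as an added example (my own Python, not code from the post or from the game): a model of the running patch address that can be fed a sequence of PAT entries, so the reachable range can be checked directly. Function and parameter names are mine; the type values, the 0x7F80 base and the shifts are the ones the post describes.

```python
# Added example: model of the PAT write-address calculation described in the post.
# Constants (types 3/2/9, the 0x80..0xFF range, the 0x7F80 base) come from the post;
# names are my own.
MASK32 = 0xFFFFFFFF
RAM_START = 0x80000000
RAM_SIZE = 24 * 1024 * 1024           # 24 MiB of GameCube main RAM, per the post


def next_patch_address(current, pat_type, value16):
    """Return the running patch address after one PAT entry.

    pat_type is the type byte, value16 the 16-bit value that follows it
    (ignored for type 3). Types not covered by the four cases are assumed
    to leave the address unchanged (assumption, not stated in the post)."""
    if pat_type == 3:                            # clear the address entirely
        return 0
    if pat_type == 2:                            # add the 16-bit value as-is
        return (current + value16) & MASK32
    if pat_type == 9:                            # add the 16-bit value << 4 (x16)
        return (current + (value16 << 4)) & MASK32
    if 0x80 <= pat_type <= 0xFF:                 # ((0x7F80 + type) << 16) + value
        return (((0x7F80 + pat_type) << 16) + value16) & MASK32
    return current


def absolute_range():
    """Lowest and highest address a single 0x80..0xFF entry can select."""
    lo = next_patch_address(0, 0x80, 0x0000)
    hi = next_patch_address(0, 0xFF, 0xFFFF)
    return lo, hi


def reachable_fraction():
    """Share of the 24 MiB of main RAM that the absolute case can select."""
    lo, hi = absolute_range()
    return (hi - lo + 1) / RAM_SIZE


def walk(entries, start=0):
    """Feed a sequence of (type, value16) entries through the calculation."""
    addr = start
    for pat_type, value16 in entries:
        addr = next_patch_address(addr, pat_type, value16)
    return addr
```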
Let's look at what would happen if we set the PAT type to 0xFF and use 0xFFFF as the 16-bit add value! The equation ends up looking like this:

((0x7F80 + 0xFF) << 16) + 0xFFFF

That then becomes:

(0x807F << 16) + 0xFFFF

Which becomes:

0x807F0000 + 0xFFFF

Finally, that equates to:

0x807FFFFF

That's how the maximum address is reached. So we now know for sure we can only write to addresses between 0x80000000 and 0x807FFFFF. What about the write size limitation, though? To understand that, we need to take a look at the PAT tag structure.

The loader code (PowerPC assembly):

```asm
// allocate stack frame
stwu r1, -0x30(r1)
// save LR through r0
mflr r0
// store r0/r3/r4/r5/r6 registers
stw r0, 0x20(r1)
stw r3, 0x1C(r1)
stw r4, 0x18(r1)
stw r5, 0x14(r1)
stw r6, 0x10(r1)
// loader (loads from ROM Data)
lis r3, NESROMDATAPTRADDRESS@h
addi r3, r3, NESROMDATAPTRADDRESS@l
lwz r3, 0(r3)
// check if the ROM start address is nullptr
cmplwi r3, 0
beq exit
// load patch offset
lwz r4, 0(r3)
cmplwi r4, 0
beq exit
stw r4, 0x28(r1)  // save jump offset
lwz r6, 0x08(r3)  // the third int should be 'bool isExecutable'. If anything other than 0, the loader will jump to the address it
stw r6, 0x24(r1)  // save executable flag
lwz r6, 0x04(r3)  // the second int should be the size to copy (ROM size - 8)
stw r6, 0x2C(r1)  // save size for invalidation operation later
addi r5, r3, 0xC
// start patching
patchLoop:
cmpwi r6, 0
ble exitPatchLoop
lbz r3, 0(r5)
stb r3, 0(r4)
addi r4, r4, 1
addi r5, r5, 1
addi r6, r6, -1
b patchLoop
exitPatchLoop:
// invalidate instruction and data caches
lwz r4, 0x2C(r1)  // load size
lwz r3, 0x28(r1)  // load address
clrlwi.
```
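The loader above reads three big-endian ints from the ROM data pointer (destination address, size to copy, isExecutable flag) and then copies bytes starting at offset 0xC. As an added example (my own Python, not the post's code), here is a model of that contract: a builder for the blob in the layout the loader expects and a simulation of its two nullptr checks and byte-copy loop over a bytearray standing in for main RAM. The function names and the bounds check are mine; the post's loader has no bounds check of its own.

```python
import struct

# Added example: model of the data layout the post's loader reads.
HEADER = ">III"                         # three big-endian ints, as on the GameCube's PowerPC
HEADER_SIZE = struct.calcsize(HEADER)   # 12: the loader starts copying at offset 0xC


def build_rom_data(dest_addr, payload, executable=False):
    """Lay out the 'ROM data' blob in the order the loader reads it:
    int 0 = destination address, int 1 = bytes to copy, int 2 = isExecutable,
    then the bytes to copy. The loader comment calls int 1 'ROM size - 8';
    here the caller simply supplies the payload and its length is used."""
    return struct.pack(HEADER, dest_addr, len(payload), int(bool(executable))) + payload


def run_loader(rom_data, ram, ram_base=0x80000000):
    """Simulate the loader over `ram`, a bytearray standing in for main RAM
    that starts at ram_base. Returns (bytes_copied, destination, executable);
    bytes_copied is 0 when the loader bails out at one of its checks."""
    if not rom_data:                        # ROM start address is nullptr -> exit
        return 0, None, False
    dest, size, is_exec = struct.unpack_from(HEADER, rom_data, 0)
    if dest == 0:                           # patch offset is 0 -> exit
        return 0, None, False
    if dest < ram_base or dest - ram_base + size > len(ram):
        # Own safety check for the model; the real loader copies blindly.
        raise ValueError("destination outside the modelled RAM")
    copied = 0
    while size > 0:                         # patchLoop: lbz/stb one byte at a time
        ram[dest - ram_base + copied] = rom_data[HEADER_SIZE + copied]
        copied += 1
        size -= 1
    return copied, dest, bool(is_exec)
```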
This guide will show you how to patch ROMs to apply translations, bug fixes, or modifications (also known as ROM hacks) to a game. Patching ROMs is very useful and can give you access to even more games for your SNES Classic Mini. You can patch games that were only released in Japan and add English translations to many great Japan-exclusive SNES titles like Magical Pop'n, Fire Emblem: Seisen no Keifu, Seiken Densetsu 3, and more. You can also apply patches to modify games and play popular ROM hacks like Super Mario World: Return to Dinosaur Land, Metroid Super Zero Mission, Link to the Past: Parallel Worlds, and many others.

Before we begin: This tutorial uses a computer running Windows. If you are using a Mac, follow our guide before you begin. This tutorial is the same and works for both the SNES Classic Mini and NES Classic Mini.

How-to Patch ROMs for SNES Classic

1. Download and extract and to your computer.
2. Download and extract the patch (patch files are in .ips format) and the correct ROM file. has a huge database of patches (translations/bug fixes/ROM hacks).
Make sure you download the correct ROM file for the patch. Note: you are patching the ROM, therefore you will need to download the original ROM file. I usually just download a ROM with the same name as the one listed under 'ROM / ISO Information' (in this example I would look for a ROM titled 'Super Mario World (USA).sfc').
3. Hit Browse and add the ROM. If the file is headered, hit OK and exit TUSH. If the file is unheadered, hit OK and press Add Header.
5. Run Lunar IPS and press Apply IPS Patch.
6. Select the patch (must be an .IPS file).
7. Select the ROM. Patching is complete.
8. You can now add the game to your SNES Classic Mini with hakchi2.
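Step 3 is where IPS patching usually goes wrong: an IPS record writes at a fixed file offset, so a 512-byte SNES copier header (the header TUSH adds or removes) shifts every write. The following is an added example, my own Python rather than anything from the guide, Lunar IPS or TUSH: a minimal IPS applier and the usual size-based copier-header check, run on a constructed ROM and patch so the shift can be seen.

```python
# Added example: minimal IPS applier plus the size heuristic for an SNES copier header.
IPS_MAGIC, IPS_EOF = b"PATCH", b"EOF"
COPIER_HEADER = 512   # size of the SNES copier header that TUSH adds or strips


def has_copier_header(rom):
    """Usual size heuristic: a headered SNES ROM is 512 bytes past a 1 KiB multiple."""
    return len(rom) % 1024 == COPIER_HEADER


def strip_copier_header(rom):
    """Return the ROM without its copier header (unchanged if it has none)."""
    return rom[COPIER_HEADER:] if has_copier_header(rom) else rom


def apply_ips(rom, patch):
    """Apply an IPS patch and return the patched ROM bytes.

    Records are [offset:3][size:2][data]; size 0 means an RLE record
    [count:2][value:1]. A 3-byte value after EOF truncates the output."""
    if patch[:5] != IPS_MAGIC:
        raise ValueError("not an IPS patch")
    out, pos = bytearray(rom), 5
    while patch[pos:pos + 3] != IPS_EOF:
        if len(patch) < pos + 5:
            raise ValueError("truncated IPS patch")
        offset = int.from_bytes(patch[pos:pos + 3], "big")
        size = int.from_bytes(patch[pos + 3:pos + 5], "big")
        pos += 5
        if size == 0:                                   # RLE record
            count = int.from_bytes(patch[pos:pos + 2], "big")
            chunk, pos = patch[pos + 2:pos + 3] * count, pos + 3
        else:
            chunk, pos = patch[pos:pos + size], pos + size
        end = offset + len(chunk)
        if end > len(out):                              # a patch may grow the file
            out.extend(bytes(end - len(out)))
        out[offset:end] = chunk
    pos += 3
    if len(patch) - pos == 3:                           # optional truncation record
        del out[int.from_bytes(patch[pos:pos + 3], "big"):]
    return bytes(out)


# Constructed sample patch: writes "ABC" at 0x10 and four 0xFF bytes (RLE) at 0x20.
SAMPLE_PATCH = (IPS_MAGIC
                + b"\x00\x00\x10" + b"\x00\x03" + b"ABC"
                + b"\x00\x00\x20" + b"\x00\x00" + b"\x00\x04" + b"\xff"
                + IPS_EOF)
```

Applying SAMPLE_PATCH to a headered copy of the same ROM lands the writes 512 bytes early, inside the header, which is exactly the mismatch the headered/unheadered step guards against.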