|
|
本帖最后由 yandagui 于 2015-10-28 19:02 编辑
; h! f) ?' r& `' u! L+ n9 n$ Y m) v0 a' K; a
FC自动演示修改教程
- e; |& N' a2 w) V作者:火焰烈旋风
P1 p) d: k6 B2 c4 Q- E工具:FCEUX中文版(www.9553.cn搜FCEU即可)6 c4 q0 B8 S3 Y, b \3 r
1.找按键地址:% k5 z% a4 F% g
首先,我们打开FCEUX,再打开魂斗罗美版,进入游戏无动作,打开FCEUX的工具>作弊,若左下角的"活跃时暂停"没打勾请点击打勾,游戏暂停了,点击中上部的"重设",在已知值输入后输入框中00,点击按钮"已知值",此时搜到大量数据为00的地址.单击FCEU窗口,游戏正常运行,按住一个按键不放如上键,点击作弊窗口的">",游戏暂停了,此时剩下几个地址,再单击FCEU窗口,按住两个按键如上+选择键不放,点击作弊窗口的">",游戏暂停了,只剩下几个地址了,再单击FCEU窗口,不要按任何按键键,点击作弊窗口的"已知值:00"最后剩下两个地址F1,F2,点中其中一个,再点左下角的"添加",发现按什么按键人物都不能动,说明这两个地址就是按键地址,双击左上部的锁定地址,前面的"*"号消失就解除了锁定,并且通过调试知道上=08,下=04,左01,右=02,A=80,B=40,选择=20,开始=10." v8 E9 C! E: a: B
2.找演示时按键的数据来源:
7 Q, V+ m) `! {2 H ~ 既然知道了按键的地址,那么就要看演示时是什么改变了这些值.点击FCEUX的>游戏>重设,等进入自动演示时,我们打开打开FCEUX的调试>调试器,在右上部分点击"断点"下的"添加",此时弹出"添加断点"窗口,我们在"地址"第一个输入框输入F1(我们找到的按键),将输入框下面的"写"打上勾,CPU也打勾,点"确定".此时调试窗口出现如下指令:
9 G# C, W1 X1 n' _! v" w$ J07:C38F:94 F1 STY $F1,X @ $00F1 = #$01
4 E7 P7 I8 h% Q' x. Z5 U07:C391:94 F9 STY $F9,X @ $00F9 = #$00, n+ \) P9 Z: y# H5 ~6 g# p( k( O
07:C393:CA DEX
) ~7 V, y D" w6 B J- T4 c07:C394:10 F0 BPL $C386
/ b6 D/ u! ]! B; s$ M% Y! T07:C396:60 RTS
. ?7 L7 n( l5 p, n6 ]我们点击"运行"左边的上拉按钮上拉,看到如下指令:
3 X* Z" D" B2 o0 E: ~07:C378:A5 1D LDA $001D = #$07
+ b7 Y6 f/ n2 w, C% m07:C37A:29 04 AND #$04: c# S" W c `
07:C37C:D0 06 BNE $C384' m/ Q0 J4 v2 D6 j# W
07:C37E:A5 04 LDA $0004 = #$00
0 W9 K5 p7 s/ b0 e& }07:C380:05 05 ORA $0005 = #$00
3 g! z# `$ S5 s5 Y. k+ O0 c$ ~9 v07:C382:85 04 STA $0004 = #$00+ Y! f7 X$ s( K9 c) k1 m# p
07:C384:A2 01 LDX #$01; k& |# q: o) s* [
07:C386:B5 04 LDA $04,X @ $0004 = #$00
# X6 \0 l, s; t+ i$ y ?07:C388:A8 TAY
Z- Q# G, ?6 R( n: q8 ~; b07:C389:55 F9 EOR $F9,X @ $00F9 = #$00
% Z5 o4 R( B2 w" V4 P07:C38B:35 04 AND $04,X @ $0004 = #$002 l% j8 `+ [1 |- [
07:C38D:95 F5 STA $F5,X @ $00F5 = #$00# i& u+ ?) e7 v* b
07:C38F:94 F1 STY $F1,X @ $00F1 = #$01
# Q+ R3 n' G* D9 ~( K# g07:C391:94 F9 STY $F9,X @ $00F9 = #$00' u3 W% [3 Z+ t0 y) U0 k
07:C393:CA DEX
" Q: |; }3 z) w. N8 b% t07:C394:10 F0 BPL $C3868 y9 h- p. R$ n6 L& W5 s( C
07:C396:60 RTS
4 C% c8 M" n! l/ ^, x由于演示的数据存放在某处,然而这里并没有读取某处的值送F1的指令,所以很可能不是我们要找的指令,点击"断点"窗口旁边的"运行",窗口中出现如下数据:
" w8 G! b: F% ~9 Q05:B3A3:95 F1 STA $F1,X @ $00F1 = #$00
& j8 p5 L. R7 ]* ~% {: f4 U05:B3A5:A5 2E LDA $002E = #$C81 U C9 j! a$ R! r
05:B3A7:C9 50 CMP #$504 Q% V( B, D8 {: D3 T
05:B3A9:90 20 BCC $B3CB/ T3 S3 d3 l2 J4 ~
05:B3AB:B5 AA LDA $AA,X @ $00AA = #$00) `, o3 M7 ]& \& Q3 f
05:B3AD:29 0F AND #$0F2 Q8 K* M, A: J R- [* e# O
05:B3AF:C9 01 CMP #$01' D2 D6 M! {2 v% h' V& i
05:B3B1:F0 04 BEQ $B3B7
+ v9 o3 ^2 P/ p05:B3B3:C9 04 CMP #$04
, R! t+ V: T1 k# |" B.........
0 E* ~$ j/ C& B$ G: |我们点击"运行"左边的上拉按钮上拉,看到如下指令:+ E4 @ l `8 f8 a4 C
05:B39F:B5 5C LDA $5C,X @ $005C = #$01 {" Z8 v7 x, x- \! R+ S
05:B3A1:95 F5 STA $F5,X @ $00F5 = #$01
( `# e0 b4 E' P$ t( O+ z05:B3A3:95 F1 STA $F1,X @ $00F1 = #$00
' g/ m0 Y- }* s; Q' E05:B3A5:A5 2E LDA $002E = #$C8
3 Z1 B( p: g8 }, v) S! m05:B3A7:C9 50 CMP #$505 K& m" j) ]- L4 l
05:B3A9:90 20 BCC $B3CB
% |' P; h, ^# R' [, [/ G: A8 C9 S05:B3AB:B5 AA LDA $AA,X @ $00AA = #$00+ z. H* y' b- X: Y4 G
05:B3AD:29 0F AND #$0F
' w6 B; j' {1 Z, e* U看到
4 w4 d: f. \; b7 g# e3 y05:B39F:B5 5C LDA $5C,X @ $005C = #$01
: v" D* K- ^5 {) {- o, c, u, w05:B3A1:95 F5 STA $F5,X @ $00F5 = #$01
9 [5 B1 g5 `6 E* L: m05:B3A3:95 F1 STA $F1,X @ $00F1 = #$00
) V& \/ ?! F6 n# W: ?% o0 L5 t没有?这个说明F1的数据是从地址5C送出得到的,说明我们要找到存储演示按键数据必须从地址5C入手.
/ U: v3 O' y) G3 c- l 接下来调试器,双击取消F1断点,点击"断点"下的"添加",此时弹出"添加断点"窗口,我们在"地址"第一个输入框输入5C,同样"写"打上勾,点"确定",一会出现如下指令:
. L4 m! g" ?- k2 ^/ Y. P7 K" b8 D0 c05:B392:95 5C STA $5C,X @ $005C = #$01
& Q9 E5 I& Q, S# d5 w8 u3 G05:B394:C8 INY
1 M% a! r* A8 p! g05:B395:B1 08 LDA ($08),Y @ $B3F2 = #$09
% w* b) v4 s9 Q- y' u* ^05:B397:95 5A STA $5A,X @ $005A = #$00
1 [& _2 I& b& {8 L6 `/ k) G05:B399:C8 INY
$ v6 G; w2 I/ t u5 D05:B39A:98 TYA
; \. G% g, n' X0 B5 p% x9 \" G然后我们再上拉,得到如下指令:; k6 P5 c- K- }* ^
05:B38C:B1 08 LDA ($08),Y @ $B3F2 = #$09
$ P, v* n" S- i6 ?% Q. g05:B38E:C9 FF CMP #$FF
, J0 N% b) x3 t8 W- x" a$ u4 r05:B390:F0 3D BEQ $B3CF5 c8 I& M( A9 |$ p
05:B392:95 5C STA $5C,X @ $005C = #$016 X0 S$ x% I; t- _8 U% M( X2 C
05:B394:C8 INY
3 u$ Y1 W+ S4 v- }05:B395:B1 08 LDA ($08),Y @ $B3F2 = #$09" S7 j5 {- i9 k6 F
05:B397:95 5A STA $5A,X @ $005A = #$00
2 _9 r8 ]/ r) G) q05:B399:C8 INY
6 e% e7 C$ x0 N1 z+ f+ g+ r05:B39A:98 TYA
. E; e9 t! s/ Q( z% p: c' ]看到05:B38C:B1 08 LDA ($08),Y @ $B3F2 = #$09
. V9 K9 s4 r8 k没有?说明现在5C的值来源于变址得到的$B3F2,哈哈,演示按键的数据找到了,在游戏CPU的$B3F2附近.2 K; y3 F7 E+ H/ r
3.修改演示:0 N K( z0 x* I* Y; M6 ?1 I2 v
打开FCEUX的调试>十六进制编辑器,按Ctrl+A或点击十六进制编辑器>转到地址,输入B3F2,此时黑色光标标记的地方就是CPU的$B3F2,右击黑色光标>转至ROM文件中对应位置,此时已转至ROM文件中对应位置了.
" X1 C) Q2 j" d; n! S$ t 我们要修改,必须从开始演示的第一个演示按键开始,接下来去找到它:3 S& C; M+ I e' J
打开FCEUX的游戏>重设,此时游戏暂停无状态,点击调试器的"运行",出现黑屏,再点击两次"运行"游戏运行了,过一会又暂停,再点击两次"运行"游戏运行了,出现背景画面时暂停了,调试器窗口中出现了如下数据:" B7 r8 [) N/ B' {0 ]& z; _: _* M
05:B392:95 5C STA $5C,X @ $005C = #$00
% b2 U2 ?7 C1 j6 A. t05:B394:C8 INY! h& f$ t! l6 N. r1 X, [
05:B395:B1 08 LDA ($08),Y @ $B3DE = #$00. U: l: J% l" @# H i' l
05:B397:95 5A STA $5A,X @ $005A = #$002 Z3 ^- O4 _6 [4 {0 \9 G/ t) O
05:B399:C8 INY
. |$ K& U1 t1 i4 c+ q05:B39A:98 TYA* ~7 U. a) I0 {" u
我们上拉看到了:
7 I! B- R6 B% k0 x% g05:B38C:B1 08 LDA ($08),Y @ $B3DE = #$004 W$ Z( B, V- q3 j& h
05:B38E:C9 FF CMP #$FF* L0 P6 N$ `/ @
05:B390:F0 3D BEQ $B3CF
$ z7 p; K* _( q# [* ~05:B392:95 5C STA $5C,X @ $005C = #$00
, z( K9 _3 W2 f, s- e' N05:B394:C8 INY
, y0 B' |0 [& I) I3 `% p: y05:B395:B1 08 LDA ($08),Y @ $B3DE = #$00
# f% V: S9 B$ R6 A; K# M; B05:B397:95 5A STA $5A,X @ $005A = #$001 l6 R& i% b' G* P4 S4 k! F
05:B399:C8 INY. Q' e4 R6 q3 ?! Y- F& W% Y
05:B39A:98 TYA0 q- R0 Y+ H m
看到6 ?% |1 x( z, t2 I# ^ L/ h
05:B38C:B1 08 LDA ($08),Y @ $B3DE = #$00
+ L+ h! f' s5 h/ t' i) ?* g没有?它应该是第一个演示按键,接下来进入十六进制编辑器,点击查看>NES内存,此时切换到NES的CPU内存,按Ctrl+A或点击十六进制编辑器>转到地址,输入B3DE,此时黑色光标标记的地方就是CPU的$B3DE,右击黑色光标>转至ROM文件中对应位置,此时已转至ROM文件中对应位置了,这里就是演示按键的开始地址." Z4 |4 i7 Y' k
说明:演示按键地址的结构,以开始的00 21 01 03 00 0E 01 3D 04 06 05 33 00 0E 04 0A 05 01为例:第1个00是按键数值(无行动),第2个21是指按键数值21前的按键保持21(时间),第3个01是按键数值(向右走),第4个03是指按键数值03前的按键保持03(时间).......以此类推,判断根据:( ^+ h! F: l) l
05:B371:B5 5A LDA $5A,X @ $005A = #$7F+ V2 B* r. |6 D' |! c
05:B373:D0 28 BNE $B39D(如果5A=00,那么就会跳过28字节执行2A递减的指令)
# j- u% j) O0 p; t05:B375:A5 30 LDA $0030 = #$00
3 K( u. V8 T7 r/ F05:B377:0A ASL
. q! d, q' J0 ^2 E9 K05:B378:0A ASL
- q: y9 N+ y f4 n; j05:B379:85 08 STA $0008 = #$29
1 d0 L( Q$ h$ t05:B37B:8A TXA" e8 ^6 z" f# W& S- f3 S
05:B37C:0A ASL
- U$ R% W$ E9 t& d8 S# ^05:B37D:65 08 ADC $0008 = #$29' F9 |- S( {, S1 s+ S r# j
05:B37F:A8 TAY
: d. o, ?0 B8 m$ O! y9 O, N% G) Q6 Z05:B380:B9 D2 B3 LDA $B3D2,Y @ $B3D7 = #$B4! i, m( [6 b' f
05:B383:85 08 STA $0008 = #$29( b9 [5 [6 `4 Y" Z
05:B385:B9 D3 B3 LDA $B3D3,Y @ $B3D8 = #$FC/ K2 Z; `8 e; [3 D1 p/ V
05:B388:85 09 STA $0009 = #$B2
: |. z4 p6 ^! ^1 T3 q05:B38A:B4 5E LDY $5E,X @ $005E = #$02
0 T: |4 X$ F) l2 Z3 R05:B38C:B1 08 LDA ($08),Y @ $B22E = #$10
; j1 i, q. P3 m0 _05:B38E:C9 FF CMP #$FF; k( G. t* n% P+ N! N# B
05:B390:F0 3D BEQ $B3CF
7 Y( ?- x; `" _. L05:B392:95 5C STA $5C,X @ $005C = #$00: h2 G! D8 x3 E
05:B394:C8 INY6 Y% p6 g: \, ~2 ?
05:B395:B1 08 LDA ($08),Y @ $B22E = #$10
9 @" K# p, S: ?* D+ S05:B397:95 5A STA $5A,X @ $005A = #$7F$ w+ B& Y G" h" O7 {
05:B399:C8 INY
" Z3 z+ w0 l! I# {4 ^. H7 j05:B39A:98 TYA
4 ]! g+ B- {& a& `( m05:B39B:95 5E STA $5E,X @ $005E = #$02
5 j9 s6 G8 w# M' Q05:B39D:D6 5A DEC $5A,X @ $005A = #$7F(5A递减)! u# |& K a$ P9 Y/ k
05:B39F:B5 5C LDA $5C,X @ $005C = #$00- h* `1 {# l0 Y& ]0 h) D
05:B3A1:95 F5 STA $F5,X @ $00F5 = #$00
7 h/ } j M5 n$ H: X05:B3A3:95 F1 STA $F1,X @ $00F1 = #$00
6 ?- J* b2 P7 ? |0 ?
7 k2 k2 b' w9 |% ]由于技术原因,本人以前只能改到打完三关,因为间址LDA ($08),Y得到的地址发生改变,那时本人无能力了.现在全部完成,用到其他方法们再次难以叙述了
2 {1 h% R. o u0 g可以下载玩一玩
7 G& r- p9 Y6 s! T% R. Uhttp://pan.baidu.com/s/1bnE0AwZ |
|
IP卡
狗仔卡
发表于 2015-10-15 08:53:29
提升卡
置顶卡
变色卡
显身卡