Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Topics - blitzmaster5000

Pages: [1]

NFL Blitz Hacking / Blitz 2000 extended teams + playbook + updated roster patch (updated 5/28/2017)

« on: August 25, 2016, 10:24:23 PM »

After many months of working on the extended playbook and other things, I am finally ready to release the patch. This patch includes the following major changes from the original blitz 2000 (N64) game:

1. Expanded team hack (thanks to Zoinkity), including the Texans as well as an extra team titled "Pork Rub Fantasy" (it's an inside joke)
2. Updated Rosters through last year at the end of the 2015 season
3. Custom "tips"; these are again inside jokes, so won't make any sense
4. Expanded playbook for both offense (5 pages) and defense (2 pages)
5. Two custom cheats: ultra low gravity (- - 1 down), and 2000 play speed (- - 1 right)
6. Extended playbook timer to 20 seconds from 9 to compensate for the larger amount of plays

For (1) and (2), the extra team and rosters can be modified using Jakes roster editor tool. (3) needs to be edited by hand.

For (4), I plan on including the first page of 2001 offensive plays, but no other default plays from different versions. The data is jut too complicated and time consuming to work through. However, I think we may try and somehow incorporate custom plays generated from the external playbook editor into the game by default, but that's way down the road.

Finally, for (5), these two custom cheats are more for testing purposes for custom cheats. The patch has 2001 speeds by default, so if you want the 2000 play speed (slightly slower), just use the cheat as stated above. These cheats can be cleared like any other by simply starting a new game. I plan on adding other custom cheats down the road as well.

You can find the patch here:
http://s000.tinyupload.com/?file_id=49015556741157514844

Installation is simple. Just do as follows:

1. download patch and xdeltaUI program from here: http://www.romhacking.net/download/utilities/598/
2. in xdeltaUI, select a non-edited nfl blitz .z64 ROM for the file to modify. It will probably work with other patched ROMs (such as ones that you may have already patched w/ Zoinkity's patch), but I didn't test it.
3. select the output directory and file name - any file name will do, just make sure you have the .z64 extension.

If it worked, it will display "patched applied succesfully" or something along those lines. Good luck!

NFL Blitz Hacking / Blitzmaster5000 hacks

« on: July 13, 2016, 01:13:03 AM »

I will deposit most of my hacks I have here. I figured it would be best to stick it here as they cover a variety of hacks. This will be a constantly updated thread, as I want to separate the various hacks that maybe unrelated but people may want. For now, they will be mixed together, but I will separate each eventually so if people want specific hacks they can incorporate them.

BLITZ_CHANGE_LOG
latest stable version: 4.0
major changes:

1. increased speeds of players to be similar to blitz 2001 (notes not in here)
2. increased size of playbook for offense and defense. Still need to work out bugs for multiplayer and custom plays. // DONE!!
3. Increased playbook timer to 20 seconds to allow for more time with larger playbook. // DONE!!

Changes planned for next major release (4.5):
1. Include plays from 2001 //sort of done
2. Deactivate "use team plays" cheat // DONE!!

Changes planned for Version 2.1:
1. Fix bugs with custom playbook - page #, B-button action //DONE!
2. Fix custom playbook defensive plays //DONE!
3. Fix custom playbook for P2,3,4 - need to increase the write function to fill all the plays //DONE!

TODO: 1.   ADD IMAGES FOR 2001 PLAYS
     2.   FIX "FLIP PLAY" ISSUE (UPDATE POINTERS) //DONE!!!!
=================
changes to version 4.5
======================
many changes. Dumped a bunch of data for plays up to 6, ran out of room. started to get strange behavior in other parts
added all play data for 2001. however, plays 6-9 are not authentic. used data from other plays.
no serious issues nonetheless.

========================
changes to version 4.1
========================
1.   updated page 6 (2001 plays) names
2.   moved pointers for defensive play names to make room for page 6
3.   updated custom plays so last offensive page is custom page + page flipping (see V2.0 & 2.1 below for changes)

//adding new 2001 offensive play pointers (6ad7c) and names (71b60)
NEW POINTERS TO PLAY NAMES STARTING AT
0x6AD7C
0x71b60      80070F60   SHORT JET
0x71b6C      80070F6C   STACK IT
0X71B78      80070F78   SMACK YOU
0X71B84      80070F84   DEEP ATTACK
0X71B90      80070F90   FLOOD SLIT
0X71B9C      80070F9C   POST DRAG
0X71BA8      80070FA8   TASTY TREAT
0X71BB4      80070FB4   KOMBAT
0X71BBC      80070FBC   BLACK RAIN

//moving defensive play names so we can expand the offensive play names
0xd19f0   lui at, $8029   //originally $8028
0xD19F8   V0 0xADD0 (AT)   //originally V0, 0x405C (AT)

=======================
changes to version 3.7c - BlitzXL2016_V37c.z64
=======================
added plays:
SHORT JET
STACK IT
SMACK YOU

========================
changes to version 3.6 - BlitzXL2016_V36_stable.Z64
========================
team plays deactivation hack - with the extended playbook, this cheat is no longer necessary, so this turns off using team plays

0x328B8   SW V0,0x0000 (T0)   //sets cheat to 1 for all cheats
0x328BC J $80070D88         //jump to 0x71988; originally SW S3, 0x0010 (SP)
0x328C0   SW S3, 0x0010 (SP)   //originally SW R0, 0x0014 (SP)
0x71988 SUBU T0, T0, T0      //CLEAR T0
0x7198C   LUI T0, $8028      //LOAD UPPER HALF OF TEAM PLAYS ADDRESS
0x71990   ADDIU T0,T0,$2E64   //LOAD LOWER HALF
0x71994   SUBU V0,V0,V0      //CLEAR V0
0x71998   SW V0, 0X0000(T0)   //SET TEAM PLAYS VALUE TO 0 TO DISABLE
0x7199C   SW R0, 0x0014(SP)   //from original code
0x719A0   J $0024BBA4         //JUMP BACK to 328C4 in rom; 8024BBA0 in ram

========================
changes to version 3.5 - TO DO STILL
========================
////////another one /////
starts at 0xD197C - still need to fix! used for flippd play names

///here are all the LW v0,0x0000(a0) if you need to fix
0032D71C
0032D8EC
0032D914
0032D938
00330A58
003311FC
003318FC

========================
changes to version 3.4
========================
//fixing another place where it loads offense data
D5240   J $80070D60      //originally lw v0, $0000 (A3); 71960 in ROM
D5244   subu v0,v0,v0   //originally addu v0,v1,v0
71960   lui v0, $802B
71964   addiu v0,v0,$1988
71968   addu v0,v1,v0
7196C   J $803311F8
//same for defense
D5260   J $80070D74      //originally lw v0, $0000 (A3); 71974 in ROM
D5264   subu v0,v0,v0    // originally addu v0,v1,v0
71974   lui v0, $802B
71978 addiu v0,v0, $1988
7197C   addu v0,v1,v0
71980   J $80331218      //D5268 in ROM

=======================
changes to version 3.3
=======================
deleted all USE TEAM PLAYS data. The cheat still works, need to delete it


=======================
changes to version 3.2
======================
actually fixed the previous. This is the definitive version of the extended playbook, as it no issues with custom plays that the others did.
//THIS FIXES THE MULTIPLE PLAYBOOK ISSUE, CHANGES SOME PREVIOUS THINGS IN V2.0//////
//offense -images
0xD192C      8032D8DC   J $80070D1C   //original sll v1,a1,0x3; jump to new part; 0x7191C in ROM
0xD1930         SLL V1, A1, $3      //move top down here; original ADDU V1,V1,A1
0x7191C         ADDU V1,V1,A1      //from original code
0x71924         SUB V0,V0,V0      //set V0 = 0
0x71928         LUI V0, $802B      //set upper to 802A
0x7192C         ADDIU V0,V0, $1988   //set lower to DF20
0x71930         J $800D0D34         // jump back; 0xd1934 in rom
//offense - names
0xD1958   J $80070D4C         //originally LW V0, $0000(A0); 7194C in rom
0xD195C   SUBU V1,V1,V1      //originally ADDU V0,V1,V0
0X7194C   LUI V1, $802B
0x71950   ADDIU V0,V0, $1988   //
0x71954   ADDU V0,V1,V0      //from original string
0x71958   J $8032D910         //JUMP BACK TO D1960
//offense - picking right play
0xD1750   J $80070BE0
0xD1754   NOP
0x717E0   LUI V1, $802B
0X717E4   ADDIU V1,V1,$1988
0x717E8   ADDU V1,V1,V0
0x717EC   ADDU A1,S3,R0
0X717F0   J $8032D708
//defense
0xd19a0   lui v0, $802B
0xd19a4   ADDIU v0,v0, $1988
0xd19a8   NOP
0xd19B0   NOP
0x71938   lui v0, $802B
0x7193c   addiu v0,v0,$1988
0x71640   ADDU V1, V1, V0
0x71948   J $0032D994
//defense- picking right play
0xD171C   SUBU V1,V1,V1 //CLEAR OUT ALL OTHER VALUES
0xD1720   LUI V1, $802B   //SET PLAYLIST TO LAST ONE
0XD1724   ADDIU V1,V1, $1988   //SET BOTTOM HALF OF ADDRESS
//END OF MULTIPLE PLABOOK ISSUE/////////////////

=======================
changes to version 2.3
=======================
Fixed P2,P3,P4 custom playbook + extended playbook.
Game now reads all plays for default plays from the P4 play table at A0 = 0x802B1988 & 0x802B2CD6.
This way we're not writing/being written over the first 3 playbooks.
//offense
0xD192C      8032D8DC   J $80070D1C   //original sll v1,a1,0x3; jump to new part; 0x7191C in ROM
0xD1930               SLL V1, A1, $3      //move top down here; original ADDU V1,V1,A1
0x7191C               ADDU V1,V1,A1      //from original code
0x71924               SUB V0,V0,V0      //set V0 = 0
0x71928               LUI V0, $802B      //set upper to 802A
0x7192C               ADDIU V0,V0, $1988   //set lower to DF20
0x71930               J $800D0D34         // jump back; 0xd1934 in rom
//defense
0xd19a0   lui v0, $802B
0xd19a4   ADDIU v0,v0, $1988
0xd19a8   NOP
0xd19B0   NOP
0x71938   lui v0, $802B
0x7193c   addiu v0,v0,$1988
0x71640   ADDU V1, V1, V0
0x71948   J $0032D994
=======================
changes to Version 2.2
=======================
Fixed defensive play issues
0xD2980      8032E930   XORI V0, S3, 0x0002      //moves actual custom custom play data to last page
=======================
changes to Version 2.1
=======================
//fixing default play flipping issue w/ play 5
8032E7E0   SW T1, 0x002C (SP)   //stores into 800C2C84; flip play - boolean 0 or 1; each is for normal or flipped
0xD7298      8032E748   XORI V0,S3, 0x0005   //Fixes flip page issues for custom plays, must be == to number of pages; originally 0x0002
0xD27AC      8032E75C   SLTI V0,S3, 0x0006   //Fixes flip page w/ default plays; must be > # of pages; originally 0x0004
==========================================
changes to ROM blitzXL_V20.z64
==========================================
//extending playbook - default and custom
0xD2590      8032E540   ADDIU V0,R0,0x0005      //sets 5 pages for default playbook
0xD25D0      8032E580   SLTI V0,S3,0x0006      //sets 6 pages for custom playbook
0x34130      8024D410   ADDIU V0,A1,0x1399      //original 1369; moves defensive play data back to make room for new plays
0x34150      8024D430   SLTI V0,A3, 0x0023      //original 0009; allows all play table data to be written
//fixing playbook to read/write correct plays
0xd1924   J 0x80070C28      //ORIGINALLY addu a0,v0,v1 ; 71828 IN ROM; jump to new area to make playbook pages correct
0xd1928   addu a0,v0,v1      //ORIGINALLY LW V0, $0000 (A0)
0x71828   LW V0, 0x0000 (A0)   //line needed from original function
0x7182C   ADDU S4,S5,R0      //sets correct page number; may not work w/ custom plays
0x81730   ADDU A1,S5,R0      //sets correct page number; may not work w/ custom plays
0x71830   j 0x8032D8DC      //jump back; D192C IN ROM; this is address from NEMU; calculated one didn't work
//move custom pages around - puts custom plays last - still need to fix page #
0x37B44      80250E24   ADDIU T0, A2, 0x1350   //original 0x1370; writes the entire first playbook; truncate may damage last play; make sure to only truncate play data
0xd2558      8032E508   XORI V0,S3, 0x0005      //original 0x2; sets playbook on the last page (versus 3rd)
0xd2a20      8032E9D0   ADDIU T1, R0, 0x0005   //original 0x2; sets playbook on last page; not changing this freezes game
//fix how to load in data for multiple playbooks for p2,p3,p4
         80250E00   BEQL V0,R0, $XXXX      // originally SUBU V0,V0,A0;    jump to 80250E10 if first playbook
         80250E04   NOP                  // originally SLL V0,V0, 0x4;   delete for branch
         80250E08   SUBU V0,V0,V0         // originally SUBU V0,V0,A0;   set V0 = 0
         80250E0C   ORI V0,V0, 0x13C0      // originally SLL V0,V0, 0x3;   set size of playbook to be larger
//fixing page 4 custom - above fixes the graphics and text, but this will fix actually loading correct play data
0xd1750      8032D700   J $00070C3C            //originally lui v1, 0x8037; is 7183C in ROM
0xd1754      8032D704   lui v1, 0x8037         //originally addu v1,v1,v0
0x7183C               addu v1,v1,v0         //entry point at jump
0x71840               addu a1,s3,r0         //copy s3 value (correct page #) to a1
0x71844               J $8032D708            //jump back to RAM address; is d1754 in ROM
//DEFENSE - add more pages (currently 2, default 1)
0xD26B8               BEQ R0, V1, 0x000D26B8   //branch if custom play or not; same as original code
0xD2698               SLTI V0,S3, 0x0003      //puts custom play page last; originally 0x0002
0xD26A4               ADDIU T1, R0, 0X0002   //increases to 3 pages for custom playbook; originally 1
0xD26B8               J $80070C70            //jumps to same page change code as offensive, just with page total = 2; 0x71870 IN ROM
0x71870               **page change code**   //same code as that for offensive play select (found at 0x8032e5a4)
0x71890               SLTI V0,S3, 0X0002      //set playbook size to 2 pages (for defense); ORIGINALLY 1
0x7189C               ADDIU T1, R0, 0X0002   //set playbook size to 2 (no custom plays)
0x7199C               **end of page change code**
0xD2980               XORI V0, S3, 0x0002      //moves actual custom custom play data to last page

//Increasing playbook timer //
//Time stored in 800BCB68
//800BCB98   similar to timer
0xd7710      LW S0, 0x0000(A0)
0xd7714      J 0X80070C4C         //originally LWC1, F2, 0x0004(A0); 7184C IN ROM
0xd7718      LWC1, F2, 0x0004(A0)   //originally CVT.S.W F2, F2
0x7184C      CVT.S.W F2, F2
0x71850      SUB S0,S0,S0         //SET S0 = 0
0x71854      ORI S0,R0, 0X0014      //INCREASE TIMER TO 20 SECONDS
0x71858      J 0x800D6B1C         //JUMP BACK TO D771C IN ROM

NFL Blitz Hacking / Hacking Blitz tutorial 2: modifying tackle speed with jumps

« on: May 25, 2016, 07:33:47 PM »

Jumping out of a function, injecting new code, and jumping back to modify in-game variables tutorial
Introduction
I will explain below how to jump out of a certain function, add some new code to a blank area in the ROM, and jump back. This sort of thing is useful for many different hacks, but especially in cases where there are no NOPs to add new opcodes into. Even if there are some NOPs in the function you’re interested in, it’s sometimes useful to jump out in order to add more code than there are NOPs. I’m going to be using the following programs:

1.   NEmu64 – command, register, and memory debuggers for finding opcodes and hex values
2.   LemAsm – for modifying actual ROM and saving the changes
3.   Cygnus hex editor – for finding the opcodes in LemAsm originally found in Nemu

This tutorial is written using Zoinkity’s hacked 2000 version. Other versions can probably similarly be hacked, but the addresses are most likely different. The hack that will be discussed here is related to the tackle speed. Blitz works by having multiple functions control tackle speeds. Thus far, I have found 4 total:

1.   Lateral (left – right) tackle speed, not locked onto target
2.   Vertical (up – down) tackle speed, not locked onto target
3.   Lateral tackle speed, locked on
4.   Vertical speed, locked on

By “locked on” I refer to how the game mechanics handles tackling. It works as follows: if the tackler is within a certain distance to the opponent (player to be tackled), the game adjusts the course of the player to hit the opponent. It’s similar to an auto-aim feature in a FPS. It’s usually a very small adjustment, but it is there. But more importantly, I found that being within this “zone of locking on” writes the speed of the tackler from a different function than if you are not. Thus, if you are tackling nowhere near anyone, the player tackle speed is being written to by (1) and (2) above; if the you are tackling very near an opponent, then (3) and (4) are. I think there are some other subtleties I haven’t worked out yet regarding how these functions work, but for the sake of the tutorial, this is about all you need to know about the mechanics of the game. We will be focusing on (1) above – modifying the lateral tackle speed when not near an opponent.

A few things to mention before getting started: Thus far from the various hacks I have done regarding the physics of the game (player speed, tackling, gravity, etc), they are usually heavily arithmetic – lots of math working out where the player will be next, speed, etc. This is convenient because it’s usually quite easy to read the assembly and follow what exactly is happening. Usually there are constants that will be set throughout the function, in our case the lateral speed of the tackler that can be very easily modified either by changing the value, or adding more arithmetic operations to the value to increase/decrease whatever that value is.

Another thing to mention is that these functions are undoubtedly using floating point values for each operation, meaning that whatever value you are modifying is not going to be a whole number or integer such as 1, 20, 255, etc. It will usually be an irrational number of some sort such as 1.333, 1.43546, etc. This is important because the N64 has specific registers (registers = slots to stick temporary values needed for the function you are in) for floating point operations, located in COP 1 (Figure 1 shows an annotated screenshot of the COP 1 register window in nemu). There are 31 floating point registers that can be accessed – most of these are being used throughout a given function, but there are sometimes some that aren’t, and you can write your own values to those to apply arithmetic operations on the registers you want. The nice thing about Nemu64 (beyond all the other awesome debugging features it has) is you can monitor these registers very easily to see what values are being stored.

The lateral tackle speed function was found by following a similar procedure found in a previous tutorial I wrote regarding finding variables. The address corresponding to the players lateral tackle speed is written to by 8027F1CC, which has the operation SWC1 F4, 0x0014(S0). This can be seen, along with the previous and subsequent operations, in Figure 2. It should be noted that the game processes these operations in-line, meaning that they go sequentially through the operations, unless there are jumps, branches, etc.

This operation code (opcode) stores the value into the floating point register F4 (seen in Figure 1). This means that we need to modify whatever F4 is prior to this operation. If you look above two lines at 8027F1C4, the opcode is SUB.S F4,F4,F2. This operation is doing the following: F4 = F4 – F2. So it takes whatever value was in F4, takes away whatever was in F2, and stores that value in F4. If one wanted to, this opcode could be replaced with NOP (no operation; does nothing) and this would in itself modify the lateral tackle speed. However, we don’t want to simply delete this, we may want to increase the speed of the tackle. Unfortunately looking at the list of operations in the command dialogue box shows no NOPs where we could stuff an extra bit of code to modify F4. Therefore, we must jump out of this function, go to a new area in the ROM where there is no pre-existing code, add our code, and then jump back. These changes can be made directly to the Nemu command window and memory viewer, but any changes made here will be temporary and will not be permanent. Therefore, we must modify the actual ROM itself in order to make it permanent (The reason we can modify the operations of the game in the RAM but it is not permanent is the 64 will load the whole ROM into memory, which we are modifying in Nemu – therefore, we are not modifying the actual ROM itself, just the “RAM image” of the ROM).

To view the ROM that also has the opcodes as well (rather than just the hex, which is essentially indecipherable), download LemAsm. This program allows you to load a ROM, add/edit opcodes, write and save to the ROM itself. However, the addresses in RAM (in nemu) and the ROM (in lemAsm/hex editor) are not the same. There is an offset between them that must be determined. How that is done is beyond this part of the tutorial, so I will say the easiest way to find the function you want is to do a search match of the hexadecimal of the function you want to find and the instructions nearest it in a hex editor, such as Cygnus. So if you are looking for the hex corresponding to the SWC1 F4, 0x0014(S0), which is E6040014, you can search for this value and a few more hex codes following this. Don’t simply search for E6040014 as there are probably at least 50 of these codes throughout the ROM. Once you find the correct address in the ROM in the hex editor and LemAsm, which is at 00065EEC, we can start modifying the actual ROM (Figure 3).

As mentioned previously, there are no NOPs that can be replaced with an operation to modify our value. Therefore, we must jump out of the function to change it. We can use the opcode “J $XXXXXXXX” where J is the jump command, to some address, XXXXXXXX, to execute some new code. This is where things may get complicated: we cannot simply search the ROM for some empty space and jump to it. So for instance, 00071800 has a bunch NOPs, so we could stick some new code here. But we can’t simply Jump to 00071800 – we must jump to its RAM value. This value is calculated as follows: RAM = ROM - 1000 + 80000400. This is all in hex, by the way, not decimal. So to calculate the RAM address for the ROM address we have, we do: RAM = 00071800 – 1000 + 80000400, which is equal to 80070C00. Therefore, our jump command that we type into LemAsm will be “J $80070C00” (no quotes). Now I have not mentioned where we will add this. So the question then is, where should we add this jump to inject some new code? So far, I have found that it is best to modify the register of interest as near to the address that writes your value (8027F1CC in ram, 00065EEC in ROM). This means find the last operation to modify your value (F4), execute this operation, and then jump to your code.

Important!!!!!!
LemAsm has a bug where when you type the SUB.S command, it will actually be a DIV.S command. Therefore, when you change the ADDU command to the SUB.S F4,F4,F2 command, you will have to go into a hex editor to change the hex value of that line.

The error erroneously changes the last value from 01 to 03, which calls the DIV.S command. This will ALWAYS happen when modifying the SUB.S command, regardless of location or registers, so be careful!

So the last operation on F4 prior to writing it is 2 lines above the SWC1 command. It is the SUB.S F4,F4,F2 opcode. After this is an ADDU V0,R0,R0 operation. This one doesn’t actually affect our value, so modifying when this occurs shouldn’t change our function too much. To add our jump and then add our code, we do the following: 1) replace the SUB.S F4,F4,F2 opcode with our Jump, 2) change the following ADDU V0,R0,R0 opcode to the SUB.S F4,F4,F2. Why do we need to do (2)? This is because the Jump command (as well as other jump opcodes such as JR RA or JAL) always execute the command immediately after it. Therefore, if we put our jump where the SUB.S command is, we should move the SUB.S command where the ADDU command is so that it still is executed at the right time. So what happens to the ADDU opcode? Well now we go to the location of where our new code goes, which we found in the ROM to be 00071800. There is nothing but NOPs here, so we know we’re not replacing actual code or other functions. The first thing we should add here is the command we wrote over in the previous function: ADDU V0,R0,R0. We can now add whatever operations we want to modify F4 (or really any other registers if we wanted)!

Let’s say you want your lateral tackle speed to be very fast. Well currently F4 is ~1.6 = 3FCCCCD. We could double this value by adding the line ADD.S F4, F4,F4. This will do the function F4 = F4+F4, which is equal to 1.6+1.6 = 3.2. So now your lateral speed is 2x as fast! You can do other arithmetic operations here however you want. After you add your new code, you need to jump back to your original function. This is easy – just figure out the address 2 down from your original Jump (our original jump was at 65EE4, so 2 addresses down is 65EEC). Compute the RAM value for this ROM address as explained above (it is = 80065EC). So simply type J $800652EC after your code, and you will jump right back into the original function, now with your modified F4 value! It should be noted that LemAsm will automatically change your 8 at the beginning of the RAM address to a 0, so your 800652EC will look like 000652EC.

This is a simple example of how you can jump out of a function, add new code, and then jump back like nothing happened. This is very useful when there are no NOPs to add new code, or if your new code takes up too much space. Just remember that the registers you are modifying shouldn’t be over written. If you want to really get good at ROM hacking the assembly, you need to familiarize yourself with the MIPS assembly opcodes. As explained in this tutorial, SUB.S is a subtraction operation, ADD.S is an addition, but there are many more beyond just simple arithmetic operations.

NFL Blitz Hacking / External playbook editor

« on: May 15, 2016, 12:40:38 PM »

Jake had mentioned making an external playbook editor a while back. Initially I thought this would be nearly impossible as Zoinkity had mentioned custom plays is quite difficult. However, I have been able to find out how the game (specifically Blitz 2000 Zoinkity hacked version) saves custom plays on the memory pak. I can also view how different player position, route, action (juking,blocking, etc) affects the block of code for each play. Therefore, I think it would most definitely be possible to create an external playbook editor, it's just a matter of mapping all of the addresses with their respective functions. I will be posting updates here.

Jake - I don't have the skills for doing a stand alone c# program like you have made for the other hacking tools, so maybe we could collaborate on this one. It would be awesome to create plays using mouse + keyboard versus the way in the game as is.

NFL Blitz Hacking / Having text appear after a tackle

« on: February 14, 2016, 12:11:30 PM »

I am going to try and make a hack where text appears after the ball handler is tackled. Depending on the tackle, it will display certain text in the same way that first downs, touchdowns, etc are shown. Do you know where the function is to write that text? Also, do you have a table file with the hex representation of ascii characters? I see that the Texans correctly display "Texans win" after they win a game, so it would be essentially the same modification, only to trigger after tackles.

NFL Blitz Hacking / Tackle animation hack: Executing specific tackles on command

« on: February 04, 2016, 05:53:17 PM »

I'm currently working on a hack to allow the player to do specific tackle animations. I will be posting here what I find as a log, or if anyone else is interested. The ideal end product would be similar to fighting games where short button combinations results in a specific tackle to be done on the opponent.

I also would like the game to display text when a certain tackle combo is done. It is possible to display text as seen in this video: https://www.youtube.com/watch?v=DnFxpRwT0Gc

NFL Blitz Hacking / Hacking Blitz Tutorial 1: finding an in-game variable to modify

« on: January 31, 2016, 07:11:40 PM »

I have been working on a variety of hacks for Blitz lately and figured I would write up some tutorials for people who maybe interested in similar things.

This first tutorial will explain how to try to find an in-game variable that you want to modify. More specifically, we will be finding a variable that corresponds to the play-timer in the play editor "preview" mode. We will find this value, and then freeze it, resulting in the ability to run around infinitely until you run out of bounds, score a safety, or TD. This is a very important "hack" as it will make finding other in-game variables much easier.

I first suggest going through these tutorials: http://orbitaldecay.com/N64/index.html

The author did an excellent job breaking down what is a typically difficult process into a simple one. We will be essentially doing the same thing as his first tutorial.

Tools necessary (can all be found in this convenient zip: http://www.orbitaldecay.com/N64/N64-RomHackingToolkit.zip):

1. Nemu64
2. Blitz 2000 ROM - patched with Zoinkity's hack (will techinically work w/ any version, but this is the one I'm using)
3. Cheat Engine

1. Open Nemu64 and load up Blitz 2000.

2. Open Cheat Engine, and click "process", and click "nemu64.exe".

3. In Blitz, go to the playbook editor, select any team, and then enter preview mode. It doesn't matter what play or yard line you are on.

4. Start to run a play, and then hike the ball. Pause the game (F4).

Preview mode has a timer counting down when the play will automatically end, regardless if you score or not. Therefore, we can assume that there's a variable somewhere acting as that counter. However, there are literally hundreds of millions of variables - how will we find it? Fortunately Cheat Engine has some simple tools that allows us to narrow down those values to just a few.

5. With the game paused, in Cheat Engine, change "Scan Type" from "Exact Value" to "Unknown Initial Value".

6. Change "Value Type" from "4 bytes" to "Byte". Click First Scan.

It should report back a very large number of addresses found (~133,000,000 if I remember correctly). We can assume that the timer value (once we un-pause) will either decrease or increase, however we don't really know which one. Therefore, we should look for just any change at all.

7. Un-pause Blitz (F4), after a second or two Pause again.

8. change the "Scan Type" to "Changed Value". It should decrease by a significant amount.

9. With the game still paused, we know that the value shouldn't change any more. Therefore, we can do another scan with it paused, only this time do "Unchanged value". You can keep clicking this repeatedly and it should take more addresses away, although eventually it will level off.

10. Un-pause again, let it sit for another second or so, and pause. Search for a "changed value".

Eventually you will run out of time and it will automatically go back to the playbook editor. Just preview the play again, hike the ball, and search for the changed value until there are not many left (repeat 7-10).

I have found the timer located at 100D39B0, although I've noticed it is sometimes at different addresses for some reason. The timer starts at a large value (~238 I think) when the ball is first hiked, and then it decreases to 0 as the timer runs out. Therefore, you could actually be using the scan type "Decreased Value" as the time decreases instead of "changed value", however for the sake of the tutorial I used "Changed Value". If you do use "Decreased Value", Remember that once the timer runs out and you start another preview, the value will actually have increased once you hike the ball, so I suggest using "changed value" between different Preview scenarios.

11. Once you find that timer variable, hike the ball, Pause the game, and then click the box in Cheat engine next to it in the Frozen column. This will freeze the value at whatever it was at the time. Basically any value between 170 and 0 will work.

If everything went smoothly, you should now be able to run around indefinitely as long as you don't run out of bounds, score, and get a safety. You can even pass the ball to other players, jump, etc. We will use this technique going forward to find other in-game variables related to the player movement. It makes it much easier as there is no time constraint, nor Richard Sherman trying to tackle you. I may add pictures to help annotate this in the future.

Next tutorial: Finding player vertical height variable.

NFL Blitz Hacking / Modifying speed of players in Zoinky's hacked Blitz 2000 version

« on: January 07, 2016, 07:12:15 PM »

I've been back to trying to figure out how to modify player speeds. I will post addresses with variables and necessary info that I find that works. I'm doing all this using cheat engine and nemu64 to try and find out what addresses write to what.

QB speed (behind line of scrimmage)

802D386C --> float gives a value of varying magnitude when moving left or right (faster speeds = larger values); moving left the value is negative, moving right value is positive. Vertical motion does not affect it, therefore there must be another address related to the vertical speed.

When the QB is moving laterally (left or right), this value is written to from 802f7fd4. Therefore, I think that it is this address that would need to be changed (probably a multiplier to scale the speed of QB up).

Fortunately there are a few math commands above it (at least I think, based on my very naive understanding of assembly language), so I was able to do a quick and dirty multiplier. directly above this line is:

802F7FD0 MUL.S F0,F20,F0 (the actual memory value is 4600A002)

I assumed this was doing some sort of math function to determine the lateral speed of the QB. right above this address is 802F7FCC, which is NOP. I took the same exact memory 4600A002 and replaced that NOP (which is just 00000000) and it increased the lateral QB speed 2-fold. i.e. It did indeed act as a "multiplier". However, I noticed that the value only changes when you hold turbo.

So the original addresses will look like this:

802F7FCC NOP
802F7FD0 MUL.S F0, F20, F0
802F7FD4 SWC1 F0, 0x0014 (S0) <--- this is what does the actual writing to QB lateral speed

whereas the quick modification would look like:

802F7FCC MUL.S F0, F20, F0
802F7FD0 MUL.S F0, F20, F0
802F7FD4 SWC1 F0, 0x0014 (S0)

and once again, the actual array of bytes to do the MUL.S F0, F20, F0 command is 4600A002.

I then just scrolled up the address list and looked for the next SWC1 command. It was located at 802F7B0. Once again, above it was yet another MUL.S command (although not directly above it; it was 3 addresses up) with a NOP address as above it. I did the same thing here replacing:

802F7FA0 NOP
802F7FA4 MUL.S F0,F20,F0
802F7FB0 SWC1 F0, 0x000C (S0)

with:

802F7FA0 MUL.S F0,F20,F0
802F7FA4 MUL.S F0,F20,F0
802F7FB0 SWC1 F0, 0x000C (S0)

which resulted in the QB vertical speed to increase with turbo! So it seems these two commands can at least affect the speed of the QB with turbo.

The way I'm changing the speed is pretty rough. Ideally, it would be better to be able to tune the "multiplier" so that it's not so fast - with these hacks on, the QB speed is even higher than in Blitz 2001. I think if it was just a bit slower it would be better. Problem is, I don't know how to multiply a random constant (which I assume in the above case would be what ever is stored in F20) to the SWC1 value.

I will post more as I go along. Hopefully this makes sense, I'm thinking about taking screen shots to help illustrate the process I'm using so if others are interested then they can take a stab at it too.

NFL Blitz 2018 (NFL blitz 2000 hack) / Walk-through guide for Zoinky's hack and Project 64 tweaks

« on: December 30, 2015, 04:56:44 PM »

I finally got around to playing Zoinky's patch and used the roster editor, and they are absolutely amazing! I had some issues along the way and figured I would post them here with my solutions in case others have the same problems. Thanks Jake, Zoinky, and Idabadas for these additions.

Here is a walk-through guide for how to install Zoinky’s patch. I also include some graphical tweaks to Project64 I had to do in order to get it running smoothly and looking good.

Installing Zoinky’s Patch

1.   Obtain a N64 NFL Blitz 2000 ROM.
2.   Download and unzip Zoinky’s patch: http://nflblitzfans.com/index.php?topic=53.0
3.   Download xdelta: http://www.romhacking.net/utilities/598/
4.   open xdeltaUI – a window opens with the tab “apply patch” highlighted.
5.   Find Zoinky’s patch by clicking the “open” button for the “Patch” field and go to the directory you unzipped it to.
6.   Open either the “Blitz2k-10_team+.xdelta” or “Blitz2k-11_team+.xdelta” file. You will know which one to use by patching it (step 9). If it gives you an error saying “target window checksum mismatch: XD3_INVALID_INPUT”, try using the other file.
7.   Find your Blitz 2000 ROM by clicking the “open” button for the “source file” field and go to the directory you saved it to
8.   Hit the “…” button in the “Output File” field to save it. Be sure to save it as XX.z64 or XX.n64 (depending on the file type of the original ROM) where XX = the name you want to give it (i.e. Blitz2015.z64)
9.   Hit the “Patch” button. If it worked, it will say “file patched successfully”.

Troubleshooting installation of Zoinky’s patch

There are two parts that can give you an issue. The first is that the ROM you have is the incorrect type, or you are using the wrong patch (10 versus 11) on the correct ROM. Additionally, don’t forget to include the file extension in the output file name. Try the following if you have issues:

1. Using the same ROM, try patching with the other version. If this does not work again, then you probably need a different ROM.

2. Find a different ROM and try patching them.

Troubleshooting Project64 settings

I have found that P64 can be buggy at times, especially for some reason with the Blitz 2000 ROM I use. For instance, the frame rate is very low (~2 fps), making it unplayable. Also, I have had issues with the emulator drawing the yard lines. Here are a few things you can try if you have similar issues.

I also noticed Jabu’s Direct3D graphics Plugin does not let me play full screen but using Glide does. I have read online this is a Windows 10 issue; i.e. if you have any version of Windows prior to this, it should work. This was the case with mine, as full screen worked just fine using Windows 8.

Before changing anything, set advanced settings on by going to: Options -> Settings -> Options -> uncheck “Hide advanced settings”.

Issue: Cannot play full screen

Solution: If you are using Jabu’s Direct3D8 plugin on Windows 10, this is most likely the issue. So far I have not been able to fix this, besides changing the plugin to Glide64. To do this: Options  Plugins -> Change Video plugin to Glide64.

You can change the video settings in Options -> Configure Graphics Plugin…

Issue: extremely low frame rate

Solution: Open your ROM in P64. Once running, go to: Options -> Settings -> Config:blitz2k (expand to show “Recompiler & Plugins”); in the “Recompiler” window, change “CPU core style from “Recompiler” to “Interpreter”.

This should fix the frame rate issue. If it doesn’t, it maybe something with your hardware or video settings. Try playing with the video settings if so.

Issue: No yard lines appear on field

Solution:If using Jabu’s Direct3D8 graphics plugin , go to: Options -> Configure Graphics Plugin -> Advanced tab -> uncheck “Force legacy pixel pipeline”

If using Glide64: Goto: Options -> Configure Graphics Plugin -> Emulation settings tab -> LOD calculation: set to either FAST or PRECISE

Also, I should mention that if you are interested in using N64 controllers for your PC, by far the best way to do it is to use the MAYFLASH N64 adapter: http://www.amazon.com/MAYFLASH-N64-Controller-Adapter-For/dp/B002B9FIUU

These allow you to hook up 2 controllers per USB port. I have tested this out and have gotten up to 4 controllers working using two MAYFLASH adapters. I highly recommend them if you are interested in playing on your PC versus the actual console. There is no issue with delay/response time, and they are easy to install (just follow the top rated review on Amazon if you have problems). These are a much better alternative to using the knock-off N64 USB controllers that are out there.

You can also use Xbox 360 controllers as long as you get the drivers from Microsoft. If you have wireless controllers, you will need a wireless adapter.

NFL Blitz Hacking / Potential hacks to change gameplay

« on: November 05, 2015, 02:44:06 PM »

So currently these are some hacks I plan on attempting to do at some point. I have successfully completed the low gravity hack, so it's taken care of. The first two below should be fairly easy, but the ones after would be much more difficult.

1. (Blitz 2001) allow onside kicks in second half - for some reason the game doesn't allow onside kicks in the second half. This doesn't make any sense, and I still wonder to this day if it was a coding error on the developers part (the game as a whole is pretty glitchy compared to 2000). I'm going to see if I can get them allowed.

2. (Blitz 2000) increase speed of QB - I prefer the faster speed of the QB in blitz 2001, so I am going to try and find a code to modify the QB speed.

3. Allow slow motion - Turn on or off slow motion.

4. Add instant replay - This will be really difficult, if not impossible. I feel like the only way to make this work would be to look at other games and how they work (such as Wayne Gretzky 3D hockey).

5. Do certain tackle animations - Some of the tackle animations are hilarious, such as the "dump truck" or the "levitator" as I call them. I want to try and find the function that sets the tackle animation and see if there's a way to force it to do certain ones more frequently.

6. Increase late hits time - I would like to try and increase the amount of time the late hits lasts, that way you can do "combo" tackles (one tackle throws the player into another, and vice versa).

7. Add tackle "combos" - This will be related to (5) and (6) above. I want it so that lets say you tackle a player and it throws them into another player that then tackles them again, this would be a "2 hit combo". I know it is possible to make text appear at certain times, so this should be possible. The hard part would to make the text appear specifically after a certain animation sequence happens.

8. Change yardage required for 1st downs - This would be interesting to see how it changes the games. I'm not sure how difficult it would be.

NFL Blitz Hacking / Low Gravity hack

« on: November 02, 2015, 02:29:54 PM »

Hey Jaker, looks like you have some spam.

Anyway, I had mentioned (as a different account, starfishmaster) about trying to do some different modifications to the game play, such as turning on low gravity. Well, I have successfully done it! It makes the game play even more absurd, with characters flying through the sky when they jump or get hit. Even better is that it can be turned on or off using a gameshark code, so it's simple to implement. I will upload the code that needs to be put in later today once I get home. It's well worth checking out, it makes the game just that much more insane!

One other thing: I prefer 2001 because it's much faster paced than 2000, so I worked on the code for that version. However, I noticed for whatever reason, 2001 does not allow onside kicks in the second half. This is the next thing I'm going to try and change. I wasn't sure if you were aware of this, or if anyone else was. I wonder if it was intentional or if it was a coding error?

Pages: [1]