November 21, 2024, 10:57:27 AM

Author Topic: Hacking Blitz Tutorial 1: finding an in-game variable to modify  (Read 20215 times)

blitzmaster5000

  • Full Member
  • ***
  • Posts: 150
    • View Profile
Hacking Blitz Tutorial 1: finding an in-game variable to modify
« on: January 31, 2016, 07:11:40 PM »
I have been working on a variety of hacks for Blitz lately and figured I would write up some tutorials for people who maybe interested in similar things.

This first tutorial will explain how to try to find an in-game variable that you want to modify. More specifically, we will be finding a variable that corresponds to the play-timer in the play editor "preview" mode. We will find this value, and then freeze it, resulting in the ability to run around infinitely until you run out of bounds, score a safety, or TD. This is a very important "hack" as it will make finding other in-game variables much easier.

I first suggest going through these tutorials: http://orbitaldecay.com/N64/index.html

The author did an excellent job breaking down what is a typically difficult process into a simple one. We will be essentially doing the same thing as his first tutorial.

Tools necessary (can all be found in this convenient zip: http://www.orbitaldecay.com/N64/N64-RomHackingToolkit.zip):

1. Nemu64
2. Blitz 2000 ROM - patched with Zoinkity's hack (will techinically work w/ any version, but this is the one I'm using)
3. Cheat Engine


1. Open Nemu64 and load up Blitz 2000.

2. Open Cheat Engine, and click "process", and click "nemu64.exe".

3. In Blitz, go to the playbook editor, select any team, and then enter preview mode. It doesn't matter what play or yard line you are on.

4. Start to run a play, and then hike the ball. Pause the game (F4).

Preview mode has a timer counting down when the play will automatically end, regardless if you score or not. Therefore, we can assume that there's a variable somewhere acting as that counter. However, there are literally hundreds of millions of variables - how will we find it? Fortunately Cheat Engine has some simple tools that allows us to narrow down those values to just a few.

5. With the game paused, in Cheat Engine, change "Scan Type" from "Exact Value" to "Unknown Initial Value".

6. Change "Value Type" from "4 bytes" to "Byte". Click First Scan.

It should report back a very large number of addresses found (~133,000,000 if I remember correctly). We can assume that the timer value (once we un-pause) will either decrease or increase, however we don't really know which one. Therefore, we should look for just any change at all.

7. Un-pause Blitz (F4), after a second or two Pause again.

8. change the "Scan Type" to "Changed Value". It should decrease by a significant amount.

9. With the game still paused, we know that the value shouldn't change any more. Therefore, we can do another scan with it paused, only this time do "Unchanged value". You can keep clicking this repeatedly and it should take more addresses away, although eventually it will level off.

10. Un-pause again, let it sit for another second or so, and pause. Search for a "changed value".

Eventually you will run out of time and it will automatically go back to the playbook editor. Just preview the play again, hike the ball, and search for the changed value until there are not many left (repeat 7-10).

I have found the timer located at 100D39B0, although I've noticed it is sometimes at different addresses for some reason. The timer starts at a large value (~238 I think) when the ball is first hiked, and then it decreases to 0 as the timer runs out. Therefore, you could actually be using the scan type "Decreased Value" as the time decreases instead of "changed value", however for the sake of the tutorial I used "Changed Value". If you do use "Decreased Value", Remember that once the timer runs out and you start another preview, the value will actually have increased once you hike the ball, so I suggest using "changed value" between different Preview scenarios.

11. Once you find that timer variable, hike the ball, Pause the game, and then click the box in Cheat engine next to it in the Frozen column. This will freeze the value at whatever it was at the time. Basically any value between 170 and 0 will work.

If everything went smoothly, you should now be able to run around indefinitely as long as you don't run out of bounds, score, and get a safety. You can even pass the ball to other players, jump, etc. We will use this technique going forward to find other in-game variables related to the player movement. It makes it much easier as there is no time constraint, nor Richard Sherman trying to tackle you. I may add pictures to help annotate this in the future.

Next tutorial: Finding player vertical height variable.

givehimsix

  • Newbie
  • *
  • Posts: 13
    • View Profile
Re: Hacking Blitz Tutorial 1: finding an in-game variable to modify
« Reply #1 on: January 19, 2018, 07:13:19 PM »
The orbitaldecay website appears to be offline. Any way you could repost the ROM hacking toolkit?

jaker3

  • Administrator
  • Sr. Member
  • *****
  • Posts: 334
    • View Profile

givehimsix

  • Newbie
  • *
  • Posts: 13
    • View Profile
Re: Hacking Blitz Tutorial 1: finding an in-game variable to modify
« Reply #3 on: January 21, 2018, 08:59:23 PM »
Thank you!!

jaker3

  • Administrator
  • Sr. Member
  • *****
  • Posts: 334
    • View Profile
Re: Hacking Blitz Tutorial 1: finding an in-game variable to modify
« Reply #4 on: January 26, 2018, 02:02:44 PM »
Everything end up working in that zip?

givehimsix

  • Newbie
  • *
  • Posts: 13
    • View Profile
Re: Hacking Blitz Tutorial 1: finding an in-game variable to modify
« Reply #5 on: January 27, 2018, 01:18:57 PM »
Nope, I couldn't get Nemu64 to open my edited ROM. It opens the original Blitz2000 just fine though.

blitzmaster5000

  • Full Member
  • ***
  • Posts: 150
    • View Profile
Re: Hacking Blitz Tutorial 1: finding an in-game variable to modify
« Reply #6 on: February 11, 2018, 11:45:01 PM »
What edits did you make? Was it just patching it with Zoinkity's hack? Or was it you trying to do your own changes?